Yes, I am doing DMARC today once again, exciting stuff this. And I have finally figured out opendmarc-reports, which for the zoo ATPS is apparently needed.
These records are fun, and once you do one domain, the others also need doing, à la:
_adsp._domainkey.example.com IN TXT "dkim=all; atps=y; asl=example.net;"

YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d=example.net;"
The YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ is the sha1 hash of example.net. opendkim-atpszone can make this with:
opendkim-atpszone -h sha1 -u example.com -A example.net -vvv
The rest of the DNS lines from above is where you're on your own.
YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d=example.net"
Eagle-eyed readers will note that v=ATPS1; and v=atps01; differ, and no ADSP record is made.
The has found that atps01 works and is unwilling to test the capital variant.
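To check that an ATPS label in a zone really belongs to the domain named in its d= tag, the label can be recomputed. This is an added example, not part of the original post or of OpenDKIM; it assumes the label is the base32 encoding of the SHA-1 digest of the lowercased delegate name, as RFC 6541 describes, and the function names are made up for this sketch.

```python
import base64
import hashlib
import re

def atps_label(delegate: str) -> str:
    """Base32(SHA-1(delegate)); lowercasing and dropping the root dot are assumptions."""
    name = delegate.strip().rstrip(".").lower().encode("ascii")
    # A SHA-1 digest is 20 bytes, so base32 gives exactly 32 characters, no padding.
    return base64.b32encode(hashlib.sha1(name).digest()).decode("ascii")

def atps_record(author_domain: str, delegate: str, version: str = "ATPS1") -> str:
    """Build the TXT record an author domain publishes to delegate signing."""
    label = atps_label(delegate)
    return f'{label}._atps.{author_domain}. IN TXT "v={version}; d={delegate}"'

# Matches both the fully qualified form and the short "LABEL._atps TXT ..." form.
_RECORD = re.compile(r'^([A-Za-z2-7]+)\._atps(?:\.\S*)?\s+.*?"([^"]*)"')

def check_record(line: str) -> dict:
    """Parse one zone line and report whether its label matches its d= tag."""
    m = _RECORD.match(line.strip())
    if m is None:
        raise ValueError("not an ATPS TXT record: " + line)
    label, txt = m.groups()
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    delegate = tags.get("d", "")
    return {
        "delegate": delegate,
        "version": tags.get("v"),  # reported as found, so ATPS1 and atps01 can be compared
        # DNS labels are case-insensitive, so compare in upper case.
        "label_ok": bool(delegate) and label.upper() == atps_label(delegate),
    }

if __name__ == "__main__":
    zone = [
        # The two record forms shown in the post.
        'YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps.example.com IN TXT "v=atps01; d=example.net;"',
        'YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ._atps TXT 86400 "v=ATPS1; d=example.net"',
        # Constructed sample: label generated here for a second delegate.
        atps_record("example.com", "example.org"),
    ]
    for line in zone:
        print(check_record(line), "<-", line)
```

A record whose label_ok is False delegates to a different name than its d= tag claims, which is worth cleaning up before relying on it.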
The only reason I have this is for opendmarc-reports, which for some reason, if I do not have them, I get a DMARC error of no.
postfix/smtp[*]: *: status=bounced (host aspmx.l.google.com[126.96.36.199] said: 550-5.7.1 Unauthenticated email from example is not accepted due to 550-5.7.1 domain's DMARC policy. Please contact the administrator of 550-5.7.1 example domain if this was a legitimate mail.
That’s it, which is what brought me to this vague corner of DNS and email.
The DMARC report I received back the next day was interesting.
Maybe the zoo’s way of doing things is weird to opendmarc-reports, which is good at keeping secrets on our live mail server, so it is happy with ADSP, and human email gets sent properly with aligned SPF, DKIM and DMARC. I will say no more.
So that fixes opendmarc-reporting. Yay