I don’t know what spoofing protection is, so probably no.
I always add all of the default DNS records when I configure a domain, those include the DMARC, DKIM and SPF records, then I always test that they are working by sending emails to mail-tester.com.
Everything else is default hestiaCP out of the box.
Do I need to do something extra to enable DMARC checking and/or configure spoofing protection?
If you have an enforcing DMARC policy of either quarantine or reject, checking DMARC is the cornerstone of spoofing protection. I expect it is configured in SpamAssassin, but I don’t use HestiaCP for email, so please wait for one of the other forum members to let you know how to enable that setting.
You can use the dnschecker tools to set up your records: DKIM Checker | DKIM Record Lookup
I was not aware of how to do it myself, tbvh. But you can test it there and see if it is all good.
For all my domains, these are the DKIM/DMARC/SPF:
_dmarc  v=DMARC1; p=quarantine; pct=100
mail._domainkey  v=DKIM1; k=rsa; p=Your base64 encoded public key
_domainkey  t=y; o=~;
domain.tld  v=spf1 a mx ip4:IPHERE -all
That is a good test to see if you are publishing DKIM records, but to prevent spoofed email from being received, inbound mail needs to be evaluated before it is delivered to the inbox.
A DNS test can’t determine if you are sending valid signatures. If you don’t use a DMARC reporting service, you can always send an email to one of the many testing sites.
Shouldn’t this incoming email have failed validation?
Does this simply mean that my hestiaCP email server is NOT doing the DMARC, DKIM, SPF validation on incoming emails the same way that other email servers do it? For example the way that www.learndmarc.com processed the email I SENT to it?
SPF tests against the RFC5322.MailFrom and in order for a valid SPF to be used to pass DMARC, the RFC5322.MailFrom and the RFC5322.From need to be in the same domain, or if the policy is relaxed, a subdomain is allowed.
In your example, the SPF would not be able to pass DMARC, even if it was valid. Without access to the secret key that corresponds to the public key in your DKIM record, that email couldn’t pass DKIM either. So neither way of testing DMARC would have passed that spoofed message.
I agree with your conclusion that you are not verifying DMARC on your server. Regrettably, this puts us back to where we were earlier with me not knowing the HestiaCP way of enabling DMARC inspection since I use other email solutions. The upside is that once you identify that, you should be able to send such forgeries to quarantine, or, if you increase your policy to reject, you could refuse to accept such messages altogether.
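The alignment rule described in the post above (an SPF pass only helps DMARC when the MailFrom domain is aligned with the From domain, exactly under strict mode or within the same organizational domain under relaxed mode, and a DKIM signature only helps when its d= domain is aligned) is easy to lose track of when reading a test report. The following is an added example, not code from the thread or from HestiaCP or SpamAssassin, that evaluates DMARC the way a receiving server would once it has the SPF and DKIM results in hand. The domains example.com, bulk.example.com and attacker.example are constructed sample values, and the organizational-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Toy organizational-domain derivation (an assumption of this example):
    keep the last two labels. Real verifiers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_aligned(auth_domain: Optional[str], from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment between an authenticated domain and the From domain.
    mode 's' = strict (exact match); mode 'r' = relaxed (same organizational
    domain, so a subdomain such as bulk.example.com aligns with example.com)."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain: str,
                   spf_pass_domain: Optional[str] = None,
                   dkim_pass_domain: Optional[str] = None,
                   aspf: str = "r",
                   adkim: str = "r") -> dict:
    """spf_pass_domain: the envelope MailFrom domain if, and only if, SPF passed.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    aspf/adkim mirror the tags of the same name in the DMARC record.
    DMARC passes when at least one *authenticated* identifier is *aligned*."""
    spf_ok = is_aligned(spf_pass_domain, from_domain, aspf)
    dkim_ok = is_aligned(dkim_pass_domain, from_domain, adkim)
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "result": "pass" if (spf_ok or dkim_ok) else "fail",
    }


def disposition(result: dict, policy: str) -> str:
    """Map a DMARC result plus the published p= value to the receiver's action.
    'none' only reports, 'quarantine' sends the message to spam, 'reject'
    refuses it at SMTP time. Passing mail is always delivered."""
    if result["result"] == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed sample: a forgery like the one in the thread. The From: header
# claims example.com, the envelope sender is a domain the sender controls (so
# SPF passes for *that* domain), and there is no DKIM signature from example.com.
SPOOF = evaluate_dmarc("example.com", spf_pass_domain="attacker.example")

# Constructed sample: legitimate mail sent from a subdomain, relaxed alignment.
LEGIT = evaluate_dmarc("example.com", spf_pass_domain="bulk.example.com")

if __name__ == "__main__":
    print("spoof:", SPOOF, "->", disposition(SPOOF, "quarantine"))
    print("legit:", LEGIT, "->", disposition(LEGIT, "quarantine"))
```

Run as-is, the forged sample fails DMARC (SPF passed, but for an unaligned domain, and there is no aligned DKIM pass) and is quarantined under p=quarantine; switching the policy argument to "reject" shows why the post suggests moving to reject once inbound checking is confirmed to work. This is exactly the evaluation that a DNS-only check such as a DKIM record lookup cannot perform, because it never sees an actual message.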
As @linkp said, you can use it in SpamAssassin. By default, SpamAssassin is configured to check DKIM, SPF, and DMARC… if the required Perl modules are installed. However, Hestia only installs the module for DKIM (at least for Debian, for Ubuntu I don’t know if all mail modules are installed by default).
You can check whether they are installed:
for i in DKIM SPF DMARC; do perl -MMail::$i -e1 &>/dev/null && echo "$i is installed" || echo "$i is NOT installed"; done
If DMARC or SPF modules aren’t installed, you just need to install them, restart SpamAssassin and you’re good to go.
Well, you can tweak the score assigned to each case, but that’s another question