Document DMARC support and it enable it by default

Despite being incomplete, it can be still be useful and provide
protection for users.

The missing part is the report generation, which is defined as a part of
a minimal implementation by RFC 7489, though.

README.md

@@ -14,8 +14,7 @@ changes happen from time to time**
   - IMAP4rev1 & SMTP server in one binary
   - [DKIM][dkim] signing and verification
   - [SPF][spf] policy enforcement
-  - [DMARC][dmarc] policy enforcement (experimental,
-    enable with `dmarc on` in smtp config)
+  - [DMARC][dmarc] policy enforcement
   - [MTA-STS][mtasts] policy enforcement
 * Simple to configure
   - Two steps (excluding messing with DNS) to get your own

dist/vim/syntax/maddy-conf.vim

@@ -78,6 +78,7 @@ syn keyword maddyDispatchDir
 	\ reject
 	\ deliver_to
 	\ reroute
+	\ dmarc
 
 " grep --no-file -E 'cfg..+\(".+", ' **.go | sed -E 's/.+cfg..+\("([^"]+)", .+/\1/' | sort -u
 syn keyword maddyModDir

maddy.conf

@@ -53,6 +53,10 @@ smtp tcp://0.0.0.0:25 {
         apply_spf
     }
 
+    # Enforce sender's DMARC policy.
+    # Report generation is not implemented yet.
+    dmarc on
+
     modify {
         # Implement plus-address notation.
         replace_rcpt /(.+)\+(.+)@(.+)/ $1@$3

man/maddy-smtp.5.scd

@@ -20,6 +20,7 @@ smtp tcp://0.0.0.0:25 {
     max_message_size 32M
     auth pam
     defer_sender_reject yes
+    dmarc yes
 
     # Example pipeline ocnfiguration.
     destination example.org {
@@ -104,6 +105,17 @@ Amount of RCPT-time errors that should be logged. Further errors will be
 handled silently. This is to prevent log flooding during email dictonary
 attacks (address probing).
 
+*Syntax*: dmarc _boolean_ ++
+*Default*: yes
+
+Enforce sender's DMARC policy. Due to implementation limitations, it is not a
+check module.
+
+*NOTE*: Report generation is not implemented now.
+
+*NOTE*: DMARC needs apply_spf and verify_dkim checks to function correctly.
+Without these checks, you will get false negatives.
+
 # Submission module (submission)
 
 Module 'submission' implements all functionality of the 'smtp' module and adds
@@ -380,6 +392,10 @@ This configuration allows to specify alias local addresses to remote ones
 without being an open relay, since remote_queue can be used only if remote
 address was introduced as a result of rewrite of local address.
 
+*WARNING*: If you have DMARC enabled (default), results generated by apply_spf
+and verify_dkim checks inside a reroute block *will not* be considered in DMARC
+evaluation.
+
 *Syntax*: destination _rule..._ { ... } ++
 *Context*: pipeline configuration, source block