habibzain Just husband, father and enthusiastic men about System Administration. Love to write short article about it. Perhaps can help and be useful for others.

Zimbra Enable DMARC, SPF and DKIM


DMARC, SPF and DKIM are now a mandatory part of a mail server.

DMARC

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a free and open technical specification that is used to authenticate an email by aligning the SPF and DKIM mechanisms.

With DMARC you can tell the world how to handle the unauthorized use of your email domains by instituting a policy in your DMARC record. The three DMARC policies are:

  • p=none: Monitors your email traffic. No further actions are taken.
  • p=quarantine: Sends unauthorized emails to the spam folder.
  • p=reject: The final policy and the ultimate goal of implementing DMARC. This policy ensures that unauthorized email doesn’t get delivered at all.

Here is an example DMARC record, based on an online DMARC generator wizard.

Record Type: TXT
Target / Host / Location: _dmarc.[yourdomain.com]

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];

SPF

Sender Policy Framework (SPF) is used to authenticate the sender of an email. With an SPF record in place, Internet Service Providers can verify that a mail server is authorized to send email for a specific domain. An SPF record is a DNS TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain.

This is the SPF record that I use, based on an online SPF generator.

habibza.in.  IN TXT "v=spf1 mx a ip4:103.224.12.12/32 a:mail.habibza.in a:smtp.habibza.in ~all"
  • mx = Allow servers listed as MX to send email for this domain.
  • a = Allow current IP address of the domain to send email for this domain.
  • ip4:103.224.12.12/32 = IP addresses in CIDR format that deliver or relay mail for this domain.
  • a:mail.habibza.in = Add any other server hostname that may deliver or relay mail for this domain.
  • ~all = How strictly receiving servers should treat email from servers that are not listed (Soft Fail, Fail or Neutral); ~all is Soft Fail.

DKIM

DKIM stands for DomainKeys Identified Mail and is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record exists in the DNS, but it is a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.

Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available.

Setting up signing consists of two steps:

  1. Running zmdkimkeyutil to generate the DKIM keys and selector. The generated data is stored in the LDAP server as part of the domain LDAP entry.
  2. Updating the DNS server with the public DNS entry

The zmdkimkeyutil utility should be run on an MTA server.

Adding DKIM data to a domain with no existing DKIM configuration.

/opt/zimbra/libexec/zmdkimkeyutil -a -d habibza.in

As the zimbra user, run zmdkimkeyutil to generate the DKIM key.

root@mail:~# su - zimbra
zimbra@mail:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d habibza.in
DKIM Data added to LDAP for domain habibza.in with selector 87428382-CF6D-11EC-9DEE-F88DDBDF68A9
Public signature to enter into DNS:
87428382-CF6D-11EC-9DEE-F88DDBDF68A9._domainkey IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1ZqZZHblmORElqGsv4f0D67v9Vnqk15KAl18awxlahnsSQhAv8/JLacvsnZe/q3Wxr2u/gWou+UdmfJqy/+um2a2YXNH1ICTB+aG7Q4qucYT74i7sq88WxZ+RonWfcRHx5pLaGJ83CORMisGKSz02dNlL/Ftdyjkef8g/KDp7AWN51fhCLeZlQ8ks5SSjvvIPjHC6OJBsqrPY"
          "i3AELInKaOA8j/E5L1gkVfgCRD4Avf2Yxn4L0GEU1BbsZzvPXQ1Wxp5V6S6F76fqL8GklJQFO9GWg369GnN5wOH8Yml2dz0a6Yp44fWY+4h/95K3KId9Q55TTb/9XuiAlZEkzOYQIDAQAB" )  ; ----- DKIM key 87428382-CF6D-11EC-9DEE-F88DDBDF68A9 for habibza.in

The DNS record generated above needs a small edit before it is entered into DNS: remove the parentheses and the inner quotation marks, so that the whole value is a single line inside one pair of quotes. It becomes like this.

87428382-CF6D-11EC-9DEE-F88DDBDF68A9._domainkey IN      TXT     "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1ZqZZHblmORElqGsv4f0D67v9Vnqk15KAl18awxlahnsSQhAv8/JLacvsnZe/q3Wxr2u/gWou+UdmfJqy/+um2a2YXNH1ICTB+aG7Q4qucYT74i7sq88WxZ+RonWfcRHx5pLaGJ83CORMisGKSz02dNlL/Ftdyjkef8g/KDp7AWN51fhCLeZlQ8ks5SSjvvIPjHC6OJBsqrPYi3AELInKaOA8j/E5L1gkVfgCRD4Avf2Yxn4L0GEU1BbsZzvPXQ1Wxp5V6S6F76fqL8GklJQFO9GWg369GnN5wOH8Yml2dz0a6Yp44fWY+4h/95K3KId9Q55TTb/9XuiAlZEkzOYQIDAQAB"

  • 87428382-CF6D-11EC-9DEE-F88DDBDF68A9 = the name of the selector.
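The edit described above, as an added Python example that is not part of the original article or of Zimbra: it joins the quoted strings that zmdkimkeyutil prints into the single-line value, flags leftover quotes or parentheses, reads the RSA key size from the p= tag, and splits the value for zone editors that limit each string to 255 characters. The function names, the 2048-bit threshold and the sample record (a made-up modulus, not a real key) are assumptions of this example.

```python
import base64
import re

def flatten_txt(output):
    """(record name, one-line TXT value) from zmdkimkeyutil's quoted strings."""
    m = re.search(r'^(\S+\._domainkey)\s+IN\s+TXT\s+\((.*?)\)', output, re.M | re.S)
    if not m:
        raise ValueError("no _domainkey TXT record found")
    return m.group(1), "".join(re.findall(r'"([^"]*)"', m.group(2)))

def _tlv(buf, pos):  # one DER header -> (tag, value start, value end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_bits(p_b64):  # modulus size of the RSA SubjectPublicKeyInfo in p=
    der = base64.b64decode(p_b64, validate=True)
    _, start, _ = _tlv(der, 0)          # outer SEQUENCE
    _, _, alg_end = _tlv(der, start)    # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(der, alg_end)     # BIT STRING
    _, seq, _ = _tlv(der, bits + 1)     # +1 skips the unused-bits byte
    _, lo, hi = _tlv(der, seq)          # INTEGER: the modulus
    return int.from_bytes(der[lo:hi], "big").bit_length()

def check_value(value, min_bits=2048):
    """Problems in a flattened value; min_bits is this example's own threshold."""
    problems = []
    if re.search(r'["()]', value):
        problems.append("leftover quote or parenthesis inside the value")
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    if tags.get("v") != "DKIM1":
        problems.append("v= is not DKIM1")
    try:
        if rsa_bits(re.sub(r"\s+", "", tags.get("p", ""))) < min_bits:
            problems.append(f"RSA key shorter than {min_bits} bits")
    except (ValueError, IndexError):
        problems.append("p= is not a base64 RSA public key")
    return problems

def split_255(value):  # for zone editors limited to 255 characters per string
    return [value[i:i + 255] for i in range(0, len(value), 255)]

# Constructed sample: real key structure, made-up modulus (not a usable key).
KEY = base64.b64encode(bytes.fromhex("30820122300d06092a864886f70d010101050003"
    "82010f003082010a0282010100" + "c3" * 256 + "0203010001")).decode()
SAMPLE = ('myselector._domainkey   IN      TXT     ( "v=DKIM1; k=rsa; "\n'
          f'          "p={KEY[:250]}"\n          "{KEY[250:]}" )  ; ----- DKIM key\n')
```

Pass the full zmdkimkeyutil output to flatten_txt, then run check_value on the returned value before pasting it into the zone editor.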

Removing DKIM data for a domain

/opt/zimbra/libexec/zmdkimkeyutil -r -d example.com

This command deletes the DKIM data from LDAP. New emails will no longer be signed for the domain. The DNS TXT record should remain for a period of time to allow verification of emails signed with this key.


DKIM with Custom Name Selector

We can set a custom selector name with the -s parameter when generating the DKIM key. For example:

zimbra@mail:~$  /opt/zimbra/libexec/zmdkimkeyutil -a -d habibza.in -s myselector

DKIM Data added to LDAP for domain habibza.in with selector myselector
Public signature to enter into DNS:
myselector._domainkey   IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4SFEVOyA3qo0MZgL6NbEgvllmjtBNjCUgvvRZkp+0X6dgHh3/CpwIuhTmFC2d0N1ehn+Cp7K3yq0wFcZ2YkAuCY79MtBp8IwJ1NPZ83kQvcKhI9Balkl09N57Gr8VtkiPikFX0Mhi6WSnCT5lX4bvATLQshes3W4N7Ahb7r2BjjY1wy1D0hK2UujYOAgojHSl48xXFS1wbZu2L"
          "IRqkdTjUOcMHg8nNPh1C/nHAd5gwRCq1J9ui7Q08PYrlMwyi4u2sjq68R800eP+CD6tBk9ZZtKV4bYqGQKbMz9M15ro0odh5o6H1MDX49O/PUh3Dp/N6csHt0X/2usubKjXi45kwIDAQAB" )  ; ----- DKIM key myselector for habibza.in

Retrieving the stored DKIM data for a domain

/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com

This command will output all the stored DKIM information, specifically:

 DKIM Domain
 DKIM Selector
 DKIM Private Key
 DKIM Public Signature
 DKIM Identity

Add TXT record of DMARC, SPF and DKIM into DNS

The last step is to add the DMARC, SPF and DKIM TXT records in the DNS zone editor.

The DKIM key is 2048 bits long, so the cPanel zone editor that I use needs two string boxes for it. The DKIM value itself is still a single line and, importantly, has only one pair of quotes.

The final result looks like this.


2 Replies to “Zimbra Enable DMARC, SPF and DKIM”

  1. Hello. Unable to verify dkim signature. Is there anything I need to do extra? In Ired Mail, verification takes place immediately.
