DMARC, SPF and DKIM are now effectively mandatory for any mail server that wants its mail delivered: the major providers check all three, and mail from a domain that publishes none of them is increasingly rejected or sent to spam.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It is a free and open technical specification (RFC 7489) that authenticates an email by checking that the domain in the From: header aligns with the domain validated by SPF or DKIM.
With DMARC you tell the world how to handle unauthorized use of your email domain by publishing a policy (the p= tag) in your DMARC record. The three DMARC policies are:
p=none: Monitor only. Receivers send you reports about your email traffic but take no further action.
p=quarantine: Receivers treat mail that fails DMARC as suspicious, typically delivering it to the spam folder.
p=reject: The final policy and the goal of a DMARC rollout. Receivers refuse mail that fails DMARC, so it is not delivered at all.
Here is an example DMARC record, based on an online DMARC record generator wizard.
Record Type: TXT
Target / Host / Location: _dmarc.[yourdomain.com]
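As an added example (not code from the original post or from Zimbra), the following Python builds the TXT value that belongs at _dmarc.<domain> and works out what a receiver does with a message under each policy, including the alignment check that DMARC adds on top of SPF and DKIM. habibza.in and dmarc@habibza.in are placeholder values, and relaxed alignment is approximated as "same domain or a subdomain of it" rather than the Public Suffix List lookup a real validator performs.

```python
"""Added example, not code from the original post or from Zimbra: build the
TXT value that goes at _dmarc.<domain> and work out the disposition a
receiver applies. Assumptions: habibza.in and dmarc@habibza.in are
placeholders, and relaxed alignment is approximated as "same domain or a
subdomain" instead of the Public Suffix List lookup real validators use."""

POLICIES = ("none", "quarantine", "reject")


def build_dmarc_record(domain, policy, rua=None, pct=100, adkim="r", aspf="r"):
    """Return (record_name, txt_value) for the domain's DMARC policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown DMARC policy {policy!r}")
    tags = ["v=DMARC1", f"p={policy}"]          # v= must come first, p= is required
    if rua:
        tags.append(f"rua=mailto:{rua}")        # where aggregate reports are sent
    if pct != 100:
        tags.append(f"pct={pct}")               # apply the policy to only this share of mail
    tags += [f"adkim={adkim}", f"aspf={aspf}"]  # r = relaxed, s = strict alignment
    return f"_dmarc.{domain}", "; ".join(tags)


def parse_dmarc_record(txt):
    """Split 'k=v; k=v' into a dict and check the two mandatory tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record: needs v=DMARC1 and a valid p=")
    return tags


def aligned(auth_domain, header_from, mode):
    """Identifier alignment: strict needs an exact match; relaxed also accepts
    a subdomain relationship (simplified, see the module docstring)."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if a == h:
        return True
    return mode == "r" and (a.endswith("." + h) or h.endswith("." + a))


def dmarc_disposition(txt, header_from, spf_domain, spf_result,
                      dkim_domain, dkim_result):
    """'pass' if SPF or DKIM passed *and* aligns with the From: domain,
    otherwise the action the p= tag requests."""
    tags = parse_dmarc_record(txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    name, txt = build_dmarc_record("habibza.in", "quarantine", rua="dmarc@habibza.in")
    print(name, "IN TXT", f'"{txt}"')
    # A spoofed message that passes SPF for the attacker's own domain still
    # fails alignment with the From: domain and gets the p= action.
    print(dmarc_disposition(txt, "habibza.in", "attacker.example", "pass", "", "none"))
```

The point the example makes is that SPF or DKIM passing is not enough: the passing identifier must also align with the visible From: domain, and the aspf/adkim tags decide how strict that match is.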
Sender Policy Framework (SPF) is used to authenticate the server that sends an email. With an SPF record in place, receiving mail servers can verify that the connecting server is authorized to send email for a specific domain. An SPF record is a DNS TXT record on the domain itself containing the list of IP addresses and hostnames that are allowed to send email on behalf of your domain.
This is the SPF record I use, based on an online SPF generator:
habibza.in. IN TXT "v=spf1 mx a ip4:18.104.22.168/32 a:mail.habibza.in a:smtp.habibza.in ~all"
mx = Allow the servers listed in the domain's MX records to send email for this domain.
a = Allow the IP address in the domain's own A record to send email for this domain.
ip4:18.104.22.168/32 = An IP address or range in CIDR notation that delivers or relays mail for this domain.
a:mail.habibza.in = Any other server hostname (resolved through its A record) that may deliver or relay mail for this domain; the record above lists a second one, a:smtp.habibza.in.
~all = What receivers should do with mail from any server not matched above. The qualifier sets the strictness: ~all is softfail (accept but treat as suspicious), -all is fail (reject), ?all is neutral (no opinion).
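To show what the mechanisms and the ~all qualifier actually decide, here is an added example (not code from the original post or from Zimbra) that evaluates the SPF record above against a sending IP. DNS is replaced by a constructed in-memory table so it runs offline; the addresses given for habibza.in, mail.habibza.in, smtp.habibza.in and the MX host are made-up documentation-range values, and include:, redirect= and the 10-lookup limit of a real checker are left out.

```python
"""Added example, not code from the original post or from Zimbra: a small
SPF evaluator run over the record above. FAKE_DNS is a constructed stand-in
for live DNS (documentation-range addresses, not real data)."""
import ipaddress

SPF_RECORD = "v=spf1 mx a ip4:18.104.22.168/32 a:mail.habibza.in a:smtp.habibza.in ~all"

FAKE_DNS = {
    "A": {
        "habibza.in": ["192.0.2.10"],        # bare "a" mechanism resolves this
        "mail.habibza.in": ["192.0.2.25"],   # a:mail.habibza.in
        "smtp.habibza.in": ["192.0.2.26"],   # a:smtp.habibza.in
        "mx1.habibza.in": ["192.0.2.30"],    # host behind the "mx" mechanism
    },
    "MX": {"habibza.in": ["mx1.habibza.in"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                              # no prefix means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def _a_matches(ip, host, dns):
    """Does any A record of host equal the sending IP?"""
    return any(ip == ipaddress.ip_address(a) for a in dns["A"].get(host, []))


def check_spf(record, sender_ip, domain, dns=FAKE_DNS):
    """Return pass/fail/softfail/neutral for sender_ip under the record.
    Terms are tested left to right; the first match decides the result."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in parse_spf(record):
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = _a_matches(ip, arg or domain, dns)
        elif mech == "mx":
            hit = any(_a_matches(ip, mx, dns) for mx in dns["MX"].get(arg or domain, []))
        else:
            raise NotImplementedError(f"mechanism {mech!r} is not handled in this example")
        if hit:
            return QUALIFIERS[qual]
    return "neutral"   # no term matched and no "all" term: RFC 7208 default


if __name__ == "__main__":
    for ip in ("18.104.22.168", "192.0.2.25", "203.0.113.7"):
        print(ip, "->", check_spf(SPF_RECORD, ip, "habibza.in"))
```

Swapping ~all for -all in the record changes the last result from softfail to fail, which is the difference between a receiver marking unknown senders as suspicious and rejecting them outright.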
DKIM stands for DomainKeys Identified Mail and is used to authenticate an email by attaching a cryptographic signature to it that receivers verify against a public key in DNS. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. The DKIM public key lives in a DNS record, but that record is a bit more complicated than SPF. DKIM's advantage is that the signature survives forwarding as long as the signed headers and body are not modified, which SPF does not, and that makes it a foundation for securing your email.
Starting with Zimbra 8.0, the ability to add DKIM signing to outgoing mail is available.
Setting up signing consists of two steps:
- Running zmdkimkeyutil to generate the DKIM keys and selector. The generated data is stored in the LDAP server as part of the domain LDAP entry.
- Updating the DNS server with the public key TXT entry
zmdkimkeyutil should be run on an MTA server.
Adding DKIM data to a domain with no existing DKIM configuration
/opt/zimbra/libexec/zmdkimkeyutil -a -d habibza.in
Switch to the zimbra user and run zmdkimkeyutil to generate the DKIM key pair:
root@mail:~# su - zimbra
zimbra@mail:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d habibza.in
DKIM Data added to LDAP for domain habibza.in with selector 87428382-CF6D-11EC-9DEE-F88DDBDF68A9
Public signature to enter into DNS:
87428382-CF6D-11EC-9DEE-F88DDBDF68A9._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1ZqZZHblmORElqGsv4f0D67v9Vnqk15KAl18awxlahnsSQhAv8/JLacvsnZe/q3Wxr2u/gWou+UdmfJqy/+um2a2YXNH1ICTB+aG7Q4qucYT74i7sq88WxZ+RonWfcRHx5pLaGJ83CORMisGKSz02dNlL/Ftdyjkef8g/KDp7AWN51fhCLeZlQ8ks5SSjvvIPjHC6OJBsqrPY"
"i3AELInKaOA8j/E5L1gkVfgCRD4Avf2Yxn4L0GEU1BbsZzvPXQ1Wxp5V6S6F76fqL8GklJQFO9GWg369GnN5wOH8Yml2dz0a6Yp44fWY+4h/95K3KId9Q55TTb/9XuiAlZEkzOYQIDAQAB" ) ; ----- DKIM key 87428382-CF6D-11EC-9DEE-F88DDBDF68A9 for habibza.in
The DNS record is built from the output above with one small edit: the tool prints the value as several quoted strings, so join them into a single string by removing the inner quotation marks (and any space left where the strings met). The whole value is one line inside one pair of quotes:
87428382-CF6D-11EC-9DEE-F88DDBDF68A9._domainkey IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1ZqZZHblmORElqGsv4f0D67v9Vnqk15KAl18awxlahnsSQhAv8/JLacvsnZe/q3Wxr2u/gWou+UdmfJqy/+um2a2YXNH1ICTB+aG7Q4qucYT74i7sq88WxZ+RonWfcRHx5pLaGJ83CORMisGKSz02dNlL/Ftdyjkef8g/KDp7AWN51fhCLeZlQ8ks5SSjvvIPjHC6OJBsqrPYi3AELInKaOA8j/E5L1gkVfgCRD4Avf2Yxn4L0GEU1BbsZzvPXQ1Wxp5V6S6F76fqL8GklJQFO9GWg369GnN5wOH8Yml2dz0a6Yp44fWY+4h/95K3KId9Q55TTb/9XuiAlZEkzOYQIDAQAB"
87428382-CF6D-11EC-9DEE-F88DDBDF68A9 is the name of the selector, so the full record name is 87428382-CF6D-11EC-9DEE-F88DDBDF68A9._domainkey.habibza.in.
Removing DKIM data for a domain
/opt/zimbra/libexec/zmdkimkeyutil -r -d example.com
This command deletes the DKIM data from LDAP. New emails for the domain will no longer be signed. Leave the DNS TXT record in place for a while afterwards so that mail already signed with this key can still be verified.
DKIM with a Custom Selector Name
The selector name can be chosen with the -s parameter when generating the DKIM key. For example:
zimbra@mail:~$ /opt/zimbra/libexec/zmdkimkeyutil -a -d habibza.in -s myselector
DKIM Data added to LDAP for domain habibza.in with selector myselector
Public signature to enter into DNS:
myselector._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"IRqkdTjUOcMHg8nNPh1C/nHAd5gwRCq1J9ui7Q08PYrlMwyi4u2sjq68R800eP+CD6tBk9ZZtKV4bYqGQKbMz9M15ro0odh5o6H1MDX49O/PUh3Dp/N6csHt0X/2usubKjXi45kwIDAQAB" ) ; ----- DKIM key myselector for habibza.in
Retrieving the stored DKIM data for a domain
/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
This command outputs all the stored DKIM information for the domain, specifically:
- DKIM Private Key
- DKIM Public Signature
Add the DMARC, SPF and DKIM TXT records to DNS
The last step is to add the DMARC, SPF and DKIM TXT records in the DNS zone editor.
The DKIM key is 2048 bits long, so its TXT value is longer than the 255-character limit of a single TXT string, and the cPanel zone editor I use needs two string boxes for it. The DKIM value is still one continuous string: split it at any point and put the two halves in the two boxes, and resolvers concatenate them back together. Importantly, use only one pair of quotes around the value, not extra quotes around each part.
The final result looks like this.
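Both edits described on this page, joining the quoted strings printed by zmdkimkeyutil into one TXT value and splitting that value back into pieces of at most 255 characters for a zone editor such as cPanel's, are mechanical, so here they are as an added example (not code from the original post or from Zimbra). The selector, domain and public key are the ones printed by zmdkimkeyutil above; the example also decodes the p= value with a minimal DER walk to confirm it is a 2048-bit RSA key, and rejects the stray space that a careless copy-paste leaves between the strings.

```python
"""Added example, not code from the original post or from Zimbra: build the
DKIM DNS record from the zmdkimkeyutil output, validate the key, and split
the value for a zone editor. Selector, domain and key are the page's own."""
import base64

SELECTOR = "87428382-CF6D-11EC-9DEE-F88DDBDF68A9"
DOMAIN = "habibza.in"

# The three quoted strings exactly as zmdkimkeyutil printed them above.
ZMDKIM_STRINGS = [
    "v=DKIM1; k=rsa; ",
    "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1ZqZZHblmORElqGsv4f0D67v9Vnqk15KAl18awxlahnsSQhAv8/JLacvsnZe/q3Wxr2u/gWou+UdmfJqy/+um2a2YXNH1ICTB+aG7Q4qucYT74i7sq88WxZ+RonWfcRHx5pLaGJ83CORMisGKSz02dNlL/Ftdyjkef8g/KDp7AWN51fhCLeZlQ8ks5SSjvvIPjHC6OJBsqrPY",
    "i3AELInKaOA8j/E5L1gkVfgCRD4Avf2Yxn4L0GEU1BbsZzvPXQ1Wxp5V6S6F76fqL8GklJQFO9GWg369GnN5wOH8Yml2dz0a6Yp44fWY+4h/95K3KId9Q55TTb/9XuiAlZEkzOYQIDAQAB",
]


def join_txt_strings(strings):
    """A TXT RR's character-strings are concatenated with nothing in between."""
    return "".join(strings)


def parse_dkim_tags(txt):
    """Split 'k=v; k=v' into a dict and check the mandatory v= and p= tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DKIM1" or "p" not in tags:
        raise ValueError("missing v=DKIM1 or p= tag")
    return tags


def _der_tlv(buf, pos=0):
    """Minimal DER reader: returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_value):
    """Decode p= (a SubjectPublicKeyInfo) and return the RSA modulus size."""
    der = base64.b64decode(p_value, validate=True)   # rejects spaces and quotes
    tag, spki, _ = _der_tlv(der)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _alg, pos = _der_tlv(spki)              # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _der_tlv(spki, pos)         # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected a BIT STRING after the algorithm identifier")
    _, rsapub, _ = _der_tlv(bits[1:])          # skip the unused-bits octet
    _, modulus, _ = _der_tlv(rsapub)           # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_is_valid(txt):
    """True when the tags parse and p= decodes to an RSA key, else False."""
    try:
        rsa_key_bits(parse_dkim_tags(txt)["p"])
        return True
    except ValueError:                         # binascii.Error is a ValueError
        return False


def split_for_zone_editor(txt, limit=255):
    """Chunk a long TXT value into strings that resolvers concatenate back."""
    return [txt[i:i + limit] for i in range(0, len(txt), limit)]


def dkim_dns_record(selector, domain, strings):
    """Assemble name, one-line value, key size and zone-editor strings."""
    txt = join_txt_strings(strings)
    tags = parse_dkim_tags(txt)
    return {
        "name": f"{selector}._domainkey.{domain}",
        "txt": txt,
        "key_bits": rsa_key_bits(tags["p"]),
        "zone_editor_strings": split_for_zone_editor(txt),
    }


if __name__ == "__main__":
    rec = dkim_dns_record(SELECTOR, DOMAIN, ZMDKIM_STRINGS)
    print(rec["name"], "IN TXT", f'"{rec["txt"]}"')
    print("key size:", rec["key_bits"], "bits; boxes needed:", len(rec["zone_editor_strings"]))
```

The validate=True decode is the check worth keeping: a space or a stray quotation mark inside the p= value makes every signature from this selector fail verification, and it is exactly the kind of mistake the "remove the inner quotes" edit invites.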