CentOS 7.x Zimbra SPF, DMARC, DKIM
SPF is used to indicate which IP addresses are allowed to send email on behalf of our domain. Any server that receives email from @<our-domain> can check our SPF record and use it as a hint when deciding whether to treat the incoming email as spam. So, at the very least, configure a TXT record for SPF as follows:
"v=spf1 mx a ~all"
This indicates that the mail server (MX) addresses and the domain's own A record addresses (typically the same as www.<our-domain>) are allowed to send email on behalf of the domain. ~all indicates that other systems might send email on behalf of this domain but that they should be treated with suspicion. To make SPF stricter, consider using -all instead of ~all, which indicates that any other sender should be treated as spam.
Consider using online tools such as https://mxtoolbox.com/SPFRecordGenerator.aspx to generate a custom SPF record. You can also learn the SPF syntax online and hand-craft your SPF record as per your requirement.
For SPF no change is required on the Zimbra side. All changes are made to our public DNS TXT record only.
DMARC creates a feedback system through which other domains inform us when they receive email from our domain and those emails are categorized as spam. Normally any attacker can send spam with a fake sender address from our domain. This can badly affect the reputation of our domain, as the spam appears to originate from it. We would not know about such spam, as it goes directly from the attacker to the destination. With DMARC the destination server can inform us about the headers of such email, so that we can learn about attackers trying to send spam using our domain addresses.
As with SPF, we can learn the DMARC syntax ourselves. We can also use online generators such as https://www.kitterman.com/dmarc/assistant.html to generate a DMARC record. At the minimum, configure a _dmarc TXT record with the following value:
"v=DMARC1; p=quarantine; rua=mailto:dmarc@<our-domain>; ruf=mailto:dmarc@<our-domain>; sp=quarantine"
where <our-domain> should be replaced with our domain name, such as sbarjatiya.com.
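To check that the SPF and DMARC records above were entered as intended, here is a small parser for both record types. This is an added example, not code from the original page or from Zimbra; the record strings in main() are constructed from the values recommended above (with example.com standing in for the real domain), and in practice you would feed it the TXT data returned by dig -t txt <name>.

```python
"""Parse and sanity-check SPF and DMARC TXT records.

Added example, not code from the original page or from Zimbra. The record
strings in main() are constructed from the values the page recommends.
"""
import re

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_spf(record):
    """Return the SPF terms as (result, mechanism, argument) tuples.

    Modifiers such as redirect= or exp= come back as ("modifier", name, value).
    """
    parts = record.strip().strip('"').split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for term in parts[1:]:
        if re.match(r"^[a-z][a-z0-9_.-]*=", term, re.I):
            name, value = term.split("=", 1)
            terms.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"                        # no prefix means "+" (pass)
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")     # ip6 arguments keep their own colons
        mech = mech.split("/")[0].lower()      # strip a CIDR suffix such as "a/24"
        terms.append((SPF_QUALIFIERS[qualifier], mech, arg))
    return terms


def spf_default_result(record):
    """Result a receiver applies to senders matched by no other mechanism.

    "~all" gives softfail (treat with suspicion), "-all" gives fail, and a
    record without an "all" term yields neutral (the RFC 7208 default).
    """
    for result, mech, _ in parse_spf(record):
        if mech == "all":
            return result
    return "neutral"


def parse_dmarc(record):
    """Return DMARC tag=value pairs as a dict, checking the mandatory tags."""
    items = [i.strip() for i in record.strip().strip('"').split(";") if i.strip()]
    tags = {}
    for item in items:
        if "=" not in item:
            raise ValueError("malformed DMARC tag: %r" % item)
        tag, value = item.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    if not items or not items[0].lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("DMARC record must start with v=DMARC1")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError("DMARC record needs p=none, p=quarantine or p=reject")
    return tags


def dmarc_report_mailboxes(record):
    """Mailboxes that will receive aggregate (rua) and forensic (ruf) reports.

    These addresses must exist on the mail server (the page creates a dmarc user).
    """
    tags = parse_dmarc(record)
    boxes = {}
    for key in ("rua", "ruf"):
        uris = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
        boxes[key] = [u[len("mailto:"):] for u in uris if u.lower().startswith("mailto:")]
    return boxes


if __name__ == "__main__":
    # Constructed records following the values recommended on this page.
    spf = '"v=spf1 mx a ~all"'
    dmarc = ('"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; '
             'ruf=mailto:dmarc@example.com; sp=quarantine"')
    print("SPF terms:", parse_spf(spf))
    print("SPF result for unlisted senders:", spf_default_result(spf))
    print("DMARC tags:", parse_dmarc(dmarc))
    print("Report mailboxes:", dmarc_report_mailboxes(dmarc))
```

The parser deliberately rejects a DMARC record whose v tag is not first or whose p tag is missing, since receivers ignore such records entirely; dmarc_report_mailboxes() lists the mailboxes that have to exist before reports can be received.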
If you use the above DMARC value, create a user named dmarc on your email server. Ideally configure automatic deletion of emails after a certain time (e.g. 90 days) for the dmarc mailbox so that old DMARC reports get deleted automatically. You can open the dmarc mailbox and download the compressed XML files with aggregate information sent by various domains. This XML contains the header-from and the source IP from which emails were received. It also indicates whether the emails passed DKIM and SPF or not.
Again, no change is required on the Zimbra side to implement DMARC, apart from creating the dmarc user ID if you use the DMARC value suggested above.
Create a DKIM record for our domain by running the following command as the zimbra user:
/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
where example.com should be replaced with our email domain, such as sbarjatiya.com.
The output of the above command gives the value of the TXT record to be added for <SELECTOR>._domainkey, such as 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey. We should configure the appropriate TXT record and validate that we have added it correctly using:
dig -t txt <SELECTOR>._domainkey.example.com @ns.example.com   # Should show the stored TXT record properly
/opt/zimbra/common/sbin/opendkim-testkey -d example.com -s <SELECTOR> -x /opt/zimbra/conf/opendkim.conf
where ns.example.com is the authoritative DNS server for the example.com domain (note the @ before it, which tells dig to query that server). Replace example.com with your own domain and <SELECTOR> with the selector generated by the zmdkimkeyutil command. If everything is fine, the second command produces no output, which indicates that the test passed.
opendkim.conf: configuration error at line 0
If /opt/zimbra/conf/opendkim.conf is missing, you may get a "configuration error at line 0" error. To solve that, run the following as the zimbra user:
zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
/opt/zimbra/libexec/configrewrite opendkim