If, when sending a message to Gmail's mail servers, you suddenly receive an error like "550-5.7.1 Likely unsolicited mail. To reduce the amount of spam sent to Gmail, this message has been blocked.", it almost always means that DKIM, SPF and DMARC are not configured for your mail server. Large mail providers (Gmail, mail.ru, Yandex) expect these records to be present. Today we will explain how to set them up in the Zimbra Collaboration Suite.


Setting up DKIM in Zimbra
DKIM (DomainKeys Identified Mail) is an e-mail authentication method based on digital signatures. It lets receiving mail services verify that a message really was sent by the domain it claims to come from, and so protects recipients from fraudulent mailings sent with a forged sender address.

The sending server signs selected headers and the body of each outgoing message with the domain's private key and adds the result as a DKIM-Signature header; the public key is published in a DNS TXT record of the domain, where anyone can read it. Note that this is signing, not encryption: the message stays readable. The receiving MTA fetches the public key from the sender's DNS, verifies the signature, and thus checks that the message really came from the stated domain and was not altered in transit.

DKIM is available from Zimbra 8.0. Signature setup consists of two stages:
First stage: generation of keys and selector
Add DKIM data for a domain that has no existing DKIM configuration:
# su zimbra
$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
We get:
DKIM Data added to LDAP for domain example.com with selector ECAC22D2-DCA2-11E6-BA30-B554729FE32B
Public signature to enter into DNS:
ECAC22D2-DCA2-11E6-BA30-B554729FE32B._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs5OCY0sX04ziF+sOHt/1kq3A7iAzAjBjb4JteaoFzu1q2uBOiQS0uyaFeY6CgSgRRbvPnq8cWLG/XMU0tM9gSGtgtWDmHOs6/+QgKp6zRmetfsyABA2Y2U+XJlVURUE5ai3KIA/njt7IGZ5yeFsdZIKmhOCAOPGCovq10xkZXHdjRwiqxbCYGXv2m3o74BcWtOLPfEvexD5PYx"
"aTWFbelJpGlDN7WdBCE+ObpLGkJ9co/1sVOcd3c9SHfPq3jcBAFm7oPX2ak7Fb7cslVK77lA2hBgMYqI2Sh+T64o6R33dU++Ej7CuImmv7PAqVUn5MjYr05t3LK9dwWM8Cm6aJ/QIDAQAB" ) ; ----- DKIM key ECAC22D2-DCA2-11E6-BA30-B554729FE32B for example.com
You can also update the DKIM data for the domain:
$ /opt/zimbra/libexec/zmdkimkeyutil -u -d example.com
Delete DKIM data for a domain:
$ /opt/zimbra/libexec/zmdkimkeyutil -r -d example.com
Extract saved DKIM data for domain:
$ /opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
Second stage: updating DNS records
The public key must be published as a TXT record named SELECTOR._domainkey in the domain's zone. A single TXT string is limited to 255 bytes, so a 2048-bit key is split into several quoted strings, which resolvers concatenate:
$ORIGIN example.com.
ECAC22D2-DCA2-11E6-BA30-B554729FE32B._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs5OCY0sX04ziF+sOHt/1kq3A7iAzAjBjb4JteaoFzu1q2uBOiQS0uyaFeY6CgSgRRbvPnq8cWLG/XMU0tM9gSGtgtWDmHOs6/+QgKp6zRmetfsyABA2Y2U+XJlVURUE5ai3KIA/njt7IGZ5yeFsdZIKmhOCAOPGCovq10xkZXHdjRwiqxbCYGXv2m3o74BcWtOLPfEvexD5PYx"
"aTWFbelJpGlDN7WdBCE+ObpLGkJ9co/1sVOcd3c9SHfPq3jcBAFm7oPX2ak7Fb7cslVK77lA2hBgMYqI2Sh+T64o6R33dU++Ej7CuImmv7PAqVUn5MjYr05t3LK9dwWM8Cm6aJ/QIDAQAB" ) ; ----- DKIM key ECAC22D2-DCA2-11E6-BA30-B554729FE32B for example.com
Reload the DNS zone (do not forget to bump the serial) and check that the record resolves:
# host -t txt SELECTOR._domainkey.DOMAIN
For example:
# host -t txt ECAC22D2-DCA2-11E6-BA30-B554729FE32B._domainkey.example.com ns1.example.com
If the record is returned, use /opt/zimbra/common/sbin/opendkim-testkey to make sure the public key in DNS matches the private key Zimbra signs with:
$ opendkim-testkey -d example.com -s ECAC22D2-DCA2-11E6-BA30-B554729FE32B -x /opt/zimbra/conf/opendkim.conf
If you get the error:
opendkim-testkey: /opt/zimbra/conf/opendkim.conf: configuration error at line 0
the file /opt/zimbra/conf/opendkim.conf does not exist yet. Enable the opendkim service on the host and let Zimbra generate the configuration:
$ zmprov ms `zmhostname` +zimbraServiceEnabled opendkim
$ /opt/zimbra/libexec/configrewrite opendkim
If it becomes necessary to revoke a DKIM key (for example after the private key has leaked), publish the selector's TXT record with an empty "p=" tag: verifiers treat such a record as revoked. At the same time replace the key on the Zimbra side (zmdkimkeyutil -u generates a new key and selector) so outgoing mail is no longer signed with the revoked one.
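To see what a published record actually says, here is an added Python check (not part of the article and not Zimbra code) that joins the quoted TXT strings the way a resolver does, parses the DKIM tags, treats an empty p= tag as a revoked key, and reads the RSA modulus size out of the DER-encoded public key. Because it has to run offline, it builds its own SubjectPublicKeyInfo around a dummy 2048-bit modulus; that key is constructed for the demo and cannot sign anything. Only the selector name is taken from the article.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def _der(tag, body):
    """Encode one DER TLV with a definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_spki(bits):
    """Constructed SubjectPublicKeyInfo around a dummy modulus (demo only, not a usable key)."""
    n_bytes = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    if n_bytes[0] & 0x80:                 # DER INTEGER is signed: keep the value positive
        n_bytes = b"\x00" + n_bytes
    rsa_pub = _der(0x30, _der(0x02, n_bytes) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))


def zone_txt(selector, spki):
    """Render a DKIM TXT RR as zmdkimkeyutil prints it: several <=255-byte quoted strings."""
    p = "p=" + base64.b64encode(spki).decode()
    strings = ['"v=DKIM1; k=rsa; "'] + ['"%s"' % p[i:i + 250] for i in range(0, len(p), 250)]
    return "%s._domainkey IN TXT ( %s )" % (selector, " ".join(strings))


def txt_value(rr_text):
    """Join the quoted strings of a TXT RR; resolvers concatenate them with no separator."""
    return "".join(re.findall(r'"([^"]*)"', rr_text))


def dkim_tags(value):
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def _der_read(buf, pos=0):
    """Return (tag, body, position after the TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return the modulus size."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_id, pos = _der_read(body)
    if _der_read(alg_id)[1] != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bit_string, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_read(bit_string[1:])      # skip the unused-bits byte
    _, modulus, _ = _der_read(rsa_pub)             # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(rr_text):
    """Report selector, revocation status, key size and problems for one DKIM TXT RR."""
    tags = dkim_tags(txt_value(rr_text))
    result = {"selector": rr_text.split("._domainkey", 1)[0].strip(),
              "revoked": False, "bits": None, "problems": []}
    if tags.get("v", "DKIM1") != "DKIM1":
        result["problems"].append("unknown version %r" % tags["v"])
    if tags.get("k", "rsa") != "rsa":
        result["problems"].append("unsupported key type %r" % tags["k"])
    p = tags.get("p")
    if p is None:
        result["problems"].append("missing p= tag")
    elif p == "":
        result["revoked"] = True                   # empty p= means the key is revoked (RFC 6376)
    else:
        try:
            result["bits"] = rsa_modulus_bits(base64.b64decode(p, validate=True))
        except (ValueError, IndexError) as exc:    # binascii.Error is a ValueError
            result["problems"].append("p= is not a DER RSA public key: %s" % exc)
        else:
            if result["bits"] < 1024:
                result["problems"].append("below the RFC 8301 minimum of 1024 bits")
            elif result["bits"] < 2048:
                result["problems"].append("shorter than the recommended 2048 bits")
    return result


# Constructed sample in the article's layout; the key is the dummy one from fake_spki().
SAMPLE_RR = zone_txt("ECAC22D2-DCA2-11E6-BA30-B554729FE32B", fake_spki(2048))

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RR))
```

Feeding the output of `host -t txt` through txt_value() and check_dkim_record() gives a quick sanity check after a zone change: a 2048-bit key decodes with an empty problems list, a 1024-bit key is flagged as short, and a record with p= but no value is reported as revoked rather than as broken.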
By default, a 1024-bit key is created (depending on the ZCS version; the key shown above is 2048-bit, which is what the MIIBIjAN... prefix of its p= value indicates). The size can be changed with the -b parameter. RFC 8301 requires verifiers to accept keys of at least 1024 bits and recommends signing with 2048-bit keys, so on older versions pass -b 2048 explicitly.

Sender Policy Framework (SPF)
SPF (Sender Policy Framework) is an extension to mail delivery over SMTP, defined in RFC 7208. An SPF record lets receiving servers detect forged use of your domain as the sender and so helps stop spam sent in your name. SPF is checked against the domain of the envelope-from address (SMTP MAIL FROM), not against the From: header that the user sees.

With an SPF record, a domain owner publishes the list of servers authorized to send mail for the domain. The general form is:
v=spf1 [mechanisms] [-all | ~all | redirect=domain]
The version is always spf1. Mechanisms say who may send mail:
- a, mx - the hosts listed in the domain's A or MX records respectively;
- ip4, ip6 - a server address or subnet, for example ip4:62.220.58.0/24;
- include - evaluate another domain's SPF record and match if it passes (used for third-party senders such as a mailing service).
The final term decides what happens when nothing matched:
- -all means fail: the recipient should not accept the message;
- ~all means softfail: the check failed, but the recipient acts at its own discretion (typically accepts and marks the message);
- redirect=other.domain means take the rules from another domain's SPF record instead.
Each mechanism may also carry its own qualifier (+, -, ~ or ?); a mechanism without one means + (pass).
Consider some examples:
Example 1
example.com. IN TXT "v=spf1 ip4:62.220.58.72 a mx -all"
For the example.com domain, accept messages sent from the IP address 62.220.58.72 and from the hosts in the domain's A and MX records; messages from any other server must be rejected.
Example 2
example.com. IN TXT "v=spf1 redirect=example.org"
Use the SPF rules published for example.org.
Example 3
example.com. IN TXT "v=spf1 include:_spf.google.com -all"
Accept mail only from Google's SMTP servers (those listed in the _spf.google.com record).
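To make the three examples concrete, here is an added Python evaluator (not from the article and not Zimbra code) that walks an SPF record for a given sending IP, resolving a, mx, ip4/ip6, include and redirect against a small constructed DNS table instead of live DNS. The table uses the article's 62.220.58.x addresses plus RFC 5737 test ranges, and a constructed _spf.example.net stands in for _spf.google.com from example 3. It implements only the mechanisms described above and omits exists, ptr, macros and the CIDR suffix on a/mx.

```python
import ipaddress

# Constructed DNS fixture so the evaluator runs offline (not real zone data).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:62.220.58.72 a mx -all"],        # example 1
    ("example.com", "A"): ["62.220.58.71"],
    ("example.com", "MX"): ["ns1.example.com"],
    ("ns1.example.com", "A"): ["62.220.58.71"],
    ("redirect.example", "TXT"): ["v=spf1 redirect=example.org"],          # example 2
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("include.example", "TXT"): ["v=spf1 include:_spf.example.net -all"],  # example 3
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the fixture above."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def _host_has_ip(host, addr):
    return any(ipaddress.ip_address(a) == addr for a in lookup(host, "A"))


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                      # crude stand-in for the RFC 7208 lookup limit
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:                # two SPF records is a permanent error, not a merge
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only consulted if no mechanism matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when the address families differ, so ip4 never matches an IPv6 sender
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _host_has_ip(arg or domain, addr)
        elif name == "mx":
            matched = any(_host_has_ip(mx, addr) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"   # include matches only on pass
        else:
            return "permerror"          # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(ip, redirect, depth + 1)
    return "neutral"                    # record exhausted without an *all term


if __name__ == "__main__":
    for sender, dom in [("62.220.58.72", "example.com"), ("203.0.113.5", "example.com"),
                        ("203.0.113.5", "redirect.example"), ("192.0.2.10", "include.example")]:
        print(sender, dom, "->", check_spf(sender, dom))
```

The difference between the terminators shows up directly: 203.0.113.5 gets fail from example.com (-all) but only softfail via redirect.example, whose target ends in ~all. The include case also shows the rule that matters for third-party senders: a fail inside the included record does not propagate, it simply does not match, and the outer -all decides.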
DMARC setup
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a technical specification created by a group of organizations to deal with spammers who spoof sender addresses. It builds on SPF and DKIM: the domain owner publishes in DNS what a receiver should do with a message whose From: header claims the domain but which passes neither an aligned DKIM check (the signature's d= domain matches the From: domain) nor an aligned SPF check (the envelope-from domain matches the From: domain).
The receiving server thus evaluates SPF and DKIM itself and then applies the disposition from the DMARC record. By publishing DMARC, domain owners set the rules for handling messages that fraudulently claim their domain, and can receive reports about them.

After creating the SPF and DKIM records, configure DMARC by adding a TXT record named _dmarc under your domain (similar to SPF). The record is a list of tag=value pairs; the most commonly used tags are:
- v - protocol version, always DMARC1;
- p - policy for the domain (see below);
- sp - policy for subdomains (defaults to the value of p);
- rua - address for aggregate reports;
- ruf - address for per-message failure reports;
- adkim, aspf - alignment mode for DKIM and SPF: r (relaxed, same organizational domain) or s (strict, exact match); the default is relaxed;
- pct - percentage of failing messages to which the policy is applied (default 100).
The full list can be found in the IANA registry of DMARC tags.
The policy for the domain (what the recipient server should do when neither the SPF nor the DKIM check passes with alignment) is one of three:
- none - only record the messages for the report, do nothing with the messages themselves;
- quarantine - treat such messages as suspicious (usually deliver them to the spam folder);
- reject - refuse the messages at the SMTP level.
If you want to receive aggregate reports, do not forget to include the mailbox address in the rua tag:
_dmarc.example.com IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com"
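The alignment rule is what most DMARC rollouts trip over: an SPF pass for the envelope domain is worthless if that domain differs from the one in the From: header. The following Python evaluator is added here (not part of the article) and derives the disposition a receiver would apply from a DMARC record plus the SPF and DKIM outcomes. It assumes a simplified organizational-domain rule (last two labels, where real receivers use the Public Suffix List) and takes the pct= sampling draw as a parameter so the result is deterministic; record contents and domains are constructed for the demo.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(name):
    # Assumption: organizational domain = last two labels. Real evaluators use the
    # Public Suffix List so that names such as example.co.uk are handled correctly.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, draw=1):
    """Return 'pass' or the policy to apply (none, quarantine, reject).
    spf_domain is the envelope-from (MAIL FROM) domain; dkim_domain is the d= of a
    signature that verified. `draw` is the 1..100 value a receiver picks at random
    for the pct= tag; it is a parameter here only to keep the example deterministic."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"                          # no usable policy: message is unprotected
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    if dkim_ok or spf_ok:                      # one aligned pass is enough
        return "pass"
    policy = tags["p"]
    if from_domain.lower().rstrip(".") != org_domain(from_domain):
        policy = tags.get("sp", policy)        # subdomain: sp= overrides p=
    pct = int(tags.get("pct", "100"))
    if draw > pct:                             # message outside the sampled share
        policy = WEAKER.get(policy, "none")
    return policy


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:postmaster@example.com"
    print(dmarc_disposition(rec, "example.com", "pass", "bounce.example.net", "fail", None))
```

Run against the article's own record (p=none) every failing message still yields "none", which is why it is the right starting policy: you collect rua reports of what would have been blocked before moving to quarantine and then reject.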
Result of adding DNS records
Below is an example of dns entries for example.com:
$ORIGIN .
$TTL 3600
example.com IN SOA example.com. hostmaster.example.com. (
        2017011011 ; serial
        3600       ; refresh [1h]
        600        ; retry [10m]
        1209600    ; expire [14d]
        3600       ; min TTL [1h]
        )
        NS ns1.example.com.
        MX 10 ns1.example.com.
        A 62.220.58.71
        IN TXT "v=spf1 a mx ip4:62.220.58.71 ~all"
$ORIGIN example.com.
ECAC22D2-DCA2-11E6-BA30-B554729FE32B._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs5OCY0sX04ziF+sOHt/1kq3A7iAzAjBjb4JteaoFzu1q2uBOiQS0uyaFeY6CgSgRRbvPnq8cWLG/XMU0tM9gSGtgtWDmHOs6/+QgKp6zRmetfsyABA2Y2U+XJlVURUE5ai3KIA/njt7IGZ5yeFsdZIKmhOCAOPGCovq10xkZXHdjRwiqxbCYGXv2m3o74BcWtOLPfEvexD5PYx"
"aTWFbelJpGlDN7WdBCE+ObpLGkJ9co/1sVOcd3c9SHfPq3jcBAFm7oPX2ak7Fb7cslVK77lA2hBgMYqI2Sh+T64o6R33dU++Ej7CuImmv7PAqVUn5MjYr05t3LK9dwWM8Cm6aJ/QIDAQAB" ) ; ----- DKIM key ECAC22D2-DCA2-11E6-BA30-B554729FE32B for example.com
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com"
ns1 IN A 62.220.58.71
www 86400 IN CNAME example.com.