DMARC alignment in Zimbra 8.8.15

mabi
Posts: 9
Joined: Thu Nov 03, 2022 2:21 pm

DMARC alignment in Zimbra 8.8.15

Post by mabi »

Hello,

Does Zimbra 8.8.15 GA perform DMARC alignment (incl. SPF+DKIM alignment) out-of-the-box in order to prevent email address/domain spoofing?

And if yes, how can I verify that it is working properly?

Best regards,
M.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DMARC alignment in Zimbra 8.8.15

Post by L. Mark Stone »

mabi wrote:
> Hello,
>
> Does Zimbra 8.8.15 GA perform DMARC alignment (incl. SPF+DKIM alignment) out-of-the-box in order to prevent email address/domain spoofing?
>
> And if yes, how can I verify that it is working properly?
>
> Best regards,
> M.

Zimbra's SpamAssassin includes tests that check for this. You can customize the scores for each of these tests as you wish. By increasing the Amavis logging level to 2 from the default 1, you will see, for each email scanned by Zimbra, the list of specific SpamAssassin tests that fired (and their respective scores). This will enable you to confirm proper operation.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
mabi
Posts: 9
Joined: Thu Nov 03, 2022 2:21 pm

Re: DMARC alignment in Zimbra 8.8.15

Post by mabi »

Thank you very much for your reply. Glad to hear that Zimbra has these tests included. Unfortunately I can't seem to find these DMARC alignment tests. I checked in the /opt/zimbra/data/spamassassin/rules directory by grepping for "DMARC" and I can't find any such rules in SpamAssassin's config. Do these tests maybe have a prefix other than DMARC_? Or are they maybe located somewhere else?

Thanks also for the tip with the zimbraAmavisLogLevel parameter.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DMARC alignment in Zimbra 8.8.15

Post by L. Mark Stone »

mabi wrote:
> Thank you very much for your reply. Glad to hear that Zimbra has these tests included. Unfortunately I can't seem to find these DMARC alignment tests. I checked in the /opt/zimbra/data/spamassassin/rules directory by grepping for "DMARC" and I can't find any such rules in SpamAssassin's config. Do these tests maybe have a prefix other than DMARC_? Or are they maybe located somewhere else?
>
> Thanks also for the tip with the zimbraAmavisLogLevel parameter.

In the rules directory, 60_whitelst.cf has some DMARC notes, but you'll find all the real tests in the localrules directory.

Code:

grep DMARC /opt/zimbra/data/spamassassin/localrules/*

Hope that helps,
Mark
mabi
Posts: 9
Joined: Thu Nov 03, 2022 2:21 pm

Re: DMARC alignment in Zimbra 8.8.15

Post by mabi »

Hi Mark,

Thank you for your hint regarding the location to search for. So grepping for DMARC I could find the following rules/scores in the salocal.cf file:

Code:

  askdns   __DMARC_POLICY_NONE   _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*none       \s*(?:;|\z)/x
  askdns   __DMARC_POLICY_QUAR   _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*quarantine \s*(?:;|\z)/x
  askdns   __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*reject     \s*(?:;|\z)/x

  meta     DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
  describe DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
  score    DMARC_FAIL_REJECT 9.0

  meta     DMARC_FAIL_QUAR   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
  describe DMARC_FAIL_QUAR   DMARC validation failed and policy is quarantine
  score    DMARC_FAIL_QUAR   6.0

  meta     DMARC_FAIL_NONE   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
  describe DMARC_FAIL_NONE   DMARC validation failed and policy is none
  score    DMARC_FAIL_NONE   1.2

  meta     DMARC_PASS_REJECT DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_REJECT
  describe DMARC_PASS_REJECT DMARC validation passed and policy is to reject
  tflags   DMARC_PASS_REJECT nice
  score    DMARC_PASS_REJECT -1.2

  meta     DMARC_PASS_QUAR   DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_QUAR
  describe DMARC_PASS_QUAR   DMARC validation passed and policy is quarantine
  tflags   DMARC_PASS_QUAR   nice
  score    DMARC_PASS_QUAR   -1.0

  meta     DMARC_PASS_NONE   DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_NONE
  describe DMARC_PASS_NONE   DMARC validation passed and policy is none
  tflags   DMARC_PASS_NONE   nice
  score    DMARC_PASS_NONE   -0.6

I then checked each one of them, and all these rules do is check whether SPF passed and DKIM is valid and authorized. None of these rules check if SPF and DKIM are aligned and hence if DMARC is also aligned...
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DMARC alignment in Zimbra 8.8.15

Post by L. Mark Stone »

If by “aligned” you mean that both DKIM and SPF are valid, yes I agree there is no test of which I am aware for that.

Please help me to understand why that matters?

If I have a valid DKIM-signed email that fails SPF, then I know that most commonly the admin forgot to add the sending server’s IP to the SPF record.

If I have a failed DKIM test (and not from forwarding) but a valid SPF, again, most commonly I see this is due to the admin neglecting to set up DKIM.

While it is nice to know that DKIM and SPF are both “aligned” (if that’s what you mean) by both being correct, I’m not sure what value that adds in deciding whether to score an offending email high enough to mark it as spam.

I mark a not insignificant amount of email as spam from large well-known companies due to sloppiness on the part of their email admins.

When my customers ask me why I’m marking those emails as spam, I explain that I am doing what the sender’s DNS records are commanding me to do.

If you have another definition for “alignment” I’m curious to know!

All the best,
Mark
mabi
Posts: 9
Joined: Thu Nov 03, 2022 2:21 pm

Re: DMARC alignment in Zimbra 8.8.15

Post by mabi »

Dear Mark,

In order to understand why full alignment of SPF, DKIM and DMARC is so important in fighting spam and especially phishing mails, I kindly invite you to have a look at the Zimbra blog post entitled "mail security webinar about DMARC" which you can find at the link below:

https://blog.zimbra.com/2022/04/email-s ... out-dmarc/

Please watch the full video here:

https://www.youtube.com/watch?v=UrsHtmd ... =emb_title

or alternatively carefully go through all slides of this presentation:

https://blog.zimbra.com/wp-content/uplo ... Series.pdf

I hope this will give you enough insight on why this matters, or please kindly explain to me why it would not matter...

Best regards,
Mabi
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DMARC alignment in Zimbra 8.8.15

Post by L. Mark Stone »

Hi Mabi,

Thanks for the reference links; I am very familiar with SPF, DKIM and DMARC and totally agree the three should be deployed by senders to protect one's own domain from abuse, and checked by recipients to minimize ingestion of spam/harmful emails.

What I thought you were asking originally was if there was a SpamAssassin test that checked "alignment" between the three technologies. In the first instance, I was endeavoring to ask exactly what you meant by "alignment". But more practically speaking, I was endeavoring to ask what in your view is lacking with the existing SpamAssassin and other tests that you feel requires you to add an additional "alignment" test?
mabi
Posts: 9
Joined: Thu Nov 03, 2022 2:21 pm

Re: DMARC alignment in Zimbra 8.8.15

Post by mabi »

Hi Mark,

Thank you for your answer.

For me, what I see right now is that Zimbra and/or SpamAssassin is clearly lacking SPF alignment and DKIM alignment checks, meaning that it does not do proper DMARC alignment. What I could see so far is that Zimbra, or SpamAssassin respectively, does DKIM authentication and SPF authentication, but that's only half of the work for a proper and complete DMARC check on incoming mails... Alignment is fully missing...

In a Google support article about DMARC they nicely explain in short what is required for a DMARC check to fully pass, and that would be the following, I quote:

> To pass DMARC, a message must pass at least one of these checks:
>
> SPF authentication and SPF alignment
> DKIM authentication and DKIM alignment
>
> A message fails the DMARC check if the message fails both:
>
> SPF (or SPF alignment)
> DKIM (or DKIM alignment)

Source: https://support.google.com/a/answer/10032169#alignment

So for me Zimbra/SpamAssassin does only half the job or I still did not manage to find out where exactly Zimbra/SpamAssassin does any SPF and DKIM alignment...

I hope that makes things clearer for you; if not, feel free to ask again. I would really like to get full DMARC support as this is very important to fight phishing mails with spoofed addresses.

Best regards,
Mabi
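
Added example, not part of the original thread and not Zimbra or SpamAssassin code: a sketch of the pass/fail logic from the Google quote above, set beside the `!(DKIM_VALID_AU || SPF_PASS)` condition of the salocal.cf meta rules. The domains, the tiny public-suffix set and all function names are constructed for illustration; a real check needs the full Public Suffix List.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the Public Suffix List (assumption, not real data).
PUBLIC_SUFFIXES = {"example", "com", "org", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational domain: longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str        # domain of the From: header the user sees
    spf_pass: bool          # SPF result for the envelope sender
    mail_from_domain: str   # envelope (MAIL FROM) domain SPF was checked for
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures

def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """Pass if SPF passes AND aligns, or some valid DKIM signature aligns."""
    spf_ok = r.spf_pass and aligned(r.mail_from_domain, r.from_domain, aspf)
    dkim_ok = any(aligned(d, r.from_domain, adkim) for d in r.dkim_pass_domains)
    return spf_ok or dkim_ok

def salocal_dmarc_fail(dkim_valid_au: bool, spf_pass: bool) -> bool:
    """Non-policy half of the DMARC_FAIL_* meta rules quoted in this thread;
    both inputs are taken as SpamAssassin reported them."""
    return not (dkim_valid_au or spf_pass)

# Constructed case: SPF and DKIM pass for the envelope domain only,
# while From: shows an unrelated domain.
SPOOFED = AuthResults("bank.example", True, "bulk-sender.example",
                      ["bulk-sender.example"])
# Constructed case: bounce subdomain of the same organizational domain.
LEGIT = AuthResults("bank.example", True, "bounce.mail.bank.example")
```

For `SPOOFED`, `dmarc_pass` returns False while `salocal_dmarc_fail(False, True)` also returns False, so none of the DMARC_FAIL_* rules would fire on a message that fails DMARC.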
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: DMARC alignment in Zimbra 8.8.15

Post by L. Mark Stone »

Hi Mabi,

If the built-in tests for DMARC that ship with SpamAssassin don't meet your needs, Zimbra allows you to customize SpamAssassin as you wish.

There may also be existing third-party plugins for the DMARC checks you are seeking, and you are free to incorporate those too. This link has some proposed tests with different scores depending on the p= value in the sender's DMARC record: https://serverfault.com/questions/10232 ... but-not-qu

But there are already similar rules in the 3.4.6 version of SpamAssassin shipping with Zimbra, so if I've missed the mark it would be helpful if you could explain with specificity exactly what it is you want to test.

Code:

zimbra@mail2:~/data/spamassassin/localrules$ grep DMARC *
grep: sa-update-keys: Is a directory
salocal.cf:  askdns   __DMARC_POLICY_NONE   _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*none       \s*(?:;|\z)/x
salocal.cf:  askdns   __DMARC_POLICY_QUAR   _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*quarantine \s*(?:;|\z)/x
salocal.cf:  askdns   __DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v\s*=DMARC1 (?=\s*;) .* ;\s* p\s*=\s*reject     \s*(?:;|\z)/x
salocal.cf:  meta     DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT
salocal.cf:  describe DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
salocal.cf:  score    DMARC_FAIL_REJECT 9.0
salocal.cf:  meta     DMARC_FAIL_QUAR   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_QUAR
salocal.cf:  describe DMARC_FAIL_QUAR   DMARC validation failed and policy is quarantine
salocal.cf:  score    DMARC_FAIL_QUAR   6.0
salocal.cf:  meta     DMARC_FAIL_NONE   !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_NONE
salocal.cf:  describe DMARC_FAIL_NONE   DMARC validation failed and policy is none
salocal.cf:  score    DMARC_FAIL_NONE   1.2
salocal.cf:  meta     DMARC_PASS_REJECT DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_REJECT
salocal.cf:  describe DMARC_PASS_REJECT DMARC validation passed and policy is to reject
salocal.cf:  tflags   DMARC_PASS_REJECT nice
salocal.cf:  score    DMARC_PASS_REJECT -1.2
salocal.cf:  meta     DMARC_PASS_QUAR   DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_QUAR
salocal.cf:  describe DMARC_PASS_QUAR   DMARC validation passed and policy is quarantine
salocal.cf:  tflags   DMARC_PASS_QUAR   nice
salocal.cf:  score    DMARC_PASS_QUAR   -1.0
salocal.cf:  meta     DMARC_PASS_NONE   DKIM_VALID_AU && SPF_PASS && __DMARC_POLICY_NONE
salocal.cf:  describe DMARC_PASS_NONE   DMARC validation passed and policy is none
salocal.cf:  tflags   DMARC_PASS_NONE   nice
salocal.cf:  score    DMARC_PASS_NONE   -0.6
zimbra@mail2:~/data/spamassassin/localrules$

Hope that helps,
Mark