DMARC for mail server domain
We have a zimbra 8.8 server that handles around 10 domains.
The zimbra server domain is the mx for all of those domains so when a lookup is done for email, it finds the zimbra server domain's mx.
When I test DMARC for the zimbra domain, everything looks good because I created the DMARC key for the mail server domain.
However, when I test for any of the domains that the server is handling mail for, all fail the DMARC test.
This is expected since those domains are using the mail server's MX so don't have their own DMARC records.
My question is, should I be creating a DMARC key for each of those domains, even though they are using the mail server for their mail services?
Re: DMARC for mail server domain
zim_mike wrote:
> My question is, should I be creating a DMARC key for each of those domains, even though they are using the mail server for their mail services?

The answer to that question would be yes, you should create DMARC (and SPF etc., etc.) DNS records for each domain.
Re: DMARC for mail server domain
That might explain why some email keeps landing in spam bins from the domains that are hosted on that server.
Do I use the same method as the main domain, meaning...
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain1.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain2.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain3.com
And this won't break anything on the mail server right?
Re: DMARC for mail server domain
zim_mike wrote:
> That might explain why some email keeps landing in spam bins from the domains that are hosted on that server.
> Do I use the same method as the main domain, meaning...
> /opt/zimbra/libexec/zmdkimkeyutil -a -d domain1.com
> /opt/zimbra/libexec/zmdkimkeyutil -a -d domain2.com
> /opt/zimbra/libexec/zmdkimkeyutil -a -d domain3.com
> And this won't break anything on the mail server right?

Yes, you use the same method as the primary domain, and no, it won't break anything - although I use Rspamd, which does DMARC for me, it does the same as the ZCS opendkim and it works fine. Obviously when you create the new DMARC DNS records you should set them with a policy of "none" initially so your mail doesn't get rejected if there are any problems.
Re: DMARC for mail server domain
Thank you very much Bill.
I actually have it set to reject because I was seeing some negative results when testing DMARC due to using none.
My understanding was that when set to none, while there is a valid DMARC, it seems to get a negative since we're still allowing everything.
Looking at the records generated by Zimbra, I don't really see a policy setting. Each one looks like this and no mention of the policy setting such as none, quarantine or reject.
v=DKIM1;k=rsa;p=MIIBxxxxxxxxxxxxxxxxxx (long code)
Maybe I need to test that again using none.
Last edited by zim_mike on Fri Jul 19, 2019 4:06 pm, edited 1 time in total.
Re: DMARC for mail server domain
The 'none' option should just report if the mail is failing DMARC rather than it being rejected. Obviously there are test sites that will verify if your DMARC settings are correct (and send you a report), as will sending a message to gmail - in those circumstances you don't really want it to be rejected; once you're happy it's all OK then flip it to reject.
Re: DMARC for mail server domain
I understand. What I am not finding however is how you introduce the policy setting into the code generated by zimbra.
Last edited by zim_mike on Fri Jul 19, 2019 4:18 pm, edited 1 time in total.
Re: DMARC for mail server domain
I think I have it now, it's a separate TXT entry.
v=DMARC1; p=quarantine; rua=mailto:xxxx@report.com; fo=1
Re: DMARC for mail server domain
Last but not least, if it helps anyone else.
Using mxtoolbox, the dmarc record for domains with p=none receive
DMARC Policy Not Enabled DMARC Quarantine/Reject policy not enabled
I'm not 100% sure if this is a bad thing but it's probably ok while testing and until it's changed to something higher.
Re: DMARC for mail server domain
Are you following the wiki article here: https://wiki.zimbra.com/wiki/Best_Pract ... MARC#DMARC
Effectively what you're doing for each domain is creating a DKIM signing key and adding that to a public DNS server; next you also add a DMARC record to the public DNS server, and that verifies that the mail is from the organisation that's supposed to be sending it. Obviously you'll need SPF records for each domain saying that it's your mail server that's sending the mail for that domain.
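As an added example (not part of this thread or of Zimbra), a small Python check that takes the TXT records published for a hosted domain and reports whether SPF, a DKIM selector record and DMARC are present, whether SPF actually authorises the mail host, and whether DMARC is still at p=none, which is what the mxtoolbox "policy not enabled" warning above refers to. The zone data, selector name and mail host name are constructed samples.

```python
# Added example (not from the thread or the Zimbra project): given the TXT records
# published for a hosted domain, report which of SPF, DKIM and DMARC are missing
# or still in monitoring mode. DNS names, selector and record values are constructed.

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def check_domain(domain, txt, mail_host):
    """txt maps DNS names to TXT strings. Returns a list of findings; [] means OK."""
    findings = []
    terms = txt.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        findings.append("SPF: no v=spf1 record")
    elif not any(t in ("mx", "a:" + mail_host, "include:" + mail_host) for t in terms):
        findings.append("SPF: record does not authorise " + mail_host)
    dkim = [v for n, v in txt.items() if n.endswith("._domainkey." + domain)]
    if not dkim:
        findings.append("DKIM: no selector record under _domainkey")
    elif not all(parse_tags(v).get("v") == "DKIM1" and parse_tags(v).get("p") for v in dkim):
        findings.append("DKIM: selector record lacks v=DKIM1 or public key p=")
    dmarc = parse_tags(txt.get("_dmarc." + domain, ""))
    policy = dmarc.get("p")
    if dmarc.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing record or invalid p= policy")
    else:
        if policy == "none":
            findings.append("DMARC: p=none only reports, failures are not enforced")
        if not dmarc.get("rua", "").startswith("mailto:"):
            findings.append("DMARC: no rua= address, so no aggregate reports")
    return findings

# Constructed sample zone data for two hosted domains behind mail.example.net.
SAMPLE_TXT = {
    "domain1.com": "v=spf1 mx -all",
    "sel1._domainkey.domain1.com": "v=DKIM1;k=rsa;p=MIIBexampleKey",
    "_dmarc.domain1.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@report.com; fo=1",
    "_dmarc.domain2.com": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    for d in ("domain1.com", "domain2.com"):
        print(d, check_domain(d, SAMPLE_TXT, "mail.example.net") or ["OK"])
```

In practice you would feed it the real TXT answers for each hosted domain (for example from dig) and run it before and after flipping p=none to quarantine or reject.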