DMARC for mail server domain

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
zim_mike
Outstanding Member
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

DMARC for mail server domain

Post by zim_mike »

We have a zimbra 8.8 server that handles around 10 domains.
The zimbra server domain is the mx for all of those domains so when a lookup is done for email, it finds the zimbra server domain's mx.

When I test DMARC for the zimbra domain, everything looks good because I created the DMARC key for the mail server domain.
However, when I test for any of the domains that the server is handling mail for, all fail the DMARC test.
This is expected since those domains are using the mail server's MX so don't have their own DMARC records.

My question is, should I be creating a DMARC key for each of those domains, even though they are using the mail server for their mail services?
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: DMARC for mail server domain

Post by phoenix »

zim_mike wrote:My question is, should I be creating a DMARC key for each of those domains, even though they are using the mail server for their mail services?
The answer to that question would be yes you should create a DMARC (and SPF etc., etc.) DNS records for each domain.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
zim_mike
Outstanding Member
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: DMARC for mail server domain

Post by zim_mike »

That might explain why some email keeps landing in spam bins from the domains that are hosted on that server.
Do I use the same method as the main domain, meaning...

/opt/zimbra/libexec/zmdkimkeyutil -a -d domain1.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain2.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain3.com

And this won't break anything on the mail server right?
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: DMARC for mail server domain

Post by phoenix »

zim_mike wrote:That might explain why some email keeps landing in spam bins from the domains that are hosted on that server.
Do I use the same method as the main domain, meaning...

/opt/zimbra/libexec/zmdkimkeyutil -a -d domain1.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain2.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain3.com

And this won't break anything on the mail server right?
Yes, you use the same method as the primary domain and no, it won't break anything - although I use Rspamd and that does DMARC for me it does the same as the ZCS opendkim and it works fine. Obviously when you create the new DMARC DNS records you should set it with a policy of "none" initially so your mail doesn't get rejected if there are any problems.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
zim_mike
Outstanding Member
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: DMARC for mail server domain

Post by zim_mike »

Thank you very much Bill.
I actually have it set to reject because I was seeing some negative results when testing DMARC due to using none.
My understanding was that when set to none, while there is a valid DMARC, it seems to get a negative since we're still allowing everything.

Looking at the records generated by Zimbra, I don't really see a policy setting. Each one looks like this and no mention of the policy setting such as none, quarantine or reject.
v=DKIM1;k=rsa;p=MIIBxxxxxxxxxxxxxxxxxx (long code)

Maybe I need to test that again using none.
Last edited by zim_mike on Fri Jul 19, 2019 4:06 pm, edited 1 time in total.
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: DMARC for mail server domain

Post by phoenix »

The 'none' option should just report if the mail is failing DMARC rather then it being rejected. Obviously there test sites that will verify if your DMAR settings (and send you a report) are correct as will sending a message to gmail - in those circumstances you don't really want it to be rejected, once you're happy it's all OK then flip it to reject.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
zim_mike
Outstanding Member
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: DMARC for mail server domain

Post by zim_mike »

I understand. What I am not finding however is how you introduce the policy setting into the code generated by zimbra.
Last edited by zim_mike on Fri Jul 19, 2019 4:18 pm, edited 1 time in total.
zim_mike
Outstanding Member
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: DMARC for mail server domain

Post by zim_mike »

I think I have it now, it's a separate TXT entry.

v=DMARC1; p=quarantine; rua=mailto:xxxx@report.com; fo=1
zim_mike
Outstanding Member
Outstanding Member
Posts: 330
Joined: Sat Sep 13, 2014 3:26 am

Re: DMARC for mail server domain

Post by zim_mike »

Last but not least, if it helps anyone else.

Using mxtoolbox, the dmarc record for domains with p=none receive

DMARC Policy Not Enabled DMARC Quarantine/Reject policy not enabled

I'm not 100% sure if this is a bad thing but it's probably ok while testing and until it's changed to something higher.
phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: DMARC for mail server domain

Post by phoenix »

Are you following the wiki article here: https://wiki.zimbra.com/wiki/Best_Pract ... MARC#DMARC

Effectively what you're doing for each domain is creating a DKIM signing key and adding that to a Public DNS server, next you also add a DMARC record to the Public DNS server and that verifies that the mail is from the organisation that's supposed to be sending it. Obviously you'll need SPF records for each domain saying that's it's your mail server that's sending the mail for that domain.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Post Reply