Best Practices on Email Protection: SPF, DKIM and DMARC: Difference between revisions
Revision as of 22:37, 6 April 2015
Article Information: this article applies to the following ZCS versions: ZCS 8.6, ZCS 8.5, ZCS 8.0.
Best Practices on Email Protection: SPF, DKIM and DMARC
Once Zimbra Collaboration is installed, some additional configuration is needed so that the email we send to other email systems, such as Gmail, Hotmail or Yahoo!, is accepted with improved security. This wiki article shows the different email protection mechanisms that exist; depending on the volume of email you send, it may be better to implement only one of them, two, or all of them.
SPF
Sender Policy Framework (SPF) is an email validation system designed to prevent unwanted email sent by spoofing the sender domain. To check for this common security problem, the receiving server verifies the source IP of the email and compares it against a DNS TXT record with SPF content published by the sender domain.
Where does it need to be configured?
SPF needs to be configured in the public DNS.
How to configure it?
First of all, generate the SPF TXT DNS entry (using the Mailradar SPF Tool or something similar). For example, the domain called domain.com has 3 different entries to add:
- The A entry - mail.domain.com
- The MX entry - srvmta.domain.com
- The IPv4 entry - 60.70.80.90
If your email system uses external services such as Mailchimp, Salesforce, etc., add them in the include part, for example:
- include:servers.mcsv.net (Mailchimp)
- include:_spf.salesforce.com (Salesforce)
- include:_spf.google.com (Google Apps)
Understand the "all" mechanism in the SPF entry
SPF can be configured in different ways, from neutral to hard fail. Almost 98% of domains use ~all (softfail), which means that even if something in the SPF entry does not match the source mail server, the mail is only marked as softfail. Here is the complete table to understand the all mechanism in SPF:
Parameter | Result | Meaning |
---|---|---|
+all | pass | Permits all email, as if nothing were configured. |
-all | fail | Only marks the email as pass if the source email server exactly matches (IP, MX, etc.) the SPF entry. |
~all | softfail | Allows the email to be sent, and if something does not match marks it as softfail. |
?all | neutral | No policy. |
Difference between ~all and -all
If your domain is under a spam attack that tries to spoof your domain, try changing the SPF to -all for a while and reset it to ~all when the attack ends. Keep -all selected if you want to be strict with the SPF entry and you are sure that your DNS entry is correct.
How to test it
There are a lot of SPF tools to check whether the DNS entry is correct, for example:
- http://tools.wordtothewise.com/spf (shows an overview of all the allowed IPs that can send using the domain)
- http://www.kitterman.com/getspf2.py (simple but effective; shows the SPF DNS entry and also the result: pass, softfail, fail, neutral, etc.)
- http://mxtoolbox.com/ (a classic)
Deprecated SPF RR, use TXT RR only
In April 2014 the SPF DNS record type was deprecated in the RFC, and the correct way to implement SPF is using only a TXT DNS record. For example, before April 2014 it was valid to publish both DNS entries, TXT and SPF.
The RFC text where you can find the part about using only TXT:
- http://tools.ietf.org/html/rfc4408 (RFC before April 2014)
- http://tools.ietf.org/html/rfc7208 (RFC after April 2014)
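To make the SPF sections above concrete (building the record from the A, MX, IPv4 and include entries, the meaning of the all qualifiers, and the TXT-only rule), here is an added example of how a receiving server evaluates a source IP against a domain's SPF policy. It is example code written for this article, not part of Zimbra or of any SPF library. The DNS data is a constructed stand-in for the public DNS: the domain.com hostnames and 60.70.80.90 come from the article's example, the Mailchimp include target is given an invented policy, the legacy.example domain and all 203.0.113.x, 198.51.100.x and 192.0.2.x addresses are made up for the example, and only the ip4, a, mx, include and all mechanisms are modelled.

```python
import ipaddress

# Constructed stand-in for the public DNS (assumption: invented for this
# example). srvmta.domain.com is reached through domain.com's MX record, as
# the "mx" mechanism does; the deprecated type-99 "SPF" record of
# legacy.example is present only to show that it is ignored.
DNS = {
    "domain.com": {
        "TXT": [
            "v=spf1 a:mail.domain.com mx ip4:60.70.80.90 "
            "include:servers.mcsv.net ~all"
        ],
        "MX": ["srvmta.domain.com"],
    },
    "mail.domain.com": {"A": ["203.0.113.10"]},
    "srvmta.domain.com": {"A": ["203.0.113.20"]},
    "servers.mcsv.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "legacy.example": {"SPF": ["v=spf1 ip4:203.0.113.99 -all"]},
}

# The four qualifiers from the article's table.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve name/record type against the constructed zone data."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF policy, read from TXT only (RFC 7208).
    The deprecated type-99 SPF record is deliberately never consulted."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(source_ip, domain, record=None, depth=0):
    """Evaluate source_ip against the SPF policy of domain.

    Returns pass / fail / softfail / neutral, "none" when the domain publishes
    no SPF TXT record, or "permerror" on runaway include nesting. `record`
    lets the caller try an alternative policy (e.g. -all instead of ~all)
    without changing the DNS data.
    """
    if depth > 10:
        return "permerror"
    record = record or spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]     # "all" always matches
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include matches only when the referenced policy yields "pass"
            matched = check_spf(source_ip, arg, depth=depth + 1) == "pass"
        else:
            continue                         # exists, ptr, ... not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched, no "all" term


if __name__ == "__main__":
    for ip in ("60.70.80.90", "203.0.113.20", "198.51.100.7", "192.0.2.1"):
        print(ip, check_spf(ip, "domain.com"))
    print("192.0.2.1 with -all:",
          check_spf("192.0.2.1", "domain.com", record="v=spf1 ip4:60.70.80.90 -all"))
    print("legacy.example:", check_spf("203.0.113.99", "legacy.example"))
```

Running it shows the four listed sources passing through the a, mx, ip4 and include mechanisms, an unknown source getting softfail under ~all and fail once the record is switched to -all (the change the article suggests during a spoofing attack), and legacy.example returning "none" because its policy exists only in the deprecated SPF record type.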
DKIM
How to configure it?
How to test it
DMARC
How to configure it?
How to test it
rDNS
How to configure it?
How to test it
Sender ID
How to configure it?
How to test it
Identified Support Issues