Difference between revisions of "Best Practices on Email Protection: SPF, DKIM and DMARC"

(DMARC)
Line 91: Line 91:
  
 
==DMARC==
 
==DMARC==
 +
 +
[[File:Zimbra-DMARC.png]]
  
 
===Where needs to be configured?===
 
===Where needs to be configured?===
Line 97: Line 99:
  
 
===How to test it===
 
===How to test it===
 
  
 
==rDNS==
 
==rDNS==

Revision as of 12:02, 7 April 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.6 Article ZCS 8.6ZCS 8.5 Article ZCS 8.5ZCS 8.0 Article ZCS 8.0


Best Practices on Email Protection: SPF, DKIM and DMARC

Once we installed Zimbra Collaboration, we need to be aware of some additional configurations that will allow us to send emails to other Email systems with an improve Security, such Gmail, Hotmail, Yahoo!, etc. This Wiki article will show the different Email Protection resources that exists, depends of the volume of sent email, will be better implement only one, or two or all of them.

SPF

Sender Policy Framework (SPF) is an email validation system designed to prevent unwanted emails using a spoofing system. To check this common security problem, SPF verify the source IP of the email and compare it with a DNS TXT record with a SPF content. Zimbra-spf.png

Where needs to be configured?

SPF needs to be configured in the Public DNS

How to configure it?

First of all, generate the TXT SPF DNS entry (using the Mailradar SPF Tool, or something similar), for example with the domain called domain.com and have 3 different entries to add:

  • The A entry - mail.domain.com
  • The MX entry - srvmta.domain.com
  • The IPv4 entry - 60.70.80.90

If in your email system you are using external services like Mailchimp, Salesforce, etc. add them in the include part, for example:

  • include:servers.mcsv.net (Mailchimp)
  • include:_spf.salesforce.com (Salesforce)
  • include:_spf.google.com (Google Apps)

An example will looks like: Zimbra-spf002.png

Understand the "all" feature in the SPF entry

SPF can be configured in different ways, since neutral to hard fail. Almost 98% of domains are using the ~all (softfail) that means even if something of the SPF entry is wrong against the source Mailserver, mark the mail only like softfail. Here, the complete table to understand the feature all in the SPF

Parameter Result Means
+all pass Permits all the email, like have nothing configured.
-all fail Will only mark the email like pass if the source Email Server fits exactly, IP, MX, etc. with the SPF entry.
~all softfail Allows to send the email, and if something is wrong will mark it like softfail.
 ?all neutral Without policy

Difference between ~all and -all

If your domain is under an SPAM attack trying to spoofing your domain, try to change the SPF to -all for a while, and reset to ~all when the attack ends. Keep selected the -all if you want to be strict with the SPF entry and you are sure that your DNS entry is correct.

How to test it

Have a lot of SPF tools to check if the DNS entry is correct, for example:

Deprecated SPF RR, use TXT RR only

In April 2014, the SPF DNS record was deprecated in the RFC, and the correct way to implement the SPF is using only a TXT DNS record. For example, this was a valid DNS entries before April 2014, TXT and SPF: Zimbra-spf005.png

And here the RFC text where you can find the part about use only TXT: Zimbra-spf006.png

DKIM

DomainKeys Identified Mail (DKIM), is a method to associate de domain name and the email, allowing to a person or company assume the responsibiltity of the email.

Zimbra-dkim.png

Where needs to be configured?

DKIM needs to be generated per domain in our Zimbra Server, and needs to be configured in the public DNS of each domain.

How to configure it?

To configure properly DKIM, please follow the next Wiki - Configuring_for_DKIM_Signing

Once have the DKIM generated in Zimbra, add the info in the public DNS, will looks like:

Zimbra-dkim-002.png

How to test it

Have multiple websites to test it, for example:

  • http://dkimvalidator.com You need to send a email, once you have the DKIM configured, then in the website will found a section called DKIM and the result in the end, if the test is passed or not.

DMARC

Zimbra-DMARC.png

Where needs to be configured?

How to configure it?

How to test it

rDNS

Where needs to be configured?

How to configure it?

How to test it

Sender ID

Where needs to be configured?

How to configure it?

How to test it

Identified Support Issues


Verified Against: Zimbra Collaboration Suite 8.6, 8.5 Date Created: 04/07/2015
Article ID: https://wiki.zimbra.com/index.php?title=Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC Date Modified: 2015-04-07



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search