Disable SPF DKIM and DMRAC
Disable SPF, DKIM, and DMARC validation
Problem
Disable SPF, DKIM, and DMARC validation of incoming messages.
- Note: Disabling SPF, DKIM, and DMARC validation is not best practice because these records helps to identify spam messages.
Solution
Step-1: Disable SPF records validation. A. Disable SPF validation at CBPolicyd level, if CBPolicyd enabled. zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled FALSE
Note: To get existing value run "zmprov -l gs `zmhostname` zimbraCBPolicydCheckSPFEnabled"
B. Disable SPF checking at SpamAssassin level by modifying "/opt/zimbra/data/spamassassin/localrules/init.pre", open this file and comment "loadplugin Mail::SpamAssassin::Plugin::SPF". # loadplugin Mail::SpamAssassin::Plugin::SPF
Step-2:
Disable DKIM records validation.
A. Disable DKIM validation at Amavis level.
zmprov ms `zmhostname` zimbraAmavisEnableDKIMVerification FALSE
Note: To get existing value run "zmprov -l gs `zmhostname` zimbraAmavisEnableDKIMVerification"
B. Disable DKIM validation at SpamAssassin level by modifying "/opt/zimbra/data/spamassassin/localrules/v312.pre", open this file and comment "loadplugin Mail::SpamAssassin::Plugin::DKIM" # loadplugin Mail::SpamAssassin::Plugin::DKIM
Step-3 Disable DMARC validation. Nothing to do for DMRAC, it will not function when SPF, DKIM disabled.
Step-4: Restart MTA services. zmamavisdctl restart zmmtactl restart
Step-5: Verification, to confirm the same, check "X-Spam-Status:" in the show original of received emails. Must not display any tags related to SPF, DKIM, and DMARC.
Header when SPF, DKIM validation done. X-Spam-Status: No, score=1.467 required=6.6 tests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RDNS_NONE=1.274, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01]
Header when SPF, DKIM validation not done. X-Spam-Status: No, score=1.265 required=6.6 tests=[HTML_MESSAGE=0.001, RDNS_NONE=1.274, T_SCC_BODY_TEXT_LINE=-0.01]
Note: Customizations may not forward with updates/upgrades, so document these changes, and validate post update/upgrade ptache/zcs.
Submitted by: Raghu Noti |