Disable SPF DKIM and DMRAC
Disable SPF, DKIM, and DMARC validation
Problem
Disable SPF, DKIM, and DMARC validation of incoming messages.
Note: Disabling SPF, DKIM, and DMARC validation is not best practice because these records helps to identify spam messages.
Solution
Step 1:
- Disable SPF records validation.
- A. Disable SPF validation at CBPolicyd level, if CBPolicyd enabled.
zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled FALSE
- Note: To get existing value run
zmprov -l gs `zmhostname` zimbraCBPolicydCheckSPFEnabled
- B. Disable SPF checking at SpamAssassin level by modifying
/opt/zimbra/data/spamassassin/localrules/init.pre
, open this file and commentloadplugin Mail::SpamAssassin::Plugin::SPF
. # loadplugin Mail::SpamAssassin::Plugin::SPF
- B. Disable SPF checking at SpamAssassin level by modifying
Step 2:
- Disable DKIM records validation.
- A. Disable DKIM validation at Amavis level.
zmprov ms `zmhostname` zimbraAmavisEnableDKIMVerification FALSE
- Note: To get existing value run
zmprov -l gs `zmhostname` zimbraAmavisEnableDKIMVerification
- B. Disable DKIM validation at SpamAssassin level by modifying
/opt/zimbra/data/spamassassin/localrules/v312.pre
, open this file and commentloadplugin Mail::SpamAssassin::Plugin::DKIM
# loadplugin Mail::SpamAssassin::Plugin::DKIM
- B. Disable DKIM validation at SpamAssassin level by modifying
Step 3:
- Disable DMARC validation. Nothing to do for DMRAC, it will not function when SPF, DKIM disabled.
Step 4:
- Restart MTA services.
zmamavisdctl restart zmmtactl restart
Step 5:
- Verification, to confirm the same, check "X-Spam-Status:" in the show original of received emails. Must not display any tags related to SPF, DKIM, and DMARC.
- Header when SPF, DKIM validation done.
X-Spam-Status: No, score=1.467 required=6.6 tests=[DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RDNS_NONE=1.274, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01]
- Header when SPF, DKIM validation not done.
X-Spam-Status: No, score=1.265 required=6.6 tests=[HTML_MESSAGE=0.001, RDNS_NONE=1.274, T_SCC_BODY_TEXT_LINE=-0.01]
- Note:Customizations may not forward with updates/upgrades, so document these changes, and validate post update/upgrade ptache/zcs.
Submitted by: Raghu Noti |