Multi-domain on single server: DNS, multi-CoS, proxy and best practice

Hi everyone

For the past 2 years we've been using Zimbra under a single domain but I'm now looking to expand it so that Zimbra handles domains for various associates. So people who already have a Zimbra account can have an additional alias for Or create new accounts for users.
At the moment our mail server is hosted over our ADSL connection but once I have built a new machine and got this procedure up and going

From the admin interface it looks easy to add a new domain but my questions are relating to the broader aspects of running a Zimbra server which handles multiple domains. I'd like there to be as little extra configuration needed as possible when adding new domains so I want to make sure I get it correct in my mind before I start.

So here are my questions...

1) Bind/named. We have bind/named running as the DNS server on our Zimbra server. This means I have to keep the local Zimbra copy of our DNS records in sync with our external DNS server (cPanel/WHM).
Is there any way I can have the DNS records synced from our external DNS server for those domains? Or is it not worth the hassle of setting up DNS replication?

2) Bind/named records. So to add to the DNS on our Zimbra server, I need to add this to named.conf...
zone "" {
    type master;
    file "";
};
Then create in the same way I created it for our existing domain?

3) A records. If I want users to be able to access the server using then I'll need to set up an A record for to point to the server's IP address. But because I only allow communication through TLS/SSL then surely when they try to access they'll get certificate warnings because we have the commercial SSL cert under
Is there a way to have per-domain SSL certificates to avoid these warnings?
Or would the server then need multiple IP addresses to support the multiple SSL certs?
I'm thinking I might not set an A record so users are forced to use our existing server address. That way they won't get any SSL warnings (which seem harder and harder to override these days!).

4) MX records. For should I just create an MX record to point to
Or should I create an A record for pointing to the server's IP address, and have the MX record for pointing to that A record?
For mail delivery and spam filters, does it make any difference that the MX record for is actually pointing to a different domain's subdomain (eg: as opposed to

5) SPF records. We have an SPF record for our current domain which explicitly lists the only servers that can relay mail for
For I could either do an include: to so it picks up the existing SPF record for
Or I could just copy & paste the SPF record for so I have to maintain 2 identical SPF records. Not loads of work but if there's a way to slipstream it then I'd like to try. All mail from domains on the Zimbra servers will originate from the same IP addresses (our web servers and a private mail relay VPS).
Are there any downsides to including an SPF record from another domain?
Does it even work like that?

6) Mail relay. All our outgoing e-mail from Zimbra gets routed through an SSH tunnel to a private postfix VPS and delivered out to the internet from there. The hostname of this private relay is
Is there any disadvantage in having mail from being sent out onto the internet by a server within a different domain, eg: increased "spamminess"?
Or is it no problem so long as is listed in the SPF record for

7) DKIM/DomainKeys. The reason we have all outgoing e-mail routed through a single external relay is that it makes it easier for us to use DKIM/DomainKeys without having to mess around with modifying any configuration files associated with Zimbra. The down-side is that internal mail isn't signed.
Is it best practice to have a different DKIM key for each domain?
Or could I re-use the key that we have for since the mail for both domains originates from the same server?

8) Zimbra proxy. Do I need the Zimbra proxy service for multi-domain support?
Eg: being able to access their mail from instead of
Or is Zimbra proxy mainly for multi-server uses?

9) Per-domain global address lists. Will the GAL list all accounts on the Zimbra server? Or just ones from a matching domain?
How do hosting providers avoid exposing all hosted accounts in the GAL, yet still retain GAL functionality?

Hope that was all clear and I'm looking forward to getting some advice on all this!

Cheers, B
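The DNS side of questions 2, 4, 5 and 7 above, as an added example that is not from the original post: a BIND zone file for a newly hosted domain whose mail is handled by the existing Zimbra host in the primary domain. All names (hosted.example, primary.example, mail.primary.example, ns1/ns2.primary.example, the selector zimbra2024 and the key placeholder) are assumptions.

```dns
; Constructed example zone for a hosted domain served by the existing Zimbra
; host. All names are placeholders; this file is not from the post or Zimbra.
$TTL 3600
$ORIGIN hosted.example.
@       IN SOA  ns1.primary.example. hostmaster.primary.example. (
                2024010101 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.primary.example.
        IN NS   ns2.primary.example.

; Mail for hosted.example is delivered to the existing Zimbra host in the
; primary domain. An MX target may live in any domain, but it must be a name
; with an A/AAAA record, never a CNAME (RFC 2181 section 10.3).
@       IN MX 10 mail.primary.example.

; Deliberately no "mail.hosted.example" A record: users keep connecting to
; mail.primary.example, the name on the single commercial certificate, so no
; certificate-name warnings are triggered.

; SPF: include: evaluates primary.example's own SPF record in place, so the
; list of sending IPs (web servers, private relay) is maintained once. Each
; include: counts toward SPF's limit of 10 DNS-querying mechanisms
; (RFC 7208 section 4.6.4); exceeding it yields permerror.
@       IN TXT  "v=spf1 include:primary.example -all"

; DKIM: publishing a selector under this domain lets signatures use
; d=hosted.example, so the key can be rotated or revoked without touching the
; primary domain. <PUBKEY> is a placeholder for the base64 public key.
zimbra2024._domainkey IN TXT "v=DKIM1; k=rsa; p=<PUBKEY>"
```

After loading the zone, `named-checkzone hosted.example /path/to/zonefile` validates the syntax, and `dig +short TXT hosted.example` confirms the SPF record resolves as published.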