DMARC for mail server domain

Posted: Fri Jul 19, 2019 3:00 pm
by zim_mike
We have a zimbra 8.8 server that handles around 10 domains.
The zimbra server domain is the mx for all of those domains so when a lookup is done for email, it finds the zimbra server domain's mx.

When I test DMARC for the zimbra domain, everything looks good because I created the DMARC key for the mail server domain.
However, when I test for any of the domains that the server is handling mail for, all fail the DMARC test.
This is expected since those domains are using the mail server's MX so don't have their own DMARC records.

My question is, should I be creating a DMARC key for each of those domains, even though they are using the mail server for their mail services?

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 3:17 pm
by phoenix
zim_mike wrote: My question is, should I be creating a DMARC key for each of those domains, even though they are using the mail server for their mail services?
The answer to that question would be yes you should create a DMARC (and SPF etc., etc.) DNS records for each domain.

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 3:32 pm
by zim_mike
That might explain why some email keeps landing in spam bins from the domains that are hosted on that server.
Do I use the same method as the main domain, meaning...

/opt/zimbra/libexec/zmdkimkeyutil -a -d domain1.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain2.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain3.com

And this won't break anything on the mail server right?

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 3:48 pm
by phoenix
zim_mike wrote: That might explain why some email keeps landing in spam bins from the domains that are hosted on that server.
Do I use the same method as the main domain, meaning...

/opt/zimbra/libexec/zmdkimkeyutil -a -d domain1.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain2.com
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain3.com

And this won't break anything on the mail server right?
Yes, you use the same method as the primary domain and no, it won't break anything - although I use Rspamd, and that does DMARC for me, it does the same as the ZCS opendkim and it works fine. Obviously, when you create the new DMARC DNS records you should set them with a policy of "none" initially so your mail doesn't get rejected if there are any problems.

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 4:01 pm
by zim_mike
Thank you very much Bill.
I actually have it set to reject because I was seeing some negative results when testing DMARC due to using none.
My understanding was that when set to none, while there is a valid DMARC, it seems to get a negative since we're still allowing everything.

Looking at the records generated by Zimbra, I don't really see a policy setting. Each one looks like this, with no mention of a policy setting such as none, quarantine or reject.
v=DKIM1;k=rsa;p=MIIBxxxxxxxxxxxxxxxxxx (long code)

Maybe I need to test that again using none.

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 4:06 pm
by phoenix
The 'none' option should just report if the mail is failing DMARC rather than it being rejected. Obviously there are test sites that will verify if your DMARC settings are correct (and send you a report), as will sending a message to gmail - in those circumstances you don't really want it to be rejected; once you're happy it's all OK then flip it to reject.

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 4:11 pm
by zim_mike
I understand. What I am not finding, however, is how you introduce the policy setting into the code generated by zimbra.

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 4:17 pm
by zim_mike
I think I have it now, it's a separate TXT entry.

v=DMARC1; p=quarantine; rua=mailto:xxxx@report.com; fo=1

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 4:23 pm
by zim_mike
Last but not least, if it helps anyone else.

Using mxtoolbox, the DMARC record for domains with p=none receives

DMARC Policy Not Enabled DMARC Quarantine/Reject policy not enabled

I'm not 100% sure if this is a bad thing but it's probably ok while testing and until it's changed to something higher.

Re: DMARC for mail server domain

Posted: Fri Jul 19, 2019 4:24 pm
by phoenix
Are you following the wiki article here: https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC#DMARC

Effectively what you're doing for each domain is creating a DKIM signing key and adding that to a Public DNS server; next you also add a DMARC record to the Public DNS server, and that verifies that the mail is from the organisation that's supposed to be sending it. Obviously you'll need SPF records for each domain saying that it's your mail server that's sending the mail for that domain.
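The per-domain checklist in that last reply (DKIM key published, DMARC record present and not left at p=none, SPF record present) can be audited in one pass over all hosted domains. The script below is an added example, not code from the thread or from Zimbra; the TXT records are constructed sample data standing in for `dig TXT` answers, and the selector name `sel1` is an assumption standing in for whatever selector zmdkimkeyutil published for the domain.

```python
# Constructed sample: DNS name -> list of TXT strings, standing in for `dig TXT`
# answers. domain1 is still in monitor mode (p=none); domain2 has only a DKIM key.
SAMPLE_TXT = {
    "mailserver.example": ["v=spf1 mx -all"],
    "_dmarc.mailserver.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@mailserver.example; fo=1"],
    "sel1._domainkey.mailserver.example": ["v=DKIM1;k=rsa;p=MIIBxxxxCONSTRUCTED"],
    "domain1.example": ["v=spf1 mx:mailserver.example -all"],
    "_dmarc.domain1.example": ["v=DMARC1; p=none; rua=mailto:dmarc@mailserver.example"],
    "sel1._domainkey.domain1.example": ["v=DKIM1;k=rsa;p=MIIBxxxxCONSTRUCTED"],
    "sel1._domainkey.domain2.example": ["v=DKIM1;k=rsa;p=MIIBxxxxCONSTRUCTED"],
}


def parse_tags(txt):
    """Split a 'tag=value; tag=value' record (DMARC and DKIM syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _first(records, prefix):
    """First TXT string starting with prefix (case-insensitive), or None."""
    return next((r for r in records if r.lower().startswith(prefix)), None)


def audit_domain(domain, selector, txt=SAMPLE_TXT):
    """Return the problems found for one hosted domain (empty list = all records in place).

    selector is the DKIM selector the server signs with (assumption: the one
    zmdkimkeyutil printed when the key for this domain was created).
    """
    problems = []
    if _first(txt.get(domain, []), "v=spf1") is None:
        problems.append("SPF record missing")
    if _first(txt.get(f"{selector}._domainkey.{domain}", []), "v=dkim1") is None:
        problems.append(f"DKIM key missing for selector {selector}")
    dmarc = _first(txt.get(f"_dmarc.{domain}", []), "v=dmarc1")
    if dmarc is None:
        problems.append("DMARC record missing")
        return problems
    tags = parse_tags(dmarc)
    policy = tags.get("p")
    if policy == "none":  # what mxtoolbox flags as "DMARC Policy Not Enabled"
        problems.append("DMARC policy not enforced (p=none, monitor only)")
    elif policy not in ("quarantine", "reject"):
        problems.append("DMARC p= tag missing or invalid")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems
```

Run `audit_domain(d, "sel1")` for each domain the server hosts; an empty result means SPF, DKIM and an enforcing DMARC policy are all published for that domain.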