As Zimbra Collaboration is the central communication hub of your business, it needs to be protected and secured. Zimbra Collaboration ships with multiple antispam components such as SpamAssassin and amavisd.
But how do you protect against spoofing? And how do you ensure that your outgoing email does not land in the junk folder of recipients on other platforms like Google Apps, Outlook 365, etc.?
Beyond the mail server itself, there are well-established external mechanisms that protect and authenticate outgoing email: SPF, DKIM, DMARC and rDNS.
SPF & SenderID
Sender Policy Framework (SPF) is an email validation system designed to prevent unwanted email sent with a spoofed sender. To address this common security problem, SPF verifies the source IP of the email and compares it with a DNS TXT record that contains the SPF policy of the sending domain.
Since it was derived from SPF, Sender ID can also validate the MAIL FROM identity. But it defines a new identity to validate, the PRA, and defines new sender policy record tags that specify whether a policy covers MAIL FROM (called MFROM by Sender ID), PRA, or both. For more information about Sender ID, please visit OpenSPF.org.
DKIM
DomainKeys Identified Mail (DKIM) is a method of associating a domain name with an email message through a cryptographic signature, allowing a person or organization to take responsibility for that message.
DMARC
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.
DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.
(inspired by dmarc.org)
rDNS
Reverse DNS (rDNS) resolution determines the domain name associated with an IP address. Some email providers, AOL for example, will reject any email coming from an IP that does not have a valid rDNS entry.
You can find much more information in our Wiki.
Considering all the leaks and hacks that are taking place these days, I think this would be a good upgrade to the security.
Nice work. Clear and precise; I always enjoy your blogs, Jorge.
Thank you very much Glen, hope to see you soon.
Hi Jorge,
Does Zimbra implement DMARC on the receiving side, i.e., evaluate the DMARC policy and send reports for incoming mail?
On a side note, in the DKIM figure the server should of course publish the public key, not the private one ;-)
Thanks,
vinzenz
Hi Vinzenz,
The blog post was updated with the proper email flow, thank you.
I have a scenario with 3rd party vendors… Our company has a lot of 3rd party mail services. I have set up DMARC with p=none and the SPF records were updated with the known sending servers. Could you please clarify a statement which I read on the Dmarc.org site about making 3rd party vendors DMARC compliant:
1. Either add their sending servers to our spf records
2. Or share your DKIM private key to them
My question is, SPF checks the envelope from address, so when the vendor sends mails on behalf of us, the from address will be our company address and the envelope from will be his company. So then how will SPF pass? SPF will check the DNS server of the envelope from? Is my understanding right?
Secondly, does DKIM check the from address or the envelope from address? How does it work when we share the private key?
Hi lavanyasvraman,
My understanding here is the following:
SPF: You need to add all the IPs of the servers that send email in your name, or using your domain. For example, if you are using Salesforce, Mailchimp, or another kind of 3rd party, it is explained here – https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC#Where_needs_to_be_configured.3F. Also, I recommend that in the beginning you use ~all instead of -all, and once you feel confident that you have all your servers, and the 3rd party ones, correctly added to your SPF, then change to -all and test.
DKIM: Signing your outgoing emails properly with DKIM depends on your 3rd party; some of them allow you to add your private key, like Salesforce – http://releasenotes.docs.salesforce.com/en-us/spring15/release-notes/rn_general_domain_keys.htm#rn_general_domain_keys
My experience, for example, using a Zimbra server with a Barracuda or other email filtering for the incoming/outgoing email, is that my domain needs to have the DKIM signature of the Barracuda, not the Zimbra one.
Let us know if you have any specific doubt, and if you can, share with us what kind of 3rd party you are using. It is much better to discuss it in the Community – https://community.zimbra.com/collaboration/f/1886 where many other members can also help to reply.
Best regards
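As an added illustration (this is not code from the original post or from Zimbra), the following Python sketch evaluates a constructed SPF TXT record against a connecting IP and then applies the DMARC rule that SPF or DKIM must both pass and align with the From: domain, including the third-party case where the vendor's own envelope sender makes SPF pass but not align. The domains, IPs and records are assumed for the example, and include/a/mx mechanisms are left out because they need live DNS lookups.

```python
import ipaddress

# Added example, not code from the original post. SPF evaluation is limited to
# ip4/ip6/all mechanisms (include/a/mx need live DNS). DMARC alignment follows
# the rule that SPF or DKIM must both pass and align with the From: domain.
# All domains, IPs and records used here are constructed for illustration.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, client_ip):
    """Return the SPF result for client_ip under a v=spf1 TXT record."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "all":                    # "all" always matches and ends evaluation
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" present

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (a public suffix list is needed for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Relaxed ("r") alignment compares organizational domains; strict ("s")
    requires an exact match with the From: domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_evaluate(from_domain, mail_from_domain, spf_result,
                   dkim_domain, dkim_result, policy="v=DMARC1; p=none"):
    """Return (dmarc_pass, disposition) given the SPF/DKIM results already
    computed for the message and the From: domain's DMARC TXT record."""
    tags = dict(t.strip().split("=", 1) for t in policy.split(";") if "=" in t)
    spf_ok = spf_result == "pass" and aligned(
        mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and dkim_domain is not None and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return passed, "none" if passed else tags.get("p", "none")
```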