Setting up DNS before installing Zimbra

DNS is an important aspect of any Zimbra installation. This article will help those who are new to installing Zimbra get an idea of what needs to be configured to get started. It also includes tips and best practices for improving security and email deliverability that may be lesser known even to experienced administrators. A good DNS configuration will improve:

  1. Reliability
  2. Performance
  3. Security

DNS and reliability

The first thing to consider is rolling out Zimbra using a so-called split DNS.

Your Zimbra server has the domain name When on the server itself you query the DNS A record for, the answer from DNS is an internal network address such as However when someone from the Internet queries the A record for the answer is a public IP address such as

One of the benefits of a split DNS is that network traffic does not needlessly have to pass through your router/firewall and/or NAT. On top of that, when set up correctly, the internal DNS should be 100% under your control. This makes the Zimbra system more reliable, because even when external DNS fails, Zimbra keeps running normally internally.

Setting up Split DNS

The following steps show how to set up a basic split DNS using the /etc/hosts file on your Zimbra machines combined with DNSMASQ. These steps assume you have not yet installed Zimbra. First, find the local IP address of your server by running the ip a command on the server.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:17:0a:8c:e4 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet brd scope global ens3
       valid_lft forever preferred_lft forever
    inet6 2603:c020:400d:567e:c37f:fdad:8a43:d3b4/128 scope global dynamic noprefixroute
       valid_lft 4699sec preferred_lft 4399sec
    inet6 fe80::17ff:fe0a:8ce4/64 scope link
       valid_lft forever preferred_lft forever

You will have to use the address that is listed after inet under the device called ensX, ethX or enpX. In most cases it will start with 192.168. or 10.0. If your Zimbra machine gets a public IP directly, for example from your hosting provider, you can use this IP.

Next you have to set this IP and the hostname in the /etc/hosts file. The following line must be present or added as follows: mail

You have to set up the /etc/hostname file as follows:

Next install DNSMASQ as follows:

apt-get install -y dnsmasq

Next disable systemd-resolved:

systemctl stop systemd-resolved
systemctl disable systemd-resolved
systemctl mask systemd-resolved

Next set this server to resolve DNS using the locally installed DNSMASQ:

rm -f /etc/resolv.conf
echo "nameserver" > /etc/resolv.conf

You can optionally prevent changes from upstream package updates to resolv.conf by making this file immutable:

chattr +i /etc/resolv.conf #make immutable
chattr -i /etc/resolv.conf #regular setting

If you are installing Zimbra or installing Zimbra/OS updates, make sure to reset the resolv.conf file to the regular setting (chattr -i), because otherwise packages fail to install.

Finally, configure DNSMASQ by editing /etc/dnsmasq.conf. In this example we will be using Quad9, Cloudflare and Google for upstream resolving of DNS. Set listen-address to so only queries from the local Zimbra machine are accepted.


# trust-anchor is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from




You can now restart your server and proceed with the installation of Zimbra. Please note that when running the Zimbra installer, choose N when asked to install zimbra-dnscache.
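
A preflight check for the files touched in the steps above, as an added example that is not part of the original article: it verifies that the resolv.conf nameserver is one of dnsmasq's listen-address values, that dnsmasq.conf has a dnssec line, and that the hostname does not map to loopback in the hosts file. The function names, the dnssec-line check and the sample values (mail.example.com, 192.0.2.10) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Sample values are constructed.
# First "nameserver" address in a resolv.conf-style file.
resolv_nameserver() { awk '$1 == "nameserver" { print $2; exit }' "$1"; }

# Addresses from listen-address= lines in a dnsmasq.conf, one per line.
dnsmasq_listen() {
    sed -n 's/^[[:space:]]*listen-address[[:space:]]*=//p' "$1" | tr ',' '\n' | tr -d ' \t'
}

# Address the hosts file maps to a name (comment lines and inline comments skipped).
hosts_ip_for() {
    awk -v h="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break
        if ($i == h) { print $1; exit } } }' "$1"
}

# check_split_dns RESOLV_CONF DNSMASQ_CONF HOSTS FQDN
# Prints one line per finding; the return status is the number of problems.
check_split_dns() {
    problems=0
    ns=$(resolv_nameserver "$1")
    if [ -z "$ns" ] || ! dnsmasq_listen "$2" | grep -Fxq -- "$ns"; then
        echo "FAIL: nameserver '$ns' is not a dnsmasq listen-address"
        problems=$((problems + 1))
    fi
    if ! grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$2"; then
        echo "FAIL: no 'dnssec' line in dnsmasq.conf, answers are not validated"
        problems=$((problems + 1))
    fi
    ip=$(hosts_ip_for "$3" "$4")
    case "$ip" in
        "")    echo "FAIL: $4 is missing from the hosts file"
               problems=$((problems + 1)) ;;
        127.*) echo "FAIL: $4 maps to loopback $ip, not the interface address"
               problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ] && echo "OK: split DNS files are consistent"
    return "$problems"
}

# Constructed sample: resolv.conf points at 127.0.0.1 but dnsmasq listens elsewhere.
demo() {
    d=$(mktemp -d)
    echo "nameserver 127.0.0.1" > "$d/resolv.conf"
    printf 'listen-address=192.0.2.10\ndnssec\n' > "$d/dnsmasq.conf"
    echo "192.0.2.10 mail.example.com mail" > "$d/hosts"
    rc=0; check_split_dns "$d/resolv.conf" "$d/dnsmasq.conf" "$d/hosts" mail.example.com || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "problems found: $?"
```

On a real server, call check_split_dns with /etc/resolv.conf, /etc/dnsmasq.conf, /etc/hosts and the server's own hostname before starting the Zimbra installer.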

MX record

At the very minimum you will also have to set an MX record. You can use the dig command to verify it is set correctly:

dig +short MX

To find the actual IP of you use dig again as follows:

dig +short A

Internally you should get the internal IP such as in this example. Externally you would get again this is just an example.

DNS and Performance

When using DNSMASQ you can control the DNS cache, and since DNSMASQ runs locally it answers very quickly. As a result your email gets delivered faster.

Setting zimbraMtaLmtpHostLookup

After installation you can set the zimbraMtaLmtpHostLookup directive. This tells Zimbra NOT to use DNS when delivering internal email. This increases performance.

zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
zmprov mcf zimbraMtaLmtpHostLookup native
zmmtactl restart

DNS and Security

With DNSMASQ installed and configured as above, you enforce DNSSEC, which increases security. You should also implement SPF, DKIM, DMARC etc. Take a look at our email security webinars for in-depth information on these topics.

Testing DNSSEC

You can use the following service via the command line: or from a browser (in most cases you will not have a browser on your Zimbra server).

To test from the command line using dig:

#The next query should return A record
dig @

#The next query should return SERVFAIL
dig @
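
The two dig checks above, turned into a pass/fail test as an added example (not part of the original article): besides SERVFAIL for the broken name, it requires the ad (authenticated data) flag on the good answer, which a validating resolver sets on answers it has verified. The function names and the sample dig headers are constructed for illustration; on a real server, feed it the saved output of the article's two dig queries.

```shell
#!/bin/sh
# Added example, not from the original article. The dig outputs are constructed.
# classify_dig: read dig output on stdin, print validated|insecure|servfail|other:STATUS
classify_dig() {
    awk '
        /->>HEADER<<-/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /^;; flags:/   { f = $0; sub(/^;; flags: /, "", f); sub(/;.*/, "", f)
                         ad = ((" " f " ") ~ / ad /) }
        END {
            if (status == "NOERROR") print (ad ? "validated" : "insecure")
            else if (status == "SERVFAIL") print "servfail"
            else print "other:" status
        }'
}

# dnssec_enforced GOOD_FILE BAD_FILE (each the saved output of: dig @RESOLVER NAME)
# GOOD_FILE is for a correctly signed name, BAD_FILE for a name whose
# signature is deliberately broken. Returns 0 only if the first validated
# (ad flag set) and the second was refused with SERVFAIL.
dnssec_enforced() {
    good=$(classify_dig < "$1")
    bad=$(classify_dig < "$2")
    echo "signed name: $good, broken name: $bad"
    [ "$good" = "validated" ] && [ "$bad" = "servfail" ]
}

# sample STATUS FLAGS ANSWERS: print a constructed dig response header.
sample() {
    printf ';; ->>HEADER<<- opcode: QUERY, status: %s, id: 4711\n' "$1"
    printf ';; flags: %s; QUERY: 1, ANSWER: %s, AUTHORITY: 0, ADDITIONAL: 1\n' "$2" "$3"
}

demo() {
    d=$(mktemp -d)
    sample NOERROR "qr rd ra ad" 1 > "$d/good"   # answer from a validating resolver
    sample NOERROR "qr rd ra" 1    > "$d/noad"   # same answer without the ad flag
    sample SERVFAIL "qr rd ra" 0   > "$d/bad"    # broken signature refused
    dnssec_enforced "$d/good" "$d/bad" && echo "PASS: validation is enforced"
    dnssec_enforced "$d/noad" "$d/bad" || echo "FAIL: good answer lacks the ad flag"
    rm -rf "$d"
}
demo
```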


2 Responses to Setting up DNS before installing Zimbra

  1. Leonardo Corato January 5, 2024 at 3:35 AM #

    This guide IMHO has two mistakes:
    the first one is that it sets resolv.conf nameserver but then dnsmasq is bound to another ip (in this case and of course if you bind dnsmasq MUST point to the same IPs or they won’t work.
    The second mistake is that if you make immutable resolv.conf with chattr +i /etc/resolv.conf , then the installation of – at least zimbra10 – returns “installed resolvconf package post-installation script subprocess returned error exit status 1” even if you don’t install zimbra-dnscache. So can’t be set.

    • Barry de Graaff January 11, 2024 at 3:54 AM #

      Thanks for the comment, you are right about the first issue. The second issue was already mentioned in the blog post, but I reworded it to make it more

Copyright © 2022 Zimbra, Inc. All rights reserved.
