Configure Zimbra OpenDKIM to sign the Subject header

By default Zimbra OpenDKIM does not sign the Subject header. At this time the configuration of what headers are signed by Zimbra OpenDKIM cannot be done via zmprov. There is a pending feature request to make these headers configurable via zmprov. In this article you will learn how to configure Zimbra OpenDKIM by customizing the configuration files.

If you have not implemented DKIM/DMARC or are unfamiliar with these topics take a look at the blogs in the further reading section below.

The DKIM RFC https://www.rfc-editor.org/rfc/rfc6376 says on the topic: signing fields present in the message such as Date, Subject, Reply-To, Sender, and all MIME header fields are highly advised.

To make changes to Zimbra OpenDKIM configuration, as root user (sudo) open the files /opt/zimbra/conf/opendkim.conf.in and /opt/zimbra/conf/opendkim.conf and change the line

SignHeaders message-id,date,from,mime-version,to

as follows:

SignHeaders message-id,date,from,mime-version,to,subject

Then as user zimbra restart OpenDKIM:

zmopendkimctl restart

Before the change the email header DKIM-Signature looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.zimbra.tech;
s=...;h=Date:From:To:Message-ID:MIME-Version;...

After the change the email header DKIM-Signature looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.zimbra.tech;
s=...;h=Date:From:To:Message-ID:Subject:MIME-Version;...

Which means that all new outgoing email will have the Subject header signed as well, and it can no longer be tampered with.

Further reading

3 Responses to Configure Zimbra OpenDKIM to sign the Subject header

  1. Andras May 16, 2023 at 5:50 AM #

    Thanks for the turorial but it’s not working for me.
    I tried, but the zmopendkimctl restart command always restores the file to it’s previous state.
    zimbra-opendkim-2.10.3-1zimbra8.7b5.el7.x86_64
    zimbra-core-8.8.15_GA_3869.RHEL7_64-20190917004220.x86_64

  2. Andras May 16, 2023 at 6:10 AM #

    Mea culpa, it works great! Many thanks!
    It seems like it’s enough to modify /opt/zimbra/conf/opendkim.conf.in only.

    • Avatar photo
      Barry de Graaff May 16, 2023 at 6:17 AM #

      Good to hear it worked for you!

Leave a Reply

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures