By default, Zimbra OpenDKIM does not sign the Subject header. At this time, the list of headers that Zimbra OpenDKIM signs cannot be configured via zmprov. There is a pending feature request to make these headers configurable via zmprov. In this article you will learn how to configure Zimbra OpenDKIM by customizing its configuration files.
If you have not implemented DKIM/DMARC or are unfamiliar with these topics, take a look at the blogs in the further reading section below.
On this topic, the DKIM RFC (https://www.rfc-editor.org/rfc/rfc6376) says that signing fields present in the message such as Date, Subject, Reply-To, Sender, and all MIME header fields is highly advised.
To change the Zimbra OpenDKIM configuration, as the root user (sudo) open the files /opt/zimbra/conf/opendkim.conf.in and /opt/zimbra/conf/opendkim.conf and change the line
SignHeaders message-id,date,from,mime-version,to
as follows:
SignHeaders message-id,date,from,mime-version,to,subject
Then as user zimbra restart OpenDKIM:
zmopendkimctl restart
Before the change the email header DKIM-Signature looks like this:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.zimbra.tech; s=...;h=Date:From:To:Message-ID:MIME-Version;...
After the change the email header DKIM-Signature looks like this:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.zimbra.tech; s=...;h=Date:From:To:Message-ID:Subject:MIME-Version;...
This means that all new outgoing email will have the Subject header signed as well, so it can no longer be tampered with without breaking the DKIM signature.
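To confirm the change on a message actually sent through the server, the h= tag of its DKIM-Signature can be checked against the SignHeaders list. The following is an added example, not part of the original article or of Zimbra; the function names, the sample messages and the PLACEHOLDER values for s=, bh= and b= are constructed for illustration.

```python
from email import message_from_string

# Headers listed on the SignHeaders line after the change described above.
EXPECTED = ["message-id", "date", "from", "mime-version", "to", "subject"]

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip().lower()] = "".join(val.split())
    return tags

def unsigned_headers(raw_message, expected=EXPECTED):
    """For each DKIM-Signature, list expected headers that are present in the
    message but missing from that signature's h= tag."""
    msg = message_from_string(raw_message)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(sig))
        signed = {h.lower() for h in tags.get("h", "").split(":") if h}
        missing = [h for h in expected if h in msg and h not in signed]
        report.append((tags.get("d", ""), missing))
    return report

def sample(h_list):
    """Constructed test message; s=, bh= and b= are placeholders, not real values."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.zimbra.tech;\n"
        "\ts=PLACEHOLDER; h=" + h_list + ";\n"
        "\tbh=PLACEHOLDER=; b=PLACEHOLDER==\n"
        "Date: Mon, 01 Jan 2024 10:00:00 +0000\n"
        "From: alice@mail.zimbra.tech\n"
        "To: bob@example.com\n"
        "Message-ID: <constructed-1@mail.zimbra.tech>\n"
        "Subject: Invoice\n"
        "MIME-Version: 1.0\n"
        "\n"
        "body\n"
    )

BEFORE = sample("Date:From:To:Message-ID:MIME-Version")
AFTER = sample("Date:From:To:\n\tMessage-ID:Subject:MIME-Version")  # folded h= list

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, unsigned_headers(raw))
```

This only inspects which headers the signature claims to cover; it does not verify the signature itself.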
Thanks for the tutorial but it’s not working for me.
I tried, but the zmopendkimctl restart command always restores the file to its previous state.
zimbra-opendkim-2.10.3-1zimbra8.7b5.el7.x86_64
zimbra-core-8.8.15_GA_3869.RHEL7_64-20190917004220.x86_64
Mea culpa, it works great! Many thanks!
It seems like it’s enough to modify /opt/zimbra/conf/opendkim.conf.in only.
Good to hear it worked for you!