Try this on a test domain first.

To have Zimbra sign outgoing messages with DKIM, generate DKIM keys by running the following command as user zimbra:

/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

Save the output of this command; you will need it to set up DNS later.

DKIM Data added to LDAP for domain example.com with selector 8250020E-EF81-11EB-BB5B-4520489C3827 

Public signature to enter into DNS: 

8250020E-EF81-11EB-BB5B-4520489C3827._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvo1fSt7kWZkQn69KhXubeVdXg2oX0waQeCSR4zZcHccpM+kxRTYLkPVlbSJ/8Aa6Pr9LFm0+9C IJjuN9UyAeRnlYspCrN7Y8iPVB/2Vsvl6I9v1KPITB9jyY5u5ETwAu1ic2nAm4B7CsRNfgL8G6BqBQbCWU4W4onhwz3bdytMec/cgV0st+whdJTMjTflJoRvF QYcNnQRmdai" "tTVzbnziG0k8hxFYkg0oJs5/4zdi6O6vizACwbVWckS19NsW3XPj6ppXVZ2gQYrVW4QoNnYX/ji7fBZxFonRXErCvnRrq9a743UF3kJXihAkZ7HR+dn6rXwM ZgC2dbBc8l2NxmJwIDAQAB" ) ; ----- DKIM key 8250020E-EF81-11EB-BB5B-4520489C3827 for example.com

Now set up DNS. Assuming you are using a BIND DNS server, add the following two records to your zone file (and reload BIND):


@ TXT "v=spf1 a mx ~all" 

8250020E-EF81-11EB-BB5B-4520489C3827._domainkey.example.com. IN TXT ( "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvo1fSt7kWZkQn69KhXubeVdXg2oX0waQeCSR4zZcHccpM+kxRTYLkPVlbSJ/8Aa6Pr9LFm0+9C IJjuN9UyAeRnlYspCrN7Y8iPVB/2Vsvl6I9v1KPITB9jyY5u5ETwAu1ic2nAm4B7CsRNfgL8G6BqBQbCWU4W4onhwz3bdytMec/cgV0st+whdJTMjTflJoRvF QYcNnQRmdai" "tTVzbnziG0k8hxFYkg0oJs5/4zdi6O6vizACwbVWckS19NsW3XPj6ppXVZ2gQYrVW4QoNnYX/ji7fBZxFonRXErCvnRrq9a743UF3kJXihAkZ7HR+dn6rXwM ZgC2dbBc8l2NxmJwIDAQAB" ) ; ----- DKIM key 8250020E-EF81-11EB-BB5B-4520489C3827 for example.com 


The SPF record v=spf1 a mx ~all states the SPF version in use and allows email to be sent from the servers in the domain's A and MX records, that is, your website and mail server. You can also add other IP addresses or ranges.


Test your SPF record via an online tool such as https://godmarc.com/tool/spf-record to be sure it is configured correctly.


The DKIM record is a copy-paste from the output of the zmdkimkeyutil command; we only need to append .example.com to the record name when a BIND DNS server is used.

You can check the DKIM record via https://godmarc.com/tool/dkim-record by doing a lookup for:

Your Domain Name: example.com

Selector: 8250020E-EF81-11EB-BB5B-4520489C3827
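
An offline sanity check for the copy-pasted record, as an added example (not part of the original guide or of Zimbra's tooling): it joins the quoted TXT chunks the way DNS does, decodes p= and reads the RSA key size, which catches a record that was truncated or damaged while pasting. The function names, the placeholder selector SELECTOR and the sample record with its dummy modulus are constructed for this example.

```python
import base64
import re

def parse_dkim_txt(record):
    """Join the quoted chunks of a zone-file TXT record and split the DKIM tags."""
    txt = "".join(re.findall(r'"([^"]*)"', record))  # DNS joins chunks, no separator
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def _tlv(buf, pos):  # read one DER element; return (tag, value_start, value_end)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_key_bits(p_value):
    """Decode a p= value; return the RSA modulus size in bits (ValueError if damaged)."""
    der = base64.b64decode(re.sub(r"\s+", "", p_value), validate=True)
    tag0, start, end = _tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, start)             # AlgorithmIdentifier, skipped
    tag1, bits_start, _ = _tlv(der, alg_end)     # BIT STRING wrapping RSAPublicKey
    _, key_start, _ = _tlv(der, bits_start + 1)  # +1 skips the unused-bits byte
    tag2, n_start, n_end = _tlv(der, key_start)  # INTEGER modulus
    if (tag0, tag1, tag2) != (0x30, 0x03, 0x02) or end != len(der):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def check_record(record):
    """Return the problems found in a DKIM zone-file record (empty list = OK)."""
    tags, problems = parse_dkim_txt(record), []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    try:
        if rsa_key_bits(tags.get("p", "")) < 1024:  # minimum size per RFC 8301
            problems.append("RSA key shorter than 1024 bits")
    except ValueError as exc:
        problems.append("p= tag damaged: %s" % exc)
    return problems

# Constructed sample, not a real key: 2048-bit SPKI header, dummy modulus, e=65537.
SAMPLE_DER = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f00"
                            "3082010a0282010100") + b"\xc3" * 256 + b"\x02\x03\x01\x00\x01")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_RECORD = ('SELECTOR._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=%s" "%s" ) ; key'
                 % (SAMPLE_B64[:200], SAMPLE_B64[200:]))
```

Pass check_record() the record text exactly as it was pasted into the zone file; an empty list means no problem was found.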


Now you can do one last test on Zimbra:

[zimbra@mind root]$ /opt/zimbra/common/sbin/opendkim-testkey -d example.com -s 8250020E-EF81-11EB-BB5B-4520489C3827 -x /opt/zimbra/conf/opendkim.conf 

If the command reports no errors, you can enable DKIM signing by running the following as user zimbra:


zmprov ms `zmhostname` +zimbraServiceEnabled opendkim


Do a real test

The easiest way to test your configuration is to send an email to a 3rd party like Gmail.