Zimbra Best Practices: Improve outgoing Email Security | Zimbra

Today, in this article, we want to cover an interesting aspect to be considered once you have Zimbra installed: how to improve the security of the emails you send.

Zimbra offers various Email Protection resources to choose from, in particular SPF, DKIM, DMARC and rDNS. In this article we are going to know them better and see how they work, giving you the opportunity to later evaluate how many and which ones to implement depending on your business needs.

What is important to consider, is that your main goal is to verify and increase the “reputation” of your emails, so that they are not considered spam by the mail servers that receive them. Therefore, we are going to see in detail how the resources offered by Zimbra can help us in this sense.

Sender Policy Framework

Sender Policy Framework (SPF), is an email verification system, designed to avoid undesired emails using a spoofing system. This process is done by comparing the source IP address (from which the email is sent) with the data in a DNS TXT record with a SPF content.

To learn how to configure it in the right way, you can refer to this article: How To Configure Zimbra SPF for Outgoing Emails?

Once the configuration is complete, you can perform some checks to make sure you have entered everything correctly, as explained in this article: How to Verify Your SPF Record

DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM), is a method to combine the domain name and email, allowing a person or company to take responsibility for the email. It works through the use of a digital signature, tied to a domain name, for each sent email. This way you can verify that the email sent from a given domain is actually authorized by the owner.

To learn how to configure it in the right way, you can refer to this article: How To Configure Zimbra DKIM to Sign Outgoing Emails?

Once the configuration is complete, you can verify that everything is working fine following the instruction you can find in the following article: How to Verify Your DKIM Signature

Domain-based Message Authentication, Reporting & Conformance

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a technical specification created by a group of organizations with the goal of helping to reduce the potential for email-based abuse. This is accomplished by solving a couple of long-standing problems with e-mail authentication protocols at the operational, deployment, and reporting levels.

It works by publishing a policy within your DNS records that determines whether to use DKIM, SPF or both for sending mail from your domain. This allows you to protect your domain from fraudulent emails.

To learn how to configure it in the right way, you can refer to this article: How To Configure Zimbra DMARC?

Once the configuration is complete, you can check that you have entered your records correctly, as explained in this article: How to Verify Your DMARC Record

reverse DNS

The reverse DNS resolution (rDNS) is a definition of the domain name that is associated with an IP.

Please note that some email companies will reject any email that doesn’t have a valid rDNS.

It is a crucial routine and one of the first performed by admins. This is both because of what is stated in the note above, and because of its usefulness as an anti-spam technique. The reason for this is that it allows you to check whether an address is dynamically assigned, which is highly unlikely to be done by a legitimate mail server, with the consequence that e-mails sent from such an address are more likely to be considered as spam.

rDNS configurations are published in the public DNS as PTR records, so in order to properly set up rDNS, you need first to create the reverse zone domain and then add a PTR record to it. To learn how to configure it, you can read the following article:  How To Configure Zimbra rDNS?

To verify that your rDNS works fine, you can refer to the instruction you can find in the following article: How to Verify Your rDNS Record