Zimbra: enforce SPF checking for incoming email

In this tutorial, I enable and configure SPF checking for incoming email with cbpolicyd. By default, the SPF checking module is not enabled and there are no SPF policies. Zimbra logs failures with "Sender address rejected: Failed SPF check". The steps to make Zimbra enforce SPF checking for incoming email are below. I run the commands as the zimbra account ( su - zimbra ).


To check whether SPF checking is enabled in policyd

$ zmprov gs `zmhostname` zimbraCBPolicydCheckSPFEnabled

If SPF checking is not enabled, enable it in policyd
$ zmprov ms `zmhostname` zimbraCBPolicydCheckSPFEnabled TRUE

Restart the policyd service

$ zmcbpolicydctl restart

Create the zimbra-cbpolicyd-spf.sql file

$ vim /opt/zimbra/data/cbpolicyd/db/zimbra-cbpolicyd-spf.sql
with the content below:

-- checkspf.PolicyID must equal policies.ID (12 here); the IDs must not already be used in your database
INSERT INTO "policies" (ID,Name,Priority,Description) VALUES(12,'CBPolicyd SPF Policies', 20, 'CBPolicyd SPF Policies');
INSERT INTO "policy_members" (ID,PolicyID,Source,Destination) VALUES(13,12, '!%internal_domains', '%internal_domains');
INSERT INTO "checkspf" (ID,PolicyID,Name,UseSPF,RejectFailedSPF,AddSPFHeader,Comment,Disabled) VALUES(6,12,'SPF Policy',1,0,1,'Zimbra CheckSPF Policy',0);

With RejectFailedSPF set to 0, this SPF policy does not reject email that fails the SPF check. To reject email that fails the SPF check, change RejectFailedSPF to 1 in the zimbra-cbpolicyd-spf.sql file:

INSERT INTO "checkspf" (ID,PolicyID,Name,UseSPF,RejectFailedSPF,AddSPFHeader,Comment,Disabled) VALUES(6,12,'SPF Policy',1,1,1,'Zimbra CheckSPF Policy',0);

Import the policy into the cbpolicyd database

$ sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb < /opt/zimbra/data/cbpolicyd/db/zimbra-cbpolicyd-spf.sql

Restart the policyd service again

$ zmcbpolicydctl restart

To check the SPF policies

$ sqlite3 /opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb
sqlite> select * from policy_groups;
sqlite> select * from policy_group_members;
sqlite> select * from policies;
sqlite> select * from policy_members;
sqlite> select * from checkspf;
sqlite> .quit
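
The same check can be scripted. The following is an added example, not part of the original tutorial or of Zimbra: it confirms the three tables exist, that every checkspf row points at an existing policy that has members, and whether failed SPF is actually rejected. The function names and the in-memory demo schema are assumptions; the demo schema holds only the columns used by the INSERT statements in this tutorial.

```python
import sqlite3

REQUIRED = ("policies", "policy_members", "checkspf")

def audit_spf_policy(conn):
    """Return a list of problems found in the cbpolicyd SPF configuration."""
    have = {r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")}
    missing = [t for t in REQUIRED if t not in have]
    if missing:
        # An import into this file would fail with "no such table"
        return ["missing table: " + t for t in missing]
    problems = []
    rows = conn.execute(
        "SELECT ID, PolicyID, UseSPF, RejectFailedSPF, Disabled FROM checkspf"
    ).fetchall()
    if not rows:
        problems.append("checkspf is empty: no SPF policy imported")
    for cid, pid, use_spf, reject, disabled in rows:
        tag = f"checkspf {cid}"
        if not conn.execute("SELECT 1 FROM policies WHERE ID=?", (pid,)).fetchone():
            problems.append(f"{tag}: PolicyID {pid} not in policies")
        elif not conn.execute(
                "SELECT 1 FROM policy_members WHERE PolicyID=?", (pid,)).fetchone():
            problems.append(f"{tag}: policy {pid} has no policy_members")
        if disabled or not use_spf:
            problems.append(f"{tag}: SPF check is switched off")
        elif not reject:
            problems.append(f"{tag}: RejectFailedSPF=0, failed SPF mail is not rejected")
    return problems

def demo_db(checkspf_policy_id, reject):
    """Constructed in-memory DB (assumed minimal schema, sample rows from this page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE policies (ID INTEGER PRIMARY KEY, Name, Priority, Description);
        CREATE TABLE policy_members (ID INTEGER PRIMARY KEY, PolicyID, Source, Destination);
        CREATE TABLE checkspf (ID, PolicyID, Name, UseSPF, RejectFailedSPF, AddSPFHeader, Comment, Disabled);
        INSERT INTO policies VALUES (12, 'CBPolicyd SPF Policies', 20, 'CBPolicyd SPF Policies');
        INSERT INTO policy_members VALUES (13, 12, '!%internal_domains', '%internal_domains');
    """)
    conn.execute("INSERT INTO checkspf VALUES (6, ?, 'SPF Policy', 1, ?, 1, 'Zimbra CheckSPF Policy', 0)",
                 (checkspf_policy_id, reject))
    return conn

if __name__ == "__main__":
    # On a server: sqlite3.connect("/opt/zimbra/data/cbpolicyd/db/cbpolicyd.sqlitedb")
    for problem in audit_spf_policy(demo_db(12, 0)):
        print("WARN", problem)
```

An empty result means the policy is linked correctly and rejects mail that fails SPF.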

To watch the Zimbra log for SPF failures

$ tail -f /var/log/zimbra.log | grep "Failed SPF check"

Good luck! I hope this is useful :)


  1. Dear, very useful tutorial... After enabling SPF on Zimbra, do I have to do any adjustment relating to SPF? Thanks a lot.

  2. Yes, thank you for reading my blog!
    After enabling SPF on Zimbra, you can check the SPF log:
    $ tailf /opt/zimbra/log/cbpolicyd.log
    $ tailf /var/log/zimbra.log | egrep "Failed SPF check"

  3. When I run sqlite I got the below:
    Error: near line 2: no such table: policies
    Error: near line 3: no such table: policy_members
    Error: near line 4: no such table: checkspf

