SPF is awesome for stopping delivery of spoofed spam and junk back-scatter, but many of the articles on how to set up SPF in Zimbra are old and out-of-date. It took a bit of research and trial-and-error, but I finally got it working.
1. Install the SPF module.
apt-get install libmail-spf-perl
2. Add scores to the SpamAssassin config. This was the hard part because the proper location keeps changing on me. As of Zimbra 8.5 and later, the reported location to customize SpamAssassin is here:
/opt/zimbra/data/spamassassin/localrulesI refer to this article for the latest location for customizing SpamAssassin: https://wiki.zimbra.com/wiki/Anti-spam_Strategies#Customizing_SpamAssassin
Edit the file in here called local.cf and pop in the scores. You'll notice this file contains a comment at that top that says something like, "This is the place to customize SpamAssassin..." I've also seen a file called user_prefs.cf being used instead. To be honest I don't think the file name matters much because SpamAssassin reads all the cf files in this folder.
The scores should look like this. Customize them to suit your needs.
# SPF Check
score SPF_SOFTFAIL 2.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
3. Restart Zimbra.
su - zimbra
4. Search /var/log/zimbra.log for SPF. You should see a line in the log that indicates the SPF module is starting.
cat zimbra.log | grep SPF
5. Hopefully you won't receive any more spoofed email. If you do, then check the mail headers and see if the SPF check is listed. Perhaps you have to adjust your scores.
UPDATE - 2014/10/23
I updated this article for Zimbra 8.5 running on Ubuntu 14.04.
UPDATE - 2015/2/20
Tested and working with Zimbra 8.6.
It's a good idea to match your Zimbra MTA hostname given during an EHLO with the hostname associated with your public IP address.su - zimbrazmprov mcf zimbraMta...
What follows is an outline I compiled while building an Ubuntu server for running the Joomla CMS on the Nginx web server. NOTE: Ubuntu 14.04 LTS was used for th...