I've started to use the dnsmasq split DNS setup on new Zimbra servers now because of how much simpler it is than the bind-based setup and how much less likely I have been to miss a step or end up having trouble with it.
However, it appears that something I've done has changed the way that DNSBL lookups are working, such that on the servers where I'm using the bind setup, I'm getting URIBL_BLACK, RED, and GREY rules triggering properly, but on the servers I'm using dnsmasq with, I'm instead getting URIBL_BLOCK, which is a SpamAssassin "rule" that simply indicates that my lookups are being blocked by the URIBL guys. Both of the servers in question are ZCS 8.0.4 on RHEL 6.4. One is NE, the other is OSS. This has had a substantially negative effect on my ability to block spam. I've followed the Split DNS article for dnsmasq, I'm not having any mail transport issues, and I've successfully checked everything in the "verify" section of the Split DNS article.
One difference I've noticed between the bind setups and the dnsmasq setups is that the dnsmasq setup actually wants me to put in an upstream DNS server. The bind setup doesn't. My ISP and/or Google's DNS probably are blocked from doing URIBL lookups because of how heavily they're used by so many people. Any way I can configure dnsmasq to keep Zimbra happy and the DNSBLs happy at the same time?
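One way to tell a blocked resolver apart from a real listing, as an added example that is not part of the original post: the sketch below decodes the A records a `multi.uribl.com` query returns into the SpamAssassin rule names mentioned above. The bit values are assumed to be those of the stock SpamAssassin URIBL rules, and the function names (`query_name`, `classify`, `lookup`) are hypothetical.

```python
import ipaddress
import socket

# Bit values of the last octet, as used by SpamAssassin's stock
# multi.uribl.com rules (assumption: default rule set, not customised).
URIBL_BITS = {1: "URIBL_BLOCK", 2: "URIBL_BLACK", 4: "URIBL_GREY", 8: "URIBL_RED"}
ZONE = "multi.uribl.com"


def query_name(domain, zone=ZONE):
    """Name that is looked up for a domain found in a message body."""
    return f"{domain.strip('.').lower()}.{zone}"


def classify(answers):
    """Map the A records returned for a URIBL query to rule names.

    answers: list of dotted-quad strings; an empty list means no answer.
    """
    result = {"rules": [], "blocked": False, "unexpected": []}
    for text in answers:
        addr = ipaddress.IPv4Address(text)
        if addr not in ipaddress.IPv4Network("127.0.0.0/24"):
            # e.g. an upstream resolver rewriting NXDOMAIN to a search page
            result["unexpected"].append(text)
            continue
        octet = int(addr) & 0xFF
        for bit, rule in URIBL_BITS.items():
            if octet & bit and rule not in result["rules"]:
                result["rules"].append(rule)
    result["blocked"] = "URIBL_BLOCK" in result["rules"]
    return result


def lookup(domain):
    """Live query through the system resolver (dnsmasq on a split-DNS host)."""
    try:
        return socket.gethostbyname_ex(query_name(domain))[2]
    except socket.gaierror:
        return []  # no answer: not listed, or the lookup itself failed


if __name__ == "__main__":
    # Constructed answers: blocked resolver, combined listing, clean domain.
    for sample in (["127.0.0.1"], ["127.0.0.14"], []):
        print(sample, classify(sample))
```

Running `classify(lookup(domain))` on a bind host and on a dnsmasq host for the same domain shows whether the two resolver paths get different answers from URIBL.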