Cisco AsyncOS 8.0.1 for Email User Guide (Cisco Email Security Appliance C680)
Chapter 17      Email Authentication
DomainKeys and DKIM Authentication
DomainKeys and DKIM Authentication Workflow
Figure 17-1      Authentication Workflow
1. The administrator (domain owner) publishes a public key in the DNS name space.
2. The administrator loads the corresponding private key on the outbound Mail Transfer Agent (MTA).
3. Email submitted by an authorized user of that domain is digitally signed with that private key. The signature is inserted into the message as a DomainKeys or DKIM signature header, and the message is transmitted.
4. The receiving MTA extracts the DomainKeys or DKIM signature from the header and the claimed sending domain (from the Sender: or From: header) from the message. The public key is retrieved from the claimed signing domain, which is taken from the DomainKeys or DKIM signature header fields.
5. The public key is used to determine whether the DomainKeys or DKIM signature was generated with the appropriate private key.
To test your outgoing DomainKeys signatures, you can send to a Yahoo! or Gmail address: these services are free, and they validate incoming messages that are DomainKeys signed.
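The five steps above, carried through end to end as an added example (it is not the appliance's code and does not come from the original guide): Go with only the standard library, RSA-SHA256 over relaxed header and simple body canonicalization, signing the From:, To: and Subject: headers. The signing domain example.com, the selector sel1, the message and the in-memory map that stands in for the DNS zone are all constructed for the demonstration; the header map with one value per header name is a simplification of a real message. It implements DKIM (RFC 6376), not the older DomainKeys format, and the second call in main shows what a receiver sees when the body was altered after signing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// sample is a constructed message body used by main and the tests.
const sample = "Please find the figures attached.\r\n\r\nAlice\r\n"

// relaxedHeader applies RFC 6376 "relaxed" header canonicalization.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.Join(strings.Fields(value), " ") + "\r\n"
}

// simpleBody applies "simple" body canonicalization: drop trailing empty lines, end with one CRLF.
func simpleBody(body string) string { return strings.TrimRight(body, "\r\n") + "\r\n" }

// parseTags splits a "k=v; k=v" tag list (DKIM-Signature value or DNS TXT record) into a map.
func parseTags(value string) map[string]string {
	tags := map[string]string{}
	for _, p := range strings.Split(value, ";") {
		if kv := strings.SplitN(strings.TrimSpace(p), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// signatureInput is what b= covers: the h= headers in order, then the DKIM-Signature header itself with b= empty and no trailing CRLF.
func signatureInput(hdrs map[string]string, names []string, unsignedValue string) []byte {
	var sb strings.Builder
	for _, n := range names {
		if v, ok := hdrs[strings.ToLower(n)]; ok { // headers are keyed by lower-cased name
			sb.WriteString(relaxedHeader(n, v))
		}
	}
	sb.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", unsignedValue), "\r\n"))
	return []byte(sb.String())
}

// Sign is step 3: hash the body, then sign the listed headers plus the signature's own tags with the private key (step 2).
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs map[string]string, body string) string {
	names := []string{"from", "to", "subject"}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	digest := sha256.Sum256(signatureInput(hdrs, names, value))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return value + base64.StdEncoding.EncodeToString(sig)
}

// Verify is steps 4 and 5: fetch the key named by d= and s= from the (simulated) DNS zone, check bh=, then b=.
func Verify(zone map[string]string, hdrs map[string]string, body string) error {
	tags := parseTags(hdrs["dkim-signature"])
	if tags["v"] != "1" || tags["a"] != "rsa-sha256" || tags["c"] != "relaxed/simple" {
		return fmt.Errorf("no usable DKIM signature (missing, or unsupported algorithm)")
	}
	der, _ := base64.StdEncoding.DecodeString(parseTags(zone[tags["s"]+"._domainkey."+tags["d"]])["p"])
	key, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return fmt.Errorf("no usable RSA key record for selector %s of %s", tags["s"], tags["d"])
	}
	if bh := sha256.Sum256([]byte(simpleBody(body))); base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return fmt.Errorf("body hash mismatch: body altered in transit")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	unsigned := strings.Replace(hdrs["dkim-signature"], tags["b"], "", 1) // empty b= recovers what the signer hashed
	digest := sha256.Sum256(signatureInput(hdrs, strings.Split(tags["h"], ":"), unsigned))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("signature invalid: signed headers altered or wrong key")
	}
	return nil
}

// RoundTrip runs the workflow: publish the key (step 1), sign body, then verify what the receiver got (delivered).
func RoundTrip(body, delivered string) error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	zone := map[string]string{"sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)} // constructed DNS zone
	hdrs := map[string]string{"from": "alice@example.com", "to": "bob@example.net", "subject": "Quarterly report"}
	hdrs["dkim-signature"] = Sign(priv, "example.com", "sel1", hdrs, body)
	return Verify(zone, hdrs, delivered)
}

func main() { fmt.Println(RoundTrip(sample, sample), RoundTrip(sample, "Please wire the figures to this account.\r\n")) }
```

Two details carry over to production verifiers: the receiver pins the algorithm and canonicalization it accepts before touching the key, so a downgraded a= tag is rejected rather than honoured, and the body hash is checked before the expensive RSA operation. Extra blank lines appended in transit still verify because simple canonicalization strips them; any change to the text does not.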
DomainKeys and DKIM Signing in AsyncOS
DomainKeys and DKIM signing in AsyncOS is implemented via domain profiles and enabled via a mail flow policy (typically, the outgoing “relay” policy). For more information, see the “Configuring the Gateway to Receive Mail” chapter in the Cisco IronPort AsyncOS for Email Configuration Guide. Signing the message is the last action performed by the appliance before the message is sent.
Domain profiles associate a domain with domain key information (the signing key and related information). As email is sent via a mail flow policy on the Cisco appliance, messages whose sender email address matches a domain profile are signed with the signing key specified in that domain profile. If you enable both DKIM and DomainKeys signing, the DKIM signature is used. You implement DomainKeys and DKIM profiles via the domainkeysconfig CLI command or via the Mail Policies > Domain Profiles and Mail Policies > Signing Keys pages in the GUI.
DomainKeys and DKIM signing works like this: the domain owner generates a key pair. The public key is published in the public DNS (as a DNS TXT record associated with that domain), and the private key is stored on the appliance and used to sign mail that originates from that domain.
As messages are received on a listener used to send messages (outbound), the Cisco appliance checks whether any domain profiles exist. If domain profiles have been created on the appliance (and enabled for the mail flow policy), the message is scanned for a valid Sender: or From: address. For DomainKeys signing, the Sender: address is used when both are present; otherwise the first From: address is used. For DKIM signing, the From: address is always used. If no valid address is found, the message is not signed and the event is logged in the mail_logs.
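The address-selection and profile-matching rules just described, as an added example in Go (not the appliance's code): SigningAddress applies the Sender:/From: precedence for DomainKeys versus DKIM, and Decide resolves the chosen address to a domain profile or to an unsigned message with a log line. The Profile structure, the example.com profile table, the test messages, the exact-domain matching and the log wording are all constructed assumptions; the appliance's real profile matching and mail_logs format are not described on this page.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Profile is a simplified domain profile: the domain it covers and the selector of
// the signing key it uses (a hypothetical structure, not the appliance's own).
type Profile struct{ Domain, Selector string }

// Decision is the outcome for one message: the address the appliance matched, the
// profile it resolved to (nil when the message goes out unsigned) and the log line.
type Decision struct {
	Address string
	Profile *Profile
	Log     string
}

// firstAddress returns the first parsable address in a header value, lower-cased.
func firstAddress(hdr string) (string, bool) {
	list, err := mail.ParseAddressList(hdr)
	if err != nil || len(list) == 0 {
		return "", false
	}
	return strings.ToLower(list[0].Address), true
}

// SigningAddress picks the address matched against domain profiles: DomainKeys uses
// Sender: when it is present and valid, otherwise From:; DKIM always uses From:.
func SigningAddress(sender, from string, dkim bool) (string, bool) {
	if !dkim {
		if a, ok := firstAddress(sender); ok {
			return a, true
		}
	}
	return firstAddress(from)
}

// Decide resolves a message to a domain profile (exact domain match, a simplification
// of the appliance's matching) or to "not signed", with a mail_logs-style line.
func Decide(profiles []Profile, sender, from string, dkim bool) Decision {
	addr, ok := SigningAddress(sender, from, dkim)
	if !ok {
		return Decision{Log: "not signed: no valid Sender: or From: address"}
	}
	domain := addr[strings.LastIndex(addr, "@")+1:]
	for i := range profiles {
		if profiles[i].Domain == domain {
			return Decision{Address: addr, Profile: &profiles[i], Log: fmt.Sprintf("signing %s with profile %s (selector %s)", addr, domain, profiles[i].Selector)}
		}
	}
	return Decision{Address: addr, Log: "not signed: no domain profile matches " + domain}
}

func main() {
	profiles := []Profile{{"example.com", "sel1"}} // constructed profile table
	cases := []struct {
		sender, from string
		dkim         bool
	}{
		{"Mailer <bounces@example.com>", "Alice <alice@example.net>", false}, // DomainKeys: Sender: wins
		{"Mailer <bounces@example.com>", "Alice <alice@example.net>", true},  // DKIM: From:, and no profile matches
		{"", "Bob <bob@example.com>, carol@example.com", true},               // first From: address is used
		{"", "undisclosed", true},                                           // no valid address: logged, unsigned
	}
	for _, c := range cases {
		fmt.Println(Decide(profiles, c.sender, c.from, c.dkim).Log)
	}
}
```

The second case is the one worth noticing operationally: a message whose Sender: domain has a profile but whose From: domain does not is DomainKeys signed and DKIM unsigned, so switching a profile from DomainKeys to DKIM can silently stop signing for mail that sets a different From: domain.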