Cisco Email Security Appliance X1050 User Guide
Cisco AsyncOS 8.0.2 for Email User Guide
Chapter 17 Email Authentication
Configuring DomainKeys and DKIM Signing
Note
If you create both a DomainKey and DKIM profile (and enable signing on a mail flow policy), AsyncOS
signs outgoing messages with both a DomainKeys and DKIM signature.
If a valid sending address is found, the sending address is matched against the existing domain profiles.
If a match is found, the message is signed. If not, the message is sent without signing. If the message has
an existing DomainKeys signature (a “DomainKey-Signature:” header), the message is signed only if a new
sender address has been added after the original signing. If a message has an existing DKIM signature, a new
DKIM signature is added to the message.
AsyncOS provides a mechanism for signing email based on domain as well as a way to manage (create
new or input existing) signing keys.
The configuration descriptions in this document represent the most common uses for signing and
verification. You can also enable DomainKeys and DKIM signing on a mail flow policy for inbound
email, or enable DKIM verification on a mail flow policy for outbound email.
Note
When you configure domain profiles and signing keys in a clustered environment, note that the Domain
Key Profile settings and Signing Key settings are linked. Therefore, if you copy, move or delete a signing
key, the same action is taken on the related profile.
Signing Keys
A signing key is the private key stored on the Cisco appliance. When creating a signing key, you specify
a key size. Larger key sizes are more secure; however, larger keys can also impact performance. The
Cisco appliance supports keys from 512 bits up to 2048 bits. The 768- to 1024-bit key sizes are considered
secure and used by most senders today. Keys based on larger key sizes can impact performance and are
not supported above 2048 bits. For more information about creating signing keys, see
If you are entering an existing key, simply paste it into the form. Another way to use existing signing
keys is to import the key as a text file. For more information about adding existing signing keys, see
Once a key is entered, it is available for use in domain profiles, and will appear in the Signing Key
drop-down list in the domain profile.
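Added example (not from the Cisco guide or AsyncOS): a check of the RSA key size actually published in a DKIM DNS key record, compared with the 512 to 2048 bit range stated above. The function names, the filler sample keys and the 1024-bit POLICY_FLOOR (the signer minimum in RFC 8301) are assumptions of this example.

```python
import base64

APPLIANCE_RANGE = (512, 2048)  # key sizes this guide says the appliance supports
POLICY_FLOOR = 1024            # assumption: signer minimum from RFC 8301, not from this guide

def _tlv(buf, pos, want):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag {want:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def rsa_key_bits(txt_record):
    """Bit length of the RSA modulus published in a DKIM key record's p= tag."""
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in txt_record.split(";") if "=" in t)}
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA key in record (other key type, or empty p= revocation)")
    der = base64.b64decode("".join(tags["p"].split()), validate=True)
    start, _ = _tlv(der, 0, 0x30)          # SubjectPublicKeyInfo SEQUENCE
    _, end = _tlv(der, start, 0x30)        # AlgorithmIdentifier, skipped
    start, _ = _tlv(der, end, 0x03)        # subjectPublicKey BIT STRING
    start, _ = _tlv(der, start + 1, 0x30)  # past unused-bits byte: RSAPublicKey
    start, end = _tlv(der, start, 0x02)    # modulus INTEGER
    return int.from_bytes(der[start:end], "big").bit_length()

def assess(txt_record):
    bits = rsa_key_bits(txt_record)
    if not APPLIANCE_RANGE[0] <= bits <= APPLIANCE_RANGE[1]:
        return bits, "outside appliance range"
    return bits, "ok" if bits >= POLICY_FLOOR else "below policy floor"

def constructed_record(bits):
    """Constructed sample: a filler modulus in a real SPKI wrapper (not a usable key)."""
    def der(tag, body):
        n = len(body)
        head = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
        return bytes([tag]) + head + body
    rsa = der(0x30, der(0x02, b"\x00\xc3" + b"\x5a" * (bits // 8 - 1)) + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(der(0x30, alg + der(0x03, b"\x00" + rsa))).decode()

if __name__ == "__main__":
    print([assess(constructed_record(s)) for s in (512, 768, 1024, 2048, 4096)])
```

To audit a live domain, pass the TXT value returned for selector._domainkey.example.com to assess().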
Exporting and Importing Signing Keys
You can export your signing keys to a text file on the Cisco appliance. When you export keys, all of the
keys currently existing on the appliance are put into a text file. For more information about exporting
keys, see
You can import keys that have been exported as well.
Note
Importing keys causes all of the current keys on the appliance to be replaced.