Cisco Email Security Appliance C650 User Guide
Cisco IronPort AsyncOS 7.5 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5 Email Authentication
Domain Keys and Logging
Lines such as the following are added to the mail logs upon DomainKeys signing:

Tue Aug 28 15:29:30 2007 Info: MID 371 DomainKeys: signing with dk-profile - matches user123@example.com
Tue Aug 28 15:34:15 2007 Info: MID 373 DomainKeys: cannot sign - no profile matches user12@example.com

Lines such as these are added to the mail logs upon DKIM signing:

Tue Aug 28 15:29:54 2007 Info: MID 372 DKIM: signing with dkim-profile - matches user@example.com
Tue Aug 28 15:34:15 2007 Info: MID 373 DKIM: cannot sign - no profile matches user2@example.com

Configuring DKIM Verification
In addition to signing outgoing mail, you can use DKIM to verify incoming mail.
To configure DKIM verification, you need to:
• Enable DKIM verification on a mail flow policy for inbound mail.
• Optionally, configure a content filter to perform an action for DKIM verified emails using the DKIM authentication condition.
When you configure an AsyncOS appliance for DKIM verification, the following checks are performed:
Step 1
AsyncOS checks for the DKIM-Signature field in incoming mail, the syntax of the signature header, valid tag values, and required tags. If the signature fails any of these checks, AsyncOS returns a permfail.
Step 2
After the signature check is performed, the public key is retrieved from the public DNS record, and the TXT record is validated. If errors are encountered during this process, AsyncOS returns a permfail. A tempfail occurs if the DNS query for the public key fails to get a response.
Step 3
After retrieving the public key, AsyncOS checks the hashed values and verifies the signature. If any failures occur during this step, AsyncOS returns a permfail.
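
The verification checks in Steps 1 to 3, as an added Python example (not Cisco's code and not part of the original guide): it maps Step 1, Step 2 and the body-hash half of Step 3 to permfail or tempfail the way the steps describe. The required-tag list and canonicalization rules follow RFC 6376; dkim_precheck, lookup_txt and the sample values are hypothetical names chosen for this example, and the RSA check of the b= value is assumed to happen afterwards.

```python
import base64, hashlib, re

REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}  # required signature tags (RFC 6376)

def parse_tags(text):
    """Parse a tag=value list; None on bad syntax or a duplicate tag."""
    tags = {}
    for item in filter(None, (p.strip() for p in text.split(";"))):
        name, sep, val = (s.strip() for s in item.partition("="))
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name) or name in tags:
            return None
        tags[name] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def body_hash(body, algo, canon):
    """Base64 body hash under 'simple' or 'relaxed' body canonicalization."""
    if canon == "relaxed":
        body = re.sub(rb"[ \t]+", b" ", body)       # collapse whitespace runs
        body = re.sub(rb" (?=\r\n|\Z)", b"", body)  # strip whitespace at line ends
    body = re.sub(rb"(\r\n)*\Z", b"", body)         # ignore trailing empty lines
    if body or canon == "simple":
        body += b"\r\n"
    h = hashlib.sha1 if algo == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(h(body).digest()).decode()

def dkim_precheck(sig_header, body, lookup_txt):
    """lookup_txt(name) -> TXT string, or None when the DNS query got no response."""
    sig = parse_tags(sig_header)  # Step 1: syntax, required tags, tag values
    if sig is None or REQUIRED - set(sig):
        return "permfail", "bad syntax or required tag missing"
    canon = (sig.get("c", "simple/simple") + "/simple").split("/")[1]
    if (sig["v"] != "1" or sig["a"] not in ("rsa-sha1", "rsa-sha256")
            or canon not in ("simple", "relaxed")):
        return "permfail", "invalid tag value"
    txt = lookup_txt(f"{sig['s']}._domainkey.{sig['d']}")  # Step 2: key record
    if txt is None:
        return "tempfail", "no response to key query"
    key = parse_tags(txt)
    if not key or not key.get("p"):
        return "permfail", "invalid or revoked key record"
    if body_hash(body, sig["a"], canon) != sig["bh"]:  # Step 3, body-hash half
        return "permfail", "body hash mismatch"
    return "ok", "b= signature verification would follow (not done here)"

# Constructed sample input (not from the page); the b= and p= values are dummies.
BODY = b"Hello  world \r\n\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; h=from:to; "
       "bh=" + body_hash(BODY, "rsa-sha256", "relaxed") + "; b=AAAA")
ZONE = {"sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=AAAA"}
```

Calling dkim_precheck(SIG, BODY, ZONE.get) exercises the passing path; swapping in a resolver that returns None shows the tempfail case from Step 2.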