Cisco Email Security Appliance C650 User Guide
Chapter 5 Email Authentication
5-254
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
DomainKeys and DKIM Signing in AsyncOS
DomainKeys and DKIM signing in AsyncOS is implemented via domain profiles
and enabled via a mail flow policy (typically, the outgoing “relay” policy). For
more information, see the “Configuring the Gateway to Receive Mail” chapter in
the Cisco IronPort AsyncOS for Email Configuration Guide. Signing the message
is the last action performed by the appliance before the message is sent.
Domain profiles associate a domain with domain key information (signing key
and related information). As email is sent via a mail flow policy on the Cisco
IronPort appliance, sender email addresses that match any domain profile are
DomainKeys signed with the signing key specified in the domain profile. If you
enable both DKIM and DomainKeys signing, the DKIM signature is used. You
implement DomainKeys and DKIM profiles via the
domainkeysconfig CLI command or via the Mail Policies > Domain Profiles and the
Mail Policies > Signing Keys pages in the GUI.
DomainKeys and DKIM signing works like this: a domain owner generates two
keys: a public key, published in the public DNS as a TXT record associated with
that domain, and a private key, stored on the appliance, that is used to sign mail
that is sent (mail that originates) from that domain.
As messages are received on a listener used to send messages (outbound), the
Cisco IronPort appliance checks to see if any domain profiles exist. If there are
domain profiles created on the appliance (and implemented for the mail flow
policy), the message is scanned for a valid Sender: or From: address. If both are
present, the Sender: is used for DomainKeys. The From: address is always used
for DKIM signing. Otherwise, the first From: address is used. If a valid address is
not found, the message is not signed and the event is logged in the mail_logs.
Note
If you create both a DomainKey and DKIM profile (and enable signing on a mail
flow policy), AsyncOS signs outgoing messages with both a DomainKeys and
DKIM signature.
If a valid sending address is found, the sending address is matched against the
existing domain profiles. If a match is found, the message is signed. If not, the
message is sent without signing. If the message already carries a DomainKeys
signature (a “DomainKey-Signature:” header), the message is only signed if a new
sender address has been added after the original signing. If a message has an
existing DKIM signature, a new DKIM signature is added to the message.
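The address-selection and profile-matching rules above, modelled as a small Python decision function. This is an added illustration written for this page, not Cisco code and not AsyncOS's actual implementation: the domain profile table, the sample messages, the selector name and the "added after signing" test (a Sender: header not covered by the existing DomainKey-Signature's h= tag is treated as added later) are all constructed assumptions. The helper that renders the DNS TXT record name and value follows the standard DKIM layout (selector._domainkey.domain, "v=DKIM1; k=rsa; p=...").

```python
"""Model of the DomainKeys/DKIM signing decision this section describes.
Added illustration (not Cisco's code); profiles and messages are constructed."""
from email import message_from_string
from email.utils import getaddresses

# Constructed domain profiles, keyed by sending domain (assumption: one
# profile per domain, holding the selector and the name of the private key).
DOMAIN_PROFILES = {
    "example.com": {"selector": "sel2024", "key": "example-com-rsa"},
}


def _addresses(msg, header):
    """All non-empty addresses found in the given header(s), in order."""
    return [a for _, a in getaddresses(msg.get_all(header, [])) if a]


def select_signing_address(msg, scheme):
    """DomainKeys uses Sender: when present, otherwise the first From:;
    DKIM always uses the first From: address."""
    if scheme == "domainkeys":
        senders = _addresses(msg, "Sender")
        if senders:
            return senders[0]
    froms = _addresses(msg, "From")
    return froms[0] if froms else None


def match_profile(address):
    """Look up the domain profile for the address's domain, or None."""
    if "@" not in address:
        return None
    return DOMAIN_PROFILES.get(address.rsplit("@", 1)[1].lower())


def _signed_headers(dk_signature):
    """Header names listed in the h= tag of a DomainKey-Signature header."""
    for tag in dk_signature.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "h":
            return {h.strip().lower() for h in value.split(":") if h.strip()}
    return set()


def sender_added_after_signing(msg):
    """Simplifying assumption (not Cisco's stated method): a Sender: header
    that the existing DomainKey-Signature's h= tag does not cover is treated
    as having been added after the original signing."""
    sig = msg.get("DomainKey-Signature")
    if not sig or msg.get("Sender") is None:
        return False
    return "sender" not in _signed_headers(sig)


def signing_decision(raw_message, scheme):
    """Return (action, reason) for one message under one signing scheme."""
    msg = message_from_string(raw_message)
    address = select_signing_address(msg, scheme)
    if address is None:
        return ("skip", "no valid Sender:/From: address (logged to mail_logs)")
    profile = match_profile(address)
    if profile is None:
        return ("skip", f"no domain profile matches {address}")
    if scheme == "domainkeys" and msg.get("DomainKey-Signature"):
        if not sender_added_after_signing(msg):
            return ("skip", "existing DomainKey-Signature and no new sender address")
        return ("sign", f"re-sign with key {profile['key']} (new sender address)")
    if scheme == "dkim" and msg.get("DKIM-Signature"):
        return ("sign", f"add a second DKIM-Signature with key {profile['key']}")
    return ("sign", f"sign with key {profile['key']}, selector {profile['selector']}")


def dkim_dns_record(domain, selector, public_key_b64):
    """Name and value of the TXT record a verifier queries for the public key."""
    return (f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={public_key_b64}")


# Constructed sample messages (headers only; signature values are placeholders).
PLAIN = "From: Alice <alice@example.com>\nTo: bob@other.org\nSubject: hi\n\nbody\n"
WITH_SENDER = "Sender: list@other.org\nFrom: alice@example.com\nSubject: hi\n\nbody\n"
DK_SIGNED_NEW_SENDER = (
    "DomainKey-Signature: a=rsa-sha1; s=sel2024; d=example.com; c=simple; "
    "q=dns; h=from:to:subject; b=AAAA\n"
    "Sender: alice@example.com\nFrom: alice@example.com\nTo: x@other.org\n"
    "Subject: hi\n\nbody\n"
)
DK_SIGNED_SAME = (
    "DomainKey-Signature: a=rsa-sha1; s=sel2024; d=example.com; c=simple; "
    "q=dns; h=sender:from:subject; b=AAAA\n"
    "Sender: alice@example.com\nFrom: alice@example.com\nSubject: hi\n\nbody\n"
)

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("with_sender", WITH_SENDER),
               ("dk_new_sender", DK_SIGNED_NEW_SENDER), ("dk_same", DK_SIGNED_SAME)]
    for name, raw in samples:
        for scheme in ("domainkeys", "dkim"):
            print(name, scheme, signing_decision(raw, scheme))
```

Running the block prints one decision per sample and scheme; the second sample shows the asymmetry the text describes: DomainKeys takes the list's Sender: address (no profile, so no signature) while DKIM still signs on the From: domain.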