Cisco Email Security Appliance C160 User Manual

Cisco AsyncOS 8.5.6 for Email User Guide
 
Chapter 19      Email Authentication
  How to Verify Incoming Messages Using DKIM
Note
When the message body is greater than the specified length, AsyncOS returns the following verdict: 
dkim = pass (partially verified [x bytes])
where x represents the number of bytes verified.
The final verification result is entered as an Authentication-Results header. For example, you might get a header that looks like one of the following:
Authentication-Results: example1.com
    header.from=From:user123@example.com; dkim=pass (signature verified)
Authentication-Results: example1.com
    header.from=From:user123@example.com; dkim=pass (partially verified [1000 bytes])
Authentication-Results: example1.com
    header.from=From:user123@example.com; dkim=permfail (body hash did not verify)
Note
Current DKIM verification stops at the first valid signature. It is not possible to verify using the last signature encountered. This functionality may be available in a later release.
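The following Python sketch is an added example, not code from the Cisco guide or from AsyncOS. It parses the verdict layout shown in the headers above and flags a "pass" that covered only part of the body, since bytes beyond the verified length are not protected by the signature. The function names and the sample message are assumptions made for illustration, and the body size is an approximation that normalizes line endings to CRLF without applying DKIM canonicalization.

```python
import re
from email import message_from_string

# Verdict layout taken from the header examples above: dkim=<result> (<comment>)
VERDICT_RE = re.compile(r"dkim\s*=\s*(\w+)\s*\(([^)]*)\)")
PARTIAL_RE = re.compile(r"partially verified \[(\d+) bytes\]")

def parse_verdict(header_value):
    """Return (result, comment, verified_bytes); verified_bytes is None unless partial."""
    m = VERDICT_RE.search(header_value)
    if m is None:
        return None
    result, comment = m.group(1).lower(), m.group(2).strip()
    partial = PARTIAL_RE.search(comment)
    return result, comment, int(partial.group(1)) if partial else None

def body_length_crlf(raw_message):
    """Approximate body size in bytes with CRLF line endings (no DKIM canonicalization)."""
    parts = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)
    body = parts[1] if len(parts) > 1 else ""
    return len("".join(line + "\r\n" for line in body.splitlines()).encode("utf-8"))

def review_message(raw_message):
    """List DKIM verdicts, flagging passes that leave body bytes uncovered."""
    msg = message_from_string(raw_message)
    body_len = body_length_crlf(raw_message)
    findings = []
    for value in msg.get_all("Authentication-Results", []):
        parsed = parse_verdict(value)
        if parsed is None:
            continue
        result, comment, verified = parsed
        unverified = max(body_len - verified, 0) if verified is not None else 0
        findings.append({"result": result, "comment": comment,
                         "unverified_bytes": unverified,
                         "flag": result == "pass" and unverified > 0})
    return findings

# Constructed sample message (not from the guide): 22 verified bytes, then appended text.
SAMPLE = (
    "Authentication-Results: example1.com\n"
    "    header.from=From:user123@example.com; dkim=pass (partially verified [22 bytes])\n"
    "From: user123@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "Signed part of body.\n"
    "Text appended after the signed length.\n"
)

if __name__ == "__main__":
    for finding in review_message(SAMPLE):
        print(finding)
```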
Managing DKIM Verification Profiles
A DKIM verification profile is a list of parameters that the Email Security appliance’s mail flow policies use for verifying DKIM signatures. For example, you can create two verification profiles, one that allows 30 seconds before a query times out and a second that allows only 3 seconds before a query times out. You can assign the second verification profile to the Throttled mail flow policy to prevent connection starvation in case of a DDoS. A verification profile consists of the following information:
• A name for the verification profile.
• The smallest and largest acceptable public key size. The default key sizes are 512 and 2048, respectively.
• The maximum number of signatures in the message to verify. If a message has more signatures than the maximum number you defined, the appliance skips verification of the remaining signatures and continues to process the message. The default is 5 signatures.
• The maximum allowed difference in time (in seconds) between the sender’s system time and the verifier’s. For example, if the message signature expires at 05:00:00 and the verifier’s system time is 05:00:30, the message signature is still valid if the allowed difference in time is 60 seconds, but it is invalid if the allowed difference is 10 seconds. The default is 60 seconds.
• An option for whether to use a body length parameter.
• The SMTP action to take in case of a temporary failure.
• The SMTP action to take in case of a permanent failure.
You can search through all of your existing verification profiles by the profile name.
You can export your DKIM verification profiles as a text file in your appliance’s configure directory. When you export the verification profiles, all of the profiles existing on the appliance are put into a single text file. See