Cisco Email Security Appliance C160 User Manual
Chapter 5 Email Authentication
5-4
Cisco IronPort AsyncOS 7.5 for Email Advanced Configuration Guide
OL-25137-01
Domain profiles associate a domain with domain key information (signing key
and related information). As email is sent via a mail flow policy on the Cisco
IronPort appliance, sender email addresses that match any domain profile are
DomainKeys signed with the signing key specified in the domain profile. If you
enable both DKIM and DomainKeys signing, the DKIM signature is used. You
implement DomainKeys and DKIM profiles via the domainkeysconfig CLI
command or via the Mail Policies > Domain Profiles and the Mail Policies >
Signing Keys pages in the GUI.
DomainKeys and DKIM signing works like this: a domain owner generates two
keys — a public key stored in the public DNS (a DNS TXT record associated with
that domain) and a private key, stored on the appliance, that is used to sign mail
that is sent (mail that originates) from that domain.
As messages are received on a listener used to send messages (outbound), the
Cisco IronPort appliance checks to see if any domain profiles exist. If there are
domain profiles created on the appliance (and implemented for the mail flow
policy), the message is scanned for a valid Sender: or From: address. If both are
present, the Sender: is used for DomainKeys. The From: address is always used
for DKIM signing. Otherwise, the first From: address is used. If a valid address is
not found, the message is not signed and the event is logged in the mail_logs.
Note
If you create both a DomainKey and DKIM profile (and enable signing on a mail
flow policy), AsyncOS signs outgoing messages with both a DomainKeys and
DKIM signature.
If a valid sending address is found, the sending address is matched against the
existing domain profiles. If a match is found, the message is signed. If not, the
message is sent without signing. If the message has an existing DomainKeys
signature (a “DomainKey-Signature:” header), the message is only signed if a new
sender address has been added after the original signing. If a message has an
existing DKIM signature, a new DKIM signature is added to the message.
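As an added illustration (not Cisco code) of the address-selection and profile-matching rules described above, the following Python models the signing decision for one outbound message. The domain profiles and selectors are constructed values, and treating the h= tag of an existing DomainKey-Signature: header as the test for "a sender address added after signing" is an assumption made for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed domain profiles (domain -> DNS selector); example values only.
DOMAIN_PROFILES = {"example.com": "sel2011", "mail.example.net": "corp"}


def signing_address(msg, scheme):
    """DomainKeys uses Sender: when present, else From:; DKIM always uses the first From:."""
    header = "Sender" if scheme == "domainkeys" and msg.get("Sender") else "From"
    addr = parseaddr(msg.get(header, ""))[1]
    return (header.lower(), addr) if "@" in addr else (header.lower(), None)


def domainkeys_signed_headers(signature):
    """Header names covered by an existing DomainKey-Signature: (its h= tag); None means all."""
    for tag in signature.split(";"):
        name, _, value = tag.strip().partition("=")
        if name == "h":
            return {h.strip().lower() for h in value.split(":")}
    return None


def signing_decision(raw_message, profiles=DOMAIN_PROFILES):
    """Return ({scheme: selector or None}, mail_logs-style notes) for an outbound message."""
    msg = message_from_string(raw_message)
    decision, log = {}, []
    for scheme in ("domainkeys", "dkim"):
        header, addr = signing_address(msg, scheme)
        if addr is None:
            decision[scheme] = None
            log.append(f"{scheme}: no valid Sender:/From: address, not signed")
            continue
        selector = profiles.get(addr.rsplit("@", 1)[1].lower())
        if selector is None:
            log.append(f"{scheme}: {addr} matches no domain profile, sent unsigned")
        elif scheme == "domainkeys" and msg.get("DomainKey-Signature"):
            # Assumption: a sender header not covered by the original h= tag is treated
            # as a sender address added after signing, the only case that is re-signed.
            covered = domainkeys_signed_headers(msg["DomainKey-Signature"])
            if covered is None or header in covered:
                selector = None
                log.append("domainkeys: existing signature covers sender, not re-signed")
        # An existing DKIM-Signature: is kept and a second DKIM signature is added.
        decision[scheme] = selector
    return decision, log
```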
AsyncOS provides a mechanism for signing email based on domain as well as a
way to manage (create new or input existing) signing keys.
The configuration descriptions in this document represent the most common uses
for signing and verification. You can also enable DomainKeys and DKIM signing
on a mail flow policy for inbound email, or enable DKIM verification on a mail
flow policy for outbound email.