Cisco Email Security Appliance C160 User Manual

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 22: Email Authentication
Configuring DomainKeys and DKIM Signing
DomainKeys and DKIM signing work as follows. A domain owner generates two keys: a public key 
stored in the public DNS (a DNS TXT record associated with that domain) and a private key that is stored 
on the appliance and used to sign mail that is sent (mail that originates) from that domain.
As messages are received on a listener used to send messages (outbound), the appliance checks whether 
any domain profiles exist. If domain profiles have been created on the appliance (and implemented for the 
mail flow policy), the message is scanned for a valid Sender: or From: address. If both are present, the 
Sender: address is used for DomainKeys signing. The From: address is always used for DKIM signing. Otherwise, the 
first From: address is used. If a valid address is not found, the message is not signed and the event is 
logged in the mail_logs.
Note: If you create both a DomainKey and DKIM profile (and enable signing on a mail flow policy), AsyncOS 
signs outgoing messages with both a DomainKeys and DKIM signature.
If a valid sending address is found, the sending address is matched against the existing domain profiles. 
If a match is found, the message is signed. If not, the message is sent without signing. If the message has 
an existing DomainKeys signature (a “DomainKey-Signature:” header), the message is signed only if a new sender 
address has been added after the original signing. If a message has an existing DKIM signature, a new 
DKIM signature is added to the message.
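The signing decision described above, modelled as an added Python example (it is not Cisco code and not AsyncOS output). The profile table, the exact-domain match, the test for a "valid" address and the decision labels are assumptions made for illustration; the re-signing condition for an existing DomainKey-Signature is reported, not evaluated.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed profile table: signing scheme -> domains that have a domain profile.
PROFILES = {"domainkeys": {"example.com"}, "dkim": {"example.com"}}

def first_domain(msg, header):
    """Domain of the first usable address in a header, or None (assumed validity test)."""
    for _name, addr in getaddresses(msg.get_all(header, [])):
        local, _at, domain = addr.rpartition("@")
        if local and domain:
            return domain.lower()
    return None

def signing_plan(raw, profiles=PROFILES):
    """Return {scheme: (decision, domain)} following the flow in the text."""
    msg = message_from_string(raw)
    sender, from_ = first_domain(msg, "Sender"), first_domain(msg, "From")
    # DomainKeys uses Sender: when both headers are present, otherwise From:.
    # DKIM always uses From:.
    identity = {"domainkeys": sender if sender and from_ else from_, "dkim": from_}
    existing = {"domainkeys": "DomainKey-Signature", "dkim": "DKIM-Signature"}
    plan = {}
    for scheme, domain in identity.items():
        if domain is None:
            decision = "unsigned-no-valid-address"   # event is logged in mail_logs
        elif domain not in profiles.get(scheme, set()):
            decision = "unsigned-no-profile"         # sent without signing
        elif msg[existing[scheme]] is None:
            decision = "sign"
        elif scheme == "dkim":
            decision = "sign-additional"             # a new DKIM signature is added
        else:
            decision = "resign-only-if-new-sender"   # condition not evaluated here
        plan[scheme] = (decision, domain)
    return plan

# Constructed sample messages (not taken from a real mail flow).
DELEGATED = "From: Alice <alice@example.com>\nSender: relay@partner.example\n\nhi\n"
FORWARDED = ("DKIM-Signature: v=1; d=example.com; s=constructed\n"
             "From: bob@EXAMPLE.com\n\nhi\n")
NO_ADDRESS = "From: undisclosed-recipients\n\nhi\n"

if __name__ == "__main__":
    for name, raw in [("delegated", DELEGATED), ("forwarded", FORWARDED),
                      ("no-address", NO_ADDRESS)]:
        print(name, signing_plan(raw))
```

The DELEGATED case shows the gap worth auditing for: a Sender: domain without a profile leaves the DomainKeys signature off even though the From: domain is still DKIM-signed.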
AsyncOS provides a mechanism for signing email based on domain as well as a way to manage (create 
new or input existing) signing keys.
The configuration descriptions in this document represent the most common uses for signing and 
verification. You can also enable DomainKeys and DKIM signing on a mail flow policy for inbound 
email, or enable DKIM verification on a mail flow policy for outbound email.
Note: When you configure domain profiles and signing keys in a clustered environment, note that the Domain 
Key Profile settings and Signing Key settings are linked. Therefore, if you copy, move or delete a signing 
key, the same action is taken on the related profile.
Configuring DomainKeys and DKIM Signing
Related Topics