Cisco Email Security Appliance C650 User Guide

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 24      FIPS Management
Managing Keys for DKIM Signing and Verification
For an overview of how DomainKeys and DKIM work on the Email Security 
appliance, see 
DKIM Signing
When creating a DKIM signing key, you specify a key size. Email Security 
appliances in FIPS mode only support the 1024-, 1536-, and 2048-bit key sizes. 
Larger key sizes are more secure; however, larger keys can have an impact on 
performance.
The appliance cannot be switched to FIPS mode if it has any non-compliant RSA 
keys in use. It displays an error message instead. 
FIPS-compliant signing keys are available for use in domain profiles and appear 
in the Signing Key list when creating or editing a domain profile using the Mail 
Policies > Domain Profiles page. Once you have associated a signing key with a 
domain profile, you can create a DNS text record that contains your public key. 
You do this via the Generate link in the DNS Text Record column in the domain 
profile listing (or via domainkeysconfig -> profiles -> dnstxt in the CLI).
DKIM Verification
The appliance requires a message to use a FIPS-compliant key in order to verify 
a DKIM signature. If the signature does not use a FIPS-compliant key, the 
appliance returns a permanent failure.