Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 22 Email Authentication
Email Authentication Overview
DomainKeys and DKIM consist of two main parts: signing and verification. AsyncOS supports the 
“signing” half of the process for DomainKeys, and it supports both signing and verification for DKIM. 
You can also enable bounce and delay messages to use DomainKeys and DKIM signing.
Related Topics
DomainKeys and DKIM Authentication Workflow
Figure 22-1 Authentication Work Flow
1. Administrator (domain owner) publishes a public key into the DNS name space.
2. Administrator loads a private key in the outbound Mail Transfer Agent (MTA).
3. Email submitted by an authorized user of that domain is digitally signed with the respective private key. The signature is inserted in the email as a DomainKey or DKIM signature header and the email is transmitted.
4. Receiving MTA extracts the DomainKeys or DKIM signature from the header and the claimed sending domain (via the Sender: or From: header) from the email. The public key is retrieved from the claimed signing domain which is extracted from DomainKeys or DKIM signature header fields.
5. The public key is used to determine whether the DomainKeys or DKIM signature was generated with the appropriate private key.
To test your outgoing DomainKeys signatures, you can use a Yahoo! or Gmail address, as these services 
are free and provide validation on incoming messages that are DomainKeys signed.
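The following Python example is added here and is not from the Cisco guide or AsyncOS. It parses a DKIM-Signature header as in step 4, derives the DNS name where the public key is looked up, and compares the signing domain with the From: domain; the sample message, the selector sel1, the function names and the subdomain comparison policy are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

REQUIRED = {"v", "a", "b", "bh", "d", "h", "s"}  # mandatory tags (RFC 6376)
# Constructed sample: domains, selector, bh= and b= are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\n"
    "\ts=sel1; h=from : to : subject;\n"
    "\tbh=cGxhY2Vob2xkZXI=; b=cGxhY2\n"
    "\tVob2xkZXI=\n"
    "From: Alice <alice@mail.example.com>\n"
    "Subject: constructed test\n"
    "\nHello\n"
)

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    if value is None:
        raise ValueError("message carries no DKIM-Signature header")
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {part.strip()!r}")
        tags[name] = re.sub(r"\s+", "", val)  # drop header folding whitespace
    missing = REQUIRED - tags.keys()
    if missing:
        raise ValueError(f"missing required tags: {sorted(missing)}")
    if "from" not in tags["h"].lower().split(":"):
        raise ValueError("h= does not cover the From header")
    return tags

def inspect(raw):
    """Return (signing domain, From domain, key DNS name, domains related)."""
    msg = message_from_string(raw)
    tags = parse_tags(msg["DKIM-Signature"])
    signer = tags["d"].lower()
    author = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # The public key is published as a TXT record at <s>._domainkey.<d>.
    key_name = f"{tags['s']}._domainkey.{signer}"
    # Example policy (an assumption): From domain equals d= or is a subdomain.
    related = author == signer or author.endswith("." + signer)
    return signer, author, key_name, related

if __name__ == "__main__": print(inspect(SAMPLE))
```

The signature bytes themselves are not verified here; that is step 5 and requires the public key fetched from the derived DNS name.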
DomainKeys and DKIM Signing in AsyncOS
DomainKeys and DKIM signing in AsyncOS is implemented via domain profiles and enabled via a mail 
flow policy (typically, the outgoing “relay” policy). For more information, see the “Configuring the 
Gateway to Receive Mail” chapter. Signing the message is the last action performed by the appliance 
before the message is sent.
Domain profiles associate a domain with domain key information (signing key and related information). 
As email is sent via a mail flow policy on the appliance, sender email addresses that match any domain 
profile are DomainKeys signed with the signing key specified in the domain profile. If you enable both 
DKIM and DomainKeys signing, the DKIM signature is used. You implement DomainKeys and DKIM 
profiles via the domainkeysconfig CLI command or via the Mail Policies > Domain Profiles and the 
Mail Policies > Signing Keys pages in the GUI.