Cisco Email Security Appliance C170 User Guide

Cisco AsyncOS 9.0 for Email User Guide
 
Chapter 20      Email Authentication
  How to Verify Incoming Messages Using DKIM
DKIM Verification Checks Performed by AsyncOS
When you configure an AsyncOS appliance for DKIM verification, the following checks are performed:
Procedure 
Step 1
AsyncOS checks incoming mail for a DKIM-Signature header field and validates the syntax of the signature 
header, the values of its tags, and the presence of the required tags. If the signature fails any of these checks, AsyncOS returns a permfail.
Step 2
After the signature check is performed, the public key is retrieved from the signer's public DNS record and the 
TXT record is validated. If errors are encountered during this process (for example, no record or a record that cannot be parsed), AsyncOS returns a permfail. A 
tempfail is returned if the DNS query for the public key receives no response.
Step 3
After retrieving the public key, AsyncOS checks the hashed values and verifies the signature. If any 
failures occur during this step, AsyncOS returns a permfail.
Step 4
If the checks all pass, AsyncOS returns a pass.
Note
When the message body is longer than the body length the signature specifies (its l= tag), AsyncOS returns the following verdict: 
dkim = pass (partially verified [X bytes])
where X is the number of body bytes that were actually hashed and verified.
The final verification result is entered as an Authentication-Results header. For example, you might get 
a header that looks like one of the following:
Authentication-Results: example1.com
header.from=From:user123@example.com; dkim=pass (signature verified)
Authentication-Results: example1.com
header.from=From:user123@example.com; dkim=pass (partially verified [1000 bytes])
Authentication-Results: example1.com
header.from=From:user123@example.com; dkim=permfail (body hash did not verify)
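The four steps above, as an added example that is not AsyncOS or Cisco code: a small Python verifier that applies the checks in the same order and produces the same verdicts (permfail for syntax, key-record and hash/signature failures, tempfail when the key lookup gets no answer, pass or partial pass). The cryptography is deliberately a toy so that the block runs offline with only the standard library: textbook RSA with no padding over a modulus built from two published Mersenne primes (anyone can forge signatures under it), and a key record whose p= tag holds base64 of "n:e" rather than a DER-encoded key. The message, the stub resolver dictionary and the helper names (sign, verify, dkim_record, auth_results, TIMEOUT) are constructed for this example; use dkimpy or a comparable library for real mail.

```python
"""Toy model of the four DKIM verification steps (added example, not AsyncOS code).
Textbook RSA over SHA-256 with no PKCS#1 padding, a fixed modulus built from two
published Mersenne primes (so anyone can forge it) and a simplified key record
(p= holds base64 of "n:e") stand in for real RSA/DER so that this runs offline;
the permfail / tempfail / pass logic is the point.  Use dkimpy for real mail."""
import base64
import hashlib
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "s", "h")
TIMEOUT = object()                      # sentinel: the stub resolver got no answer
M521, M607 = (1 << 521) - 1, (1 << 607) - 1   # Mersenne primes 2^521-1 and 2^607-1

def toy_rsa_key():
    """(n, e, d); gcd(65537, phi) = 1 because 32 divides neither 520 nor 606."""
    n, e = M521 * M607, 65537
    return n, e, pow(e, -1, (M521 - 1) * (M607 - 1))

def parse_tags(value):
    """'tag=value; tag=value' -> dict, or None on a syntax error."""
    tags = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        tags[k.strip()] = "".join(v.split())     # drop folding whitespace from values
    return tags

def body_hash(body, length=None):
    """'simple' canonicalization (trailing empty lines -> one CRLF), hashed up to l= bytes.
    Returns (base64 digest, bytes hashed, total canonical bytes); ASCII bodies assumed."""
    canon = body.replace("\r\n", "\n").rstrip("\n").replace("\n", "\r\n") + "\r\n"
    hashed = canon if length is None else canon[:length]
    digest = base64.b64encode(hashlib.sha256(hashed.encode()).digest()).decode()
    return digest, len(hashed), len(canon)

def header_data(headers, sig_value):
    """Bytes the signature covers: the h= headers, then DKIM-Signature with b= blanked."""
    names = parse_tags(sig_value)["h"].split(":")
    out = "".join("%s: %s\r\n" % (h, headers.get(h.lower(), "")) for h in names)
    return (out + "dkim-signature: " + re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)).encode()

def sign(headers, body, key, domain, selector, length=None):
    """Simplified signer, used only to build test input for verify()."""
    n, _, d = key
    value = "v=1; a=rsa-sha256; d=%s; s=%s; h=from:to:subject; bh=%s" % (
        domain, selector, body_hash(body, length)[0])
    value += ("; l=%d" % length if length is not None else "") + "; b="
    digest = int.from_bytes(hashlib.sha256(header_data(headers, value)).digest(), "big")
    sig = pow(digest, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return value + base64.b64encode(sig).decode()

def dkim_record(key):
    """TXT record for selector._domainkey.domain (simplified p= encoding, see above)."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(("%d:%d" % key[:2]).encode()).decode()

def verify(headers, body, dns):
    """Run the checks in the order the four steps describe.  Returns (verdict, reason)."""
    sig = headers.get("dkim-signature")
    if sig is None:
        return "none", "message not signed"
    tags = parse_tags(sig)                                     # Step 1: syntax and tags
    if tags is None:
        return "permfail", "signature syntax error"
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return "permfail", "missing required tag %s=" % missing[0]
    try:
        sig_int = int.from_bytes(base64.b64decode(tags["b"], validate=True), "big")
        if tags["v"] != "1" or tags["a"] != "rsa-sha256" or int(tags.get("l", 0)) < 0:
            raise ValueError
    except ValueError:
        return "permfail", "invalid tag value"
    name = "%s._domainkey.%s" % (tags["s"], tags["d"])        # Step 2: key record lookup
    txt = dns.get(name)
    if txt is TIMEOUT:
        return "tempfail", "DNS query for %s got no response" % name
    rec = parse_tags(txt) if txt else None
    if not rec or rec.get("v", "DKIM1") != "DKIM1" or not rec.get("p"):
        return "permfail", "no valid key record at %s" % name
    try:
        n, e = (int(x) for x in base64.b64decode(rec["p"]).decode().split(":"))
    except ValueError:
        return "permfail", "key record could not be decoded"
    length = int(tags["l"]) if "l" in tags else None           # Step 3: hashes, signature
    bh, hashed, total = body_hash(body, length)
    if bh != tags["bh"]:
        return "permfail", "body hash did not verify"
    digest = int.from_bytes(hashlib.sha256(header_data(headers, sig)).digest(), "big")
    if pow(sig_int, e, n) != digest:
        return "permfail", "signature did not verify"
    if length is not None and total > length:                  # Step 4: pass, maybe partial
        return "pass", "partially verified [%d bytes]" % hashed
    return "pass", "signature verified"

def auth_results(authserv, sender, verdict, reason):
    """One-line Authentication-Results header in the shape shown above."""
    return "Authentication-Results: %s; header.from=%s; dkim=%s (%s)" % (authserv, sender, verdict, reason)
```

To exercise it, build a headers dict with lowercase names and a body, call sign() with toy_rsa_key() and attach the result as the dkim-signature header, then call verify(headers, body, dns) where dns maps selector._domainkey.domain names to TXT strings or to TIMEOUT. Appending text to a body signed with length=10 yields ("pass", "partially verified [10 bytes]"), the same append against an unlimited signature yields ("permfail", "body hash did not verify"), and a signature whose selector record times out is reported tempfail before the body hash is ever computed, because the steps run in the fixed order above.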
Note
Current DKIM verification stops at the first valid signature. It is not possible to verify using the last 
signature encountered. This functionality may be available in a later release.
Managing DKIM Verification Profiles
A DKIM verification profile is a list of parameters that the Email Security appliance’s mail flow policies 
use for verifying DKIM signatures. For example, you can create two verification profiles, one that allows 
30 seconds before a query times out and a second that allows only 3 seconds before a query times out. 
You can assign the second verification profile to the Throttled mail flow policy to prevent connection 
starvation in case of a DDoS. A verification profile consists of the following information: