Cisco Email Security Appliance C380 User Guide
Chapter 4 Email Authentication
4-234
Cisco IronPort AsyncOS 7.1 for Email Advanced Configuration Guide
OL-22164-02
Domain profiles associate a domain with domain key information (signing key
and related information). As email is sent via a mail flow policy on the IronPort
appliance, sender email addresses that match any domain profile are DomainKeys
signed with the signing key specified in the domain profile. If you enable both
DKIM and DomainKeys signing, the DKIM signature is used. You implement
DomainKeys and DKIM profiles via the
domainkeysconfig CLI command or via
the Mail Policies > Domain Profiles and the Mail Policies > Signing Keys pages
in the GUI.
DomainKeys and DKIM signing works like this: a domain owner generates two
keys — a public key stored in the public DNS (a DNS TXT record associated with
that domain) and a private key that is stored on the appliance is used to sign mail
that is sent (mail that originates) from that domain.
As messages are received on a listener used to send messages (outbound), the
IronPort appliance checks to see if any domain profiles exist. If there are domain
profiles created on the appliance (and implemented for the mail flow policy), the
message is scanned for a valid Sender: or From: address. If both are present, the
Sender: is used for DomainKeys. The From: address is always used for DKIM
signing. Otherwise, the first From: address is used. If a valid address is not found,
the message is not signed and the event is logged in the mail_logs.
Note
If you create both a DomainKey and DKIM profile (and enable signing on a mail
flow policy), AsyncOS signs outgoing messages with both a DomainKeys and
DKIM signature.
If a valid sending address is found, the sending address is matched against the
existing domain profiles. If a match is found, the message is signed. If not, the
message is sent without signing. If the message has an existing DomainKeys (a
“DomainKey-Signature:” header) the message is only signed if a new sender
address has been added after the original signing. If a message has an existing
DKIM signature, a new DKIM signature is added to the message.
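The address-selection and profile-matching rules in the two paragraphs above can be followed more easily as code. The model below is an added example written for this page; it is not AsyncOS code. It assumes a message is a top-to-bottom list of header (name, value) pairs, that a header appearing above an existing DomainKey-Signature header was added after that signature (the usual prepend-on-add behaviour, stated here as an assumption), and that the profile table and key names are constructed placeholders.

```python
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Constructed domain profiles: domain -> signing key name (placeholders).
PROFILES: Dict[str, str] = {"example.com": "example-key-2010"}


def valid_address(value: str) -> Optional[str]:
    """Return the bare user@domain address in a header value, or None."""
    addr = parseaddr(value)[1]
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    return addr if local and "." in domain else None


def candidate_address(headers: List[Header], scheme: str) -> Optional[str]:
    """Pick the address a scheme signs for.

    DomainKeys: Sender: when present, otherwise the first From:.
    DKIM: always the first From:.
    """
    senders = [a for n, v in headers
               if n.lower() == "sender" and (a := valid_address(v))]
    froms = [a for n, v in headers
             if n.lower() == "from" and (a := valid_address(v))]
    if scheme == "domainkeys" and senders:
        return senders[0]
    return froms[0] if froms else None


def domainkeys_needs_signature(headers: List[Header]) -> bool:
    """A message carrying DomainKey-Signature is re-signed only when a
    Sender:/From: header sits above it (assumed: added after signing)."""
    names = [n.lower() for n, _ in headers]
    if "domainkey-signature" not in names:
        return True
    sig_index = names.index("domainkey-signature")
    return any(n in ("sender", "from") for n in names[:sig_index])


def signing_decision(headers: List[Header],
                     profiles: Dict[str, str] = PROFILES
                     ) -> Tuple[Dict[str, Optional[Tuple[str, str]]], List[str]]:
    """Return ({scheme: (address, key) or None}, mail_logs-style lines)."""
    log: List[str] = []
    result: Dict[str, Optional[Tuple[str, str]]] = {}
    for scheme in ("domainkeys", "dkim"):
        addr = candidate_address(headers, scheme)
        if addr is None:
            log.append(f"{scheme}: no valid Sender: or From: address; not signed")
            result[scheme] = None
            continue
        key = profiles.get(addr.rsplit("@", 1)[1].lower())
        if key is None:
            log.append(f"{scheme}: {addr} matches no domain profile; sent unsigned")
            result[scheme] = None
            continue
        if scheme == "domainkeys" and not domainkeys_needs_signature(headers):
            log.append("domainkeys: existing signature and no new sender; not re-signed")
            result[scheme] = None
            continue
        # An existing DKIM-Signature does not block DKIM: a new one is added.
        result[scheme] = (addr, key)
    return result, log


if __name__ == "__main__":
    # Constructed message: list traffic relayed for an outside author.
    msg = [("Sender", "list@example.com"), ("From", "carol@other.org")]
    decision, mail_logs = signing_decision(msg)
    print(decision)
    print("\n".join(mail_logs))
```

Running the block prints that DomainKeys signs for list@example.com with the profile key while DKIM is skipped, because the From: domain has no profile.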
AsyncOS provides a mechanism for signing email based on domain as well as a
way to manage (create new or input existing) signing keys.
The configuration descriptions in this document represent the most common uses
for signing and verification. You can also enable DomainKeys and DKIM signing
on a mail flow policy for inbound email, or enable DKIM verification on a mail
flow policy for outbound email.