Cisco Email Security Appliance C170 User Guide

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
 
Chapter 20      Email Authentication
  Configuring DomainKeys and DKIM Signing
When a message is received on a listener used to send messages (outbound), the appliance checks whether 
any domain profiles exist. If domain profiles have been created on the appliance (and implemented for the 
mail flow policy), the message is scanned for a valid Sender: or From: address. If both are present, the 
Sender: address is used for DomainKeys. The From: address is always used for DKIM signing. Otherwise, the 
first From: address is used. If a valid address is not found, the message is not signed and the event is 
logged in the mail_logs.
Note
If you create both a DomainKey and DKIM profile (and enable signing on a mail flow policy), AsyncOS 
signs outgoing messages with both a DomainKeys and DKIM signature.
If a valid sending address is found, it is matched against the existing domain profiles. 
If a match is found, the message is signed. If not, the message is sent without signing. If the message has 
an existing DomainKeys signature (a “DomainKey-Signature:” header), the message is signed only if a new 
sender address has been added after the original signing. If a message has an existing DKIM signature, a new 
DKIM signature is added to the message.
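The selection and matching rules above can be traced with a short script. This is an added example, not AsyncOS code: the profile table, the address validity check, and the test for a "new sender address" (a Sender: header sitting above the existing DomainKey-Signature: header) are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Hypothetical stand-in for the appliance's domain profiles (domain -> profile).
PROFILES = {"example.com": "example-profile"}

# Constructed sample: both Sender: and From: present, in different domains.
SAMPLE = "Sender: relay@example.com\nFrom: alice@partner.test\nSubject: hi\n\nbody\n"

def first_valid(msg, header):
    """Return the first syntactically plausible address in `header`, or None."""
    for _name, addr in getaddresses(msg.get_all(header, [])):
        local, _, domain = addr.rpartition("@")
        if local and "." in domain:
            return addr.lower()
    return None

def signing_address(msg, scheme):
    """Select the address each scheme signs for, as the text describes."""
    sender, from_ = first_valid(msg, "Sender"), first_valid(msg, "From")
    if scheme == "domainkeys" and sender and from_:
        return sender   # both present: Sender: is used for DomainKeys
    return from_        # DKIM always uses From:; otherwise the first From:

def sender_added_after_signing(msg):
    """Assumption: a Sender: above DomainKey-Signature: was added after signing."""
    names = [k.lower() for k in msg.keys()]
    return "sender" in names and names.index("sender") < names.index("domainkey-signature")

def decide(raw, scheme, profiles=PROFILES):
    """Return the signing decision for one raw message and one scheme."""
    msg = message_from_string(raw)
    addr = signing_address(msg, scheme)
    if addr is None:
        return "unsigned: no valid address"      # the appliance logs this in mail_logs
    if addr.rpartition("@")[2] not in profiles:
        return "unsigned: no matching profile"
    if (scheme == "domainkeys" and "DomainKey-Signature" in msg
            and not sender_added_after_signing(msg)):
        return "unsigned: already DomainKeys-signed"
    return f"sign as {addr}"                     # an existing DKIM signature does not block

if __name__ == "__main__":
    for scheme in ("domainkeys", "dkim"):
        print(scheme, "->", decide(SAMPLE, scheme))
```

With the constructed sample, the same message is signed for DomainKeys (the Sender: domain has a profile) but sent unsigned for DKIM (the From: domain does not), which is the case to check when a profile covers only the relay's domain.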
AsyncOS provides a mechanism for signing email based on domain as well as a way to manage (create 
new or input existing) signing keys.
The configuration descriptions in this document represent the most common uses for signing and 
verification. You can also enable DomainKeys and DKIM signing on a mail flow policy for inbound 
email, or enable DKIM verification on a mail flow policy for outbound email.
Note
When you configure domain profiles and signing keys in a clustered environment, note that the Domain 
Key Profile settings and Signing Key settings are linked. Therefore, if you copy, move or delete a signing 
key, the same action is taken on the related profile. 
Configuring DomainKeys and DKIM Signing
Signing Keys
A signing key is the private key stored on the appliance. When creating a signing key, you specify a key 
size. Larger key sizes are more secure; however, larger keys also can impact performance. The appliance 
supports keys from 512 bits up to 2048 bits. The 768 - 1024 bit key sizes are considered secure and used 
by most senders today. Keys based on larger key sizes can impact performance and are not supported 
above 2048 bits. For more information about creating signing keys, see