Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5      Email Authentication
DomainKeys and DKIM Signing in AsyncOS
DomainKeys and DKIM signing in AsyncOS is implemented via domain profiles and enabled via a mail flow policy (typically the outgoing "relay" policy). For more information, see the "Configuring the Gateway to Receive Mail" chapter in the Cisco IronPort AsyncOS for Email Configuration Guide.
Signing the message is the last action performed by the appliance before the message is sent.
Domain profiles associate a domain with domain key information (the signing key and related settings). As email is sent via a mail flow policy on the Cisco IronPort appliance, sender email addresses that match any domain profile are DomainKeys signed with the signing key specified in that domain profile. If you enable both DKIM and DomainKeys signing, the DKIM signature is used. You implement DomainKeys and DKIM profiles via the domainkeysconfig CLI command or via the Mail Policies > Domain Profiles and Mail Policies > Signing Keys pages in the GUI.
DomainKeys and DKIM signing work like this: the domain owner generates a key pair. The public key is published in the public DNS (as a TXT record associated with that domain), and the private key is stored on the appliance and used to sign mail that originates from that domain. Because anyone holding the private key can produce signatures that receivers will accept as the domain's own, the private key should never leave the appliance.
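The key-pair mechanics above, as an added example that is not part of this guide and not AsyncOS code: a Go program that generates the RSA key pair, renders the DNS TXT record a domain owner would publish, signs a constructed message's headers and body with the private key (RFC 6376 rsa-sha256 with simple/simple canonicalization), and verifies the result with the key parsed back out of the record. The domain example.com, the selector sel1, the message contents, and all function names are assumptions; the DNS lookup itself is omitted so the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// DNSTXTRecord renders the TXT record a domain owner publishes at <selector>._domainkey.<domain> (RFC 6376).
func DNSTXTRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// PublicKeyFromTXT parses the p= tag of such a record, as a receiver does after its DNS lookup (lookup omitted).
func PublicKeyFromTXT(txt string) (*rsa.PublicKey, error) {
	for _, tag := range strings.Split(txt, ";") {
		if kv := strings.SplitN(strings.TrimSpace(tag), "=", 2); len(kv) == 2 && kv[0] == "p" {
			der, err := base64.StdEncoding.DecodeString(kv[1])
			if err != nil {
				return nil, err
			}
			key, err := x509.ParsePKIXPublicKey(der)
			if pub, ok := key.(*rsa.PublicKey); ok && err == nil {
				return pub, nil
			}
			return nil, fmt.Errorf("p= tag is not a valid RSA key")
		}
	}
	return nil, fmt.Errorf("no p= tag in record")
}

// bodyHash is the bh= value: SHA-256 over the "simple"-canonicalized body (exactly one trailing CRLF).
func bodyHash(body string) string {
	h := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(h[:])
}

// headerDigest hashes the "simple"-canonicalized signed headers plus the DKIM-Signature header with an empty b=.
func headerDigest(headers []string, dkimHeader string) []byte {
	d := sha256.Sum256([]byte(strings.Join(headers, "\r\n") + "\r\n" + dkimHeader))
	return d[:]
}

// Sign builds the DKIM-Signature header with the appliance-side private key (d= signing domain, s= selector).
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	names := make([]string, len(headers))
	for i, h := range headers {
		names[i] = strings.TrimSpace(strings.SplitN(h, ":", 2)[0])
	}
	unsigned := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerDigest(headers, unsigned))
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks a header from Sign: bh= must match the body and b= must cover the canonicalized headers.
func Verify(pub *rsa.PublicKey, dkimHeader string, headers []string, body string) bool {
	i := strings.LastIndex(dkimHeader, "; b=") // base64 has no ';', so this is the b= tag
	if i < 0 || !strings.Contains(dkimHeader, "bh="+bodyHash(body)+";") {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(dkimHeader[i+4:])
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerDigest(headers, dkimHeader[:i+4]), sig) == nil
}

// RoundTrip: publish, sign a constructed message for the hypothetical example.com/sel1, verify, then tamper with the body.
func RoundTrip(priv *rsa.PrivateKey) (verified, tamperedAccepted bool, err error) {
	pub, err := PublicKeyFromTXT(DNSTXTRecord(&priv.PublicKey)) // receiver's view of sel1._domainkey.example.com
	if err != nil {
		return false, false, err
	}
	headers := []string{"From: alice@example.com", "To: bob@example.net", "Subject: invoice"}
	body := "Please find the invoice attached.\r\n"
	sig, err := Sign(priv, "example.com", "sel1", headers, body)
	if err != nil {
		return false, false, err
	}
	verified = Verify(pub, sig, headers, body)
	tamperedAccepted = Verify(pub, sig, headers, "Please pay into a new account instead.\r\n")
	return verified, tamperedAccepted, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the private key that stays on the appliance
	ok, tampered, err := RoundTrip(priv)
	fmt.Println("verified:", ok, "tampered body accepted:", tampered, "err:", err)
}
```

The tampered body fails because bh= no longer matches, and bh= is itself covered by the RSA signature over the DKIM-Signature header; a receiver that skipped the bh= comparison would accept a modified body, which is why Verify checks both.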
When a message is received on a listener used to send messages (outbound), the Cisco IronPort appliance checks whether any domain profiles exist. If domain profiles exist on the appliance (and are enabled for the mail flow policy), the message is scanned for a valid Sender: or From: address. For DomainKeys, the Sender: address is used if both are present; otherwise the first From: address is used. For DKIM signing, the From: address is always used. If no valid address is found, the message is not signed and the event is logged in the mail_logs.
Note
If you create both a DomainKey and DKIM profile (and enable signing on a mail flow policy), AsyncOS 
signs outgoing messages with both a DomainKeys and DKIM signature.
If a valid sending address is found, it is matched against the existing domain profiles. If a match is found, the message is signed; if not, the message is sent without signing. If the message already carries a DomainKeys signature (a "DomainKey-Signature:" header), it is signed only if a new sender address was added after the original signing. If a message already carries a DKIM signature, a new DKIM signature is added alongside it.
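The address-selection and profile-matching flow described above, modelled as an added Go example (not appliance code and not from this guide): for each scheme it picks the Sender: or From: address as the text specifies, matches that address's domain against a list of domain profiles, and produces the log line for each outcome, including the "no valid address" case. The profiles, the three messages, the domains example.com and mail.example.com, and all type and function names are constructed for the example; the signing itself and the handling of pre-existing DomainKey-Signature: and DKIM-Signature: headers are left out.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Scheme is the signature type a domain profile applies.
type Scheme string

const (
	DomainKeys Scheme = "DomainKeys"
	DKIM       Scheme = "DKIM"
)

// Profile models a domain profile: the domain it matches and the scheme it signs with
// (the signing key itself is out of scope here).
type Profile struct {
	Domain string
	Scheme Scheme
}

// Decision is the outcome for one scheme, with the line the appliance would log.
type Decision struct {
	Address string // chosen sending address, "" if none was valid
	Signed  bool
	Log     string
}

// signingAddress applies the selection rule: DomainKeys uses Sender: when present
// and otherwise the first From:; DKIM always uses the first From:.
func signingAddress(hdr mail.Header, s Scheme) (string, bool) {
	candidates := []string{"From"}
	if s == DomainKeys {
		candidates = []string{"Sender", "From"}
	}
	for _, name := range candidates {
		addrs, err := mail.ParseAddressList(hdr.Get(name)) // an absent or malformed header is an error
		if err == nil && len(addrs) > 0 {
			return strings.ToLower(addrs[0].Address), true
		}
	}
	return "", false
}

// Decide performs the check for one scheme: a valid address must exist and its domain
// must match a profile of that scheme, otherwise the message leaves unsigned.
func Decide(hdr mail.Header, profiles []Profile, s Scheme) Decision {
	addr, ok := signingAddress(hdr, s)
	if !ok {
		return Decision{Log: fmt.Sprintf("%s: no valid Sender:/From: address, message not signed", s)}
	}
	domain := addr[strings.LastIndex(addr, "@")+1:]
	for _, p := range profiles {
		if p.Scheme == s && strings.EqualFold(p.Domain, domain) {
			return Decision{Address: addr, Signed: true, Log: fmt.Sprintf("%s: %s matches profile %s, signing", s, addr, p.Domain)}
		}
	}
	return Decision{Address: addr, Log: fmt.Sprintf("%s: %s matches no profile, sent unsigned", s, addr)}
}

// Evaluate parses a raw message and returns the decision for each scheme.
func Evaluate(raw string, profiles []Profile) (map[Scheme]Decision, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	out := map[Scheme]Decision{}
	for _, s := range []Scheme{DomainKeys, DKIM} {
		out[s] = Decide(msg.Header, profiles, s)
	}
	return out, nil
}

// Constructed profiles and messages for the example; the domains are hypothetical.
var profiles = []Profile{{"example.com", DKIM}, {"mail.example.com", DomainKeys}}

const (
	msgBoth   = "From: Alice <alice@example.com>\r\nSender: relay@mail.example.com\r\nSubject: hi\r\n\r\nbody\r\n"
	msgFrom   = "From: alice@example.com\r\nSubject: hi\r\n\r\nbody\r\n"
	msgBroken = "From: not an address\r\nSubject: hi\r\n\r\nbody\r\n"
)

func main() {
	for _, raw := range []string{msgBoth, msgFrom, msgBroken} {
		d, err := Evaluate(raw, profiles)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Println(d[DomainKeys].Log)
		fmt.Println(d[DKIM].Log)
	}
}
```

The point worth noticing is that the two schemes can pick different addresses from the same message: with both headers present, DomainKeys is evaluated against the Sender: domain (mail.example.com) while DKIM is evaluated against the From: domain (example.com), so a profile set that covers only one of them signs under only one scheme.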
AsyncOS provides a mechanism for signing email based on domain, as well as a way to manage (create new or import existing) signing keys.
The configuration descriptions in this document represent the most common uses for signing and 
verification. You can also enable DomainKeys and DKIM signing on a mail flow policy for inbound 
email, or enable DKIM verification on a mail flow policy for outbound email.
Note
When you configure domain profiles and signing keys in a clustered environment, note that the Domain 
Key Profile settings and Signing Key settings are linked. Therefore, if you copy, move or delete a signing 
key, the same action is taken on the related profile.