User Guide for the Cisco Email Security Appliance C170
5-2
Cisco IronPort AsyncOS 7.6 for Email Advanced Configuration Guide
OL-25137-01
Chapter 5      Email Authentication
SPF and SIDF email authentication allow the owners of Internet domains to use a special format of DNS TXT records to specify which machines are authorized to transmit email for their domains. Compliant mail receivers then use the published SPF records to test the authorization of the sending Mail Transfer Agent's identity during a mail transaction. For more information about SPF and SIDF, see
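The receiver-side check described above, worked through as an added example (not AsyncOS or Cisco code): the domain owner's TXT record is looked up by the domain the sender claims, and each mechanism is tested against the connecting IP in order until one matches. The records are constructed and held in an in-memory map standing in for DNS; only the ip4, ip6 and all mechanisms are implemented, and the include, a, mx and redirect terms and the DNS lookup limit of RFC 7208 are deliberately left out, so a record using them yields permerror here.

```go
package main

import (
	"net"
	"strings"
)

// Constructed SPF records keyed by domain (stand-in for a DNS TXT lookup).
var spfRecords = map[string]string{
	"example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
	"soft.test":   "v=spf1 ip4:203.0.113.5 ~all",
	"nospf.test":  "", // domain that publishes no SPF record
}

// spfResults maps a mechanism qualifier to the SPF result it produces on match.
var spfResults = map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

// checkSPF evaluates the record published for domain against the connecting
// address ip and returns one of pass, fail, softfail, neutral, none or permerror.
func checkSPF(domain string, ip net.IP) string {
	record, ok := spfRecords[domain]
	if !ok || !strings.HasPrefix(record, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(record)[1:] {
		qualifier := "+" // an unqualified mechanism means "pass" on match
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		matched := false
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:") || strings.HasPrefix(term, "ip6:"):
			matched = addressMatch(term[4:], ip)
		default:
			return "permerror" // mechanism this simplified evaluator does not implement
		}
		if matched {
			return spfResults[qualifier]
		}
	}
	return "neutral" // no mechanism matched and the record has no "all" term
}

// addressMatch accepts either a single address or a CIDR prefix.
func addressMatch(spec string, ip net.IP) bool {
	if !strings.Contains(spec, "/") {
		return net.ParseIP(spec).Equal(ip)
	}
	_, network, err := net.ParseCIDR(spec)
	return err == nil && network.Contains(ip)
}

func main() {
	for _, c := range []struct {
		domain, ip string
	}{{"example.com", "192.0.2.10"}, {"example.com", "198.51.100.7"}, {"soft.test", "203.0.113.6"}} {
		println(c.domain, c.ip, checkSPF(c.domain, net.ParseIP(c.ip)))
	}
}
```

A fail result only tells the receiver that the connecting host is not authorized for the claimed domain; what to do with such a message (reject, quarantine, tag) is policy that the receiver configures separately.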
DomainKeys and DKIM Authentication: Overview
AsyncOS supports DomainKeys and DKIM authentication to prevent email forgery. DomainKeys and DKIM are mechanisms used to verify that the source of the email and the contents of the message were not altered during transit. DKIM combines the DomainKeys specification with aspects of Identified Internet Mail into an enhanced protocol called DomainKeys Identified Mail (DKIM). DomainKeys and DKIM consist of two main parts: signing and verification. The current version of AsyncOS supports the "signing" half of the process for DomainKeys, and it supports both signing and verification for DKIM. You can also enable bounce and delay messages to use DomainKeys and DKIM signing.
When you use DomainKeys or DKIM authentication, the sender signs the email using public key cryptography. The verified domain can then be used to detect forgeries by comparing it with the domain in the From: (or Sender:) header of the email.
Figure 5-1    Authentication Work Flow
Step 1    Administrator (domain owner) publishes a public key into the DNS name space.
Step 2    Administrator loads a private key in the outbound Mail Transfer Agent (MTA).
Step 3    Email submitted by an authorized user of that domain is digitally signed with the respective private key. The signature is inserted in the email as a DomainKey or DKIM signature header and the email is transmitted.
Step 4    Receiving MTA extracts the DomainKeys or DKIM signature from the header and the claimed sending domain (via the Sender: or From: header) from the email. The public key is retrieved from the claimed signing domain, which is extracted from the DomainKeys or DKIM signature header fields.
Step 5    The public key is used to determine whether the DomainKeys or DKIM signature was generated with the appropriate private key.
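The five steps above carried through end to end, as an added example that is not AsyncOS or Cisco code. It assumes an in-memory map in place of DNS, a selector sel1 and domain example.com that are constructed for the illustration, a simplified signing input (a plain header-plus-body string instead of the RFC 6376 canonicalization and separate body hash a real DKIM implementation uses), and a From: header that carries a bare address. The verifier also performs the comparison the text describes between the signing domain and the From: domain, so that a valid signature from an unrelated domain does not vouch for a forged sender.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Illustration of the guide's five-step DomainKeys/DKIM workflow; not AsyncOS code.
// Assumed simplifications: DNS is the in-memory map below, the signed input is a plain
// header+body string (real DKIM applies RFC 6376 canonicalization and a separate body
// hash), and From: carries a bare address such as alice@example.com.
var dnsTXT = map[string]string{} // constructed stand-in for the DNS name space

// Step 1: the domain owner publishes the public key at <selector>._domainkey.<domain>.
func publishKey(selector, domain string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return nil
}

// signedData is the byte string both MTAs hash (simplified canonical form).
func signedData(from, subject, body string) []byte {
	return []byte("from:" + from + "\r\nsubject:" + subject + "\r\n" + body)
}

// Step 2 is loading priv into the outbound MTA; Step 3: that MTA signs the
// message and emits a DKIM-Signature-style header value.
func signMessage(priv *rsa.PrivateKey, selector, domain, from, subject, body string) (string, error) {
	digest := sha256.Sum256(signedData(from, subject, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=from:subject; b=%s",
		domain, selector, base64.StdEncoding.EncodeToString(sig)), nil
}

// parseTags splits the "k=v; k=v" syntax shared by the header and the DNS record.
func parseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return tags
}

// Steps 4 and 5 on the receiving MTA: take d= and s= from the signature, fetch the
// published key, verify the signature, then compare the signing domain with the From:
// domain so a valid signature from an unrelated domain cannot vouch for a forged From:.
func verifyMessage(dkimHeader, from, subject, body string) error {
	tags := parseTags(dkimHeader)
	record, ok := dnsTXT[tags["s"]+"._domainkey."+tags["d"]]
	if !ok {
		return fmt.Errorf("no DKIM key published for %q", tags["d"])
	}
	der, err := base64.StdEncoding.DecodeString(parseTags(record)["p"])
	if err != nil {
		return err
	}
	key, err := x509.ParsePKIXPublicKey(der)
	pub, _ := key.(*rsa.PublicKey)
	if err != nil || pub == nil {
		return errors.New("published key is not a usable RSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return err
	}
	digest := sha256.Sum256(signedData(from, subject, body))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	if _, fromDomain, _ := strings.Cut(from, "@"); !strings.EqualFold(fromDomain, tags["d"]) {
		return fmt.Errorf("signing domain %q does not match From: domain %q", tags["d"], fromDomain)
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	_ = publishKey("sel1", "example.com", &priv.PublicKey)
	from, subj, body := "alice@example.com", "Invoice", "Please see the attached invoice.\r\n"
	hdr, _ := signMessage(priv, "sel1", "example.com", from, subj, body)
	fmt.Println("original:", verifyMessage(hdr, from, subj, body))
	fmt.Println("tampered:", verifyMessage(hdr, from, subj, "Wire the funds today.\r\n"))
}
```

The private key never leaves the signing side: the receiver needs only the DNS record, which is why the workflow starts with publishing the public key and why a change to the selector's record invalidates signatures already in transit until the new key is visible.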
To test your outgoing DomainKeys signatures, you can use a Yahoo! or Gmail address, as these services are free and provide validation on incoming messages that are DomainKeys signed.