Cisco Email Security Appliance C160 User Guide
Cisco AsyncOS 9.5 for Email User Guide
Chapter 21 Email Authentication
DomainKeys and DKIM Authentication
DomainKeys and DKIM Authentication Workflow
Figure 21-1 Authentication Work Flow
1. Administrator (domain owner) publishes a public key into the DNS name space.
2. Administrator loads a private key in the outbound Mail Transfer Agent (MTA).
3. Email submitted by an authorized user of that domain is digitally signed with the respective private key. The signature is inserted in the email as a DomainKey or DKIM signature header and the email is transmitted.
4. Receiving MTA extracts the DomainKeys or DKIM signature from the header and the claimed sending domain (via the Sender: or From: header) from the email. The public key is retrieved from the claimed signing domain which is extracted from DomainKeys or DKIM signature header fields.
5. The public key is used to determine whether the DomainKeys or DKIM signature was generated with the appropriate private key.
To test your outgoing DomainKeys signatures, you can use a Yahoo! or Gmail address, as these services are free and provide validation on incoming messages that are DomainKeys signed.
DomainKeys and DKIM Signing in AsyncOS
DomainKeys and DKIM signing in AsyncOS is implemented via domain profiles and enabled via a mail flow policy (typically, the outgoing “relay” policy). For more information, see the “Configuring the Gateway to Receive Mail” chapter. Signing the message is the last action performed by the appliance before the message is sent.
Domain profiles associate a domain with domain key information (signing key and related information). As email is sent via a mail flow policy on the appliance, sender email addresses that match any domain profile are DomainKeys signed with the signing key specified in the domain profile. If you enable both DKIM and DomainKeys signing, the DKIM signature is used. You implement DomainKeys and DKIM profiles via the domainkeysconfig CLI command or via the Mail Policies > Domain Profiles and the Mail Policies > Signing Keys pages in the GUI.
DomainKeys and DKIM signing works like this: a domain owner generates two keys, a public key stored in the public DNS (a DNS TXT record associated with that domain) and a private key, stored on the appliance, that is used to sign mail that is sent (mail that originates) from that domain.
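The five-step workflow in Figure 21-1 and the key pair described just above, worked through end to end as an added example (this is not Cisco code and not part of the AsyncOS guide): one Go program plays the domain owner, the outbound MTA and the receiving MTA. The domain `example.com`, the selector `sel1`, the message and the in-memory `dns` map are all constructed for the example, and header canonicalization is deliberately simplified relative to RFC 6376, so this is a model of the workflow rather than an interoperable DKIM implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal mail message: header name -> value, plus the body.
type Message struct {
	Headers map[string]string
	Body    string
}

// dns stands in for the public DNS of step 1 (constructed, in memory), keyed "<selector>._domainkey.<domain>".
var dns = map[string]string{}

// signedHeaders lists the header fields covered by the signature, in h= order.
var signedHeaders = []string{"From", "To", "Subject"}

// PublishKey is step 1: the domain owner publishes "v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>".
func PublishKey(domain, selector string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	dns[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// headerHash builds the signed data: covered headers in "simple" form, then the DKIM-Signature field
// with an empty b= and no trailing CRLF (simplification: RFC 6376 canonicalization is omitted).
func headerHash(m Message, dkimField string) []byte {
	var sb strings.Builder
	for _, n := range signedHeaders {
		sb.WriteString(n + ": " + m.Headers[n] + "\r\n")
	}
	sb.WriteString("DKIM-Signature: " + dkimField)
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// Sign is step 3 on the outbound MTA: insert a DKIM-Signature header made with the private key of step 2.
func Sign(m Message, domain, selector string, priv *rsa.PrivateKey) error {
	bodySum := sha256.Sum256([]byte(m.Body))
	field := fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector,
		strings.ToLower(strings.Join(signedHeaders, ":")), base64.StdEncoding.EncodeToString(bodySum[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(m, field))
	if err != nil {
		return err
	}
	m.Headers["DKIM-Signature"] = field + base64.StdEncoding.EncodeToString(sig)
	return nil
}

// tags parses a "k=v; k=v" tag list; the same syntax serves the signature header and the TXT record.
func tags(field string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(field, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			out[k] = strings.TrimSpace(v)
		}
	}
	return out
}

// Verify is steps 4 and 5 on the receiving MTA: take d= and s= from the signature, fetch the public
// key from DNS, then check the body hash and the signature over the covered headers.
func Verify(m Message) error {
	field := m.Headers["DKIM-Signature"]
	t := tags(field)
	rec, ok := dns[t["s"]+"._domainkey."+t["d"]]
	if field == "" || !ok {
		return fmt.Errorf("unsigned message or no DKIM record for d=%q s=%q", t["d"], t["s"])
	}
	der, err := base64.StdEncoding.DecodeString(tags(rec)["p"])
	key, perr := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	sig, serr := base64.StdEncoding.DecodeString(t["b"])
	if err != nil || perr != nil || !isRSA || serr != nil {
		return fmt.Errorf("p= is not a valid RSA public key or b= is not valid base64")
	}
	bodySum := sha256.Sum256([]byte(m.Body))
	if base64.StdEncoding.EncodeToString(bodySum[:]) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	unsigned := field[:strings.LastIndex(field, "; b=")+4] // the signer hashed the field with b= empty
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(m, unsigned), sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // error only if the system RNG fails
	PublishKey("example.com", "sel1", &priv.PublicKey)
	msg := Message{Headers: map[string]string{"From": "alice@example.com", "To": "bob@example.net", "Subject": "Hello"}, Body: "Hi Bob\r\n"}
	fmt.Println("sign:", Sign(msg, "example.com", "sel1", priv), "verify:", Verify(msg))
	msg.Body = "Hi Bob, please wire the funds\r\n"
	fmt.Println("tampered:", Verify(msg))
}
```

Two details match what the appliance does: the private key is used only in `Sign` (it never leaves the signing side, which corresponds to loading it on the outbound MTA), and the receiver trusts nothing in the message itself beyond the `d=`/`s=` tags it uses to locate the public key in DNS. A body edit after signing fails on the `bh=` check before any signature mathematics runs, and an edit to a covered header such as Subject fails the RSA verification; a missing or mistyped selector yields a DNS lookup failure, which is the same symptom you would see if the TXT record of step 1 was never published.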