Cisco Email Security Appliance C160 User Guide
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 29 FIPS Management
Managing Keys for DKIM Signing and Verification
DKIM Signing
When creating a DKIM signing key, you specify a key size. Email Security appliances in FIPS mode
support only a 2048-bit key size. Larger key sizes are more secure; however, larger keys can have an
impact on performance.
The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys in use. It
displays an error message instead.
FIPS-compliant signing keys are available for use in domain profiles and appear in the Signing Key list
when creating or editing a domain profile using the Mail Policies > Domain Profiles page. Once you
have associated a signing key with a domain profile, you can create a DNS text record that contains your
public key. You do this via the Generate link in the DNS Text Record column in the domain profile listing
(or via
domainkeysconfig -> profiles -> dnstxt
in the CLI).
DKIM Verification
The appliance requires a message to use a FIPS-compliant key in order to verify a DKIM signature. If
the signature does not use a FIPS-compliant key, the appliance returns a permanent failure.
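
One way to check the key size carried in a DKIM DNS text record, whether it is one generated for a domain profile or one published by a sending domain, is to decode the record's p= tag and measure the RSA modulus. This is an added example, not code from the Cisco guide; the function names are hypothetical, and the sample records are constructed from a placeholder modulus that is not a usable key.

```python
import base64

def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + value

def _read_tlv(buf, pos, tag):
    """Decode the DER TLV at pos; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER structure")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def dkim_rsa_key_bits(txt_record):
    """Return the RSA modulus size, in bits, of a DKIM key record's p= tag."""
    parts = (item.partition("=") for item in txt_record.split(";"))
    tags = {k.strip(): v.strip() for k, _, v in parts if k.strip()}
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key record")
    p = "".join(tags.get("p", "").split())
    if not p:
        raise ValueError("empty p= tag (revoked key)")
    spki, _ = _read_tlv(base64.b64decode(p), 0, 0x30)   # SubjectPublicKeyInfo
    _, pos = _read_tlv(spki, 0, 0x30)                    # AlgorithmIdentifier
    bits, _ = _read_tlv(spki, pos, 0x03)                 # BIT STRING
    rsa_key, _ = _read_tlv(bits[1:], 0, 0x30)            # RSAPublicKey (after unused-bits byte)
    modulus, _ = _read_tlv(rsa_key, 0, 0x02)             # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def sample_record(bits):
    """Constructed record with a placeholder modulus; not a usable key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _tlv(0x30, _tlv(0x02, b"\x00" + n) + _tlv(0x02, b"\x01\x00\x01"))
    alg = _tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for size in (1024, 2048):
        found = dkim_rsa_key_bits(sample_record(size))
        print(size, "->", found, "2048-bit" if found == 2048 else "not 2048-bit")
```

A record that reports anything other than 2048 bits identifies a key to replace before the appliance is switched to FIPS mode.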