DKIM Signing
DomainKeys Identified Mail (DKIM) is an authentication method designed to protect recipients from spoofed messages. DKIM authenticates the message sender address and message body to provide validation that the sender has not been forged and that the message has not been altered.
When DKIM signing is enabled, the cloud service signs outgoing messages from specified sender domains/subdomains with a private key, adding a DKIM-Signature header. Recipient servers can use the information in this header to perform a DNS lookup. The DNS response provides the Forcepoint public key, which can be used to verify the signature in the header and authenticate the message.
A DKIM signing rule defines which of your sender domains/subdomains to protect with a specified signing domain. Granular sender/recipient options can be applied, to include or exclude specific sender addresses, or sender/recipient combinations.
Note: a single signing domain can be used by multiple rules to validate different sender subdomains. A sender domain/subdomain can only be signed by one signing domain, and consequently can only be added to one rule.
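To confirm which signing domain a delivered message was signed with, and which DNS name a recipient server looks up for the public key, the DKIM-Signature header can be parsed as in the following added example. It is not Forcepoint code; the header, the domain example.com and the selector sel1 are constructed placeholder values.

```python
import re

# Constructed sample header (not from the page); example.com and the
# selector "sel1" are placeholder values.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=sel1; h=from:to:subject:date;\r\n"
    "\tbh=Y29uc3RydWN0ZWQtYm9keS1oYXNo;\r\n"
    "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl"
)

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")  # required by RFC 6376


def parse_dkim_signature(header):
    """Return the tag=value pairs of a DKIM-Signature header as a dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue  # a trailing ';' is allowed
        tag, sep, val = item.partition("=")
        tag = tag.strip()
        if not sep or tag in tags:
            raise ValueError("malformed or duplicate tag: %r" % item.strip())
        # Whitespace inside base64 values (b, bh) is folding, not data.
        tags[tag] = re.sub(r"\s+", "", val) if tag in ("b", "bh") else val.strip()
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("missing required tags: " + ", ".join(missing))
    return tags


def key_record_name(tags):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"].lower())


def signed_by(header, signing_domain):
    """True if the header's d= tag names the expected signing domain."""
    return parse_dkim_signature(header)["d"].lower() == signing_domain.lower()


if __name__ == "__main__":
    print(key_record_name(parse_dkim_signature(SAMPLE_HEADER)))
```

The name returned by key_record_name is the one to query with a DNS tool when checking that the record published for the signing domain resolves.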
 
Adding a DKIM signing rule
To add a DKIM signing rule:
1. Navigate to Email > Policies > [policy name] > Antispoofing tab.
2.
3. On the Add DKIM Signing Rule page, enter a rule name.
4.
   Note: sender domains/subdomains can appear in only one signing rule.
5.
6. Optionally, select Enable granular DKIM sender/recipient options to include or exclude specific senders, or sender/recipient combinations. Otherwise, click Submit.
7.
   * Sign messages from these addresses to sign messages from specific addresses, or
   * Do not sign messages from these addresses to sign messages from all senders within your sender domains except specific addresses.
8.
   Note: this field is required when granular sender/recipient options are enabled.
9.
   * When Sign messages from these addresses is selected, only messages from a specified sender address to any of the entered recipient addresses will be signed.
   * When Do not sign messages from these addresses is selected, messages from all addresses within your sender domains will be signed, except for messages that are from a specified sender address to any of the specified recipient addresses.
10. Click Submit.
Once you have added a signing rule, the service checks the CNAME records for your signing domain. If the CNAME record check fails, an error message is shown. A rule cannot be enabled until the CNAME record check has passed.
Enabling a DKIM signing rule
DKIM signing rules are initially set to OFF. In order to enable a DKIM signing rule, the signing domain must have passed a CNAME record check.
Enable a DKIM signing rule on the Email > Policies > [policy name] > Antispoofing tab, under DKIM Signing.
To enable a rule:
*
* Once you have published the CNAME record, click Recheck to perform the check again.
To disable a rule, toggle the State switch to OFF, then click Save.
Editing a DKIM signing rule
Click the name of the rule in the DKIM Signing table to edit the sender domains/subdomains or signing domain for the rule, or to make changes to the granular sender/recipient options.
For more information on the configuration options for DKIM signing, see Adding a DKIM signing rule.
To delete a rule, click the rule name in the DKIM Signing table to open the Edit DKIM Signing Rule page. Click Delete to remove the rule.

Copyright 2022 Forcepoint. All rights reserved.