DomainKeys Identified Mail (DKIM) integration
Administrator Help | Forcepoint Email Security | Version 8.5.x
The DomainKeys Identified Mail (DKIM) functionality provides an email authentication method to help ensure that a message is not modified while it is in transit from an organization's protected domains. The implementation depends on a set of keys (private and public), which a recipient domain can use to verify the sender domain. DKIM settings are configured on the page Settings > Inbound/Outbound > DKIM Settings.
A DKIM integration has the following components:
*
*
For the signing element, a private key resides in the mail transfer agent, providing a digital signature that is added to the header of each message sent from a protected domain. A public key is generated and published in the DNS as a text record that is used by a recipient mail system in the verification process.
A signing rule associates specified sender domains with a private and public key set.
Configuring a DKIM signing key
A signing key provides a digital signature for email sent from your protected domains. You may create a signing (private) key, import a key from a local directory, or export a key to a local directory.
The signing keys table includes the following information about each key:
Configure the number of entries per page
*
From the pull-down menu Per page, select the number of signing key entries per page, between 25 and 100.
Search entries by keyword
1.
2.
Click Search.
Search results display in the section DKIM Signing Keys.
3.
The search field clears and all DKIM signing keys display.
Adding a key
Use the following steps to create a DKIM signing key on the page Settings > Inbound/Outbound > DKIM Settings:
1.
The Add Signing Key page displays.
2.
In the text field Key name, enter a name for your key.
3.
*
This is the default. The only option for key length is 1024 bits. See this Knowledge Base article to increase key length to 2048.
*
Paste the key in the entry box.
4.
The key is saved and displays in the section DKIM Signing Keys.
Deleting a key
*
The key is deleted. A key cannot be deleted if it is currently in use by a signing rule.
Editing a key
1.
The Edit Signing Key page displays. The current private key displays in the text field.
2.
A new key is generated and displays in the text field. The only option for key length is 1024 bits. See this Knowledge Base article to increase key length to 2048.
3.
The key is saved and displays in the section DKIM Signing Keys.
Importing or exporting a key
DKIM signing keys can be imported and exported on the page Settings > Inbound/Outbound > DKIM Settings.
Import a DKIM signing key
1.
The Import Key dialog box displays.
2.
Click Browse and navigate to the desired key file.
3.
Click Open.
The Import Key dialog box displays.
4.
The key is imported. Duplicate key files cannot be imported.
Export a DKIM signing key
1.
A dialog box displays.
2.
The key is exported.
Creating a DKIM signing rule
A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time. Signing rules are configured on the page Settings > Inbound/Outbound > DKIM Settings.
The signing rules table includes the following information about each rule:
Configure the number of entries per page
*
From the pull-down menu Per page, select the number of signing rule entries per page, between 25 and 100.
Search entries by keyword
1.
2.
Click Search.
Search results display in the section DKIM Signing Rules.
3.
The search field clears and all DKIM signing rules display.
Adding a signing rule
Use the following steps to create a DKIM signing rule on the page Settings > Inbound/Outbound > DKIM Settings:
1.
The Add Signing Rule page displays.
2.
In the text field Rule name, enter a name for your rule.
3.
4.
(Optional) Include the identity of the user or agent for whom the message is signed; mark the check box Include user identifier.
5.
(Optional) In the text field User identifier, enter the user identifier.
This field is not enabled if the check box Include user identifier is not marked.
6.
In the text field Selector, enter the domain name selector.
A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.
7.
From the pull-down menu Signing key, select the signing key to associate with this rule from the list of existing keys.
8.
Click Advanced Options.
A box displays with additional optional rule settings:
*
From the pull-down menu Algorithm, select a signing algorithm.
Options include RSA-SHA-1 or RSA-SHA-256. The default is RSA-SHA-1.
*
The canonicalization process normalizes a message header and body into a fixed form before the email is signed. Canonicalization is required because email processing may introduce minor changes to a message that would otherwise invalidate the signature.
The following header and body changes are made, based on the selection of Simple or Relaxed:
*
*
In the field Additional headers, include other headers as a comma-separated list.
*
For the latter selection, enter the maximum number of Kbytes to be signed. The default is 1024.
*
*
t lets you add a signature creation timestamp.
*
x lets you specify a signature expiration time in seconds.
The default is 3600 seconds.
*
z adds the list of signed header fields to the signature.
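The canonicalization and body-length options above, as an added example that is not part of Forcepoint's product or this help page: the Simple and Relaxed algorithms of RFC 6376 applied to a constructed header and body, the cap taken from the Kbytes setting (the DKIM l= tag), and the resulting bh= body hash. The function names and sample message are my own.

```python
import base64
import hashlib
import re
from typing import Optional

# Added example, not Forcepoint's code: the Simple and Relaxed canonicalization
# algorithms of RFC 6376 (sections 3.4.1 to 3.4.4) that the rule option selects,
# the body-length cap (the DKIM l= tag) and the bh= value computed from them.

def canon_header(name: bytes, value: bytes, mode: str) -> bytes:
    """Return one header field in the form that is fed to the signature hash."""
    if mode == "simple":
        # Simple: the field is used exactly as it appears in the message.
        return name + b":" + value + b"\r\n"
    # Relaxed: lower-case the name, unfold continuation lines, collapse runs of
    # whitespace to one space, trim both ends and leave no space around ':'.
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", value)
    squeezed = re.sub(rb"[ \t]+", b" ", unfolded).strip(b" \t")
    return name.lower() + b":" + squeezed + b"\r\n"

def canon_body(body: bytes, mode: str, limit_kbytes: Optional[int] = None) -> bytes:
    """Canonicalize the body; with a limit, keep only the first limit_kbytes KB,
    which is the octet count the signature's l= tag then declares as covered."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Relaxed: drop trailing whitespace, reduce inner whitespace runs to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # both modes ignore empty lines at the end of the body
    if not lines:
        # An empty body is a lone CRLF under simple and zero octets under relaxed.
        return b"\r\n" if mode == "simple" else b""
    out = b"\r\n".join(lines) + b"\r\n"  # a missing final CRLF is added
    return out if limit_kbytes is None else out[: limit_kbytes * 1024]

def body_hash(body: bytes, mode: str, algorithm: str = "rsa-sha256",
              limit_kbytes: Optional[int] = None) -> str:
    """bh= value: base64 of the digest over the canonicalized (and capped) body.
    rsa-sha1 is accepted only because the menu offers it; RFC 8301 removed it."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    canon = canon_body(body, mode, limit_kbytes)
    return base64.b64encode(digest(canon).digest()).decode()

if __name__ == "__main__":
    # Constructed sample message, run through both modes.
    sample = b"Hello   world \t\r\nsecond line\r\n\r\n\r\n"
    for mode in ("simple", "relaxed"):
        print(mode, canon_header(b"Subject", b" Quarterly\r\n\treport ", mode))
        print(mode, body_hash(sample, mode))
```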
9.
From the pull-down menu Signing rule options, select either Sign email messages or Do not sign email messages.
Next, create a list of email addresses to which this option applies.
*
For example, if you select Sign email messages, then email from the addresses in the list is signed. Email from other addresses is not signed.
*
If you select Do not sign email messages, then email from the addresses in the list is not signed, and email from all other users is signed.
Remove an email address from the list by selecting it and clicking Remove.
10.
The settings are saved.
Importing or exporting a rule
DKIM signing rules can be imported or exported on the page Settings > Inbound/Outbound > DKIM Settings.
Import a DKIM signing rule
1.
The Import Rule dialog box displays.
2.
Click Browse and navigate to the desired key rule file.
3.
Click Open.
4.
The key rule is imported. Duplicate key rule files cannot be imported.
Export a DKIM signing rule
1.
A dialog box displays.
2.
The rule is exported.
Generating a DNS text record (public key)
Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears.
View a public key by clicking View in the Public Key column of the DKIM Signing Keys table for the corresponding private key.
Testing a rule
Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup query. You receive confirmation of success or failure when the test is complete.
You must have performed a successful rule test before a rule can be enabled.
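An added example, not Forcepoint's code, tying together the selector (step 6 of Adding a signing rule), the DNS text record and the rule test: it builds the DNS name the test queries, checks a constructed published record the way a verifier would (including one that arrives split into several TXT strings, as a 2048-bit key normally does), and applies the t= and x= tags from the advanced options. All function names and sample values are my own.

```python
import base64
import re

# Added example, not Forcepoint's code. RFC 6376 uses one tag=value syntax for
# both the DKIM-Signature header and the DNS key record, so one parser serves
# the selector's DNS name, the record a rule test looks up and the t=/x= tags.

def parse_tag_list(text: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is removed."""
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_query_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for the public key (RFC 6376 section 3.6.2.1)."""
    return f"{selector}._domainkey.{domain}"

def check_dns_record(txt_strings: list) -> list:
    """Validate a published key record. A TXT RR longer than 255 octets (normal
    for a 2048-bit key) arrives as several strings that must be concatenated."""
    rec = parse_tag_list("".join(txt_strings))
    problems = []
    if rec.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        problems.append("v tag is not DKIM1")
    if rec.get("k", "rsa") != "rsa":
        problems.append("unsupported key type " + rec["k"])
    if "p" not in rec:
        problems.append("no p tag")
    elif rec["p"] == "":
        problems.append("key revoked (empty p tag)")
    else:
        try:
            base64.b64decode(rec["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p tag is not valid base64")
    return problems

def check_signature_times(header_value: str, now: int) -> list:
    """Apply the t= (creation) and x= (expiration) tags; both are Unix seconds."""
    sig = parse_tag_list(header_value)
    problems = []
    if "t" in sig and int(sig["t"]) > now:
        problems.append("signature timestamp is in the future")
    if "x" in sig and int(sig["x"]) <= now:
        problems.append("signature has expired")
    return problems
```

The p= value in a real record is the base64 DER public key; the tests use a constructed placeholder that is valid base64 but not a key.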
Enabling DKIM verification
The DKIM validation method uses the message header digital signature to associate a domain name with the email. The DKIM signature verification function retrieves signer information, including the public key, from the DNS. This signer information is analyzed and verified to determine message legitimacy.
Enable DKIM verification on the page Settings > Inbound/Outbound > DKIM Settings, in the section DomainKeys Identified Mail (DKIM) Verification. Mark any or all of the following check boxes to activate DKIM verification:
*
*
*
By default, these check boxes are not marked.
Configure a custom content policy filter to scan for a DKIM signature in the message header, along with a filter action to take when a message header triggers the filter. See Custom content.
Copyright 2022 Forcepoint. All rights reserved.