Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Managing Messages > DomainKeys Identified Mail (DKIM) integration
DomainKeys Identified Mail (DKIM) integration
Administrator Help | Forcepoint Email Security | Version 8.5.x
The DomainKeys Identified Mail (DKIM) functionality provides an email authentication method to help ensure that a message is not modified while it is in transit from an organization's protected domains. The implementation depends on a set of keys (private and public), which a recipient domain can use to verify the sender domain. DKIM settings are configured on the page Settings > Inbound/Outbound > DKIM Settings.
A DKIM integration has the following components:
*
Email signing
*
Email verification
For the signing element, a private key resides in the mail transfer agent, providing a digital signature that is added to the header of each message sent from a protected domain. A public key is generated and published in the DNS as a text record that is used by a recipient mail system in the verification process.
A signing rule associates specified sender domains with a private and public key set.
Configuring a DKIM signing key
A signing key provides a digital signature for email sent from your protected domains. You may create a signing (private) key, import a key from a local directory, or export a key to a local directory.
The signing keys table includes the following information about each key:
 
Signing Key Item
Description
Key Name
Name of the signing key. Click the key name to open the Edit Signing Key page.
Key Size (bits)
Number of bits in the signing key. The only option for key length is 1024 bits. See this Knowledge Base article to increase key length to 2048.
Rule Name
Name of the rule with which the signing key is associated.
Public Key
Link that opens a View Public Key box, which displays the public key text record.
Configure the number of entries per page
*
From the pull-down menu Per page, select the number of signing key entries per page, between 25 and 100.
Search entries by keyword
1.
From the top right, enter a search term in the text field.
2.
Click Search.
Search results display in the section DKIM Signing Keys.
3.
Clear search results; click Show all keys.
The search field clears and all DKIM signing keys display.
Adding a key
Use the following steps to create a DKIM signing key on the page Settings > Inbound/Outbound > DKIM Settings:
1.
From the section DKIM Signing Keys, click Add.
The Add Signing Key page displays.
2.
In the text field Key name, enter a name for your key.
3.
Select one of the following options for creating your key:
*
Generate key to create the private key
This is the default. The only option for key length is 1024 bits. See this Knowledge Base article to increase key length to 2048.
*
Private key to enter a key you have already created
Paste the key in the entry box.
4.
Click OK.
The key is saved and displays in the section DKIM Signing Keys.
Deleting a key
*
From the section DKIM Signing Keys, mark the check box for a key and select Delete.
The key is deleted. A key cannot be deleted if it is currently in use by a signing rule.
Editing a key
1.
From the section DKIM Signing Keys, click the name of a key.
The Edit Signing Key page displays. The current private key displays in the text field.
2.
Generate a new key; click the button Generate Key.
A new key is generated and displays in the text field. The only option for key length is 1024 bits. See this Knowledge Base article to increase key length to 2048.
3.
Click OK.
The key is saved and displays in the section DKIM Signing Keys.
Importing or exporting a key
DKIM signing keys can be imported and exported on the page Settings > Inbound/Outbound > DKIM Settings.
Import a DKIM signing key
1.
From the section DKIM Signing Keys, click Import.
The Import Key dialog box displays.
2.
Click Browse and navigate to the desired key file.
3.
Click Open.
The Import Key dialog box displays.
4.
On the Import Key dialog box, click Import.
The key is imported. Duplicate key files cannot be imported.
Export a DKIM signing key
1.
From the section DKIM Signing Keys, mark the check box for the key and click Export.
A dialog box displays.
2.
Navigate to the desired directory location and click Save.
The key is exported.
Creating a DKIM signing rule
A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time. Signing rules are configured on the page Settings > Inbound/Outbound > DKIM Settings.
The signing rules table includes the following information about each rule:
 
Signing Rule Item
Description
Rule Name
Name of the signing rule. Click the rule name to open the Edit Signing Rule page.
Domain
Domain name to which the signing rule applies.
Selector
Name component in addition to the domain name used in the DNS query. A given domain may have multiple selectors (e.g., for location or organization division).
Signing Key Name
Name of the signing key associated with this rule.
DNS Text Record
Link that opens a Generate DNS Text Record dialog box. See Generating a DNS text record (public key).
Test Rule
Link to test whether the signing rule is valid. A successful test must be performed before a rule can be enabled.
Status
Indicator of signing rule status (i.e., enabled or disabled). A rule must be enabled in order to take effect.
Configure the number of entries per page
*
From the pull-down menu Per page, select the number of signing rule entries per page, between 25 and 100.
Search entries by keyword
1.
From the top right, enter a search term in the text field.
2.
Click Search.
Search results display in the section DKIM Signing Rules.
3.
Clear search results; click Show all rules.
The search field clears and all DKIM signing rules display.
Adding a signing rule
Use the following steps to create a DKIM signing rule on the page Settings > Inbound/Outbound > DKIM Settings:
1.
From the section DKIM Signing Rules, click Add.
The Add Signing Rule page displays.
2.
In the text field Rule name, enter a name for your rule.
3.
Enter the name of the domain to which this signing rule applies.
4.
(Optional) Include the identity of the user or agent for whom the message is signed; mark the check box Include user identifier.
5.
(Optional) In the text field User identifier, enter the user identifier.
This field is not enabled if the check box Include user identifier is not marked.
6.
In the text field Selector, enter the domain name selector.
A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.
7.
From the pull-down menu Signing key, select the signing key to associate with this rule from the list of existing keys.
8.
Click Advanced Options.
A box displays with additional optional rule settings:
*
From the pull-down menu Algorithm, select an encryption algorithm.
Options include RSA-SHA-1 or RSA-SHA-256. The default is RSA-SHA-1.
*
In the section Canonicalization, specify a canonicalization method for message header and body.
The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message.
The following header and body changes are made, based on the selection of Simple or Relaxed:
 
Simple (default)
Relaxed
Message Header
No header changes made
*
Header names changed to lowercase
*
Header line breaks removed
*
Linear white spaces (including tabs and carriage returns) reduced to a single space
*
Leading and trailing spaces stripped
Message Body
Empty lines at end of body stripped
*
Empty lines at end of message body stripped
*
Linear white spaces (including tabs and carriage returns) reduced to a single space
*
Trailing spaces stripped
*
From the list of standard headers, indicate the message headers to sign.
*
In the field Additional headers, include other headers as a comma-separated list.
*
Specify whether to sign the entire message body or only a portion.
For the latter selection, enter the maximum number of Kbytes to be signed. The default is 1024.
*
Select any optional signature tags for the signing rule:
*
t lets you add a signature creation timestamp.
*
x lets you specify a signature expiration time in seconds.
The default is 3600 seconds.
*
z adds the list of signed header fields to the signature.
9.
From the pull-down menu Signing rule options, select either Sign email messages or Do not sign email messages.
Next, create a list of email addresses to which this option applies.
*
For example, if you select Sign email messages, then email from the addresses in the list is signed. Email from other addresses is not signed.
*
If you select Do not sign email messages, then email from the addresses in the list is not signed, and email from all other users is signed.
Remove an email address from the list by selecting it and clicking Remove.
10.
Click OK.
The settings are saved.
Importing or exporting a rule
DKIM signing rules can be imported or exported on the page Settings > Inbound/Outbound > DKIM Settings.
Import a DKIM signing rule
1.
From the section DKIM Signing Rules, click Import.
The Import Rule dialog box displays.
2.
Click Browse and navigate to the desired key rule file.
3.
Click Open.
4.
On the Import Rule dialog box, click Import.
The key rule is imported. Duplicate key rule files cannot be imported.
Export a DKIM signing rule
1.
From the section DKIM Signing Rules, mark the check box for the rule and click Export.
A dialog box displays.
2.
Navigate to the desired directory location and click Save.
The rule is exported.
Generating a DNS text record (public key)
Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears.
View a public key by clicking View for a particular private key in the DKIM Signing Keys table Public Key column.
Testing a rule
Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup query. You receive confirmation of success or failure when the test is complete.
You must have performed a successful rule test before a rule can be enabled.
Enabling DKIM verification
The DKIM validation method uses the message header digital signature to associate a domain name with the email. The DKIM signature verification function retrieves signer information, including the public key, from the DNS. This signer information is analyzed and verified to determine message legitimacy.
Enable DKIM verification on the page Settings > Inbound/Outbound > DKIM Settings, in the section DomainKeys Identified Mail (DKIM) Verification. Mark any or all of the following check boxes to activate DKIM verification:
*
Enable DomainKeys Identified Mail (DKIM) verification for inbound messages
*
Enable DomainKeys Identified Mail (DKIM) verification for outbound messages
*
Enable DomainKeys Identified Mail (DKIM) verification for internal messages
By default, these check boxes are not marked.
Configure a custom content policy filter to scan for a DKIM signature in the message header, along with a filter action to take when a message header triggers the filter. See Custom content.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Managing Messages > DomainKeys Identified Mail (DKIM) integration
Copyright 2022 Forcepoint. All rights reserved.