Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Antispoofing tab > DKIM Signing
DKIM Signing
DomainKeys Identified Mail (DKIM) is an authentication method designed to protect recipients from spoofed messages. DKIM authenticates the message sender address and message body to provide validation that the sender has not been forged and that the message has not been altered.
When DKIM signing is enabled, the cloud service signs outgoing messages from specified sender domains/subdomains with a private key, adding a DKIM-Signature header. Recipient servers can use the information in this header to perform a DNS lookup. The DNS response provides the Forcepoint public key, which can be used to decrypt the signed header and authenticate the message.
A DKIM signing rule defines which of your sender domains/subdomains to protect with a specified signing domain. Granular sender/recipient options can be applied, to include or exclude specific sender addresses, or sender/recipient combinations.
Note: a single signing domain can be used by multiple rules to validate different sender subdomains. A sender domain/subdomain can only be signed by one signing domain, and consequently can only be added to one rule.
 
* 
Important 
Before enabling a signing rule, you must publish DNS CNAME records for your signing domain. CNAME records enable the DNS lookup to Forcepoint in order to provide the public key to recipient mail servers. Details of the CNAME records you must publish can be found on the DNS Records and Service IPs page. See DNS records and service IP addresses for more information.
Adding a DKIM signing rule
To add a DKIM signing rule:
1.
Navigate to Email > Policies > [policy name] > Antispoofing tab.
2.
Under DKIM Signing, click Add.
3.
On the Add DKIM Signing Rule page, enter a rule name.
4.
In the Sender domains/subdomains field, add one or more sender domain/subdomains that will be signed by this rule, separated by a line break.
Note: sender domains/subdomains can appear in only one signing rule.
5.
In the Signing domain field, enter the domain that will be used as the signing domain for this rule.
6.
Optionally, select Enable granular DKIM sender/recipient options to include or exclude specific senders, or sender/recipient combinations. Otherwise, click Submit.
7.
Using the options that appear, select either:
*
Sign messages from these addresses to sign messages from specific addresses, or
*
Do not sign messages from these addresses to sign messages from all senders within your sender domains except specific addresses.
8.
In the Senders field, enter one or more email addresses for the senders who will be included or excluded by this rule. Email addresses must be separated by a line break. Use *@domain.com to include all addresses for a domain.
Note: this field is required when granular sender/recipient options are enabled.
9.
In the Recipients field, optionally enter recipients that will be included or excluded by this rule. Email addresses must be separated by a line break. Use *@domain.com to include all addresses for a domain.
*
When Sign messages from these addresses is selected, only messages from a specified sender address to any of the entered recipient addresses will be signed.
*
When Do not sign messages from these addresses is selected, messages from all addresses within your sender domains will be signed, except for messages that are from a specified sender address to any of the specified recipient addresses.
10.
Click Submit.
Once you have added a signing rule, the service checks the CNAME records for your signing domain. If the CNAME record check fails, an error message is shown. A rule cannot be enabled until the CNAME record check has passed.
Enabling a DKIM signing rule
DKIM signing rules are initially set to OFF. In order to enable a DKIM signing rule, the signing domain must have passed a CNAME record check.
Enable a DKIM signing rule on the Email > Policies > [policy name] > Antispoofing tab, under DKIM Signing.
To enable a rule:
*
If the CNAME record check has passed, toggle the State switch on ON, then click Save.
*
If the CNAME record check has failed, ensure that the CNAME record has been published for the signing domain. For further information on publishing the CNAME record, see DNS records and service IP addresses.
Once you have published the CNAME record, click Recheck to perform the check again.
To disable a rule, toggle the State switch to OFF, then click Save.
Editing a DKIM signing rule
Click the name of the rule in the DKIM Signing table to edit the sender domains/subdomains or signing domain for the rule, or to make changes to the granular sender/recipient options.
For more information on the configuration options for DKIM signing, see Adding a DKIM signing rule.
To delete a rule, click the rule name in the DKIM Signing table to open the Edit DKIM Signing Rule page. Click Delete to remove the rule.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Email Policies > Antispoofing tab > DKIM Signing
Copyright 2023 Forcepoint. All rights reserved.