DomainKeys Identified Mail (DKIM) integration
Administrator Help | TRITON AP-EMAIL | Version 8.2.x
DomainKeys Identified Mail (DKIM) is an email authentication method that lets a receiving mail system verify that a message was sent with the authorization of the signing domain and that the signed headers and body were not modified in transit from an organization's protected domains. The implementation depends on a key pair: the private key signs outgoing messages, and the matching public key, published in DNS, lets a recipient domain verify the signature and thereby the sender domain.
A DKIM integration has the following components:
*
*
The signing element is a private key held by the mail transfer agent; it produces a digital signature that is added as a DKIM-Signature header to each message sent from a protected domain. The matching public key is published in DNS as a text (TXT) record, which the recipient mail system retrieves during verification.
A signing rule associates specified sender domains with a private and public key set.
Configuring a DKIM signing key
A signing key provides a digital signature for email sent from your protected domains. You may create a signing (private) key, import a key from a local directory, or export a key to a local directory.
You may also delete an existing key, unless it is currently in use by a signing rule. Select the desired key by marking its associated check box and click Delete.
The DKIM Signing Keys section contains a table of key information. You can configure the number of signing key entries per page, between 25 and 100, in the Per page drop-down list at the top of the table.
You can perform a keyword search by entering a term in the entry field at the top right of the table and clicking Search. Click Show all keys to clear the Search field and refresh the signing keys list.
The signing keys table includes the following information about each key:
Adding a key
Use the following steps to create a DKIM signing key in the Settings > Inbound/Outbound > DKIM Settings page:
1.
Click Add in the DKIM Signing Keys section to open the Add Signing Key page.
2.
3.
* Generate key (default) to create the private key. Only 1024-bit keys are supported. Note that 1024 bits is the smallest RSA key size RFC 8301 allows signers to use; it recommends 2048 bits, so rotate keys regularly while this limit applies.
* Private key to enter a key you have already created. Paste the key in the entry box.
4.
Importing or exporting a key
To import a DKIM signing key in the Settings > Inbound/Outbound > DKIM Settings page, click Import to open a browser window. Navigate to the desired key file and click Open. You cannot import a duplicate key file.
To export a key, select the desired key in the signing keys table by marking its associated check box and click Export to open a browser window. Navigate to the desired directory location and click Save.
Creating a DKIM signing rule
A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time.
You may create a signing rule, import an existing rule from a local directory, or export a rule to a local directory on the Settings > Inbound/Outbound > DKIM Settings page.
You may also delete a signing rule. Select the desired rule by marking its associated check box and click Delete.
The DKIM Signing Rules section contains a table of rule information. You can configure the number of signing rule entries per page, between 25 and 100, in the Per page drop-down list at the top of the table.
You can perform a keyword search by entering a term in the entry field at the top right of the table and clicking Search. Click Show all rules to clear the Search field and refresh the signing rules list.
The signing rules table includes the following information about each rule:
Adding a signing rule
Use the following steps to create a DKIM signing rule in the Settings > Inbound/Outbound > DKIM Settings page:
1.
Click Add in the DKIM Signing Rules section to open the Add Signing Rule page.
2.
3.
4.
If desired, mark the Include user identifier check box to include the identity of the user or agent for whom the message is signed (the DKIM i= tag).
5.
Enter the user identifier in the User identifier entry field (optional). This field is not enabled if the Include user identifier check box is not marked. The domain part of the identifier must be the signing domain or a subdomain of it, otherwise verifiers reject the signature.
6.
Enter the domain name selector in the Selector entry field. A selector is a name component that is combined with the domain name to form the DNS name a verifier queries for the public key (selector._domainkey.domain). A given domain may have multiple selectors, which lets you publish a new key under a new selector and retire the old one without interrupting signing.
7.
8.
Click Advanced Options to open a box with additional optional rule settings:
* Select a signing algorithm from the Algorithm drop-down list. Options include RSA-SHA-1 (default) or RSA-SHA-256. Choose RSA-SHA-256: RFC 8301 withdrew rsa-sha1 from DKIM, and current verifiers no longer accept signatures made with it.
* Specify a canonicalization method for message header and body in the Canonicalization section. The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message (for example, re-folding long header lines or adding trailing empty lines) that would otherwise invalidate the signature.
The following header and body changes are made, based on the selection of Simple or Relaxed (as defined in RFC 6376):
* Simple (header): the header field is used exactly as it appears in the message.
* Relaxed (header): the field name is converted to lowercase, the value is unfolded, runs of whitespace are reduced to a single space, and whitespace before and after the value is removed.
* Simple (body): empty lines at the end of the body are removed; an empty body is treated as a single CRLF.
* Relaxed (body): trailing whitespace is removed from each line, runs of whitespace within a line are reduced to a single space, and empty lines at the end of the body are removed.
* Select any of the following optional signature tags to add to the DKIM-Signature header:
* t lets you add a signature creation timestamp
* x lets you specify a signature expiration time in seconds after creation (default is 3600); the tag carries the resulting absolute time, after which verifiers treat the signature as invalid
* z copies the signed header fields (names and values) into the signature; verifiers do not use it for validation, but it helps diagnose why a signature failed to verify elsewhere
9.
From the Signing rule options drop-down list, select either Sign email messages or Do not sign email messages. Then create a list of email addresses to which this option applies.
For example, if you select Sign email messages, email from the addresses in the list is signed and email from other addresses is not signed.
If you select Do not sign email messages, email from the addresses in the list is not signed, and email from all other users is signed.
You may search the email address list by entering a keyword in the search entry field and clicking Search.
You may remove an email address from the list by selecting it and clicking Remove.
10.
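The following is an added example, not code from the original page or from Forcepoint: it shows in Python (standard library only) what the signing-rule options above do to a message before the RSA step, namely RFC 6376 simple and relaxed canonicalization of header and body, the body hash (bh=), and assembly of the DKIM-Signature header with the optional t=, x= and z= tags. It returns the exact octets the private key then signs; the RSA operation itself is left to whatever holds the key (the MTA in this product). The sample message, domain, selector and all function names are constructed for the example.

```python
"""Added example: canonicalization, body hash and DKIM-Signature assembly
(RFC 6376 sections 3.4 and 3.7).  Stdlib only; sample data is constructed."""
import base64
import hashlib
import re
import time


def canon_header(name, value, method):
    """Header canonicalization, RFC 6376 sections 3.4.1 and 3.4.2."""
    if method == "simple":
        return f"{name}:{value}\r\n"                      # field kept as received
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()    # unfold, squeeze whitespace
    return f"{name.lower()}:{value}\r\n"


def canon_body(body, method):
    """Body canonicalization, RFC 6376 sections 3.4.3 and 3.4.4."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":                      # both drop trailing empty lines
        lines.pop()
    out = "".join(ln + "\r\n" for ln in lines)
    return "\r\n" if method == "simple" and not out else out   # empty body edge case


def body_hash(body, method, hash_name="sha256"):
    """The bh= value: base64 digest of the canonicalized body."""
    digest = hashlib.new(hash_name, canon_body(body, method).encode()).digest()
    return base64.b64encode(digest).decode()


def dkim_qp(text):
    """dkim-quoted-printable (RFC 6376 section 2.11), used by the z= tag."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E and chr(b) not in ";=|" else f"={b:02X}"
                   for b in text.encode())


def prepare_signature(headers, body, *, domain, selector, signed_headers,
                      algorithm="rsa-sha256", canon=("relaxed", "relaxed"),
                      user_id=None, add_timestamp=True, expiry_seconds=3600,
                      copy_headers=False, now=None):
    """Return (DKIM-Signature value with b= empty, octets to sign, their digest).
    The private key signs the digest (PKCS#1 v1.5); base64 of that is the b= value."""
    hash_name = algorithm.split("-", 1)[1]
    hc, bc = canon
    now = int(time.time() if now is None else now)
    instances = {}                                        # lowercased name -> instances in order
    for name, value in headers:
        instances.setdefault(name.lower(), []).append((name, value))
    wanted = {h.lower() for h in signed_headers}
    tags = ["v=1", f"a={algorithm}", f"c={hc}/{bc}", f"d={domain}", f"s={selector}"]
    if user_id:
        tags.append(f"i={user_id}")                       # "Include user identifier"
    tags.append("h=" + ":".join(signed_headers))
    if add_timestamp:
        tags.append(f"t={now}")                           # tag t: creation time
    if expiry_seconds:
        tags.append(f"x={now + expiry_seconds}")          # tag x: absolute expiry
    if copy_headers:                                      # tag z: copies of signed headers
        copies = [f"{n}:{v}" for n, v in headers if n.lower() in wanted]
        tags.append("z=" + "|".join(dkim_qp(c) for c in copies))
    tags.append(f"bh={body_hash(body, bc, hash_name)}")
    tags.append("b=")
    sig_value = "; ".join(tags)
    # Hash input: each listed header, last instance first for repeated names
    # (RFC 6376 section 5.4.2), then the DKIM-Signature header without its CRLF.
    to_sign = ""
    for name in signed_headers:
        found = instances.get(name.lower())
        if found:
            n, v = found.pop()
            to_sign += canon_header(n, v, hc)
    to_sign += canon_header("DKIM-Signature", sig_value, hc).rstrip("\r\n")
    return sig_value, to_sign, hashlib.new(hash_name, to_sign.encode()).digest()


# Constructed sample message (not from the original page).
SAMPLE_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "Quarterly   report"),
    ("Received", "from mx.example.com by mail.example.net; Tue, 14 Nov 2023 22:13:20 +0000"),
]
SAMPLE_BODY = "Hello Bob,   \r\n\r\nNumbers attached.\r\n\r\n\r\n"

if __name__ == "__main__":
    sig, data, _ = prepare_signature(SAMPLE_HEADERS, SAMPLE_BODY, domain="example.com",
                                     selector="s1", signed_headers=["From", "To", "Subject"],
                                     copy_headers=True)
    print("DKIM-Signature:", sig)
    print("--- octets to sign ---")
    print(data)
```

Run it and compare the relaxed output against the original Subject line: the three spaces collapse to one, which is exactly the kind of change an intermediate MTA may make without breaking the signature. A header listed in h= but absent from the message is simply skipped, and listing a name twice signs the last two instances in reverse order, which is how verifiers defend against a later hop prepending a second From.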
Importing or exporting a rule
To import a DKIM signing rule in the Settings > Inbound/Outbound > DKIM Settings page, click Import to open a browser window. Navigate to the desired rule file and click Open. You cannot import a duplicate rule.
To export a rule, select the desired rule in the signing rules table by marking its associated check box and click Export to open a browser window. Navigate to the desired directory location and click Save.
Generating a DNS text record (public key)
Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears. Publish this record in DNS under the name formed from the rule's selector and domain (selector._domainkey.domain); the record must be resolvable before the rule test can succeed.
You can view a public key by clicking View for a particular private key in the DKIM Signing Keys table Public Key column.
Testing a rule
Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup for the rule's public key record, so the DNS text record must already be published. You receive confirmation of success or failure when the test is complete.
You must have performed a successful rule test before a rule can be enabled.
Enabling DKIM verification
DKIM verification uses the digital signature in the message's DKIM-Signature header to associate a domain name with the email. The verification function reads the selector and domain from that header, retrieves the signer information, including the public key, from DNS, and checks the signature against the signed headers and the body hash. This signer information is analyzed and verified to determine message legitimacy.
You can enable DKIM verification in the Settings > Inbound/Outbound > DKIM Settings page, in the DomainKeys Identified Mail (DKIM) Verification section. Mark any of the following check boxes to activate DKIM verification:
*
*
*
By default, these check boxes are not marked.
You can configure a custom content policy filter to scan for a DKIM signature in the message header, along with a filter action to take when a message header triggers the filter. See Custom content for information about creating this filter.

Copyright 2016 Forcepoint LLC. All rights reserved.