KBA-01905

Configuring DomainKeys/DKIM verification options in SecurityGateway

This article explains how to configure SecurityGateway to check incoming messages for DKIM and DomainKeys information, a method of verifying the sender of a message by comparing a cryptographic signature in the message header against information registered on the sending domain. More information about DKIM and DomainKeys can be found at http://www.dkim.org/info/dkim-faq.html.

 From the Dashboard, after logging in:

  1. Click on Security in the lower-left corner
  2. Locate the Anti-Spoofing section 
  3. Click on DKIM Verification

From there you may configure the following options:

  • Verify signatures created using DomainKeys Identified Mail (DKIM)

    SecurityGateway will check incoming messages for DKIM signatures, and check the information registered on the sending domain to verify a match. By default, this is enabled.

  • Verify signatures created using DomainKeys (DK)

    SecurityGateway will check incoming messages for DomainKeys signatures, and check the information registered on the sending domain to verify a match. By default, this is enabled.

  • When verification returns a FAIL result (requires SSP processing)

    If an incoming message has a DK/DKIM key in its header, but it does not match the information registered on the sending domain, SecurityGateway will check the SSP (Secure Signing Policy) for the domain to verify their signing policy.

    If a match is required, SecurityGateway will either refuse delivery of the message completely, quarantine it for later review by the administrators or recipient, or accept the message, and perform additional steps according to the next two options. By default, SecurityGateway will refuse delivery of messages that fail a required DK/DKIM key match.

  • ... tag subject with <>

    If you choose to quarantine, or accept for delivery, a message that fails a DK/DKIM key match, you may add some text to the start of the message's subject, by default '*** FRAUD ***'. By default, this is disabled.

  • ... add x points to message score

    If you choose to quarantine or accept for delivery a message that fails a DK/DKIM match, you may add a number of points to its message score. By default, SecurityGateway will add 3.0 points which may cause the message to be marked as spam or quarantined.

  • When verification returns a PASS result... add x points to message score

    If a message has a DK/DKIM key that can be verified against the sending domain's information, you may change its message-score by putting a negative number here to subtract that amount. By default, this is set to 0.0.

  • Exclude messages from whitelisted IP addresses

    If the sending IP address is on the server's whitelist, then SecurityGateway will not do a DK/DKIM check on the message. By default, this is enabled.

  • Exclude messages from authenticated sessions

    If the connecting user authenticates their session using a username and password on the SecurityGateway server before sending the message, SecurityGateway will not do a DK/DKIM check on the message. By default, this is enabled.


    Note that the next three options affect all domains globally, and cannot be set specifically for individual ones.

  • Unsigned or improperly signed messages trigger SSP processing

    If an incoming message does not have a DK/DKIM key in its header, or it is not signed properly, SecurityGateway will check the SSP for the domain to verify if message-signing is required, and return a FAIL result if necessary. This is disabled by default.

  • Verifier honors body length count (l= tag)

    If an incoming message has an 'l=' tag listed in its DK/DKIM signature, SecurityGateway will verify the length of the message as per this tag, and return a FAIL result if it does not match. By default, this is disabled.

  • Verifier requires signatures to protect the Subject header

    SecurityGateway will check whether the subject of the message appears to have been changed from what is listed in the DKIM key in the message header, and return a FAIL result if necessary. By default, this is disabled.
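
The last two options concern what a signature actually covers. The following added example, which is not SecurityGateway code, reads a DKIM-Signature header and reports whether Subject is among the signed headers (h=) and how many body bytes fall outside the l= count. It assumes simple body canonicalization and SHA-256; the message, domain and selector are constructed sample values.

```python
import base64
import hashlib
import re

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376, 3.2)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    pairs = (p.split("=", 1) for p in unfolded.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def audit(header_value: str, body: bytes) -> dict:
    """Report what this signature covers (assumes simple body canon, SHA-256)."""
    tags = parse_tags(header_value)
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    canon = canon_simple(body)
    # l= is the number of canonicalized body bytes included in the body hash.
    covered = canon[: int(tags["l"])] if "l" in tags else canon
    bh = base64.b64encode(hashlib.sha256(covered).digest()).decode()
    return {
        "subject_signed": "subject" in signed,
        "has_length_tag": "l" in tags,
        "unsigned_body_bytes": len(canon) - len(covered),
        "body_hash_matches": bh == re.sub(r"\s+", "", tags.get("bh", "")),
    }

# Constructed sample: the signer covered only the first line of the body
# and did not list Subject in h=. d=, s= and b= are placeholders.
SIGNED_PART = b"Invoice attached.\r\n"
BODY = SIGNED_PART + b"Text added after signing.\r\n"
HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1;\r\n"
    "\th=from:to:date; l=%d;\r\n\tbh=%s; b=PLACEHOLDER"
    % (len(SIGNED_PART), base64.b64encode(hashlib.sha256(SIGNED_PART).digest()).decode())
)

if __name__ == "__main__":
    print(audit(HEADER, BODY))
```

A non-zero unsigned_body_bytes together with a matching body hash means part of the delivered body was never covered by the signature.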

Additional Comments

The above settings, aside from the three specifically mentioned, can be configured for either the entire server, or for individual domains, depending on your needs. Click the 'For Domain' drop down on the upper right to select the domain you wish to configure.

Related Articles

KBA-01906 Configuring DomainKeys/DKIM signing options in SecurityGateway