Cloud Email Gateway Protection verifies DKIM signatures in incoming email messages and allows administrators to take actions on messages that fail to pass signature verification. If a message's DKIM signature passes verification, the message will continue to the next step in the regular delivery process.
The DKIM verification settings apply only to the selected recipient domain.
Note
Cloud Email Gateway Protection provides a built-in default rule that has the lowest priority to ensure you receive a baseline level of protection. The default rule cannot be deleted.
You can create only one rule for each Managed Domain. The default rule will be applied if no other rule matches the Managed Domain.

Procedure

  1. Go to Inbound Protection > Domain-based Authentication > DomainKeys Identified Mail (DKIM) Verification.
  2. Click Add.
    The Add DKIM Verification Settings screen appears.
  3. Select a specific recipient domain from the Managed domain drop-down list.
  4. Select Enable DKIM verification.
  5. Optionally select Skip DKIM verification for email messages with no envelope sender addresses.
  6. Optionally select Insert an X-Header into email messages.
    An X-Header is added to indicate whether DKIM verification succeeded.
    Here are some examples of the X-Header:
    X-TM-Authentication-Results:dkim=pass; No signatures and verification is not enforced
    X-TM-Authentication-Results:dkim=pass; No processed signatures and verification is not enforced
    X-TM-Authentication-Results:dkim=fail; No processed signatures but verification is enforced
    X-TM-Authentication-Results:dkim=pass; Contain verified signature, header.d=test.com, header.s=TM-DKIM_201603291435, header.i=sender@test.com
    X-TM-Authentication-Results:dkim=fail; No verified signatures
  7. Under Intercept, select an action that you want to take on a message that fails DKIM verification.
    • Do not intercept messages
    • Delete entire message
    • Quarantine
  8. Under Tag and Notify, select further actions that you want to take on the message.
    • Tag subject
      Note
      Tags can be customized. When selecting the Tag subject action, note the following:
      • This action may destroy the existing DKIM signatures in email messages, leading to a DKIM verification failure by the downstream mail server.
      • To prevent tags from breaking digital signatures, select Do not tag digitally signed messages.
    • Send notification
  9. Under Ignored Peers, do any of the following:
    • To add ignored peers to skip DKIM verification for specific sender domains, specify one or multiple sender domain names, IP addresses, or CIDR blocks, and click Add.
      Cloud Email Gateway Protection will not perform DKIM verification for email messages from the specified domains, IP addresses, or CIDR blocks. The email messages will continue to the next step in the regular delivery process.
      However, this does not mean the email messages have passed DKIM verification. They will fail subsequent DMARC authentication if they do not actually meet specific criteria of the DKIM standard.
      Note
      For ignored peers specified using domain names, Cloud Email Gateway Protection uses senders' envelope addresses to match the domain names.
    • To search for existing ignored peers, type a keyword and click Search.
    • To import ignored peers from a CSV file, click Import.
      The following import options are available:
      • Merge: append the ignored peers to the existing list.
      • Overwrite: replace the existing list with the ignored peers in the file.
    • To export all ignored peers to a CSV file, click Export.
  10. Under Enforced Peers, do any of the following:
    • Select Use the header sender to match enforced peers.
      Note
      The envelope sender address is always used for matching enforced peers.
      Select this option when you want to use the sender address in the message header for matching as well.
    • To add enforced peers to enforce DKIM verification for specific sender domains, specify one or multiple sender domain names and click Add.
      Each email message from the specified domain must meet specific criteria of the DKIM standard; otherwise, an action will be taken on the message.
      The following criteria must be met:
      • The sender domain must have a DKIM record.
      • There is at least one verified signature in the message.
    • To search for, import, or export enforced peers, follow the same operations described in the previous step.
    Note
    • The ignored peer list takes precedence over the enforced peer list. If a message matches both the ignored peer list and enforced peer list, Cloud Email Gateway Protection skips DKIM verification for the message.
    • If you have enabled Skip DKIM verification for email messages with no envelope sender addresses, such email messages skip DKIM verification even if their header sender addresses match the enforced peer list.
  11. Click Add to finish adding the DKIM verification settings.
    Note
    All the settings you added take effect only when you click Add.
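
The X-Header examples in step 6 show that dkim=pass is also written when a message carries no signature and verification is not enforced, so a downstream filter or SIEM rule should not read "pass" as "signed and verified". The following Python parser is an added example, not Trend Micro code; it assumes the header layout inferred from the five samples above and treats a reported header.d value as the evidence of a verified signature.

```python
import re

# The five X-Header examples from step 6 of this page, reused as sample input.
SAMPLE_HEADERS = [
    "X-TM-Authentication-Results:dkim=pass; No signatures and verification is not enforced",
    "X-TM-Authentication-Results:dkim=pass; No processed signatures and verification is not enforced",
    "X-TM-Authentication-Results:dkim=fail; No processed signatures but verification is enforced",
    "X-TM-Authentication-Results:dkim=pass; Contain verified signature, header.d=test.com, "
    "header.s=TM-DKIM_201603291435, header.i=sender@test.com",
    "X-TM-Authentication-Results:dkim=fail; No verified signatures",
]

# Assumption: the layout "dkim=<result>; <detail>" is inferred from those examples only.
HEADER_RE = re.compile(r"^X-TM-Authentication-Results:\s*dkim=(\w+)\s*;\s*(.*)$", re.IGNORECASE)
TAG_RE = re.compile(r"header\.([dsi])=([^,\s]+)")


def parse_dkim_xheader(line):
    """Parse one unfolded header line; return None if it is not this X-Header."""
    match = HEADER_RE.match(line.strip())
    if match is None:
        return None
    result, detail = match.group(1).lower(), match.group(2).strip()
    tags = dict(TAG_RE.findall(detail))  # keys: d (domain), s (selector), i (identity)
    # "pass" alone is not proof of a signature: the first two samples pass because
    # verification is not enforced. Require a reported signing domain (header.d).
    verified = result == "pass" and "d" in tags
    return {"result": result, "detail": detail, "tags": tags, "verified": verified}


def classify(line):
    """Map a header line to absent / verified / pass-unverified / fail."""
    parsed = parse_dkim_xheader(line)
    if parsed is None:
        return "absent"
    if parsed["verified"]:
        return "verified"
    # Any result other than "pass" is treated as a failure (fail closed).
    return "pass-unverified" if parsed["result"] == "pass" else "fail"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify(header), "|", parse_dkim_xheader(header)["tags"])
```

Only the fourth sample classifies as verified; the first two are pass-unverified even though the header reads dkim=pass.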