Cloud Email Gateway Protection authenticates incoming email messages of the selected domain and allows administrators to take actions on messages that fail to pass DMARC authentication. If DMARC authentication passes, the messages will be delivered normally. If DMARC authentication fails, the messages will be quarantined, rejected or delivered according to the DMARC settings.
The DMARC settings apply only to the selected recipient domain.
Note
Cloud Email Gateway Protection provides a built-in default rule that has the lowest priority to ensure you receive a baseline level of protection. The default rule cannot be deleted.
You can create only one rule for each Managed Domain. The default rule will be applied if no other rules are matched based on the Managed Domain.

Procedure

  1. Go to Inbound Protection > Domain-based Authentication > Domain-based Message Authentication, Reporting and Conformance (DMARC).
  2. Click Add.
    The Add DMARC Settings screen appears.
  3. Select a specific recipient domain from the Managed domain drop-down list.
  4. Select Enable DMARC.
  5. Optionally select Skip DMARC for email messages with no envelope sender addresses.
  6. Optionally select Enable Authenticated Received Chain (ARC).
    Cloud Email Gateway Protection will successfully authenticate the email messages that fail DMARC authentication but pass ARC validation, and will also insert a set of ARC headers into these email messages.
    Here is an example of a set of ARC headers:
    ARC-Authentication-Results: i=2; tmes.trendmicro.com; spf=temperror (sender IP address: 10.135.11.245) smtp.mailfrom=example.com; dkim=none (no processed signatures) header.d=none; dmarc=fail action=none header.from=test.com; arc=pass
    ARC-Message-Signature: i=2; a=rsa-sha256; d=tmes.trendmicro.com; s=TM-DKIM-20200223173148; t=1628750516; c=relaxed/relaxed; bh=5ffn1pIbUBxx6CFHIVuU2HzEpEvAtzhWZ1Jz7ddgWws=; h=Date:From:To:Subject:Message-ID:Content-Type; b=cAaAR+7GtaByy8iSJiWo7GIf8T28Pjod3W2vWKcQWLH/7YA4n0X51cSBlPwtTygfX otqfftTsCNIO1/Xx5LtdE2KdVYZbVgrFo+WpDgtCXCLLw6sO7OsdsPSSPbcpEq8r6q ERfAqu5TNDLaj2+cR197bBhUFYVDJDe7pbfNaAy2g8GL3gOGrkWQcYw1DrRWXeOSEi 3i59afFHqH3LOY4cmlyWDpZxyDhhn7Rhb3ZNlw9aUuQtMj7iaXkxQaC1M/T6bxLEAE XXV4jczaONiJ/5XmsPlR0gvHr0SpC42isWxElyXr2J1C93HgeAmK1Db4JAOGV2mXMF I3fzA7jbSSLag==
    ARC-Seal: i=2; a=rsa-sha256; d=tmes.trendmicro.com; s=TM-DKIM-20200223173148; t=1628750516; cv=pass; b=LKQY/mrwXnJKLJIclybRcGQyWziCvHqIFBAZAYtTlz1aYQ2EiHaXaLbkmokgF8ibC zj5UwsJrIj20lpm0aB+qKDoy4Psme/I3JZNDa5B1OeLHvkcubfUq9bzfSZadkN/dWC N9FfbNSQwiZ0++SOLVwYCcIqh9PkWcfIJa7bo4sP7aUZjJkcXutfcm0q94J9j4fIgz HWxEh58pvjtuMrSKCVCyMIODGoEYa1EbD2EbiTI7iZ54VfPXHjR79b0+21xppZbVEN 0QZGWYuuCoLUrIWDhPzS0kyYyIumPIh4RLe8sMKaBrKECo89XU+BjfNuwZpAPJs/id Q6RbaHHVtp8XA==
  7. Optionally select Insert an X-Header into email messages.
    An X-Header is added to indicate whether DMARC authentication succeeded.
    Here are some examples of X-Header:
    X-TM-Authentication-Results: spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=none
    X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=fail action=none header.from=example.com; arc=none
    X-TM-Authentication-Results: spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=pass
    X-TM-Authentication-Results: spf=pass (sender IP address: 10.204.128.20) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=pass
  8. Optionally select Deliver daily reports to senders.
    If you select this option, aggregated reports will be generated daily for authentication failures and sent back to email senders.
  9. Under Intercept, specify actions to take on messages that fail DMARC authentication.
    A DMARC tag instructs recipients how to handle email messages that fail DMARC authentication. There are three values for the tag: "none", "quarantine", and "reject". Cloud Email Gateway Protection enables you to specify the action to take in each scenario based on the instructions:
    • None: select the action to take when the DMARC tag value is "none".
    • Quarantine: select the action to take when the DMARC tag value is "quarantine".
    • Reject: select the action to take when the DMARC tag value is "reject".
    • No DMARC records: select the action to take when there are no DMARC records.
  10. Under Tag and Notify, select further actions that you want to take on the messages.
    • Tag subject
      Note
      Tags can be customized. When selecting the Tag subject action, note the following:
      • This action may destroy the existing DKIM signatures in email messages, leading to a DKIM verification failure by the downstream mail server.
      • To prevent tags from breaking digital signatures, select Do not tag digitally signed messages.
    • Send notification
  11. Under Ignored Peers, do any of the following:
    • To add ignored peers to skip DMARC authentication for specific sender domains, specify one or multiple sender domain names, IP addresses, or CIDR blocks, and click Add.
      Cloud Email Gateway Protection will not implement DMARC authentication for email messages from the specific domains, IP addresses, or CIDR blocks. The email messages will continue to the next step in the regular delivery process.
      Note
      For ignored peers specified using domain names, Cloud Email Gateway Protection uses senders' envelope addresses to match the domain names.
    • To search for existing ignored peers, type a keyword and click Search.
    • To import ignored peers from a CSV file, click Import.
      The following import options are available:
      • Merge: append the ignored peers to the existing list.
      • Overwrite: replace the existing list with the ignored peers in the file.
    • To export all ignored peers to a CSV file, click Export.
  12. Under Enforced Peers, do any of the following:
    • Select Use the header sender to match enforced peers.
      Note
      The envelope sender address is always used for matching enforced peers.
      Select this option when you want to use the sender address in the message header for matching as well.
    • To add enforced peers to enforce DMARC authentication for specific sender domains, specify one or multiple sender domain names and click Add.
      Each email message from the specified domain must meet specific criteria of the DMARC standard; otherwise, an action will be taken on the message.
      The following criteria must be met:
      • The sender domain has a DMARC record.
      • The message passes the SPF check, and its identifier domain is in alignment. Alternatively, the message passes DKIM verification, and its identifier domain is in alignment.
    • To search for, import or export enforced peers, perform operations similar to those described in the previous step.
    Note
    • The ignored peer list takes precedence over the enforced peer list. If a message matches both the ignored peer list and enforced peer list, Cloud Email Gateway Protection skips DMARC verification for the message.
    • If you have enabled Skip DMARC for email messages with no envelope sender addresses, such email messages skip DMARC verification even if their header sender addresses match the enforced peer list.
  13. Click Add to finish adding the DMARC settings.
    Note
    All the settings you added take effect only when you click Add.
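The header formats shown in steps 6 and 7 can be parsed downstream to see why a message was accepted. The following is an added example, not part of the product or its documentation: the function names and result labels are hypothetical, and an exact domain match stands in for DMARC identifier alignment.

```python
import re

# One clause: method=result, optional (comment), then property=value pairs.
CLAUSE = re.compile(r"^([a-z]+)=([a-z]+)\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_auth_results(value):
    """Parse one header value into {method: {"result", "comment", <props>}}."""
    parsed = {}
    # Split on ';' except where it sits inside a parenthesised comment.
    for clause in re.split(r";(?![^()]*\))", value):
        m = CLAUSE.match(clause.strip())
        if not m:
            continue  # e.g. the "i=2" and server-name parts of the ARC variant
        method, result, comment, props = m.groups()
        entry = {"result": result, "comment": comment or ""}
        entry.update(re.findall(r"([\w.]+)=(\S+)", props))
        parsed[method] = entry
    return parsed

def same_domain(a, b):
    # Assumption: exact match stands in for DMARC identifier alignment.
    return bool(a and b) and a.lower() == b.lower()

def triage(value):
    """Label why a message passed or failed, for downstream review."""
    r = parse_auth_results(value)
    dmarc = r.get("dmarc", {})
    if dmarc.get("result") == "pass":
        frm = dmarc.get("header.from")
        via = [m for m, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d"))
               if r.get(m, {}).get("result") == "pass"
               and same_domain(r[m].get(prop), frm)]
        return "dmarc-pass:" + ("+".join(via) or "unexplained")
    if dmarc.get("result") == "fail" and r.get("arc", {}).get("result") == "pass":
        return "arc-override"  # failed DMARC, accepted on ARC validation (step 6)
    return "dmarc-" + dmarc.get("result", "missing")

# Header values copied from the examples in steps 7 and 6 (header name removed).
SAMPLES = [
    "spf=pass (sender IP address: 10.210.128.20) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=none",
    "spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=fail action=none header.from=example.com; arc=none",
    "spf=fail (sender IP address: 10.204.148.40) smtp.mailfrom=example.com; dkim=pass (signatures verified) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=pass",
    "spf=pass (sender IP address: 10.204.128.20) smtp.mailfrom=example.com; dkim=fail (no verified signatures found) header.d=example.com; dmarc=pass action=none header.from=example.com; arc=pass",
    "i=2; tmes.trendmicro.com; spf=temperror (sender IP address: 10.135.11.245) smtp.mailfrom=example.com; dkim=none (no processed signatures) header.d=none; dmarc=fail action=none header.from=test.com; arc=pass",
]
```

Messages labelled `arc-override` were accepted on the strength of an intermediary's ARC chain rather than the sender's own SPF or DKIM, so they are the ones worth sampling in review. Evaluate only the header instance added by your own gateway; a copy already present on an inbound message is sender-controlled.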
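The precedence rules in steps 5, 9, 11 and 12 interact, so it helps to model them before importing peer lists. The following is an added example that models the rules as this page states them; it is not the product's implementation, and the function names, configuration keys, action labels and sample peers are all hypothetical.

```python
import ipaddress

def domain_of(addr):
    """Domain part of an address; '' for the null envelope sender '<>'."""
    return addr.rpartition("@")[2].strip("<> ").lower() if "@" in addr else ""

def in_peers(peers, domains, ip=None):
    """True if any peer entry (domain, IP or CIDR) matches the message."""
    for peer in peers:
        try:
            net = ipaddress.ip_network(peer, strict=False)
        except ValueError:  # not an IP or CIDR, so a domain entry
            if peer.lower() in domains:
                return True
        else:
            if ip and ipaddress.ip_address(ip) in net:
                return True
    return False

def decide(msg, cfg):
    env, hdr = domain_of(msg["envelope_from"]), domain_of(msg["header_from"])
    # Ignored peers match on the envelope sender domain or the sending IP,
    # and take precedence over enforced peers.
    if in_peers(cfg["ignored"], {env} - {""}, msg["ip"]):
        return "skip-dmarc"
    # A null envelope sender skips DMARC even if the header sender is enforced.
    if not env and cfg["skip_null_envelope_sender"]:
        return "skip-dmarc"
    # Enforced peers: envelope sender always, header sender only if enabled.
    ids = {env} | ({hdr} if cfg["use_header_sender"] else set())
    enforced = in_peers(cfg["enforced"], ids - {""})
    # policy is the sender's DMARC tag value, or None when no record exists.
    if msg["policy"] and (msg["spf_aligned"] or msg["dkim_aligned"]):
        return "deliver"
    if enforced:
        return "enforced-fail"  # the page does not name the action taken
    return cfg["intercept"][msg["policy"] or "no_record"]

# Constructed configuration and message builder for illustration.
CFG = {"ignored": ["partner.example", "192.0.2.0/24"], "enforced": ["bank.example"],
       "skip_null_envelope_sender": True, "use_header_sender": True,
       "intercept": {"none": "deliver", "quarantine": "quarantine",
                     "reject": "reject", "no_record": "deliver"}}

def msg(envelope_from, header_from, ip, policy=None, spf_aligned=False, dkim_aligned=False):
    return dict(envelope_from=envelope_from, header_from=header_from, ip=ip,
                policy=policy, spf_aligned=spf_aligned, dkim_aligned=dkim_aligned)
```

Running candidate ignored-peer entries through a model like this shows which enforced domains a broad CIDR block would silently exempt.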