DKIM verification
You can configure Secure Email Gateway to perform DomainKeys Identified Mail (DKIM) verification checks on inbound messages.
Secure Email Gateway checks the DKIM signature of inbound messages to ensure the verified domain name matches the "From:" or "Sender:" address in an email header.
Secure Email Gateway retrieves signer information, including the public key, from the DNS. It analyzes this signer information and then verifies whether or not the message is legitimate.
Public key: The key a sender gives to a recipient so that the recipient can verify the sender's signature and confirm that the message was not altered. Recipients also use the public key to encrypt email messages to the sender.
Messages can fail DKIM checks in two ways:
- Hard Failure. DKIM DNS records state with certainty that the message is not coming from the stated sender.
- Soft Failure. There are problems with DKIM DNS records that make it impossible for Secure Email Gateway to check the DKIM signature.
Secure Email Gateway searches for a "pass" response. If the pass response fails, it searches for a Hard Fail response, and finally a Soft Fail response.
Secure Email Gateway enables you to specify different actions to perform on messages, depending on the type of DKIM failure.
Tell me about...
Messages failing DKIM due to an invalid signature
If messages fail your DKIM policy due to an invalid signature, this could be a result of modifications to the message made between the point at which the DKIM signature was applied, and the point at which it arrived at the Gateway.
In this scenario, the Gateway correctly determines that the message has an invalid signature.
Show me an example
- A contact sends a message from their company's internal mail server.
- The internal mail server applies a DKIM signature to the message and sends it to a managed mail service provider used by the company.
- The message is then modified by the managed mail service provider, invalidating the DKIM signature.
- The message is sent to the recipient(s).
- The message is received by Secure Email Gateway (with DKIM verification enabled).
- The Gateway determines that the DKIM signature is not consistent with the message. The message is rejected or held in a message area.
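The failure in this scenario can be reproduced offline by recomputing the DKIM body hash. The following is an added example, not part of the Secure Email Gateway documentation or product: it implements "relaxed" body canonicalization (RFC 6376, section 3.4.4) and compares the result with the bh= tag of the signature. The domain example.com, the selector sel1 and the message bodies are constructed; it assumes SHA-256 and relaxed body canonicalization, and it does not verify the b= signature over the headers.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # Every remaining line ends in CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """bh= value for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_tag(dkim_signature: str) -> str:
    """Extract bh= from a DKIM-Signature header value (folding removed)."""
    unfolded = re.sub(r"\s+", "", dkim_signature)
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return tags["bh"]

def body_intact(dkim_signature: str, received_body: bytes) -> bool:
    """True if the received body still matches the signed body hash."""
    return bh_tag(dkim_signature) == body_hash(received_body)

# Constructed sample: body as signed by the sender's internal mail server.
SIGNED = b"Hello Bob,\r\n\r\nInvoice attached.\r\n"
# Constructed header value; b= is left empty because no key is used here.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
          f" h=from:to:subject; bh={body_hash(SIGNED)}; b=")
# A relay that only changes whitespace: absorbed by relaxed canonicalization.
REWRAPPED = b"Hello  Bob, \r\n\r\nInvoice\tattached.\r\n\r\n\r\n"
# A relay that appends a footer: the body hash no longer matches.
FOOTER = SIGNED + b"-- \r\nScanned by mail provider\r\n"

if __name__ == "__main__":
    for name, body in [("as signed", SIGNED), ("whitespace changed", REWRAPPED),
                       ("footer appended", FOOTER)]:
        print(f"{name}: body hash matches = {body_intact(HEADER, body)}")
```

A matching body hash is necessary but not sufficient for a DKIM pass, because changes to signed header fields also invalidate the signature.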
Show me how to check a message DKIM verification failure
- From the Home page, click Messages > Find Held Messages. Select the message you want to view.
- Click the Structure tab.
- Search for the SpamLogicField property. If DKIM validation failed, the attribute dkim displays the value: SignatureValidationFailed.
For more information, see Configuring DKIM Settings.