Use this page to configure SecurityGateway to verify DomainKeys Identified Mail (DKIM) signatures in incoming messages. When this feature is enabled and an incoming message has been cryptographically signed, SecurityGateway will retrieve the public key from the DNS record of the domain taken from the signature and then use that key to test the message’s DKIM signature to determine its validity. If the DKIM signature passes the verification test, the message will continue on to the next step in the regular delivery process and can optionally have its Message Score adjusted.
For more on DKIM, see: www.dkim.org.
Cryptographic verification
Verify signatures created using DomainKeys Identified Mail (DKIM)
By default SecurityGateway will verify messages that were signed using DKIM. Clear this checkbox if you do not wish to verify DKIM signatures in messages.
When verification returns a PASS result:
...add [xx] points to message score
Use this option if you wish to adjust the Message Score when the message receives a PASS result from DKIM verification. By default the value of this option is set to 0.0, meaning that no scoring adjustment will be made. If you choose to adjust the score of these messages, you should use a negative value in this option, which would give the Message Score a beneficial adjustment. For example, using -0.5 in this option would lower the final score by 0.5 points.
Exclusions
Exclude messages from allowlisted IP addresses
By default, messages coming from allowlisted IP addresses will be exempt from DKIM verification. Clear this checkbox if you wish to verify DKIM signatures even when the sender is on the IP Address allowlist.
Exclude messages from authenticated sessions
Messages arriving over authenticated SMTP sessions are excluded from DKIM verification by default. Clear this checkbox if you wish to verify DKIM signatures even when the SMTP session was authenticated.
Exclude messages from domain mail servers
Messages coming from one of your domain mail servers will be exempt from DKIM verification by default. Clear this checkbox if you wish to verify DKIM signatures in messages coming from those servers.
DKIM Verification Options (All domains)
Verifier honors body length count ("l=" tag)
When this option is enabled, SecurityGateway will honor the body length count tag when it is found in an incoming message's DKIM signature. When the actual body length count is greater than the value contained in this tag, SecurityGateway will only verify the amount specified in the tag; the remainder of the message will remain unverified. This indicates that something was appended to the message, and consequently that unverified portion could be considered suspect. When the actual body length count is less than the value contained in this tag, the signature will not pass verification (i.e. it will receive a "FAIL" result). This indicates that some portion of the message was deleted, causing the body length count to be less than the amount specified in the tag. This option is disabled by default.
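The Python sketch below is an added illustration, not SecurityGateway code. It models only the body-hash step of verification with the "l=" tag, using RFC 6376 "simple" body canonicalization and SHA-256, and returns the unverified tail so it can be inspected. Function names and sample bodies are constructed, the header signature check is omitted, and hashing the whole body when the tag is ignored is an assumption.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 "simple" body canonicalization: no empty lines at the end, one final CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(data: bytes) -> str:
    """Base64 SHA-256 digest, the form carried in the signature's bh= tag."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def check_body(body: bytes, bh: str, l: Optional[int], honor_l: bool = True) -> Tuple[str, bytes]:
    """Return (result, unverified_tail) for the body-hash step only."""
    canon = canon_simple(body)
    if honor_l and l is not None:
        if len(canon) < l:
            # Body is shorter than the signed length: part of it was deleted.
            return "FAIL", b""
        covered, tail = canon[:l], canon[l:]
    else:
        # Assumption: with l= ignored, the whole canonicalized body is hashed.
        covered, tail = canon, b""
    result = "PASS" if hmac.compare_digest(body_hash(covered), bh) else "FAIL"
    return result, (tail if result == "PASS" else b"")


# Constructed sample data: a signed body and the tags a signer would emit for it.
SIGNED = b"Quarterly report attached.\r\nRegards, Alice\r\n"
L_TAG = len(canon_simple(SIGNED))                   # value of l=
BH_TAG = body_hash(SIGNED)                          # value of bh=
APPENDED = SIGNED + b"P.S. added after signing\r\n" # content added in transit
TRUNCATED = SIGNED[:28]                             # second line removed

if __name__ == "__main__":
    for name, body in [("intact", SIGNED), ("appended", APPENDED), ("truncated", TRUNCATED)]:
        print(name, check_body(body, BH_TAG, L_TAG))
    print("appended, l= ignored", check_body(APPENDED, BH_TAG, L_TAG, honor_l=False))
```

A non-empty tail on a PASS result is the appended, unverified portion described above.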
Verifier requires signatures to protect the Subject header
Enable this option if you wish to require the DKIM signature of incoming messages to protect the Subject header. This option is disabled by default.
Exceptions - Domains
If you select a specific domain in the "For Domain:" drop-down list box at the top of the page when configuring these settings, that domain will be listed here after saving the settings. Click the View/Edit link for the corresponding domain to review or edit its DKIM Verification settings, or click Reset to reset the domain's settings to the default Global values.