Configuring DomainKeys/DKIM verification options in SecurityGateway

This article explains how to configure SecurityGateway to check for DKIM and DomainKeys information. Both are methods of verifying the senders of incoming messages by comparing a cryptographic signature in the message header against information registered on the sending domain. More information about DKIM and DomainKeys can be found at http://www.dkim.org/info/dkim-faq.html.

From the Dashboard, after logging in:

  1. Click on Security in the lower-left corner
  2. Locate the Anti-Spoofing section
  3. Click on DKIM Verification

From there you may configure the following options:

  • Verify signatures created using DomainKeys Identified Mail (DKIM)

    SecurityGateway will check incoming messages for DKIM signatures, and check the information registered on the sending domain to verify a match. By default, this is enabled.

  • Verify signatures created using DomainKeys (DK)

    SecurityGateway will check incoming messages for DomainKeys signatures, and check the information registered on the sending domain to verify a match. By default, this is enabled.

  • When verification returns a FAIL result (requires SSP processing)

    If an incoming message has a DK/DKIM signature in its header, but it does not match the information registered on the sending domain, SecurityGateway will check the SSP (Secure Signing Policy) for the domain to determine its signing policy.

    If a match is required, SecurityGateway will either refuse delivery of the message completely, quarantine it for later review by the administrators or recipient, or accept the message and perform additional steps according to the next two options. By default, SecurityGateway will refuse delivery of messages that fail a required DK/DKIM signature match.

  • ... tag subject with <>

    If you choose to quarantine or accept for delivery a message that fails a DK/DKIM signature match, you may add some text to the start of the message's subject; the default text is '*** FRAUD ***'. By default, this is disabled.

  • ... add x points to message score

    If you choose to quarantine or accept for delivery a message that fails a DK/DKIM signature match, you may add a number of points to its message score. By default, SecurityGateway will add 3.0 points, which may cause the message to be marked as spam or quarantined.

  • When verification returns a PASS result... add x points to message score

    If a message has a DK/DKIM signature that can be verified against the sending domain's information, you may change its message score by putting a negative number here to subtract that amount. By default, this is set to 0.0.

  • Exclude messages from whitelisted IP addresses

    If the sending IP address is on the server's whitelist, then SecurityGateway will not do a DK/DKIM check on the message. By default, this is enabled.

  • Exclude messages from authenticated sessions

    If the connecting user authenticates their session using a username and password on the SecurityGateway server before sending the message, SecurityGateway will not do a DK/DKIM check on the message. By default, this is enabled.

Note that the next three options affect all domains globally, and cannot be set specifically for individual ones.

  • Unsigned or improperly signed messages trigger SSP processing

    If an incoming message does not have a DK/DKIM signature in its header, or it is not signed properly, SecurityGateway will check the SSP for the domain to determine whether message signing is required, and return a FAIL result if necessary. This is disabled by default.

  • Verifier honors body length count (l= tag)

    If an incoming message has an 'l=' tag listed in its DK/DKIM signature, SecurityGateway will verify the length of the message as per this tag, and return a FAIL result if it does not match. By default, this is disabled.

  • Verifier requires signatures to protect the Subject header

    SecurityGateway will check whether the subject of the message appears to have been changed from what is listed in the DKIM signature in the message header, and return a FAIL result if necessary. By default, this is disabled.
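
The last two options concern the l= (body length) and h= (signed headers) tags of the DKIM-Signature header. The following Python code is an added example, not SecurityGateway's own code: it parses that header from a constructed sample message and reports whether Subject is among the signed headers and how many body bytes fall outside the l= count. The names parse_tags and audit and all sample values are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real mail); bh= and b= are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    "\ts=sel1; h=From:To:Date; l=13;\r\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: alice@example.com\r\n"
    "To: bob@example.net\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "Hello, Bob.\r\n"
    "Appended text outside the signed length.\r\n"
)

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def audit(raw):
    """Per signature: is Subject signed, and how much of the body does l= cover?"""
    msg = message_from_string(raw)
    # Simplification: raw body octets; a verifier counts the canonicalized body.
    body = raw.split("\r\n\r\n", 1)[1].encode()
    findings = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        length = int(tags["l"]) if tags.get("l", "").isdigit() else None
        findings.append({
            "domain": tags.get("d"),
            "subject_signed": "subject" in signed,
            "l": length,
            # Octets past the l= count are not covered by the body hash.
            "unsigned_body_bytes": max(len(body) - length, 0) if length is not None else 0,
            # An l= larger than the body cannot match the message.
            "l_exceeds_body": length is not None and length > len(body),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```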
