Copyright © SecureBeans.
SYMANTEC MESSAGING GATEWAY
Configuration Steps:
1. Enabling DMARC
To configure DMARC:
Sender authentication for inbound mail
In the SMG Control Center, select Spam, and under Settings select Sender
Authentication.
On the Sender Authentication page, in the Authentication Type section, enable
Domain-based Message Authentication, Reporting (DMARC).
In the DMARC Reporting Settings section, select Enable Failure Reports.
In the Sender Address field, type the email address from which the failure
reports appear to be sent. The Sender Address must be a valid address on
your email system. SMG sends failure reports only to domains that supply
an email address in their DMARC DNS records. If a failure report cannot be
delivered to a domain that supplies an address, your Sender Address
mailbox receives a bounce back message.
If you want to monitor when failure reports cannot be delivered, enter an
administrator address as the Sender Address.
If you do not want to monitor these delivery failures, enter the address of
an email account that is not monitored.
In the Domain Authentication section:
Select Authenticate all domains to perform sender authentication on
inbound mail from all domains.
Select Authenticate only the following domains to perform sender
authentication on inbound mail that appears to originate from the listed
domains.
Select Authenticate all domains except the following domains to exclude
the listed domains from sender authentication.
Under normal conditions, we prefer the Authenticate all domains option.
Then click Save.
SMG does not keep copies of the failure reports that it sends.
Go to Content, and under Policies select Email to open the Email Content
Filtering Policies page. Assign policy groups to the related content filtering
policies to process the messages that do not pass DMARC validation.
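SMG sends a failure report only when the sending domain's DMARC record supplies a report address, which in the record syntax is the ruf tag (RFC 7489). The following is an added example, not part of the original document or of SMG: it parses constructed sample records to show which domains would receive failure reports. The function names and the records are assumptions for illustration.

```python
# Added example: which addresses would receive DMARC failure reports.
# All records below are constructed samples, not real DNS data.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(name.strip().lower(), value.strip()) for name, value in pairs]
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def failure_report_plan(txt):
    """Summarise the policy and failure-report addresses a record publishes."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"dmarc": False, "policy": None, "failure_to": []}
    addresses = []
    for uri in tags.get("ruf", "").split(","):
        uri = uri.strip()
        if not uri.lower().startswith("mailto:"):
            continue  # only mailto: report URIs are handled here
        # Drop the optional "!<size>" limit, e.g. mailto:a@example.com!10m
        address = uri[len("mailto:"):].split("!", 1)[0]
        if "@" in address:
            addresses.append(address)
    return {"dmarc": True, "policy": tags.get("p"), "failure_to": addresses}

SAMPLES = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:agg@example.com; "
                   "ruf=mailto:forensics@example.com!10m, mailto:soc@example.net",
    "example.org": "v=DMARC1; p=quarantine; rua=mailto:agg@example.org",
    "example.net": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, failure_report_plan(record))
```

A record with rua but no ruf, like the example.org sample, asks for aggregate reports only, so no failure report is generated for it.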
For more information, including the DMARC resource record syntax, visit. You can also find a
general procedure for implementing DMARC in the dmarc.org FAQ
"FAQ#What_steps_should_I_follow_to_implement_DMARC_on_my_corporate_email_domain.3F"
2. Enabling DKIM
To configure DKIM:
In SMG, select Spam, and in the Settings section select Sender Authentication. In the
Authentication Types section, enable DKIM.
You can also change the Maximum number of DKIM signature validations to any number
between 1 and 20, inclusive.
NOTE: When the Maximum number of DKIM signature validations is exceeded for a
single message, Symantec Messaging Gateway stops DKIM validation for that message.
Additional signatures are ignored.
If any DKIM signature passes, the message passes DKIM validation. If no signature passes
when the Maximum number of DKIM signature validations is reached, the message
fails DKIM validation.
Next, go to Content, select Policies, and then select the Email section. On the Email
Content Filtering Policies page, assign policy groups to the related content filtering
policies to process the messages that do not pass DKIM validation.
SMG Scanners use domain keys to perform DKIM signing on outbound mail.
First go to Administration, then Settings, then Certificates, select the Domain
Keys tab, and add or import a domain key.
When you enable DKIM signing for a domain, you select the domain key.
SMG uses the private key to create a signature, which it adds to the header and body of
each outbound message. The recipient mail server uses the public key to validate the
message.
NOTE: In the Key length drop-down list, choose a length, in bits, for the RSA key. The
default key length is 1024 bits. Many DNS servers have a 256-character limitation for
DNS records. Records that are longer than 256 characters may fail to load or the DNS
server may truncate them. To avoid this issue, use 1024 length DKIM keys. To use a
1536-bit key or 2048-bit key, split the DNS entry into multiple lines of less than 256
characters.
Click Create.
If you want to use your own private key to create DKIM signatures, you can import it as a
domain key instead of adding a domain key.
If the domain key is not in PEM format, or is not acceptable to OpenSSL, Symantec Messaging
Gateway will attempt to convert the domain key to correct the issue. If the attempt fails, or if
the key or file does not comply with the other requirements, import fails.
You can enable DKIM signing for all outbound messages from a specific domain, using an
existing domain key.
NOTE: Although the DKIM standard allows multiple signatures, Symantec Messaging Gateway
can add only one DKIM signature to an outbound message.
NOTE: If you also enable DMARC for outbound mail, the base domain that you enter here
impacts the DKIM alignment that you specify in your DMARC record. For instructions on how to
create a DMARC record, visit.
In the Selector box, type a selector string that receiving MTAs can use to perform
DNS lookup to retrieve your public key.
NOTE: The selector identifies the key that SMG uses to sign the messages that are sent from this
domain. Enter a string of up to 63 lower case alphanumeric characters (a-z or 0-9).
For more information on the use of selectors, see RFC 4871, Section 3.1.
rfc4871#section-3.1
From the Signing key drop-down list, choose the domain key that you want to
use to sign messages from this domain.
In the Signature expiration box, type an integer between 1 and 9999, inclusive,
and then click either Hours or Days.
If you want to customize DKIM signing further, click Show Advanced and
complete the following optional fields:
Details: https://techdocs.broadcom.com/us/en/symantec-security-software/email-security/messaging-gateway/10-7-3/Spam_5/enabling-dkim-signing-for-a-domain-v27452323-d419e2546.html
Click Generate to create a DKIM DNS text record. This text record uses the base
domain, selector, and signing key details that you specified in the previous steps.
Click Save.
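The key-length note and the selector rule above both determine what the published DNS text record looks like. The following is an added example, not SMG's own code or output: it validates a selector against the rule stated here, builds the record in the RFC 6376 tag form, and splits it into strings of fewer than 256 characters. The selector smg1, the domain example.com and the placeholder key values are assumptions; the placeholders only have the length of real keys.

```python
# Added example: build the DNS TXT record for a DKIM public key.
import base64
import re

SELECTOR_RE = re.compile(r"[a-z0-9]{1,63}")  # selector rule stated in the text
MAX_STRING = 255  # each quoted string stays under 256 characters

def dkim_txt_record(selector, base_domain, public_key_b64):
    """Return (owner name, list of quoted-string contents) for the record."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError("selector must be 1-63 characters of a-z or 0-9")
    # Tag layout per RFC 6376; the record SMG generates may differ in detail.
    value = "v=DKIM1; k=rsa; p=" + public_key_b64
    chunks = [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]
    return f"{selector}._domainkey.{base_domain}", chunks

def zone_line(name, chunks):
    """Render the record in BIND-style zone file syntax."""
    quoted = " ".join(f'"{chunk}"' for chunk in chunks)
    return f"{name}. IN TXT ( {quoted} )"

def reassemble(chunks):
    """Verifiers see the strings concatenated with nothing in between."""
    return "".join(chunks)

def placeholder_key(der_length):
    """Constructed stand-in with the size of a real key; NOT a usable key."""
    return base64.b64encode(bytes(der_length)).decode()

KEY_1024 = placeholder_key(162)  # typical DER size, 1024-bit RSA public key
KEY_2048 = placeholder_key(294)  # typical DER size, 2048-bit RSA public key

if __name__ == "__main__":
    for label, key in (("1024", KEY_1024), ("2048", KEY_2048)):
        name, chunks = dkim_txt_record("smg1", "example.com", key)
        print(label, [len(chunk) for chunk in chunks])
        print(zone_line(name, chunks))
```

With these sizes the 1024-bit record fits in a single string, while the 2048-bit record needs two; a split record is valid only if the pieces rejoin to the exact original value.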