
SYMANTEC MESSAGING GATEWAY

Configuration Steps for Enabling DKIM and DMARC

THIS DOCUMENT CONTAINS VALUABLE TRADE SECRETS AND CONFIDENTIAL INFORMATION OF
SECUREBEANS, AND SHALL NOT BE DISCLOSED TO ANY PERSON, ORGANIZATION, OR ENTITY
UNLESS SUCH DISCLOSURE IS SUBJECT TO THE PROVISIONS OF A WRITTEN NON-DISCLOSURE
AND PROPRIETARY RIGHTS AGREEMENT OR INTELLECTUAL PROPERTY LICENSE AGREEMENT
APPROVED BY SECUREBEANS. THE DISTRIBUTION OF THIS DOCUMENT DOES NOT GRANT ANY
LICENSE IN OR RIGHTS, IN WHOLE OR IN PART, TO THE CONTENT, THE PRODUCT(S),
TECHNOLOGY OF INTELLECTUAL PROPERTY DESCRIBED HEREIN.

Copyright © SecureBeans.

Enabling DKIM and DMARC

Configuration Steps:

1. Enabling DMARC

To configure DMARC:
Sender authentication for inbound mail

• In the SMG Control Center, click Spam, and under Settings select Sender
  Authentication.
• On the Sender Authentication page, in the Authentication Types section, enable
  Domain-based Message Authentication, Reporting (DMARC).
• In the DMARC Reporting Settings section, select Enable Failure Reports.
• In the Sender Address field, type the email address from which the failure
  reports appear to be sent. The Sender Address must be a valid address on
  your email system. SMG sends failure reports only to domains that supply
  an email address in their DMARC DNS records. If a failure report cannot be
  delivered to a domain that supplies an address, your Sender Address
  mailbox receives a bounce-back message.
  ◦ If you want to monitor when failure reports cannot be delivered, enter an
    administrator address as the Sender Address.
  ◦ If you do not want to monitor these delivery failures, enter the address of
    an email account that is not monitored.
• In the Domain Authentication section:
  ◦ Select Authenticate all domains to perform sender authentication on
    inbound mail from all domains.
  ◦ Select Authenticate only the following domains to perform sender
    authentication on inbound mail that appears to originate from the listed
    domains.
  ◦ Select Authenticate all domains except the following domains to exclude
    the listed domains from sender authentication.
  Under normal conditions, we prefer the Authenticate all domains option.
• Click Save.
• SMG does not keep copies of the failure reports that it sends.
• Go to Content, and under Policies select Email. On the Email Content
  Filtering Policies page, assign policy groups to the related content filtering
  policies to process the messages that do not pass DMARC validation.

For more information about DMARC failure reports, see RFC 7489, Section 7.3 (rfc7489#section-7.3).



Sender authentication for outbound mail

• First, enable DKIM signing for the domain.
• Add the DMARC resource records to your DNS records for the domain.
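
The DMARC record drives two behaviours described in this guide: failure reports go only to domains that publish a report address (the `ruf` tag), and the `adkim` tag decides whether the DKIM base domain must match the From domain exactly. The following is an added example, not SMG code or output; the record, the domain names and the caller-supplied `org_domain` parameter are constructed assumptions.

```python
# Added example (not SMG code). The record and domains are constructed samples.
SAMPLE_RECORD = ("v=DMARC1; p=quarantine; adkim=s; "
                 "rua=mailto:agg@example.com; ruf=mailto:forensics@example.com!10m")


def parse_dmarc(txt):
    """Split a DMARC TXT record into an ordered tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 to be the first tag in the record.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("not a DMARC record")
    return tags


def failure_report_addresses(tags):
    """Addresses from ruf=; an empty list means no failure reports are requested."""
    found = []
    for uri in tags.get("ruf", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            found.append(uri[len("mailto:"):].split("!", 1)[0])  # drop !size limit
    return found


def dkim_aligned(from_domain, dkim_d, tags, org_domain):
    """adkim=s needs d= to equal the From domain; adkim=r (the default) only
    needs both to fall under the same organizational domain. org_domain is
    supplied by the caller (assumption: no Public Suffix List lookup here)."""
    norm = lambda d: d.lower().rstrip(".")
    from_domain, dkim_d, org_domain = map(norm, (from_domain, dkim_d, org_domain))
    if tags.get("adkim", "r").lower() == "s":
        return from_domain == dkim_d
    under = lambda d: d == org_domain or d.endswith("." + org_domain)
    return under(from_domain) and under(dkim_d)


if __name__ == "__main__":
    tags = parse_dmarc(SAMPLE_RECORD)
    print(failure_report_addresses(tags))
    # Base domain example.com signing mail whose From is news.example.com:
    print(dkim_aligned("news.example.com", "example.com", tags, "example.com"))
```

With `adkim=s`, mail from a subdomain signed with the parent base domain is not DKIM-aligned; under the default relaxed mode the same message is aligned.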

For more information, including the DMARC resource record syntax, visit. You can also find a
general procedure for implementing DMARC in the dmarc.org FAQ
"FAQ#What_steps_should_I_follow_to_implement_DMARC_on_my_corporate_email_domain.3F"

2. Enabling DKIM

To configure DKIM:

Sender authentication for inbound mail

• In SMG, click Spam, and under Settings select Sender Authentication. In the
  Authentication Types section, enable DKIM.
• You can also change the Maximum number of DKIM signature validations to any number
  between 1 and 20, inclusive.
  NOTE: When the Maximum number of DKIM signature validations is exceeded for a
  single message, Symantec Messaging Gateway stops DKIM validation for that message.
  Additional signatures are ignored.
  If any DKIM signature passes, the message passes DKIM validation. If no signature has
  passed when the Maximum number of DKIM signature validations is reached, the message
  fails DKIM validation.
• Go to Content, and under Policies select Email. On the Email Content Filtering
  Policies page, assign policy groups to the related content filtering policies to
  process the messages that do not pass DKIM validation.

Sender authentication for outbound mail

• SMG Scanners use domain keys to perform DKIM signing on outbound mail.
• First, go to Administration, then Settings, then Certificates, select the Domain
  Keys tab, and add or import a domain key.
• When you enable DKIM signing for a domain, you select the domain key.
• SMG uses the private key to create a signature, which it adds to the header and body of
  each outbound message. The recipient mail server uses the public key to validate the
  message.

• To add a domain key

  ◦ In the Control Center, click Administration, go to Settings, and select
    Certificates.
  ◦ Click the Domain Keys tab.
  ◦ Click Add.
  ◦ In the Domain key name field, type a unique name for this domain key.

NOTE: In the Key length drop-down list, choose a length, in bits, for the RSA key. The
default key length is 1024 bits. Many DNS servers have a 256-character limitation for
DNS records. Records that are longer than 256 characters may fail to load, or the DNS
server may truncate them. To avoid this issue, use 1024-bit DKIM keys. To use a
1536-bit key or 2048-bit key, split the DNS entry into multiple lines of less than 256
characters.
  ◦ Click Create.

If you want to use your own private key to create DKIM signatures, you can import it as a
domain key instead of adding a domain key.

• Importing a Domain Key

If the domain key is not in PEM format, or is not acceptable to OpenSSL, Symantec Messaging
Gateway attempts to convert the domain key to correct the issue. If the attempt fails, or if
the key or file does not comply with the other requirements, the import fails.

PEM format requirements for certificates and domain keys

  ◦ In the Control Center, click Administration, go to Settings, and select
    Certificates.
  ◦ Click the Domain Keys tab.
  ◦ Click Import.
  ◦ Next to the File name field, click Browse and select a text file containing the
    domain key you want to add.
  ◦ In the Domain key name field, type a unique name for this domain key.
  ◦ Click Import.

• Enabling DKIM signing for a domain

You can enable DKIM signing for all outbound messages from a specific domain, using an
existing domain key.

NOTE: Although the DKIM standard allows multiple signatures, Symantec Messaging Gateway
can add only one DKIM signature to an outbound message.
• After adding the domain key

  ◦ Go to Protocols, select SMTP, and then select Domains.
  ◦ Click the underlined name of the domain to which you want to add DKIM signing.
  ◦ On the Edit Domain page, click the Delivery tab.
  ◦ In the DomainKeys Identified Mail section, click Enable DKIM signing for
    messages from this domain.
  ◦ In the Base domain field, enter the domain name to be used as part of the DKIM
    signature, in the form: example.com

NOTE: If you also enable DMARC for outbound mail, the base domain that you enter here
affects the DKIM alignment that you specify in your DMARC record. For instructions on how to
create a DMARC record, visit.

  ◦ In the Selector box, type a selector string that receiving MTAs can use to perform
    a DNS lookup to retrieve your public key.
NOTE: The selector identifies the key that SMG uses to sign the messages that are sent from this
domain. Enter a string of up to 63 lowercase alphanumeric characters (a-z or 0-9).
For more information on the use of selectors, see RFC 4871, Section 3.1.
rfc4871#section-3.1

  ◦ From the Signing key drop-down list, choose the domain key that you want to
    use to sign messages from this domain.
  ◦ In the Signature expiration box, type an integer between 1 and 9999, inclusive,
    and then click either Hours or Days.

NOTE: The default value is 30 days.

  ◦ If you want to customize DKIM signing further, click Show Advanced and
    complete the following optional fields:

Details: https://techdocs.broadcom.com/us/en/symantec-security-software/email-security/messaging-gateway/10-7-3/Spam_5/enabling-dkim-signing-for-a-domain-v27452323-d419e2546.html

  ◦ Click Generate to create a DKIM DNS text record. This text record uses the base
    domain, selector, and signing key details that you specified in the previous steps.
  ◦ Click Save.
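
The key-length NOTE and the selector rule above meet in the DNS record: the record lives at selector._domainkey.basedomain, and a key longer than 1024 bits only fits when its value is split into strings of fewer than 256 characters, which is what lets a 2048-bit key (the size RFC 8301 recommends for signers) be published. The following is an added example for checking a record by hand, not SMG's Generate output; the selector `smg2024`, the domain and the placeholder key bytes are constructed, and the `v=DKIM1; k=rsa; p=` layout follows the DKIM standard.

```python
import base64
import re

# Selector rule as stated on this page for the SMG Selector box.
SELECTOR_RE = re.compile(r"[a-z0-9]{1,63}")
MAX_STRING = 255  # one DNS TXT character-string holds fewer than 256 characters

# Constructed placeholder bytes, NOT real keys: 162 and 294 bytes are the DER
# sizes of 1024-bit and 2048-bit RSA public keys (SubjectPublicKeyInfo).
SAMPLE_1024 = base64.b64encode(bytes(range(162))).decode()
SAMPLE_2048 = base64.b64encode(bytes(range(256)) + bytes(38)).decode()


def dkim_txt_record(selector, base_domain, public_key_b64):
    """Return (owner name, TXT strings) for publishing a DKIM public key."""
    if not SELECTOR_RE.fullmatch(selector):
        raise ValueError("selector must be 1-63 characters of a-z or 0-9")
    key = "".join(public_key_b64.split())      # drop PEM line breaks
    base64.b64decode(key, validate=True)       # reject non-base64 input
    value = "v=DKIM1; k=rsa; p=" + key
    strings = [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]
    return f"{selector}._domainkey.{base_domain.rstrip('.')}.", strings


def zone_line(name, strings):
    """Render the record as one zone-file entry with quoted strings."""
    return f"{name} IN TXT ( " + " ".join(f'"{s}"' for s in strings) + " )"


def reassemble(strings):
    """What a verifier sees: the strings concatenated with nothing between."""
    return "".join(strings)


if __name__ == "__main__":
    for key in (SAMPLE_1024, SAMPLE_2048):
        name, strings = dkim_txt_record("smg2024", "example.com", key)
        print([len(s) for s in strings])
        print(zone_line(name, strings))
```

The 1024-bit value fits in a single string, while the 2048-bit value needs two; receivers join the strings with no separator, so the split must not add spaces inside the key.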
