Symantec Email Security.Cloud, also known as MessageLabs is an email gateway that supports authentication via SPF and DKIM. The gateway can also validate inbound emails for DMARC but this is not enabled by default.

This article covers the SPF and DKIM authentication processes for Symantec Email Security.Cloud and how they are managed in Valimail. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.

1. On the Outbound DKIM Signing Settings page, locate the domain to which you want to add the selector. Enter the domain name in the Search box, or scroll through the domains with the Previous Page/Next Page arrows.

2. Click the domain name to select it. A new dialog box with the domain name at the top appears.

3. Click Add New, and ensure that the radio button to the left of the new selector item is selected.

4. Enter a name for the selector (alphanumeric characters only). Symantec recommend usage of the date in the selector name to make it easier to rotate selectors in the future.

5. Select a key length from the DKIM Key Length drop-down list. The longer the key, the more secure it is, so please select the 2048 bit key.

6. The two DNS TXT record fields are automatically populated. Click Save to save the values, but do not close the dialog. The dialog must stay open so that you can copy these values into your public DNS record in the next step.

1. With the domain name dialog box still open, navigate to the public DNS TXT record for the domain.

2. Click the Copy to Clipboard icon to the right of the Host Name field. Click the Copy to Clipboard icon to the right of the TXT value field.

3. Add the DKIM key in Valimail Enforce.

4. Click Close to close the domain name dialog box.

Note: Propagation of the DKIM records must be complete before DKIM can be enabled for this domain.

1. To be certain that the updated DNS record has propagated, on the main Outbound DKIM Signing Settings page, click the domain name. The domain name dialog box appears.

2. Ensure that you have selected the appropriate selector. Then click Test to perform a DNS lookup to check whether the DNS TXT record matches the active selector in the portal.

3. If the test succeeds, then close the domain name dialog box to return to the DKIM Signing Settings page. Use the slider in the DKIM Enable column to enable DKIM for that domain.

You can find the instructions to set up DKIM for Symantec Email Security.Cloud here.

You can find more detailed information on how to add a DKIM key in Valimail, here:

Once you establish that Symantec Email Security.Cloud is an authorized sender for your domain, you will need to add the service in your Enabled Senders.

You will find more detailed information on how to add a service for your domain in Valimail, here:

Note: We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.

Important Note: In order to validate the configuration you may need to append MessageLabs's include mechanism to your SPF record, after the macro directive. Your SPF record should look as follows: v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.messagelabs.com ~all

Important: If you are using this as a gateway, it is necessary to keep the MessageLabs include in the SPF record after delegating to Valimail, as expressed above. This is due to a known bug in the gateway that manifests when emails are routed internally in their infrastructure. The bug causes the EHLO name to be set to a value that Valimail will not recognize. The Symantec/Broadcom bug number is: Etrack 4235858

For more detailed info on why an action such as in the above note might be required, please consult our articles regarding How to work around Vendor Verification for SPF and Trailing SPF includes in Valimail delegated domains.