SPF (supported)
DKIM (recommended)


Symantec Email Security.Cloud, also known as MessageLabs, is an email gateway that supports authentication via SPF and DKIM. The gateway can also validate inbound emails for DMARC, but this is not enabled by default.

This article covers the SPF and DKIM authentication processes for Symantec Email Security.Cloud and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.







Configuring DKIM authentication for your Symantec Email Security.Cloud emails


Step 1: Add a selector to a domain


1. On the Outbound DKIM Signing Settings page, locate the domain to which you want to add the selector. Enter the domain name in the Search box, or scroll through the domains with the Previous Page/Next Page arrows.


2. Click the domain name to select it. A new dialog box with the domain name at the top appears.


3. Click Add New, and ensure that the radio button to the left of the new selector item is selected.


4. Enter a name for the selector (alphanumeric characters only). Symantec recommends including the date in the selector name to make it easier to rotate selectors in the future.


5. Select a key length from the DKIM Key Length drop-down list. The longer the key, the more secure it is, so please select the 2048-bit key.


6. The two DNS TXT record fields are automatically populated. Click Save to save the values, but do not close the dialog. The dialog must stay open so that you can copy these values into your public DNS record in the next step.



Step 2: Update the public DNS record


1. With the domain name dialog box still open, navigate to the public DNS TXT record for the domain.


2. Click the Copy to Clipboard icon to the right of the Host Name field. Click the Copy to Clipboard icon to the right of the TXT value field.


3. Add the DKIM key in Valimail Enforce.


4. Click Close to close the domain name dialog box.


Note: Propagation of the DKIM records must be complete before DKIM can be enabled for this domain.



Step 3: Verify propagation and then enable DKIM for the domain


1. To be certain that the updated DNS record has propagated, on the main Outbound DKIM Signing Settings page, click the domain name. The domain name dialog box appears.


2. Ensure that you have selected the appropriate selector. Then click Test to perform a DNS lookup to check whether the DNS TXT record matches the active selector in the portal.


3. If the test succeeds, then close the domain name dialog box to return to the DKIM Signing Settings page. Use the slider in the DKIM Enable column to enable DKIM for that domain.



You can find the instructions to set up DKIM for Symantec Email Security.Cloud here.






Add a Symantec Email Security.Cloud DKIM key in Enforce


1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.


    a. Scroll down and add the DKIM key to your configuration by clicking Add a DKIM key.

    b. Enter the selector name and the DKIM TXT value (the actual value is the entire string after the p= tag), associate the key with Symantec Email Security.Cloud, and then click Add.




You can find more detailed information on how to add a DKIM key in Valimail Enforce here.
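
To check the value before pasting it into Enforce, the following added example (not Symantec or Valimail code) extracts the entire string after p= from a DKIM TXT value, including one displayed as several quoted chunks, and goes one step further by reading the RSA modulus size from the key to confirm it is 2048-bit. The function names are hypothetical, the sample record is constructed rather than a real key, and an RSA (k=rsa) key is assumed.

```python
import base64
import re

def dkim_tags(txt):
    """Parse a DKIM TXT value (whole, or split into quoted chunks) into tags."""
    chunks = re.findall(r'"([^"]*)"', txt)  # long TXT data is shown as "..." "..."
    pairs = (t.partition("=") for t in ("".join(chunks) or txt).split(";"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def public_key_b64(txt):
    """Return the entire string after p=, the value entered in Enforce."""
    p = re.sub(r"\s+", "", dkim_tags(txt).get("p", ""))
    if not p:
        raise ValueError("p= tag missing or empty")
    base64.b64decode(p, validate=True)  # raises on non-base64 characters
    return p

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_key_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p_b64)
    start, _ = _tlv(der, 0)                  # outer SEQUENCE
    _, alg_end = _tlv(der, start)            # AlgorithmIdentifier, skipped
    bit_start, _ = _tlv(der, alg_end)        # BIT STRING holding the key
    seq_start, _ = _tlv(der, bit_start + 1)  # +1 skips the unused-bits octet
    n_start, n_end = _tlv(der, seq_start)    # INTEGER modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def _der(tag, body):  # DER encoder, used only to build the constructed sample
    raw = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (raw if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def constructed_record(bits):  # constructed sample; the modulus is not a real key
    modulus = _der(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    rsa = _der(0x30, modulus + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return " ".join('"%s"' % value[i:i + 255] for i in range(0, len(value), 255))

if __name__ == "__main__":
    print(rsa_key_bits(public_key_b64(constructed_record(2048))))
```

Comparing `public_key_b64()` of the portal's TXT value with that of the published record gives an independent version of the match that the portal's Test button performs.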






Configuring SPF authentication for your Symantec Email Security.Cloud emails


Once you establish that Symantec Email Security.Cloud is an authorized sender for your domain, you will need to add the service to your Enabled Senders list in Enforce.


1. Go to your domain's Configuration page in Enforce.

2. Click the + sign in the Enabled Senders section.

3. Choose Symantec Email Security.Cloud from the list of configurable senders and then click Enable.




We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.



Important Note: In order to validate the configuration, you may need to append StatusPage's include mechanism to your SPF record, after the macro directive. Your SPF record should look as follows:

v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.messagelabs.com ~all



Important: If you are using this as a gateway, it is necessary to keep the MessageLabs include in the SPF record after delegating to Valimail, as expressed above. This is due to a known bug in the gateway that manifests when emails are routed internally in their infrastructure. The bug causes the EHLO name to be set to a value that Enforce will not recognize. The Symantec/Broadcom bug number is Etrack 4235858.


For more detail on why an action such as the one in the note above might be required, please consult our articles How to work around Vendor Verification for SPF and Trailing SPF includes in Valimail delegated domains.
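
The ordering required by the two notes above can be checked mechanically. The following is an added example, not Valimail or Symantec code: it confirms that a delegated SPF record keeps the MessageLabs include after the macro include and before the all mechanism, since mechanisms placed after all are never evaluated. The function name is hypothetical, and the sample records are constructed from the record shown on this page.

```python
VALIMAIL_SUFFIX = "._spf.vali.email"             # taken from the record shown above
GATEWAY_INCLUDE = "include:spf.messagelabs.com"  # taken from the record shown above

def check_delegated_spf(record):
    """Return a list of problems found in the record; an empty list means OK."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    # Drop qualifiers (+ - ~ ?) so "~all" and "+include:..." compare cleanly.
    mechs = [t.lstrip("+-~?").lower() for t in terms[1:]]

    def first(pred):
        return next((i for i, m in enumerate(mechs) if pred(m)), None)

    macro = first(lambda m: m.startswith("include:") and m.endswith(VALIMAIL_SUFFIX))
    gateway = first(lambda m: m == GATEWAY_INCLUDE)
    all_pos = first(lambda m: m == "all")
    problems = []
    if macro is None:
        problems.append("Valimail macro include is missing")
    if gateway is None:
        problems.append("MessageLabs include is missing")
    elif macro is not None and gateway < macro:
        problems.append("MessageLabs include comes before the macro include")
    if gateway is not None and all_pos is not None and gateway > all_pos:
        problems.append("MessageLabs include follows 'all' and is never evaluated")
    return problems

# Constructed sample records; the first is the one shown on this page.
SAMPLES = {
    "as documented": "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:spf.messagelabs.com ~all",
    "include dropped": "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all",
    "appended after all": "v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all include:spf.messagelabs.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, "->", check_delegated_spf(rec) or "OK")
```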






As always, if you have any questions, please don't hesitate to submit a ticket.