SPF (supported)
DKIM (recommended)



This article covers the SPF and DKIM authentication processes for Cisco Cloud Email Security and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.







Configuring DKIM authentication for your Cisco Cloud Email Security emails


Create a DKIM signing key


1. Log in to the Cisco Cloud Email Security console, go to Mail Policies -> Signing Keys, and select Add Key...

2. Name the DKIM key and either generate a new private key or paste in an existing one. (Best practice is to select the 2048 option for the key size.)

3. Commit the changes.


Generate a new DKIM signing profile


4. Go to Mail Policies -> Signing Profiles and click Add Profile...


    a. Give the profile a descriptive name in the field Profile Name.

    b. Enter your domain in the field Domain Name.

    c. Enter a new selector string into the field Selector.

    d. Select the DKIM signing key created in the previous section in the field Signing Key.

    e. Click Submit.


Note: The selector is an arbitrary string that is used to allow multiple DKIM DNS records for a given domain.


5. From here, click Generate in the column DNS Text Record for the signing profile you just created.


6. Commit the changes.


7. Now add the generated DKIM key in Valimail Enforce. In Enforce you only add the DKIM selector and the exact TXT value of the key. In the example record below, these are selector2 and the string that follows the p= tag.


selector2._domainkey.example.com. IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMaX6wMAk4iQoLNWiEkj0BrIRMDHXQ7743OQUOYZQqEXSs+jMGomOknAZJpjR8TwmYHVPbD+30QRw0qEiRY3hYcmKOCWZ/hTo+NQ8qj1CSc1LTMdV0HWAi2AGsVOT8BdFHkyxg40oyGWgktzc1q7zIgWM8usHfKVWFzYgnattNzyEqHsfI7lGilz5gdHBOvmF8LrDSfNKtGrTtvIxJM8pWeJm6pg6TM/cy0FypS2azkrl9riJcWWDvu38JXFL/eeYjGnB1zQeR5Pnbc3sVJd3cGaWx1bWjepyNQZ1PrS6Zwr7ZxSRa316Oxc36uCid5JAq0z+IcH4KkHqUueSGuGhwIDAQAB;"


8. Go to Mail Policies -> Signing Profiles.


9. Under the column Test Profile, click Test for the new DKIM signing profile.


Turn DKIM signing on


10. After the test is confirmed successful, you will need to turn DKIM signing on. Go to Mail Policies -> Mail Flow Policies.


11. Go to each mail flow policy that has the Connection Behavior of Relay and turn Domain Key/DKIM Signing to On.



You can also find the instructions on how to set up DKIM for Cisco Cloud Email Security here.






Add a Cisco Cloud Email Security DKIM key in Enforce


1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.


    a. Scroll down and add the two DKIM keys to your configuration by clicking Add a DKIM key.

    b. Enter the selector name, the DKIM TXT value (the actual value is the entire string after the p= tag), associate the key with Cisco Cloud Email Security and then click Add.
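
The following Python sketch is an added example, not part of the Valimail or Cisco documentation. It extracts the selector and the p= value from a generated DNS record and confirms the key is 2048-bit RSA before the value is pasted into Enforce; the input is the example record from step 7 with a constructed split into two quoted strings, and the function names are illustrative.

```python
import base64
import re
# Record from step 7; the split into two quoted TXT strings is constructed.
SAMPLE = (
    'selector2._domainkey.example.com. IN TXT "v=DKIM1; p='
    'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMaX6wMAk4iQoLNWiEkj0BrIRMDHXQ7743OQUOYZQqEXSs+jMGomOknA'
    'ZJpjR8TwmYHVPbD+30QRw0qEiRY3hYcmKOCWZ/hTo+NQ8qj1CSc1LTMdV0HWAi2AGsVOT8BdFHkyxg40oyGWgktzc1q7zIgWM8us" "'
    'HfKVWFzYgnattNzyEqHsfI7lGilz5gdHBOvmF8LrDSfNKtGrTtvIxJM8pWeJm6pg6TM/cy0FypS2azkrl9riJcWWDvu38JXFL/ee'
    'YjGnB1zQeR5Pnbc3sVJd3cGaWx1bWjepyNQZ1PrS6Zwr7ZxSRa316Oxc36uCid5JAq0z+IcH4KkHqUueSGuGhwIDAQAB;"'
)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER: key value is incomplete")
    return tag, pos, pos + length

def rsa_bits(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo holding an RSA key."""
    _, body, _ = _tlv(spki, 0)          # outer SEQUENCE
    _, _, alg_end = _tlv(spki, body)    # AlgorithmIdentifier (skipped)
    tag, bs, _ = _tlv(spki, alg_end)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("not a SubjectPublicKeyInfo")
    _, seq, _ = _tlv(spki, bs + 1)      # +1 skips the unused-bits byte
    tag, start, end = _tlv(spki, seq)   # INTEGER modulus
    if tag != 0x02:
        raise ValueError("RSA modulus not found")
    return int.from_bytes(spki[start:end], "big").bit_length()

def enforce_fields(record):
    """Return (selector, p_value, key_bits) for a zone-file style DKIM record."""
    selector, sep, _ = record.split()[0].partition("._domainkey")
    if not sep:
        raise ValueError("owner name has no ._domainkey label")
    txt = "".join(re.findall(r'"([^"]*)"', record))  # rejoin split TXT strings
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        raise ValueError("record has no p= value")
    return selector, p, rsa_bits(base64.b64decode(p, validate=True))

if __name__ == "__main__":
    selector, p, bits = enforce_fields(SAMPLE)
    print(f"selector={selector} key_bits={bits} p_length={len(p)}")
```

A value that was cut short or picked up stray quote characters during copy and paste raises ValueError instead of returning a key size.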





You can find more detailed information on how to add a DKIM key in Valimail Enforce here.






Configuring SPF authentication for your Cisco Cloud Email Security emails


Once you establish that Cisco Cloud Email Security is an authorized sender for your domain, you will need to add the service to your Enabled Senders list in Enforce.


1. Please go to your domain's Configuration page in Enforce.

2. Click the + sign in the Enabled Senders section.




3. Choose Cisco Cloud Email Security from the list of configurable senders and then click Enable.





We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.





As always, if you have any questions, please don't hesitate to submit a ticket.