This article covers the SPF and DKIM authentication processes for the Forcepoint Email Security Cloud service and how they are managed in Valimail Enforce. While only one of the two authentication methods is required for an email to pass DMARC, our recommendation is to configure both whenever possible.
TABLE OF CONTENTS
- Configuring DKIM authentication for your Forcepoint Email Security Cloud emails
- Add a Forcepoint Email Security Cloud DKIM key in Enforce
- Configuring SPF authentication for your Forcepoint Email Security Cloud emails
Configuring DKIM authentication for your Forcepoint Email Security Cloud emails
Adding a DKIM key
1. Log in to your ForcePoint account as an administrator and go to Settings -> Inbound/Outbound -> DKIM Settings page:
2. Click Add in the DKIM Signing Keys section to open the Add Signing Key page.
3. Enter a name for your key in the Key name entry field.
4. Select one of the following options for creating your key:
- Generate key (default) to create the private key. Only 1024-bit keys are supported.
- Private key to enter a key you have already created. Paste the key in the entry box.
5. Click OK.
Importing or exporting a DKIM key
- To import a DKIM signing key in the Settings -> Inbound/Outbound -> DKIM Settings page, click Import to open a browser window. Navigate to the desired key file and click Open. You cannot import a duplicate key file.
- To export a key, select the desired key in the signing keys table by marking its associated check box and click Export to open a browser window. Navigate to the desired directory location and click Save.
Creating a DKIM signing rule
A DKIM signing rule associates a private/public key pair with a set of domains and email addresses. Signing rule options let you determine which message headers to sign, how much of the message body to sign, and whether to attach additional signature tags for such items as signature date/time or expiration time.
You may create a signing rule, import an existing rule from a local directory, or export a rule to a local directory on the Settings -> Inbound/Outbound -> DKIM Settings page.
You may also delete a signing rule. Select the desired rule by marking its associated check box and click Delete.
The DKIM Signing Rules section contains a table of rule information. You can configure the number of signing rule entries per page, between 25 and 100, in the Per page drop-down list at the top of the table.
You can perform a keyword search by entering a term in the entry field at the top right of the table and clicking Search. Click Show all rules to clear the Search field and refresh the signing rules list.
Adding a signing rule
Use the following steps to create a DKIM signing rule in the Settings -> Inbound/Outbound -> DKIM Settings page:
1. Click Add in the DKIM Signing Rules section to open the Add Signing Rule page.
2. Enter a name for your rule in the Rule name entry field.
3. Enter the name of the domain to which this signing rule applies.
4. If desired, mark the Include user identifier check box to include the identity of the user or agent for whom the message is signed.
5. Enter the user identifier in the User identifier entry field (optional). This field is not enabled if the Include user identifier check box is not marked.
6. Enter the domain name selector in the Selector entry field. A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors.
7. Select the signing key you want to associate with this rule from the Signing key drop-down list of existing keys.
8. Click Advanced Options to open a box with additional optional rule settings:
- Select an encryption algorithm from the Algorithm drop-down list. Options include RSA-SHA-1 (default) or RSA-SHA-256.
- Specify a canonicalization method for message header and body in the Canonicalization section. The canonicalization process prepares a message header and body before email is signed. Canonicalization is required because email processing may introduce minor changes to a message.
- Indicate the message headers you want to sign from the list of standard headers. You can include other headers as a comma-separated list in the Additional headers field.
- Specify whether you want the entire message body signed or only a portion of it signed. For the latter selection, enter the maximum number of Kbytes you want signed (default is 1024).
- Select any optional signature tags for the signing rule:
* t lets you add a signature creation timestamp
* x lets you specify a signature expiration time in seconds (default is 3600)
* z adds the list of signed header fields to the signature
9. From the Signing rule options drop-down list, select either Sign email messages or Do not sign email messages. Then create a list of email addresses to which this option applies.
For example, if you select Sign email messages, then email from the addresses in the list are signed. Email from other addresses is not signed.
If you select Do not sign email messages, then email from the addresses in the list are not signed, and email from all other users is signed.
You may search the email address list by entering a keyword in the search entry field and clicking Search.
You may remove an email address from the list by selecting it and clicking Remove.
10. Click OK.
Importing or exporting a rule
To import a DKIM signing rule in the Settings -> Inbound/Outbound -> DKIM Settings page, click Import to open a browser window. Navigate to the desired rule file and click Open. You cannot import a duplicate key rule.
To export a rule, select the desired rule in the signing rules table by marking its associated check box and click Export to open a browser window. Navigate to the desired directory location and click Save.
Generating a DNS text record (public key)
Generate a public key for a rule from the DKIM Signing Rules table by clicking the link for the desired rule in the DNS Text Record column. A Generate DNS Text Record box that contains the new public key appears.
You can view a public key by clicking View for a particular private key in the DKIM Signing Keys table Public Key column.
Testing a rule
Ensure that you have created a valid rule by clicking the Test link in the Test Rule column of the DKIM Signing Rules table for the desired signing rule. The test performs a DNS lookup query. You receive confirmation of success or failure when the test is complete.
You must have performed a successful rule test before a rule can be enabled.
Enabling DKIM verification
The DKIM validation method uses the message header digital signature to associate a domain name with the email. The DKIM signature verification function retrieves signer information, including the public key, from the DNS. This signer information is analyzed and verified to determine message legitimacy.
You can enable DKIM verification in the Settings -> Inbound/Outbound -> DKIM Settings page, in the DomainKeys Identified Mail (DKIM) Verification section. Mark any of the following check boxes to activate DKIM verification:
- Enable DomainKeys Identified Mail (DKIM) verification for inbound messages
- Enable DomainKeys Identified Mail (DKIM) verification for outbound messages
- Enable DomainKeys Identified Mail (DKIM) verification for internal messages
By default, these check boxes are not marked.
You can also find the instructions and complete Forcepoint Email Security Cloud DKIM setup up procedure, here.
Add a Forcepoint Email Security Cloud DKIM key in Enforce
1. Go to your domain's Configuration page in Valimail Enforce and publish the newly created DKIM key.
a. Scroll down and add the DKIM key in your configuration, by clicking on Add a DKIM key.
b. Enter the selector name, the DKIM TXT value (the actual value is the entire string after the p= tag), associate the key with Forcepoint Email Security Cloud and then click Add.
You can find more detailed information on how to add a DKIM key in Valimail Enforce here.
Configuring SPF authentication for your Forcepoint Email Security Cloud emails
Once you establish that Forcepoint Email Security Cloud is an authorized sender for your domain, you will need to add the service in your Enabled Senders list in Enforce.
1. Please go to your domain's Configuration page in Enforce.
2. Click on the + sign from the Enabled Senders section:
3. Choose Forcepoint Email Security Cloud from the list of configurable senders and then click Enable:
We encourage you to use the comment section for any useful information about your sending service, such as the name of the service owner, change request ticket numbers, etc.
As always, if you have any questions, please don't hesitate to submit a ticket.