DomainKeys Identified Mail (DKIM)

You can configure Clearswift Gateway to perform DomainKeys Identified Mail (DKIMDomainKeys Identified Mail) verification checks on inbound messages.

The Clearswift Gateway checks the DKIM signature of inbound messages to ensure the verified domain name matches the "From:" or "Sender:" address in an email header. The Clearswift Gateway retrieves signer information, including public key, from the DNS. It analyzes this signer information and then verifies whether or not the message is legitimate.

Messages can fail DKIM checks in two ways:

Hard Failure. DKIM DNS records state with certainty that the message is not coming from the stated sender.
Soft Failure. There are problems with DKIM DNS records that make it impossible for the Clearswift Gateway to check the DKIM signature.

The Clearswift Gateway searches for a 'pass' response. If the pass response fails, it searches for a Hard Fail response, and finally a Soft Fail response.

The Clearswift Gateway enables you to specify different actions to perform on messages, depending on the type of DKIM failure.

Show me...

What happens when the Gateway detects messages with multiple DKIM signatures

A message can contain more than one DKIM signature. In this case, the Gateway searches for 'pass' responses first and then prioritizes a Hard Fail over a Soft Fail.

For example, a message with both a 'pass' signature and a 'Hard Fail' signature is treated as a DKIM pass. A Detect Spam content rule that is configured to detect only DKIM Hard Fails does not detect this message.

A message with both a 'Soft Fail' and a 'Hard Fail' signature is treated as a DKIM Hard Fail. A Detect Spam content rule that is configured to detect only DKIM Hard Fails detects this message, but a similar rule that is configured to detect DKIM Soft Fails does not.

For more information, see Configuring DKIM Settings.