Open with table of contents

Spoof detection

Your Gateway offers the following spoof detection features:

For inbound email you can provide:

• Protection at the connection level. Suspect emails can be rejected if a problem is detected between the sending domain and email sender. When enabled, spoof detection provides protection against email originating from outside your organization that has a forged sender with an internal email address.
• Protection at the email content level. This is provided by DKIMDomainKeys Identified Mail as part of Junk Email Detection within your spam policy.

To provide trust to mail exchangers that receive email from your organization's domains, you can use DKIM signing. DKIM uses public and private keys, along with DNS records, to validate outbound email that is sent from your organization. When configuring spam settings, you can configure DKIM verification on inbound messages.

Tell me about...

• How DKIM signing works Show me

  DKIM is an email validation system designed to detect email spoofing. It provides a mechanism that allows receiving mail exchangers to check that incoming mail from your organization's domain is authorized by your organization.

  It does this by including a DKIM signature within the email. The signature can then be validated by the recipient by identifying the paired public key as published in the DNS.

  To enable DKIM signing you need to create a public and private key pair, and a DNS record for each of your organization's domains.

  DKIM verification can fail if the system times of the sending and receiving message transfer agents are not synchronized to within 5 minutes. System times are not affected by time zone differences.

How do I...

• Configure my Gateway to detect inbound spoof? Show me

  See Configure Spoof Detection settings.

• Configure DKIM to provide trust to external mail exchangers? Show me

  See Configure DKIM signing for outbound messages.

• Create public and private keys to use with DKIM signing? Show me

  Although DKIM requires a private and public key pair, you need only to take steps to create a private key as the public key part of the pair will be elicited from the private key by your Gateway.

  The easiest way to create keys for DKIM purposes is to use OpenSSL.

  The following example generates an RSA key. We recommend that RSA keys are created with a key length of at least 1024 bits. Consult OpenSSL and DKIM documentation for more information.

  To create a private key of 1024 bits, type the following from the command line:

  openssl genrsa -out <private.key> 1024

  where <private.key> is the name of the key you want to create.

  To create a public key using the private key, type the following from the command line:

  openssl rsa -in <private.key> -pubout -out <public.key>

  where <private.key> is the name of the created private key and <public.key> is the name of the public key you want to create.

See also...

• Configure Spam Policy

• Configure DKIM signing for outbound messages

• Configure spoof detection settings