DomainKeys Identified Mail (DKIM)

You can configure Clearswift Gateway to perform DomainKeys Identified Mail (DKIMDomainKeys Identified Mail) verification checks on inbound messages.

The Clearswift Gateway checks the DKIM signature of inbound messages to ensure the verified domain name matches the "From:" or "Sender:" address in an email header. The Clearswift Gateway retrieves signer information, including public key, from the DNS. It analyzes this signer information and then verifies whether or not the message is legitimate.

Messages can fail DKIM checks in two ways:

Hard Failure. DKIM DNS records state with certainty that the message is not coming from the stated sender.
Soft Failure. There are problems with DKIM DNS records that make it impossible for the Clearswift Gateway to check the DKIM signature.

The Clearswift Gateway searches for a 'pass' response. If the pass response fails, it searches for a Hard Fail response, and finally a Soft Fail response.

The Clearswift Gateway enables you to specify different actions to perform on messages, depending on the type of DKIM failure.

Tell me about...

Messages failing DKIM due to an invalid signature
If messages fail your DKIM policy due to an invalid signature, this could be a result of modifications to the message made between the point at which the DKIM signature was applied, and the point at which it arrived at the Gateway.

In this scenario, the Gateway correctly determines that the message has an invalid signature.
- Show me an example
  
  A contact sends a message from their company's internal mail server.
  
  The internal mail server applies a DKIM signature to the message and sends it to a managed mail service provider used by the company.
  
  The message is then modified by the managed mail service provider, invalidating the DKIM signature.
  
  The message is sent to the recipient(s).
  
  The message is received by the Clearswift SECURE Email Gateway (with DKIM verification enabled).
  
  The Gateway determines that the DKIM signature is not consistent with the message. The message is rejected or held in a message area.
- Show me how to check a message DKIM verification failure
  
  From the Home page, click Messages > Find Held Messages. Select the message you want to view.
  
  Click the Structure tab.
  
  Search for the SpamLogicField property.
  
  If DKIM validation failed, the attribute dkim displays the value: SignatureValidationFailed.

For more information, see Configuring DKIM Settings.