Policies - Configuring DNS Authentication Definition

This article contains information on configuring DNS Authentication policies in Mimecast, including inbound and outbound DNS authentication definitions, SPF, DKIM, and DMARC checks, and steps to manage DNS records for secure email communication.

DNS Authentication policies control the types of email authentication checks performed when we send or receive a message. The following systems work by defining extra DNS records for the sending domain. See the DNS Authentication Configuration Guide before configuring any DNS Authentication definitions.

Mail Transfer Agents (MTAs) can verify SPF, DKIM or DMARC for inbound mail only if the sending domain has published the corresponding DNS records.

 

Configuring an Inbound DNS Authentication Definition

To configure an Inbound DNS Authentication definition:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Click on the Definitions drop-down.
  4. Select the DNS Authentication - Inbound definition type from the list.
  5. Either click on the:
      • Definition to be changed
      • New DNS Authentication - Inbound Checks button to create a definition.
  6. Complete the DNS Authentication - Inbound Check Properties section as follows:
      • Items highlighted in Bold are the recommended default settings for most customers.
Field / Option | Configurable Actions | Description
Description | N/A | Enter a description that lets you identify the definition easily later.
Verify SPF for Inbound Mail | Enabled / Disabled | Select this to enable SPF checks on inbound messages. We can only perform these checks if the sender has published an SPF record for their domain.
Verify DKIM for Inbound Mail | Enabled / Disabled | Select this to enable DKIM checks on inbound messages. We can only perform these checks if the sender has published a valid DKIM public key for their domain and signed the message with the matching private key.
Verify DMARC for Inbound Mail | Enabled / Disabled | Select this to enable DMARC checks on inbound messages. We can only perform these checks if the sender has published a valid DMARC record for their domain. A DMARC evaluation performs its own SPF and DKIM checks, so you don't need to select "Verify SPF for Inbound Mail" or "Verify DKIM for Inbound Mail" as well when this option is selected.

 

Note: When Verify DMARC for Inbound Mail is selected, DKIM checking is enabled implicitly. If a message is received from a sender that hasn't published a DMARC record, the MTA still checks whether a valid DKIM signature has been applied to the message, rather than letting it pass through untouched, and the action configured for that DKIM result is applied, even if the DKIM check is disabled in the definition.

 

Configure the action to apply for each of the possible results listed below, for the inbound checks you've enabled:

SPF:

For further information on verifying the SPF scan results, we recommend reading the "How to Interpret SPF Authentication Verification Results" page on the Return Path website.

Scan Result | Configurable Actions
None
  • Reject: Inbound messages are rejected when the SPF check returns a "None" result.
  • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "None" result.
  • Take No Action: No specific actions are applied to a message when the SPF check returns a "None" result.
Neutral
  • Reject: Inbound messages are rejected when the SPF check returns a "Neutral" result.
  • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "Neutral" result.
  • Take No Action: No specific actions are applied to a message when the SPF check returns a "Neutral" result.
SoftFail
  • Reject: Inbound messages are rejected when the SPF check returns a "SoftFail" result.
  • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "SoftFail" result.
  • Take No Action: No specific actions are applied to a message when the SPF check returns a "SoftFail" result.
HardFail
  • Reject: Inbound messages are rejected when the SPF check returns a "HardFail" result.
  • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "HardFail" result.
  • Take No Action: No specific actions are applied to a message when the SPF check returns a "HardFail" result.
PermError
  • Reject: Inbound messages are rejected when the SPF check returns a "PermError" result.
  • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "PermError" result.
  • Take No Action: No specific actions are applied to a message when the SPF check returns a "PermError" result.
TempError
  • Reject: Inbound mail is rejected when the SPF check returns a "TempError" result.
  • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "TempError" result.
  • Take No Action: No specific actions are applied to a message when the SPF check returns a "TempError" result.

DKIM: Items highlighted in Bold are the recommended default settings for most customers.

Scan Result | Configurable Actions
None
  • Reject: Inbound messages are rejected when the DKIM check returns a "None" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "None" result.
  • Take No Action: No specific actions are applied to a message when the DKIM check returns a "None" result.
Fail
  • Reject: Inbound messages are rejected when the DKIM check returns a "Fail" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "Fail" result.
  • Take No Action: No specific actions are applied to a message when the DKIM check returns a "Fail" result.
PermError
  • Reject: Inbound messages are rejected when the DKIM check returns a "PermError" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "PermError" result.
  • Take No Action: No specific actions are applied to a message when the DKIM check returns a "PermError" result.
TempError
  • Reject: Inbound messages are rejected when the DKIM check returns a "TempError" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "TempError" result.
  • Take No Action: No specific actions are applied to a message when the DKIM check returns a "TempError" result.

DMARC: Items highlighted in Bold are the recommended default settings for most customers.

 
Scan Result | Configurable Actions
None
  • Reject: Inbound messages are rejected when the DMARC check returns a "None" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "None" result.
  • Take No Action: No specific actions are applied to a message when the DMARC check returns a "None" result.
Fail
  • Take No Action: No specific actions are applied to the inbound message when the DMARC check returns a "Fail" result.
  • Reject: Inbound messages are rejected when the DMARC check returns a "Fail" result.
  • Ignore Managed/Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "Fail" result.
  • Honor DMARC Record: The action specified in the sending domain's DMARC record (its p= tag) is honored. If the action is Quarantine, Mimecast places the incoming message in the Hold for Review queue.

If the Administrator selects Honor DMARC Record, an Enable Notifications option is displayed.

  • An Administrator Group can be selected to receive notifications on an email being held due to policy. Check the Lookup option and then select the group to be added.
  • The Internal Recipient can receive a notification advising them that their email is being held for review.

Note: To maintain compatibility with behavior before this enhancement was added, the Enable Notifications option will be checked by default, along with the Internal Recipient.

PermError
  • Reject: Inbound messages are rejected when the DMARC check returns a "PermError" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "PermError" result.
  • Take No Action: No specific actions are applied to a message when the DMARC check returns a "PermError" result.
TempError
  • Reject: Inbound messages are rejected when the DMARC check returns a "TempError" result.
  • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "TempError" result.
  • Take No Action: No specific actions are applied to a message when the DMARC check returns a "TempError" result.

Click on the Save and Exit button.
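The inbound definition above is a mapping from each SPF, DKIM and DMARC result to an action, with one special case: a sender with no DMARC record falls back to the action configured for the DKIM result. The following is an added example in Python, not Mimecast's code, that implements that decision logic over an RFC 8601 style Authentication-Results header value. The definition layout, the severity ordering used to collapse several fired checks into one verdict, and the sample headers are this example's own constructions; the action names come from the tables above.

```python
"""Evaluate a 'DNS Authentication - Inbound' style definition against one message.

Added example; not Mimecast code. The definition layout, the severity ordering
used to pick a final verdict, and the sample Authentication-Results headers are
this example's own constructions. Action names follow the tables in this article;
header syntax follows the RFC 8601 style an MTA writes after checking a message.
"""
import re
from dataclasses import dataclass, field

# Actions as named in the definition tables. The SPF table calls the middle
# option "Ignore Managed / Permitted Sender Entries" and the DKIM/DMARC tables
# "Ignore Auto Allow or Permitted Sender Entries"; they are treated as one here.
REJECT = "Reject"
IGNORE_PERMITTED = "Ignore Managed / Permitted Sender Entries"
NO_ACTION = "Take No Action"
HONOR_DMARC = "Honor DMARC Record"
HOLD = "Hold for Review"  # what Honor DMARC Record does for a p=quarantine policy

# Assumed ordering for collapsing several fired checks into one verdict.
SEVERITY = {NO_ACTION: 0, IGNORE_PERMITTED: 1, HOLD: 2, REJECT: 3}


@dataclass
class InboundDefinition:
    verify_spf: bool = False
    verify_dkim: bool = False
    verify_dmarc: bool = False
    # lower-case result name (as in the tables) -> action; results not listed
    # (for example "pass") get NO_ACTION.
    spf_actions: dict = field(default_factory=dict)
    dkim_actions: dict = field(default_factory=dict)
    dmarc_actions: dict = field(default_factory=dict)


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts, plus the sender's DMARC p= policy
    when the verifier recorded it, from an Authentication-Results value.
    RFC 8601 spells the SPF hard failure "fail"; the tables call it "HardFail".
    """
    verdicts = {}
    # Layout: "authserv-id; method=result [props]; method=result [props]"
    for clause in header.split(";")[1:]:
        m = re.match(r"(spf|dkim|dmarc)=([a-z]+)", clause.strip(), re.I)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        if method == "spf" and result == "fail":
            result = "hardfail"
        verdicts[method] = result
        if method == "dmarc":
            pol = re.search(r"\bp=([a-z]+)", clause, re.I)
            verdicts["dmarc_policy"] = pol.group(1).lower() if pol else "none"
    return verdicts


def evaluate(defn: InboundDefinition, header: str) -> list:
    """Return [(check, result, action), ...] for every check that fired."""
    v = parse_auth_results(header)
    fired = []
    if defn.verify_spf:
        r = v.get("spf", "none")
        fired.append(("spf", r, defn.spf_actions.get(r, NO_ACTION)))
    dkim = v.get("dkim", "none")
    if defn.verify_dkim:
        fired.append(("dkim", dkim, defn.dkim_actions.get(dkim, NO_ACTION)))
    if defn.verify_dmarc:
        r = v.get("dmarc", "none")
        action = defn.dmarc_actions.get(r, NO_ACTION)
        if action == HONOR_DMARC:
            # Apply the sender's own policy: p=reject -> Reject, p=quarantine -> Hold.
            action = {"reject": REJECT, "quarantine": HOLD}.get(v.get("dmarc_policy"), NO_ACTION)
        fired.append(("dmarc", r, action))
        if r == "none" and not defn.verify_dkim:
            # No DMARC record published: the article says the configured DKIM
            # action is applied anyway, even with the DKIM check disabled.
            fired.append(("dkim", dkim, defn.dkim_actions.get(dkim, NO_ACTION)))
    return fired


def final_action(fired: list) -> str:
    """Most severe action among the fired checks (assumed ordering above)."""
    return max((a for _, _, a in fired), key=SEVERITY.__getitem__, default=NO_ACTION)


# An example definition (not the article's recommended defaults): SPF and DMARC on, DKIM off.
EXAMPLE_DEFINITION = InboundDefinition(
    verify_spf=True, verify_dmarc=True,
    spf_actions={"hardfail": REJECT, "softfail": IGNORE_PERMITTED, "permerror": IGNORE_PERMITTED},
    dkim_actions={"fail": IGNORE_PERMITTED, "permerror": IGNORE_PERMITTED},
    dmarc_actions={"fail": HONOR_DMARC, "permerror": IGNORE_PERMITTED},
)

# Constructed sample headers (not captured from real mail).
NO_DMARC_RECORD = ("mx.example.net; spf=softfail smtp.mailfrom=partner.example; "
                   "dkim=fail header.d=partner.example; dmarc=none header.from=partner.example")
DMARC_QUARANTINE = ("mx.example.net; spf=pass smtp.mailfrom=bulk.example; "
                    "dkim=fail header.d=brand.example; "
                    "dmarc=fail (p=QUARANTINE) header.from=brand.example")
SPF_HARDFAIL = ("mx.example.net; spf=fail smtp.mailfrom=brand.example; "
                "dkim=none; dmarc=fail (p=NONE) header.from=brand.example")

if __name__ == "__main__":
    for name, hdr in [("no DMARC record", NO_DMARC_RECORD),
                      ("DMARC fail, p=quarantine", DMARC_QUARANTINE),
                      ("SPF hard fail", SPF_HARDFAIL)]:
        fired = evaluate(EXAMPLE_DEFINITION, hdr)
        print(f"{name}: {fired} -> {final_action(fired)}")
```

Two points worth noticing when you run it: a sender whose DMARC record says p=none passes through Honor DMARC Record untouched even though the DMARC check failed, so a Reject on SPF HardFail is what actually stops that message; and the no-DMARC fallback means the DKIM "Fail" action is live even when the DKIM check box is cleared, so configure it deliberately.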

Configuring an Outbound DNS Authentication Definition

This definition allows you to select the appropriate internal domain and generate the public DKIM key for outbound mail. It also provides all the information to be inserted into your domain's DNS entry. To configure an Outbound DNS Authentication definition:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Click on the Definitions drop-down.
  4. Select the DNS Authentication - Outbound Signing definition type from the list.
  5. Either click on the:
    • Definition to be changed.
    • New DNS Authentication - Outbound Signing button to create a definition.
  6. Complete the DNS Authentication - Outbound Signing Properties section as follows:
  • Items highlighted in Bold are the recommended default settings for most customers.

Other than the Description, these fields are only displayed if the "Sign Outbound Messages with DKIM" option is selected.

Field / Option | Description
Description | Enter a description that lets you identify the definition easily later.
Sign Outbound Messages with DKIM | Select this to DKIM-sign outbound mail from the selected domain. The remaining fields are only displayed once it is selected.
Is External Domain | Select this to DKIM-sign messages for a domain that is not in your list of authorized domains.
  • Signing on behalf of an external domain uses a 1024-bit RSA key only.
  • The external domain must have MX records. If it doesn't, the alert "The external domain has no MX records, you cannot sign emails on its behalf" is displayed. Mimecast cannot correct this; liaise with the owner of the external domain.
DKIM Key Length | Sets the length of the RSA key pair generated for signing: 1024 or 2048 bits. This option is only displayed after an internal domain is selected.
  • A 2048-bit public key is about 392 base64 characters, so the resulting TXT record is longer than the 255-octet limit on a single TXT character-string. It has to be published as several strings within one TXT record, which DKIM verifiers concatenate; most DNS providers split long values automatically, but confirm with yours that a 2048-bit key can be published, and rely on the Check DNS step to prove it.
Domain | Use the Lookup button to select an internal domain.

 

If you have multiple internal domains, configure a definition for each domain and add each one to a policy. Otherwise DKIM checks fail, because the definition lists a domain other than the one in the message.

DNS Address | Format: selector._domainkey.domain. This is the hostname to enter when creating the DKIM TXT record at your DNS provider. If your DNS provider automatically appends your domain name to the hostname of a TXT record, remove the domain name from the DNS Address value before entering it as the hostname (e.g., mimecastYYYYMMDD._domainkey).
Public Key
  1. Click the Generate button to create the key pair. The private key is stored in Mimecast and is never displayed; the public key is shown in the Public Key field.
  2. Copy the Public Key value to your clipboard.
  3. In your DNS provider's management tool, create a TXT record with the DNS Address as the hostname (shortened as described above if the provider appends the domain) and the Public Key value as the record data.
  4. Click the Check DNS button to perform a DNS TXT lookup for selector._domainkey.domain.
  5. Compare the returned string with the value in the Public Key field.

 

Ensure the published key includes the spaces present in the Public Key value, as some DNS providers do not automatically include them.

 

If the check fails because Mimecast cannot find the TXT record, allow up to 72 hours for DNS propagation after publishing it, and confirm that the published record matches the Public Key field exactly. The definition only becomes active after a successful DNS check.

Click on the  Save and Exit button. If you do not save after validating your DNS Authentication Outbound DKIM Key, it will not be used to sign your outbound email.
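The outbound procedure above has three manual steps that are easy to get wrong: building the hostname (and shortening it when the provider appends the domain), publishing a 2048-bit key that overflows a single 255-octet TXT string, and comparing what DNS returns with the Public Key field. The following is an added example in Python, not Mimecast's code, that does those steps by script. The selector, domain, key bytes and the canned DNS answers are constructed for the example; a real check would query DNS (for instance `dig TXT mimecast20240115._domainkey.example.com`) rather than use a canned answer.

```python
"""Build and check the DNS TXT record for a DKIM public key.

Added example; not Mimecast code. It derives the DNS Address
(selector._domainkey.domain) and the shorter hostname for providers that append
the domain themselves, splits a 2048-bit key's record into the 255-octet strings
a TXT record allows, and compares what DNS returns with the Public Key field the
way a Check DNS step would. Selector, domain, key bytes and the canned DNS
answers are constructed for the example; a real check would query DNS instead.
"""
import base64
import hashlib
import re


def dns_address(selector: str, domain: str) -> str:
    """Hostname of the DKIM record: selector._domainkey.domain."""
    return f"{selector}._domainkey.{domain}"


def hostname_for_provider(address: str, domain: str, provider_appends_domain: bool) -> str:
    """Drop the domain when the provider appends it itself; otherwise the record
    lands at selector._domainkey.example.com.example.com and Check DNS fails."""
    if provider_appends_domain and address.endswith("." + domain):
        return address[: -(len(domain) + 1)]
    return address


def dkim_txt_record(public_key_b64: str) -> str:
    """Tag list published for an RSA DKIM key (the Public Key field contents)."""
    return f"v=DKIM1; k=rsa; p={public_key_b64}"


def split_txt_strings(record: str, limit: int = 255) -> list:
    """A TXT RR is one or more <character-string>s of at most 255 octets each
    (RFC 1035); DKIM verifiers concatenate them (RFC 6376 section 3.6.2.2)."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def parse_dkim_record(strings: list) -> dict:
    """Join the strings a resolver returns and parse the tag=value list.
    Whitespace inside values is insignificant for DKIM and is stripped, so a
    provider that inserts a space at a string boundary does not break the key."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dns(published_strings: list, expected_public_key_b64: str) -> bool:
    """What a Check DNS step verifies: a DKIM1 RSA record whose p= equals the key
    that was generated, after whitespace and string splitting are normalised."""
    tags = parse_dkim_record(published_strings)
    return (tags.get("v") == "DKIM1"
            and tags.get("k", "rsa") == "rsa"
            and tags.get("p") == re.sub(r"\s+", "", expected_public_key_b64))


def _constructed_key_b64(der_length: int) -> str:
    """Deterministic filler standing in for a base64 SubjectPublicKeyInfo; NOT a
    real key. A 1024-bit RSA SPKI is 162 DER bytes (216 base64 chars); a
    2048-bit one is 294 bytes (392 chars), so only the latter overflows 255."""
    filler = hashlib.sha256(b"constructed example, not a real key").digest() * 10
    return base64.b64encode(filler[:der_length]).decode()


KEY_1024_B64 = _constructed_key_b64(162)
KEY_2048_B64 = _constructed_key_b64(294)
SELECTOR, DOMAIN = "mimecast20240115", "example.com"

# Canned "answers" standing in for the TXT lookup: a correctly split record,
# and one where the provider padded each string with a trailing space.
PUBLISHED_OK = split_txt_strings(dkim_txt_record(KEY_2048_B64))
PUBLISHED_WITH_STRAY_SPACES = [s + " " for s in PUBLISHED_OK]

if __name__ == "__main__":
    addr = dns_address(SELECTOR, DOMAIN)
    print("DNS Address:", addr)
    print("hostname if provider appends domain:", hostname_for_provider(addr, DOMAIN, True))
    print("2048-bit record needs", len(PUBLISHED_OK), "TXT strings")
    print("Check DNS:", check_dns(PUBLISHED_OK, KEY_2048_B64),
          check_dns(PUBLISHED_WITH_STRAY_SPACES, KEY_2048_B64),
          check_dns(split_txt_strings(dkim_txt_record(KEY_1024_B64)), KEY_2048_B64))
```

The comparison deliberately normalises whitespace and rejoins split strings before comparing, because that is what a DKIM verifier does; comparing the raw `dig` output character by character against the Public Key field gives false failures whenever the provider has split or padded the value.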

Configuring a DNS Authentication (Inbound or Outbound) Policy

See the Email Security Cloud Gateway - Configuring DNS Authentication Policy page.

Comments

  • Column text wordwraps make reading the articles tedious, and changing browser zoom settings does not have much effect. Also, random numbers like "5" and "7" in front of lines of text (at the beginning of sentences, for example) are clumsy; do they serve a purpose in Zen Desk editing?
