Hexamail Guard Administration Guide - SPAM Blocking - detection - Sender - DKIM

DKIM

DKIM

   DomainKeys Identified Mail (DKIM)

EnableDomainKeys
This setting enables Yahoo Domain Keys processing for received email. Domain Key processing involves verfiying incoming email using cryptogtraphic signatures. This can help verify the identity of senders, and therefore ensure that forged or spoofed email can be eliminated at the earliest opportunity. It must look up domain keys for signed email from a DNS host so there may be some latency introduced when receiving email. Using Domain Key processing may have some impact on CPU usage as it needs to verify each signed email using encryption. For further information please consult the Yahoo Domain Keys pages: http://antispam.yahoo.com/domainkeys/
off
Policy Breach
Domain Keys specifies that signing domains should publish a policy record specifying how they sign email. If an email is NOT signed the policy for that domain is looked up and the email checked for breaches to the policy. For example, a policy may state that ALL email from the domain must be signed. In this case any unsigned email from that domain is either blocked (and quarantined) or rejected at the SMTP level as soon as it is submitted.
Example interface
Accept, Block, Reject
Block
Invalid Signature
If a Domain Key signed email is enountered, its Domain Key signature is verified against the email headers and content. If the signature doesn't match (so the email may be forged) this setting selects the action to take. Remember that in some cases email may have been modified or corrupted on their way to your server (e..g if via a mialing list or news list server), so sometimes signatures fail for legitimate email. In addition bear in mind that anyone can sign email from their own domain: so even spammers sometimes sign email with Domain Keys! Domain key signatures verify that the email does indeed come from the specified domain, not that the domain itself is one you wish to receive email from!
Example interface
Accept, Block, Reject
Block
Require signatures for
Currently many domains have policies that state that only SOME email may be signed, and that Domain Keys is in'testmode'. These policies mean that email cannot be rejected according to policy breaches if it lacks a Domain Keys signature. If you wish to insist that selected domains MUST send Domain Key signed email, add the domains to the list. BE SURE TO CHECK that the domains you add are indeed adding Domain Key signatures to their outgoing email and intend to continue to do so!
yahoo.com,yahoo.co.uk,gmail.com,e-mail.egg.com,btinternet.com
Missing required signature
Once you have listed domains for which you REQUIRE a signature (regardless of policy), use this setting to select the action to take for email with no signatures from those domains.
Example interface
Accept, Block, Reject
Block
Missing Key
Sometimes a signed email points to a domain which doesn't have a public key DNS entry published. This means the signature CANNOT be verified. Often these are SPAM email.
Example interface
Accept, Block, Reject
Block
Revoked Key
Sometimes a signed email points to a domain for which the key has been revoked. Use this setting to select an action for such email.
Example interface
Accept, Block, Reject
Block
Invalid MIME
Sometimes a signed email contains MIME syntax errors. Use this setting to block such email.
Example interface
Accept, Block, Reject
Block
DomainKeyDebug
Due to the complexity of Domain Key processing this features allows the full MIME of Domain Key signed email to be dumped to disk if the verification fails. This will allow better debugging of what may be wrong with the MIME of the email in question.
off