Email Plug-in (Reporting): 1.1.0-129
Email Plug-in (Encryption): 1.2.1-151
We have 2 x C170 ESA devices in a cluster. Now we would like to implement DMARC. Related to this, we have a bunch of questions posted below and would like answers from experts.
Can you provide more clarity on the below:
1- We do have a GeoTrust SSL CA - G3 cert. on our Ironport. As I believe we need to publish our public key on the DNS, would this cert. suffice? If yes, how do we go about achieving this publishing?
2- Do we also need to publish our Intermediate cert.?
3- Are there any other pre-requisites at our end?
4- Do we need to extract the private key and have it stored on the Ironport?
5- Are there any pre-requisites at the recipient end?
Just to clarify, you're asking questions about DKIM (or in the ESA "Domain Keys"), not DMARC.
1. Yes, it should work, but you can also have the ESA generate the cert or certs you need, and it's pretty easy. You create a DNS record that looks something like this and publish it in your public DNS:
<selector>._domainkey.<domain>.com. IN TXT "v=DKIM1; p=<publickey>;"
Selector is set in Mail Policies/Domain Signing Profiles
2. No, generally you don't have to do this. DKIM doesn't follow/verify the chain, it just makes sure the mail is signed by a key that matches the cert in DNS.
3. You have to define a DKIM profile and publish the dns record. The profile sets what key is used to sign mail for each domain you send mail as. Set up the profile, publish the DNS record, WAIT A DAY OR 2 for DNS to update everywhere, then turn on signing.
4. Yes. Do that under Mail Policies/Signing Keys.
5. Not really... they have to be configured to check DKIM, but you can't control that...
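As an added illustration of points 1 and 3 above (this is example code, not from the original post or from Cisco), the following Python builds the `<selector>._domainkey.<domain>` TXT record from a PEM public key, splits it into the 255-octet strings DNS requires for longer keys, and checks a record read back from DNS against the key the ESA signs with. The selector, domain and PEM body are constructed placeholders; the PEM is not a real RSA key.

```python
from __future__ import annotations

import base64
import binascii
import textwrap

# Constructed placeholder standing in for the PEM public key exported from the ESA
# signing key (Mail Policies > Signing Keys). It is NOT a real RSA key; its body is
# just base64 text so the record-building logic has something of realistic length.
_PLACEHOLDER_B64 = base64.b64encode(
    b"constructed placeholder; not a real RSA public key. " * 6
).decode()
SAMPLE_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(_PLACEHOLDER_B64, 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_dkim_p(pem: str) -> str:
    """Strip the PEM armour and line breaks; the DKIM p= tag is the bare base64 body."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    p = "".join(body)
    base64.b64decode(p, validate=True)  # raises binascii.Error on malformed input
    return p


def build_dkim_record(selector: str, domain: str, pem: str) -> tuple[str, str]:
    """Return (owner name, TXT RDATA) for <selector>._domainkey.<domain>."""
    owner = f"{selector}._domainkey.{domain}."
    rdata = f"v=DKIM1; k=rsa; p={pem_to_dkim_p(pem)}"
    return owner, rdata


def split_txt_strings(rdata: str, max_len: int = 255) -> list[str]:
    """A single TXT character-string holds at most 255 octets; longer records
    (any 2048-bit key) must be published as several strings that resolvers join."""
    return [rdata[i:i + max_len] for i in range(0, len(rdata), max_len)]


def zone_file_line(owner: str, rdata: str) -> str:
    """Zone-file form: multiple quoted strings inside parentheses."""
    quoted = " ".join(f'"{s}"' for s in split_txt_strings(rdata))
    return f"{owner} IN TXT ( {quoted} )"


def parse_tags(record: str) -> dict[str, str]:
    """tag=value list separated by ';' (RFC 6376 style)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def check_dkim_record(published: str, expected_pem: str) -> list[str]:
    """Compare what a resolver returned (strings already joined) with the ESA signing key."""
    problems: list[str] = []
    tags = parse_tags(published)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        problems.append(f"unexpected version tag v={tags['v']}")
    if "p" not in tags:
        problems.append("no p= tag: record is not a DKIM key record")
        return problems
    if tags["p"] == "":
        problems.append("p= is empty, which means the key is revoked; no signature will verify")
        return problems
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        problems.append("p= is not valid base64 (check for lost characters when splitting the record)")
    if tags["p"] != pem_to_dkim_p(expected_pem):
        problems.append("published key does not match the ESA signing key")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} does not match an RSA signing key")
    return problems


if __name__ == "__main__":
    owner, rdata = build_dkim_record("selector1", "example.com", SAMPLE_PUBLIC_KEY_PEM)
    print(zone_file_line(owner, rdata))
    print(check_dkim_record(rdata, SAMPLE_PUBLIC_KEY_PEM))
```

In practice the value handed to `check_dkim_record` would be the TXT answer for the selector name after the strings are concatenated; the check catches the two failures that show up most often after publishing, a key that was truncated when split across strings and a stale key that no longer matches the profile on the ESA.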
a) decide on an external DMARC aggregator like dmarcian.com for DMARC record aggregation
b) create a DMARC DNS record in the domain and activate it in monitoring mode; set RUF and RUA to the external DMARC aggregator address.
c) check, validate and align SPF and DKIM records of all internal and external systems
d) create a policy to bypass non-DMARC-compliant senders,
e) modify the DMARC DNS policy to first quarantine and then later reject
What sounds like only 5 points has already kept me busy for 1 year across 120 domains
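To show the staged rollout in steps b) and e) concretely, here is an added Python example (not from the post and not a dmarcian or Cisco tool) that builds the `_dmarc.<domain>` record for each stage, checks that a proposed change moves at most one stage stricter without dropping the aggregate-report address, and derives the authorization record the aggregator's domain has to publish when reports are sent outside your own domain. The domain and aggregator mailbox are constructed placeholders.

```python
from __future__ import annotations

from typing import Optional

# Stage order of the rollout: monitoring first, then quarantine, then reject.
POLICY_ORDER = ["none", "quarantine", "reject"]

# Constructed placeholder for the reporting mailbox an external aggregator hands you.
AGGREGATOR_MAILBOX = "reports@aggregator.example"


def build_dmarc_record(policy: str, rua: str, ruf: Optional[str] = None,
                       pct: int = 100, sp: Optional[str] = None) -> str:
    """Assemble a DMARC TXT record; v= must come first, then p=."""
    if policy not in POLICY_ORDER:
        raise ValueError(f"unknown policy {policy!r}")
    tags = [("v", "DMARC1"), ("p", policy)]
    if sp:
        tags.append(("sp", sp))
    tags.append(("rua", f"mailto:{rua}"))
    if ruf:
        tags.append(("ruf", f"mailto:{ruf}"))
    if pct != 100:
        tags.append(("pct", str(pct)))
    return "; ".join(f"{k}={v}" for k, v in tags)


def rollout_plan(domain: str, aggregator: str) -> list[tuple[str, str]]:
    """(owner, record) for each stage; publish them one after the other."""
    owner = f"_dmarc.{domain}."
    return [(owner, build_dmarc_record(p, aggregator, aggregator)) for p in POLICY_ORDER]


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse tag=value pairs and enforce the mandatory v= and p= tags."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if not record.lstrip().startswith("v=DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if tags.get("p") not in POLICY_ORDER:
        raise ValueError("p= is required and must be none, quarantine or reject")
    return tags


def check_rollout_step(current: str, proposed: str) -> list[str]:
    """Flag a change that skips a stage, drops aggregate reporting, or has a bad pct."""
    problems: list[str] = []
    cur, new = parse_dmarc(current), parse_dmarc(proposed)
    cur_i, new_i = POLICY_ORDER.index(cur["p"]), POLICY_ORDER.index(new["p"])
    if new_i > cur_i + 1:
        problems.append(f"jumping from p={cur['p']} to p={new['p']} skips a stage")
    if "rua" not in new:
        problems.append("rua= missing: aggregate reports are how you see non-compliant senders")
    elif cur.get("rua") and new["rua"] != cur["rua"]:
        problems.append("rua= changed mid-rollout; reports will go to a different aggregator")
    pct = int(new.get("pct", "100"))
    if not 0 <= pct <= 100:
        problems.append(f"pct={pct} is out of range")
    return problems


def external_report_authorization_name(domain: str, report_uri: str) -> Optional[str]:
    """When rua/ruf point outside `domain` (an external aggregator), RFC 7489
    section 7.1 requires the aggregator's domain to publish
    <domain>._report._dmarc.<aggregator-domain> TXT "v=DMARC1", otherwise receivers
    ignore that URI. Returns the name to look up, or None when no authorization
    is needed. Simplification: domains are compared literally here, while the RFC
    compares Organizational Domains."""
    mailbox = report_uri[len("mailto:"):] if report_uri.startswith("mailto:") else report_uri
    report_domain = mailbox.rsplit("@", 1)[-1].split("!")[0]  # drop any !size suffix
    if report_domain.lower() == domain.lower():
        return None
    return f"{domain}._report._dmarc.{report_domain}"


if __name__ == "__main__":
    for owner, record in rollout_plan("example.com", AGGREGATOR_MAILBOX):
        print(f'{owner} IN TXT "{record}"')
    print(external_report_authorization_name("example.com", f"mailto:{AGGREGATOR_MAILBOX}"))
```

Running the three records through `check_rollout_step` in order returns no problems, while going straight from `p=none` to `p=reject` is flagged; that is the check to run before each DNS change in step e). The authorization name is worth querying once before step b): if the aggregator's domain does not answer for it, the reports you rely on in step c) never arrive.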
Start here:
Chapter Email Authentication