Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3327
Views
0
Helpful
5
Replies

Cisco ESA C170 DMARC Implementation

arumugasamy
Level 1
Level 1

‎01-28-2018 01:07 AM - edited ‎03-08-2019 07:32 PM

Team,

We have in cluster 2 x C170 ESA devices. Now we like to implement DMARC. Related to this, we have bunch of questions posted below for the answers from experts

Can you provide more clarity on the below:

1- We do have a GeoTrust SSL CA - G3 cert. on our Ironport. As I believe we need to publish our public key on the DNS, would this cert. suffice? If yes, how do we go about achieving this publishing?

2- Do we also need to publish our Intermediate cert.?

3- Are there any other pre-requisites at our end?

4- Do we need to extract the private key and have it stored on the Ironport?

5- Are there any pre-requisites at the recipient end?

2 people had this problem
Labels:
0 Helpful
5 Replies 5

Ken Stieers
VIP
VIP

‎01-28-2018 09:06 AM

Just to clarify, you're asking questions about DKIM (or in the ESA "Domain Keys"), not DMARC. 

 

1. Yes, it should work, but you can also have the ESA generate the cert or certs you need, and its pretty easy.  You create a dns record that looks something like this and publish it in your public dns:

<selector>._domainkey.<domain>.com. IN TXT "v=DKIM1; p=<publickey>;"

Selector is set in Mail Policies/Domain Signing Proflies 

2. No, generally you don't have to do this.  DKIM doesn't follow/verify the chain, it just makes sure the mail is signed by a key that matches the cert in DNS.

3. You have to define a DKIM profile and publish the dns record.   The profile sets what key is used to sign mail for each domain you send mail as.  Set up the profile, publish the DNS record, WAIT A DAY OR 2 for DNS to update everywhere, then turn on signing.   

4. Yes.  Do that under Mail Polices/Signing Keys. 

5.  Not really... they have to be configured to check DKIM, but you can't control that...

 

 

0 Helpful

arumugasamy
Level 1
Level 1
In response to Ken Stieers

‎01-28-2018 10:52 AM

Dear Ken,

Customer wants to implement DMARC. Pls clarify all possible things in deployment way.

Thanks

 

 

0 Helpful

marc.luescherFRE
Spotlight
Spotlight
In response to arumugasamy

‎01-29-2018 12:16 PM

Hi there,

 

a) decide on an external DMARC aggregator like dmarcian.com for DMARC record aggregation

b) create DMARC DNS record in domain and activate it in monitoring mode set RUF and RUa to external DMARC aggregator address.

c) check, valdiate and allign SPF and DKIm records of all internal and external system

d) create a policy to bypass non DMARC complaint senders,

e) modify DMARC DNS policy to first quarantine and then later reject

 

What sounds like only 5 points keeps me already busy since 1 year for 120 domains

 

0 Helpful

arumugasamy
Level 1
Level 1
In response to marc.luescherFRE

‎01-29-2018 12:32 PM

Dear Marc,

Thanks for your reply.

Is it possible to give me the deployment guide to implement DMARC .

0 Helpful
Customers Also Viewed These Support Documents