cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2227
Views
0
Helpful
5
Replies
Highlighted
Beginner

Cisco ESA C170 DMARC Implementation

Team,

We have in cluster 2 x C170 ESA devices. Now we like to implement DMARC. Related to this, we have bunch of questions posted below for the answers from experts

Can you provide more clarity on the below:

1- We do have a GeoTrust SSL CA - G3 cert. on our Ironport. As I believe we need to publish our public key on the DNS, would this cert. suffice? If yes, how do we go about achieving this publishing?

2- Do we also need to publish our Intermediate cert.?

3- Are there any other pre-requisites at our end?

4- Do we need to extract the private key and have it stored on the Ironport?

5- Are there any pre-requisites at the recipient end?

5 REPLIES 5
Highlighted
Engager

Re: Cisco ESA C170 DMARC Implementation

Just to clarify, you're asking questions about DKIM (or in the ESA "Domain Keys"), not DMARC. 

 

1. Yes, it should work, but you can also have the ESA generate the cert or certs you need, and its pretty easy.  You create a dns record that looks something like this and publish it in your public dns:

<selector>._domainkey.<domain>.com. IN TXT "v=DKIM1; p=<publickey>;"

Selector is set in Mail Policies/Domain Signing Proflies 

2. No, generally you don't have to do this.  DKIM doesn't follow/verify the chain, it just makes sure the mail is signed by a key that matches the cert in DNS.

3. You have to define a DKIM profile and publish the dns record.   The profile sets what key is used to sign mail for each domain you send mail as.  Set up the profile, publish the DNS record, WAIT A DAY OR 2 for DNS to update everywhere, then turn on signing.   

4. Yes.  Do that under Mail Polices/Signing Keys. 

5.  Not really... they have to be configured to check DKIM, but you can't control that...

 

 

Highlighted
Beginner

Re: Cisco ESA C170 DMARC Implementation

Dear Ken,

Customer wants to implement DMARC. Pls clarify all possible things in deployment way.

Thanks

 

 

Highlighted
Participant

Re: Cisco ESA C170 DMARC Implementation

Hi there,

 

a) decide on an external DMARC aggregator like dmarcian.com for DMARC record aggregation

b) create DMARC DNS record in domain and activate it in monitoring mode set RUF and RUa to external DMARC aggregator address.

c) check, valdiate and allign SPF and DKIm records of all internal and external system

d) create a policy to bypass non DMARC complaint senders,

e) modify DMARC DNS policy to first quarantine and then later reject

 

What sounds like only 5 points keeps me already busy since 1 year for 120 domains

 

Highlighted
Beginner

Re: Cisco ESA C170 DMARC Implementation

Dear Marc,

Thanks for your reply.

Is it possible to give me the deployment guide to implement DMARC .

Highlighted
Participant

Re: Cisco ESA C170 DMARC Implementation