DKIM signing and cloud mail service

Greg.Howley
Level 1

We are migrating to a cloud vendor for email.

Some of our internal systems still send mail to the internet. We have not enabled DKIM signing on the Ironports, but our cloud vendor signs everything.

How do I sync DKIM between Ironports and our cloud vendor?

6 Replies

Philip D'Ath
VIP Alumni

You don't have to DKIM sign your email on your Ironports if you don't want to.

Also the keys do not have to be synchronised.  Your cloud provider can use one set of DKIM signing keys and your Ironports their own DKIM signing keys.  In fact, this is highly likely to be the way it would be done.

OK, follow up question.

We are trying to enforce DMARC.

I have DKIM signing enabled everywhere I can see on the Ironports.  DMARCIAN reports show that one of our domains still sends a number of unsigned emails to our cloud provider (via our Ironports).  How do I determine why these aren't being signed?

Hang on, trolling through the logs I found a bunch of stuff that says DomainKeys: cannot sign - no profile matches usrname@DOMAIN.com

My signing profile is for domain.com. Is it case sensitive?

Hello,

The reason you're seeing this message is because the ESA is checking for both a DomainKeys /and/ a DKIM profile prior to signing the message. As long as you have DKIM set up successfully you should see this message along with a successful DKIM signing right after. If that is the case then you can ignore the DomainKeys log as it's non-impacting.

You should see something similar to the following:

DKIM: signing with dkim-sign - matches user@domain.com

Thanks!

-Dennis M.
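
One way to separate the harmless DomainKeys line from mail that really left unsigned, as an added example (not code from this thread or from Cisco): it pairs the two log messages quoted above per message and reports senders that never got the DKIM signing line. The `MID <n>` prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Message texts are the two quoted in the thread; the "MID <n>" prefix used
# to correlate lines of one message is an assumed log layout.
DK_MISS = re.compile(r"MID (\d+) DomainKeys: cannot sign - no profile matches (\S+)")
DKIM_OK = re.compile(r"MID (\d+) DKIM: signing with (\S+) - matches (\S+)")

def unsigned_messages(lines):
    """Return {mid: sender} for messages that logged the DomainKeys miss
    but never logged a 'DKIM: signing with' line."""
    misses, signed = {}, set()
    for line in lines:
        m = DK_MISS.search(line)
        if m:
            misses[m.group(1)] = m.group(2)
            continue
        m = DKIM_OK.search(line)
        if m:
            signed.add(m.group(1))
    return {mid: addr for mid, addr in misses.items() if mid not in signed}

def unsigned_by_domain(lines):
    """Count unsigned messages per sender domain. Domains are lower-cased
    for grouping only, so DOMAIN.com and domain.com land in one bucket."""
    counts = Counter()
    for addr in unsigned_messages(lines).values():
        counts[addr.rpartition("@")[2].lower()] += 1
    return dict(counts)

# Constructed sample lines (not real log output).
SAMPLE = """\
Info: MID 101 DomainKeys: cannot sign - no profile matches user@domain.com
Info: MID 101 DKIM: signing with dkim-sign - matches user@domain.com
Info: MID 102 DomainKeys: cannot sign - no profile matches printer@DOMAIN.com
Info: MID 103 DomainKeys: cannot sign - no profile matches app@sub.domain.com
Info: MID 104 DKIM: signing with dkim-sign - matches user@domain.com
""".splitlines()

if __name__ == "__main__":
    for mid, sender in unsigned_messages(SAMPLE).items():
        print(f"MID {mid} left unsigned: {sender}")
    print(unsigned_by_domain(SAMPLE))
```

The per-domain counts can be compared with the unsigned sources a DMARC aggregate report lists for the same period.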

I am having an issue getting DKIM to work on Cisco ESA for outgoing email.

I get the “dkim permerror” below.

1. Scenario: DKIM Signing for Outgoing Mail

Email Setup:

MTA (Relay Host) -> ESA (Relay Server) -> Internet. MTA sits behind the ESA.

For Outgoing Email, does the MTA perform DKIM Signing or ESA or both? Can you please advise which method is the best practice.

May I please seek your assistance.

[Attachment: ESA DKIM Signing Issue.jpg]

Generally, the last hop outbound should sign the mail.

Did the DKIM DNS entry get published to your DNS servers?

Hi Ken,

My apologies for a delayed response.
Good advice, I will disable the DKIM signing on the "MTA (Relay Host)", the Originating Internal MTA.

I will double check.

I recall I published a DKIM DNS entry on the internal DNS server for the "MTA (Relay Host)", and a different DKIM entry on the external DNS server (Internet facing), for the ESA (last hop outbound) DKIM signing.

PLEASE NOTE: this topology is in a lab environment to simulate Internet Mail.