DKIM signing and cloud mail service

Greg.Howley
Level 1

We are migrating to a cloud vendor for email.  

Some of our internal systems still send mail to the internet.  We have not enabled dkim signing on the ironports, but our cloud vendor signs everything.  

How do I sync dkim between Ironports and our cloud vendor?   


Philip D'Ath
VIP Alumni

You don't have to dkim sign your email on your Ironports if you don't want to.

Also the keys do not have to be synchronised.  Your cloud provider can use one set of DKIM signing keys and your Ironports their own DKIM signing keys.  In fact, this is highly likely to be the way it would be done.

OK, follow up question.

We are trying to enforce DMARC.

I have DKIM signing enabled everywhere I can see on the Ironports.  DMARCIAN reports show that one of our domains still sends a number of unsigned emails to our cloud provider (via our Ironports).  How do I determine why these aren't being signed?

Hang on, trolling through the logs I found a bunch of stuff that says DomainKeys: cannot sign - no profile matches usrname@DOMAIN.com

My signing profile is for domain.com.  Is it case sensitive?


Hello,

The reason you're seeing this message is because the ESA is checking for both a DomainKeys /and/ a DKIM profile prior to signing the message. As long as you have DKIM setup successfully you should see this message along with a successful DKIM signing right after. If that is the case then you can ignore the DomainKeys log as it's non-impacting.

You should see something similar to the following:

DKIM: signing with dkim-sign - matches user@domain.com

Thanks!

-Dennis M.
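To tell the non-impacting DomainKeys line apart from a message that really left unsigned, the log can be grouped per MID and only the DKIM line used for the verdict. This is an added example, not code from the thread or from Cisco; the log lines are constructed in the shape of ESA mail_logs entries, and the DKIM "cannot sign" wording for MID 102 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of ESA mail_logs lines (MIDs, timestamps and
# addresses are made up). MID 101 shows the benign pattern from the thread: a
# DomainKeys "cannot sign" line followed by a successful DKIM signing line.
# The DKIM "cannot sign" wording for MID 102 is assumed, not taken from the page.
SAMPLE_LOG = """\
Mon Mar 31 10:00:01 2025 Info: MID 101 DomainKeys: cannot sign - no profile matches alice@example.com
Mon Mar 31 10:00:01 2025 Info: MID 101 DKIM: signing with dkim-sign - matches alice@example.com
Mon Mar 31 10:00:05 2025 Info: MID 102 DomainKeys: cannot sign - no profile matches bob@Example.COM
Mon Mar 31 10:00:05 2025 Info: MID 102 DKIM: cannot sign - no profile matches bob@Example.COM
Mon Mar 31 10:00:09 2025 Info: MID 103 DomainKeys: cannot sign - no profile matches carol@lab.example
"""

LINE_RE = re.compile(r"MID (?P<mid>\d+) (?P<scheme>DomainKeys|DKIM): (?P<msg>.*)$")
ADDR_RE = re.compile(r"[^\s@]+@[^\s@]+")

def triage_signing(log_text):
    """Group DomainKeys/DKIM lines per MID and decide whether each message
    actually left signed. Returns {mid: (verdict, sender)}."""
    per_mid = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = per_mid[m["mid"]]
        entry[m["scheme"]] = m["msg"]
        addr = ADDR_RE.search(m["msg"])
        if addr:
            entry["sender"] = addr.group(0)
    verdicts = {}
    for mid, entry in per_mid.items():
        # The DomainKeys line alone is non-impacting; only the DKIM line decides.
        signed = entry.get("DKIM", "").startswith("signing with")
        verdicts[mid] = ("signed" if signed else "unsigned", entry.get("sender"))
    return verdicts

def unsigned_sender_domains(log_text):
    """Lower-cased sender domains of messages that left unsigned; compare
    this list against the domains of your DKIM signing profiles."""
    domains = set()
    for verdict, sender in triage_signing(log_text).values():
        if verdict == "unsigned" and sender:
            domains.add(sender.rsplit("@", 1)[1].lower())
    return sorted(domains)

if __name__ == "__main__":
    for mid, (verdict, sender) in triage_signing(SAMPLE_LOG).items():
        print(mid, verdict, sender)
    print("unsigned domains:", unsigned_sender_domains(SAMPLE_LOG))
```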

I am having an issue getting DKIM to work on Cisco ESA for outgoing email.

I get the “dkim permerror” below.

1. Scenario: DKIM Signing for Outgoing Mail

Email Setup:

MTA (Relay Host) -> ESA (Relay Server) -> Internet. MTA sits behind the ESA.

For Outgoing Email, does the MTA perform DKIM Signing or ESA or both? Can you please advise which method is the best practice.

May I please seek your assistance.

Generally, the last hop outbound should sign the mail.

Did the dkim dns entry get published to your dns servers?

Hi Ken,

My apologies for a delayed response.
Good advice, I will disable the DKIM signing on the "MTA (Relay Host)", the Originating Internal MTA.

I will double check.

I recall I published a DKIM DNS entry on the internal DNS server for the "MTA (Relay Host)", and a different DKIM entry on the external DNS server (Internet facing), for the ESA (last hop outbound) DKIM signing.

PLEASE NOTE: this topology is in a lab environment to simulate Internet Mail.


Hi Ken,

My dns server has the correct dkim record. Please refer to results below.

ESA tested successfully.

Receiving Mail Server responded correctly with dig.

However, DKIM failed because 'no key found in DNS', as shown below.

DKIM:'FAIL'

Can you please assist?

Using Mxtoolbox.com, I'm not finding your dkim record at all... 
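Ken's lookup can be reproduced offline by deriving the query name from the DKIM-Signature header and judging the TXT answer the way a verifier would (the 'no key found in DNS' case is the empty answer). This is an added example, not code from the thread or from Cisco or MxToolbox; the signature header, the selector `esa`, the domain `lab.example` and the key bytes are constructed, and the DNS answer is passed in as a list rather than fetched.

```python
import base64
import re

# Constructed DKIM-Signature header value (d=, s=, bh= and b= are made up).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=lab.example; s=esa;"
    " h=from:to:subject:date; bh=Zm9v; b=YmFy"
)
# Constructed TXT record; p= is a truncated placeholder, not a usable key.
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDx"

def parse_tags(value):
    """Split a DKIM tag=value list (signature header or DNS TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_query_name(signature_header):
    """The name a verifier looks up: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_record(txt_records):
    """Judge the TXT answer for the query name. txt_records is the list of
    TXT record strings returned by DNS (empty list = no answer)."""
    if not txt_records:
        return "no key found in DNS"
    candidates = [parse_tags(r) for r in txt_records]
    # A key record must carry p=; v= is optional but, if present, must be DKIM1.
    keys = [t for t in candidates if "p" in t and t.get("v", "DKIM1") == "DKIM1"]
    if not keys:
        return "TXT answer is not a DKIM key record"
    if len(keys) > 1:
        return "multiple key records at one name (ambiguous)"
    key = keys[0]
    if key["p"] == "":
        return "key revoked (empty p= tag)"  # empty p= means revoked (RFC 6376)
    if key.get("k", "rsa") not in ("rsa", "ed25519"):
        return "unsupported key type"
    try:
        base64.b64decode(key["p"], validate=True)
    except (ValueError, base64.binascii.Error):
        return "p= is not valid base64"
    return "ok"

if __name__ == "__main__":
    print("query:", dkim_query_name(SAMPLE_SIGNATURE))
    print("answer:", check_dkim_record([SAMPLE_TXT]))
    print("empty answer:", check_dkim_record([]))
```

Feed the real answer from `dig TXT <query name>` into `check_dkim_record` to get the same verdict the receiving server's verifier reached.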

Hi Ken,

I really appreciate your prompt response.

My apologies, these are private domains that exist in a home lab environment.

RE: What's more important to me is to implement TLS on Cisco ESA.

May I please make the following inquiries about how to do it.

I know it's for email encryption but that's about it, but then...:

What is it used for?

How does it work?

Can TLS be implemented for both outgoing and incoming mails?

If only for outgoing email from me to the recipient, then does the receiving mail server need to have TLS implemented?

Regards

Lee

Hey Lee... 

So TLS between email servers is like putting certs/and https on web servers.  It works pretty much the same way.   The client (eg sending server) connects to the receiving server and the server sends its cert and they agree on the encryption and then send the data through the encrypted connection.  

The intent is to keep the emails from being easily sniffed/read by others.   It can be on both incoming and outgoing mail.

You technically don't need a certificate on the ESA for outgoing mail to be encrypted, you configure that in the Mail Policy/Destination Controls.

For inbound mail, you put a certificate on your ESA, and in the various Mail Flow Policies you can set it much like you do with destination controls... (none/preferred/required) 

Hi Ken,

That's great. Thank you for your assistance.

Have a nice day.

Hi Ken,

Can you please confirm for me if Destination Controls is used for incoming mail or outgoing mail or both?

It is used for all mail leaving the ESA...

So mail leaving your email server gets to the ESA and on its way to my server would be configured via destinations controls..

And inbound mail from my servers to your ESA can also be configured via the destination controls on how it gets delivered to your email servers.


Thank you very much for the explanation.

Have a nice weekend