DNS Authentication - Inbound Checks

Document created by user.3AEuBpAOr2 Expert on Jan 25, 2017Last modified by user.oxriBaJeN4 on Mar 29, 2017
Version 6Show Document
  • View in full screen mode

Inbound Emails

 

DNS Authentication is helpful in preventing unwanted and potentially harmful messages from reaching users. When enabled, inbound DNS authentication checks are performed against all messages regardless of any Auto Allow or Permitted Sender entries being present. The following actions can be applied depending on the result of the inbound checks performed:

  • Reject
  • Ignore Managed / Permitted Sender entries
  • Take no action
The configuration for Outbound DKIM signing has been moved to a separate policy and definition. More information can be found in the DNS Authentication - Outbound Signing article.

Configuring a DNS Authentication Definition

 

This definition controls the various email authentication checks performed when Mimecast receives an inbound email. It also allows for different actions to be applied depending on the result returned by the checks being performed.

 

To configure an inbound DNS Authentication definition.

  1. Log on to the Administration Console.
  2. Open the Gateway Policy Editor.
  3. Select the Definitions drop down. A list of the definition types is displayed.
  4. Select the DNS Authentication - Inbound definition type from the list. Any definitions that already exist are displayed.
  5. Either select the:
    • Policy to be changed.
    • New DNS Authentication - Inbound Checks button to create a definition.
  6. Complete the DNS Authentication - Inbound Check Properties section as follows:

    FieldConfigurable ActionsDescription
    DescriptionN/AEnter a description for the definition that allows you to easily identify it at a later date.
    Verify SPF for Inbound MailEnabled / DisabledSelect this option to enable SPF checks on inbound messages. We'll only be able to perform these checks if the sender has published SPF records for their domain. When at least one of them has been published, we will perform the check.
    Verify DKIM for Inbound MailEnabled / DisabledSelect this option to enable DKIM checks on inbound messages. We'll only be able to perform these checks if the sender has published a valid DKIM public key for their domain.
    Verify DMARC for Inbound MailEnabled / DisabledSelect this option to enable DMARC checks on inbound messages. We'll only be able to perform these checks if the sender has published a valid DMARC record for their domain.
  7. Configure the action you wish to apply for each of the possible results that can occur, based upon the enabled inbound checks.

    SPF

    Scan Result
    Configurable Actions
    Description

    None

    • Reject
    • Ignore Managed / Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the SPF check returns a "None" result.
    • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "None" result.
    • Take No Action: No specific actions are applied to a message when the SPF check returns a "None" result.
    Neutral
    • Reject
    • Ignore Managed / Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the SPF check returns a "Neutral" result.
    • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "Neutral" result.
    • Take No Action: No specific actions are applied to a message when the SPF check returns a "Neutral" result.

    SoftFail

    • Reject
    • Ignore Managed / Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the SPF check returns a "SoftFail" result.
    • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "SoftFail" result.
    • Take No Action: No specific actions are applied to a message when the SPF check returns a "SoftFail" result.

    HardFail

    • Reject
    • Ignore Managed / Permitted Sender Entries (Default)
    • Take No Action
    • Reject: Inbound messages are rejected when the SPF check returns a "HardFail" result.
    • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "HardFail" result.
    • Take No Action: No specific actions are applied to a message when the SPF check returns a "HardFail" result.

    PermError

    • Reject
    • Ignore Managed / Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the SPF check returns a "PermError" result.
    • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "PermError" result.
    • Take No Action: No specific actions are applied to a message when the SPF check returns a "PermError" result.

    TempError

    • Reject
    • Ignore Managed / Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the SPF check returns a "TempError" result.
    • Ignore Managed / Permitted Sender Entries: Reputation, greylisting, and spam checks are performed when the SPF check returns a "TempError" result.
    • Take No Action: No specific actions are applied to a message when the SPF check returns a "TempError" result.

     

    DKIM

     

    Scan ResultConfigurable ActionsDescription
    None
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the DKIM check returns a "None" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "None" result.
    • Take No Action: No specific actions are applied to a message when the DKIM check returns a "None" result.
    Fail
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the DKIM check returns a "Fail" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "Fail" result.
    • Take No Action: No specific actions are applied to a message when the DKIM check returns a "Fail" result.
    PermError
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the DKIM check returns a "PermError" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "PermError" result.
    • Take No Action: No specific actions are applied to a message when the DKIM check returns a "PermError" result.
    TempError
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action (Default)
    • Reject: Inbound messages are rejected when the DKIM check returns a "TempError" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DKIM check results in a "TempError" result.
    • Take No Action: No specific actions are applied to a message when the DKIM check returns a "TempError" result.

     

    DMARC

    Scan ResultConfigurable ActionsDescription
    None
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action
    • Reject: Inbound messages are rejected when the DMARC check returns a "None" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "None" result.
    • Take No Action: No specific actions are applied to a message when the DMARC check returns a "None" result.
    Fail
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Honor DMARC DNS Record Action
    • Take No Action
    • Reject: Inbound messages are rejected when the DMARC check returns a "Fail" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "Fail" result.
    • Honor DMARC DNS Record Action: Applies the action specified in the DMARC record for the sending domain specified by the domain owner.
      If a DMARC policy uses the 'Quarantine' action, Mimecast places the message in hold for review.
    • Take No Action: No specific actions are applied to a message when the DMARC check returns a "Fail" result.
    PermError
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action
    • Reject: Inbound messages are rejected when the DMARC check returns a "PermError" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "PermError" result.
    • Take No Action: No specific actions are applied to a message when the DMARC check returns a "PermError" result.
    TempError
    • Reject
    • Ignore Auto Allow or Permitted Sender Entries
    • Take No Action
    • Reject: Inbound messages are rejected when the DMARC check returns a "TempError" result.
    • Ignore Auto Allow or Permitted Sender Entries: Spam checks are performed when the DMARC check results in a "TempError" result.
    • Take No Action: No specific actions are applied to a message when the DMARC check returns a "TempError" result.
  8. Select the Save and Exit button to save the definition.

 

See Also...

 

Attachments

    Outcomes