DNS Authentication: Outbound Signing

Document created by user.3AEuBpAOr2 Expert on Jan 25, 2017Last modified by user.oxriBaJeN4 on Apr 20, 2017
Version 9Show Document
  • View in full screen mode

If you require DKIM signing for outbound emails, your organization's DNS record must be populated with the appropriate public key. In order to generate the DKIM Public key, a DNS Authentication: Outbound Signing definition must be created. This allows you to select the appropriate internal domain, and generate the Public DKIM key. This definition will also provide all of the information that needs to be inserted into your domain's DNS entry.

 

Once Mimecast has validated the new DNS Record TXT entry and a corresponding DNS Authentication: Outbound Signing policy is in place, all outbound messages that meet the policy criteria will be DKIM signed.

 

Configuring a DNS Authentication Definition

 

To configure a DNS Authentication definition:

  1. Log on to the Administration Console.
  2. Open the Gateway Policy Editor.
  3. Click on the Definitions drop down. A list of the definition types is displayed.
  4. Click on the DNS Authentication - Outbound Signing definition type from the list. The list of definitions is displayed.
  5. Either select the:
    • Policy to be changed.
    • New DNS Authentication - Outbound Signing button to create a definition.
  6. Complete the DNS Authentication - Outbound Signing Properties section as follows:

    FieldDescription
    DescriptionEnter a description for the definition that allows you to easily identify it at a later date.
    Sign Outbound Messages with DKIMSelect this option to enable DNS authentication checks on outbound email. When enabling DKIM signing, the "Domain", "Selector", and  "Public Key" fields must be populated.
    DKIM Key Length

    This option allows you configure the key length of the DKIM signature that is to be generated. You will have the choice between creating DKIM keys with the length of 1024 or 2048 bits.

    This option is only displayed after an internal domain is selected.

    Using a DKIM key length of 2048 bits, will exceed the 255 character limit imposed in TXT records. Contact your DNS provider who should be able to assist you in creating the required TXT records.
    DomainThis field is only displayed if the "Sign Outbound Messages with DKIM" option is selected. Use the Lookup button to select an internal domain.
    SelectorThis field is only displayed if the "Sign outbound messages with DKIM" option is selected. Selectors allow a domain to have more than one public key advertised in DNS. The default selector is "mimecastYYYYMMDD". Although this text entry can be adjusted, we recommend regularly switching to a new DNS Authentication policy. For this reason use "YYYYMMDD" in your selector.
    Public KeyThis field is only displayed if the "Sign Outbound Messages with DKIM" option is selected.
    1. Click the Generate button to create the private and public key pairs. The private key is automatically saved in Mimecast, and will not be displayed for security reasons. The public key is displayed in the Public Key field.
    2. Copy the Public Key value to your clipboard.
    3. Add the Public Key to the DNS TXT record for 'selector._domainkey.domain' where:
      • 'selector' equals the selector you have configured.
      • 'domain' equals the domain you are creating the DNS Authentication policy for.
    4. Click the Check DNS button to perform a DNS TXT lookup for 'selector._domainkey.domain'.
    5. Compare the string with the published string in the Public Key field.
    If the test fails due to Mimecast not finding a TXT record, allow up to 72 hours of propagation time after publishing the TXT record in DNS. It is important to ensure that the correct TXT record has been published, so that it matches the Public Key field entry. The definition will only activate after a successful DNS check.
  7. Click on the Save and Exit button to save the definition.

 

Implementing SPF for Outbound Email Delivery

 

To ensure a successful implementation of SPF with us, include a comprehensive list of our outbound IP addresses in your DNS SPF record. This is a long list (24 distinct IP4 ranges at the time of writing) and new ranges may be added in the future without notice. You can ensure your record is always up to date by including the "_netblocks.mimecast.com" statement.

 

Some typical examples are suggested below as a starting point for constructing an appropriate record.

 

ScenarioDescriptionExample
Simple CaseRelaxed configuration which only sends external mail for a given domain via Mimecast."v=spf1 include:_netblocks.mimecast.com ~all"
Strict CaseImplements a strict SPF reject for unmatched requests. We recommend testing with the relaxed syntax first."v=spf1 include:_netblocks.mimecast.com –all"
Customers with an Existing SPF Record for a Given DomainIf you've an existing SPF record representing a range of possible senders, these examples show how you can include Mimecast as a legitimate sender.
Old"v=spf1 mx ~all"
New"v=spf1 mx include:_netblocks.mimecast.com ~all"
Old"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
New"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a include:_netblocks.mimecast.com -all"
Customers with an Existing SPF Include Record for a Given DomainCustomers with existing SPF records should review their entries to ensure Mimecast servers are referenced only once. Any previous Mimecast references should be removed in favour of _netblocks.mimecast.com. Customers using a domain include mechanism to refer to a DNS entry which already references _netblocks.mimecast.com, need take no further action.
Old"v=spf1 ?include:example.com -all"
New"v=spf1 ?include:example.com include:_netblocks.mimecast.com -all"

 

Creating the DNS Entry

 

If you wish to implement SPF for your domain, you'll need to create a corresponding TXT DNS record. To check your existing TXT/SPF records, use an available DNS query service. There are many tools for this available on the internet as well as command line applications.

Some DNS providers will not allow for TXT records to exceed 255 characters. If this is the case, contact your DNS provider for assistance.

See Also...

 

Attachments

    Outcomes