6.5 Creating a DKIM Verification Policy

Unlike the typical filter in Secure Messaging Gateway, which looks for a reason to filter a message out, this filter searches for something that allows a message in. Depending on the use case, the "Invert node logic" switch may be needed. For more information on DKIM, see OpenDKIM.org.

6.5.1 Blocking Messages Without a Valid DKIM Signature

This is useful for blocking spammers attempting to spoof a legitimate email domain.

  1. If you know that a sending domain applies DKIM signatures to all of its outbound email, you can define a rule chain to protect against spoofed email attempts of that domain. This setup starts with an email address filter connected to a child DKIM filter, followed by a block service connected to the DKIM filter.

  2. The address filter is set to include sender addresses and has a pattern for the source domain (for example, *@microfocus.com). This primary address filter determines whether the DKIM filter will be checked. Enable "Run children if activated" so the rest of the chain will complete.

  3. As the DKIM filter activates when a valid signature is detected, this node must be configured with 'Invert node logic' to detect messages that do not have a valid signature.

  4. The result of this logic chain is: "If the email address IS from *@microfocus.com AND the DKIM signature IS NOT valid THEN block the message".

6.5.2 Sending a Notification That a Message Has a Valid DKIM Signature

This policy is useful to notify users that a message has a valid DKIM signature. While using a Tag service would appear to make sense, that would alter the message and break DKIM.

Configure the Notify Service to send a message alerting the user that the message has a valid DKIM signature. It is recommended to include the subject.
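
Why tagging breaks DKIM while a separate notification does not, shown as an added example that is not part of the product documentation. It assumes the sender signs the Subject header and uses "relaxed" canonicalization as defined in RFC 6376; the sample message and the tag strings are constructed, and the product's Tag service may modify messages differently.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of spaces/tabs to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier compares with the bh= tag of a SHA-256 DKIM signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # normalize whitespace
    return f"{name.strip().lower()}:{value}\r\n".encode()


# Constructed sample message, not taken from real mail.
SUBJECT = "Quarterly report"
BODY = b"Hello team,\r\n\r\nThe report is attached.\r\n"


def tag_effect(subject, body, new_subject, new_body):
    """Return (signed Subject changed, body hash changed) after a modification."""
    header_changed = (relaxed_header("Subject", subject)
                      != relaxed_header("Subject", new_subject))
    return header_changed, body_hash(body) != body_hash(new_body)


if __name__ == "__main__":
    # Hypothetical tag styles (assumption, for illustration only).
    print("whitespace only:", tag_effect(SUBJECT, BODY, "Quarterly   report", BODY + b"\r\n"))
    print("subject tag:    ", tag_effect(SUBJECT, BODY, "[DKIM OK] " + SUBJECT, BODY))
    print("body footer tag:", tag_effect(SUBJECT, BODY, SUBJECT, BODY + b"-- DKIM verified --\r\n"))
```

Only whitespace differences survive relaxed canonicalization; any tag text added to a signed header or to the body changes the data the signature covers, so downstream verifiers would see the message as failing DKIM.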