Configure DKIM Large Key Verification for Secure Email Gateway

Available Languages

Download Options

  • PDF     (150.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (220.8 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (178.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 5, 2024
Document ID:221900

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the expanded DKIM larger key size verification capability for signed emails. 

    Prerequisites

    General knowledge of the SEG settings and configuration is desired.

    Components Used

    • Cisco Secure Email Gateway (SEG) AsyncOS 15.5.1 and newer
    • DKIM Verification Profiles
    • Mail Flow Policies

    "The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command."

    Overview

    The SEG can perform inbound verification of DKIM signed email.

    Historically the SEG verification key range was 512-2048 before 15.5 AsyncOS. 

    AsyncOS 15.5 supports the key range of 1024-4096 bits

    512 and 768-bit sized keys15.5 are now deprecated, although profiles containing 512-768 before the upgrade remain in service.

    Configure

    The SEG setup is very minimal to accommodate the new key sizes.

    Navigate within the WebUI to:

    • Mail Policies
      • Domain Keys
        • DKIM Verification Profiles

    DKIM Verification ProfileDKIM Verification Profile

    DKIM Verification Profiles Summary PageDKIM Verification Profiles Summary Page

    Apply the new DKIM Verification Profiles to the desired Incoming Mail Flow Policies:

    • Mail Policies
      • Mail Flow Policies
        • Choose the desired Mail Flow Policy to apply the new DKIM Verification Profile based on your organizational preferences.
          • Scroll down to the Security Features section and locate "DKIM Verification:"
            • Select the appropriate profile of your choosing.

    MFP_profile_selection_650

    Note: Prior to AsyncOS 15.5, DKIM Verification was limited to 2048 bit and would pass a larger key size as unsigned.

    Verify

    The SEG does not log details regarding the key size within the Mail Logs or Message Tracking.

    Before AsyncOS 15.5 a large 1024-4096 DKIM signing would pass as unsigned.

    Some small indicators of the DKIM large key size require post-processing checks.

    • Header retrieval and review of the b= value. This value is larger with the larger key size although it is not a direct value to compute.
    • DKIM DNS record displays the public key of the pair which increases in size from (estimated) 180 bytes for 512-bit to 800 bytes for 4096-bit.
    • A public search for "DKIM key size check," could produce multiple websites containing search tools to retrieve DKIM records. Using the Selector and domain, these sites query the DNS record and generate the key bit size, and DNS query results in the output.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    17-Apr-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Chris Arellano
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products