Sender Authentication

Symantec Messaging Gateway provides sender authentication to check whether the apparent senders of inbound messages are genuine or forged. You can enable Sender Policy Framework (SPF), the Sender ID standard, DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on the Spam > Settings > Sender Authentication page. You can then assign sender authentication policies to your policy groups to direct how the messages that fail authentication should be treated.
Symantec Email Fraud Protection is a cloud service that helps customers implement the DMARC standard to prevent attackers from spoofing their domain names. Email Fraud Protection is offered as an add-on for Symantec Messaging Gateway. Customers who purchase the service point their DMARC, SPF, and DKIM records to the Email Fraud Protection platform, which responds to authentication requests in real time and ensures that email sent using the customer’s domain name is authorized. For information about how Email Fraud Protection works, see the service’s online help at FRAUD_PRO?locale=EN_US.
Sender Authentication page settings and controls
Item
Description
Authentication Service Identifier
SMG inserts the Authentication Service Identifier string into the Authentication-Results message header, followed by the sender authentication results.
Enter a string that may identify the site to you when you look at the Authentication-Results message header. Use the syntax of a fully qualified domain name; for example:
  • example.com
  • mail.example.org
  • ms1.newyork.example.com
  • example-auth
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Select to enable DMARC for sender authentication. DMARC uses SPF and DKIM to authenticate email messages. For this reason, SMG automatically enables SPF and DKIM when you enable DMARC.
If you did not deploy SMG at the gateway, DMARC and DKIM results are useful, but the SPF result is always None. SMG does not perform SPF validation when the connecting IP address is internal.
The following is an example of a DMARC authentication results header:
Authentication-Results: symauth.service.identifier; spf=pass; senderid=none; dkim=pass header.d=sendercompany.ccsend.com header.s=1000027527 header.v=1 header.q=dns header.a=rsa-sha256; dmarc=fail (p=QUARANTINE dis=QUARANTINE) [email protected]
DMARC may reduce processing performance, but provides more effective spam protection.
Sender Policy Framework (SPF)
Select to enable SPF for sender authentication.
Examples of SPF results:
Authentication-Results: symauth.service.identifier; spf=fail;
Authentication-Results: symauth.service.identifier; spf=pass;
Authentication-Results: symauth.service.identifier; spf=neutral;
Authentication-Results: symauth.service.identifier; spf=softfail;
DomainKeys Identified Mail (DKIM)
Select to enable DKIM validation. You can also change the Maximum number of DKIM signature validations to any number between 1 and 20, inclusive.
  • If any DKIM signature passes before the Maximum number of DKIM signature validations is reached, the message passes DKIM validation.
  • When the Maximum number of DKIM signature validations is exceeded for a single message, Symantec Messaging Gateway stops DKIM validation for the message and reports a result of dkim=policy.
All DKIM validated mail has the DKIM results inserted into the Authentication-Results message header.
Examples of formats for DKIM results:
Authentication-Results: auth.example.com; dkim=pass (good signature) header.d=sender.com header.s=gamma header.v=1 header.a=rsa-sha256
or
Authentication-Results: auth.example.com; dkim=fail (reason) header.d=sender.com header.s=gamma header.v=1 header.a=rsa-sha256
DKIM validation may reduce processing performance, but provides more effective spam protection.
Sender ID
Select to enable Sender ID for sender authentication.
SPF is automatically enabled when you check Sender ID, because authenticating Sender ID with DNS also provides SPF authentication.
Examples of senderid results:
Authentication-Results: symauth.service.identifier; senderid=fail;
Authentication-Results: symauth.service.identifier; senderid=pass;
Authentication-Results: symauth.service.identifier; senderid=neutral;
Authentication-Results: symauth.service.identifier; senderid=softfail;
Enable Failure Reports
Select this option if you want SMG to email a report to the sending domain after a message fails DMARC validation. You must enable Domain-based Message Authentication, Reporting, and Conformance (DMARC) before you can enable failure reports.
The sending domain must have a ruf tag in the DMARC DNS record that provides an email address to receive forensic reports. For more information, visit
Sender Address
If you enable failure reports, enter the address that you want to appear in the From header of the failure reports. This address must be a valid email address on your mail system.
SMG sends failure reports only to domains that supply an email address in their DMARC DNS records. If a failure report can't be delivered to a domain that supplies an address, your Sender Address mailbox receives a bounceback message. If you want to monitor when failure reports can't be delivered, enter an administrator address as the Sender Address. If you do not want to monitor these delivery failures, enter the address of an email account that is not monitored.
Domain Authentication
Select which domains to authenticate.
  • Authenticate all domains performs sender authentication on messages from all domains (recommended). This setting may reduce processing performance, but provides the most effective spam protection.
  • Authenticate only the following domains performs sender authentication only on messages from the listed domains. This setting provides the least spam protection.
  • Authenticate all domains except the following domains excludes messages from the listed domains from sender authentication. This setting lets you skip sender authentication on the messages that appear to originate from trusted domains.
When you select Authenticate only the following domains or Authenticate all domains except the following domains, SMG checks the domain of the envelope sender against the domains in the list. SMG does not check whether the sender domain in the message From header is in the list.
Add
Adds a new domain to the list for Authenticate only the following domains or Authenticate all domains except the following domains.
Symantec Messaging Gateway performs exact matches against the domains that you add. For example, if you add the top domain, SMG does not automatically match the subdomains. You must explicitly add each subdomain that you also want to match. You cannot use wildcards.
Edit (domain)
Edits the domain that you select.
Delete (domain)
Deletes the domain that you select.
Save
Saves your changes.
Cancel
Cancels your changes and reverts back to the configuration settings as of the last time you saved.
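
The Authentication-Results formats shown in the table above can be checked downstream of SMG, for example in a log pipeline. The following Python is an added example, not part of the Symantec documentation: it parses those headers, trusts only results stamped with your own Authentication Service Identifier (assumed here to be symauth.service.identifier), and lists fail, softfail and policy results. The function names are hypothetical; the sample headers are the ones shown on this page.

```python
import re

TRUSTED_ID = "symauth.service.identifier"  # assumption: the identifier you configured
COMMENT = re.compile(r"\(([^()]*)\)")
ALERT_RESULTS = {"fail", "softfail", "policy"}
SAMPLES = [  # headers from this page; the obfuscated trailing property is omitted
    "Authentication-Results: symauth.service.identifier; spf=pass; senderid=none; "
    "dkim=pass header.d=sendercompany.ccsend.com header.s=1000027527 header.v=1 "
    "header.q=dns header.a=rsa-sha256; dmarc=fail (p=QUARANTINE dis=QUARANTINE)",
    "Authentication-Results: symauth.service.identifier; spf=softfail;",
    "Authentication-Results: auth.example.com; dkim=pass (good signature) "
    "header.d=sender.com header.s=gamma header.v=1 header.a=rsa-sha256",
]

def parse_authres(header):
    """Return (authserv_id, {method: [{'result', 'comment', 'props'}, ...]})."""
    value = header.split(":", 1)[1]
    comments = []
    def stash(match):  # comments may hold '=' or ';', so lift them out first
        comments.append(match.group(1))
        return f" \x00{len(comments) - 1} "
    parts = [p.split() for p in COMMENT.sub(stash, value).split(";")]
    authserv_id = parts[0][0].lower() if parts[0] else ""
    methods = {}
    for tokens in parts[1:]:
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower(), "comment": None, "props": {}}
        for tok in tokens[1:]:
            if tok.startswith("\x00"):      # placeholder left by stash()
                entry["comment"] = comments[int(tok[1:])]
            elif "=" in tok:                # e.g. header.d=sender.com
                entry["props"].update([tok.split("=", 1)])
        methods.setdefault(method.lower(), []).append(entry)
    return authserv_id, methods

def triage(headers, trusted_id=TRUSTED_ID):
    """List (finding, detail) pairs; results from other identifiers are not trusted."""
    findings = []
    for header in headers:
        authserv_id, methods = parse_authres(header)
        if authserv_id != trusted_id.lower():
            findings.append(("untrusted-authserv-id", authserv_id))
            continue
        findings += [(f"{m}={e['result']}", e["comment"])
                     for m, entries in methods.items() for e in entries
                     if e["result"] in ALERT_RESULTS]
    return findings
```

Calling triage(SAMPLES) returns the DMARC failure with its policy comment, the SPF softfail, and a finding for the header that carries a different identifier.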