Symantec Messaging Gateway provides sender authentication to check whether the apparent senders of inbound messages are genuine or forged. You can enable Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) on the Spam > Settings > Sender Authentication page. You can then assign sender authentication policies to your policy groups to direct how the messages that fail authentication should be treated.
Symantec Email Fraud Protection is a cloud service that helps customers implement the DMARC standard to prevent attackers from spoofing their domain names. Email Fraud Protection is offered as an add-on for Symantec Messaging Gateway. Customers who purchase the service point their DMARC, SPF, and DKIM records to the Email Fraud Protection platform, which responds to authentication requests in real time and ensures that email sent using the customer’s domain name is authorized. For information about how Email Fraud Protection works, see the service’s online help at FRAUD_PRO?locale=EN_US.
Authentication Service Identifier
SMG inserts the Authentication Service Identifier string into the Authentication-Results message header, followed by the sender authentication results.
Enter a string that may identify the site to you when you look at the Authentication-Results message header. Use the syntax of a fully qualified domain name; for example:
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Select to enable DMARC for sender authentication. DMARC uses SPF and DKIM to authenticate email messages. For this reason, SMG automatically enables SPF and DKIM when you enable DMARC.
If you did not deploy SMG at the gateway, DMARC and DKIM results are useful, but the SPF result is always None. SMG does not perform SPF validation when the connecting IP address is internal.
The following is an example of a DMARC authentication results header:
Authentication-Results: symauth.service.identifier; spf=pass; senderid=none; dkim=pass header.d=sendercompany.ccsend.com header.s=1000027527 header.v=1 header.q=dns header.a=rsa-sha256; dmarc=fail (p=QUARANTINE dis=QUARANTINE) [email protected]
DMARC may reduce processing performance, but provides more effective spam protection.
Sender Policy Framework (SPF)
Select to enable SPF for sender authentication.
Examples of SPF results:
Authentication-Results: symauth.service.identifier; spf=fail;
Authentication-Results: symauth.service.identifier; spf=pass;
Authentication-Results: symauth.service.identifier; spf=neutral;
Authentication-Results: symauth.service.identifier; spf=softfail;
DomainKeys Identified Mail (DKIM)
Select to enable DKIM validation. You can also change the Maximum number of DKIM signature validations to any number between 1 and 20, inclusive.
All DKIM validated mail has the DKIM results inserted into the Authentication-Results message header.
Examples of formats for DKIM results:
Authentication-Results: auth.example.com; dkim=pass (good signature) header.d=sender.com header.s=gamma header.v=1 header.a=rsa-sha256
Authentication-Results: auth.example.com; dkim=fail (reason) header.d=sender.com header.s=gamma header.v=1 header.a=rsa-sha256
DKIM validation may reduce processing performance, but provides more effective spam protection.
Select to enable Sender ID for sender authentication.
SPF is automatically enabled when you check Sender ID, because authenticating Sender ID with DNS also provides SPF authentication.
Examples of senderid results:
Authentication-Results: symauth.service.identifier; senderid=fail;
Authentication-Results: symauth.service.identifier; senderid=pass;
Authentication-Results: symauth.service.identifier; senderid=neutral;
Authentication-Results: symauth.service.identifier; senderid=softfail;
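As an added example (not Symantec code), the following Python parses Authentication-Results header values of the shapes shown above and keeps only the results stamped with the configured Authentication Service Identifier, because a header carrying any other identifier was not written by this SMG. The function names and the mx.other.example header are assumptions constructed for illustration; the input is the header value without the "Authentication-Results:" field name.

```python
import re

# method=result, an optional "(comment)", then ptype.property=value pairs.
CLAUSE = re.compile(r"^([\w-]+)=(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$", re.S)
PROP = re.compile(r"([\w-]+\.[\w-]+)=(\S+)")

def parse_authentication_results(value):
    """Return (authserv_id, [result dicts]) for one header value.

    Simplification: splits on ';', so a ';' inside a comment is not supported.
    """
    value = re.sub(r"\r?\n[ \t]+", " ", value).strip()  # unfold continuation lines
    head, *clauses = [part.strip() for part in value.split(";")]
    authserv_id = head.split()[0].lower() if head else ""
    results = []
    for clause in clauses:
        m = CLAUSE.match(clause)
        if not m:  # e.g. the empty clause after a trailing ';'
            continue
        method, result, comment, rest = m.groups()
        results.append({
            "method": method.lower(),
            "result": result.lower(),
            "comment": comment,
            "props": dict(PROP.findall(rest)),
        })
    return authserv_id, results

def trusted_results(header_values, expected_id):
    """Keep only results stamped with our own Authentication Service Identifier."""
    kept = []
    for value in header_values:
        authserv_id, results = parse_authentication_results(value)
        if authserv_id == expected_id.lower():
            kept.extend(results)
    return kept

# Constructed sample: two header shapes shown above plus one header carrying an
# identifier that is not ours (for example, one already present on arrival).
SAMPLE = [
    "symauth.service.identifier; spf=pass; senderid=none; dkim=pass "
    "header.d=sendercompany.ccsend.com header.s=1000027527 header.v=1 "
    "header.q=dns header.a=rsa-sha256; dmarc=fail (p=QUARANTINE dis=QUARANTINE)",
    "symauth.service.identifier; spf=softfail;",
    "mx.other.example; spf=pass; dkim=pass header.d=sender.com; dmarc=pass",
]

if __name__ == "__main__":
    for r in trusted_results(SAMPLE, "symauth.service.identifier"):
        print(r["method"], r["result"], r["comment"], r["props"])
```

DKIM can contribute several results to one header, one per validated signature, which is why the results are returned as a list rather than keyed by method.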
Enable Failure Reports
Select this option if you want SMG to email a report to the sending domain after a message fails DMARC validation. You must enable Domain-based Message Authentication, Reporting, and Conformance (DMARC) before you can enable failure reports.
If you enable failure reports, enter the address that you want to appear in the From header of the failure reports. This address must be a valid email address on your mail system.
SMG sends failure reports only to domains that supply an email address in their DMARC DNS records. If a failure report can't be delivered to a domain that supplies an address, your Sender Address mailbox receives a bounceback message. If you want to monitor when failure reports can't be delivered, enter an administrator address as the Sender Address. If you do not want to monitor these delivery failures, enter the address of an email account that is not monitored.
Select which domains to authenticate.
When you select Authenticate only the following domains or Authenticate all domains except the following domains, SMG checks the domain of the envelope sender against the domains in the list. SMG does not check whether the sender domain in the message From header is in the list.
Adds a new domain to the list for Authenticate only the following domains or Authenticate all domains except the following domains.
Symantec Messaging Gateway performs exact matches against the domains that you add. For example, if you add the top domain, SMG does not automatically match the subdomains. You must explicitly add each subdomain that you also want to match. You cannot use wildcards.
Edits the domain that you select.
Deletes the domain that you select.
Saves your changes.
Cancels your changes and reverts back to the configuration settings as of the last time you saved.