Setting up sender authentication for inbound mail

Inbound sender authentication detects when spammers attempt to forge the mail server name, the sending domain, or other metadata in the email messages your users receive. SMG offers SPF, Sender ID, DKIM, and DMARC sender authentication options to provide comprehensive spam detection.
Symantec Email Fraud Protection is a cloud service that helps customers implement the DMARC standard to prevent attackers from spoofing their domain names. Email Fraud Protection is offered as an add-on for Symantec Messaging Gateway. Customers who purchase the service point their DMARC, SPF, and DKIM records to the Email Fraud Protection platform, which responds to authentication requests in real time and ensures that email sent using the customer’s domain name is authorized. For information about how Email Fraud Protection works, see the service’s online help at FRAUD_PRO?locale=EN_US.

To set up inbound sender authentication
  1. Set up the sender authentication methods that you want to use for spam detection.
    Inbound sender authentication setup instructions summarizes how to set up SPF, Sender ID, DKIM, and DMARC authentication for inbound mail. You enable each authentication method that you want SMG to use on the Spam > Settings > Sender Authentication page. Then you assign the related content filtering policies to your policy groups. These content filtering policies are located on the Content > Policies > Email > Email Content Filtering Policies page.
    When a message fails sender authentication, SMG processes the message according to the policy that matches the authentication method and failure condition.
  2. Select which external domains to test.
    Sender authentication uses significant processing resources, but it is most effective against spam when SMG authenticates inbound messages from all domains. When you select a Domain Authentication setting, you decide how to balance spam protection against performance for your particular installation.

Inbound sender authentication setup instructions
    Sender authentication method | Inbound implementation steps
    SPF
      1. On the Spam > Settings > Sender Authentication page, in the Authentication Types panel, enable SPF.
      2. On the Content > Policies > Email > Email Content Filtering Policies page, assign policy groups to the related content filtering policies, to process messages that do not pass SPF validation.
    Sender ID
      1. On the Spam > Settings > Sender Authentication page, in the Authentication Types panel, enable Sender ID.
        When you enable Sender ID, SMG also enables SPF because when SMG authenticates the Sender ID with DNS, the process also provides SPF authentication.
      2. On the Content > Policies > Email > Email Content Filtering Policies page, assign policy groups to the related content filtering policies, to process the messages that do not pass Sender ID validation.
    DKIM
      1. On the Spam > Settings > Sender Authentication page, in the Authentication Types panel, enable DKIM.
      2. You can also change the Maximum number of DKIM signature validations to any number between 1 and 20, inclusive.
        When the Maximum number of DKIM signature validations is exceeded for a single message, Symantec Messaging Gateway stops DKIM validation for that message. Additional signatures are ignored.
        If any DKIM signature passes, the message passes DKIM validation. If no signature passes when the Maximum number of DKIM signature validations is reached, the message fails DKIM validation.
      3. On the Content > Policies > Email > Email Content Filtering Policies page, assign policy groups to the related content filtering policies, to process the messages that do not pass DKIM validation.
    DMARC
      1. On the Spam > Settings > Sender Authentication page, in the Authentication Types panel, enable DMARC.
      2. In the DMARC Reporting Settings panel, select DMARC reporting options.
      3. On the Content > Policies > Email > Email Content Filtering Policies page, assign policy groups to the related content filtering policies, to process the messages that do not pass DMARC validation.

Selecting domains for sender authentication
Symantec recommends that you perform sender authentication on all sender domains. However, the Domain Authentication settings let you create a list of sending domains and then choose to include or exclude the domains from sender authentication. When SMG receives a message, it checks the domain of the envelope sender against the list to determine whether or not to perform the sender authentication checks that you enabled.

To select which sender domains to authenticate
  1. In the Domain Authentication panel:
    • Select Authenticate all domains to perform sender authentication on inbound mail from all domains. Then click Save.
      Authenticate all domains provides the most effective spam protection, but has the greatest effect on performance.
    • Select Authenticate only the following domains to perform sender authentication on inbound mail that appears to originate from the listed domains. Then go to Step 4 to build the domain list.
      This option affects performance the least, but provides the least effective spam protection.
    • Select Authenticate all domains except the following domains to exclude the listed domains from sender authentication. Then go to Step 4 to build the domain list.
      When you select this option, SMG does not test any inbound messages that appear to come from these domains. You can use this option to prevent SMG from testing the sending domains that are known to be safe, which may improve performance.
  2. Build the domain list to authenticate or exclude domains from authentication. SMG provides a default list of domains.
    • To add a new domain to the list, click Add. Type a domain name in the text field and click Save.
      Symantec Messaging Gateway performs exact matches against the domains that you add. For example, if you add the top domain, SMG does not automatically match the subdomains. You must explicitly add each subdomain that you also want to match. You cannot use wildcards.
    • To edit the spelling of a domain, select the domain and click Edit. Make changes and click Save.
    • To delete a domain from the list, select the domain and click Delete.
  3. Click Save.
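
Because the domain list is matched exactly against the envelope sender domain, it helps to review a planned list against the sender domains you actually receive before saving it. The following Python sketch is an added example, not SMG code: it models the three Domain Authentication options and reports observed subdomains that a listed parent domain does not cover. The mode names, function names, and sample domains are constructed for illustration, and case-insensitive comparison is an assumption.

```python
from email.utils import parseaddr

# Hypothetical labels for the three Domain Authentication options on the page.
ALL, ONLY_LISTED, ALL_EXCEPT_LISTED = "all", "only_listed", "all_except_listed"

# Constructed sample data: a planned domain list and observed envelope senders.
DOMAIN_LIST = ["example.com", "partner.example"]
OBSERVED = ["billing@example.com", "<news@mail.example.com>",
            "ops@eu.partner.example", "bob@other.example", "<>"]

def envelope_domain(mail_from):
    """Return the lower-cased domain of an envelope sender (MAIL FROM) value."""
    addr = parseaddr(mail_from)[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def is_authenticated(mail_from, mode, domain_list):
    """True if the enabled sender authentication checks would run for this sender."""
    # Exact match only: a listed parent domain does not cover its subdomains.
    # Lower-casing both sides is an assumption, not documented SMG behaviour.
    listed = envelope_domain(mail_from) in {d.lower() for d in domain_list}
    if mode == ALL:
        return True
    return listed if mode == ONLY_LISTED else not listed

def subdomain_gaps(observed_senders, domain_list):
    """Observed sender domains that are subdomains of a listed domain but are
    not on the list themselves, so the list entry does not apply to them."""
    listed = {d.lower() for d in domain_list}
    gaps = set()
    for sender in observed_senders:
        dom = envelope_domain(sender)
        if dom and dom not in listed and any(dom.endswith("." + d) for d in listed):
            gaps.add(dom)
    return sorted(gaps)

if __name__ == "__main__":
    for dom in subdomain_gaps(OBSERVED, DOMAIN_LIST):
        print(f"{dom}: not covered by its parent entry; add it explicitly if intended")
    for sender in OBSERVED:
        print(sender, "->", is_authenticated(sender, ONLY_LISTED, DOMAIN_LIST))
```

With Authenticate only the following domains, every domain the report prints is one whose mail would not be authenticated until it is added to the list as its own entry.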