Multi-string DNS text records may be generated if the key size of the signing key used to generate the DNS text records are larger than 1024 bits. This is because not more than 255 characters are allowed in a single string of a DNS text record. The DKIM authentication may fail as some of the DNS servers do not accept or serve multi-string DNS text records.

To avoid this scenario, it is recommended that you use double quotes to break up the multi-string DNS text record into smaller strings not exceeding 255 bytes. The following is an example.

s._domainkey.domain.com. IN TXT "v=DKIM1;" 
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQE"
"A4Vbhjq2n/3DbEk6EHdeVXlIXFT7OEl81amoZLbvwMX+bej"
"CdxcsFV3uS7G8oOJSWBP0z++nTQmy9ZDWfaiopU6k7tzoi"
"+oRDlKkhCQrM4oP2B2F5sTDkYwPY3Pen2jgC2OgbPnbo3o"
"m3c1wMWgSoZxoZUE4ly5kPuK9fTtpeJHNiZAqkFICiev4yrkL"
"R+SmFsJn9MYH5+lchyZ74BVm+16Xq2mptWXEwpiwOxWI"
"YHXsZo2zRjedrQ45vmgb8xUx5ioYY9/yBLHudGc+GUKTj1i4"
"mQg48yCD/HVNfsSRXaPinliEkypH9cSnvgvWuIYUQz0dHU;" 

DKIM implementations reassemble DNS text records broken down this way into the full original single string before processing them.

• Removing Selected DKIM Verification Profiles
• Removing All DKIM Verification Profiles

To use SPF and SIDF with a appliance, publish the SPF record according to the RFCs 4406, 4408, and 7208. Review RFC 4407 for a definition of how the PRA identity is determined. You may also want to refer to the following website to view common mistakes made when creating SPF and SIDF records:

http:/​/​www.openspf.org/​FAQ/​Common_​mistakes

The AsyncOS CLI supports more control settings for each SPF/SIDF conformance level. When configuring the default settings for a listener’s Host Access Table, you can choose the listener’s SPF/SIDF conformance level and the SMTP actions (ACCEPT or REJECT) that the appliance performs, based on the SPF/SIDF verification results. You can also define the SMTP response that the appliance sends when it rejects a message.

Depending on the conformance level, the appliance performs a check against the HELO identity, MAIL FROM identity, or PRA identity. You can specify whether the appliance proceeds with the session (ACCEPT) or terminates the session (REJECT) for each of the following SPF/SIDF verification results for each identity check:

• None. No verification can be performed due to the lack of information.
• Neutral. The domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail. The domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail. The client is not authorized to send mail with the given identity.
• TempError. A transient error occurred during verification.

• PermError. A permanent error occurred during verification.

The appliance accepts the message for a Pass result unless you configure the SIDF Compatible conformance level to downgrade a Pass result of the PRA identity to None if there are Resent-Sender: or Resent-From: headers present in the message. The appliance then takes the SMTP action specified for when the PRA check returns None.

If you choose not to define the SMTP actions for an identity check, the appliance automatically accepts all verification results, including Fail.

The appliance terminates the session if the identity verification result matches a REJECT action for any of the enabled identity checks. For example, an administrator configures a listener to accept messages based on all HELO identity check results, including Fail, but also configures it to reject messages for a Fail result from the MAIL FROM identity check. If a message fails the HELO identity check, the session proceeds because the appliance accepts that result. If the message then fails the MAIL FROM identity check, the listener terminates the session and then returns the STMP response for the REJECT action.

The SMTP response is a code number and message that the appliance returns when it rejects a message based on the SPF/SIDF verification result. The TempError result returns a different SMTP response from the other verification results. For TempError, the default response code is 451 and the default message text is #4.4.3 Temporary error occurred during SPF verification . For all other verification results, the default response code is 550 and the default message text is #5.7.1 SPF unauthorized mail is prohibited . You can specify your own response code and message text for TempError and the other verification results.

Optionally, you can configure the appliance to return a third-party response from the SPF publisher domain if the REJECT action is taken for Neutral, SoftFail, or Fail verification result. By default, the appliance returns the following response:

550-#5.7.1 SPF unauthorized mail is prohibited.

550-The domain example.com explains:

550 <Response text from SPF domain publisher>

To enable these SPF/SIDF settings, use the listenerconfig -> edit subcommand and select a listener. Then use the hostaccess -> default subcommand to edit the Host Access Table’s default settings.

The following SPF control settings are available for the Host Access Table

SPF Control Settings via the CLI

The appliance performs the HELO identity check and accepts the None and Neutral verification results and rejects the others. The CLI prompts for the SMTP actions are the same for all identity types. The user does not define the SMTP actions for the MAIL FROM identity. The appliance automatically accepts all verification results for the identity. The appliance uses the default reject code and text for all REJECT results.

You can also configure this in the command-line interface using the listenerconfig command.

When you configure AsyncOS for SPF/SIDF verification, it places an SPF/SIDF verification header ( Received-SPF ) in the email. The Received-SPF header contains the following information:

• verification result - the SPF verification result (see Verification Results).
• identity - the identity that SPF verification checked: HELO, MAIL FROM, or PRA.
• receiver - the verifying host name (which performs the check).
• client IP address - the IP address of the SMTP client.
• ENVELOPE FROM - the envelope sender mailbox. (Note that this may be different from the MAIL FROM identity, as the MAIL FROM identity cannot be empty.)
• x-sender - the value of the HELO, MAIL FROM, or PRA identity.
• x-conformance - the level of conformance (see Table - SPF/SIDF Conformance Levels ) and whether a downgrade of the PRA check was performed.

The following example shows a header added for a message that passed the SPF/SIDF check:

Received-SPF: Pass identity=pra; receiver=box.example.com;

client-ip=1.2.3.4; envelope-from="alice@fooo.com";

x-sender="alice@company.com"; x-conformance=sidf_compatible

Note	The spf-status and spf-passed filter rules use the received-SPF header to determine the status of the SPF/SIDF verification.

If you use the spf-status filter rule, you can check against the SPF/SIDF verification results using the following syntax:

if (spf-status == "Pass")

If you want a single condition to check against multiple status verdicts, you can use the following syntax:

if (spf-status == "PermError, TempError")

You can also check the verification results against the HELO, MAIL FROM, and PRA identities using the following syntax:

if (spf-status("pra") == "Fail")

Note	You can only use the spf-status message filter rule to check results against HELO, MAIL FROM, and PRA identities. You cannot use the spf-status content filter rule to check against identities. The spf-status content filter checks only the PRA identity.

You can receive any of the following verification results:

• None - no verification can be performed due to the lack of information.
• Pass - the client is authorized to send mail with the given identity.
• Neutral - the domain owner does not assert whether the client is authorized to use the given identity.
• SoftFail - the domain owner believes the host is not authorized to use the given identity but is not willing to make a definitive statement.
• Fail - the client is not authorized to send mail with the given identity.
• TempError - a transient error occurred during verification.
• PermError - a permanent error occurred during verification.

The following example shows the spf-status message filter in use:

skip-spam-check-for-verified-senders:


if (sendergroup == "TRUSTED" and spf-status == "Pass"){

skip-spamcheck();

}

quarantine-spf-failed-mail:

if (spf-status("pra") == "Fail") {

if (spf-status("mailfrom") == "Fail"){

# completely malicious mail

quarantine("Policy");

} else {

if(spf-status("mailfrom") == "SoftFail") {

# malicious mail, but tempting

quarantine("Policy");

}

}

} else {

if(spf-status("pra") == "SoftFail"){

if (spf-status("mailfrom") == "Fail"

or spf-status("mailfrom") == "SoftFail"){

# malicious mail, but tempting

quarantine("Policy");

}

}

}

stamp-mail-with-spf-verification-error:

if (spf-status("pra") == "PermError, TempError"

or spf-status("mailfrom") == "PermError, TempError"

or spf-status("helo") == "PermError, TempError"){

# permanent error - stamp message subject

strip-header("Subject");

insert-header("Subject", "[POTENTIAL PHISHING] $Subject"); 

}

.

You can also enable the spf-status rule from the content filters in the GUI. However, you cannot check results against HELO, MAIL FROM, and PRA identities when using the spf-status content filter rule.

To add the spf-status content filter rule from the GUI, click Mail Policies > Incoming Content Filters. Then add the SPF Verification filter rule from the Add Condition dialog box. Specify one or more verification results for the condition.

After you add the SPF Verification condition, specify an action to perform based on the SPF status. For example, if the SPF status is SoftFail, you might quarantine the message.

The spf-passed rule shows the results of SPF verification as a Boolean value. The following example shows an spf-passed rule used to quarantine emails that are not marked as spf-passed:

quarantine-spf-unauthorized-mail:

if (not spf-passed) {


quarantine("Policy");

}

Note

Unlike the spf-status rule, the spf-passed rule reduces the SPF/SIDF verification values to a simple Boolean. The following verification results are treated as not passed in the spf-passed rule: None, Neutral, Softfail, TempError, PermError, and Fail. To perform actions on messages based on more granular results, use the spf-status rule.

The following describes how AsyncOS performs DMARC verification.

1. A listener configured on AsyncOS receives an SMTP connection.
2. AsyncOS performs SPF and DKIM verification on the message.
3. AsyncOS fetches the DMARC record for the sender’s domain from the DNS.
   • If no record is found, AsyncOS skips the DMARC verification and continues processing.
   • If the DNS lookup fails, AsyncOS takes action based on the specified DMARC verification profile.

4. Depending on DKIM and SPF verification results, AsyncOS performs DMARC verification on the message.

   Note	If DKIM and SPF verification is enabled, DMARC verification reuses the DKIM and SPF verification results.

5. Depending on the DMARC verification result and the specified DMARC verification profile, AsyncOS accepts, quarantines, or rejects the message. If the message is not rejected due to DMARC verification failure, AsyncOS continues processing.
6. AsyncOS sends an appropriate SMTP response and continues processing.

7. If sending of aggregate reports is enabled, AsyncOS gathers DMARC verification data and includes it in the daily report sent to the domain owners. For more information about the DMARC aggregate feedback report, see DMARC Aggregate Reports.

   Note	If the aggregate report size exceeds 10 MB or the size specified in the RUA tag of the DMARC record, AsyncOS sends delivery error reports to the domain owners.

How to Verify Incoming Messages Using DMARC

1. Identify the users in your organization (for example, executives) whose messages are likely to be forged. Create a new content dictionary and add the names of the identified users to it.

   While creating a content dictionary,

   • Enter the name of the user and not the email address. For example, enter “ Olivia Smith ” instead of “ olivia.smith@example.com .”
   • Do not configure Advanced Matching and Smart Identifiers.
   • Do not choose weight for the terms used.
   • Do not use regular expressions.

   The following figure shows a sample content dictionary created for Forged Email Detection.

   Figure 3. Content Dictionary for Forged Email Detection
   
   
   

   

   
   

   For instructions to configure a content dictionary, see Adding Dictionaries.

2. Create an incoming content or message filter to detect forged messages and the actions that the appliance must take on such messages. Use the following:
   • Condition/Rule: Forged Email Detection (See Content Filter Conditions and Message Filter Rules)
   • Action: Forged Email Detection or any other actions based on your requirement. (See Content Filter Conditions and Message Filter Rules)
3. Add the newly created content filter to an incoming mail policy. See How to Enforce Mail Policies on a Per-User Basis.

To view data about forged messages detected, see the Forged Email Matches report page (Monitor > Forged Email Matches). This report page includes the following reports:

• Top Forged Email Matches. Displays the top ten users in the content dictionary that matched the forged From: header in the incoming messages.
• Forged Email Matches: Details. Displays a list of all the users in the content dictionary that matched the forged From: header in the incoming messages and for a given user, the number of messages matched. Click on the number to view a list of messages in Message Tracking.

To display details of forged messages detected by the appliance in Message Tracking, make sure that:

• Message Tracking is enabled. See Tracking Messages.
• Content or message filters for detecting forged messages are operational.