
Email Security 9.0 Admin Guide

Anti-Spoofing

The SonicWall Email Security solution allows you to enable and configure settings to prevent illegitimate messages from entering your organization. Spoofing consists of an attacker forging the source IP address of a message, making it seem like the message came from a trusted host. By configuring SPF, DKIM, and DMARC settings, your Email Security solution runs the proper validation and enforcement methods on all incoming messages to your organization. This chapter provides configuration information specific to Anti-Spoofing, including:

The Anti-Spoofing feature works in an order of precedence, where features at the top of the page are of a lower priority than features towards the bottom of the page. Generally, a message is subjected to SPF, DKIM, and DMARC if all are enabled. The results from DKIM validation will take precedence over the results from SPF validation, and DMARC validation results will take precedence over DKIM validation results.

Inbound SPF Settings

The Anti-Spoofing > Inbound tab features SPF (Sender Policy Framework) validation for inbound email messages. SPF is an email validation system designed to prevent email spam by verifying that sender IP addresses are valid. SPF records, which are published in the DNS records, contain descriptions of the attributes of valid IP addresses. SPF is then able to validate against these records if a mail message is sent from an authorized source. If a message does not originate from an authorized source, the message fails. You can configure the actions against messages that fail.

Two types of SPF failures include:

SPF HardFail—The SPF has determined that the host is not allowed to send messages and does not allow those messages through to the recipient.
SPF SoftFail—When an SPF soft fail occurs (the system determines that the sending host is probably not authorized to send messages), mail messages from senders in the Allow list are not sent through to the recipient. This feature is enabled by default.
To enable SPF:
1. Select the Enable SPF validation for incoming messages check box.
2. For hard failures, configure the action to take:
   a. Decide if you want to Ignore allow lists. When the box is checked, the allow lists are ignored; when it is unchecked, the lists are used.
   b. Select an action to take for messages marked as SPF hard fail. Actions to Take for Hard Failures describes the options.

Actions to Take for Hard Failures

No Action

No action is taken against messages marked as SPF hard fail.

Permanently delete

Messages marked as SPF hard fail are permanently deleted.

Reject with SMTP error code 550

Messages marked as SPF hard fail are rejected with an SMTP error code 550.

Store in Junk Box (recommended for most configurations)

Messages marked as SPF hard fail are stored in the Junk Box. This is the recommended setting for most configurations.

Send to [field]

Messages marked as SPF hard fail are sent to the user specified in the available field. For example, you can send to postmaster.

Tag with [field] added to the subject

Messages marked as SPF hard fail are tagged with a term in the subject line. For example, you may tag the messages [SPF Hard Failed].

Add X-Header: X-[field]:[field]

An X-Header with the specified key and value is added to messages marked as SPF hard fail. The first text field defines the X-Header. The second text field is the value of the X-Header. For example, a header of type X-EMSJudgedThisEmail with value spfhard results in the email header: X-EMSJudgedThisEmail:spfhard.

   c. Click Add Domain if you want to define specific actions for an identified domain.
   d. List the domains in the Domains field. Separate domains with a comma.
   e. Select one of the actions for a hard failure. Refer to Step b above for definitions of the options.
   f. Click Save.
3. For soft failures, decide if you want to Ignore allow lists. When the box is checked, the allow lists are ignored; when it is unchecked, the lists are used.
4. Click on Apply Changes.

Inbound DKIM Settings

DKIM (DomainKeys Identified Mail) uses a secure digital signature to verify that the sender of a message is who it claims to be and that the contents of the message have not been altered in transit. A valid DKIM signature is a strong indicator of a message’s authenticity, while an invalid DKIM signature is a strong indicator that the sender is attempting to fake his identity. For some commonly phished domains, the absence of a DKIM signature can also be a strong indicator that the message is fraudulent. Users benefit from DKIM because it verifies legitimate messages and protects against phishing. Remember that DKIM does not prevent spam; proper measures should still be taken against fraudulent content.

To configure DKIM signature settings:
1. Navigate to the Anti-Spoofing > Inbound page and scroll down to the section labeled DKIM Settings.
2. To enable DKIM, select the Enable DKIM validation for incoming messages check box.
3. Decide if you want to Ignore allow lists when a failure occurs. When the box is checked, the allow lists are ignored; when it is unchecked, the lists are used.
4. Choose the action to take for messages marked as DKIM signature failed. The options are the same as those listed in Actions to Take for Hard Failures. In the Tag with field, you can use text to indicate a DKIM failure.
5. Click Add Domain if you want to define specific actions for an identified domain.
   a. List the domains in the Domains field. Separate domains with a comma.
   b. Select one of the actions for a hard failure. Refer to Actions to Take for Hard Failures above for the options.
   c. Decide whether to select Domain is required to have DKIM signature. When the box is checked, the signature is required; when it is unchecked, the signature is not required.
   d. Click Save to configure domain specific settings.
6. Click on Apply Changes to save the DKIM definitions.

Inbound DMARC Settings

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy that works in tandem with SPF and DKIM to fully authenticate incoming and outgoing email messages. A DMARC policy allows a sender to indicate that his emails are protected by SPF and/or DKIM, and also tells a receiver what to do if neither of those authentication methods passes, such as junk or reject the message.
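
The decision a DMARC policy drives, as an added example (not SonicWall's code): the message passes only if SPF or DKIM passes for a domain aligned with the From: domain, otherwise the published p= action applies. Function names and the sample record are assumptions, and relaxed alignment is approximated without the Public Suffix List.

```python
def parse_dmarc(record: str):
    """Split a DMARC TXT record into its tags; None if it is not a usable policy."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between the From: domain and an authenticated domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a                       # strict: exact match only
    # Relaxed mode compares organizational domains, which needs the Public Suffix
    # List; this example approximates it as "same domain or parent/child".
    return f == a or f.endswith("." + a) or a.endswith("." + f)

def dmarc_disposition(tags, from_domain, spf, dkim) -> str:
    """spf and dkim are (result, domain) pairs produced by the earlier checks."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"].lower()

def rua_addresses(tags):
    """Aggregate-report recipients from the rua tag (mailto: URIs only)."""
    uris = [u.strip() for u in tags.get("rua", "").split(",")]
    return [u[7:].split("!")[0] for u in uris if u.lower().startswith("mailto:")]

# Constructed sample record; the rua address is the example address this guide quotes.
SAMPLE = "v=DMARC1; p=reject; adkim=s; rua=mailto:aggrep@yourcompany.com"

if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE)
    # SPF passed, but for an unrelated envelope domain, and DKIM failed.
    print(dmarc_disposition(policy, "yourcompany.com",
                            ("pass", "bulk-sender.example"), ("fail", "yourcompany.com")))
    print(rua_addresses(policy))
```

The first call prints the policy action rather than a pass: an SPF pass for an unaligned envelope domain does not satisfy DMARC.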

To configure DMARC settings:
1. Navigate to the Anti-Spoofing > Inbound page, and scroll down to the section labeled DMARC Settings.
2. Select the Enable DMARC judgment for incoming messages check box.

   NOTE: To use DMARC, you must also enable DKIM and SPF.
3. Select the Enable DMARC Policy Enforcement for incoming messages check box.
4. In the Exclude these sender domains field, enter any sender domains (for example, sonicwall.com or gmail.com) you want excluded from DMARC policy enforcement. Multiple domains can be entered and should be separated by a comma.
5. Choose whether to Enable DMARC Outgoing Reports.

   IMPORTANT: By default, this feature is enabled when the “Enable DMARC” check box is also enabled. Select the check box to disable the sending of DMARC reports to outside domains.

   Once DMARC is enabled, outgoing reports are automatically sent. You can configure an Outbound Path for RUA delivery of the reports by clicking the provided link (System > Network Architecture > Server Configuration page).
6. If you want to override reporting attributes for a specific domain, select Add Domain:
   a. Enter the domain name to send DMARC reports to. You have the option of using ‘*’ as a value for the domain field. A few considerations:
A configuration created with the domain name * is considered the default domain.
If the domain is not provided, DMARC uses configuration settings from the * domain.
If no * domain is added, then a hard-coded default value, such as postmaster@domain, is used as the Sender ID.
   b. Enter the email address from which the report originates in the field called Report From: address.
   c. Optionally add any Notes regarding this domain.

      NOTE: The RUA is the aggregated report for domains with published domain records. Reports are sent daily.
   d. Select Save.
7. Click on Apply Changes to save the DMARC definitions.

Inbound DMARC Report Settings

You can configure DMARC incoming report settings by clicking the Add Domain button in the DMARC Reports Settings section. DMARC Incoming Reports are collected and processed only for the domains added.

To set up the DMARC reports:
1. Select Add Domain.
2. Enter the Domain name for DMARC incoming reports.
3. Check the box to override reports being sent to the RUA email address specified in the DNS record. An example from the DNS record is rua=mailto:aggrep@yourcompany.com.
4. If you selected the Override DNS RUA Email Address, specify the RUA Email Address to which the reports should be sent. Multiple addresses can be entered and should be separated by a comma.

   NOTE: The RUA is the aggregated report for domains with published domain records. Reports are sent daily.
5. Click Save to save the report definition.
6. Select Apply Changes to update the report settings.

   NOTE: You can select the Refresh button to refresh the data in report domains table.

Outbound DKIM Settings

Set up the DKIM signature options for the outbound mail.

To set up DKIM settings on the outbound path:
1. Navigate to Anti-Spoofing > Outbound.
2. Click the Add Configuration button. The DKIM Outbound Configuration page displays.
3. To define the Settings for DKIM Signature, complete the fields as described below:

Domain

Enter the Domain name.

Identity of Signer

Enter an Identity of Signer. Select the Same as domain check box to use the specified Domain name as the Identity of Signer.

Selector

Enter a value for the Selector. The selector is used to differentiate between multiple DKIM DNS records within the same organization (for example, feb2014.domainkey.yourorganization.com).

List of Header fields for Signing

Check the Sign all standard headers box to include all headers, or specify the headers in the designated field. Separate multiple headers with a colon (for example, from:to:subject).

4. To set up the Public Private key pair for DKIM Signing, complete the fields as described below:

Generate Key Pair

If you want to generate key pair for the DKIM signing, select Generate key pair. Specify the Key Size from the values in the drop down list, then click the Generate Key Pair button.

Key Size

Specify the Key Size from the values in the drop down list, then select the Generate Key Pair button.

Import existing public-private key pair

Choose Import existing public-private key pair, if you want to use an existing pair. Click on Browse... to Upload Public key and click on Browse... to Upload Private key. Type in the Passphrase for private key. Use only alphanumeric characters.

5. Click the Save button to finish. The signature is added to the DKIM Signature Configurations list.

Generating DNS Record

Once a domain has been successfully added to the DKIM Signature Configurations table, you can generate a DNS Record.

To generate a DNS record:
1. Under the DNS Record column for the domain you want to generate a record for, click the Generate button.
2. Set the following options on the Generate DNS Record page:
Domain—This field auto-populates with the Domain you entered when adding a new configuration. This field cannot be edited.
Selector—This field auto-populates with the Selector you entered when adding a new configuration. This field cannot be edited.
Public Key—This field populates with the Public Key for your DNS record. You can copy and paste from this field.
Domain is testing DKIM—Select the check box to enable testing DKIM for this domain.
Subdomains required to have their own DKIM keys—Select the check box to enable the requirement for all subdomains to have their own DKIM keys.
3. Click the Generate DNS Record button to save the settings and generate your DNS record.
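
What the generated record looks like on the DNS side, as an added example (not the product's code): RFC 6376 publishes the key as a TXT record at selector._domainkey.domain, and a 2048-bit key has to be split into character-strings of at most 255 bytes. The function names, the k=rsa tag, the mapping of the two check boxes to the t=y and t=s flags, and the placeholder key bytes are assumptions.

```python
import base64
import re

def dkim_dns_record(domain, selector, public_key_pem, testing=False, strict_subdomains=False):
    """Return (owner_name, [character-strings]) for a DKIM key record (RFC 6376)."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----|\s+", "", public_key_pem)
    if not body:
        raise ValueError("empty public key")   # an empty p= would mean a revoked key
    base64.b64decode(body, validate=True)      # raises if the pasted key is damaged
    # Assumed mapping of the two check boxes to RFC 6376 t= flags:
    #   y = domain is testing DKIM, s = signing identity must not be a subdomain of d=
    flags = [flag for flag, on in (("y", testing), ("s", strict_subdomains)) if on]
    value = "v=DKIM1; k=rsa; "
    if flags:
        value += "t=" + ":".join(flags) + "; "
    value += "p=" + body
    # One TXT character-string holds at most 255 bytes, so a 2048-bit key must be
    # published as several strings, which the verifier concatenates.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", chunks

def placeholder_pem(der_length=294):
    """Constructed stand-in with the size of a 2048-bit RSA public key; not a real key."""
    b64 = base64.b64encode(bytes(der_length)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    name, strings = dkim_dns_record("yourorganization.com", "feb2014",
                                    placeholder_pem(), testing=True)
    print(name, "IN TXT", " ".join(f'"{s}"' for s in strings))
```
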

Managing Outbound DKIM Settings

The Settings column of each domain listed in the DKIM Signature Configurations table has the following icons:

Edit—Click this icon to edit the DKIM Signature settings. Note that not all fields are editable.
Delete—Click this icon to delete the DKIM Signature.
Download—Click this icon to download the Public Key for this DKIM Signature.
Status—The status icon notifies you if the DKIM Signature is enabled (green icon) or disabled (gray icon).