If you think your DMARC authentication and reporting are already set up correctly, review this guide anyway and compare it against your current settings. These are industry best practices, and it is important not to deviate from them. Make sure your ESA is running AsyncOS 13.x, or 14.0.2 or later: earlier 14.x releases contain a bug that affects this configuration.
Important Notes:
- Correct Setup is Crucial: An incorrect setup pollutes the otherwise valid data that domain owners receive from other reporters, and report aggregators may blocklist your ESA as a reporting source.
- SPF and DKIM Verification: Deviating from the recommended settings skews DMARC analysis and degrades the quality of the data you report.
- DMARC Enforcement: Altering enforcement actions undermines the efforts of domain owners who have set up authentication and published policies. Apply their policies as published to maintain the integrity of email authentication.
- SPF and DKIM Authentication: Your ESA will correctly determine SPF and DKIM results for incoming messages; these checks on their own do not alter delivery.
- DMARC Authentication and Enforcement: Your ESA will determine the DMARC result from the SPF and DKIM results and enforce the sending domain's published policy, providing additional protection from spam and phishing.
- Logging and Reporting: There will be additional entries in the mail logs and useful authentication information in message headers. Your ESA will generate and send DMARC aggregate (RUA) reports to domain owners at the addresses specified in their DMARC records.
- p=reject: messages that fail DMARC are rejected during the SMTP conversation.
- p=quarantine: messages that fail DMARC are quarantined.
- p=none: messages that fail DMARC are delivered normally; the failure is only logged and reported.
A message fails DMARC only when neither SPF nor DKIM passes with an identifier aligned to the From: header domain. Note that a record's sp= tag sets a separate policy for subdomains, and pct= applies the policy to only a sampled percentage of failing messages, so the disposition the ESA applies can differ from the p= value alone.
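The following is an added example, not Cisco or ESA code, showing how a receiver turns SPF and DKIM results into the DMARC result and disposition described above. It is a simplified model of RFC 7489: the Organizational Domain is approximated as the last two labels (an assumption; a real receiver consults the Public Suffix List), the DMARC record and messages are constructed inline, and the random source for pct= sampling is injectable so the outcome can be checked.

```python
"""Added example (not Cisco/ESA code): how a receiving MTA turns SPF and DKIM
results into a DMARC result and disposition. Simplified model of RFC 7489."""
from __future__ import annotations

import random
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational Domain, simplified to the last two labels.
    Assumption for this example; a real receiver consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; sp=quarantine' into tags."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same Organizational Domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    """SPF/DKIM outcome for one message, as produced by the verification stage."""
    from_domain: str                      # domain of the RFC5322.From header
    spf_result: str                       # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: str                       # domain SPF was evaluated against (MAIL FROM)
    dkim_sigs: list[tuple[str, str]] = field(default_factory=list)  # (result, d= domain)


def dmarc_disposition(record: str, res: AuthResult, record_domain: str,
                      rnd=random.random) -> tuple[str, str]:
    """Return (dmarc_result, disposition); disposition is reject, quarantine or none.
    record_domain is where the DMARC record was found (the From domain itself or
    its Organizational Domain); rnd is injectable so pct= sampling is testable."""
    tags = parse_dmarc(record)
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, res.from_domain, tags.get("adkim", "r"))
                  for r, d in res.dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= applies only when the record was found at the Organizational Domain
    # and the From domain is a subdomain of it.
    is_subdomain = res.from_domain.lower().rstrip(".") != record_domain.lower().rstrip(".")
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    pct = int(tags.get("pct", "100"))
    if policy != "none" and rnd() * 100 >= pct:
        # Outside the sampled percentage the next less severe policy applies.
        policy = "quarantine" if policy == "reject" else "none"
    return "fail", policy


if __name__ == "__main__":
    # Constructed sample: a DMARC record and a spoofed message with no aligned pass.
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s"
    spoof = AuthResult("example.com", "fail", "attacker.example", [("pass", "mail.example.com")])
    print(dmarc_disposition(rec, spoof, "example.com"))  # ('fail', 'reject'): d= not strictly aligned
```

The spoofed message carries a valid DKIM signature, but with adkim=s the d= domain mail.example.com does not align with example.com, so the domain's p=reject is applied; a subdomain From address would fall under sp=quarantine instead.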
Steps to Update Mail Policies in Cisco's ESA
Follow these steps in the order listed to update your settings. You can find these actions under the Mail Policies menu in the ESA user interface:
- DKIM Verification Profiles: Set up DKIM verification so that the signatures on inbound messages are checked and produce a result DMARC can use.
- DMARC: Configure DMARC verification and reporting to enforce senders' policies and report authentication results to domain owners.
- Mail Flow Policies: Adjust mail flow policies to control how your ESA applies these checks to incoming and outgoing mail.
By following these steps, you'll ensure that your email security settings are up-to-date and effective.
DKIM Verification Profiles
The ESA UI label still mentions DomainKeys; technically this should read "DKIM verification profiles", since DomainKeys was superseded by DKIM in 2007.
- Default Profile: We recommend creating, keeping, or changing only the DEFAULT profile; you should not need any other profiles.
- Impact on Delivery: DKIM verification on its own (configured this way) does not affect message delivery; it only produces a result that DMARC and your logs consume.
Update or create the profile to match the setting shown in the following screenshot.
Verification Profiles - Notes
- Key Size: Do not use or accept DKIM keys smaller than 1024 bits; they are too weak for production use, and RFC 8301 requires verifiers to treat signatures made with such keys as invalid.
- Large Keys: Keys larger than 2048 bits exist and are valid DKIM keys, but the ESA currently cannot create or verify them due to a Cisco bug.
- Settings for Rejections or Delays: Avoid any setting that rejects or delays messages based solely on DKIM results or on DNS lookup failures; let DMARC make the delivery decision.
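An added example, not Cisco or ESA code, of the key-size check the notes above call for: it decodes the p= tag of a DKIM DNS TXT record (a base64 DER SubjectPublicKeyInfo) with a minimal DER parser and returns the RSA modulus size, so keys below the 1024-bit floor or above the 2048 bits this ESA release can verify stand out. The sample records are constructed by a helper that wraps an arbitrary odd integer as the modulus; no real key pair is generated, since only the bit length matters for this check.

```python
"""Added example (not Cisco/ESA code): measure the RSA modulus size of the
public key published in a DKIM DNS TXT record (the p= tag)."""
import base64


def _der_len(buf: bytes, i: int) -> tuple[int, int]:
    """Decode a DER length starting at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_tlv(buf: bytes, i: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at buf[i]; return (tag, content, index after the TLV)."""
    tag = buf[i]
    length, start = _der_len(buf, i + 1)
    return tag, buf[start:start + length], start + length


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Split 'v=DKIM1; k=rsa; p=MIIB...' into its tags."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dkim_rsa_bits(txt: str) -> int:
    """Return the modulus size in bits of the RSA key in a DKIM record,
    or 0 when p= is empty (a revoked selector)."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa is handled here")
    p = "".join(tags.get("p", "").split())      # whitespace inside the base64 is legal
    if not p:
        return 0
    spki = base64.b64decode(p)
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    tag, body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SubjectPublicKeyInfo")
    _, _, after_alg = _der_tlv(body, 0)          # skip AlgorithmIdentifier
    tag, bitstring, _ = _der_tlv(body, after_alg)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    _, rsa_seq, _ = _der_tlv(bitstring[1:], 0)   # first BIT STRING byte = unused-bit count
    tag, modulus, _ = _der_tlv(rsa_seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def acceptable_for_esa(txt: str, minimum: int = 1024, maximum: int = 2048) -> bool:
    """Policy from this guide: refuse keys below 1024 bits; flag keys the ESA cannot verify."""
    return minimum <= dkim_rsa_bits(txt) <= maximum


# --- helpers that build a constructed test record (no real key pair is generated) ---
def _der_encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                 # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return b"\x02" + _der_encode_len(len(raw)) + raw


def make_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Wrap an arbitrary odd integer as if it were an RSA modulus; only the
    bit length matters for this check, so no real key generation is needed."""
    n_e = _der_int(modulus) + _der_int(exponent)
    rsa_key = b"\x30" + _der_encode_len(len(n_e)) + n_e
    rsa_oid = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1 rsaEncryption
    alg = b"\x30" + _der_encode_len(len(rsa_oid) + 2) + rsa_oid + b"\x05\x00"
    bitstr = b"\x03" + _der_encode_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    spki = b"\x30" + _der_encode_len(len(alg) + len(bitstr)) + alg + bitstr
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


if __name__ == "__main__":
    for bits in (512, 1024, 2048, 4096):
        rec = make_dkim_record((1 << (bits - 1)) | 1)
        print(bits, dkim_rsa_bits(rec), acceptable_for_esa(rec))
```

To check a real selector, fetch the TXT record for selector._domainkey.example.com, join its strings, and pass the result to dkim_rsa_bits; an empty p= means the selector has been revoked and any signature using it must fail.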
DMARC Configuration
- Custom Settings: Unlike the previous section, some settings here need to be adjusted based on your specific environment. Use the provided screenshot as a reference and consult the following section for guidance on what to change for your setup.
DMARC Configuration – Global Settings
Schedule
RFC 7489 recommends that 24-hour aggregate reports cover a window starting at 00:00 UTC, regardless of the reporter's local time zone, so that reports from different receivers can be correlated. To comply, set the report generation time to about 15 minutes before the end of the day in UTC. The value you enter therefore differs by time zone (e.g., East Coast vs. West Coast in the USA), and if your appliance clock uses a local time zone it shifts by an hour at each daylight saving change, so recheck it then. Note that Cisco has a bug (CSCun35657) related to this configuration, so you may need to contact them for assistance.
Entity
This should be your company or organization and must be consistent across all your ESAs.
Additional Contact
This field is included in the XML reports sent to domain owners, so it is published to every domain you report to. Use a real, monitored address in your own domain, ideally with strong anti-spam and garbage-collection settings. Domain owners can use it to send feedback or questions about your XML reports, though this is rare.
Other Settings
Leave the other settings as shown in the screenshot.
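As an added example, not ESA code, the following reads a DMARC aggregate (RUA) report and checks the metadata the settings above control: that the entity and additional contact are populated and that the reporting window is one UTC calendar day, as the Schedule section requires. The sample report is constructed here, not generated by an ESA, and it assumes the Entity setting maps to <org_name> and Additional Contact to <extra_contact_info> in the RFC 7489 report schema.

```python
"""Added example (not ESA code): read a DMARC aggregate report and check the
report_metadata fields this section configures. SAMPLE_REPORT is constructed;
the Entity -> org_name and Additional Contact -> extra_contact_info mapping is assumed."""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Example Corp</org_name>
    <email>dmarc-reports@example.com</email>
    <extra_contact_info>dmarc-contact@example.com</extra_contact_info>
    <report_id>1718150400.12345</report_id>
    <date_range><begin>1718064000</begin><end>1718150400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results><spf><domain>attacker.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

DAY = 86400


def check_metadata(xml_text: str) -> dict:
    """Extract report_metadata and flag the problems this guide warns about:
    an empty entity or contact, and a window that is not one UTC calendar day."""
    meta = ET.fromstring(xml_text).find("report_metadata")

    def text(path: str) -> str:
        return (meta.findtext(path) or "").strip()

    begin, end = int(text("date_range/begin")), int(text("date_range/end"))
    problems = []
    if not text("org_name"):
        problems.append("org_name (Entity) is empty")
    if not text("extra_contact_info"):
        problems.append("extra_contact_info (Additional Contact) is empty")
    # RFC 7489 section 7.2: 24-hour windows should start at 00:00 UTC.
    utc_aligned = end - begin == DAY and end % DAY == 0
    if not utc_aligned:
        problems.append("report window is not a UTC calendar day")
    return {
        "org_name": text("org_name"),
        "email": text("email"),
        "extra_contact_info": text("extra_contact_info"),
        "begin_utc": datetime.fromtimestamp(begin, timezone.utc).isoformat(),
        "end_utc": datetime.fromtimestamp(end, timezone.utc).isoformat(),
        "utc_aligned": utc_aligned,
        "problems": problems,
    }


def summarize_dispositions(xml_text: str) -> dict[str, int]:
    """Message counts per disposition the reporter applied (none/quarantine/reject)."""
    counts: Counter = Counter()
    for rec in ET.fromstring(xml_text).iter("record"):
        disposition = rec.findtext("row/policy_evaluated/disposition")
        counts[disposition] += int(rec.findtext("row/count"))
    return dict(counts)


if __name__ == "__main__":
    print(check_metadata(SAMPLE_REPORT))
    print(summarize_dispositions(SAMPLE_REPORT))
```

Run it against a report your ESA actually sent (they arrive at the rua= address as a zipped or gzipped XML attachment) to confirm the entity, contact and window are what you configured; a window that ends at 23:00 UTC after a daylight saving change is the symptom to look for.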
DMARC Configuration - Verification Profiles
Set up two profiles exactly as shown in the screenshot below.
Mail Flow Policies
The changes here put the settings from the previous sections into effect. There are three steps:
- Update Defaults: Adjust the default settings.
- Update Inbound Policies: Set inbound policies to accept the default settings.
- Correct Outbound/Relay Policies: Override default for outbound/relay policies.
Mail Flow Policies - Update Defaults
Open your Default Policy Parameters, locate the section shown in the screenshot, and ensure all settings match. Ignore the S/MIME settings unless you have specific requirements for them.
DKIM Signing
- Default Setting: Leave this Off. This assumes most HAT policies and other mail flow policies handle inbound traffic; if your system is set up differently, adjust these instructions accordingly, and if unsure, seek help.
DKIM Verification
- Setting: Turn this On and use the DEFAULT verification profile we set up earlier.
S/MIME
- Setting: Ignore this section.
SPF Verification
- Setting: Turn this On and use the settings as shown, which conform to the SPF standard; do not add actions that reject or delay mail on SPF results alone.
Mail Flow Policies
- Inbound Policies: Ensure they accept the default settings we just configured.
- Outbound Policies (Relay Policies): These should have different behavior, generally the opposite of the inbound policies.
Mail Flow Policies – Update Inbound Policies
Update inbound policies to use the defaults. For example, open the Accepted policy and scroll to the relevant section; you should see the following:
All other non-relay policies should be the same.
Mail Flow Policies - Correct Outbound/Relay Policies
Correct outbound/relay policies to override the defaults. Open the one Relay type policy and set it to look like the following:
DKIM Signing
- Setting: Turn this On only if you already have outbound DKIM signing configured (a signing profile on the ESA with its public key published in DNS). If not, leave it Off and consider setting up outbound DKIM signing if it is appropriate for your ESA environment.
Final Step
- Commit Changes: Click the orange "Commit Changes" button to save your settings; until you do, none of the changes above are active.
We're Here to Help
With a team of email security experts and a mission to make email and the internet more trustworthy through domain security, Tangent is here to help assess your organization's domain catalog and implement and manage DMARC for the long haul.