Contents
- Message authentication
- About message authentication
- Connecting to a DNS to perform message authentication
- Enabling and disabling SPF message authentication
- Enabling and disabling DKIM message authentication
- Enabling and disabling DMARC message authentication
- Enabling and disabling message authentication for a rule
- Configuring additional SPF message authentication settings for a rule
- Configuring additional DKIM message authentication settings for a rule
- Configuring tags added to message subjects after SPF message authentication
- Configuring tags added to message subjects after DKIM message authentication
- Configuring tags added to message subjects after DMARC message authentication
- Configuring actions on messages during DMARC message authentication
- Configuring detection of TempError during message authentication
- Preparing to configure SPF and DMARC message authentication for outgoing messages
Message authentication
This section describes the message authentication technologies used by Kaspersky Secure Mail Gateway and provides instructions on how to configure message authentication.
About message authentication
Message authentication is designed to provide additional protection for your corporate mail infrastructure against spam and phishing.
Kaspersky Secure Mail Gateway uses the following message authentication technologies:
- SPF (Sender Policy Framework) authentication.
- DKIM (DomainKeys Identified Mail) authentication.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication.
SPF message authentication – comparing IP addresses of message senders with the list of possible message sources, which has been created by the mail server administrator.
Kaspersky Secure Mail Gateway receives lists of possible message sources from the DNS server.
Enable SPF message authentication if Kaspersky Secure Mail Gateway receives messages directly from the Internet. Disable SPF message authentication if Kaspersky Secure Mail Gateway receives messages from an intermediate internal server.
DKIM message authentication – verification of the digital signature added to messages.
A digital signature associated with the name of the organization's domain is added to messages. Kaspersky Secure Mail Gateway verifies this digital signature.
DMARC message authentication – authentication performed to verify that the message was actually sent from the specified domain.
After the message has passed SPF and DKIM authentication, the application checks the domain of the sender's address in the From field of the message header against the SPF and DKIM identifiers and the SPF and DKIM statuses.
To enable SPF, DKIM, and DMARC message authentication, you have to allow Kaspersky Secure Mail Gateway to connect to the DNS server. If the connection to the DNS server is prohibited, SPF, DKIM, and DMARC message authentication is disabled.
If Kaspersky Secure Mail Gateway detects violations during SPF, DKIM, or DMARC message authentication, the corresponding authentication is considered to have revealed a violation of the message sender's authenticity.
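The DMARC check described above, worked through as an added example (not Kaspersky code and not part of the original documentation): a message can pass SPF and DKIM and still fail DMARC when neither authenticated domain aligns with the From domain. It follows the RFC 7489 alignment rules; `dmarc_result`, `org_domain`, the short `PUBLIC_SUFFIXES` stand-in for the Public Suffix List, and the sample message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a four-entry stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict):
    """Strict mode needs identical domains; relaxed mode compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(raw_message, spf_result, mail_from_domain, dkim_results,
                 aspf="r", adkim="r"):
    """Return (verdict, reason). dkim_results holds one (result, d= domain) per signature."""
    from_headers = message_from_string(raw_message).get_all("From", [])
    if len(from_headers) != 1:
        return "fail", "message must carry exactly one From header"
    _, at, from_domain = parseaddr(from_headers[0])[1].rpartition("@")
    if not at or not from_domain:
        return "fail", "no usable From domain"
    if spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf == "s"):
        return "pass", f"SPF aligned via {mail_from_domain}"
    for result, d_domain in dkim_results:
        if result == "pass" and aligned(d_domain, from_domain, adkim == "s"):
            return "pass", f"DKIM aligned via {d_domain}"
    return "fail", f"no passing identifier aligned with {from_domain}"

# Constructed sample: the From header names example.com, while the envelope sender
# and the DKIM signature both belong to a different organization.
SAMPLE = "From: Billing <billing@example.com>\nSubject: Invoice\n\nSee attachment.\n"

if __name__ == "__main__":
    # SPF and DKIM both pass, yet neither identifier matches the From domain.
    print(dmarc_result(SAMPLE, "pass", "bounce.mailer.example.net",
                       [("pass", "mailer.example.net")]))
    # Same message signed with d=mail.example.com: relaxed alignment passes.
    print(dmarc_result(SAMPLE, "softfail", "bounce.mailer.example.net",
                       [("pass", "mail.example.com")]))
    # Strict DKIM alignment (adkim=s) rejects the subdomain signature.
    print(dmarc_result(SAMPLE, "softfail", "bounce.mailer.example.net",
                       [("pass", "mail.example.com")], adkim="s"))
```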
Connecting to a DNS to perform message authentication
To enable message authentication, you have to allow Kaspersky Secure Mail Gateway to connect to the DNS server. If the connection to the DNS server is prohibited, SPF, DKIM, and DMARC message authentication is disabled.
You can also specify the maximum DNS server response wait time. When this time elapses, the DNS server is considered unavailable, and the message is processed by Kaspersky Secure Mail Gateway without message authentication. The default value is 10 seconds.
To allow Kaspersky Secure Mail Gateway to connect to the DNS server:
- In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
- In the External services section, click the Allow connection to DNS server link to open the External services window.
- In the list to the right of the name of the Allow connection to DNS server setting, select Yes.
- Click the Apply button.
To specify the maximum DNS server response wait time:
- In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
- In the External services section, click the Allow connection to DNS server link to open the External services window.
- In the field to the right of the Allow connection to DNS server setting, specify the maximum DNS server response wait time.
The default value is 10 seconds.
- Click the Apply button.
Enabling and disabling SPF message authentication
To enable or disable SPF message authentication:
- In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
- In the External services section, click the Enable SPF authentication of mail senders link to open the External services window.
- In the list to the right of the Enable SPF authentication of mail senders setting, select one of the following options:
- Yes, if you want to enable SPF authentication.
- No, if you want to disable SPF authentication.
- Click the Apply button.
To enable SPF message authentication, you have to allow Kaspersky Secure Mail Gateway to connect to the DNS server. If the connection to the DNS server is prohibited, SPF message authentication is disabled.
Enabling and disabling DKIM message authentication
To enable or disable DKIM message authentication:
- In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
- In the External services section, click the Enable DKIM authentication of mail senders link to open the External services window.
- In the list to the right of the Enable DKIM authentication of mail senders setting, select one of the following options:
- Yes, if you want to enable DKIM authentication.
- No, if you want to disable DKIM authentication.
- Click the Apply button.
To enable DKIM message authentication, you have to allow Kaspersky Secure Mail Gateway to connect to the DNS server. If the connection to the DNS server is prohibited, DKIM message authentication is disabled.
Enabling and disabling DMARC message authentication
To enable or disable DMARC message authentication:
- In the main window of the application web interface, open the management console tree and select the Settings section and Protection subsection.
- In the External services section, click the Enable DMARC authentication of mail senders link to open the External services window.
- In the list to the right of the Enable DMARC authentication of mail senders setting, select one of the following options:
- Yes, if you want to enable DMARC authentication.
- No, if you want to disable DMARC authentication.
- Click the Apply button.
To enable DMARC message authentication, you have to allow Kaspersky Secure Mail Gateway to connect to the DNS server. If the connection to the DNS server is prohibited, DMARC message authentication is disabled.
Enabling and disabling message authentication for a rule
You can enable or disable message authentication for one or several rules.
Before enabling or disabling message authentication for a rule, make sure that at least one type of message authentication is enabled in the settings of Kaspersky Secure Mail Gateway (Enabling and disabling SPF message authentication, Enabling and disabling DKIM message authentication, Enabling and disabling DMARC message authentication).
To enable or disable message authentication for a rule:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the name of the rule to open the rule for which you want to enable or disable message authentication.
- Select the Authentication of Mail Sender section.
- Do one of the following:
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group to enable message authentication.
- Flip off the toggle switch next to the name of the Authentication of Mail Sender settings group to disable message authentication.
- Click the Apply button in the lower part of the workspace.
Configuring additional SPF message authentication settings for a rule
You can configure additional settings of SPF message authentication for one or several rules.
Before configuring additional settings of SPF message authentication for a rule, make sure that SPF message authentication is enabled in the settings of Kaspersky Secure Mail Gateway.
To configure additional settings of SPF message authentication for a rule:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the link with the name of the rule to open the rule for which you want to configure additional settings of SPF message authentication.
- Select the Authentication of Mail Sender section.
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group if it is off.
- In the SPF authentication of mail senders section, do one of the following:
- Select the check box next to the name of the Consider SPF softfail as a violation setting if you want Kaspersky Secure Mail Gateway to consider an SPF softfail error detected during SPF authentication as a message authentication violation.
- Clear the check box next to the name of the Consider SPF softfail as a violation setting if you do not want Kaspersky Secure Mail Gateway to consider an SPF softfail error detected during SPF authentication as a message authentication violation.
- Click the Apply button in the lower part of the workspace.
Configuring additional DKIM message authentication settings for a rule
You can configure additional settings of DKIM message authentication for one or several rules.
Before configuring additional settings of DKIM message authentication for a rule, make sure that DKIM message authentication is enabled in the settings of Kaspersky Secure Mail Gateway.
To configure additional settings of DKIM message authentication for a rule:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the link with the name of the rule to open the rule for which you want to configure additional settings of DKIM message authentication.
- Select the Authentication of Mail Sender section.
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group if it is off.
- In the DKIM authentication of mail senders section, do one of the following:
- Select the check box next to the name of the Consider absence of DKIM signature as an authentication violation setting if you want Kaspersky Secure Mail Gateway to consider the absence of a DKIM signature of a message detected during DKIM authentication as a violation of the message sender's authenticity.
- Clear the check box next to the name of the Consider absence of DKIM signature as an authentication violation setting if you do not want Kaspersky Secure Mail Gateway to consider the absence of a DKIM signature of a message detected during DKIM authentication as a violation of the message sender's authenticity.
- Click the Apply button in the lower part of the workspace.
Configuring tags added to message subjects after SPF message authentication
To configure tags that Kaspersky Secure Mail Gateway adds to the message subject after SPF message authentication:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the name of the rule to open the rule for which you want to configure tags added to message subjects after SPF message authentication.
- Select the Authentication of Mail Sender section.
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group if it is off.
- In the SPF authentication of mail senders settings group, click the link to the right of the name of the Add the following text to subject of email message setting to open the Tag for SPF authentication violation window.
- In the field under the name of the window, enter the text that you want to add at the beginning of the message subject when an SPF message authentication violation is detected.
- Click OK.
The Tag for SPF authentication violation window closes.
- Click the Apply button in the lower part of the workspace.
Configuring tags added to message subjects after DKIM message authentication
To configure tags that Kaspersky Secure Mail Gateway adds to the message subject after DKIM message authentication:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the name of the rule to open the rule for which you want to configure tags added to message subjects after DKIM message authentication.
- Select the Authentication of Mail Sender section.
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group if it is off.
- In the DKIM authentication of mail senders settings group, click the link to the right of the name of the Add the following text to subject of email message setting to open the Tag for DKIM authentication violation window.
- In the field under the name of the window, enter the text that you want to add at the beginning of the message subject when a DKIM message authentication violation is detected.
- Click OK.
The Tag for DKIM authentication violation window closes.
- Click the Apply button in the lower part of the workspace.
Configuring tags added to message subjects after DMARC message authentication
To configure tags that Kaspersky Secure Mail Gateway adds to the message subject after DMARC message authentication:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the name of the rule to open the rule for which you want to configure tags added to message subjects after DMARC message authentication.
- Select the Authentication of Mail Sender section.
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group if it is off.
- In the If DMARC violation detected settings group, click the link to the right of the name of the Add the following text to subject of email message setting to open the Tag for DMARC authentication violation window.
- In the field under the name of the window, enter the text that you want to add at the beginning of the message subject when a DMARC message authentication violation is detected.
- Click OK.
The Tag for DMARC authentication violation window closes.
- Click the Apply button in the lower part of the workspace.
Configuring actions on messages during DMARC message authentication
You can configure the actions to take on messages during DMARC message authentication for one or several rules.
Before configuring actions on messages during DMARC message authentication, make sure that DMARC message authentication is enabled in the settings of Kaspersky Secure Mail Gateway.
To configure actions on messages during DMARC message authentication:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the link with the name of the rule to open the rule for which you want to configure actions on messages during DMARC message authentication.
- Select the Authentication of Mail Sender section.
- Flip on the toggle switch next to the name of the Authentication of Mail Sender settings group if it is off.
- In the If DMARC violation detected drop-down list, select one of the following actions to take on messages found to cause an authentication violation during DMARC message authentication:
- Apply DMARC policy.
The DMARC policy is configured by the mail server administrator on the DNS server.
- Reject.
- Delete message.
- Skip.
- Click the Apply button in the lower part of the workspace.
Configuring detection of TempError during message authentication
If you want the TempError temporary error to be considered a message authentication violation, you can specify this setting for one or several rules.
Before specifying whether the TempError temporary error should be considered a message authentication violation, make sure that at least one type of message authentication is enabled in the settings of Kaspersky Secure Mail Gateway (Enabling and disabling SPF message authentication, Enabling and disabling DKIM message authentication, Enabling and disabling DMARC message authentication).
To specify whether the TempError temporary error should be considered a message authentication violation:
- In the main window of the application web interface, open the management console tree and select the Rules section.
- In the list of rules, click the name of the rule to open the rule for which you want to specify whether the TempError temporary error should be considered a message authentication violation.
- In the Authentication of Mail Sender section, do one of the following:
- Select the check box next to the name of the Consider temporary errors (TempError) as an authentication violation setting, if you want Kaspersky Secure Mail Gateway to consider temporary errors (TempError) as a message authentication violation.
- Clear the check box next to the name of the Consider temporary errors (TempError) as an authentication violation setting, if you do not want Kaspersky Secure Mail Gateway to consider temporary errors (TempError) as a message authentication violation.
- Click the Apply button in the lower part of the workspace.
Preparing to configure SPF and DMARC message authentication for outgoing messages
In order for the remote mail server to be able to perform message authentication when the message sender is Kaspersky Secure Mail Gateway (authentication of the sender of outgoing messages), you have to add the SPF and DMARC records to the settings of your DNS server.
To add SPF and DMARC records to the settings of your DNS server:
- Sign in to your DNS server under the administrator account.
- Locate the page with information on updating DNS records of the domain for whose addresses you want to configure authentication of senders of outgoing messages.
For example, this page can be named "DNS Management", "Name Server Management", or "Advanced Settings".
- Find records in TXT format for the domain for whose addresses you want to configure authentication of senders of outgoing messages.
- In the list of records in TXT format, add the SPF record for a certain domain with the following contents:
<name of the domain for whose addresses you want to configure SPF authentication of the sender of outgoing messages>. IN TXT "v=<SPF version> +all"
For example, you can add the following string:
example.com. IN TXT "v=spf1 +all"
See RFC 4408 for details on configuring settings of the SPF record.
- In the list of records in TXT format, add the DMARC record for a certain domain with the following contents:
_dmarc.<name of the domain for whose addresses you want to configure DMARC authentication of the sender of outgoing messages>. IN TXT "v=<DMARC version>; p=<action that the remote mail server will perform on all email messages that do not satisfy the DMARC requirements>;"
For example, you can add the following string:
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine;"
See DMARC documentation for details on configuring settings of the DMARC record.
- Save changes.
The syntax of the sample SPF and DMARC records is provided for purposes of adding it to the settings of a BIND DNS server. The syntax of the SPF and DMARC records to be added to other DNS servers may differ slightly from the examples provided.
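An added example, not part of the Kaspersky documentation: a short Python check to run on SPF and DMARC TXT values before publishing them. It flags `+all`, which under RFC 7208 (the successor to RFC 4408) makes every sending host pass SPF, along with DMARC records that do not enforce or report. The function names and finding texts are constructed for illustration; the two records in the demo are the samples from the procedure above.

```python
import re

# Terms that trigger a DNS query; RFC 7208 section 4.6.4 caps them at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt):
    """Return findings for one SPF TXT value (an empty list means nothing was flagged)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, saw_all, saw_redirect = [], 0, False, False
    for term in (t.lower() for t in terms[1:]):
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            saw_redirect = True
        if name == "all":
            saw_all = True
            if qualifier == "+":
                findings.append("+all: every host on the Internet passes SPF")
            elif qualifier == "?":
                findings.append("?all: unlisted hosts get neutral, same as no policy")
    if not saw_all and not saw_redirect:
        findings.append("no all/redirect: unlisted hosts get neutral")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: over the limit of 10 (permerror)")
    return findings

def audit_dmarc(txt):
    """Return findings for one DMARC TXT value published at _dmarc.<domain>."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not pairs or pairs[0][0].strip() != "v" or tags["v"] != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("p missing or invalid: no enforceable policy")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if policy in {"quarantine", "reject"} and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports will be received")
    return findings

if __name__ == "__main__":
    print(audit_spf("v=spf1 +all"))                # sample SPF record from this page
    print(audit_dmarc("v=DMARC1; p=quarantine;"))  # sample DMARC record from this page
    # Constructed record: 192.0.2.10 is a documentation address, not a real gateway.
    print(audit_spf("v=spf1 ip4:192.0.2.10 -all"))
```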