Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Scope of Enable DKIM signing for outgoing mess...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scope of Enable DKIM signing for outgoing messages
Hello everybody,
I do have a FortiMail question that may seem very basic but it may potentially have a big impact on the whole configuration. Basically, I just want to make sure that I do understand "Enable DKIM signing for outgoing messages" correctly.
I'm currently in the process of testing DKIM for outgoing messages on a production FortiMail (v. 7.2.0).
- I've configured the test domain as a separate protected domain,
- configured a matching selector (is it true that the selector has to be named just like the domain? If so: Why can you even configure different names? It would make sense to use different names if the resulting dns-name is already taken. Moreover, it can only be applied to the protected domain, no associated domains) and
- downloaded and implemented the TXT in our DNS.
Now, all that seems to be left is to "Enable DKIM signing for outgoing messages" in the SessionProfile for Outgoing Mails. My concern is the following: If I do this, it will be enabled for all of our outgoing mails from our mailserver environment. My guess is that the setting will only be applied to mails that match my test domain that is currently the only domain with a DKIM selector configured on the FortiMail. Is that correct? We do have another protected domain with a number of associatiated domains. Will the setting have any impact on the Domains without a DKIM selector? I see no other way than to enable it for all of our outgoing traffic as it is merely IP-based and session profiles and IP policies cannot be configured domain-based.
Thank you in advance for your help!
Labels:
- Labels:
-
FortiMail
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Anonymous
Not applicable
Created on 07-20-2022 01:30 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @prin,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Prin,
Based on the information provided, If you enable DKIM signing for outgoing messages for a protected domain from the given settings as shown below:
This setting will be only applied to the domain that is enabled, in your case will be the test domain that has the only DKIM selector configured.
This setting doesn't impact the other domains without the DKIM selector.
Please also notice that you can use any name for the DKIM selector, there is not a restriction in this option.
Best regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gtreminio and Aashiq_Z,
thank you very much for your replies. We'll start testing soon. One more piece of advice: In the Fortinet Document Library it says: "Note that the selector name must match its corresponding domain name (in this example fortinet.com)". Source: docs.fortinet.com If this is incorrent, it should be changed.
Thanks and kind regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello!
Just implementing DKIM signing of outgoing mails on a FortiMail. FortiMail is acting as a smarthost for M365 mail accounts. At M365 side DKIM signing is deactivated for both initial "onmicrosoft.com" and custom domain.
My understanding is that at FortiMail side BOTH settings
1) "Enable DKIM signing for outgoing messages" in the SessionProfile for outgoing mails
AND
2) "DKIM signing for outgoing email" for the protected domain (together with an active key selector)
have to be enabled in order to effectively have DKIM signing really in place (by FortiMail).
If 1) or 2) is not enabled then there should be no DKIM signing for outgoing mails.
Though my observations are different: If either 1) OR 2) is enabled then the DKIM signature is visible at the mail recipient side (for the mails sent by FortiMail acting as smarthost).
Is there anything missing or is my understanding wrong?
Thanks in advance for your feedback !
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Yoda
So if I understand well:
- Use 1 to enable dkim signing at session profile level (cause you may need it disabled on other session profiles)
- Use 2 to enable it globally for the domain
(My assumption needs to be double checked)
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi AEK,
Yes - 1) and 2) settings are both enabled, so DKIM signing is taking place - as expected.
But I would expect that if one of "DKIM signing for outgoing messages/email" setting in 1) OR 2) is disabled then DKIM signing should NOT take place. In fact it needs only one of both settings to have DKIM signing in place (as observed at mail recipient side).
Yoda
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Can't see emails between my two... 485 Views
- Problem with DKIM associated domains 737 Views
- Fortimail - No incoming mails(external) -... 1357 Views
- Persistent One Way Audio Issues, no... 1698 Views
- OSPF hello message received on outgoing... 1121 Views
Labels
-
FortiGate
8,498 -
FortiClient
1,721 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
187 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.