DomainKeys Identified Mail (DKIM) is a method for email senders to digitally sign email messages in a way that can be verified by email receivers. This allows receivers to verify that the message truly came from the sender, and has not been tampered with. DKIM is intended to address some of the flaws in the existing email system, such as spoofing, phishing, and message tampering. 

How to Setup DKIM in Forcepoint-Websense

• Log in as an administrator to your Forcepoint control panel and navigate to the Settings > Inbound/Outbound > DKIM Settings page.
• Click “Add” under the DKIM Signing Keys section of the menu.
• It will launch the Add Signing Key page.
• Enter a name for your key in the Key Name area.

To create your key, perform the following action:

Select the Generate key (default) option where only a 1024-bit private key is supported by Forcepoint.

By going to the Settings > Inbound/Outbound > DKIM Settings page, you can import a DKIM signing key. To open a browser window, click“Import” and then click “Open” after finding the desired key file.

You can export a key by checking the box next to the key you wish to export in the signing keys table and clicking “Export” to open a browser window. Click “Save” after navigating to the chosen directory location

Creating a DKIM signing rule

A DKIM private and public key are connected to domains and email addresses using a DKIM signing rule. A DKIM signing rule, as its name implies, assists you in controlling DKIM signatures. It gives you the ability to sign only certain message headers, only a portion of the message body, or add additional signature tags as required.

With Forcepoint, deleting a DKIM signing rule is simple. Simply click “Delete” after checking the box next to the rule you want to remove.

How to Setup DKIM signing rule for your domain on Forcepoint.

1. To access the Add Signing Rule page, click “Add” under the DKIM Signing Rules section of the DKIM Settings page.
2. Enter a name for your rule in the Rule name entry area.
3. Type the domain name to which this signing rule applies in the space provided.
4. By choosing “Include user identification,” providing the name of the agent, and checking the box next to it, you can additionally include the identity of the user for whom the communications are signed. Keep in mind that this functionality is optional.
5. Enter the domain name selector you want to use in the Selector entry area.
6. You can now choose a signature key from the Signing key drop-down list to go along with your chosen DKIM signing rule.
7. To choose and add more signing guidelines and signature tags, click on “Advanced Options.”
8. To save changes to your DKIM signing rule, click “OK.” It should be noted that the procedure used to import or export your private key on Forcepoint is the same as the process used to import or export a DKIM signing rule.

Creating a DKIM public key 

Go to the DKIM Signing Rules table by selecting the link for the chosen rule in the DNS Text Record column to produce your DKIM public key for that rule. To create your DNS TXT record box with your public key information, a dialogue box will open. To view the public keys associated with each private key you’ve produced, click View.

Be aware that in order to query a domain during verification, the public keys for that domain must be published in the public-facing DNS. Multiple DKIM records for the same domain are not permitted in the DNS.

Note that by selecting “Test” against your desired rule on the DKIM Signing Rules table, you may check your setup signing rule on Forcepoint to make sure it is legal.

Activating DKIM authentication on Forcepoint

Go to Settings > Inbound/Outbound > DKIM Settings on Forcepoint to turn on DKIM signing and authentication. Select any one or more of the following alternatives for verification offered by Forcepoint by going to the “DomainKeys Identified Mail (DKIM) Verification” section:

• For inbound communications, enable DKIM verification. Only emails being sent to you by senders outside of your associated domains would be eligible for DKIM verification.
• For outgoing communications, enable DKIM verification. Only emails sent from your associated domains to your recipients would be eligible for DKIM verification.
• Activate DKIM verification for emails sent and received within your company.

You can use Skysnag’s free DKIM Checker to check the health of your DKIM record here

Enable DMARC for your domains to protect against spoofing. Sign up for a free trial today!

For more information on Forcepoint-Websense DKIM setup, you can refer to their reference documentation