Skip to main content

Define external records

To help combat impersonation/spoofing attacks ensure that External DNS, DKIM and DMARC records are defined to take advantage of default out of the box rules.

Follow these steps, in the order they are presented:

DomainKeys Identified Mail (DKIM) adds a digital signature to safeguard the email content of your outbound source. Configuring DKIM increases your domain reputation with different providers.

Each domain covered by GravityZone Security for Email will have its own key, so each domain will need to be configured before it can be DKIM-enabled.


GravityZone Security for Email comes with a default system Message Rule called Apply DKIM which is enabled by default; however, outbound messages won't be signed unless you have configured outbound DKIM, by following the steps below.

  1. Go to Products > Product Configuration > Domains.

  2. To view the DKIM public key, click on the view email_sec_dkim.png button. Click the icon next to the domain you wish to configure to display the DKIM.

  3. Write a DNS txt entry for the domain.


    You need to create a txt record for ussems._domainkey.xxxxxx, where xxxxxx is your domain name.

    Here is an example of what should be seen on a nslookup. This entry should match the entry found in step 2.

  4. Repeat steps 1 to 3 for all of your domains and then wait for the domain TTL to expire.

  5. Return to the Domains section and click the Verify and Enable DKIM button. The DKIM status will be updated to Success if the DKIM key can be verified against the domain DNS. At least one domain must have DKIM verified in order to enable DKIM on your account.


    If you remove all DKIM verified domains, or wish to disable DKIM on your account please remember to verify DKIM again. If no domains can be verified then DKIM will be fully disabled.

If you want outbound mail to be DKIM-signed for some, but not all, of the domains on your account, follow the steps below.

  1. Go to Products > Custom Rule Data.

  2. Click the New button at the bottom of the screen and select Rule Data

  3. Enter a name, and Click Update.

  4. Add the domain(s) for which you would like to enable DKIM under Value.


    Keep each domain as a separate line.

  5. Click Save.

    A window appears with your domain’s DKIM key (public key).

  6. Go to Products > Message Rules.

  7. Click the Add Rule button.

  8. Enter a name click the Add button.

  9. Configure the new rule:

    1. Add the following conditions:

      Condition name

      Match type

      Condition value




      DKIM Enabled





      Select the Custom Rule Data previously created at step 3.

    2. Add the following action:

      Action name


      DKIM Signing

      RSA Key

  10. Click Save.

  11. Drag the rule to top of the Message Rules list to give it the highest priority.

  12. Search for the Apply DKIM signing system message rule in the Message Rule list and click the On button to turn the rule off.


GravityZone Security for Email provides the ability to participate in DMARC (Domain Message Authentication Reporting and Conformance) for email authentication.


For more information refer to How DMARC works.

Before configuring any DMARC DNS entry, you must ensure that the following are true:

Create a DNS Resource Record of type TEXT with a record name like _dmarc.domain.TLD. For example, the Resource Record name for domain is


The record name must start with _dmarc (including the underscore).

The text content of a simple starter record should be similar to:

v=DMARC1; p=none; ruf=mailto:[email protected]; aspf=s
  • aspf=s specifies "strict" checking of SPF (the default is "relaxed").

  • ruf= provides the email address to which DMARC failure reports should be sent.

  • p=none specifies a policy of "none" - the recipient should not reject or quarantine any messages simply because they do not align with this DMARC policy. The recipient could of course reject or quarantine the messages for other reasons.

You should start to receive reports to the email address you specified every 24 hours. After reviewing the reports and confirming that valid messages from your domains do pass evaluation, you may then request that recipients act on messages that do not align with the policy, by changing the policy to quarantine or reject.