DKIM Signing

DomainKeys Identified Mail (DKIM) is an authentication method designed to protect recipients from spoofed messages. DKIM authenticates the message sender address and message body to provide validation that the sender has not been forged and that the message has not been altered.

When DKIM signing is enabled, the cloud service signs outgoing messages from specified sender domains/subdomains with a private key, adding a DKIM-Signature header. Recipient servers can use the information in this header to perform a DNS lookup. The DNS response provides the Forcepoint public key, which can be used to verify the signature in the header and authenticate the message.
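The lookup described above, as an added example that is not Forcepoint code: it parses a DKIM-Signature header value and derives the DNS name a recipient queries for the public key, following the `<selector>._domainkey.<domain>` convention of RFC 6376. The header, selector and domain below are constructed sample values, and the function names are hypothetical.

```python
import re

# Tags that RFC 6376 section 3.5 marks as REQUIRED in a DKIM-Signature header.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_dkim_signature(header_value):
    """Parse a DKIM-Signature header value into a dict of tag -> value."""
    # Unfold the header: a folded line continues with leading whitespace.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value.strip())
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ";" is allowed
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {item!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        value = value.strip()
        # b= and bh= carry base64; whitespace inside them is not significant.
        if name in ("b", "bh"):
            value = re.sub(r"\s+", "", value)
        tags[name] = value
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("missing required tags: " + ", ".join(missing))
    return tags


def key_lookup_name(tags):
    """DNS name queried for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


# Constructed sample header (folded as it would appear on the wire).
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.com;\r\n"
    "\ts=selector1; h=from:to:subject:date;\r\n"
    "\tbh=Zm9vYmFy Zm9vYmFy;\r\n"
    "\tb=QUJD REVG\r\n\t R0hJ;"
)

if __name__ == "__main__":
    print(key_lookup_name(parse_dkim_signature(SAMPLE)))
```

Comparing the derived name with the records you have published is a quick way to confirm that the selector and signing domain in a signed test message match what recipients will actually look up.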

A DKIM signing rule defines which of your sender domains/subdomains to protect with a specified signing domain. Granular sender/recipient options can be applied, to include or exclude specific sender addresses, or sender/recipient combinations.

Important:

A single signing domain can be used by multiple rules to validate different sender subdomains. A sender domain/subdomain can only be signed by one signing domain, and consequently can only be added to one rule.

Before enabling a signing rule, you must publish DNS CNAME records for your signing domain. CNAME records enable the DNS lookup to Forcepoint in order to provide the public key to recipient mail servers. Details of the CNAME records you must publish can be found on the DNS Records and Service IPs page. See DNS records and service IP addresses for more information.