DNS records and service IP addresses
MX record DNS entries
Forcepoint Email Security Cloud uses customer-specific DNS records to route email from the service to your email gateway, and from your email gateway back to the service. You can view your customer-specific DNS records by selecting
. The records are listed under MX Record DNS entries.
CNAME records
The CNAME Records section lists the DNS CNAME records you must publish in order to enable DKIM signing for outbound messages (see DKIM Signing). The domains listed on this page include a code that is unique to your account.
Prior to enabling a DKIM signing rule, you must create CNAME records in each domain you wish to use as the DKIM signing domain (note that the same DKIM signing domain can be used for all sender domains that are sub-domains of the signing domain).
The public/private key pairs used for DKIM signing are managed by Forcepoint, and are rotated periodically, with a period of validity overlap to allow the successful signing of delayed messages. Two CNAME records must be published for each of your signing domains, enabling a DNS lookup to validate signed messages.
In the DNS records for your signing domain, map the host subdomains listed in the table to the corresponding out.mailcontrol.com domain. For example:
Type | Host | Points to |
---|---|---|
CNAME | fpkeyNNN-1._domainkey | fpkeyNNN-1._domainkey.out.mailcontrol.com |
CNAME | fpkeyNNN-2._domainkey | fpkeyNNN-2._domainkey.out.mailcontrol.com |
Keys are automatically rotated after six months. Forcepoint will publish the TXT record for the secondary key (fpkeyNNN-2) six months after the creation of the fpkeyNNN-1 record. Customers are required to add both CNAME entries at the outset, so that key rotation can occur without further action needed.
Note that NNN in the examples above represents a number unique to your account.
Use the CNAME Record check function on the Antispoofing tab to ensure that your CNAME records have been published correctly. See Enabling a DKIM signing rule.
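The following is an added example, not Forcepoint's own code or the portal's check function: a small audit that confirms both CNAME records exist for a signing domain and point at the matching out.mailcontrol.com name. The account code 123, the domain example.com, the function names, and the use of dig for live lookups are assumptions for illustration. Only the CNAME is checked, because the TXT record behind fpkeyNNN-2 is not published until rotation.

```python
"""Added example: audit the two DKIM CNAME records for a signing domain."""
import subprocess

SERVICE_SUFFIX = "out.mailcontrol.com"  # target domain from the table above


def expected_cnames(signing_domain, account_code):
    """Return {owner name: expected target} for both selectors (-1 and -2)."""
    records = {}
    for n in (1, 2):
        host = f"fpkey{account_code}-{n}._domainkey"
        records[f"{host}.{signing_domain}".lower()] = f"{host}.{SERVICE_SUFFIX}"
    return records


def normalize(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()


def dig_cname(name):
    """Live lookup (assumes dig is installed); returns the target or None."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, timeout=10).stdout
    answers = out.split()
    return answers[0] if answers else None


def audit(signing_domain, account_code, lookup=dig_cname):
    """Return {owner: 'ok' | 'missing' | 'wrong target: <name>'}."""
    report = {}
    for owner, target in expected_cnames(signing_domain, account_code).items():
        found = lookup(owner)
        if found is None:
            report[owner] = "missing"  # rotation to this key would break signing
        elif normalize(found) == normalize(target):
            report[owner] = "ok"
        else:
            report[owner] = f"wrong target: {normalize(found)}"
    return report


# Constructed zone data: selector 1 is correct, selector 2 was never published.
SAMPLE_ZONE = {
    "fpkey123-1._domainkey.example.com": "FPKEY123-1._domainkey.out.mailcontrol.com.",
}

if __name__ == "__main__":
    for owner, status in audit("example.com", "123", SAMPLE_ZONE.get).items():
        print(f"{owner}: {status}")
```

Call audit() with only the domain and account code to query live DNS through dig instead of the constructed sample data.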
Service IP addresses
Because Forcepoint Email Security Cloud is a hosted service, we are responsible for managing system capacity. For this reason, we may occasionally choose to alter the route of your email within our service. To enable us to do this seamlessly without requiring you to make further changes, you must allow SMTP connections from all the IP ranges listed under Service IP Addresses on this page. To access the cloud portal, ensure that ports 80 and 443 are also permitted for these IP ranges.