How to configure DKIM and DMARC in Messaging Security Gateway?
To configure DKIM:
1. Navigate to Email Protection > Email Authentication > DKIM > General
2. For Enable, select On. A Policy Routes section appears
3. Enable Restrict processing to selected policy routes...
4. Confirm that the policy route default_inbound is present in the Require Any Of-list
5. Add any other required inbound policy routes to the Require Any Of-list
6. Click Save Changes
To enable DKIM signing:
DKIM signing is not required for authenticating incoming email, but needs to be set up if you want others to be able to authenticate emails coming from your organization.
1. Navigate to Email Protection > Email Authentication > DKIM Signing > General
2. For Enable, select On
3. Set the DKIM Signing Error to Reject the message temporarily
4. Click Edit Rule...
5. Make sure Delivery Method is set to Retry
6. Click Save Changes
7. Navigate to Email Protection > Email Authentication > DKIM Signing > Keys
8. Click Generate Key
9. Set Domain to the domain that the key should be signing
10. Set Selector to any alphanumeric string, at your discretion. The important thing is to NOT leave the field empty
11. Set Scope to either Any, Domain Including Sub-Domains or Exact Domain
12. Tick the Disable processing for selected policy routes... checkbox
13. Add all inbound policy routes to the Disable For Any Of-list
Once the key is generated, a DNS text record is also generated which will need to be published to your DNS servers. Click View in the DNS Text Record column to see the record for a specific key.
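Before relying on the published record, it helps to confirm that the TXT value survived the copy into DNS intact. The following is an added example, not part of the original article or of the MSG product: it derives the DNS name for a selector and checks a key record against the tag rules of RFC 6376. The selector, domain and key values are constructed placeholders.

```python
import base64
import re

# Constructed placeholder, not a real key; it only needs to be valid base64.
SAMPLE_KEY = base64.b64encode(b"constructed sample, not a real key" * 3).decode()
# The same record as a zone file often stores it: split into quoted chunks.
GOOD = f'"v=DKIM1; k=rsa; " "p={SAMPLE_KEY[:60]}" "{SAMPLE_KEY[60:]}"'
DAMAGED = f"v=DKIM1; k=rsa; p={SAMPLE_KEY[:-3]}!"  # constructed copy/paste damage
REVOKED = "v=DKIM1; p="

def dkim_record_name(selector: str, domain: str) -> str:
    """DNS name under which the key record for a selector is published."""
    if not re.fullmatch(r"[A-Za-z0-9]+", selector):
        raise ValueError("selector must be a non-empty alphanumeric string")
    return f"{selector}._domainkey.{domain.rstrip('.')}"

def join_txt_chunks(raw: str) -> str:
    """Concatenate the quoted strings of a TXT record, as a resolver does."""
    chunks = re.findall(r'"([^"]*)"', raw)
    return "".join(chunks) if chunks else raw.strip()

def check_dkim_record(raw: str) -> list[str]:
    """Return the problems found in a DKIM key record (empty list = OK)."""
    problems, tags = [], {}
    for part in join_txt_chunks(raw).split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            problems.append(f"malformed tag: {part.strip()!r}")
            continue
        tags[name.strip()] = re.sub(r"\s+", "", value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags['k']}")
    if "p" not in tags:
        problems.append("missing p= (public key)")
    elif tags["p"] == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    return problems
```

Feed `check_dkim_record` the TXT value returned by your DNS lookup tool for the name given by `dkim_record_name`, and compare it with the record shown under View in the DNS Text Record column.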
To enable DMARC:
If SPF is not enabled:
1. Navigate to Email Protection > Email Authentication > SPF > General
2. For Enable, select On. A Policy Routes section appears
3. Enable Restrict processing to selected policy routes...
4. Confirm that the policy route default_inbound is present in the Require Any Of-list
5. Add any other required inbound policy routes to the Require Any Of-list
6. Click Save Changes
If DKIM is not enabled:
Refer back to the instructions above, "To configure DKIM", regarding how to set up DKIM
Before you enable DMARC, ensure that you have also enabled the SPF and DKIM modules.
1. Navigate to Email Protection > Email Authentication > DMARC > General
2. For Enable, select On. A Policy Routes section appears
3. Enable Restrict processing to selected policy routes...
4. Confirm that the policy route default_inbound is present in the Require Any Of-list
5. Add any other required inbound policy routes to the Require Any Of-list
Important: Ensure that the same inbound policy routes that you selected for the SPF and DKIM modules are also on the Require Any Of-list
6. Click Save Changes
Article no: 000003216
Email messages are delivered but the sender gets an empty permerror email notification from MSG.
The PermError condition means that the sender's published SPF record could not be verified. PermErrors are usually caused by incorrect SPF syntax or a format error in the SPF record. You may advise the sender to ensure that their SPF record is set up correctly and does not have any extra spaces or unrecognizable characters in the DNS TXT record.
To prevent the sender from getting the same message, follow these instructions:
1. Log on to your MSG admin web user interface.
2. Click the Email Protection tab.
3. Expand Email Authentication > SPF > Rules.
4. Click on the Edit Rule option of SPF Permanent Error.
5. Under Dispositions, untick the "Reply to sender based on detected language" check box.
By disabling the option, senders should not receive the e-mail notification. If you want to use that option, leave the check box ticked and write a message in the Subject and Message fields.
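To show the sender what is wrong with their record, the TXT values can be checked offline for the causes named above. The following is an added example, not part of the original article or of the MSG product: a small linter for the syntax rules of RFC 7208, run over constructed sample records. It counts only the DNS-lookup terms visible in the record itself; nested includes add further lookups.

```python
import re

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT record sets (documentation addresses and domains).
GOOD = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"]
STRAY_SPACE = ["v=spf1 ip4: 192.0.2.10 -all"]
NBSP = ["v=spf1 include:_spf.example.net\u00a0-all"]  # pasted non-breaking space
DUPLICATE = ["v=spf1 mx -all", "v=spf1 a -all"]

def lint_spf(txt_records: list[str]) -> list[str]:
    """Return likely PermError causes for a domain's TXT records (empty = none)."""
    spf = [r for r in txt_records if re.match(r"v=spf1( |$)", r, re.I)]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    record, problems, lookups = spf[0], [], 0
    if re.search(r"[^\x21-\x7e ]", record):
        problems.append("non-printable or non-ASCII character in record")
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS | MODIFIERS:
            # Unknown name=value modifiers are ignored by SPF, not an error.
            if not re.fullmatch(r"[A-Za-z][\w.-]*=.*", body):
                problems.append(f"unknown term {term!r}")
            continue
        if body.endswith((":", "=")):
            problems.append(f"{term!r} has no value (stray space after it?)")
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems
```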
Article no: 000016530
Software in our environment sends out regular emails to internal and external recipients. A tag is added to the subject line to have these messages encrypted by MSG. Only the messages intended for internal recipients are being encrypted; all messages from the software to external recipients arrive unencrypted.
Start by verifying that these messages are being routed through the MSG-appliance. It is possible that the software has different routing rules based on domains and that the external traffic isn't routed to the MSG-appliance at all. In MSG, you can check the details of a message using Smart Search:
1. Log in to the MSG Web UI
2. Make sure the System tab is selected at the top
3. On the left-hand menu, navigate down to Smart Search > Search
4. Use the sender and/or recipient information to search for the message. Do note that the Time field is usually set to Last 24 Hours, which might be too restrictive, so expanding it to, for example, Last 7 Days is recommended.
5. If you find messages, you can verify their encryption status by checking the envelope symbol at the left of the message row. If it has a small lock on it, the message is encrypted.
6. Expand the message info by clicking the small + next to the envelope symbol to see more details. Here the Encryption field should also be set to Proofpoint Encryption/Secure Reader Encrypted if the message is encrypted.
If you find messages that should be encrypted but aren't, open a support ticket so that it can be investigated. Provide the appliance-ID and information about the messages so that we can identify them (sender/recipient info, time when it was sent, subject field text). A sample message saved as .eml or .msg is also useful.
To ensure that we can help you efficiently, please make sure that the following IP-addresses can access the MSG-appliance on ports 22 and 10000:
184.108.40.206 F-Secure Support / Kuala Lumpur
220.127.116.11 F-Secure Support / HTC Helsinki
18.104.22.168 Proofpoint
22.214.171.124 Proofpoint
126.96.36.199 Proofpoint
Article no: 000018154
Does MSG message encryption work normally when sending emails from a distribution list?
Yes, sending from a distribution list has no effect on the MSG message encryption functionality.
Article no: 000018149
After creating or modifying a Branding template, when adding the Title information and clicking Save, the saving request keeps hanging (Saving... Please wait) and the Title information is not being saved.
This happens if you are using empty spaces in the Title and also possibly when using different special characters, which are not supported. To resolve the issue, you will need to remove the spaces and the special characters.
Article no: 000006820
How to allow users to be able to see and manage the encrypted messages they have sent through Messaging Security Gateway using the end user web service?
To enable management of sent encrypted messages in the end user web service (euweb):
1. Log into the Messaging Security Gateway Web UI.
2. Click on the System tab.
3. From the left-side menu, navigate to End User Services > Web Application.
4. Under Settings, change Show Encryption Key Management to On.
5. Click Save Changes at the top left corner.
Article no: 000015840
Submitting a False positive or False negative for MSG
This article explains how you can send false spam positives and false spam negatives to Proofpoint for further analysis.
Both administrators and end users can report false positives and false negatives. For end users, the administrator must first enable end user digests. End users can then report false positives and false negatives from the digest. Reporting false negatives requires the use of the Audit folder in the Quarantine.
It also requires setting up a Spam Reporting Group.
False negatives are messages that are considered spam by the end user, but since they were scored below 50 by the MLX engine, they were delivered to the end user. By reporting these messages to the Proofpoint Attack Response Center (PARC), you can help improve spam effectiveness against that specific type of message.
In order to fully examine the reported message, PARC requires the entire original/unaltered message. Since the best way to capture the original message is in the quarantine (before it arrives at your mail server), we use the "Audit Messages" feature to store Not Spam messages in the Audit folder.
There are two steps required to enable the reporting of false negatives:
1. Enable Auditing in all Spam Policies
2. Enable Audit Messages for users
Enable Auditing in all Spam Policies
This option will quarantine (into the Audit folder) any message (<200K) marked as Not Spam that is also not being quarantined by any other rule.
1. Click Spam Detection > Policies.
2. Edit the Default policy.
3. Edit the Not Spam rule.
4. Select the Include in Audit folder box.
5. Click Save Changes.
6. Repeat these steps for all other spam policies.
Note: The "Not Spam" messages will not be copied into the Audit folder until the "Audit Message" feature is actually enabled for one or more users (next step).
Enable Audit Messages for users
1. Navigate to Groups and Users / Users and select the checkbox next to each user who will use this feature.
2. Click the Groups button.
3. Under the "Available Groups" column, click Spam Reporting, then click >> to move it under the "Add" column.
4. Click Save Changes.
Once these steps have been completed, mail marked as "Not Spam" will begin appearing in the Audit folder in the quarantine.
For performance reasons, we do not recommend that you enable Audit Messages for all users. If you do decide to enable it for all users, do so on Groups and Users / Global.
False positives are messages that are scored as spam but are considered valid e-mail by the end user. False positives are very rare and are treated with the highest priority by Proofpoint. Digests allow for the reporting of false positives in the default configuration. Users click the Not Spam link next to an individual message and that e-mail is then delivered directly from the Quarantine to the Proofpoint Attack Response Center.
If this link does not appear in your digest, check the following:
1. Click Digest / Commands / Display Spam False-Positive Link (on).
2. Click Digest / Filters / Modules. Click Spam, Options and then Digest Commands. "Report False Positive Spam" should be on the right-hand side.
3. Digest / Content / Labels. Verify the name assigned to "Report False Positive Spam".
Reporting directly from the Quarantine
An administrator can perform the same reporting function, but directly from the Quarantine:
1. Navigate to Quarantine / Messages.
2. Search for the message by Subject, Sender, Recipient, etc.
3. Select the checkbox next to the message and click Options / Report.
If you do not want your users to be able to report messages directly from their digest, and wish to only have administrators report directly from the quarantine, change the following options:
1. Digest > Commands. Disable "Report False Positive Spam".
2. Digest > Commands. Disable "Report False Negative Spam".
3. Groups and Users > Groups. Select the checkbox next to Spam Reporting and click Attributes. Set "Include Audit Messages in Digest" to "Default" and save.
These changes will still store both spam and not spam in the quarantine, but the end users will no longer see the Audit section in their digest and they will no longer see the "Not Spam" option in the Quarantine section.
Article no: 000001938
A user has forgotten their password to Secure Reader and there is no direct way to reset it.
For internal users, the password can be reset through the appliance webGUI:
1. Log in to the appliance webGUI
2. Go to the System tab
3. Navigate to User Management > Users on the right
4. Search for the user's email address
5. Click the email address to bring up the user details
6. Go to the Authentication tab
7. Click the Reset button next to the password
The user will get a welcome email with a temporary password and a link to the end user services that is valid for 30 minutes.
For external users, the recommendation from Proofpoint is to remove the user and have them re-register:
1. Log in to the appliance webGUI
2. Go to the System tab
3. Navigate to User Management > Users on the right
4. Search for the user's email address
5. Check the box to the left of the account that needs to be removed
6. Click the Delete button on top of the user list
The next time the user tries to access the Secure Reader, they will be prompted to create a new account.
Removing a user has no impact on how the user can access mails in the future. After re-registering, they will be able to access all their secure mails as before, as long as they are still stored on the appliance. Although the temporary password sent by the welcome email will work for an external user to access the Secure Reader, the link in the mail to the end user services will not. As this might cause unwanted confusion, the better solution is to remove the current user completely.
Article no: 000007798
Is it possible to schedule monthly reporting in MSG?
No, it's not possible. You can have reporting scheduled for selected days, so the longest interval is one week.
Article no: 000005286