1. Cisco Secure Email Gateway Configuration Guide, 14.0, "Email Authentication" chapter, "Configuring the System to Sign Outgoing Messages Using DKIM" section.
This document outlines the precise procedure. Step 1 is "Create signing keys," which corresponds to the Public/Private keypair. Step 2 is "Create a domain profile for each domain for which you want to sign messages," which corresponds to the Domain signing profile. The guide states, "A domain profile specifies the domain name, the selector, and the private key to use when signing messages from that domain." This directly supports the selection of C and D.
2. Cisco Secure Email Gateway Configuration Guide, 14.0, "Email Authentication" chapter, "About DomainKeys Identified Mail (DKIM) Signing" section.
This section explains the mechanism: "DKIM signing adds a digital signature to messages, using a private key. The corresponding public key is published in the DNS." This confirms the fundamental role of the Public/Private keypair (Option C) in the DKIM process.
3. Cisco Secure Email Gateway Configuration Guide, 14.0, "Email Authentication" chapter, "About Domain-based Message Authentication, Reporting, and Conformance (DMARC)" section.
This section clarifies that DMARC is used for "DMARC verification for incoming mail," confirming that a DMARC verification profile (Option A) is for inbound mail processing, not outbound signing.