Forcepoint SPF and DKIM configuration: Step By Step Guideline

November 17, 2023

4 Min Read

This instructional article will demonstrate the Forcepoint configuration process of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures to ensure Forcepoint passes the DMARC alignment check and eliminates spam from your domain, and increases security.

The SPF record identifies the mail servers and domains that are allowed to send email on behalf of your domain. The DKIM record, on the other hand, is a specially formatted DNS TXT record that stores the public key the receiving mail server will use to verify a message’s signature. These email authentication methods will be used to prove to ISPs and mail services that senders are truly authorized to send emails from a particular domain and are a way of verifying your email-sending server is sending emails through your domain.

The process of configuring SPF

In order to authenticate Forcepoint on SPF, please follow these steps:

Login and head to your DNS Zone provider
Create a new TXT record
Input the DNS name as @ or your domain name
Input the DNS value as v=spf1 include:mailcontrol.com ~all
Save the record
Wait up to 72 hours to allow your DNS to process the changes

Screenshot below will show you an example of the SPF record. We’ll be using CloudFlare for this example.

Important Note: Each domain must have only one SPF TXT Record. If you have multiple SPF Records, SPF will return a PermError.

If you are using multiple IPs, ESPs, Third-Party services for your various email strategies, you should include them in a single SPF Record.
E.g v=spf1 ip4:18.57.156.221 include:mailcontrol.com include:thirdpartyservice.com ~all

The process of configuring DKIM

In order to authenticate Forcepoint on DKIM, you need to configure a DKIM signing key, create a DKIM signing rule, and enable DKIM verification.

Use the following steps to create a DKIM signing key:

Head to your ForcePoint platform
Head to the Settings > Inbound/Outbound > DKIM Settings page
Click Add in the DKIM Signing Keys section to open the Add Signing Key page.
Enter a name for your key in the Key name entry field.
Select one of the following options for creating your key:

Generate key (default) to create the private key. Only 1024-bit keys are supported.
Private key to enter a key you have already created. Paste the key in the entry box.

6. Click OK.

Use the following steps to create a DKIM signing rule in the Settings > Inbound/Outbound > DKIM Settings page:

Click Add in the DKIM Signing Rules section to open the Add Signing Rule page
Enter a name for your rule in the Rule name entry field
Enter the name of the domain to which this signing rule applies
If desired, mark the Include user identifier check box to include the identity of the user or agent for whom the message is signed
Enter the user identifier in the User identifier entry field (optional). This field is not enabled if the Include user identifier check box is not marked
Enter the domain name selector in the Selector entry field. A selector is a name component provided in addition to the domain name used in the DNS public key query. A given domain may have multiple selectors
Select the signing key you want to associate with this rule from the Signing key drop-down list of existing keys

Import Note: you can click Advanced Options to open a box with additional optional rule settings if you intend to create additional rules.

8.From the Signing rule options drop-down list, select Sign email messages. Then create a list of email addresses to which this option applies.

9.Click OK

To enable DKIM verification, please follow the steps below:

Head to the Settings > Inbound/Outbound > DKIM Settings page
In the DomainKeys Identified Mail (DKIM) Verification section, mark the following check box to activate DKIM verification: