This article outlines how to manage DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) when using the KnowBe4 gateway. Proper configuration ensures that your secure emails are delivered reliably without being flagged as spam.
DKIM Considerations
DKIM signatures are calculated based on the email headers and body content. If an email is signed before it reaches the KnowBe4 gateway, the gateway's encryption process then alters the message body, causing DKIM verification to fail at the recipient's end.
This most commonly occurs in Microsoft 365 Exchange Online environments, where mail is signed before being routed to the gateway.
To prevent verification failures, KnowBe4 can adjust the gateway behavior to handle signatures correctly:
- The gateway scans incoming mail for existing DKIM signatures.
- The gateway removes the original, invalid signatures from the email headers.
- The gateway applies the required encryption.
- The mail is passed back to your mail server, which applies a new and valid signature before final delivery.
If your email environment signs emails before encryption, contact our support team to enable DKIM header stripping for your gateway.
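To confirm on a captured message that a signature was applied before the body changed, recompute the body hash and compare it with the bh= tag of each DKIM-Signature header. The following is an added example, not KnowBe4 code: it follows the body canonicalization rules of RFC 6376, checks only the body hash (not the b= signature, which requires the signer's public key from DNS), and the sample message, domain and selector are constructed.

```python
import base64
import hashlib
import re
from email import message_from_bytes


def canon_body(body: bytes, relaxed: bool) -> bytes:
    """Canonicalize a body per RFC 6376 sections 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if relaxed:
        # Collapse runs of spaces/tabs, then drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, tags: dict) -> str:
    """Base64 body hash as a signer or verifier computes it for these tags."""
    relaxed = tags.get("c", "simple/simple").partition("/")[2] == "relaxed"
    data = canon_body(body, relaxed)
    if "l" in tags:
        data = data[: int(tags["l"])]  # optional signed-length limit
    algo = tags.get("a", "rsa-sha256").rpartition("-")[2]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def body_hash_status(raw: bytes) -> list:
    """One bool per DKIM-Signature header: does bh= still match the body?"""
    body = raw.partition(b"\r\n\r\n")[2]
    status = []
    for sig in message_from_bytes(raw).get_all("DKIM-Signature", []):
        pairs = (t.partition("=") for t in str(sig).split(";") if "=" in t)
        tags = {k.strip(): "".join(v.split()) for k, _, v in pairs}
        status.append(body_hash(body, tags) == tags.get("bh"))
    return status

# Constructed sample: the b= value is a placeholder, only bh= is meaningful here.
TAGS = {"a": "rsa-sha256", "c": "relaxed/relaxed"}
BODY = b"Quarterly figures attached.\r\n"
HEADERS = (
    b"From: alice@example.com\r\nSubject: Q3\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    b" s=sel1; h=from:subject; bh=" + body_hash(BODY, TAGS).encode() + b"; b=PLACEHOLDER\r\n"
)
SIGNED = HEADERS + b"\r\n" + BODY
# Stand-in for the gateway's encryption step: any change to the body bytes.
REWRITTEN = HEADERS + b"\r\n" + b"-----BEGIN ENCRYPTED CONTENT-----\r\n...\r\n"
```

A result of `False` for a message leaving the gateway means it still carries a signature made over the pre-encryption body, which is the case DKIM header stripping addresses.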
DMARC Considerations
DMARC is a policy that instructs receiving servers on how to handle mail that fails Sender Policy Framework (SPF) or DKIM checks. If the KnowBe4 gateway is not properly integrated into your mail flow, returned mail might be routed to junk or quarantine folders.
To ensure DMARC policies do not negatively impact your mail flow, you must add the KnowBe4 gateway IP address to your Connection Filter in Exchange or Microsoft 365. This action excludes the gateway from internal spam checks that could trigger DMARC failures.