Hexamail Guard Configuration Reference [Secure]

[Secure]

The following settings can be used in this section:

Enable
You can turn off all secure email features using this switch
bool
On/Off, True/False, Yes/No, 1/0
On
Enable=On
DKIMEnable
DomainKeys Identified Mail (DKIM) defines a mechanism by which email messages can be cryptographically signed, permitting a signing domain to claim responsibility for the introduction of a message into the mail stream. Message recipients can verify the signature by querying the signer's domain directly to retrieve the appropriate public key, and thereby confirm that the message was attested to by a party in possession of the private key for the signing domain.
false
DKIMEnable=false
DKIMSPx
Not all messages are signed, and the absence of a signature is not by itself evidence of forgery. A domain that signs all of its outgoing mail, for example to protect its brand, may wish to advertise that fact; this is the purpose of Author Domain Signing Practices (ADSP, RFC 5617). A receiving host performs an Author Signing Practices check by querying DNS for the practice the author domain advertises. If you publish the DNS entries shown in your DNS management console, you can state that only some of your email is signed (Unknown) or that all of it is (All), and remote servers will act accordingly when they receive unsigned email that should have been signed. Discardable means you are content for unsigned email claiming to come from your domain to be discarded. Note that ADSP was never widely deployed and RFC 5617 has since been reclassified as Historic; receivers act on the DMARC record (the DMARC settings below) instead, so treat this setting as a legacy option.
Unknown
DKIMSP%d=Unknown
DMARCdptypex
The DMARC policy (p= tag) that tells receiving servers how to handle messages using your domain that fail DMARC, that is, messages with neither an SPF pass nor a DKIM pass aligned with the From domain. DMARC defines three policies: none, quarantine and reject. If you are unsure whether every legitimate source of your domain's email is authenticating, choose 'None': nothing is blocked, and you still receive the reports that show which sources are failing, so you can fix them before moving to a stricter policy.
None
DMARCdptype%d=None
DMARCsdptypex
The policy (sp= tag) for messages from subdomains of your domain that fail DMARC; if it is not published, receivers apply the main policy to subdomains as well. If you are unsure whether your subdomains are authenticating all their email, choose 'None'. You will still receive reports.
None
DMARCsdptype%d=None
DMARCaggemailx
The mailbox (rua= tag) to which receivers send aggregate reports: periodic XML summaries, by sending IP address, of how much email using your domain passed or failed SPF and DKIM and what was done with it. These reports are the evidence you need before moving from 'None' to 'Quarantine' or 'Reject'.
DMARCruasizex
The maximum size of the aggregate (RUA) report emails you are willing to receive; most email servers restrict message size, and DMARC expresses the limit as a size suffix on the rua= address. Set to 0 to not enforce a size restriction.
2 mbytes
DMARCruasize%d=2
DMARCfemailx
The mailbox (ruf= tag) to which receivers send failure reports: copies or redacted samples of individual messages that failed SPF and DKIM checks for your domain. Many large receivers do not send failure reports at all, and a sample can contain the content of the failing message, so handle this mailbox like any other store of sensitive data.
DMARCrufsizex
The maximum size of the RUF email files to send, most email servers have size restrictions. Set to 0 to not enforce a size restriction.
2 mbytes
DMARCrufsize%d=2
DMARCrepfmtx
The format (rf= tag) in which you want failure reports sent: 'afrf', the Authentication Failure Reporting Format (RFC 6591), or 'iodef', the Incident Object Description Exchange Format. RFC 7489 defines only afrf; iodef dates from early DMARC drafts, and a receiver that does not recognize a value should ignore the tag and may ignore the whole record. Leave this at afrf.
afrf
DMARCrepfmt%d=afrf
DMARCrepintervalx
The interval in minutes at which you ask receivers to generate aggregate reports, between 1 and 999999; 1440 represents 1 day. It is published in the ri= tag, which DMARC counts in seconds. Receivers must be able to deliver daily reports and should support hourly ones, but anything other than daily is best effort, so leave this at 1440 unless you have a reason to change it.
1440 mins
DMARCrepinterval%d=1440
DMARCpercentx
The percentage (pct= tag) of failing messages from your domain to which you want receivers to apply the policy; we recommend 100%. Values below 100 exist for a staged rollout of quarantine or reject: failing messages not selected are treated as if the next less strict policy applied. With a policy of 'None' the percentage makes no difference.
100 %
DMARCpercent%d=100
DMARCdkimalignx
DKIM alignment mode (adkim= tag). 'Relaxed' accepts a DKIM signature whose d= domain shares the organizational domain with the From address, for example mail.mydomain.com signing for mydomain.com; 'Strict' requires the two domains to be identical. We recommend leaving it as 'Relaxed' unless every signing domain exactly matches the From domain.
Relaxed
DMARCdkimalign%d=Relaxed
DMARCspfalignx
SPF alignment mode (aspf= tag). 'Relaxed' accepts an SPF pass for an envelope sender (MAIL FROM) domain in the same organizational domain as the From address; 'Strict' requires the two to be identical. We recommend leaving it as 'Relaxed' unless your envelope sender domain always matches the From domain exactly.
Relaxed
DMARCspfalign%d=Relaxed
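Worked example of the records these settings describe. This is an added illustration, not code from Hexamail or its documentation: it builds the _dmarc TXT value from the DMARC* setting values (this page's setting names are used as parameter names), the legacy ADSP record behind DKIMSPx, then parses a record and applies the adkim/aspf alignment rule to reach a verdict. The domains and mailboxes are placeholders, and the organizational-domain lookup is simplified to the last two labels, an assumption that real receivers replace with the Public Suffix List.

```python
"""Added example (not Hexamail code): the DNS records behind the DMARC* and DKIMSPx
settings, and how the adkim/aspf alignment choice decides a verdict.

Record syntax follows RFC 7489 (DMARC) and RFC 5617 (ADSP). Organizational-domain
lookup is simplified to 'last two labels' (an assumption; real receivers use the
Public Suffix List, so co.uk-style domains need it).
"""
from typing import Dict, Iterable, Optional, Tuple

POLICIES = ("none", "quarantine", "reject")
ALIGNMENT = {"relaxed": "r", "strict": "s"}


def dmarc_record(dptype="None", sdptype="None", aggemail="", femail="", repfmt="afrf",
                 repinterval_min=1440, percent=100, dkimalign="Relaxed", spfalign="Relaxed") -> str:
    """TXT value for _dmarc.<domain>, built from the DMARC* settings (names as on this page).
    The page's interval is in minutes; the ri= tag is in seconds."""
    p, sp = dptype.lower(), sdptype.lower()
    if p not in POLICIES or sp not in POLICIES:
        raise ValueError("policy must be None, Quarantine or Reject")
    if not 0 <= percent <= 100:
        raise ValueError("pct must be 0-100")
    tags = [("v", "DMARC1"), ("p", p), ("sp", sp)]          # v= must come first
    if aggemail:
        tags.append(("rua", "mailto:" + aggemail))
    if femail:
        tags.append(("ruf", "mailto:" + femail))
    tags += [("rf", repfmt), ("ri", str(repinterval_min * 60)), ("pct", str(percent)),
             ("adkim", ALIGNMENT[dkimalign.lower()]), ("aspf", ALIGNMENT[spfalign.lower()])]
    return "; ".join(f"{k}={v}" for k, v in tags)


def adsp_record(dkimsp="Unknown") -> Tuple[str, str]:
    """(owner label, TXT value) for the legacy ADSP record behind DKIMSPx."""
    practice = dkimsp.lower()
    if practice not in ("unknown", "all", "discardable"):
        raise ValueError("ADSP practice must be Unknown, All or Discardable")
    return "_adsp._domainkey", f"dkim={practice}"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """tag=value pairs of a published record; rejects records a receiver would ignore."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if part.strip():
            k, _, v = part.partition("=")
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(fqdn: str) -> str:
    """Simplified organizational domain: last two labels (assumption, see module docstring)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: identical domains. Relaxed: same organizational domain (mail.x.com vs x.com)."""
    if mode not in ("r", "s"):
        raise ValueError("alignment mode must be r or s")
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_verdict(tags: Dict[str, str], record_domain: str, from_domain: str,
                  dkim_pass_domains: Iterable[str], spf_pass_domain: Optional[str]) -> str:
    """'pass' if any DKIM pass (d=) or the SPF pass (MAIL FROM domain) aligns with the
    RFC5322.From domain; otherwise the policy the receiver applies (sp= for subdomains)."""
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    if any(aligned(from_domain, d, adkim) for d in dkim_pass_domains):
        return "pass"
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, aspf):
        return "pass"
    is_subdomain = from_domain.lower() != record_domain.lower()
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


if __name__ == "__main__":
    # Constructed settings for mydomain.com, the placeholder domain used on this page.
    txt = dmarc_record("Quarantine", "Reject", aggemail="dmarc@mydomain.com")
    print("_dmarc.mydomain.com TXT", txt)
    print("_adsp._domainkey.mydomain.com TXT", adsp_record("Unknown")[1])
    tags = parse_dmarc(txt)
    # Signed with d=mail.mydomain.com but From: @mydomain.com: passes relaxed, fails strict.
    print(dmarc_verdict(tags, "mydomain.com", "mydomain.com", ["mail.mydomain.com"], None))
    strict = parse_dmarc(dmarc_record("Quarantine", "Reject", dkimalign="Strict", spfalign="Strict"))
    print(dmarc_verdict(strict, "mydomain.com", "mydomain.com", ["mail.mydomain.com"], None))
```

Running it prints the record for a Quarantine/Reject policy and shows the same DKIM signature (d=mail.mydomain.com) passing under relaxed alignment and being quarantined under strict. Publish the TXT value at _dmarc.<your domain> and query it back (for example with dig -t TXT _dmarc.mydomain.com) before relying on it.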
DKIMSelectorxEnable
You can turn off signing with this DKIM selector using this switch. DomainKeys Identified Mail (DKIM) lets a server cryptographically sign outgoing email; each signature is made with a specific 'selector', which is essentially a named public/private key pair. The signing server hashes the canonicalized headers and body and signs the hash with the selector's private key; the recipient server looks up the public key in DNS (at <selector>._domainkey.<domain>), verifies the signature with it, and compares the body hash against its own hash of the message to confirm the email has not been altered in transit. Be sure to republish your selector DNS entries if you change any settings, and be aware that if email has already been signed but not yet delivered, changing the selector settings may invalidate those signatures so that remote servers no longer accept them. If you wish to change settings it is best to create a new selector and DNS record, start signing with that, and disable old selectors once they are no longer required; keep an old public key published until email signed with it has stopped circulating.
true
DKIMSelector%dEnable=true
DKIMSelectorxDomain
DKIMSelectorxUID
text
DKIMSelector%dUID=MySelector
DKIMSelectorxSelector
To support multiple concurrent public keys per signing domain, the key namespace is subdivided using "selectors". For example, selectors might indicate the names of office locations (e.g., "sanfrancisco", "coolumbeach", and "reykjavik"), the signing date (e.g., "january2005", "february2005", etc.), or even the individual user. Selectors are needed to support some important use cases: domains that want to delegate signing capability for a specific address for a given duration to a partner, such as an advertising provider or other outsourced function; domains that want to allow frequent travellers to send messages locally without the need to connect to a particular Mail Submission Agent (MSA); and "affinity" domains (e.g., college alumni associations) that provide forwarding of incoming mail but do not operate a mail submission agent for outgoing mail. Periods are allowed in selectors and are component separators: when keys are retrieved from the DNS, periods in selectors define DNS label boundaries in the same way as in domain names, so selector components can combine dates with locations, for example "march2005.reykjavik", and a portion of the selector namespace can be delegated in DNS. Because each third party holds the private key for the selector you give it, use a separate selector (and ideally a separate subdomain) per partner so that a key can be revoked by deleting one DNS record.
DKIMSelector%dSelector=general
DKIMSelectorxGranularity
This lets you restrict a selector to specific sending addresses. For example, if you specify offers* then email whose From address matches offers* (e.g. offers-now@mydomain.com) is signed with this selector, and the recipient verifies it as expected. Hexamail ensures that the local-part of the "i=" tag of the DKIM-Signature header field (or its default value of the empty string if "i=" is not specified) matches this granularity setting. A single optional "*" character matches a sequence of zero or more arbitrary characters ("wildcarding"), so patterns such as "user+*" or "*-offer" are possible. A signing address that does not match the value constitutes a failed verification. The intent is to constrain which signing address can legitimately use this selector, for example when delegating a key to a third party that should only be used for special purposes. An empty granularity value never matches any address; use * to mean any address at your domain. Caveat: the g= tag comes from RFC 4871 and was removed in RFC 6376, so current verifiers ignore it; do not rely on it as the only control over a delegated key, and prefer a dedicated selector (and subdomain) for each third party instead.
*
DKIMSelector%dGranularity=*
DKIMSelectorxNotes
Notes that might be of interest to a human, e.g. a URL like http://www.hexamail.com/ No interpretation is made by any program. This tag should be used sparingly due to space limitations in DNS. This is intended for use by administrators, not end users.
DKIMSelector%dNotes=This is for general use, setup by Geoff
DKIMSelectorxSub
This setting controls whether subdomains are allowed in the identity tag of email signatures. If subdomains are not allowed, the following applies: Any DKIM-Signature header fields using the "i=" tag MUST have the same domain value on the right-hand side of the "@" in the "i=" tag and the value of the "d=" tag. That is, the "i=" domain MUST NOT be a subdomain of "d=". Prohibiting subdomaining is RECOMMENDED unless subdomaining is required.
Off
DKIMSelector%dSub=Off
DKIMSelectorxSigAlg
The hash algorithm used in the signature (a= tag; sha256 selects rsa-sha256). rsa-sha256 is the algorithm every DKIM verifier must support; RFC 8301 withdrew rsa-sha1, so current verifiers treat a SHA-1 signature as though the message were unsigned. Leave this at sha256.
sha256
DKIMSelector%dSigAlg=sha256
DKIMSelectorxCanHeader
Header canonicalization (the first half of the c= tag). 'Simple' hashes the signed header fields byte for byte, so any change by a relay, even re-folding a long line or altering the case of a field name, breaks the signature. 'Relaxed' lowercases field names, unfolds lines and collapses whitespace before hashing, so the signature survives such benign changes. Relaxed is the usual choice for outbound email that may pass through mailing lists or other relays.
Relaxed
DKIMSelector%dCanHeader=Simple
DKIMSelectorxCanBody
Body canonicalization (the second half of the c= tag). 'Simple' only removes empty lines at the end of the body; 'Relaxed' also strips trailing whitespace from each line and collapses runs of whitespace. Relaxed is the more robust choice; simple gives slightly stronger integrity guarantees at the cost of more spurious verification failures.
Relaxed
DKIMSelector%dCanBody=Simple
DKIMSelectorxTesting
If you are testing, enable this setting (the y flag of the t= tag) so that remote recipient servers ignore signatures made with this selector. Verifiers MUST NOT treat messages from signers in testing mode differently from unsigned email, even should the signature fail to verify; they MAY track testing mode results to assist the signer. Turn it off once verification works, because a selector left in testing mode gives your email no protection.
Off
DKIMSelector%dTesting=Off
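Worked example of what the canonicalization settings change, added here and not taken from Hexamail: it implements the simple and relaxed header and body canonicalization of RFC 6376 and the bh= body hash with the standard library, and assembles the selector TXT value that the DKIMSelectorx* settings correspond to. The message text and the key in the p= tag are constructed placeholders, and the signing step itself (RSA over the header hash) is left out because the standard library has no RSA; canonicalization is the part these settings choose.

```python
"""Added example (not Hexamail code): what DKIMSelectorxCanHeader / CanBody select,
and the selector TXT record the DKIMSelectorx* settings describe.

Implements RFC 6376 header/body canonicalization and the bh= body hash with the
standard library only. The RSA signature over the header hash is omitted.
"""
import base64
import hashlib
import re

CRLF = "\r\n"


def canon_body(body: str, mode: str) -> str:
    """'simple' or 'relaxed' body canonicalization (RFC 6376 3.4.3 / 3.4.4)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    lines = body.split(CRLF)
    if mode == "relaxed":
        # collapse runs of WSP to one SP, then drop trailing WSP on every line
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    # both modes ignore empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return CRLF if mode == "simple" else ""   # simple: an empty body hashes as CRLF
    return CRLF.join(lines) + CRLF                # exactly one trailing CRLF


def canon_header(name: str, value: str, mode: str) -> str:
    """One header field as it enters the signature hash (RFC 6376 3.4.1 / 3.4.2)."""
    if mode == "simple":
        return f"{name}:{value}{CRLF}"            # byte for byte, nothing touched
    if mode != "relaxed":
        raise ValueError(f"unknown header canonicalization: {mode}")
    unfolded = re.sub(r"\r\n(?=[ \t])", "", value)          # unfold continuation lines
    squeezed = re.sub(r"[ \t]+", " ", unfolded).strip(" ")  # one SP per WSP run, none at the ends
    return f"{name.lower()}:{squeezed}{CRLF}"


def body_hash(body: str, mode: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body)), as used by a=rsa-sha256."""
    digest = hashlib.sha256(canon_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def selector_record(domain, selector, pubkey_b64, notes="", sub_allowed=False,
                    testing=False, granularity="*"):
    """(owner name, TXT value) for the public key, from the DKIMSelectorx* settings.
    t=s is the 'no subdomains in i=' flag (DKIMSelectorxSub=Off), t=y is testing mode.
    g= is emitted only when it restricts something; it comes from RFC 4871 and RFC 6376
    verifiers ignore it, so do not rely on it for delegation."""
    flags = ("y" if testing else "") + ("s" if not sub_allowed else "")
    tags = ["v=DKIM1", "k=rsa", "h=sha256"]
    if flags:
        tags.append("t=" + ":".join(flags))
    if granularity != "*":
        tags.append("g=" + granularity)
    if notes:
        tags.append("n=" + notes)   # plain text; qp-encode ';' and '=' if the note needs them
    tags.append("p=" + pubkey_b64)
    return f"{selector}._domainkey.{domain}", "; ".join(tags)


# Constructed sample: the message as signed, and the same message after a relay
# appended trailing spaces and an extra blank line (a common "benign" modification).
ORIGINAL = "Hello Geoff,\r\n\r\nThe   report is attached.\r\n"
RELAYED = "Hello Geoff, \r\n\r\nThe   report is attached.  \r\n\r\n"

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        same = body_hash(ORIGINAL, mode) == body_hash(RELAYED, mode)
        print(f"{mode:8s} bh= unchanged after relay: {same}")
    print(canon_header("Subject", " Weekly\r\n  report  ", "relaxed"), end="")
    # the p= value is a placeholder, not a real key
    print(selector_record("mydomain.com", "general", "PLACEHOLDER-BASE64-KEY", notes="setup by Geoff"))
```

Run as a script it reports that the relayed message keeps the same bh= under relaxed canonicalization and gets a different one under simple, which is exactly the difference between a signature that survives the relay and one that fails. The selector_record output is what you publish at general._domainkey.mydomain.com; the h= tag there limits the key to SHA-256 signatures.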
SecureUseWindows
Hexamail can optionally use suitable certificates from the Windows certificates store
Off
SecureUseWindows=Off
SecureDecryptTagSubject
SecureDecryptTagSubject=Decrypted:
SecureDecryptTagHeader
SecureDecryptTagHeader=X-HXM-Decrypted: true
SecureVerify
Turn on or off all inbound email verification using this switch
bool
On/Off, True/False, Yes/No, 1/0
On
SecureVerify=On
SecureVerifyRulexEnable
Enable this rule
bool
On/Off, True/False, Yes/No, 1/0
on
SecureVerifyRule%dEnable=on
SecureVerifyRulexName
The name by which you wish to call this rule
text
SecureVerifyRulexSubjectMatches
Emails with subjects that match any of these wildcard/phrase/substring expressions will be verified. Leave blank to match all emails (equivalent to *)
text
SecureVerifyRulexContentMatches
The text and html content parts of the email are scanned for the content match expressions. The expressions are substrings and can include the wildcards * ('one or more of any character') and ? ('any single character')
text
SecureVerifyRulexFromMatches
Emails from any of these addresses will be verified. Leave blank to match all emails (equivalent to *)
text
SecureVerifyRule%dFromMatches=user1@mydomain.com
SecureVerifyRulexToMatches
Emails to any of these addresses will be verified. Leave blank to match all emails (equivalent to *)
text
SecureVerifyRule%dToMatches=customer1@customer.com
SecureVerifyRulexSubjectTag
Use this setting to have the subject tagged if an email matches the rule. For example, set it to [Some Tag]: <subject> and an email with the subject 'Sales enquiry' is re-titled [Some Tag]: Sales enquiry. <result> is replaced with the outcome of the verification.
text
SecureVerifyRule%dSubjectTag=Verified (<result>): <subject>
SecureVerifyRulexHeaderTag
Use this setting to have an extra header inserted into the email when it matches the rule. Give the header name here, including the trailing colon, and its value in the HeaderTagValue setting; for example X-MyTagHeader: here and TagValue there insert the header line X-MyTagHeader: TagValue. Use only a valid header field name (printable ASCII with no spaces or colon inside the name); otherwise the message may no longer be a well-formed Internet message and mail transfer agents further down the line may report errors or warnings. Header syntax is defined in IETF RFC 5322 (which obsoletes RFC 822 and RFC 2822) and, for MIME fields, RFC 2045. Because any sender can add a header with the same name, treat a tag on inbound email as trustworthy only if the gateway strips copies that arrived from outside.
text
SecureVerifyRule%dHeaderTag=X-HXM-Verified:
SecureVerifyRulexHeaderTagValue
The value of the extra header named in the HeaderTag setting. <result> is replaced with the outcome of the verification, so with the two example values the email gains an X-HXM-Verified: header carrying the result. Keep the value to a single line of printable ASCII so the header remains valid.
text
SecureVerifyRule%dHeaderTagValue=<result>
SecureVerifyRulexActionFail
Allows you to configure the action that happens if the email matching the rule could not be verified
select
Allow, Tag, Quarantine
Allow
SecureVerifyRule%dActionFail=Allow
SecureVerifyRulexAlertAdmin
Allows you to alert the administrator when a failure occurs
bool
On/Off, True/False, Yes/No, 1/0
Off
SecureVerifyRule%dAlertAdmin=Off
SecureVerifyRulexAction
Allows you to configure what happens if the rule is matched. You can either verify (On) or skip verification (Off)
bool
On/Off, True/False, Yes/No, 1/0
On
SecureVerifyRule%dAction=On
SecureVerifyActionFail
Allows you to configure the action that happens if the email could not be verified
select
Allow, Tag, Quarantine
Quarantine
SecureVerifyActionFail=Quarantine
SecureVerifyRulexPriority
Allows you to configure the precedence of this rule relative to the other verification rules
number
1
SecureVerifyRule%dPriority=1
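Worked example of how a rule set in this key style is evaluated, added here and not Hexamail's code: it parses SecureVerifyRule%d* lines, matches them against a message and returns the disposition. The same keys exist for the Sign, Encrypt and Decrypt rule sets, so the evaluator applies to those with the prefix changed. The page does not state the separator between several patterns in one Matches setting, whether a lower Priority number wins, or whether matching is case sensitive; this code assumes commas, lowest number first and case-insensitive matching, and the configuration fragment and messages are constructed.

```python
"""Added example (not Hexamail code): how a rule set written in the
SecureVerifyRule%d* key style is matched against a message. The same logic
applies to the Sign, Encrypt and Decrypt rule sets, which use identical keys.

Assumptions, since the page does not state them: several patterns in one
Matches setting are comma separated; a lower Priority number wins; '*' matches
zero or more characters; matching is case-insensitive.
"""
import fnmatch
import re
from typing import Dict, Optional, Tuple

Rule = Dict[str, str]
ON_VALUES = ("on", "true", "yes", "1")


def parse_rules(config_text: str, prefix: str = "SecureVerifyRule") -> Dict[int, Rule]:
    """Group '<prefix><N><Key>=<value>' lines into one dict per rule number N."""
    key_re = re.compile(rf"^{re.escape(prefix)}(\d+)([A-Za-z]+)=(.*)$")
    rules: Dict[int, Rule] = {}
    for line in config_text.splitlines():
        m = key_re.match(line.strip())
        if m:
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).strip()
    return rules


def is_on(value: str) -> bool:
    return value.strip().lower() in ON_VALUES


def matches(setting: str, value: str) -> bool:
    """Empty setting = match everything; else any pattern, as a '*'/'?' wildcard substring."""
    patterns = [p.strip().lower() for p in setting.split(",") if p.strip()]
    return not patterns or any(fnmatch.fnmatchcase(value.lower(), f"*{p}*") for p in patterns)


def first_matching_rule(rules: Dict[int, Rule], msg: Dict[str, str]) -> Optional[Tuple[int, Rule]]:
    """Enabled rules in precedence order; the first whose four match fields all hit wins."""
    enabled = [(int(r.get("Priority", "1")), n, r) for n, r in rules.items()
               if is_on(r.get("Enable", "on"))]
    for _, n, r in sorted(enabled):
        if (matches(r.get("SubjectMatches", ""), msg["subject"])
                and matches(r.get("FromMatches", ""), msg["from"])
                and matches(r.get("ToMatches", ""), msg["to"])
                and matches(r.get("ContentMatches", ""), msg["body"])):
            return n, r
    return None


def decide(rules, msg, verified, global_fail="Quarantine"):
    """Return (what happened, disposition, subject after tagging).
    verified: outcome of the S/MIME signature check; global_fail mirrors SecureVerifyActionFail."""
    hit = first_matching_rule(rules, msg)
    if hit is None:
        return ("verify", "Allow" if verified else global_fail, msg["subject"])
    n, r = hit
    if not is_on(r.get("Action", "On")):
        return ("skip", "Allow", msg["subject"])   # rule says: do not verify this email
    result = "pass" if verified else "fail"
    subject = (r["SubjectTag"].replace("<result>", result).replace("<subject>", msg["subject"])
               if r.get("SubjectTag") else msg["subject"])
    disposition = "Allow" if verified else r.get("ActionFail", global_fail)
    return ("verify", disposition, subject)


# Constructed configuration fragment in this page's key style.
SAMPLE_CONFIG = """
SecureVerifyRule1Enable=on
SecureVerifyRule1Name=Partner mail must verify
SecureVerifyRule1FromMatches=*@partner.com
SecureVerifyRule1SubjectTag=Verified (<result>): <subject>
SecureVerifyRule1ActionFail=Quarantine
SecureVerifyRule1Priority=2
SecureVerifyRule2Enable=on
SecureVerifyRule2Name=Skip newsletters
SecureVerifyRule2SubjectMatches=newsletter
SecureVerifyRule2Action=Off
SecureVerifyRule2Priority=1
"""
RULES = parse_rules(SAMPLE_CONFIG)

if __name__ == "__main__":
    invoice = {"from": "alice@partner.com", "to": "geoff@mydomain.com",
               "subject": "Invoice 42", "body": "see attached"}
    news = dict(invoice, subject="Weekly newsletter")
    print(decide(RULES, invoice, verified=False))   # ('verify', 'Quarantine', 'Verified (fail): Invoice 42')
    print(decide(RULES, news, verified=False))      # ('skip', 'Allow', 'Weekly newsletter')
```

The point to check in your own rule set is the ordering: the newsletter rule has the lower priority number, so it wins over the partner rule for a partner newsletter and verification is skipped, which is what the first line of the sample configuration asks for and possibly not what you intended. A rule whose Matches fields are all blank matches everything and, if it has the lowest number, silently shadows every rule below it.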
SecureAllowExpiredCerts
You can allow use of expired certificates with this switch. An expired certificate still holds a working key pair, but its issuer no longer vouches for it and revocation information is usually no longer published for it, so accepting it means a signature made with a long-retired key still verifies as good. Leave this Off unless you have a specific interoperability need, and review the default of On when you first deploy.
bool
On/Off, True/False, Yes/No, 1/0
On
SecureAllowExpiredCerts=On
SecureSign
Turn on or off all outbound email signing using this switch
bool
On/Off, True/False, Yes/No, 1/0
On
SecureSign=On
SecureSignRulexEnable
Enable this rule
bool
On/Off, True/False, Yes/No, 1/0
on
SecureSignRule%dEnable=on
SecureSignRulexName
The name by which you wish to call this rule
text
SecureSignRulexSubjectMatches
Emails with subjects that match any of these wildcard/phrase/substring expressions will be signed. Leave blank to match all emails (equivalent to *)
text
SecureSignRulexContentMatches
The text and html content parts of the email are scanned for the content match expressions. The expressions are substrings and can include the wildcards * ('one or more of any character') and ? ('any single character')
text
SecureSignRulexFromMatches
Emails from any of these addresses will be signed. Leave blank to match all emails (equivalent to *)
text
SecureSignRule%dFromMatches=user1@mydomain.com
SecureSignRulexToMatches
Emails to any of these addresses will be signed. Leave blank to match all emails (equivalent to *)
text
SecureSignRule%dToMatches=customer1@customer.com
SecureSignRulexSubjectTag
Use this setting to have the subject tagged if an email matches the rule. For example, set it to [Some Tag]: <subject> and an email with the subject 'Sales enquiry' is re-titled [Some Tag]: Sales enquiry. <result> is replaced with the outcome of signing.
text
SecureSignRule%dSubjectTag=Signed (<result>): <subject>
SecureSignRulexHeaderTag
Use this setting to have an extra header inserted into the email when it matches the rule. Give the header name here, including the trailing colon, and its value in the HeaderTagValue setting; for example X-MyTagHeader: here and TagValue there insert the header line X-MyTagHeader: TagValue. Use only a valid header field name (printable ASCII with no spaces or colon inside the name); otherwise the message may no longer be a well-formed Internet message and mail transfer agents further down the line may report errors or warnings. Header syntax is defined in IETF RFC 5322 (which obsoletes RFC 822 and RFC 2822) and, for MIME fields, RFC 2045.
text
SecureSignRule%dHeaderTag=X-HXM-Signed:
SecureSignRulexHeaderTagValue
The value of the extra header named in the HeaderTag setting. <result> is replaced with the outcome of signing, so with the two example values the email gains an X-HXM-Signed: header carrying the result. Keep the value to a single line of printable ASCII so the header remains valid.
text
SecureSignRule%dHeaderTagValue=<result>
SecureSignRulexActionFail
Allows you to configure the action that happens if the email matching the rule could not be signed
select
Allow, Tag, Quarantine
Allow
SecureSignRule%dActionFail=Allow
SecureSignRulexAlertAdmin
Allows you to alert the administrator when a failure occurs
bool
On/Off, True/False, Yes/No, 1/0
Off
SecureSignRule%dAlertAdmin=Off
SecureSignRulexAction
Allows you to configure the action that happens if the rule is matched. You can either sign or skip signing
bool
On/Off, True/False, Yes/No, 1/0
On
SecureSignRule%dAction=On
SecureSignActionFail
Allows you to configure the action that happens if the email could not be signed
select
Allow, Tag, Quarantine
Allow
SecureSignActionFail=Allow
SecureSignRulexPriority
Allows you to configure the precedence of this rule relative to the other signing rules
number
1
SecureSignRule%dPriority=1
SecureEncrypt
Turn on or off all outbound email encryption using this switch
bool
On/Off, True/False, Yes/No, 1/0
On
SecureEncrypt=On
SecureEncryptRulexEnable
Enable this rule
bool
On/Off, True/False, Yes/No, 1/0
on
SecureEncryptRule%dEnable=on
SecureEncryptRulexName
The name by which you wish to call this rule
text
SecureEncryptRulexSubjectMatches
Emails with subjects that match any of these wildcard/phrase/substring expressions will be encrypted. Leave blank to match all emails (equivalent to *)
text
SecureEncryptRulexContentMatches
The text and html content parts of the email are scanned for the content match expressions. The expressions are substrings and can include the wildcards * ('one or more of any character') and ? ('any single character')
text
SecureEncryptRulexFromMatches
Emails from any of these addresses will be encrypted. Leave blank to match all emails (equivalent to *)
text
SecureEncryptRule%dFromMatches=user1@mydomain.com
SecureEncryptRulexToMatches
Emails to any of these addresses will be encrypted. Leave blank to match all emails (equivalent to *)
text
SecureEncryptRule%dToMatches=customer1@customer.com
SecureEncryptRulexSubjectTag
Use this setting to have the subject tagged if an email matches the rule. For example, set it to [Some Tag]: <subject> and an email with the subject 'Sales enquiry' is re-titled [Some Tag]: Sales enquiry. <result> is replaced with the outcome of encryption. Remember that the subject travels outside the encrypted part, so the tag, like the rest of the subject, is visible in transit.
text
SecureEncryptRule%dSubjectTag=Encrypted (<result>): <subject>
SecureEncryptRulexHeaderTag
Use this setting to have an extra header inserted into the email when it matches the rule. Give the header name here, including the trailing colon, and its value in the HeaderTagValue setting; for example X-MyTagHeader: here and TagValue there insert the header line X-MyTagHeader: TagValue. Use only a valid header field name (printable ASCII with no spaces or colon inside the name); otherwise the message may no longer be a well-formed Internet message and mail transfer agents further down the line may report errors or warnings. Header syntax is defined in IETF RFC 5322 (which obsoletes RFC 822 and RFC 2822) and, for MIME fields, RFC 2045.
text
SecureEncryptRule%dHeaderTag=X-HXM-Encrypted:
SecureEncryptRulexHeaderTagValue
The value of the extra header named in the HeaderTag setting. <result> is replaced with the outcome of encryption, so with the two example values the email gains an X-HXM-Encrypted: header carrying the result. Keep the value to a single line of printable ASCII so the header remains valid.
text
SecureEncryptRule%dHeaderTagValue=<result>
SecureEncryptRulexActionFail
Allows you to configure the action that happens if the email matching the rule could not be encrypted
select
Allow, Tag, Quarantine
Allow
SecureEncryptRule%dActionFail=Allow
SecureEncryptRulexAlertAdmin
Allows you to alert the administrator when a failure occurs
bool
On/Off, True/False, Yes/No, 1/0
Off
SecureEncryptRule%dAlertAdmin=Off
SecureEncryptRulexAction
Allows you to configure the action that happens if the rule is matched. You can either encrypt or skip encryption
bool
On/Off, True/False, Yes/No, 1/0
On
SecureEncryptRule%dAction=On
SecureEncryptRulexPriority
Allows you to configure the precedence of this rule relative to the other encryption rules
number
1
SecureEncryptRule%dPriority=1
SecureEncryptActionFail
Allows you to configure the action that happens if the email could not be encrypted
select
Allow, Tag, Quarantine
Quarantine
SecureEncryptActionFail=Quarantine
SecureEncryptIncludeMeta
Enable this to include copies of the header fields that are normally sent unencrypted (Date, From, To and Subject) inside the encrypted part of the email as well. The outer copies of these fields remain readable by anyone on the delivery path; S/MIME protects the body and attachments, so a sensitive subject line is exposed in transit either way unless senders keep subjects generic.
bool
On/Off, True/False, Yes/No, 1/0
On
SecureEncryptIncludeMeta=On
SecureEncryptAlgorithm
This sets the default content-encryption algorithm used for S/MIME email encryption (see https://tools.ietf.org/html/rfc3851#page-12). The default, RSA_DES_EDE3_CBC, is triple DES in CBC mode with RSA key transport, the algorithm RFC 3851 required. RFC 3851 has since been obsoleted by RFC 5751 and RFC 8551, which require AES-128 CBC and relegate 3DES to legacy status: 3DES gives about 112 bits of security and has a 64-bit block size. Prefer an AES setting if your recipients' clients support it, which current mainstream clients do, and test with a recipient before changing the default.
text
RSA_DES_EDE3_CBC
SecureEncryptAlgorithm=RSA_DES_EDE3_CBC
SecureSignHashAlgorithm
This sets the default digest algorithm used for S/MIME signatures (see https://tools.ietf.org/html/rfc3851#page-5). OIWSEC_sha1 is SHA-1; the note that Thunderbird needs it to recognize signatures refers to old versions, and Thunderbird has verified SHA-256 signatures for many years. SHA-1 is no longer collision resistant and RFC 8551 requires SHA-256, so use a SHA-2 digest unless you must interoperate with a client that cannot verify it, and test with that client before changing the default.
text
OIWSEC_sha1
SecureSignHashAlgorithm=OIWSEC_sha1
SecureDecrypt
Turn on or off all inbound email decryption using this switch
bool
On/Off, True/False, Yes/No, 1/0
On
SecureDecrypt=On
SecureDecryptRulexEnable
Enable this rule
bool
On/Off, True/False, Yes/No, 1/0
on
SecureDecryptRule%dEnable=on
SecureDecryptRulexName
The name by which you wish to call this rule
text
SecureDecryptRulexSubjectMatches
Emails with subjects that match any of these wildcard/phrase/substring expressions will be decrypted. Leave blank to match all emails (equivalent to *)
text
SecureDecryptRulexContentMatches
The text and html content parts of the email are scanned for the content match expressions. The expressions are substrings and can include the wildcards * ('one or more of any character') and ? ('any single character')
text
SecureDecryptRulexFromMatches
Emails from any of these addresses will be decrypted. Leave blank to match all emails (equivalent to *)
text
SecureDecryptRule%dFromMatches=user1@mydomain.com
SecureDecryptRulexToMatches
Emails to any of these addresses will be decrypted. Leave blank to match all emails (equivalent to *)
text
SecureDecryptRule%dToMatches=customer1@customer.com
SecureDecryptRulexSubjectTag
Use this setting to have the subject tagged if an email matches the rule. For example, set it to [Some Tag]: <subject> and an email with the subject 'Sales enquiry' is re-titled [Some Tag]: Sales enquiry. <result> is replaced with the outcome of decryption.
text
SecureDecryptRule%dSubjectTag=Decrypted (<result>): <subject>
SecureDecryptRulexHeaderTag
Use this setting to have an extra header inserted into the email when it matches the rule. Give the header name here, including the trailing colon, and its value in the HeaderTagValue setting; for example X-MyTagHeader: here and TagValue there insert the header line X-MyTagHeader: TagValue. Use only a valid header field name (printable ASCII with no spaces or colon inside the name); otherwise the message may no longer be a well-formed Internet message and mail transfer agents further down the line may report errors or warnings. Header syntax is defined in IETF RFC 5322 (which obsoletes RFC 822 and RFC 2822) and, for MIME fields, RFC 2045. Because any sender can add a header with the same name, treat a tag on inbound email as trustworthy only if the gateway strips copies that arrived from outside.
text
SecureDecryptRule%dHeaderTag=X-HXM-Decrypted:
SecureDecryptRulexHeaderTagValue
The value of the extra header named in the HeaderTag setting. <result> is replaced with the outcome of decryption, so with the two example values the email gains an X-HXM-Decrypted: header carrying the result. Keep the value to a single line of printable ASCII so the header remains valid.
text
SecureDecryptRule%dHeaderTagValue=<result>
SecureDecryptRulexActionFail
Allows you to configure the action that happens if the email matching the rule could not be decrypted
select
Allow, Tag, Quarantine
Allow
SecureDecryptRule%dActionFail=Allow
SecureDecryptRulexAlertAdmin
Allows you to alert the administrator when a failure occurs
bool
On/Off, True/False, Yes/No, 1/0
Off
SecureDecryptRule%dAlertAdmin=Off
SecureDecryptRulexAction
Allows you to configure the action that happens if the rule is matched. You can either decrypt or skip decryption
bool
On/Off, True/False, Yes/No, 1/0
On
SecureDecryptRule%dAction=On
SecureDecryptRulexPriority
Allows you to configure the precedence of this rule relative to the other decryption rules
number
1
SecureDecryptRule%dPriority=1
SecureDecryptActionFail
Allows you to configure the action that happens if the email could not be decrypted
select
Allow, Tag, Quarantine
Quarantine
SecureDecryptActionFail=Quarantine
StoreMax
This setting allows automatic removal of old email when the maximum number to store is exceeded.
number
250 - 250000 email
75000 email
StoreMax=75000
StoreCache
This sets the maximum amount of memory used to cache email in the quarantine, sent and error stores. NOTE if you change this setting you will need to press APPLY and then stop and start the service.
number
1 - 1024 mbytes
132 mbytes
StoreCache=132
StoreReap
This setting allows automatic deletion of email when it has been in the store for longer than the specified number of days
bool
On/Off, True/False, Yes/No, 1/0
off
StoreReap=off
StoreReapAgeDays
Automatically delete email older than the specified number of days
number
1 - 365 Days
30 Days
StoreReapAgeDays=4
StorePurgeAgeDays
Automatically purge deleted email older than the specified number of days
number
1 - 120 Days
15 Days
StorePurgeAgeDays=4
StoreNormalizedSubjects
Show automatically normalized subject lines. Only applies to the spam email store
bool
On/Off, True/False, Yes/No, 1/0
On
StoreNormalizedSubjects=On
ErrorStoreMax
This setting allows automatic removal of old email when the maximum number to store is exceeded.
number
250 - 100000 email
20000 email
ErrorStoreMax=20000
ErrorStoreReap
This setting allows automatic deletion of email when it has been in the store for longer than the specified number of days
bool
On/Off, True/False, Yes/No, 1/0
on
ErrorStoreReap=on
ErrorStoreReapAgeDays
Automatically delete email older than the specified number of days
number
1 - 200 Days
30 Days
ErrorStoreReapAgeDays=4
ErrorStorePurgeAgeDays
Automatically purge deleted email older than the specified number of days
number
1 - 120 Days
15 Days
ErrorStorePurgeAgeDays=4
SecureDiagCopy
Store an original copy of every email that is processed for signing or encryption. This is useful when diagnosing a problem, but the store then holds the plaintext of email you went to the trouble of encrypting; keep it Off in normal operation, restrict access to the store while it is On, and delete the copies once the diagnosis is done.
bool
On/Off, True/False, Yes/No, 1/0
Off
SecureDiagCopy=Off