Email: we may love it, hate it, or fall somewhere in between, but we all know it. The opaque system of servers, addresses, and distribution groups enables the familiar game of corporate tag on which so much of our life depends. I can’t tell you how many tickets I’ve dealt with concerning email: some have it and can’t access it, others need it and don’t have it yet. Some have lost emails they need to find, and others have emails they are unsure if they need to lose. I’ve traversed spam filters and message traces, pored over headers and message IDs till my eyes water, and configured enough email clients to last a lifetime. But, for every email ticket I do that I’ve done before, I do a couple that are new.
Information technology is constantly changing and evolving, especially in security. Email infrastructure is no exception. Those whose livelihoods involve assessing cyber threats estimate that 90% or more of hacks begin with successful phishing emails. That’s why email authentication, which is how emails prove that they have not been spoofed or tampered with, is so important. DMARC and DKIM are difficult-to-pronounce (and type) acronyms that mean “methods of making your emails more secure.”
However, cyber security is not the only concern with email. DMARC and DKIM could also be described as making your emails more trustworthy: when you send mail to other companies, your emails have a better reputation and are more likely to be delivered without being blocked, quarantined, or marked as spam.
Let me back up a moment: any salesperson can reel off the benefits of a product without giving you any real ground to stand on concerning what it does. DKIM stands for DomainKeys Identified Mail, while DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Fully aware that that may not have made anything clearer, let me explain.
DomainKeys Identified Mail (or DKIM) is very straightforward. When it is set up for your domain, your mail server “locks” a version of the email and stores it in a corner of the email itself. The receiving email server uses a public key that your server makes available on the Internet to unlock that box and check that the version of the email it received matches the version locked by your server. If it does, the email has not been changed or tampered with. If it does not, the server knows that the email wasn’t sent by your server or was compromised, which can lead to the email being blocked or quarantined.
Domain-based Message Authentication, Reporting, and Conformance (or DMARC) allows your domain to tell receiving servers how to handle mail that claims to come from you: they check whether an email passes DKIM, check whether it passes SPF (another method of email authentication), and combine the results into a single decision of whether to reject or quarantine non-compliant emails. It also has them send all the information to a specific “reporting address” where you can consolidate reports to see exactly where and how email is failing for your domain. DMARC is a powerful tool, not only for improving the deliverability of your emails but also for giving you visibility into how you can continue to make improvements.
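The "does the received version match the locked version" check, shown for the message body only, as an added example that is not from the original article. It follows the body canonicalization rules of RFC 6376; the domain, selector and message are constructed, and the second half of real verification (checking the `b=` signature over the headers with the published public key) is left out.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def canonicalize_body(body, mode):
    """'simple' or 'relaxed' body canonicalization from RFC 6376, section 3.4."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash_ok(dkim_signature, body):
    """True when the bh= tag equals the hash of the body as it was received."""
    tags = parse_tags(dkim_signature)
    if not tags.get("a", "").endswith("-sha256"):  # SHA-1 signatures are obsolete
        return False
    # c= is "header/body"; a missing body part means "simple".
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode() == tags.get("bh")

def key_record_name(dkim_signature):
    """DNS name of the TXT record that holds the signer's public key."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

# Constructed sample: domain, selector and body are made up; b= is left empty.
SENT = b"Invoice attached.\r\nPay to account 1234.\r\n"
BH = base64.b64encode(hashlib.sha256(SENT).digest()).decode()
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
       f" h=from:to:subject; bh={BH}; b=")
RECEIVED = b"Invoice attached.  \r\nPay to account 1234.\r\n\r\n"  # whitespace changed in transit

if __name__ == "__main__":
    print(key_record_name(SIG), body_hash_ok(SIG, RECEIVED))
    print(body_hash_ok(SIG, RECEIVED.replace(b"1234", b"9999")))
```

Relaxed canonicalization tolerates the whitespace a relay added, while a changed account number breaks the hash.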
To set up DKIM for your domain, I won’t bore you with my attempt at a guide. The process is different depending on your email provider, but it almost always involves two parts:
If you use Microsoft 365 for email, you can find a step-by-step guide here. If you use Google Workspace, the guide can be found here. If you have an on-premises Exchange server, you may have to jump through a few extra hoops using a third-party plugin to sign outgoing mail. For other email providers, the specific methods differ, but the concepts are the same: one key to lock the emails, another published to your domain so that email servers can unlock them.
Setting up DMARC requires a DNS record containing your DMARC policy (what you do with mail depending on how it passes SPF and DKIM) published to your domain, with the prerequisite that you have SPF and DKIM both functional already. You may also benefit from using a service like EasyDMARC, which consolidates and clarifies the reports sent by your new DMARC policy, making it much easier to take action on deliverability issues.
This may sound like more trouble than it’s worth, and ten years ago, I would have agreed with you. But times change quickly in IT, and the field is constantly being pushed forward by corporations like Microsoft and Google, which continue to set higher and higher standards for security. I was working recently with a client who couldn’t email more than one or two Gmail users at once. I thought this was odd because his email was hosted through 365, so Microsoft should be taking care of most of his issues.
However, as I researched the problem, I found that countless other individuals were reporting the same thing with no solution offered by Microsoft. I reluctantly instructed my client to put in a ticket with Microsoft. There was nothing more I could do. Then, a couple of days later, I noticed an alert from Microsoft on several of the tenants we manage, letting us know that since September 19, domains in Microsoft 365 may have issues sending to multiple recipients at once.
There was one exception, though. Microsoft stated (and I quote), “If your sending domain is configured with email authentication records like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) in Domain Name System (DNS)… you’re not impacted and your organization requires no action.”
You never know what new glitch might lie around the corner in the world of electronic mail, but configuring DMARC and DKIM for your domain will go a long way toward making sure that your emails stay high, dry, and untouched by the grubby fingers of spam filters or the rejection notices of adamantine Gmail servers.