DKIM, DMARC and email delivery

The methods used to secure email delivery have improved significantly over the last few years in order to combat the growing impact of email scams. It is now very important that your email security configuration is up to date, to ensure the highest possible delivery rate into your customers’ inboxes.
DKIM and DMARC for email deliverability

DKIM stands for DomainKeys Identified Mail. It is aimed at ensuring that only authorised senders and unmodified emails are delivered to email inboxes, by digitally signing your emails with a private key to which only authorised senders have access. Upon receiving the message, the recipient’s email gateway looks up the matching public key in a DNS record on your domain, verifies the signature with it, and so confirms that the signed email content hasn’t been altered in transit. ‘DomainKeys’ refers to a pair of cryptographic keys – a public key published in DNS which works together with a private key known only to authorised senders. You can read more about DKIM here: dkim.org

DKIM works hand in hand with DMARC. DMARC stands for Domain-based Message Authentication, Reporting and Conformance, and comprises a record on your domain which works alongside your digitally signed emails to give email gateways a method of informing you when problematic emails, with your domain as the sender, have arrived at their gateway. The DMARC record gives you the ability not only to be informed when something phishy is going out allegedly from your email address, but also to tell email gateways to drop (delete) the email without delivering it. You can read much more about DMARC here: dmarc.org
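The “unaltered content” half of DKIM verification is the body hash: the signer hashes the canonicalised message body and places the result in the `bh=` tag of the DKIM-Signature header, and the receiving gateway recomputes it and compares. The following is an added example, not code from the original post or from any DKIM library, that implements this check using only the Python standard library. It performs RFC 6376 “simple” body canonicalisation and the `bh=` comparison; the `b=` signature over the headers is not verified here because the standard library has no RSA implementation, so the `b=` value in the constructed message is a labelled placeholder. The domain, selector and message content are constructed sample values.

```python
import base64
import hashlib
import re


def simple_body_canonicalize(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalisation: CRLF line endings,
    all trailing empty lines removed, and exactly one CRLF at the end."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]          # drop trailing empty lines one at a time
    if not text.endswith("\r\n"):
        text += "\r\n"            # an empty body canonicalises to a single CRLF
    return text.encode("utf-8")


def body_hash(body: str) -> str:
    """The value a signer places in the bh= tag: base64(SHA-256(canonical body))."""
    digest = hashlib.sha256(simple_body_canonicalize(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def split_message(raw: str):
    """Split a raw message into its header block and body at the first blank line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body


def dkim_tags(header_value: str) -> dict:
    """Parse the 'tag=value; tag=value' list of a DKIM-Signature header.
    Whitespace inside values is insignificant and is removed (RFC 6376 §3.2)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(raw_message: str) -> bool:
    """Return True if the bh= tag matches the body actually received."""
    head, body = split_message(raw_message)
    # Unfold header continuation lines (lines starting with whitespace).
    unfolded = re.sub(r"\n[ \t]+", " ", head)
    for line in unfolded.split("\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = dkim_tags(line.split(":", 1)[1])
            return tags.get("bh") == body_hash(body)
    return False  # no DKIM-Signature header at all


def make_signed_message(body: str) -> str:
    """Constructed sample message whose bh= tag is computed from its body.
    The b= value is a placeholder: no RSA signing is performed here."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
        "  s=mail2024; h=from:to:subject; bh=" + body_hash(body) + ";\n"
        "  b=SIGNATURE-PLACEHOLDER\n"
        "From: news@example.com\n"
        "To: customer@example.net\n"
        "Subject: Your invoice\n"
        "\n" + body
    )


if __name__ == "__main__":
    original = make_signed_message("Hello customer,\nYour invoice is attached.\n")
    print("original body hash ok:", verify_body_hash(original))
    tampered = original.replace("Your invoice is attached.",
                                "Please pay to this new account.")
    print("tampered body hash ok:", verify_body_hash(tampered))
```

A gateway that finds the body hash mismatching treats the DKIM check as failed and feeds that result into the DMARC policy evaluation described below; the signature over the headers (`b=`) additionally protects the From, To and Subject fields named in the `h=` tag.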

Implementing DKIM and DMARC involves the following steps:

  1. Generate a DKIM key pair – this can be performed using a service such as DKIMcore.org
  2. Generate a DMARC record – this can be performed using a generator such as those promoted on the dmarc.org website. Initially you should configure your DMARC record such that all emails are passed through, no matter whether they are from an authorised sender… more about this in a moment. One of the DMARC settings is an email address to which all reports about the sending activity of your domain are sent. You will likely receive lots of emails to this email address, so choose this wisely.
  3. Add a TXT record for your DKIM Public Key to the DNS of your domain. You may need to ask your web host for help to add the record.
  4. Add a TXT record for your DMARC to the DNS of your domain. You may need to ask your web host for help to add the record.
  5. Ensure that all mail gateways, email services providers (such as Enudge) and SaaS platforms that send out email on your behalf are configured with your private key, to be used to digitally sign your emails as they are sent out.
  6. Test that all emails sent out by you and other parties pass the DKIM and DMARC tests. You can test your emails using a service such as www.mail-tester.com
  7. Monitor the DMARC reports sent to you, in order to ensure that all valid emails are being digitally signed. You will want to monitor for some weeks or months, to give it enough time to observe every service sending on your behalf. Ultimately you will want to quarantine, and then drop, unsigned emails, but only once you are sure that all authorised emails are correctly signed.
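Steps 3, 4 and 7 above are where most roll-outs go wrong: a DKIM record with an empty key, a DMARC record with no reporting address, or a policy tightened before every legitimate sender is signing. The following is an added example, not code from the original post, that checks the two TXT records and summarises a DMARC aggregate (rua) report in the XML format receivers send under RFC 7489. The report below is constructed sample data (the IP addresses are documentation ranges), and the rule in `safe_to_tighten` is one reasonable reading of step 7, not a standard.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def parse_tag_value(txt: str) -> dict:
    """Parse a DKIM or DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim_record(txt: str) -> list:
    """Problems with a DKIM public-key TXT record (empty list means it looks OK)."""
    tags, problems = parse_tag_value(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional but must be DKIM1
        problems.append("v must be DKIM1")
    if tags.get("k", "rsa") not in {"rsa", "ed25519"}:
        problems.append("unsupported key type " + tags["k"])
    if not tags.get("p"):                       # an empty p= revokes the selector
        problems.append("p (public key) is empty, which revokes this selector")
    return problems


def check_dmarc_record(txt: str) -> list:
    """Problems with a DMARC TXT record (empty list means it looks OK)."""
    tags, problems = parse_tag_value(txt), []
    if not txt.strip().startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    if tags.get("p") not in {"none", "quarantine", "reject"}:
        problems.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        problems.append("no rua= address: you will receive no aggregate reports")
    elif not tags["rua"].startswith("mailto:"):
        problems.append("rua must be a mailto: URI")
    return problems


def summarize_aggregate_report(xml_text: str) -> dict:
    """Per source IP, count messages that passed or failed DKIM under the policy
    as evaluated by the reporting receiver."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0})
    for record in ET.fromstring(xml_text).iter("record"):
        ip = record.findtext("row/source_ip")
        count = int(record.findtext("row/count"))
        dkim = record.findtext("row/policy_evaluated/dkim")
        summary[ip]["pass" if dkim == "pass" else "fail"] += count
    return dict(summary)


def safe_to_tighten(summary: dict, authorised_ips: set) -> bool:
    """Step 7 decision rule (an assumption, not a standard): only move from
    p=none towards quarantine/reject once every authorised sender appears in
    the reports and none of its mail failed DKIM."""
    return all(ip in summary and summary[ip]["fail"] == 0 for ip in authorised_ips)


# Constructed sample aggregate report: one sender signing correctly, one
# authorised sender not yet signing, and one unknown source spoofing the domain.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""


if __name__ == "__main__":
    print(check_dkim_record("v=DKIM1; k=rsa; p="))
    print(check_dmarc_record("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"))
    totals = summarize_aggregate_report(SAMPLE_REPORT)
    for ip, counts in totals.items():
        print(ip, counts)
    # 192.0.2.20 is one of our services but is not signing yet, so stay on p=none.
    print("safe to tighten:", safe_to_tighten(totals, {"192.0.2.10", "192.0.2.20"}))
```

In the sample, the unknown source 203.0.113.77 failing both checks is exactly the traffic a quarantine or reject policy would stop, while 192.0.2.20 is the case step 7 warns about: an authorised service that would have its mail dropped if the policy were tightened before it was configured with the private key.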

If you would like our assistance to arrange DKIM keys, and to set up your web server and other senders to use DKIM, please don’t hesitate to get in contact.
