What is DKIM and DMARC (and why you need it)

Once upon a time, we could simply say that email security was a growing concern.

Unfortunately, today we have to acknowledge it as an everyday concern that creates an urgent need to keep ahead of cyberattacks, phishing scams, and other email vulnerabilities to protect individuals and businesses.

Thankfully, a number of improved authentication protocols can strengthen your email practices to help protect you from malicious emails. What’s more, they can protect both the receiver and the sender.

Sender policy framework (SPF)

Every email you send includes a text file that serves as a “return address” for that email and details the IP addresses and servers used to send it. This is called the domain name system (DNS) record. One method that spammers and phishing emails employ is “spoofing” an email address. In a spoofing email,  the “From” line in an incoming email claims to be from a trusted or reliable source but, in fact, comes from a different source.

A sender policy framework (SFP) is a validation protocol that detects and blocks email spoofing by comparing the IP address the email came from (in the DNS record) with the IP address listed in the SPF record to confirm a match. If they match, then SPF authentication is confirmed and the message is delivered.

DomainKeys identified mail (DKIM)

To make sure that no information has been altered while an email is in transit, senders can use DomainKeys Identified Mail (DKIM) to add another layer of email security. Use of DKIM is meant to foster a growing trust between the sending and receiving servers.

A DKIM adds a new domain name identifier to the email, separate from any of the other identifiers. This new information is encrypted with a public key and private key. The public key is sent within the DNS record and stored on the sender’s email server, and the private key is kept on the sender’s computer.

The information sent in the public key is compared to the decrypted private key and can determine if the email headers have been altered during either transmission or reception.

Domain-based Message Authentication Reporting and Conformance (DMARC)

Domain-based Message Authentication Reporting and Conformance (DMARC) is another layer of authentication that requires both SPF and DKIM to verify that an email was truthfully sent by the owner of the “Friendly-From” domain that appears in the user’s DNS report. For this to happen, both SPF and DKIM must pass, and at least one of them must be aligned.

If both SPF and DKIM pass, that shows the email is coming from an authorized server and that the header information has not been altered. For aligning, one of the two authentication protocols must show that the sender owns the DNS field “Friendly-From” and confirms who they say they are.

For the aligning SPF, the “From” domain and its “Return-Path” domain must match. In the case of aligning DKIM, the email’s “From” domain and DKIM d= should match.

When the DMARC fails, the receiving computer can choose one of three actions: 1) receive all email from that domain as-is, 2) accept the email but place it somewhere other than the Inbox (such as a spam folder), or 3) reject it completely.

Threat prevention and building trust

Why are these authentication protocols so important?

Many businesses rely on the ability to send bulk emails in order to better serve their customers. Some bulk emails can contain important service updates, recall notices, upgrade notifications, and other crucial business information. Other emails are sent by legitimate marketers trying to reach their customer base with valuable offers and sales information.

With the daily risk of phishing scams and spam emails, many businesses tend to adopt an overprotective email stance. This approach can lead to important, legitimate email being redirected to spam folders or rejected altogether.

Google, Microsoft, and other services are adopting these authentication protocols in their filtering methods, which will go far in strengthening safe and secure email. Using SPF, DKIM and DMARC authentication shows internet service providers and your clients that you are serious about maintaining security and mutual trust.

Setting up the files for these protocols requires a little technical knowledge and involves logging into your domain registrar to configure the DNS settings. A qualified IT support team or managed service provider should be able to help you with this.