Navigating Email Authentication: DKIM and DMARC Explained

Despite the rise of new digital marketing channels, emails remain a powerful, cost-effective marketing strategy that enable businesses to connect with their customers and prospects. The first step to guarantee the success of your email marketing is to ensure seamless email deliverability.

Two email authentication protocols you can use to ensure your emails reach the inbox of your targets are DKIM and DMARC. What are DKIM and DMARC, and why are they essential? Make sure you keep reading!

First, What Is Email Authentication?

Let's say that you receive an email from your bank claiming that there has been suspicious activity on your account, and they ask you to click on a link to verify your information. The email contains the bank’s logo and email format, appearing to protect you from cybercriminals, and includes urgent language to create a sense of urgency.

Some emails look good – when in reality, they are dangerous. Email authentication is a method used to verify the authenticity and integrity of email messages. By implementing email authentication protocols, the likelihood of successfully detecting and mitigating email-based threats, like phishing attempts, would increase.

In the scenario above, if the email fails any authentication checks in place, it would raise red flags for both the email service provider (e.g., Microsoft Outlook, Gmail) and the recipient, helping to prevent potential harm or unauthorized access to personal information.

As a marketer, it is important to understand how email filtering algorithms work and to properly set up DNS (Domain Name System) records to prevent emails from being marked as spam and increase their deliverability rate.

Think about it - if your emails get flagged as spam or phishing messages, they will likely end up not being opened or read. Implementing email authentication protocols can enhance email security, reduce the risk of email impersonation, and provide better protection against phishing attacks.

Two of the commonly used authentication protocols today are DKIM and DMARC. In simple terms, the purpose of DKIM and DMARC is to verify that a sender is authorized to send emails on their domain's behalf and verify the authenticity of email messages.

What Is DKIM?

DKIM, or DomainKeys Identified Mail, is a method that allows the sender of an email to digitally sign the message using cryptographic techniques. In the same way that the signature on a check helps confirm who wrote it, the DKIM signature is added to the email header, and the receiving end’s mail server can check it to verify the email’s legitimacy.

The DKIM signature assures that the email was not tampered with during transit and genuinely came from the stated domain. By validating the DKIM signature, the recipient can determine if the email is authentic and from a trusted source. If the DKIM signature was used, the message is considered legitimate, and the receiving mail server gives it a PASS and lets it in the recipient’s inbox.

Here's a simplified overview of how DKIM works:

1. Sender Domain Setup - The sender's domain sets up DKIM by generating a pair of cryptographic keys - a private key and a corresponding public key.
2. Message Signing - When an email is sent from the sender's domain, the sender's email server uses the private key to generate a unique cryptographic signature for that specific email.
3. DNS Record Publishing - The sender's domain publishes the public key in its DNS records, which allows the recipient's mail server to retrieve the public key when verifying the DKIM signature.
4. Email Transmission - The email, including the DKIM signature, is sent to the recipient.
5. DKIM Verification - The recipient's email server receives the email and retrieves the public key from the DNS records of the original sender using the domain extracted from the email headers.
6. Signature Verification - The recipient's email server uses the public key to decrypt and verify the DKIM signature attached to the email. It validates if the generated signature matches the DKIM signature, which means the email is authentic and has not been altered during transit.
7. Authentication Result - If the private key is valid, the mail server lets the email in the inbox. Otherwise, the message is considered suspicious, and the receiving mail server gives it a FAIL, rejecting or sending the email to the spam folder.
   
   

DKIM helps combat email spoofing and tampering, providing a mechanism to verify that an email is legitimately sent by the claimed sender domain and that email content is original and unaltered. It enhances email security, reduces the risk of phishing, and keeps you away from spam folders by establishing your sender reputation.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds upon DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework). In other words, for DMARC to work, it requires either an SPF or a DKIM record or both of them to be set.

DMARC lets domain owners specify policies for how incoming emails that originate from their domain should be handled by the recipient's mail servers. DMARC helps combat email spoofing by providing a framework for email senders to authenticate their messages using DKIM and SPF and instruct the recipient's mail server on what should happen to emails if they fail authentication.

DMARC policies can be set to three different levels:

1. "None" - The DMARC policy is set to "none" when the sender is initially deploying DMARC and indicates that the sender is in monitoring mode. In this case, the email messages are treated the same as if no DMARC was set up. The sender receives reports on email authentication failures without specifying any strict actions to be taken based on the results.
2. "Quarantine" - The DMARC policy is set to "quarantine" for suspicious emails that fail authentication. Usually, the recipient's mail server chooses to deliver the email to the recipient's spam or junk folder.
3. "Reject" - The DMARC policy is set to "reject" for emails that fail authentication. In this case, the recipient's mail server is instructed to reject the email that failed authentication right away, preventing it from reaching the recipient's inbox.
   
   

DMARC helps prevent email spoofing, phishing attacks, and domain abuse by allowing domain administrators to control how their domain is handled in terms of email authentication failures. Below is a simplified overview of how DMARC works:

1. Sender Domain Setup - The mail administrator sets up a DMARC policy by publishing a DMARC DNS record. This record includes instructions for recipient email servers on how to handle emails claiming to be from the sender domain.
2. SPF and DKIM Alignment – As mentioned above, DMARC relies on the alignment of SPF and DKIM (DomainKeys Identified Mail) authentication results. SPF checks if the IP address of the sending server is authorized to send emails on behalf of the domain, while DKIM validates if the email is genuine and coming from a legitimate sender address using cryptographic signatures.
3. DMARC Policy - The DMARC policy in the DNS record specifies one of three actions to be taken by the receiving email server (None, Quarantine, or Reject) when an email fails SPF and/or DKIM authentication:
4. DMARC Reports - As the receiving mail server encounter emails from the sending domain, they generate DMARC reports containing information about the authentication results and send them back to the sender's specified email address. These reports provide visibility into the usage and authentication status of the sending domain.
5. Policy Enforcement - Following DMARC policy and authentication results, the destination email system decides how to handle the incoming email. It checks SPF and DKIM alignment, verifies the DMARC policy, and takes the appropriate action that was specified in the DMARC policy (e.g., deliver, quarantine, or reject).
   
   

As a sender, performing routine monitoring of DMARC reports is crucial, particularly if you run multiple email campaigns regularly and send emails to a large group of people all at once.

DMARC reports will let you know of any phishing or spoofing attempts to your domain, as well as informs you if your own emails are getting rejected because of failed DKIM or failed SPF checks. By monitoring your DMARC record, you can adjust your authentication policies in cases where legitimate emails are erroneously getting marked as spam.

Key Takeaways

DKIM and DMARC, along with SPF records, have to be set up in the domain’s Domain Name System (DNS) settings. These email authentication protocols help establish trust in the email system by ensuring that the sender's identity can be verified and that the message has not been tampered with while in transit from server to server.

Both DKIM and DMARC helps combat various types of email messaging threats, including spam, phishing, and email spoofing. These protocols work together to provide a layered approach to email authentication. As a sender, implementing these protocols can improve the chances of your emails being delivered successfully and mitigate the risk of your domain being abused for illegitimate purposes. Meanwhile, email recipients can use these protocols to determine the authenticity of incoming emails and identify potentially fraudulent or malicious email messages.