Domainkeys Identified Mail, or DKIM, is a standard that prevents email senders and recipients from spam, spoofing, and phishing. This form of email authentication allows an organization to add digital Signature to the emails that can be validated by the recipient to check if the email belongs to the legitimate Sender. To verify the authorization of email Server, it uses approach called “public key cryptography”. It supplements SMTP, the basic protocol used to send email, because it does not itself include any authentication mechanisms.

How it works?

It works by adding a digital signature to the headers of an email message. That signature can be validated against a public cryptographic key in the organization’s Domain Name System (DNS) records. A domain owner publishes a cryptographic public key as a specially-formatted TXT record in the domain’s overall DNS records. When a mail message is sent by an outbound mail server, the server generates and attaches a unique DKIM signature header to the message. This header includes two cryptographic hashes, one of specified headers, and one of the message body (or part of it). The header contains information about how the signature was generated.

When an inbound mail server receives an incoming email, it looks up the sender’s public DKIM key in DNS. The inbound server uses this key to decrypt the signature and compare it against a freshly computed version. If the two values match, the message can be proved to authentic and unaltered in transit.

How is it related to SPF, DMARC, or other standards?

  • SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
  • DKIM provides an encryption key and digital signature that verifies that an email message was not faked or altered.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test. DMARC is still in its early age and unfortunately not used as much as hoped to make a huge difference. DMARC can (and will) break your mail flow if you don’t set up both SPF and DKIM before changing DMARC policy to anything above “none”.
  • Please work through the proper process carefully, otherwise your precious messages won’t be delivered to your users as potentially seen as fraudulent by a wrong SPF, DKIM or DMARC setup.

Does Spambrella support DKIM and DMARC?

Yes – Prior to signing messages, please ensure you implement your SPF records correctly. The correct SPF record is: (US) (EU)

Full details are found here:

Spambrella Email Security natively supports DKIM and DMARC records for customers

A DKIM record ensures that messages are not altered from sending to recipient server. The exception we have is URL Defense. The DNS gives the public-key of the DKIM signature to match against the private key sent in the email header.

Although not required, a DKIM record assists to prevent domain spoofing, which helps reduce the risk of your email being marked as spam on the recipient side. This, in addition to SPF, validates your email sources.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC itself is a DNS setting, which tells other sources where to report emails that fail against the DMARC record. DMARC requires one of two items to pass: SPF or DKIM. It is important you properly add all your services to your SPF record and correctly set your DKIM.

SPF Check on Spambrella for Inbound Email

SPF Checking with Office 365

DMARC set-up