Leveraging the Power of Email Authentication – Part 2: Using DKIM to Enable DMARC


This article is Part 2 of our “Leveraging the Power of Email Authentication” series. Read Part 1: What is DMARC? and Part 3: Implementing DKIM

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication mechanism that allows an email receiver to verify the sender of a message. Email receivers such as Gmail, Yahoo and corporate email servers use DKIM to identify which emails are authentic and should be delivered versus which emails are spoofed or spear-phishing messages and should be rejected. DKIM is not an anti-spam filter, but the mechanism can assist in controlling spam and phishing because it permits the verification of a responsible organization, as well as the integrity of the message’s content. DKIM will increase email deliverability because it legitimizes marketing and other emails, ensuring these messages land in consumer inboxes while spam email is blocked.

DKIM is one of two email authentication protocols (the other is Sender Policy Framework, SPF) used in the DMARC standard. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an additional layer that builds on SPF and DKIM as validation mechanisms. And while DKIM is not required by DMARC, using DKIM ensures a message has not been altered and maintains its trustworthiness throughout its transit to the intended recipient.

Organizations that don’t leverage DKIM aren’t taking full advantage of email authentication opportunities. For an email to pass DMARC, it needs to pass and align with either SPF or DKIM. Unfortunately, many senders assume it’s perfectly acceptable to focus on passing and aligning with one or the other, rather than passing and aligning with both, which is ideal for a truly secure email channel.

Easy Solutions recommends all organizations implement DKIM to increase their protection from email fraud.

Why DKIM?

Corporate domains with DKIM-signed email have higher deliverability than those without. At the same time, domains with DKIM pose more problems for fraudsters for the following reasons:

  • DKIM with DMARC can verify that the FROM: address displayed in the email was not spoofed. This allows mail receivers to identify when a fraudster spoofs emails using the CEO’s email address, for example.
  • DKIM verifies that the email message was not modified after leaving the sender. It ensures that a business’ emails to consumers have not been modified with phishing links while in transit. DKIM also ensures that links containing malware or false instructions such as “wire money to this bank account” have not been inserted into emails between corporate employees during delivery, for example.
  • DKIM can be used to authenticate email even when forwarded from one receiver to another. The SPF protocol does not provide a mechanism to authenticate email that has been forwarded. Therefore, DMARC will not pass for forwarded email unless DKIM is also implemented. When email receivers cannot authenticate email with SPF or DKIM, then the forwarded email will likely suffer from low deliverability and either land in the user’s spam box or be rejected.
  • DKIM can authenticate email when SPF is unsuccessful. If an organization uses only SPF to authenticate email, they will likely see their DMARC pass rates be less than 100 percent because SPF can fail when a DNS server times out between the email sender and receiver. In fact, many organizations reach a maximum DMARC pass rate of only somewhere between 95.2 percent and 95.7 percent until DKIM is implemented. DKIM gives email authentication a second chance, so to speak.

Recommendation

Use DMARC reports to monitor DKIM pass rates for each corporate and third-party email sending IP address.

Monitor the DKIM pass rate of each IP address to identify configuration or deliverability errors with a receiver. The image below displays the pass rate for Easy Solutions’ email domains.
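As an added example (not code from the original post), the script below parses a DMARC aggregate (RUA) report and computes the DKIM and DMARC pass rate per sending IP address, flagging sources whose DKIM pass rate falls below a threshold. The report XML and its IP addresses are constructed sample data; the element names follow the standard aggregate report format.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate report (not real data): one IP that signs
# most but not all of its mail, and one forwarding-style source where SPF fails.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_id>receiver.example</org_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>800</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>200</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>50</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def pass_rates(xml_text):
    """Return {source_ip: {"messages": n, "dkim": rate, "dmarc": rate}}.
    policy_evaluated holds the receiver's *aligned* verdicts; DMARC passes if either does."""
    stats = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        n = int(row.findtext("count"))
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        s = stats.setdefault(ip, {"messages": 0, "dkim_pass": 0, "dmarc_pass": 0})
        s["messages"] += n
        s["dkim_pass"] += n if dkim_ok else 0
        s["dmarc_pass"] += n if (dkim_ok or spf_ok) else 0
    return {ip: {"messages": s["messages"],
                 "dkim": s["dkim_pass"] / s["messages"],
                 "dmarc": s["dmarc_pass"] / s["messages"]} for ip, s in stats.items()}

def low_dkim_sources(xml_text, threshold=0.99):
    """IPs whose DKIM pass rate is below threshold: likely a signing
    misconfiguration or an unsigned third-party sender worth investigating."""
    return sorted(ip for ip, s in pass_rates(xml_text).items() if s["dkim"] < threshold)

if __name__ == "__main__":
    for ip, s in pass_rates(SAMPLE_RUA).items():
        print(f"{ip}: {s['messages']} msgs, DKIM {s['dkim']:.1%}, DMARC {s['dmarc']:.1%}")
```

Note that the second source passes DMARC only because of DKIM; with SPF alone it would have failed, which is the forwarding case described above.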

[Image: DKIM pass rate for Easy Solutions’ email domains]

For more information about DKIM, see the DKIM working group and its technical specification, or contact us with questions.

We will continue to explore the next steps in securing the corporate email channel as part of our “Leveraging the Power of Email Authentication” series. Read Part 1 and Part 3
