DKIM: Another Step to DMARC Compliance | EasyDMARC

DKIM: Another Step to DMARC Compliance

7 Min Read
Three email images and a lock image in the middle, a person's hand pointing on the lock

If you’re heading a business with a solid online presence, achieving DMARC compliance should be your primary goal. DMARC is an authentication protocol applied to your domain so only authorized sources can send emails on your behalf. 

This is important if you want to be known as a reputed sender and increase your profile as a respected brand on the Internet. DMARC not only prevents malicious actors from sending fraudulent, spam, spoofed, or phishing emails in your company’s name, but it also improves deliverability rates of your legitimate emails. 

When it comes to DMARC vs. DKIM or even DKIM vs. SPF, there’s really no true comparison. All three protocols are unique email authentication standards working differently but all requiring correctly configured DNS records.

SPF is the first step towards DMARC compliance. It’s a protocol that allows you to specify which IP addresses and third-party entities are authorized to send emails on your behalf. 

DKIM is an equally vital step. It allows you to digitally sign your emails with a cryptographic key, ensuring only unaltered and authentic emails are sent on your domain’s behalf.

DMARC enhances both of these standards and offers unrivaled email domain security and fraud prevention through SPF/DKIM authentication and alignment. But reaching 100% DMARC compliance is a process. 

In this blog post, we discuss what’s required to achieve DMARC compliance, what it is, and the role DKIM plays. There’s more to it than simply adding a DKIM record to your DNS. Ready? Let’s jump in.

DMARC Compliance: What is it Built on?

To learn why DMARC compliance is so important, it helps to understand the basics of DMARC itself. It’s an anti-spoofing protocol that authenticates your email sending domain, allowing only verified emails to enter the recipient’s inbox. DMARC relies upon both SPF and DKIM. But implementation on its own doesn’t suffice.

SPF or the Sender Policy Framework authenticates emails by verifying whether a sender is authorized. That’s where the SPF record comes in. It’s a TXT record, which is a type of DNS record containing the list of IP addresses and third parties allowed to send emails on behalf of your company’s domain.

DKIM is short for DomainKeys Identified Mail. It validates emails and verifies their authenticity using a cryptographic key pair—one private and one public. The private key is used to generate an encrypted digital signature for every message sent from your website’s domain. 

The public key is included in a domain’s DNS records as a modified TXT record, known as a DKIM record. It’s used by receiving senders to match the digital signature and authenticate a message.

When an email is sent, SPF uses the return-path address, while DKIM uses the DKIM signature header for verification checks. But neither use the visible “From:” address, meaning malicious actors can still use a fake “From:” address to scam recipients.

Enter DMARC. It requires the “From:” address to match the DKIM signature header domain (for DKIM) or the return-path domain (for SPF). Essentially, that’s what DMARC alignment is—ensuring the “From:” field contains a verified domain.

DMARC compliance requires an email to pass SPF or DKIM authentication and the return-path or DKIM header to match the “From:” address. 

In other words, an email can only achieve DMARC compliance after SPF or DKIM authentication and alignment.

What’s DKIM’s Role in DMARC Compliance?

Understanding a DKIM signature and knowing how a DKIM record works can help answer this question.

When an inbound server receives an email, it retrieves the DKIM record of the domain cited as the sender. It then locates the public key and uses it to decrypt and match the digital DKIM signature (that was generated by the private key) in the email.

If the DKIM signature matches the public key contained in the DKIM record, then the email passes DKIM authentication.

Alignment is the second stage. In this process, the receiving server checks if the domain in the email’s “From:” header that’s visible to the receiver matches the “d=” tag domain used in the DKIM header.

If you want your emails to achieve full DMARC compliance, authentication and alignment must pass flawlessly. Both verification procedures look at the primary domain and how it syncs with any other subdomains you might have. That’s why it’s crucial to create a DKIM record for every domain or subdomain authorized to send email on your company’s behalf.

Syntax plays a prominent role in getting DKIM right. If you’re unsure how to handle a DKIM record properly, ask a professional for help. EasyDMARC has a team of specialists ready to configure your DKIM record to be 100% DMARC compliant. By going this route, you’ll avoid mistakes and risks of getting error messages or bounced emails.

DMARC Alignment: When SPF and DKIM Come Together

Essentially, implementing SPF and DKIM to achieve DMARC compliance is the best way to tell recipient servers precisely how to handle emails sent on your company’s behalf.

This way, you have control over how recipient servers determine whether an email should be delivered to the inbox or not. When an email is sent, the receiving server checks which DNS records are stored for the associated domain. 

When a DMARC record is found, the receiving server then proceeds to check the message being sent based on the policies dictated by SPF and DKIM.

  • If an email passes both SPF and DKIM authentication, it’s from an authorized server and hasn’t been altered in transit.
  • If an email passes SPF and DKIM authentication AND at least one alignment (where the “From:” address matches the domain used by SPF or DKIM), then it passes DMARC authentication. This indicates that the sender is indeed genuine and permitted to send emails on that domain’s behalf.
  • If an email fails either SPF authentication or alignment, but passes DKIM authentication and alignment, then it still passes DMARC authentication.
  • If an email fails either DKIM authentication or alignment, but passes SPF authentication and alignment, then it still passes DMARC authentication.
  • If an email fails both SPF and DKIM authentication OR both SPF and DKIM alignment, then it still fails DMARC authentication.

DMARC also captures the message’s deliverability by sending reports to the sender indicating whether SPF, DKIM, or DMARC checks failed.

The best way to check DMARC compliance is by testing the configuration of both SPF and DKIM. When SPF and DKIM identifiers are correctly aligned, DMARC lets everyone in your network know your website and servers have been authorized to send messages on your behalf. With the right DMARC policies aligned, you can instruct email receivers to discard and reject anything you disapprove of.

Complete DMARC compliance is a synonym for domain control. However, this process takes time since you have to configure your SPF, DKIM, and DMARC policies correctly for each authorized source that sends messages on your behalf.

Every email service provider (ESP)  has slight differences in its infrastructure and configurations, so it’s crucial to adapt your DMARC strategy accordingly. All reputed ESPs have an understanding of DMARC. Many of them apply DMARC policies and add-ons, such as BIMI verification.

Final Thoughts

DKIM is an authentication standard that plays a significant role in DMARC compliance. It adds a digital signature header to every email, created with the sender’s private key, which matches the sending domain’s public key found in its DKIM record.

Setting up SPF and getting your DKIM record configured correctly is the first step to improving your DMARC compliance rates. You can check your DKIM record right now with EasyDMARC’s DKIM lookup tool

If you get negative results, use our DKIM generator tool or reach out to our team. We’ll guide you with a step-by-step solution to protect your domain and authenticate your emails.

Various authors from EasyDMARC teams have contributed to our blog during company's lifetime. This author brings everyone together.


Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us