DKIM works with a pair of Private and Public keys. The Private key is stored on the sending email server, while the Public key is published in the domain's DNS. There are multiple use cases for DKIM implementation:
- If you are using third-party ESPs (Google, Microsoft 365, Mailchimp, etc.), the DKIM Public keys are obtained from their portals. ESPs won't share their Private keys, for privacy and security reasons.
- For dedicated servers, EasyDMARC's DKIM Generator tool can be used. You securely store the Private key on your own server and publish the Public key in your DNS.
There can be multiple cases for this. The most common cases include:
1. A syntax issue with the subdomain entered in the "Host" or "Name" section. DMARC needs to be implemented on the _dmarc.yourdomain.com subdomain. Make sure you got that right.
2. Some DNS zone editors (e.g. GoDaddy) automatically append your domain name to whatever is entered in the "Host" section. For example, when you input your whole subdomain "_dmarc.yourdomain.com", GoDaddy will read that as "_dmarc.yourdomain.com.yourdomain.com", which invalidates your DMARC Record. To fix this, remove your domain name and keep just "_dmarc".
3. You have multiple DMARC Records implemented in your DNS. Make sure you have only one DMARC TXT Record per root domain or subdomain.
4. You are still on the DMARC None policy (Monitoring mode) and you are getting an error indicating "DMARC record is valid, but you are not protected against email spoofing and phishing". This is a warning from our side that your DMARC Policy is not enforced and your domain is still open to spoofing attempts.
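The four cases in this list can be told apart mechanically. The following is an added example, not EasyDMARC's code: it classifies a domain from a constructed zone snapshot instead of live DNS lookups, and the `ZONE` data, the `.example` domains and the finding codes are all assumptions made for illustration.

```python
# Constructed sample zone: fully qualified name -> TXT strings published there.
ZONE = {
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:reports@good.example"],
    # Case 2: the zone editor appended the domain to a full host name.
    "_dmarc.doubled.example.doubled.example": ["v=DMARC1; p=quarantine"],
    # Case 3: two DMARC records at the same name.
    "_dmarc.multi.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    # Case 4: valid record, monitoring only.
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    # Case 1: record published at the root instead of the _dmarc subdomain.
    "apex.example": ["v=spf1 -all", "v=DMARC1; p=reject"],
}

def is_dmarc(txt):
    """Only TXT strings that begin with v=DMARC1 count as DMARC records."""
    return txt.strip().startswith("v=DMARC1")

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def diagnose_dmarc(zone, domain):
    """Return one finding code (hypothetical names) for `domain`."""
    def dmarc_at(name):
        return [t for t in zone.get(name, []) if is_dmarc(t)]

    records = dmarc_at(f"_dmarc.{domain}")
    if not records:
        if dmarc_at(f"_dmarc.{domain}.{domain}"):
            return "HOST_DOUBLED"        # fix: enter only "_dmarc" as the host
        if dmarc_at(domain):
            return "WRONG_HOST"          # fix: move the record to _dmarc.<domain>
        return "MISSING"
    if len(records) > 1:
        return "MULTIPLE_RECORDS"        # fix: keep exactly one DMARC TXT record
    policy = parse_tags(records[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "INVALID_POLICY"
    return "POLICY_NONE" if policy == "none" else "OK"

if __name__ == "__main__":
    for d in ("good.example", "doubled.example", "multi.example",
              "monitor.example", "apex.example", "absent.example"):
        print(d, diagnose_dmarc(ZONE, d))
```

To run it against a real domain, fill the dictionary from your DNS provider's zone export or from TXT lookups of the three names the function inspects.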
EasyDMARC segments DMARC Reports into 4 tabs to make your DMARC enforcement journey easier and more successful.
DMARC Compliant: Under this tab, our system discovers and shows you all the email sources that are sending DMARC Compliant emails on your domain's behalf. These are your legitimate sources that are meeting compliance via SPF and/or DKIM authentication and alignment.
DMARC Non-Compliant: This tab identifies all your sending sources that are failing DMARC compliance checks. These sources are failing both SPF and DKIM authentication and alignment.
Threat/Unknown: This tab identifies all the spoofing or fraudulent attempts on your domain's behalf that are sent from Source IPs that are blacklisted in multiple RBLs (Blacklist checks) or from a Source IP that doesn't resolve to a Reverse DNS (PTR) record. You may, at some point, discover your legitimate servers labeled under this tab, which indicates that your server is either blacklisted in multiple lists or lacks Reverse DNS (PTR).
Forwarded: Forwarding happens when your receiver forwards your email to another recipient. This is usually caused by Auto-Forwarding or Routing rules that are applied at major Mailbox Providers.