DKIM is a vital email authentication method. Let’s dive into what DKIM is, why it’s important, and how Emarsys has enhanced its approach to DKIM to keep up with industry best practices and evolving standards.
First things first – abbreviations and terms that we will use in the article:
DKIM – DomainKeys Identified Mail
SPF – Sender Policy Framework
DMARC – Domain-based Message Authentication, Reporting, and Conformance
DNS – Domain Name System
“From” header – the sender address, visible to the recipient
Understanding DKIM
DKIM is an email authentication method that helps ensure the email you send hasn’t been tampered with during transit. When an email is sent, DKIM adds a cryptographic signature to it. This signature is generated using a private key that only your domain (or your email sending platform, like Emarsys) has access to.
When the email reaches the recipient’s server, the server uses the public key published in your domain's DNS records to verify the signature. If the signature matches, it means:
1. The email content wasn’t altered.
2. The email genuinely came from your domain.
This builds trust with mailbox providers like Gmail, Yahoo, and others, increasing the chances of your emails landing in the inbox.
DKIM’s Connection to Yahoo/Google Requirements
Mailbox providers like Google and Yahoo have established strict requirements for email authentication to enhance security and reduce phishing attempts. These requirements include having SPF, DKIM, and DMARC records in place, and ensuring that the “From” header is aligned with either the SPF domain OR the DKIM domain.
At Emarsys, our standards fully comply with these requirements. We have required these standards for all new sender domains for many years. For our customers, DKIM is always aligned with the “From” domain, ensuring DMARC passes even in cases where SPF is not aligned. This alignment meets the expectations of major mailbox providers.
Understanding Alignment and Google Postmaster Tools
One common concern we hear is about SPF success rate in Google Postmaster Tools.
Here’s the deal: Google Postmaster Tools evaluates not just whether the SPF record is valid, but also whether it aligns with the “From” domain. If the SPF domain isn’t aligned, Google will show a success rate of 0% for SPF alignment, even if SPF itself is correctly set up.
Thankfully, Emarsys’ strict DKIM alignment ensures that DMARC will still pass even if SPF is not aligned in some setups.
If you’re worried about SPF alignment metrics, a simple test can give you peace of mind. Send a test email to a Gmail account and check that SPF=PASS and DKIM=PASS appear in the headers. If DMARC passes, your setup is working as intended.
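The header check described above can be scripted. The following is an added example, not Emarsys code: it parses the Authentication-Results header of a constructed test message and recomputes SPF and DKIM alignment against the “From” domain. The domains, selector and IP address are placeholders, and relaxed alignment is approximated by comparing the last two DNS labels (a real check uses the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: SPF passes for the bounce domain, DKIM signs as the From domain.
SAMPLE = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@news.example.com header.s=key1 header.b=AbCdEfGh;
 spf=pass (google.com: domain of bounce@mail.esp-example.net designates 192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.esp-example.net;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=news.example.com
From: Shop <offers@news.example.com>
Subject: alignment test

body
"""

def parse_auth_results(raw_msg):
    """Return {method: [{"result": ..., property: value, ...}, ...]}."""
    msg = message_from_string(raw_msg)
    header = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    header = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
    results = {}
    for clause in header.split(";")[1:]:  # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.setdefault(method.lower(), []).append({"result": result.lower(), **props})
    return results

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain (no PSL lookup).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_view(raw_msg):
    """Recompute which passing mechanism is aligned with the From domain."""
    msg = message_from_string(raw_msg)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    res = parse_auth_results(raw_msg)
    def ok(method, prop):  # a passing result whose domain aligns with From
        return any(r["result"] == "pass" and prop in r and
                   org_domain(r[prop].rpartition("@")[2]) == org_domain(from_domain)
                   for r in res.get(method, []))
    spf = ok("spf", "smtp.mailfrom")
    dkim = ok("dkim", "header.d") or ok("dkim", "header.i")
    return {"from": from_domain, "spf_aligned": spf,
            "dkim_aligned": dkim, "dmarc_pass": spf or dkim}
```

On the sample, SPF reports pass but is not aligned, while the aligned DKIM signature alone is enough for DMARC to pass.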
Emarsys Offers Secure DKIM Keys
Since 2024, Emarsys has implemented 2048-bit DKIM keys by default, further strengthening security compared to the older 1024-bit keys. This change aligns with industry best practices and ensures that your emails are more resilient against attacks.
But simply upgrading the key strength isn’t enough. Maintaining the integrity of DKIM keys over time is crucial, which brings us to the concept of DKIM rotation.
Publishing Public Keys and DKIM Rotation
To verify DKIM signatures, your public DKIM key must be available in your domain’s DNS records. There are two ways to publish this public key:
1. As a static TXT record in your DNS (this method was used by Emarsys until 2022)
2. Through a CNAME record that points to the key hosted by Emarsys.
At Emarsys, we’ve adopted the CNAME approach, because it is dynamic and allows us to perform DKIM key rotation seamlessly.
DKIM key rotation means regularly replacing your DKIM keys with new ones. This is a critical security practice because:
- It minimizes the risk of key compromise.
- It keeps your email authentication fresh and aligned with evolving security requirements.
By using CNAME records, Emarsys can handle DKIM rotation on your behalf without requiring you to manually update your DNS records. This ensures that your DKIM setup stays secure and up to date with minimal effort on your part.
In case your sender domain was configured before 2022, and you want to update to the new secure setup, check our guidance here.
Takeaways
Email deliverability is about trust, and DKIM is a cornerstone of that trust. By implementing DKIM with 2048-bit keys, leveraging CNAME-based key publishing, and performing regular key rotation, Emarsys ensures your emails meet the highest standards of security and authenticity.
Moreover, our strict DKIM alignment policy guarantees DMARC compliance. This is a crucial safeguard in an era where mailbox providers demand increasingly stringent authentication practices.
So, if you’re using Emarsys, rest assured that your email authentication is robust, secure, and future-proof. And if you ever see SPF alignment at 0% in Google Postmaster Tools, remember—it’s not necessarily a problem as long as DKIM alignment ensures DMARC passes.