Technical Guidance
This article takes a look at DKIM Selectors in particular, and we explain: What DKIM Selectors are; Where to find your own DKIM Selector; Third-Party providers and DKIM Signing. How does DKIM work? DKIM (DomainKeys Identified Mail) is an email authentication method that allows an email receiver to check that an email claiming to come from a specific domain was indeed authorized by the owner of that domain and was received without any unauthorized modification to its content during transit. This is achieved through cryptographic authentication using a key pair: a private key and a public key. The Mechanics of DKIM: Digital Signature Creation: When an email is sent, the originating email server generates a unique digital signature for the message. This signature is based on the content of the email itself, including headers and body, ensuring that any alteration of the email during
In February 2024, Google and Yahoo started implementing a series of gradual enforcements for organisations that send over 5000 emails daily, also defined as bulk email senders. These enforcements are especially relevant to Domain-based Message Authentication, Reporting & Conformance (DMARC). With this initiative, Google and Yahoo intend to reduce the overall amount of spam and spoofed content sent across the internet, especially focusing on the authentication of an organisation’s email infrastructure. This move, aimed at combating spam and improving email security, involves using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC standards. This article covers the Google and Yahoo requirement specifications and focuses on the potential impacts on European businesses. In particular, it addresses the complications of implementing DMARC across the European email ecosystem and the necessary steps to comply with the enforcement. Impact on European Email Senders: A Closer Look Popular Email Providers in Europe Challenges of
DomainKeys Identified Mail (DKIM) is an email security standard designed to help prevent email spoofing. It works by adding a “tamper-proof” seal to email messages, ensuring their authenticity and integrity. However, sometimes legitimate emails fail DKIM signature verification due to canonicalization issues, leading to email delivery problems. This article explains how to resolve these issues by adjusting DKIM canonicalization settings on your email gateway systems. [Figure: how DKIM works in an email infrastructure] [Video: DKIM Overview, a brief overview of DKIM's role in email authentication and DMARC] Understanding DKIM Canonicalization: Canonicalization in DKIM refers to the method used to prepare an email’s header and body for signing. According to RFC 6376 Section 3.4, there are two canonicalization algorithms for header and body: simple and relaxed. The choice between these settings affects how strictly the email’s content must match the sending and
What is a PTR Record? A PTR (Pointer) record, also known as a Reverse DNS record, maps an IP address to a domain name; essentially, it’s the opposite of what an A record does in DNS. While A records are used to translate domain names to IP addresses, PTR records are used to verify that an IP address indeed corresponds to a domain name. This is a common verification step for receivers and part of many checks to determine the legitimacy of a connection’s origin, such as email servers. Why Does it Matter? PTR records hold significance for a myriad of reasons across various aspects of internet communication and network management. They facilitate smoother network operations, aid in troubleshooting, and enhance the trustworthiness of servers. However, for the purpose of this article, we will focus on their role in email security and delivery where their impact can be profound. Focusing
Google and Yahoo’s DMARC requirements will be enforced in February 2024 for higher volume senders. We have resources to help you prepare for DMARC and other sender requirements to ensure your email delivery won’t be disrupted. Why DMARC now? There are few mechanisms that prohibit bad actors from sending an email pretending to be you. DMARC is the main control for fighting domain abuse. It’s a free and open technical specification that authenticates emails with SPF and DKIM. By publishing a DMARC record in your domain’s DNS, you can fight business email compromise, phishing and spoofing. DMARC, SPF and DKIM aren’t newcomers to the email authentication scene—they’ve been around for over a decade and have grown to become a best practice. Email is involved in more than 90% of all network attacks; without DMARC, it can be hard to tell if an email is real or fake. Because of the
For those of you that use GoDaddy as your DNS provider, here are brief instructions for adding a DMARC record. If your domain has been added to GoDaddy through one of their partners, you’ll manage your DNS records through that hosting partner. Create your domain’s DMARC record. If you have already generated a DMARC record, you can verify it with our free diagnostic tool. If you need to generate a DMARC record, you can use our free DMARC Record Wizard. When you have created and verified your DMARC record, log in to your GoDaddy account. Select your domain to access the Domain Settings page. Select DNS to view your DNS records. Select Add New Record. Select TXT from the Type menu. Enter the details for your TXT record: Make sure the record Type is TXT. Name/Host is set to _dmarc. Set Value to the DMARC record generated in
A DMARC record will need to be created and published in your domain’s DNS hosting provider. Some popular hosting providers are GoDaddy, Namecheap, DNS Made Easy and Cloudflare. We have several guides listed below for many of the top hosting providers to help you with each step of publishing your record. If you do not see your hosting provider listed below, you’ll want to get the step-by-step instructions directly from your provider’s website and follow their help documentation if you get stuck. Domain Name System (DNS) is an important service for all traffic that is sent or received over the internet (email, web traffic, etc.). DNS helps provide all of our connected devices with routing directions and instructions on how to perform a specific task, such as sending an email or visiting your favorite news site. Your DMARC record will inform others how to handle email that claims to come
With Google and Yahoo transitioning several long-standing best practices to enforced sender requirements, we created the following guide to ensure you understand where you can find evidence of delivery issues and begin to understand what additional steps you need to take in order to ensure you are sending according to their guidelines. What are error codes? Email error codes and bounce strings are generated when one email server attempts delivery to another email server that results in a failure. Error codes are also commonly referred to as bounce codes, SMTP errors, or Delivery Status Notifications (DSN). You can use the messages and codes to help understand the underlying reason and attempt to troubleshoot them. Most often, the source sending emails on your behalf will have developed software to handle errors in an automated fashion for you. Where some email sources may expose these errors to you through their interface, the
A domain’s DMARC record can tell the world to send DMARC reports to a different domain. For example, the domain example.org might have a DMARC record of: "v=DMARC1; p=none; rua=mailto:dmarc_reports@sample.net". This DMARC record tells people to send reports regarding example.org to the email address of dmarc_reports@sample.net. Before reports are sent, sample.net must tell the world that it is OK to send example.org’s reports to sample.net. Otherwise, reports will not be sent to sample.net. Allowing “external” domains to accept DMARC reports is called “External Domain Verification.” For those who like too much information, the DMARC RFC describes in detail how report generators determine if sample.net is allowed to receive reports related to example.org. External Domain Verification is made possible when sample.net publishes a special TXT record at a specific location in the DNS. If example.org tells the world to send DMARC reports to the sample.net domain, people who are sending reports will
Email forwarding can sometimes throw a wrench in DMARC authentication results, and we often get questions about how to manage forwarded emails, especially with mailing lists. Emails are forwarded automatically all the time, more so than most people expect. Forwarding happens automatically when you send an email to myfriend@example.com and that person has set up their email to be forwarded to a separate inbox, like myfriend@dmarcian.com. Another common instance of automatic forwarding is a mailing list, like Google Groups. From the perspective of the email receiver—the one that is generating DMARC XML reports—your email appears to be coming from an infrastructure that has nothing to do with you. In Google Groups, DMARC data that displays forwarding will show your domain as a sender, a Google IP as the sender, and a variety of receivers who send the DMARC report as part of their DMARC check. This number can increase quite