Today we are here to talk about DMARC vs DKIM. Both DMARC and DKIM are email authentication protocols helping organizations combat impersonation attacks and email compromise. Both DMARC and DKIM are important tools for protecting your brand, but they do not replace each other. So it’s important that you understand what each one does before deciding on which one works best for your needs.
What do DMARC and DKIM stand for?
First, let’s break down the acronyms:
DMARC is an acronym for Domain-based Message Authentication Reporting and Conformance. It is a protocol that uses SPF and/or DKIM records to authenticate emails. It also allows you to monitor and control what happens to unauthenticated emails sent from your domain.
DKIM is an acronym for DomainKeys Identified Mail. It is a method of verifying the authenticity of emails using cryptographic authentication.
DMARC definition & how it works
DMARC is based on SPF (Sender Policy Framework) and DKIM. It verifies if the message aligns with these standards. DMARC allows for the rejection of fraudulent messages and it also allows for reports to be emailed to you from the recipient’s mail server. It is a protocol that allows an organization to say “if you send mail from my domain, I will authenticate it.” It also creates a feedback loop between the sender and receiver that lets both parties know if the other party is following the specified policy.
DMARC can be used by both senders and receivers of emails. If a message fails DMARC checks, the receiver can take different actions, like rejecting the message or sending it back to the sender with a notice explaining why it failed authentication. The goal of DMARC is to reduce email compromise while still letting legitimate emails through.
How does DMARC work?
To begin with, the basic function of DMARC is to determine whether or not an email should be delivered to its intended recipient. In order to do this, it determines what kind of DNS records are stored for a particular domain. The DMARC record itself contains instructions as to where the email should be sent if it fails either SPF or DKIM checks.
It also provides instructions as to how much of the message should be delivered if it fails authentication. There are three possible options here:
- ‘none’ means that all failed messages should be treated as normal
- ‘quarantine’ means that some portion of the message should be delivered, but only with a warning
- ‘reject’ means that no part of the message should be delivered at all
DKIM definition & how it works
DKIM stands for DomainKeys Identified Mail and was developed by Yahoo! back in 2004 as a way to verify that an email is authentic. It works similarly to SPF (see below), but instead of sending an authentication signature with each message, it signs the headers of every message sent by your server so that recipients can verify their authenticity using public keys listed in DNS records associated with your domain name.
DKIM is a cryptographic method of verifying that an email is sent from an authorized server. This is done by cryptographically signing each email with a private key, which then allows it to be verified by the recipient using a public key. DKIM performs a different role in email authentication as opposed to DMARC. DKIM is a form of email authentication that allows you to verify if a message has been sent by someone using your domain name.
How does DKIM work?
The verification is done by adding a digital signature to each message sent from your server. This signature is added by adding a header to the email that contains a few key pieces of information:
- The domain name used to send the email
- A DKIM selector is used to help locate the DKIM public keys in the DNS in case there are multiple DKIM records published
- The public key will be used by the recipient’s mail server to decrypt part of the message and compare it against another part of the message in order to verify that it was sent from an authorized server
- A hash value is generated from parts of the message so that those parts can be verified by anyone who has authorized access
DMARC Vs DKIM: Which to use and when?
DMARC and DKIM are both email authentication techniques that help improve the security and deliverability of your emails. While they’re often confused, and many companies have a hard time understanding the differences between these two protocols, DMARC and DKIM are actually quite distinct from each other as explained above.
It is important to note that neither of the two protocols is interdependent, and can be configured individually. Let’s find out how:
Configuring DMARC paired with SPF
You can skip setting up DKIM for your domain and still configure DMARC by pairing it up with SPF. This is because for your emails to pass DMARC, either SPF or DKIM identifier alignment is required. To implement DMARC without DKIM:
- Make a list of all your authorized sending sources
- Create an SPF record using our free SPF record generator and include all your sending sources to authorize them
- Paste the record on your DNS
- Create a DMARC TXT record for your domain using our free DMARC record generator
- Copy and paste this record on your DNS to activate DMARC
Configuring DKIM on its own
If you want to skip DMARC configuration, you can choose to implement DKIM on its own. To do so head over to the PowerDMARC DKIM record generator tool and enter the following information:
- A unique DKIM selector key (it can be a 1024 or 2048 bits long alphanumeric value)
- Your domain name (without any prefixes, for example, if your website URL is https://www.domainname.com, your domain name will be domainname.com)
Once you hit the generate record button our AI generates your DKIM TXT record along with instructions on how to publish it on your DNS to activate the protocol.
DMARC VS DKIM VS SPF
SPF stands for Sender Policy Framework and was created by AOL back in 2001 as a way for email senders to tell recipient mail servers which IP addresses are authorized to send mail from.
When you’re trying to figure out which email authentication method is best for your business, the decision can get a little confusing. There are a lot of things to consider: SPF, DKIM, and DMARC all play important roles in ensuring that your emails are delivered and received as intended.
DMARC is the best method for protecting your brand from phishing scams, but it’s not as effective at stopping spam as DKIM or SPF. DKIM is better than DMARC for preventing spam, but it’s not as good at stopping phishing scams. SPF stops phishing scams better than any other method, but it doesn’t do much against spam or ransomware.
DMARC, SPF, and DKIM: How they can work in unison for well-rounded email protection
We believe that having a multi-factor approach to email authentication can be a game-changer in terms of domain and information security. This is why experts in the industry recommend organizations implement DMARC, SPF as well DKIM for well-rounded email protection.
Aligning your emails against both SPF and DKIM authentication standards while using DMARC for special instructions and reverse feedback can help you gain 100% compliance on your emails. It also helps build trust and create a solid foundation for your organization’s domain, and ensure deliverability.
The PowerDMARC email authentication suite gives you an automated experience while configuring your protocols. Our DMARC services come paired with SPF and DKIM to take your email’s security to the next level. Sign up for our free DMARC today to try out the benefits yourself!
- How to Implement Mail Domain Authentication in Your Email Infrastructure - February 22, 2023
- How to fix “SPF alignment failed”? - January 3, 2023
- Why does DKIM fail? - January 2, 2023