DEV Community: getdmarcly

How to Receive DMARC Reports: DMARC Reporting Setup Guide

getdmarcly — Thu, 12 May 2022 09:16:47 +0000

DMARC reports on the current status of your email authentication program by sending DMARC reports to the specified mailboxes. We will go over how to set up DMARC reporting to receive DMARC reports in this post.

When you publish a DMARC record in the DNS, not only can you specify the policy which instructs email servers how to dispose of unauthenticated emails, but also you can request mailbox providers to send DMARC reports via the rua and ruf tags.

These reports contain information about your email streams or even individual email messages, which provides you with insights into the authentication statuses of your email streams. You should keep monitoring such information to properly authenticate all your legitimate email streams.

A typical DMARC reporting scenario

First things first, let's take a look at the parties involved in a typical DMARC reporting scenario: brand, ESP, mailbox provider, and report recipient.

The brand is the owner of the domain on which one implements DMARC to monitor the email authentication status. For example, if a company called AcmeCorp and it owns acmecorp.com, AcmeCorp is the brand.

The ESP (Email Service Provider) provides an email delivery service through which the brand can send emails to its customers, partners, etc. For example, SendGrid is an ESP used by AcmeCorp to deliver emails.

The mailbox provider hosts mailboxes for email end users. For example, Gmail, as a mailbox provider, hosts over 1 billion mailboxes for its whopping user base. Email messages from ESPs are delivered and saved in mailboxes and end users can view them later.

The report recipient is the email address that the DMARC reporting emails will be sent to. The brand can choose an arbitrary email address as long as it's accessible to the brand. The brand's IT administrator will download and analyze the reports attached to the DMARC reporting emails.

The scenario is illustrated below:

To string things together, picture this:

AcmeCorp's IT administrator Adam publishes a DMARC record on domain acmecorp.com.
The DMARC record points the rua (and possible ruf) tag to the email address reports@acmecorp.org.
AcmeCorp (and possibly scammers) sends tons of business emails via domain acmecorp.com to its customers everyday.
Mailbox providers like Gmail send DMARC reports on these business emails to reports@acmecorp.org as requested.

2 types of DMARC reports

DMARC supports 2 types of reports: aggregate reports and failure (forensic) reports. These 2 reports serve different purposes.

Aggregate reports contain information about groups of email messages, including:

source IP;
organization that sent the report;
SPF domain;
SPF outcome: pass or fail;
SPF authentication result: none, neutral, pass, fail, softfail, temperror, or permerror;
DKIM domain;
DKIM outcome: pass or fail;
DKIM authentication result: none, neutral, pass, fail, policy, temperror, permerror;
disposition: none, quarantine, or reject;
sent date.

For the most part, aggregate reports are used to analyze the authentication statuses of email streams and reach a full DMARC implementation (p=reject).

Failure (forensic) reports contain all the information about individual email messages, including:

arrival date;
source IP;
from;
to;
subject;
content;

and more...

As you can see, failure reports contain Personally Identifiable Information (PII). Due to privacy concerns , many mailbox providers including Gmail have dropped support for DMARC failure reports. As a result, only a few mailbox providers still send failure reports, including LinkedIn and 163.com. Keep this in mind when you are not receiving failure reports as expected.

Request to send aggregate reports

Requesting mailbox providers to send DMARC aggregate reports to your specified email addresses is a straightforward process. It's nothing more than specifying an email address in the rua tag of your DMARC record.

For example, if you want to request that aggregate reports be sent to an email address that you have access to: aggregate_reports@reporting.org, you can publish a DMARC record like this:

v=DMARC1; p=none; rua=mailto:aggregate_reports@reporting.org;

Request to send failure reports

Similar to requesting for aggregate reports, you can request to send failure reports to an arbitrary email address accessible to you.

For example, if you want to request that failure reports be sent to: failure_reports@reporting.org, you can add a ruf tag with that email to your DMARC record:

v=DMARC1; p=none; rua=mailto:aggregate_reports@reporting.org; ruf=mailto:failure_reports@reporting.org;

Set up External Destination Verification (EDV)

In the discussion above, I assume you own reporting.org, therefore it's completely legitimate for you to request to send reports to an email address on that domain. However, what if someone with malicious intent outside your organization requests to send DMARC reports to aggregate_reports@reporting.org? Wouldn't that spam your mailbox allocated for receiving your own DMARC reports?

The answer is yes. This is why DMARC won't send reports until the owners of the domains specified in rua and ruf tags have explicitly granted permissions.

To learn how to set up EDV, refer to: Why Am I Not Receiving DMARC Aggregate or Forensic Reports?

DMARC reporting interval

You can request DMARC to send reports at a certain interval via the optional ri tag. The value of the ri tag is in seconds.

For example, the following DMARC record requests to send reports every 86400 seconds, which is 24 hours:

v=DMARC1; p=none; rua=mailto:aggregate_reports@reporting.org; ruf=mailto:failure_reports@reporting.org; ri=86400;

Note that not all mailbox providers honor requests with intervals shorter than 86400 seconds. If you specify an interval value under 86400, it's possible that the value is ignored and aggregate reports are sent daily instead.

Set up mailboxes for incoming DMARC reports

There are a couple of ways to prepare mailboxes for receiving DMARC reports. You can choose the one that works the best for you:

use DMARCLY's auto-generated mailboxes; this is the simplest method as it handles the downloading, parsing and rendering of DMARC reports for you as well. Sign up to use DMARCLY's mailboxes;
use your own mailboxes; you will need to maintain your own mailboxes and handle report downloading, parsing and rendering.

Troubleshooting

If you've set up DMARC reporting, and are not receiving reports after a few days, you might need to check your DMARC implementation.

Check out this post Why Am I Not Receiving DMARC Aggregate or Forensic Reports? on how to troubleshoot DMARC reporting issues.

Original post: How to Receive DMARC Reports: DMARC Reporting Setup Guide

Everything about a DMARC Record

getdmarcly — Thu, 12 May 2022 09:00:10 +0000

A DMARC record lies at the center of every DMARC implementation, bearing crucial importance for the ultimate success of the implementation. In this post, we are going to take a deep dive into DMARC records.

What is a DMARC record?

A DMARC record is a TXT record published in the DNS on your domain, under dmarc.yourdomain.com, where “yourdomain.com” is your actual domain or subdomain. It tells the email receiver what to do when an email message fails DMARC authentication, and also where to send reports on email delivery statistics.

A DMARC record consists of a list of DMARC tags. Each tag is a pair of key/value separated by =.The table below shows what each tag possibly found in a DMARC record means:

v: DMARC protocol version. The default is "DMARC1";
p: Apply this policy to emails that fail the DMARC check. This policy can be set to 'none', 'quarantine', or 'reject'. 'none' is used to collect the DMARC report and gain insight into the current emailflows and their status;
rua: A list of URIs for email service providers to send aggregate reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.com';
ruf: A list of URIs for ISPs to send forensic reports to. NOTE: this is not a list of email addresses. DMARC requires a list of URIs of the form 'mailto:test@example.org';
sp: This policy should be applied to email from a subdomain of this domain that fail the DMARC check. Using this tag domain owners can publish a 'wildcard' policy for all subdomains;
fo: Forensic options. Allowed values: '0' to generate reports if both DKIM and SPF fail, '1' to generate reports if either DKIM or SPF fails to produce a DMARC pass result, 'd' to generate report if DKIM has failed or 's' if SPF failed;
rf: The reporting format for forensic reports;
pct: The percentage tag instructs ISPs to only apply the DMARC policy to a percentage of failing email's. 'pct = 50' will tell receivers to only apply the 'p = ' policy 50% of the time against email's that fail the DMARC check. NOTE: this will not work for the 'none' policy, but only for 'quarantine' or 'reject' policies;
adkim: Specifies the 'Alignment Mode' for DKIM signatures, this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode also authenticated DKIM signing domains (d=) that share a Organizational Domain with an emails From domain will pass the DMARC check. In Strict mode an exact match is required;
aspf: Specifies the 'Alignment Mode' for SPF, this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode also authenticated SPF domains that share a Organizational Domain with an emails From domain will pass the DMARC check. In Strict mode an exact match is required;
ri: The reporting interval for how often you'd like to receive aggregate XML reports. This is a preference and ISPs could (and most likely will) send the report on different intervals (normally this will be daily).

DMARC record VS DMARC policy

A DMARC policy is an important part of a DMARC record: it's the value of the p= tag in the record. It specifies how an ESP (Email Service Provider) like Gmail should handle an incoming email message if it fails DMARC authentication. There are 3 options: none (monitor), quarantine, and reject, with each one representing a different level of protection against spoofing.

DMARC record examples

Here are a few DMARC record examples:

v=DMARC1; p=none; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to monitoring mode (p=none), which allows you to monitor email delivery, without sending failed emails to spam or rejecting them; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com;
v=DMARC1; p=quarantine; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to quarantine mode (p=quarantine), which allows you to monitor email delivery, and sends emails that fail DMARC authentication to spam; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com;
v=DMARC1; p=reject; rua=mailto:5b18acdef12f1@ag.dmarcly.com; this DMARC record sets DMARC policy to reject mode (p=reject), which allows you to monitor email delivery, and rejects emails that fail DMARC authentication; also, sends aggregate reports to 5b18acdef12f1@ag.dmarcly.com. This DMARC record offers complete email protection against spoofing.

How is a DMARC record used?

There are 2 aspects when a DMARC record is put to use: publishing and checking. The publishing part happens on the domain owner side, while the checking part happens on the ESP side.

At implementation time, the domain owner publishes a DMARC record to the DNS, with DMARC tags appropriately set up. Each time the ESP receives an email, it looks up the DNS for the DMARC record, if any, and enforces the policy per the DMARC authentication result.

Together, the domain owner and ESP work towards an ultimate reject DMARC policy, where any email that fails DMARC authentication is rejected.

How to generate a DMARC record?

There are 2 ways to generate a DMARC record: manually and using a DMARC record generator.

If you are generating a DMARC record manually, you can use any text editor to create the record. 3 tags are essential: v, p, and rua. The v tag must be DMARC1. Depending on the phase of your DMARC implementation, p can be none, quarantine, or reject. Finally you can specify the mailbox of your choice using rua.

Using a tool like DMARC record generator, it's easier and less error-prone. Enter the settings like policy, aggregate email address, etc. and click the Generate DMARC Record button, like this:

A DMARC record will be generated instantly. If you make changes to the settings, make sure to generate the DMARC record again, so that it can be updated.

How to publish a DMARC record?

After a DMARC record is generated, you need to publish it to the DNS, so that the ESP can pick the DMARC record up and enforce it.

To do so, log in to your DNS management console, choose the domain you need to publish the DMARC record on, e.g., mydomain.com.

Create a TXT entry on mydomain.com with these settings:

Type: TXT
Host: _dmarc
TXT Value: (DMARC record generated above)
TTL: 1 hour

For example, here is what it looks like in GoDaddy's DNS management console:

If you are using CloudFlare, here is what it looks like:

How to check a DMARC record?

After published, it takes up to 1 hour for the DMARC record to become accessible (usually much faster though). You can then use our DMARC checker to confirm that you have published the DMARC record successfully: DMARC Checker.

Use modern DMARC software to automate DMARC report analysis

A few days into the deployment, you should be receiving DMARC aggregate reports in your mailbox. At this point, it's time to parse and analyze the reports to check if your email flow is set up correctly or not. It's recommended that you use modern DMARC software like DMARCLY to automate the steps required for DMARC report analysis: setting up mailbox, downloading reports, parsing and rendering reports. Here is an example screenshot of rendered DMARC chart:

Using DMARCLY, all you need to do is to log in to the dashboard, and view the chart readily available. No doubt it's a big time-saver!

Original post: Everything about a DMARC Record

How to Check Email for Spam Using a Free Email Spam Checker?

getdmarcly — Thu, 12 May 2022 07:12:25 +0000

This post introduces a quick way to check for email spam by sending a test message to check@dmarcly.com.

Why is email spam checking important?

No matter how pretty your email template looks or how powerful your copy sounds, unless a significant portion of your messages land in the inbox, your campaign doesn't really matter.

A quick check on your email comes in handy in this case before you send the email blast to your audience. Such a check returns information about email authentication, IP blacklisting, spam score, etc. It helps give confidence that your email infrastructure is in good standing and your messages will probably land properly.

How to use the free email spam checker?

To use DMARCLY's free email spam checker, all it takes is to send an email message to check@dmarcly.com. After DMARCLY receives the message, it will perform an fairly comprehensive analysis of the message and send a report back to your email address.

In a matter of minutes (usually seconds), you will find the report in your inbox. Just open the email and make sure everything looks OK to you.

An example email spam check report looks like this:

Email spam report analysis

Here is a breakdown of the above email spam check report.

The report consists of a few sections covering email authentication, BIMI, MTA-STS, IP blacklists, and spam score.

The email authentication sections, including DMARC, DKIM, and SPF indicate if your email authentication settings are correct and if your test email message was properly authenticated on the receiving server.

Refer to this post on how to set up email authentication: How to Implement DMARC/DKIM/SPF.

The BIMI section shows if you have BIMI set up on your domain. BIMI helps improves your click through rates (CTR) by displaying your brand logo next to your email messages.

Learn more about BIMI here: What is BIMI?

The MTA-STS/TLS-RPT section indicates if you have MTA-STS set up on your email domain. MTA-STS helps mitigate MiTM attacks by dictating that email servers that support MTA-STS will not send emails to their domain via an unencrypted connection.

Learn more about MTA-STS/TLS-RPT here: How to Set Up MTA-STS and TLS Reporting?

The IP blacklisting section indicates if your sending IP address is blacklisted by any of these mainstream blacklists: Spamhaus ZEN, SpamCop Blocking List, Barracuda Reputation Block List, and Passive Spam Block List.

The spam score section shows the spam score returned by SpamAssassin, a popular email spam filter. Any email message with a spam score above 5 is considered spam, otherwise not.

Original post: How to Check Email for Spam Using a Free Email Spam Checker?

No Auth, No Entry: Don't Let Your Email Go to Spam or Be Rejected

getdmarcly — Thu, 12 May 2022 00:55:45 +0000

"No auth, no entry" is a catchy phrase commonly used in the email industry to mean an email won't be considered for delivery unless it's properly authenticated. "auth" here means email authentication based on modern email authentication technologies like SPF, DKIM, and DMARC.

That's is to say, if your email is not authenticated, it will either go to spam or be rejected outright.

What is email authentication

Email authentication is a DNS-based mechanism that allows the receiving email server to check if an email is actually from where it claims to have originated from. For example, if an email claims to have originated from (From address: joe@example.com) the domain example.com, AKA sender domain, with email authentication properly implemented, the receiving email server will be able to verify one of the following:

the email is from one of the in-house email servers at example.com;
the email is from one of the 3rd-party email servers authorized by example.com's administrator to deliver emails on behalf of example.com.

If either one of the above is true, we say the email passes email authentication; otherwise it fails.

Email authentication can effectively prevent or stop email spoofing, a commonly used vehicle to initiate email-borne attacks like email phishing, business email compromise (BEC), malware, etc.

Some email service providers (ESPs) like Gmail put unauthenticated emails in spam by default; while Microsoft Office 365 takes a step even further: they block email sender domains automatically if they fail DMARC authentication.

The Antispam policy allows administrators to “Allow” domains regardless of the reputation of the domain. We’re changing our policies to not honor Allow rules when the domain fails authentication.

— Microsoft Office 365, April 2020

Learn more about this rollout.

Benefits of implementing email authentication

As "no auth, no entry" indicates, email service providers are increasingly using email authentication technologies to verify that an email is really from the claimed source before even considering it for inbox placement.

If an email fails both the SPF and DKIM checks, it probably goes to spam or rejected outright, depending on your DMARC settings or the email service provider's policy. Either way, the intended recipient is unlikely to open and read it.

Plus, if your sender domain is not protected by a DMARC p=quarantine or p=reject policy, chances are good that your domain is spoofed. A spoofed sender domain usually has a low sender reputation which results from low engagement rates. Consequently, even legitimate emails sent from your domain might end up going to spam due to the low sender reputation.

Therefore, your best bet is to implement full email authentication using SPF, DKIM, and DMARC to fight off malicious email spoofing attacks, and improve deliverability for legitimate emails.

How to implement email authentication

Implementing email authentication involves 2 things:

set up SPF and DKIM for your email domain; here are a few tutorials for common email delivery services:
set up DMARC monitoring to ensure all legitimate email streams are authorized, and authorize new email streams as they come in; here is a 5-minute guide:
- How To Set Up DMARC In 3 Easy Steps

To relieve the burden of having to receive and parse DMARC reports everyday, you can use a dedicated DMARC monitoring service to ensure that all your legitimate email streams are properly authenticated.

What is BIMI: BIMI Explained.

getdmarcly — Wed, 11 May 2022 12:00:06 +0000

This article explains what BIMI is, how to implement it to increase email credibility, boost engagement rate, and improve email deliverability and open rates.

What is BIMI?

BIMI, short for Brand Indicator for Message Identification, allows domain owners to coordinate with email clients to display brand logos next to authenticated email messages.

Why BIMI?

Without BIMI, email clients display a generic placeholder logo with brand initials. The recipient might have a hard time recognizing your brand without resorting to the brand name.

However, with BIMI implemented, the brand logo is displayed next to your email message, boosting brand awareness.

A comparison between email message without BIMI enabled and with BIMI enabled can be see from below:

As you can see from the illustration, on the left where BIMI is not enabled, a generic logo is displayed, which is not very interesting. However, on the right where BIMI is enabled, a brand logo appears next to the email message, instantly boosting trust and invites the recipient to open the message.

Here is what an email message with a trusted brand logo looks like, when BIMI is enabled:

In contrast, an email message sent from a domain without BIMI implemented displays no brand logo:

Obviously, BIMI helps build/increase brand awareness and user trust, and consequently boosts engagement rate, which ultimately improves email deliverability.

Prerequisites for BIMI

Since brand logos are displayed only for authenticated messages, you need to set up SPF, DKIM and DMARC first.

To set up SPF, DKIM and DMARC on your domain, refer to our ultimate guide.

In addition, make sure your DMARC policy is either p=quarantine or p=reject.

Once these requirements are met, you can proceed to implement BIMI.

How to implement BIMI?

Implementing BIMI on your domain takes these steps:

register a trademark for the brand logo;
buy a Verified Mark Certificate (VMC);
upload the VMC to your server;
upload your brand logo;
create a BIMI record;
publish your BIMI record in the DNS;
check the BIMI record to ensure success.

We will walk through the steps in detail below.

1 Register a trademark for the brand logo

Some mailbox service providers like Gmail require a Verified Mark Certificate (VMC) for a BIMI implementation. Before you buy and set up a VMC though, you must register your brand logo as a trademark with an intellectual property office recognized by VMC issuers like DigiCert and Entrust.

You can search for your brand logo on this Brand Database run by World Intellectual Property Organization (WIPO).

2 Buy a VMC

Once your brand logo is registered as a trademark, you can navigate to one of the following VMC issuers' websites to acquire a VMC: DigiCert and Entrust.

During this process, you will need to submit an SVG file of your brand logo, and obtain a PEM file referencing the SVG file from the issuer service.

3 Upload the VMC to your server

After you obtain the PEM file from the Certificate Authority (CA) of your choice, you will need to upload it to your web server so that it becomes accessible to anyone.

Note that your web server must be secured with HTTPS, and the url to the PEM file must start with https://, otherwise it will fail.

As a result, you will get a url to the PEM file that looks like:

https://yourserver.com/vmc.pem

4 Upload your brand logo

Similar to the PEM file, you need to upload your brand logo, in SVG format, to a server so that it's accessible from anywhere.

As a result, you will get a url to the logo that looks like:

https://yourserver.com/logo.svg

We will need this url when creating a BIMI record in step 5.

5 Create a BIMI record

Similar to DMARC records, a BIMI record is a string that consists of multiple tags, separated by semicolons.

There are 2 mandatory tags in a BIMI record: v and l.

The v tag specifies the BIMI version. Currently it must be BIMI1.

The l tag specifies the logo url.

The a tag contains the url of the VMC PEM file. This tag is required by some mailbox service providers like Gmail.

Here is an example BIMI record that specifies the logo SVG and the PEM file uploaded:

v=BIMI1; l=https://yourserver.com/logo.svg;a=https://yourserver.com/vmc.pem

One thing to note here is that the content of the SVG that is referenced in the BIMI record should be identical to that of the SVG file that is referenced in your PEM file. Otherwise, BIMI can fail.

6 Publish your BIMI record in the DNS

A BIMI record is a TXT record published in the DNS at default._bimi.yourdomain.com.

A complete BIMI record in the DNS looks like this:

Record Type	Name	Value	TTL
TXT	default._bimi	v=BIMI1; l=https://yourserver.com/logo.svg;a=https://yourserver.com/vmc.pem	Default

7 Check the BIMI record

It's always a good idea to check the validity of your BIMI record after you publish it.

You can use our free BIMI record checker to check if the BIMI record has been published correctly on your domain. Simply enter your domain and hit the Check Domain button.

For example, checking BIMI on cnn.com returns:

If BIMI is set up, the checker will fetch the logo and display it, as shown above.

It can take up to 48 hours before BIMI displays your brand logo in the mailbox, if set up correctly.

That's it! You've successfully implemented BIMI on your domain.

Original post: What is BIMI: BIMI Explained.

What Is DKIM Selector and How Does It Work: DKIM Selector Explained

getdmarcly — Wed, 11 May 2022 08:53:47 +0000

In this article we will explain various concepts related to DKIM selectors: what are they, why do we need them, and how they work in DKIM authentication.

What is DKIM selector?

A DKIM selector, as indicated by the name, is a string used by the outgoing server to locate the private key to sign the email message, and by the receiving server to locate the public key in the DNS to verify the integrity of the email message.

Each time a private/public key pair is generated, a tuple { selector, private key, public key } is created, where the selector is used to locate the private key and the public key.

How to choose a DKIM selector?

A DKIM selector is specified when the user creates a private/public key pair with the email delivery service like SendGrid. It can be any arbitrary string.

How to find my DKIM selectors?

When asked for the DKIM selectors on a domain in DMARCLY like this:

you need to log in to your ESP dashboard to find them, as these are ESP specific.

For example, if you use Salesforce to deliver emails, you need to log in to their dashboard and find the DKIM selectors specified there.

Why do we need multiple DKIM selectors?

Multiple private/public key pairs are required due to the following reasons:

DKIM key rotation which we will explain in the next section;
setting up DKIM with multiple email delivery services on a single domain; each service can have their own separate selectors so that signing/verifying with one service doesn't interfere with that with another.

Each time an email message is sent/verified, only one key pair is used. This is where a DKIM selector comes into play: the DKIM selector is chosen by the signing server to locate (select) the public key in the key pair; and the receiving server uses the same selector to find the public key in the key pair.

How do DKIM selectors work in DKIM authentication?

Once the signing server has chosen the selector, the server uses it to find the private key only accessible to the server, to compute the signature. After the signature is computed, the DKIM selector is inserted into the email headers as an s= tag, then the email is sent.

For example, let's assume that the selector chosen by the signing server is s1, the tag will look like s=s1. Again the selector can be any arbitrarily chosen string like thisismyselector1234, as long as it points to a valid private/public key pair.

Here is a practical example of DKIM signature header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dmarcly.com; h=content-transfer-encoding:content-type:from:mime-version:subject: x-feedback-id:to; s=s1; bh=jCC0oQBCKfJ10bCI3PCG52Zwowyeh1haGJPACkWN9F4=; b=GzLBVZ0M1hMt1Y7hVT+ajaNrswTv+/FFVMrcaixD70hpTJwAmNwZUKJIzLslSC+iWHby 9gm+yfx6Z1qnXIL6qgBPnlZD4zwyK4D3Umd1je82jniuD7RJWYDqJH0zL+EevCDdoVZGmT IlxzZB6v95bws6539z/5qee+Xmu5KYe4Y=

The DKIM selector used in the above DKIM signature is s=s1.

When the email hits the receiving server, the server looks at the email headers to find the s= tag. If the tag is present, the server extracts the selector from the tag, then looks up the DNS for the public key at the following location:

s1._domainkey.example.com

If the public key is found, the server uses it to decrypt the message to check its integrity. If the check passes, DKIM authentication succeeds; otherwise it fails.

If no public key is found, DKIM authentication fails.

What is DKIM key rotation?

DKIM has proven to be a highly effective means by which a receiver can verify that the signed fields of an email have not been modified in transit. DKIM is as secure as the weakest link - the private key, though. The private key of a DKIM keypair is vulnerable to being stolen if an attacker is able to compromise the system in which it is stored. Therefore, to minimize the risk of active DKIM keys being compromised, they should be changed frequently. This is a practice known as DKIM key rotation.

Each time a key is rotated, a new {selector, private key, public key} tuple is created. Then the public key will need to be published in the DNS, and you need to re-configure the outgoing email server to use the new private key. After this is done, the outgoing email server will use the new private key to sign all outgoing email messages.

The old key should be kept for a period of 7 days, after which it can be safely removed. The reason for that is there might be some delay between when an email leaves the originating server and when it's accepted by the receiving server. Sometimes this delay can be as long as several days due to some temporary errors on the receiving server. For DKIM authentication to pass though, the receiving server must be able to find the public key in the DNS using the selector set in the email headers.

Note that manual DKIM key rotation is necessary only if you run your own email delivery service in-house. If you are using services like SendGrid, Office 365, or Google Workspace (formerly known as G Suite) to deliver emails, you don't have to do anything - DKIM key rotation is done automatically for you and is transparent to you.

DKIM selector VS DKIM record

If you use an email delivery service like SendGrid, it creates CNAME-typed DKIM records for you when you set up DKIM with them. A CNAME-typed DKIM record looks like this:

s1.domainkey.u5022280.wl431.sendgrid.net

You will need to publish such records in the DNS so that the receiving server has access to them. Note that the s1 part in the record above: it's the DKIM selector the receiving server uses to fetch the record for the public key, which is in turn used for DKIM authentication.

How to check DKIM record by DKIM selector

If you want to check if a DKIM record exists at a selector on a domain, you can use this free DKIM record checker.

Simply enter the domain you want to check and the selector, as shown below:

In this example, salesforce.com has a DKIM record of 1024 bits in length created at selector s1.

Refer to the DKIM RFC for more information: DKIM RFC6376.

Original post: What Is DKIM Selector and How Does It Work: DKIM Selector Explained

DKIM FAQs (Frequently Asked Questions)

getdmarcly — Wed, 11 May 2022 03:02:07 +0000

What is DKIM?

DKIM, which stands for DomainKeys Identified Mail, is an email authentication method designed to detect forged header fields and content in emails. DKIM enables the receiver to check if email headers and content have been altered in transit.

Why use DKIM?

DKIM enables the receiving email server to check if the email headers and content have been altered in transit. If that's true, a DKIM check will return the fail result, indicating the message's integrity has been compromised.

On the DMARC level, you can specify a p=reject policy to reject messages that have failed DKIM authentication (and SPF authentication). This way, you can prevent malicious emails from reaching your recipients' inboxes.

Who signs the email message?

The outgoing server that actually sends the email message by initiating an SMTP session does. It signs the message using a private key saved locally on the same machine.

How does DKIM signing work?

DKIM signing an email message on the originating email server involves these steps:

choose which header fields and/or body to be included in the data;
compute the hash sum of the data, including message headers and message body;
encrypt the hash sum with the private key. The result is called the "signature";
append a DKIM-Signature header containing the signature to the email.

Who verifies the email messages?

The receiving server of the email message does.

After the verification, it returns one of these results (possibly to a controlling module like DMARC): none, pass, fail, policy, neutral, temperror, and permerror.

How does DKIM verification work?

When the email reaches the destination, the receiver checks if a DKIM-Signature field exists in the header.

If a DKIM-signature field is found, the server verifies the authenticity of the email:

look up the DKIM record of the domain in the DNS, using the selector in DKIM-Signature specified by the s= tag;
if found, extract the public key which is part of the keypair from the record;
compute a hash sum using the algorithm specified by the a= tag, of the incoming data specified by the h= tag;
decrypt the signature with the public key to reveal the hash sum computed by the sender;
if hash sum in 4 is equal to hash sum in 3, it passes the check, meaning the message hasn't been tampered with; otherwise it fails.

Learn more about DKIM verification.

What if there are multiple DKIM signatures?

Multiple DKIM signatures can be found if an email message is forwarded. Learn more here.

How DKIM Works With Subdomains?

getdmarcly — Wed, 11 May 2022 02:57:47 +0000

We will go over how DKIM works with subdomains in this article.

How DKIM works in the subdomain scenario?

If you want to send an email from a subdomain, like bob@marketing.acmecorp.com, you will need to create a private/public key pair for DKIM, save the private key on the sending server, and publish the public key on the subdomain in the DNS so that it becomes accessible to the receiving server.

Before an email message leaves the sending server, the server uses the private key to generate a signature and insert it into the message along with the DKIM selector used for the signature.

After the receiving server receives the message, it extracts the subdomain and the DKIM selector from the message, uses them to fetch the public key from the DNS, then performs DKIM verification as in the domain scenario.

How to publish an DKIM record on a subdomain

Publishing an DKIM record on a subdomain is very similar to that on an organizational domain. All you need is to create a TXT record on that subdomain:

selector._domainkey.subdomain IN TXT    "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChO2bjcaTip6yeIZ0BDQ70YH+fzqqVeIOztZFQ8kZFqUSDwBhh3aad/3kGH95OQZyXCMv0DmrHa9z99c7p7VnOBtrZ6vkEv84kLabsNL//ABydUbxFT+8SSc0EJxXL6k9S3NEvbL+5rJGjcAtWMJSxj9rOZ79C8AoJEKVnk2m9awIDAQAB"

For example, here is how you publish the DKIM record under selector dkim on subdomain mail.dmarcly.com on CloudFlare:

Original post: How DKIM Works With Subdomains?

Can I Have Multiple DKIM Records on My Domain?

getdmarcly — Tue, 10 May 2022 11:49:41 +0000

Can you have multiple DKIM records on a single domain? The answer is yes, you can have as many DKIM records on your domain as allowed by your DNS provider.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. It is an email authentication method designed to detect forged header fields and content in emails. DKIM allows the receiving email server to check if email headers and content have been tampered with in transit.

DKIM is based on asymmetric cryptography, which uses pairs of keys: private keys which are known only to the sending server, and public keys which are published in the DNS and accessible to the receiving server.

Before leaving the outgoing email server, an email message is signed with the private key stashed on the server; upon arriving at the receiving server, the email message is checked by the server with the public key published in the DNS.

What is a DKIM record?

A DKIM record is a TXT record published in the DNS. It consists of a list of tags, one of which is the "p=" tag, which contains the public DKIM key.

Here is an example DKIM record:

k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnVgd0NyrRE261IIiPqi+0H1baNyKcdj8Kea/VlSP4exzvKx8pJ01EWMwd094FV/6OCBIf7KGKgowMnWl3tW3Z5G++uZHkdgF+6xg7b9PynmX/NTo2kx92hlGgegwyulF5B7d2FM0doaCeoO4rD05jZzwi3cXx/156Gg9Xwd/Z/QIDAQAB

The DKIM record above consists of a list of tags defining the parameters of the record. The p tag in the record specifies the base64 encoded public key, which is used by the receiving server to validate the DKIM signature.

A DKIM record can also be a CNAME record, in which case, it maps the CNAME record to a TXT-typed DKIM record.

For example, if you set up DKIM in SendGrid, it creates a CNAME-typed DKIM record which looks like:

s1.domainkey.uXXX.wlXXX.sendgrid.net

This record maps to a TXT-typed DKIM record:

k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnVgd0NyrRE261IIiPqi+0H1baNyKcdj8Kea/VlSP4exzvKx8pJ01EWMwd094FV/6OCBIf7KGKgowMnWl3tW3Z5G++uZHkdgF+6xg7b9PynmX/NTo2kx92hlGgegwyulF5B7d2FM0doaCeoO4rD05jZzwi3cXx/156Gg9Xwd/Z/QIDAQAB

All DKIM records on domain example.com exist on xxx._domainkey.example.com, with xxx being the DKIM selector, regardless of the record type.

What is a DKIM selector?

A DKIM selector is a string used to specify the location of the DKIM public key on a domain. The main purpose of DKIM selectors is to allow for multiple DKIM key pairs on the same organization's domain name.

For example, you can choose a selector "may10" and create a DKIM public key at that selector on domain "example.com":
may10._domainkey.example.com.

You can also choose another selector "july29" and create a DKIM public key at that selector on domain "example.com":
july29._domainkey.example.com.

To learn more about DKIM selectors, refer to: What is a DKIM selector.

Can I have multiple DKIM records on a single domain?

As mentioned in the previous section, multiple DKIM records on a single domain are made possible by creating multiple DKIM selectors on that domain, with each selector pointing to a DKIM record.

The possibility of having multiple DKIM records on a single domain is instrumental in the following scenarios:

An organization uses multiple email delivery services to send emails on behalf of a single domain, in which case, multiple DKIM selectors and private/public key pairs must be used to separate these services.

For example, if you authorize both SendGrid and Mailgun to send emails on behalf of your domain, you need to have at least one DKIM record for SendGrid and one for Mailgun. This way, the signing/verification servers of the two services can locate the their respective key pairs correctly.

If you are using only one email delivery service, having multiple selectors/key pairs is essential to a DKIM security mechanism called "DKIM key rotation". This is basically a process where the key pairs are updated periodically to lower the risk of the key pairs being compromised.

Learn more about this process in What is a DKIM selector.

Unlike SPF and DMARC, having multiple DKIM records on a single domain is not only possible, but oftentimes necessary.

Original post: Can I Have Multiple DKIM Records on My Domain?

Which Domains Send DMARC Forensic (Failure) Reports?

getdmarcly — Tue, 10 May 2022 10:17:33 +0000

As DMARC forensic (failure) reports leak Personally Identifiable Information (PII), many mainstream ESP's don't send forensic reports nowadays. As a result, you won't see any forensic reports in the DMARCLY dashboard if you don't send emails to any ESP that supports DMARC forensic reports.

Notably, Gmail and Office 365 don't send DMARC forensic reports.

List of domains that send DMARC forensic (failure) reports

Below is an incomplete list of the top domains that have sent DMARC forensic (failure) reports to us in the past:

linkedin.com
wrike.com
laposte.net
seznam.cz
163.com
emailsrvr.com
ing.com
clouduss.com
vestel.com.tr
dar.com
kfmc.med.sa
bankofsharjah.com
bcb.gov.br
icicibank.com
and more...

If you want to test the forensic report feature of DMARCLY, you can send an unauthenticated email to a mailbox hosted on one of the above domains like linkedin.com, you should see a forensic report appear in the dashboard shortly after.

Original post: Which Domains Send DMARC Forensic (Failure) Reports?

How To Set Up DMARC In 3 Easy Steps

getdmarcly — Tue, 10 May 2022 10:13:11 +0000

Contrary to popular belief, setting up DMARC to protect your company email is much easier than it seems. In this post, we will show you 3 easy steps to set up DMARC: generate, publish, and analyze, as illustrated below:

Step 1. Generate a DMARC record

A DMARC record is a TXT record to be published to the DNS to instruct the mailbox service provider how to handle an incoming email that fails authentication, depending on SPF and DKIM check results. Here is a more detailed explanation on this topic: Getting Started With DMARC. However, you are not required to fully understand it here in order to proceed.

To generate a DMARC record for your company domain to be protected, log in to the DMARCLY dashboard. Then go to: DNS Records -> Publish DMARC Record, simply copy the snippet highlighted on the page in orange. Here is a screenshot of an example snippet:

Step 2. Publish the DMARC record to DNS

Now you have the DMARC record, let's publish it to the DNS, so that it becomes accessible to email service provides to perform DMARC checks.

To do so, log in to your DNS management console, choose the domain you need to publish the DMARC record on, e.g., mydomain.com.

Create a TXT entry on mydomain.com with these settings:

Type: TXT
Host: _dmarc
TXT Value: (DMARC record generated above)
TTL: 1 hour

For example, here is what it looks like in GoDaddy's DNS management console:

It looks like below in Cloudflare:

After published, it takes up to 1 hour for the DMARC record to become accessible (usually much faster though). You can then use our tool to confirm that you have published it successfully: DMARC Checker.

Step 3. Analyze aggregate reports

Many email service providers send aggregate reports daily. This means you might get aggregate reports the day you publish the DMARC record.

However, it could take up to 72 hours before your first aggregate reports arrive. If you are not seeing any report after 72 hours, refer to this post for troubleshooting tips.

Once you've got the data, you need to use it to rectify your email streams.

Sparky! You have now set up DMARC for your domain.

Original post: How To Set Up DMARC In 3 Easy Steps

What is DMARC (Domain-based Message Authentication, Reporting & Conformance)?

getdmarcly — Tue, 10 May 2022 00:05:25 +0000

DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol to check if an email message really originates from where it claims to have, based on SPF and DKIM, another two email authentication protocols. In addition to email authentication, it also adds reporting capabilities, so that domain owners can examine email authentication statistics on their domains.

What's the purpose of DMARC?

The main purpose of DMARC is to prevent email spoofing and phishing. Email phishing has been a major security issue in recent years. Research shows that over 90 percent of network breaches start with a phishing email and almost 50 percent of cyberattacks targeting small businesses. Once a business falls victim to a security breach, many things are suddenly at risk: blemished brand reputation, intellectual property stolen, direct financial loss, etc.

DMARC is designed to be a strong line of defense against email spoofing and phishing. If properly implemented in the p=reject mode, DMARC can thwart all unauthenticated emails from the subject domain, while allowing all legitimate emails through.

How does DMARC work?

On a high level, there are two aspects in a typical DMARC implementation: DMARC record publication on the domain owner's end, and DMARC policy enforcement and reporting on the receiving email server's end. These two parts need to collaborate for DMARC to take effect.

On the domain owner's end, he publishes a DMARC record on the domain in the domain name system (DNS) with proper settings, mainly the DMARC policy and aggregate report recipient mailboxes. The DMARC policy has 3 options, indicating how the receiving email server should handle unauthenticated emails: none (monitoring), quarantine, and reject.

On the receiving email server's end, whenever an email that claims to have originated from that domain comes in, the server calls the DMARC module to check the email based on the connecting host's IP address, envelope from address, header from address, and the d= tag inside the DKIM signature if any. The result is called DMARC authentication result, which can be pass or failure. If the result is failure, the server consults the DMARC policy for the disposition of the email message. Here is how DMARC handles unauthenticated email messages:

none (monitoring): this is the monitoring mode, meaning nothing is done about unauthenticated email messages. This mode is mainly used to request DMARC aggregate reports, so that domain owners have a clear idea what the email streams on their domain look like;
quarantine: this is the quarantine mode, in which an unauthenticated email is placed in the spam folder; this is a more stringent mode than the monitoring mode, in that the end user does get some protection by moving the email from the inbox;
reject: this is the reject mode, which is the most stringent mode of all three. In the reject mode, any unauthenticated email is rejected outright in the SMTP session, therefore the email never hits the end user's mailbox, not even the spam folder. The result is that the end user will never see any unauthenticated email.

What does DMARC offer on top of SPF and DKIM?

DMARC works by evaluating SPF and DKIM authentication results. DMARC authentication result is pass when one of the following is true:

SPF authentication result is pass, and has SPF identifier alignment;
DKIM authentication result is pass, and has DKIM identifier alignment.

Note that there is the "identifier alignment" concept in both of the options above: DMARC introduces the identifier alignment concept to ensure that what the end user perceives as the email sender in his email agent is indeed authenticated. SPF by itself doesn't authenticate the header from address, neither does DKIM.

What's more, neither SPF nor DKIM has reporting capabilities built in, therefore, it's hard for implementers to know the percentages of authenticated and unauthenticated emails. This lack of reporting capabilities has hindered SPF and DKIM implementations in the past.

DMARC has reporting capabilities for both aggregate and forensic reports. DMARC aggregate reports contain aggregate statistics on email authentication, and are sent periodically to the designated mailbox specified by the rua tag in the DMARC record. DMARC forensic (failure) reports are sent almost immediately after an email fails authentication, to the mailbox specified by the ruf tag in the DMARC record. Please bear in mind though, only a few email service providers support forensic reports, while all mainstream email service providers now support aggregate reports.

How effective is DMARC?

In short, very effective. If properly implemented in the reject mode, DMARC should be 100% effective in rejecting spoofing emails on the subject domain, providing that neither SPF nor DKIM is compromised.

Should every business implement DMARC?

Most businesses nowadays haven't caught up on DMARC. They might have SPF or DKIM implemented, but not DMARC. This still leaves huge security loopholes for email spoofing/phishing, as neither SPF nor DKIM has identifier alignment.

If your business hasn't implemented DMARC, I suggest that you do so as soon as possible. Implementing DMARC is not hard. You can simply start by generating a DMARC record in the monitoring mode, and publish it in the DNS. Then you can check the aggregate reports to see how the email authentication statistics on your domain look like.

Once you are getting hang of it, move on to the quarantine mode, and ultimately to the reject mode for full protection.

Lock down your business domain tight. Don't let cyberattackers spoof it!

To get started with DMARC, you can read our complete guide to DMARC here: How to Implement DMARC/DKIM/SPF to Stop Email Spoofing/Phishing: The Definitive Guide.

Here are a few DMARC deployment tools you will find useful during your implementation: DMARC/DKIM/SPF deployment tools.

To get the quickest result possible, try this all-in-one, end-to-end SPF/DKIM/DMARC wizard.

Original post: What is DMARC (Domain-based Message Authentication, Reporting & Conformance)?