SOLVED: A Simple Explanation of Email Security with DKIM and DMARC

A long time ago, when the earth was green and everyone was good, email was sent in plain text from the sender's outbox to their mail server, then to the recipient's mail server, then to the recipient's inbox, and all was happy.

Unfortunately, scumbag hackers and thieves decided to take advantage of this lack of security, and so a great number of new email security features were developed in the early 2000s. DKIM and DMARC are two of those very important security features that EVERY company with a mail server should have configured by now.

Are DKIM and DMARC Required?


If you’re reading that statement and thinking that DKIM and DMARC are optional, you are correct, although more and more mail servers will refuse to accept email from domains that do not have DKIM and/or DMARC DNS entries.

Let’s explain these two important email security features in simple terms:

What is DMARC?

DMARC is a simple text record in DNS that lets everyone in the world know which servers are authorized to send email from your domain, and what a receiving server should do with mail that fails that check. (Under the hood, DMARC builds on two older checks, SPF and DKIM: a message passes DMARC when at least one of them succeeds for the domain in the From: address.)

Let’s say you own abcd.com and you have created a DMARC DNS record which states only GoDaddy email servers can send email FROM your domain (i.e. you are using GoDaddy as your mail server). What happens if some scumbag hacker thief in Russia spoofs your email address (i.e. JohnnyBeGood@abcd.com)? Most email servers in the world will receive that email, check your DMARC DNS record, and find that the sending email server is not authorized to send abcd.com email. Your DMARC DNS entry will tell the receiving mail server to send such spoofed messages to either the recipient’s quarantine or their junk folder.

In practice, many organizations start with a “Quarantine” policy and gradually move to “Reject” as they gain confidence in their email authentication setup.

In case you care, DMARC is an acronym for “Domain-based Message Authentication, Reporting & Conformance”.

What Does a DMARC DNS Entry Look Like?

Here is an example of what a DMARC record might look like for a fictitious domain named abcd.com:

_dmarc.abcd.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@abcd.com; ruf=mailto:dmarc-failures@abcd.com; pct=100; sp=none"

And this is what it means:

  • _dmarc.abcd.com.: This is the subdomain used for the DMARC record
  • IN TXT: This indicates that the record is a TXT record
  • v=DMARC1: Specifies the version of DMARC being used, which is DMARC version 1
  • p=quarantine: This sets the policy for how to handle emails that fail DMARC checks. In this case, emails are sent to quarantine. Other possible values are none and reject
  • rua=mailto:dmarc-reports@abcd.com: This specifies the email address to receive aggregate reports about DMARC alignment
  • ruf=mailto:dmarc-failures@abcd.com: This specifies the email address to receive reports of individual message failures
  • pct=100: This indicates that the policy applies to 100% of emails. You can set this to a lower value to gradually implement DMARC
  • sp=none: This specifies the policy for subdomains. In this case, it is set to none, meaning no special handling for subdomain emails

This DMARC record would be published in the DNS settings for the domain abcd.com. It helps ensure that only authorized servers can send emails on behalf of abcd.com and provides a mechanism for reporting and handling potential email spoofing attempts.
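As an added example (not code from the original post), here is Python that parses the DMARC record above and then applies it the way a receiving mail server does. It assumes the receiver has already run the SPF and DKIM checks and passes in whether either one aligned with the From: domain; the random pct= draw is also passed in as a parameter so the outcome is reproducible.

```python
import random

# The record from this page, with the "_dmarc.abcd.com. IN TXT" wrapper removed.
DMARC_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@abcd.com; "
                "ruf=mailto:dmarc-failures@abcd.com; pct=100; sp=none")

POLICIES = ("none", "quarantine", "reject")


def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}


def parse_dmarc(record):
    """Validate the tags a receiver relies on and fill in the RFC 7489 defaults."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("v=DMARC1 tag missing")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("sp", tags["p"])      # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")
    if not 0 <= int(tags["pct"]) <= 100:
        raise ValueError("pct= must be between 0 and 100")
    return tags


def dmarc_disposition(tags, spf_aligned, dkim_aligned, is_subdomain, draw=None):
    """Return 'pass', or the action (none/quarantine/reject) for a failing message.

    spf_aligned / dkim_aligned: did SPF or DKIM pass for the From: domain?
    draw: the receiver's random 1..100 sample used for pct=; None picks one."""
    if spf_aligned or dkim_aligned:       # DMARC passes if either check aligns
        return "pass"
    policy = tags["sp"] if is_subdomain else tags["p"]
    if draw is None:
        draw = random.randint(1, 100)
    if draw > int(tags["pct"]):           # message falls outside the pct= sample:
        # RFC 7489 says to apply the next less severe policy instead
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    rec = parse_dmarc(DMARC_RECORD)
    print("spoofed abcd.com mail  ->", dmarc_disposition(rec, False, False, False))
    print("spoofed sub.abcd.com   ->", dmarc_disposition(rec, False, False, True))
    print("mail sent via GoDaddy  ->", dmarc_disposition(rec, True, False, False))
```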


What is DKIM?

DKIM is another simple DNS entry, paired with a signature added to each outgoing message, that ensures an email has not been modified while it is in transit from your computer to the recipient.

You might have heard that the Internet is a big place and so if you send an email it’s going to go through a lot of different servers and routers and gateways and firewalls and mail servers on its way to its destination. Any one of those could be programmed to modify the email and that would not be good.

When a mail server receives an email, it uses the public key published in the DNS entry to verify the DKIM signature carried in the email’s headers. If the signature does not verify, it means the email has been modified (or was never signed by the domain) and is likely not trustworthy.

Is DKIM Encryption?

DKIM (DomainKeys Identified Mail) is not encryption in the traditional sense. (We have a great little video on email encryption with M365 HERE, if you are interested in that). It just provides a way to verify the integrity and authenticity of an email. Here’s how it works:

  • Digital Signature: When an email is sent, DKIM adds a digital signature to the email headers. This signature is created using the sending domain’s private key
  • Public Key Verification: The receiving mail server retrieves the public key from the DKIM DNS record (like the example shown below) and uses it to verify the signature. If the signature matches, it confirms that the email has not been tampered with and is indeed from the authorized domain
  • Integrity Check: This process ensures that the content of the email (both headers and body) has remained unchanged from when it was signed by the sender’s mail server

In summary, while DKIM does involve cryptographic techniques, it’s primarily focused on verifying the integrity and authenticity of emails rather than encrypting the email content itself.

What Does a DKIM DNS Entry Look Like?

Here is an example of what a DKIM record might look like for a fictitious domain named abcd.com:

default._domainkey.abcd.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbTnVGjl4Ry86VsIRfl6jmL2yH7M29TYbW0nVF7gphmb0VIb7bcEZ/f2UqMQ6Lx8NePzm4R7BvD03NrH6cOFOO2K7gNZk0efkMf/vpZuS9RShR3aOQNGZlZJ1JGbLL9QkJa1/WXNivE2Is9NmYnQHnYVFE44IFN8Y9rKZKJcYrN/Cl/U5dcvln9frV/k06aTL5HgAXdrKvJ3K7Bp0XwkkjEghLT0/xCZj+PRsXk+FZ/mFQIDAQAB"

And here is what the mess of text means:

  • default._domainkey.abcd.com.: This is the subdomain used for the DKIM record. The “default” is the selector, which helps identify which key is being used
  • IN TXT: This indicates that this record is a TXT record
  • v=DKIM1: Specifies the version of DKIM being used, which is DKIM version 1
  • k=rsa: Indicates that the key type used for the DKIM signature is RSA
  • p=MIIBIjANBgkqhki…IDAQAB: This is the public key used to verify the digital signature in the email. The public key is a long string of characters

This DKIM record would be published in the DNS settings for the domain abcd.com. When an email is sent from abcd.com, the DKIM signature is included in the email headers, and the receiving mail server can use this public key to verify the email’s authenticity and integrity.
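As an added example (not the post's own code), the Python below does two things a verifier does with DKIM: it sanity-checks the key record above (decoding p= and reading the DER header of the public key) and it computes the bh= body hash using the RFC 6376 “relaxed” canonicalization, so you can see that a changed body produces a different hash while harmless whitespace differences do not. Checking the RSA signature itself needs an RSA library and is not shown here.

```python
import base64
import hashlib
import re

# The key record from this page (selector "default", domain abcd.com), wrapper removed.
DKIM_RECORD = ("v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbTnVGjl4Ry86VsIRfl6jmL2yH7M29TYbW0nVF7gphmb0VIb7bcEZ/f2UqMQ6Lx8NePzm4R7BvD03NrH6cOFOO2K7gNZk0efkMf/vpZuS9RShR3aOQNGZlZJ1JGbLL9QkJa1/WXNivE2Is9NmYnQHnYVFE44IFN8Y9rKZKJcYrN/Cl/U5dcvln9frV/k06aTL5HgAXdrKvJ3K7Bp0XwkkjEghLT0/xCZj+PRsXk+FZ/mFQIDAQAB")


def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}


def der_declared_length(der):
    """Total size the leading DER SEQUENCE header claims (tag + length + content)."""
    if not der or der[0] != 0x30:
        raise ValueError("p= does not decode to a DER SubjectPublicKeyInfo")
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_dkim_key_record(record):
    """Checks a verifier makes before trusting a selector._domainkey public key."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        raise ValueError("unsupported DKIM key version")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa keys are handled here")
    p = tags.get("p", "")
    if not p:                              # an empty p= means the key was revoked
        raise ValueError("revoked key")
    der = base64.b64decode(p + "=" * (-len(p) % 4))
    # A key that lost characters when pasted into DNS decodes shorter than declared.
    return {"key_bytes": len(der), "complete": len(der) == der_declared_length(der)}


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace,
    drop trailing whitespace on each line and drop empty lines at the end."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body):
    """The bh= value a signer places in the DKIM-Signature header for a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
```

Run against the record above, check_dkim_key_record reports complete=False: the base64 decodes to fewer bytes than its DER header announces, which is exactly what a real key that was truncated while being pasted into DNS looks like, and a common reason DKIM verification fails.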


Published by
Ian Matthews