How do DKIM and DMARC affect email deliverability?

Victor Minev May 27 2021 Share

Who cares?

Many mail hosts, local and global, large and small, urge senders to set up DKIM and DMARC as soon as possible. Combine that with the public adoption of these email authentication systems by almost all the major global ISPs (and offering their clients with the ability to set them up, backed by numerous knowledge-base articles) and you can be certain this is something ISPs monitor very rigorously in the inbound traffic they process.

DKIM and DMARC

DKIM (DomainKeys Identified Mail) is an email authentication protocol that serves as a way to prove cryptographically that an email comes from the owner of the domain it claims to be sent from, and that its contents have not been tampered with. This is achieved by a combination of a unique private signature attached to the email, and a public key available on the sending domain. When the email is received, the recipient server verifies the value of that private signature against the public key and ascertains whether the check passes or fails.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is another email authentication protocol that serves several purposes. Firstly, it aligns two other main email authentication protocols – SPF and DKIM, the results of which don’t otherwise ‘connect’ or work together. If one or more checks fail then it instructs the recipient server to do one of the following:

  1. Do nothing
  2. Send the email to the spam folder/quarantine, or
  3. Directly reject the email

Secondly, it asks for feedback from recipient servers as to how the sending domain is being used (i.e. who and when tried to use the sending domain).

DKIM and DMARC vs delivery and deliverability

Every now and then someone makes the bold claim they’ve found the holy grail of email deliverability. In reality there is no silver bullet, there is no definitive set of actions we can take as email senders that would ensure top email deliverability 100% of the time. 

The primary reason for that is nested within the complex and unique structure of each receiving email server and the extreme variations they have when processing inbound email traffic. Each has its own set of complex algorithms that takes into account various factors when deciding whether or not to accept an email and where to place it afterwards. Let’s examine the factors.

Industry standards

Herein lies the first benefit of DKIM and DMARC for email deliverability; both protocols are industry standards and all reputable email receivers take their presence (and the results of the checks associated with them) into account when assessing email. Using DKIM and DMARC signals to other servers that you have reached a minimum degree of quallity in your mailops. The goal of these technologies is to verify your identity as the sender, and that the contents of your messages are genuine (i.e. haven’t been altered in transit). And that’s very important to recipient mailservers working to protect their users from illegitimate mail.

Alignment

The next benefit which is sometimes underestimated by senders is the alignment of the sending domains that comes as a result of a properly implemented DMARC record. While this might not seem important at first, when we remember the complexity and variety of email servers, we can confidently assume that they look at every single aspect of our mailserver profile and configuration. Going the extra mile to make sure the domains referenced within an email’s friendly From, return-path, and DKIM domain in our emails all match, gets rewarded by the algorithms.

Public reputation and brand

A somewhat neglected positive effect of DMARC on deliverability is the public indication that the sender cares about their email reputation and their brand and has taken an extra step to make sure they’re well protected. Simply put – having a DMARC record (and especially deploying it correctly and incrementally moving towards enforcement) indicates clearly to receivers that you’re paying attention to all the little details that are related to your sending profile.

Don’t enforce directly

Another very important thing to consider is how you deploy DMARC, and the disastrous effect a poorly deployed record could have on your entire sending. In other words – it’s always a good idea to start slow (at p=none), observe the results of your sending, identify your vendors (sources through which you send emails), align the identifiers – and then move to enforcement (p=quarantine and then p=reject). Otherwise if you move directly to p=quarantine or p=reject, you risk having important messages directly blocked or put in the spam folder if your underlying authentication and sending isn’t set up correctly and it fails – don’t shoot yourself in the foot!

DMARC and DKIM for Deliverability and more

As we’ve seen DMARC and DKIM have a major impact on deliverability, and for that reason alone it’s worth taking time to configure them correctly. As free and Open Source software for DMARC and DKIM are available for all major mailservers, there’s no reason not to do so.

DMARC and DKIM testing and monitoring

Want to check DMARC and DKIM are set up correctly? Lightmeter is the mailops control center for Postfix, and soon it will add DMARC and DKIM monitoring to the list of real-time health checks it already provides. It’s free and Open Source, and supported by the same organisation which enabled OpenDKIM and OpenDMARC. Download Lightmeter Now.

Leave a Reply

Your email address will not be published.