Why monitor DMARC compliance? DKIM Compliance Changes

DKIM is an important part of DMARC compliance and your email delivery reputation. DKIM allows you to cryptographically sign your outbound email, taking ownership of the email you send out: in a sense, binding your email to your reputation. If your DKIM compliance suddenly drops, it could reduce acceptance of your email or move your email from the Inbox to the Junk folder.

The Issues

DKIM is by nature and design a bit finicky. The signature is encrypted using the message itself. Changes to the message after the initial send, either via forwarding or a separate gateway or other alteration of the message breaks the signature. Forwarding is the most common reason for a message to fail DKIM checks. Since forwarding is fairly common, you should expect to always have a less than perfect DKIM pass rate, however, properly configured SPF records should ensure DMARC compliance.

Another potential issue is also a maintenance requirement: rotating keys and/or selectors. It’s a best practice to modify security codes regularly to prevent malicious actors from having access to systems if existing codes get into the wild. When you change them, there is however, the potential to omit a sender or DNS record. In addition, there is potential for slow DNS propagation. This could result in a higher-than-normal DKIM failure rate.

A common issue with 3rd party senders is the use of their own DKIM domain. In this case, the sender does not support using your sending domain and DKIM signatures but only their own. Email from these senders will pass SPF checks if properly included in your SPF record but fail DKIM alignment.

Remedies

To detect and understand these and other potential DKIM issues, you must be monitoring changes to your SPF, DKIM and DMARC compliance rates through DMARC reporting. If you have significant email volume, this is impossible to do without a tool that aggregates your DMARC reports from multiple inbox providers to get a complete picture of your email.

How does MxToolbox Help?

 MxToolbox Delivery Center provides everything you need to manage and maintain DMARC compliance rates to maintain a solid email delivery reputation, including:

  • Setup SPF, DKIM and DMARC for your Domain
  • Carefully migrate to a DMARC Reject policy
  • Setup your BIMI record
  • Verify compatibility of your SVG image
  • Monitor your certificates for expiration
  • Manage the on-going changes to the DMARC, SPF, DKIM and BIMI standards

If this sounds complicated, MxToolbox also offers Managed Services team that can help you setup DMARC, DKIM, SPF, BIMI and get your domain aligned with Google, Yahoo! and Outlook.com bulk sender policies.