Email Security - Breaking Down DKIM & DMARC

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog post I want to cover DKIM & DMARC. Starting with DKIM: it allows senders to digitally sign outgoing messages and carry the signature in an email header. DKIM gives a receiver a way to authenticate the signed headers and body of a message and confirm they were not altered in transit. The sender's public keys are published in DNS TXT records.


DKIM adds a signature header (DKIM-Signature) to the message and secures it cryptographically: the signature is produced with the sending domain's private key. The receiving side uses the public key published for the domain in DNS to determine whether the email carries a valid DKIM signature. Technically, DKIM provides a method for validating a domain name identity associated with a message through cryptographic authentication.


Next I will cover the ESA (Cisco Email Security Appliance) DKIM components:


From the sender's perspective:

  • Configure DKIM keypair

  • Create a DKIM Signing Profile

  • Create and publish DKIM record

  • Enable DKIM signing in the mail flow policy

From the recipient's perspective:

  • Enable DKIM verification in the mail flow policy

  • Configure Content Filtering Conditions/Actions

  • Apply to Incoming Mail Policy

Understanding DKIM creation/verification is rather straightforward. A DKIM lookup combines the selector and the domain name from the signature (<selector>._domainkey.<domain>) to find the published DKIM key record. The ESA has a tool to aid in generating the DKIM key.
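To make the lookup and verification steps above concrete, here is an added example (my own code, not from the post or from the ESA) that parses a DKIM-Signature header and a DKIM key TXT record, builds the <selector>._domainkey.<domain> query name, and recomputes the body hash (bh=) of a received message the way a verifier does. The message body, the key record and the selector sel2024 are constructed for the example. Checking the b= signature itself needs an RSA library and the real public key, so only the body-integrity half of verification is shown.

```python
import base64
import hashlib
import re

# Constructed sample message body for this example (not a real message).
# Lines end in CRLF as they do on the wire; the extra blank lines at the end
# are there to show what "simple" body canonicalization does with them.
SAMPLE_BODY = "Hello team,\r\n\r\nPlease review the Q3 report.\r\n\r\n\r\n"

# Constructed DKIM public-key TXT record, as published at
# <selector>._domainkey.<domain>. The p= value is a placeholder, not a key.
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"


def parse_tag_list(value: str) -> dict:
    """Parse a DKIM tag=value list such as "v=1; a=rsa-sha256; d=example.com".

    The same syntax is used by the DKIM-Signature header and by the DNS key
    record. Whitespace inside values is dropped, which also undoes the header
    folding commonly seen in long b= and p= values.
    """
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_record_name(selector: str, domain: str) -> str:
    """Build the DNS name a verifier queries for the signer's public key:
    the s= (selector) and d= (signing domain) tags joined under _domainkey."""
    return f"{selector}._domainkey.{domain}"


def key_record_is_usable(txt: str) -> bool:
    """A key record must carry a non-empty p= tag; an empty p= means the key
    has been revoked. v= is optional but, if present, must be DKIM1."""
    tags = parse_tag_list(txt)
    if "v" in tags and tags["v"] != "DKIM1":
        return False
    return bool(tags.get("p"))


def canonicalize_body_simple(body: str) -> bytes:
    """"simple" body canonicalization: reduce any run of empty lines at the
    end of the body to a single CRLF, and make sure the body ends in CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body.encode("utf-8")


def body_hash(body: str) -> str:
    """Compute the bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(signature_header: str, body: str) -> bool:
    """Recompute the body hash of the received message and compare it with
    the bh= value the signer placed in DKIM-Signature. Any change to the
    body after signing makes this comparison fail."""
    tags = parse_tag_list(signature_header)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return False
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    if body_canon != "simple":
        return False  # relaxed body canonicalization is not implemented here
    return tags.get("bh") == body_hash(body)


# Constructed DKIM-Signature header for the sample body. bh= is computed here
# exactly as a signer would; b= is a placeholder because no private key is used.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;\r\n"
    "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    tags = parse_tag_list(SAMPLE_SIGNATURE)
    print("key lookup name:", dkim_record_name(tags["s"], tags["d"]))
    print("key record usable:", key_record_is_usable(SAMPLE_KEY_RECORD))
    print("body hash matches:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("after tampering:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("Q3", "Q4")))
```

Running it shows the lookup name sel2024._domainkey.example.com, a matching body hash for the untouched body, and a mismatch once a single character of the body is changed.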


Lastly, I will cover DMARC. Remember that DMARC builds on both SPF & DKIM. DMARC performs an additional SPF check against the Header From domain. It also ensures that the available identities are aligned, the identities being: HELO, Mail From, DKIM signing domain, and Header From. DMARC lets the domain owner specify a policy that tells receivers how to handle messages that fail these checks.


A published DMARC record basically serves two purposes:

  1. Tell the recipient server to either:

  • Do nothing with the message

  • Quarantine the message

  • Reject the message

  2. Send reports to an email address or addresses with data about all the messages seen from the domain

DMARC is another record in DNS, just like SPF/DKIM. There are a total of 11 tags that can be applied to a DMARC policy. Of those 11, the "v" and "p" tags are required, and the "rua" tag is strongly recommended as well in order to receive the reports.

  1. v = version

  2. p = policy (quarantine/reject/none)

  3. pct = percentage of email messages subject to filtering. For example, pct=100 means all of your company's emails will be filtered by the recipient

  4. rua = This optional tag is designed for reporting URI(s) for aggregate data. An rua example is rua=mailto:CUSTOMER@for.example.com.

  5. ruf = Like the rua tag, the ruf designation is an optional tag. It lists the addresses to which message-specific forensic information is to be reported

  6. fo = pertains to how forensic reports are created and presented to users

  7. aspf = represents alignment mode for SPF

  8. adkim = optional alignment mode for DKIM protocol

  9. rf = forensic reporting format

  10. ri = the aggregate reporting interval, i.e. how often DMARC feedback is sent

  11. sp = represents the requested handling policy for subdomains

An example is as follows:

_dmarc.google.com IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com"

"v=DMARC1" = version

"p=reject" = failure policy

"rua=mailto:mailauth-reports@google.com" = aggregate reports URI (a mailto: URI, as in the rua tag described above)


The DMARC operation overview is as follows:

Sender point of view:

  • Publish SPF DNS TXT record

  • Publish DKIM DNS TXT record

  • Publish DMARC DNS TXT record

  • Prepare outgoing message

  • Insert DKIM-Signature

Recipient point of view:

  • Check SPF

  • Check DKIM

  • Fetch DMARC Policy

  • Align Identifiers

  • Apply DMARC policy

  • Send DMARC report(s)
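The recipient-side steps above (fetch the DMARC policy, align identifiers, apply the policy) and the tag list earlier in the post can be put together in one small evaluator. The following is an added example written for this post, not code from the post or from any mail product: it parses a DMARC TXT record with the defaults a receiver assumes for absent tags, builds the _dmarc lookup names, tests relaxed/strict alignment of the SPF and DKIM domains against Header From, and returns the disposition (p, or sp for a subdomain). The record and the SPF/DKIM results are constructed; the organizational-domain helper uses the last two labels instead of the Public Suffix List, which is an assumption made to keep the example self-contained, and pct sampling is left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed DMARC record for this example, in the same shape as the
# _dmarc.google.com record shown in the post (example.com substituted).
SAMPLE_DMARC_TXT = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; "
    "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com"
)

# Values a receiver assumes for optional tags that are absent from the record.
DMARC_DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100",
                  "fo": "0", "rf": "afrf", "ri": "86400"}


def parse_dmarc_record(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict with defaults filled in.

    v and p are required; without a valid v and p the record is unusable and
    the receiver behaves as if no DMARC record were published. sp inherits p.
    """
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    policy = {**DMARC_DEFAULTS, **tags}
    policy.setdefault("sp", policy["p"])
    return policy


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption for this example: real verifiers use the Public Suffix List,
    so that e.g. mail.example.co.uk maps to example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_lookup_names(header_from: str) -> List[str]:
    """DNS names queried to fetch the policy: _dmarc.<Header From domain>
    first, then _dmarc.<organizational domain> when From is a subdomain."""
    names = [f"_dmarc.{header_from.lower()}"]
    org = organizational_domain(header_from)
    if org != header_from.lower():
        names.append(f"_dmarc.{org}")
    return names


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between Header From and the domain SPF or DKIM
    authenticated. Strict (s) needs an exact match; relaxed (r) accepts any
    domain sharing the same organizational domain."""
    hf, ad = header_from.lower(), auth_domain.lower()
    if mode == "s":
        return hf == ad
    return organizational_domain(hf) == organizational_domain(ad)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str    # MAIL FROM domain SPF was evaluated for
    dkim_pass: bool
    dkim_domain: str   # d= of a passing DKIM signature, "" if none passed


def evaluate_dmarc(header_from: str, record_txt: str, auth: AuthResults,
                   policy_domain: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    The result is "pass" when SPF or DKIM passed *and* its domain aligns with
    Header From, else "fail". The disposition is p, or sp when Header From is
    a subdomain of policy_domain (the domain the record was found at).
    """
    policy = parse_dmarc_record(record_txt)
    if policy is None:
        return ("none", "none")
    spf_aligned = auth.spf_pass and aligned(header_from, auth.spf_domain, policy["aspf"])
    dkim_aligned = auth.dkim_pass and aligned(header_from, auth.dkim_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    is_subdomain = header_from.lower() != policy_domain.lower()
    return ("fail", policy["sp"] if is_subdomain else policy["p"])


if __name__ == "__main__":
    print(dmarc_lookup_names("news.example.com"))
    # Legitimate mail: SPF passed for a bounce subdomain (relaxed aspf aligns it)
    legit = AuthResults(True, "bounce.example.com", True, "mail.example.com")
    print(evaluate_dmarc("example.com", SAMPLE_DMARC_TXT, legit, "example.com"))
    # Header From does not match either authenticated domain: the case DMARC catches
    unaligned = AuthResults(True, "other.net", True, "other.net")
    print(evaluate_dmarc("example.com", SAMPLE_DMARC_TXT, unaligned, "example.com"))
```

Note the second case in the usage block: both SPF and DKIM pass, yet DMARC fails, because neither authenticated domain aligns with the Header From domain. That alignment step is what separates DMARC from running SPF and DKIM on their own.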

That about wraps up this post covering DKIM & DMARC. Check out other email security posts. Cheers!
