Domain-based Message Authentication, Reporting, and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) are both email security protocols, but they do different jobs. In a nutshell, DKIM is an authentication mechanism: it lets a receiver verify cryptographically that a message was signed with a key the sending domain published. DMARC is a policy and reporting layer built on top of DKIM and SPF: it tells receivers what to do with mail that fails authentication, requires the authenticated domain to line up with the visible From: address, and sends reports about failures back to the domain owner.
How DKIM Works
With DKIM, the domain's mail server holds a private key and uses it to sign outgoing messages, adding a DKIM-Signature header to each one. The matching public key is published as a DNS TXT record under the selector named in the signature (selector._domainkey.example.com), so any recipient can fetch it and verify the signature. If verification succeeds, the recipient knows that the private key, which only the sending domain possesses, must have produced the signature, so the message passes DKIM. The same check shows that the signed parts of the message were not altered in transit: the signature covers a hash of the body and the headers listed in the signature's h= tag (typically From, To, Subject and Date), so changing any of them makes the signature fail. Headers that are not listed in h= are not protected, and whitespace-only changes survive because the signer canonicalizes the message before hashing it.
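The signing and verification flow described above, as an added example in Python that is not code from the original article. It reproduces DKIM's structure from RFC 6376 using only the standard library: relaxed canonicalization of body and headers, the bh= body hash, the h= list of signed headers, and a signature over those headers plus the DKIM-Signature header itself with b= emptied. The signing primitive is an assumption made for portability: unpadded textbook RSA over a fixed, publicly known toy key instead of the RSASSA-PKCS1-v1_5 or Ed25519 a real signer uses, so the key must never be reused. The message, the domain example.com and the selector s2024 are constructed for the demo.

```python
"""Toy DKIM signer and verifier using only the standard library.

Added example, not code from the original article. Follows RFC 6376's
structure (relaxed canonicalization, bh= body hash, h= signed headers, b=
signature over those headers plus the DKIM-Signature header with b= emptied).
ASSUMPTION: the primitive is unpadded textbook RSA over a fixed, publicly known
key; real DKIM uses RSASSA-PKCS1-v1_5 or Ed25519 with a key published at
<selector>._domainkey.<domain>. Never reuse this key.
"""
import base64
import hashlib
import re

# Toy key from the Mersenne primes 2^127-1 and 2^521-1 (trivially factorable).
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
N, E = _P * _Q, 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))
_KEYLEN = (N.bit_length() + 7) // 8

def relaxed_body(body: str) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def header_hash(headers, signed, sig_value) -> bytes:
    """Hash the h= headers (last instance of each, bottom-up) and the signature header."""
    pool, data = list(headers), b""
    for name in signed:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == name.lower():
                data += relaxed_header(*pool.pop(i))
                break
    data += relaxed_header("DKIM-Signature", sig_value)[:-2]  # no trailing CRLF
    return hashlib.sha256(data).digest()

def dkim_sign(headers, body, domain, selector, signed=("from", "to", "subject")):
    """Return a copy of headers (list of (name, value)) with a DKIM-Signature prepended."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    value = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
             f"h={':'.join(signed)}; bh={bh}; b=")
    digest = int.from_bytes(header_hash(headers, signed, value), "big")
    sig = pow(digest, _D, N).to_bytes(_KEYLEN, "big")  # toy RSA, no padding (demo only)
    return [("DKIM-Signature", value + base64.b64encode(sig).decode())] + list(headers)

def dkim_verify(headers, body, pubkey=(N, E)):
    """Return ('pass' | 'fail' | 'none', detail) for the first DKIM-Signature header."""
    sigs = [v for n, v in headers if n.lower() == "dkim-signature"]
    if not sigs:
        return "none", "no DKIM-Signature header"
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in sigs[0].split(";") if "=" in t)}
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()
    if bh != tags.get("bh"):
        return "fail", "body hash mismatch"
    others = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\g<1>\g<2>b=", sigs[0])  # verify with b= emptied
    digest = int.from_bytes(header_hash(others, tags["h"].split(":"), stripped), "big")
    n, e = pubkey
    if pow(int.from_bytes(base64.b64decode(tags["b"]), "big"), e, n) != digest:
        return "fail", "signature does not verify"
    return "pass", f"d={tags['d']} s={tags['s']}"

def demo() -> dict:
    """Sign a constructed message, then verify it under several in-transit changes."""
    headers = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
               ("Subject", "Quarterly   numbers"), ("Date", "Mon, 01 Jan 2024 09:00:00 +0000")]
    body = "Hi Bob,\r\n\r\nFigures attached.   \r\n\r\n\r\n"
    signed = dkim_sign(headers, body, "example.com", "s2024")
    edit = lambda name, new: [(n, new if n == name else v) for n, v in signed]
    return {
        "intact": dkim_verify(signed, body)[0],  # pass
        "whitespace_only": dkim_verify(signed, "Hi Bob,\r\n\r\nFigures  attached.\r\n")[0],  # pass
        "body_tampered": dkim_verify(signed, body.replace("attached", "revised"))[0],  # fail
        "subject_tampered": dkim_verify(edit("Subject", "Urgent: wire transfer"), body)[0],  # fail
        "unsigned_header_changed":
            dkim_verify(edit("Date", "Tue, 02 Jan 2024 09:00:00 +0000"), body)[0],  # pass
        "signature_stripped": dkim_verify(signed[1:], body)[0],  # none
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

Running it prints six verdicts: whitespace-only edits survive relaxed canonicalization, tampering with the body or with any header in h= fails, a change to the unsigned Date header still passes, and removing the DKIM-Signature header yields no DKIM result at all rather than a failure, which is exactly the gap the DMARC section below addresses.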
How DMARC Works
Unlike DKIM, which requires the sending server to sign every message, DMARC is configured entirely in DNS: the domain owner publishes a single TXT record at _dmarc.<domain> that declares the policy (the p= tag) and where to send reports (the rua= tag), so no additional server-side work is necessary. DMARC involves two separate functions: reporting and enforcement.
Enforcement refers to what the domain owner asks receivers to do when a message fails DMARC validation, expressed in the record's p= tag. The options are "none," which requests no special treatment (monitoring only), "quarantine," which asks that the message be treated as suspicious and usually results in it being placed in the spam folder, and "reject," which asks that the message be refused outright. A policy can be phased in with the pct= tag, which applies it to only a sampled percentage of failing mail, and sp= can set a separate policy for subdomains.
Reporting, the other prominent feature of DMARC, gives admins visibility into mail sent in their domain's name that fails DKIM and SPF. Receivers send aggregate reports (XML, to the address in the rua= tag) that summarize each sending source and its authentication results, and some also send per-message failure reports (ruf=). The reports are useful for detecting spoofing campaigns that use the domain, and for debugging: they reveal legitimate sending services that are failing authentication and would be rejected once enforcement is turned on.
DMARC offers one additional security benefit. Suppose an attacker in a man-in-the-middle position strips the DKIM-Signature header in transit, so the message arrives looking as though the sender never implemented DKIM. Without DMARC, an unsigned message is simply unsigned, and most receivers deliver it. With DMARC, the receiver looks up the sender's policy, finds that the domain owner expects its mail to authenticate, and applies the quarantine or reject policy to the now-unauthenticated message. Note, though, that DMARC passes when either an aligned DKIM signature or an aligned SPF check succeeds, so if the message still passes SPF (the connecting server is authorized for the From: domain) it passes DMARC even with the signature removed.
Deploy SPF
Excessive faith in DKIM can be misguided because a sender's DKIM private key can be stolen, and an attacker holding it can produce signatures that verify perfectly. SPF, which lists the IP addresses authorized to send for the domain, is worth deploying alongside DKIM regardless: it authenticates mail from services that cannot sign, and it gives receivers a second, independent signal. It is not, however, a direct defense against a stolen key, because DMARC passes a message when either SPF or DKIM passes with alignment, so an attacker with the key passes DKIM from any IP address. The practical mitigations for key compromise are keeping the private key off shared or internet-facing systems, rotating selectors regularly, and, on suspicion of theft, removing the compromised selector's public key from DNS so that its signatures stop verifying.
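The DMARC decision described in the previous section (pass on either aligned SPF or aligned DKIM, otherwise apply p=, sampled by pct=), together with the stolen-key scenario from this section, as an added example in Python that is not code from the original article. The organizational-domain logic, the SPF evaluator (ip4, ip6 and all only) and every record, address and message in it are simplifications and constructed inputs assumed for the demo; a real receiver uses the Public Suffix List and a full SPF implementation.

```python
"""DMARC policy evaluation with a minimal SPF check, standard library only.

Added example, not code from the original article. Implements the RFC 7489
rule: a message passes DMARC when either an aligned SPF pass or an aligned
DKIM pass exists; otherwise the p= disposition applies, subject to pct=.
ASSUMPTIONS: organizational domain = last two labels (real receivers use the
Public Suffix List); SPF handles only ip4/ip6/all; all records, addresses and
messages below are constructed for the demo.
"""
import ipaddress
import random

def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags["pct"] = int(tags["pct"])
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain (ASSUMPTION: last two labels; real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def spf_check(record: str, client_ip: str) -> str:
    """Minimal SPF: ip4/ip6/all with +,-,~,? qualifiers; other mechanisms are skipped."""
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        if term == "all":
            return results[qual]
        if term.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(term[4:], strict=False):
            return results[qual]
    return "neutral"  # nothing matched and no 'all' term

def evaluate_dmarc(policy: dict, from_domain: str, spf, dkim, rng=random) -> dict:
    """spf: (MAIL FROM domain, SPF result); dkim: list of (d= domain, DKIM result)."""
    spf_ok = spf[1] == "pass" and aligned(spf[0], from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for d, r in dkim)
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    disp = policy["p"]
    if policy["sp"] and from_domain.lower() != org_domain(from_domain):
        disp = policy["sp"]  # sp= overrides p= for subdomains of the org domain
    if disp != "none" and rng.randint(1, 100) > policy["pct"]:
        # RFC 7489 6.6.4: messages outside the pct= sample get the next weaker policy
        disp = "quarantine" if disp == "reject" else "none"
    return {"dmarc": "fail", "disposition": disp}

def demo() -> dict:
    """Constructed example.com policy and SPF record, exercised against five messages."""
    policy = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r")
    spf_record = "v=spf1 ip4:203.0.113.0/24 -all"
    cases = {}
    # 1. Legitimate mail whose DKIM-Signature was stripped in transit: aligned SPF still passes it.
    cases["dkim_stripped_spf_ok"] = evaluate_dmarc(
        policy, "example.com", ("example.com", spf_check(spf_record, "203.0.113.10")), [])
    # 2. Spoofed From: the attacker's own SPF and DKIM pass but do not align, so p=reject applies.
    cases["spoofed_from"] = evaluate_dmarc(
        policy, "example.com",
        ("attacker.invalid", spf_check("v=spf1 ip4:198.51.100.0/24 -all", "198.51.100.7")),
        [("attacker.invalid", "pass")])
    # 3. Stolen example.com DKIM key used from an unlisted IP: SPF fails, yet DMARC passes.
    cases["stolen_dkim_key"] = evaluate_dmarc(
        policy, "example.com", ("example.com", spf_check(spf_record, "198.51.100.7")),
        [("example.com", "pass")])
    # 4. adkim=s: a valid signature by mail.example.com does not align strictly with example.com.
    cases["subdomain_key_strict"] = evaluate_dmarc(
        policy, "example.com", ("example.com", "fail"), [("mail.example.com", "pass")])
    # 5. pct=0 rollout stage: every failing message is stepped down from reject to quarantine.
    cases["pct_zero"] = evaluate_dmarc(
        parse_dmarc("v=DMARC1; p=reject; pct=0"), "example.com", ("example.com", "fail"), [])
    return cases

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Case 1 is the stripped-signature scenario: aligned SPF still carries the message through. Case 3 is the stolen key: SPF fails from the attacker's address, but the aligned DKIM pass alone is sufficient, which is why rotating selectors and removing the compromised public key from DNS, not SPF, are the remedy for that case.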
Conclusion
DMARC works with DKIM and SPF to prevent unauthorized use of a domain in email. DKIM provides cryptographic evidence that a message was signed by the domain and that its signed content was not altered afterward; DMARC adds alignment with the From: address, a published policy for failures, and reports that give visibility into possible attacks. Beyond security, the reports also help debug DKIM and SPF misconfigurations by showing administrators which messages are failing and why. At the end of the day, secure email requires deploying DKIM and DMARC together with SPF.