Big Email Changes: DMARC and DKIM Enforcement
.png)
30 Apr 2025
Microsoft, Google, and Yahoo are enforcing DKIM and DMARC, along with SPF, for high-volume email senders, with enforcement starting in May 2025. DKIM verifies the legitimacy of an email, while DMARC dictates what to do with emails that fail DKIM or SPF authentication. They work together to enhance email security and reduce the risk of spoofing and phishing.
Comprehensive Overview of DMARC and DKIM for Email Security
Implementing DMARC (Domain-based Message Authentication, Reporting & Conformance) and DKIM (DomainKeys Identified Mail) correctly is essential for businesses seeking to protect their email channels from spoofing, phishing, and delivery failures. Below is an in-depth look at each protocol’s features, the benefits they bring when properly configured, and the potential risks or pitfalls that organisations should be aware of.
What Are DKIM and DMARC?
DKIM is an email authentication mechanism that appends a cryptographic signature to every outgoing message. The sending mail server signs the message headers with a private key; recipients verify the signature using the matching public key published in DNS. This ensures the message has not been altered in transit and confirms it originated from an authorised mail source.
DMARC sits on top of SPF and DKIM. It enables the sending domain’s owner to publish a policy in DNS that tells receiving servers what to do if incoming mail fails SPF and/or DKIM checks (“none,” “quarantine,” or “reject”), and to send aggregate and forensic reports back to the sender. DMARC helps close the loop by providing visibility and enforcement against unauthorised use of your domain.
Key Features
DKIM Features
- Cryptographic Signing: Uses RSA or Ed25519 keys to sign message headers.
- Selective Header Signing: You can choose which headers (e.g., From, Subject) to sign for flexibility.
- Key Rotation: Periodic replacement of keys minimises the risk of compromise.
DMARC Features
- Policy Enforcement: Defines how strictly receivers should treat unauthenticated email.
- Alignment Rules: Requires that the “From” domain aligns with the signing domain (DKIM) or envelope-from (SPF).
- Reporting: Provides two types of XML reports:
- Aggregate Reports (RUA): Daily summaries of all DMARC pass/fail events.
- Forensic Reports (RUF): Detailed records for individual failures (optional, privacy-sensitive).
Benefits of Correct Configuration
-
Enhanced Brand Protection:
Prevents attackers from spoofing your domain in phishing campaigns, safeguarding customer trust and brand reputation. -
Improved Deliverability:
Authenticated emails are more likely to land in the recipient’s inbox rather than spam or quarantine folders. -
Visibility and Intelligence:
DMARC reports give you actionable insight into who is sending email on behalf of your domain—legitimate third parties and potentially malicious actors. -
Regulatory Compliance:
Many data-protection frameworks (e.g., GDPR, HIPAA) consider strong email controls a best practice for safeguarding personal data in communications. -
Reduced Fraud & Phishing:
By rejecting fraudulent messages, you protect employees and customers from credential theft, account takeover attempts, and malware distribution.
Potential Risks and Pitfalls
-
Incorrect Policy Enforcement (DMARC):
A “reject” policy applied too soon or without full visibility can block legitimate mail streams (e.g., marketing platforms, partner systems) that aren’t yet fully authenticated. -
Key Management Challenges (DKIM):
Loss, theft, or failure to rotate private keys can undermine authentication integrity or render all signed messages unverifiable. -
Overreliance on One Protocol:
DKIM protects integrity but not envelope spoofing; SPF protects envelope-from but not header-from. DMARC unifies them, but misconfigurations in SPF (e.g., overly permissive “+all” mechanisms) can nullify DMARC’s protection. -
Report Overload:
Large organisations can generate thousands of DMARC aggregate reports daily. Without automation or a DMARC analytics platform, it can be overwhelming to parse and act on these. -
Privacy Concerns (Forensic Reports):
Detailed failure reports can contain sensitive email content. Improper handling of forensic reports may expose confidential information.
Best Practices and Recommendations
-
Phase in Enforcement:
Start with p=none to collect data, then gradually move to quarantine and finally reject over weeks or months. -
Maintain Comprehensive SPF Records:
Ensure all legitimate sending IPs are included, using include mechanisms sparingly and avoiding wildcard allowances. -
Automate DMARC Report Processing:
Use a specialised tool or service to aggregate, visualise, and alert on DMARC data so you can quickly identify unauthorised senders and adjust policies. -
Rotate DKIM Keys Regularly:
Establish a key rotation schedule (e.g., every 3–6 months) and monitor for any DKIM failures after rotation. -
Document Your Email Ecosystem:
Keep an up-to-date inventory of all third-party services that send on your behalf (marketing, CRM, payment gateways) and ensure they support DKIM signing or SPF alignment. -
Monitor Policy Impact:
After each policy change, review bounce rates, user reports, and deliverability metrics to catch unintended disruptions early.
By correctly implementing and managing DKIM and DMARC, businesses can dramatically improve their email security posture, protect their brand, and reduce the risk of costly phishing and spoofing attacks. However, these protocols require careful configuration, ongoing monitoring, and key management discipline to maximise benefits without inadvertently disrupting legitimate communications.
Microsoft, Google, and Yahoo are enforcing DKIM and DMARC, along with SPF, for high-volume email senders, with enforcement starting in May 2025 for Microsoft and from February 2024 for Google and Yahoo. These changes aim to improve email security and reduce spam by authenticating emails and ensuring they are sent from legitimate sources.
Enforcement Details:
Microsoft:
Microsoft is enforcing SPF, DKIM, and DMARC for high-volume senders, starting May 5, 2025. After this date, Outlook will begin routing messages from non-compliant domains to the junk folder, giving senders time to address any issues.
Google and Yahoo:
For bulk senders (those sending over 5,000 emails daily), Google and Yahoo have announced new requirements to be enforced back in February 2024. These requirements include having a DMARC record with a minimum policy of "none" (p=none) and including a one-click unsubscribe in marketing messages.
If you need help setting up DMARC or DKIM please reach out to us.
LoughTec are cyber security experts, if you want to find out more on how LoughTec can help protect your business in other ways, see some recommended options below.
Click to find out more about how much a cyber attack could potentially cost your business.
Click to find out more about Security Operations Centre SOC 24-7-365 protection.
Click to find out more about Staff Cyber Security Awareness Training.
Click to find out more about Ransomware Protection.
Back Top