E-mail security: How to protect your communications with DKIM and DMARC

E-mail is one of the most important means of communication, but also a common target for cybercriminals. The DKIM and DMARC security protocols help protect e-mails and prevent the misuse of domains. This article explains how these technologies work and how they enhance e-mail security.

Patrik Peng · System Engineer

E-mail security is a key issue for companies, as billions of e-mails – often with sensitive content – are sent and received every day. Attacks like phishing and spoofing not only pose data protection risks, but also threaten the perceived trustworthiness of the sender domain. This is where e-mail security protocols like DKIM and DMARC come in: they ensure that e-mails are authenticated, that senders are verified and that the messages themselves are protected against manipulation.

But for DKIM and DMARC to work effectively, they also require the “Sender Policy Framework”, or SPF for short. This authentication method defines which servers are authorized to send e-mails on behalf of a domain. Together, SPF, DKIM and DMARC form a strong protection system that makes it significantly more difficult for attackers to manipulate e-mails. In this article, we explain why domain owners should activate these protective measures.

SPF – protection against fake senders

The “Sender Policy Framework” (SPF) is an important component of e-mail authentication and works hand in hand with DKIM and DMARC to provide a comprehensive security solution. SPF is used to check whether the sending server is authorized to send e-mails on behalf of a particular domain.

The owner of a domain stores an SPF record in the DNS zone for their domain. This record contains a list of IP addresses and servers that are authorized to send e-mails on behalf of the domain. When a recipient mail server receives an e-mail, it checks the SPF record of the sender domain and compares the IP address of the sending server with the authorized addresses in the SPF record. If the check is successful, this is an indication that the e-mail is legitimate. Otherwise, it may be rejected or marked as spam.

An SPF record thus protects against attackers who send e-mails from unauthorized servers while pretending to come from a legitimate domain. To ensure reliable delivery, e-mails should be sent through the outgoing mail server provided by the web hosting provider (such as Hostpoint), because that server is the one authorized in the domain’s SPF record. This reduces the risk of e-mails being rejected by the recipient because of a failed SPF check.
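The check described above, reduced to its core logic, as an added example (this is not code from the article or from Hostpoint): a receiving server reads the domain’s `v=spf1` record, walks its mechanisms left to right and returns the result attached to the first one that matches the connecting IP address. The records, domain names and addresses below are constructed placeholders kept in a dictionary so the example runs offline; a real verifier would fetch them with DNS queries. Only the `ip4`, `ip6`, `include` and `all` terms are modelled.

```python
import ipaddress

# Constructed SPF records standing in for the TXT records of two domains (not a
# real zone). A real verifier fetches the record with a DNS query and resolves
# include: by further lookups; this offline example answers from a dictionary.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# qualifier prefix of a mechanism -> SPF result when that mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, zone: dict = ZONE, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of the RFC 7208 results: pass, fail, softfail, neutral, none or
    permerror. a, mx, ptr, exists and redirect= need live DNS and are skipped."""
    if depth > 10:
        # RFC 7208 caps the DNS-querying mechanisms at 10 per check
        return "permerror"
    record = zone.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms without an explicit qualifier mean "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            try:
                # a bare address is a /32 (or /128); strict=False tolerates host bits
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # membership test is False for a v4 address against a v6 network
            if addr in network:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            sub = check_spf(arg, sender_ip, zone, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                # RFC 7208 section 5.2: a missing or broken included record is a permerror
                return "permerror"
        elif mech == "all":
            return QUALIFIERS[qualifier]
    # nothing matched and there was no all term: RFC 7208 default result
    return "neutral"


def receiver_action(result: str) -> str:
    """Typical handling of each SPF result by a receiving server (a local policy
    choice; with DMARC in place the DMARC policy decides the final disposition)."""
    return {
        "pass": "accept",
        "fail": "reject or mark as spam",
        "softfail": "accept but mark as suspicious",
    }.get(result, "accept and rely on other checks")


if __name__ == "__main__":
    for ip in ("192.0.2.25", "2001:db8:1::5", "198.51.100.10", "203.0.113.7"):
        result = check_spf("example.com", ip)
        print(f"{ip:>16} -> {result:8} ({receiver_action(result)})")
```

The order of the terms matters: `-all` at the end is what turns “not listed” into a hard fail, while `~all` in the included record only produces a softfail for that domain’s own checks. The `include` term is not a “merge” of records; it matches only when the referenced record itself evaluates to pass.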

DKIM – protection against e-mail manipulation

Domain Keys Identified Mail (DKIM) is an e-mail authentication method that adds a digital signature to e-mails. This signature enables the recipient to check that the e-mail really comes from the sender domain’s server and that its contents have not been changed in transit. To do this, DKIM uses asymmetric cryptography, i.e. a key pair consisting of a private key and a public key. When an e-mail is sent from a domain, the sender’s mail server computes a digital signature over the message and stores it in a dedicated header of the e-mail. This signature is created with the private key, which is known only to the sender.

The receiving server, in turn, retrieves the public key published in the DNS zone of the sender’s domain and uses it to verify the signature. If the hash value it computes over the received message matches the one protected by the signature, this indicates that the e-mail is authentic and unchanged.
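The “hash value” step of that check, as an added example that is not code from the article or from Hostpoint: the signer canonicalizes the body, hashes it and publishes the hash in the `bh=` tag of the `DKIM-Signature` header; the receiver recomputes it over the body it actually received and rejects the signature if the two differ, before it even verifies the `b=` signature with the key from DNS. The message, the domain `example.com`, the selector `sel1` and the DNS record are constructed placeholders; `b=` and `p=` hold placeholders because the public-key signature itself needs a cryptographic library and is not shown here. The example also parses the DNS key record’s `k=` tag, the field that distinguishes the RSA and Ed25519 keys mentioned further down.

```python
import base64
import hashlib
import re

# Constructed sample message body for this example (not real mail traffic).
SAMPLE_BODY = "Hello Alice,\r\n\r\nYour invoice is   attached.  \r\n\r\n\r\n"

# Constructed DNS TXT record of the kind published at <selector>._domainkey.<domain>;
# the p= value is a placeholder, not a real public key.
SAMPLE_KEY_RECORD = "v=DKIM1; k=ed25519; p=PLACEHOLDER_BASE64_PUBLIC_KEY"


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization (RFC 6376 sections 3.4.3 and 3.4.4)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError(f"unknown body canonicalization: {mode}")
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse runs of SP/HTAB into one SP and drop trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    # ignore all empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # simple: an empty body is a single CRLF; relaxed: it stays empty
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, mode: str = "relaxed") -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for item in tag_list.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            # folding whitespace inside values (e.g. wrapped base64) is not significant
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_type(dns_txt: str) -> str:
    """Key type announced by a DKIM DNS record; k= defaults to rsa when absent."""
    tags = parse_tags(dns_txt)
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM key record")
    return tags.get("k", "rsa")


def sign_body(body: str, domain: str, selector: str, mode: str = "relaxed") -> str:
    """Signer side of a DKIM-Signature header. Only bh= is computed here; b= is a
    placeholder where the real signature over the canonicalized headers, made with
    the private key matching the DNS record, would go."""
    return (
        f"DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/{mode}; d={domain}; "
        f"s={selector}; h=from:to:subject; bh={body_hash(body, mode)}; "
        "b=PLACEHOLDER_SIGNATURE"
    )


def build_message(body: str) -> str:
    """Constructed message: DKIM-Signature header plus a few other headers."""
    return (
        sign_body(body, "example.com", "sel1") + "\r\n"
        "From: billing@example.com\r\n"
        "To: alice@example.net\r\n"
        "Subject: Invoice\r\n"
        "\r\n" + body
    )


def body_hash_matches(message: str) -> bool:
    """Verifier side: recompute the body hash and compare it with bh=. A mismatch
    means the body was altered after signing, so the signature fails regardless
    of whether b= would verify."""
    headers, _, body = message.partition("\r\n\r\n")
    headers = re.sub(r"\r\n[ \t]+", " ", headers)  # unfold folded header lines
    sig = next((h for h in headers.split("\r\n")
                if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return False
    tags = parse_tags(sig.split(":", 1)[1])
    # c= is "header/body"; the body algorithm defaults to simple when omitted
    mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, mode)


if __name__ == "__main__":
    msg = build_message(SAMPLE_BODY)
    print("key type:", key_type(SAMPLE_KEY_RECORD))
    print("original body hash ok:", body_hash_matches(msg))
    print("tampered body hash ok:", body_hash_matches(msg.replace("invoice", "refund")))
```

Two things worth noticing when running it: changing a single word in the body makes the check fail, while collapsing the extra spaces in the body does not, because the relaxed canonicalization normalizes whitespace before hashing. That tolerance is deliberate; it keeps signatures valid through mail systems that reflow whitespace, without giving an attacker room to change the meaning of the text.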

DKIM provides e-mails with a digital signature (lock) that can only be validated with the associated public key. (Image source: Schluesseldienst/pixabay)

DKIM makes it easier to detect manipulated e-mails. This protects both the sender and the recipient against phishing and spoofing attacks. For companies, DKIM also reduces the likelihood that their e-mails will erroneously end up in the spam folder. With some providers (e.g. Google, Yahoo), the use of DKIM is already required when sending mass e-mails.

Since May 2024, Hostpoint has automatically activated DKIM for all domains that were assigned to a web hosting account or a Cloud Office group. For older domains, this must be done manually, as described in more detail in this guide. By default, Hostpoint creates three DKIM records per domain with different key types (rsa1024, rsa2048, ed25519) so that as many recipients as possible can validate the signature. For a successful DKIM check, it is sufficient if at least one of the signatures can be verified.

For users who want to use Hostpoint for e-mail traffic and activate DKIM for domains managed externally, DKIM must be activated with Hostpoint and the DKIM information stored with the external DNS provider. For precise instructions, we recommend reading the article in our Support Center.

Tip:
You can use various online tools (search for “DKIM test” or “DKIM record checker”) to check whether DKIM has been correctly configured for your domain and whether your e-mails are correctly signed.

DMARC – rules for non-authenticated e-mails

Domain-based Message Authentication, Reporting and Conformance (DMARC) provides an additional protective layer and builds on DKIM and SPF, enabling them to achieve their full effectiveness.

With DMARC, domain owners can define how they want to handle e-mails that do not pass the SPF or DKIM check. They can decide whether such e-mails should be placed in the spam folder or rejected directly. There are three DMARC policies for this:

With Hostpoint, the Quarantine policy is the default setting. This can be changed in the Hostpoint Control Panel.

We recommend initially using the DMARC Quarantine policy. This sends suspicious e-mails to the spam folder to test deliverability before stricter measures such as complete rejection are introduced.
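How a receiver turns the SPF and DKIM results into a DMARC verdict and applies the published policy, as an added example that is not code from the article or from Hostpoint. It uses the three policy values defined in RFC 7489 (`none`, `quarantine`, `reject`) and adds the alignment check that DMARC layers on top of SPF and DKIM: a passing check only counts if the domain it authenticated matches the domain in the visible `From:` header (exactly in strict mode, or sharing the organizational domain in relaxed mode). The `_dmarc` record, domains and report address below are constructed placeholders; `pct=` sampling is not modelled.

```python
# Constructed DMARC record of the kind published as a TXT record at
# _dmarc.example.com (not a real zone; the report address is made up).
DMARC_RECORD = ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")

POLICIES = ("none", "quarantine", "reject")  # the three p= values of RFC 7489


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC tag list and validate the mandatory and policy tags."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a valid DMARC record")
    if "sp" in tags and tags["sp"] not in POLICIES:
        raise ValueError("invalid sp= value")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real verifiers consult the Public Suffix
    List so that e.g. example.co.uk counts as one organizational domain."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any domain that shares the organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(record: str, policy_domain: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> tuple:
    """Combine SPF and DKIM results into a (dmarc_result, disposition) pair.

    policy_domain is the domain whose _dmarc record this is; from_domain is the
    domain in the From: header; spf_domain is the MAIL FROM domain SPF checked;
    dkim_domain is the d= of a DKIM signature that verified."""
    policy = parse_dmarc(record)
    spf_ok = (spf_result == "pass"
              and aligned(spf_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        # one aligned pass is enough; the message is delivered normally
        return "pass", "none"
    # sp= governs subdomains of the policy domain, p= the domain itself
    if from_domain.lower() != policy_domain.lower() and "sp" in policy:
        return "fail", policy["sp"]
    return "fail", policy["p"]


if __name__ == "__main__":
    cases = {
        "legitimate, SPF aligned":
            ("example.com", "pass", "example.com", "fail", ""),
        "sent via third party, only SPF passes":
            ("example.com", "pass", "bounces.newsletter.example", "fail", ""),
        "third party but DKIM signed with d=mail.example.com":
            ("example.com", "fail", "", "pass", "mail.example.com"),
        "spoofed From in subdomain, nothing passes":
            ("shop.example.com", "fail", "", "fail", ""),
    }
    for label, (frm, spf, spf_d, dkim, dkim_d) in cases.items():
        verdict = evaluate_dmarc(DMARC_RECORD, "example.com", frm, spf, spf_d, dkim, dkim_d)
        print(f"{label}: {verdict}")
```

The second case is the one that bites organizations in practice: a newsletter or ticketing service passes SPF for its own bounce domain, but that domain does not align with the customer’s `From:` domain, so the message fails DMARC unless the service also signs with a DKIM key published under the customer’s domain. That is also why the article recommends starting with `quarantine` and reading the deliverability results before moving to `reject`.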

Using DMARC, companies can significantly reduce the misuse of their domains through phishing and spoofing attacks. It protects not just the e-mail recipient, but also the reputation of the sender by ensuring that only legitimate messages reach the recipient.

Please note:
Since August 2024, Hostpoint has automatically activated DMARC for all domains that were assigned to a web hosting account or a Cloud Office group. In all other cases, manual activation is possible. A guide to activating DMARC is available here.

Why domain owners should use DKIM and DMARC

For domain owners and companies, implementing DKIM and DMARC is an important instrument for making e-mail communications more secure. These technologies offer protection against phishing, spoofing and other threats that can be posed by manipulated or fake e-mails.

One common scenario is phishing attacks in which attackers send fake e-mails and pretend to be from a legitimate company. In spoofing attacks, fraudsters attempt to falsify the sender’s address in order to send e-mails with malicious content.

With DKIM and DMARC, such attempts to manipulate e-mails either land harmlessly in the spam folder or are blocked directly before they reach the recipient, depending on the configuration. At the same time, legitimate e-mails that are protected with these technologies are less likely to be blocked by spam filters. This increases the likelihood that these e-mails will arrive in their recipients’ inboxes. Nevertheless, it’s always a good idea to be on the lookout for phishing as even the safest methods can’t protect against it entirely.

If you have questions about DKIM, DMARC or other topics related to e-mail security, Hostpoint Support is at your service. Our team can help with the setup and configuration of these protective measures to make sure that your e-mail communications stay secure.

Contact us via e-mail at support@hostpoint.ch or by phone at 0844 04 04 04 – we’re at your service, in your language, seven days a week from 8 am to 6 pm!
