FeedBlitz is an email and social media subscription automation service for blogs and social media, and the premium FeedBurner alternative.


FeedBlitz News



New: DKIM Delegation for Enterprise Email Marketing

Monday, March 08, 2010

DKIM (DomainKeys Identified Mail) is an email authentication technology that enables recipients to determine whether an email is genuine. (I'm simplifying here, but that's the gist of it.) DKIM builds on what's known as public key encryption and domain name technologies, and is being increasingly adopted by ISPs and corporations alike to help decide how best to treat inbound email.

Now, it's important to understand that genuine doesn't mean not spam. Passing DKIM verification just means the email is "real" or "duly authorized". Whether you trust the sender, now that you can prove who they are, is a different matter. Even DKIM-validated mail can still be unsolicited, unwelcome, or junk.

So what's the point?

Actually, there are several.  To greatly oversimplify again, one advantage of using DKIM is that email that purports to come from an organization using DKIM but which, when checked, fails DKIM authentication is almost certainly spam.  So DKIM enables some smarter filtering by receiving ISPs. 

Secondly, DKIM also links a sender's reputation to the sender's domain as opposed to the IP of any individual mail server. So an organization with a good reputation can sign their emails using DKIM and pretty much send them (within reason) from any mail server they please. As long as the recipient's mail server is using DKIM verification (and major ISPs do) then the mail will be provably mapped back to the sender's excellent reputation, and the mail is routed accordingly to the recipient's mailbox.

Thirdly, there's also a benefit in that DKIM allows a recipient to determine whether an email has been tampered with en route, but that's not so important for the purposes of this post.

DKIM and FeedBlitz

DKIM is ultimately a Good Thing and something all reputable senders are (or should be) using already as part of their arsenal of best practices. Amongst other things, FeedBlitz has been signing the emails we send for some time now using DKIM, proving that it's FeedBlitz that's really sending the message.  It's easy for a receiving ISP to determine whether an email that says it's from FeedBlitz really is. We have a good reputation and DKIM certainly helps. All our clients reap these rewards. So far, then, so good. 

DKIM and the Enterprise

Now, say you work for MegaCorp, Inc., and you want to save time and effort by automating your corporate email updates using FeedBlitz.  Yay, right? Not so fast, though - there's a snag. Your IT security team requires all email from the company to be authenticated properly (using MegaCorp DKIM of course), and the marketing team does not want to sacrifice the great reputation they've earned from their best practice in-house efforts.  How can MegaCorp outsource (saving time and money) while meeting these constraints? 

DKIM Delegation

The answer is DKIM delegation, now available in FeedBlitz's enterprise features area (My Account / Enterprise / DKIM Delegation). DKIM delegation enables outsourcing to a third party (such as FeedBlitz) but allows that third party to send email which authenticates as if it had come from MegaCorp.

Here's how it works.
  1. MegaCorp tells FeedBlitz about the MegaCorp domain it wants FeedBlitz to use for DKIM.
  2. FeedBlitz tells MegaCorp's IT guys what to add to their DNS entries. 
  3. When MegaCorp is ready to roll out their FeedBlitz email marketing automation, they activate their FeedBlitz DKIM delegation in the enterprise area.
  4. From then on, email sent by FeedBlitz on MegaCorp's behalf will be signed using MegaCorp's DKIM set up in step (2), not FeedBlitz's default DKIM keys.
  5. All email received by MegaCorp's subscribers will then be validated using MegaCorp's domain and DKIM parameters, not FeedBlitz's.

The result is that the email FeedBlitz sends on behalf of MegaCorp will be verified using DKIM against MegaCorp's DNS, which is where the public side of the DKIM cryptography equation lives. DKIM delegation therefore meets MegaCorp's IT Security requirements - authentication is done using MegaCorp DNS records. Plus, since DKIM delegation uses a MegaCorp domain, Marketing also wins: It is MegaCorp's domain and their sender reputation that recipients should use to decide the email's ultimate fate. Finally, the corporation wins by saving time, resources and money by outsourcing to FeedBlitz. In one fell swoop all MegaCorp's objectives have been met.

Better yet, outsourced this way, it is also easy for MegaCorp to revoke its DKIM keys simply by changing the relevant DNS entries.  MegaCorp outsources to FeedBlitz, gains all the benefits they were seeking, AND remains in complete control the whole way.  Truly a win all around!
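The lookup behind steps 2 to 5 and the revocation described above, as an added example (not FeedBlitz's code): it derives the DNS name a receiver queries from a delegated signature's `d=` and `s=` tags and classifies the key record it finds there. The domain `megacorp.example`, the selector `feedblitz`, the key placeholder and the dictionaries standing in for DNS are all constructed assumptions.

```python
# Added example: constructed data, standard library only, no network access.
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(dkim_signature):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def key_status(dkim_signature, zone):
    """Classify the signing key as 'active', 'revoked' or 'no-key'.

    `zone` is a dict standing in for DNS TXT lookups (constructed data).
    """
    record = zone.get(key_query_name(dkim_signature))
    if record is None:
        return "no-key"
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "no-key"
    # RFC 6376: a key record with an empty p= tag means the key is revoked.
    return "active" if tags.get("p") else "revoked"

# Constructed signature as the third party would add it after delegation:
# d= names MegaCorp's domain, s= is the selector MegaCorp published in step 2.
DELEGATED_SIG = ("v=1; a=rsa-sha256; d=megacorp.example; s=feedblitz; "
                 "h=from:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

# Constructed views of MegaCorp's DNS before and after revocation.
ZONE_ACTIVE = {"feedblitz._domainkey.megacorp.example":
               "v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER"}
ZONE_REVOKED = {"feedblitz._domainkey.megacorp.example": "v=DKIM1; k=rsa; p="}

if __name__ == "__main__":
    print(key_query_name(DELEGATED_SIG))
    for label, zone in (("active", ZONE_ACTIVE), ("revoked", ZONE_REVOKED)):
        print(label, "->", key_status(DELEGATED_SIG, zone))
```

Because the record lives in MegaCorp's zone, emptying `p=` or deleting the record stops new mail from verifying without any action by the sending service.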

About FeedBlitz Enterprise Features

DKIM delegation is available now as part of FeedBlitz's enterprise feature set, which is priced at a premium over and above our standard list pricing.  Visit FeedBlitz.com and go to My Account / Enterprise to see what's available.

Contact FeedBlitz support for questions about how FeedBlitz can help your business with our powerful email and social media marketing automation.




Blogger Jim Fenton said...

You wrote, "email that purports to come from an organization using DKIM but which, when checked, fails DKIM authentication is almost certainly spam."

Some messaging paths, such as many mailing lists and some forwarders, may break DKIM signatures, so you shouldn't assume that messages with broken signatures are spam. A best practice is to treat these messages as though they were unsigned, which might mean that they receive extra content filtering scrutiny or that their filtering score is lowered as compared with a signed message from a trusted domain.

11:17 PM, March 09, 2010

Blogger Phil Hollows said...

That's true - I have greatly simplified some of DKIM's inherent (and many) complexities here for the sake of my audience. It's true that it is up to the receiving entity to figure out what to do with failed DKIM signatures.

The news here is that we can alter DKIM signatures for *senders* to better match their online brand and reputation as defined by the signing domain.

11:31 AM, March 10, 2010  


© FeedBlitz - Blog and RSS Email Solutions | www.feedblitz.com | info@feedblitz.com | Privacy | Terms of Service
