Monday, March 08, 2010
DKIM (DomainKeys Identified Email) is an email authentication technology that enables recipients to determine whether an email is genuine. (I'm simplifying here, but that's the gist of it). DKIM builds on what's known as public key encryption and domain name technologies, and is being increasingly adopted by ISPs and corporations alike to help decide how best to treat inbound email.
Now, it's important to understand that genuine doesn't mean not spam. Passing DKIM verification just means the email is "real" or "duly authorized". Whether you trust the sender, now that you can prove who they are, is a different matter. Even DKIM-validated mail can still be unsolicited, unwelcome, or junk.
So what's the point?
Actually, there are several. To greatly oversimplify again, one advantage of using DKIM is that email that purports to come from an organization using DKIM but which, when checked, fails DKIM authentication is almost certainly spam. So DKIM enables some smarter filtering by receiving ISPs.
Secondly, DKIM also links a sender's reputation to the sender's domain as opposed to the IP of any individual mail server. So an organization with a good reputation can sign their emails using DKIM and pretty much send them (within reason) from any mail server they please. As long as the recipient's mail server is using DKIM verification (and major ISPs do) then the mail will be provably mapped back to the sender's excellent reputation, and the mail is routed accordingly to the recipient's mailbox.
Thirdly, there's also a benefit in that DKIM allows a recipient to determine whether an email has been tampered with en route, but that's not so important for the purposes of this post.
DKIM and FeedBlitz
DKIM is ultimately a Good Thing and something all reputable senders are (or should be) using already as part of their arsenal of best practices. Amongst other things, FeedBlitz has been signing the emails we send for some time now using DKIM, proving that it's FeedBlitz that's really sending the message. It's easy for a receiving ISP to determine whether an email that says it's from FeedBlitz really is. We have a good reputation and DKIM certainly helps. All our clients reap these rewards. So far, then, so good.
DKIM and the Enterprise
Now, say you work for MegaCorp, Inc., and you want to save time and effort by automating your corporate email updates using FeedBlitz. Yay, right? Not so fast, though - there's a snag. Your IT security team requires all email from the company to be authenticated properly (using MegaCorp DKIM of course), and the marketing team does not want to sacrifice the great reputation they've earned from their best practice in-house efforts. How can MegaCorp outsource (saving time and money) while meeting these constraints?
DKIM Delegation
The answer is DKIM delegation, now available in FeedBlitz's enterprise features area (My Account / Enterprise / DKIM Delegation). DKIM delegation enables outsourcing to a third party (such as FeedBlitz) but allows that third party to send email which authenticates as if it had come from MegaCorp.
Here's how it works.
1. MegaCorp tells FeedBlitz about the MegaCorp domain it wants FeedBlitz to use for DKIM.
2. FeedBlitz tells MegaCorp's IT guys what to add to their DNS entries.
3. When MegaCorp is ready to roll out their FeedBlitz email marketing automation, they activate their FeedBlitz DKIM delegation in the enterprise area.
4. From then on, email sent by FeedBlitz on MegaCorp's behalf will be signed using MegaCorp's DKIM set up in step (2), not FeedBlitz's default DKIM keys.
5. All email received by MegaCorp's subscribers will then be validated using MegaCorp's domain and DKIM parameters, not FeedBlitz's.
Better yet, outsourced this way, it is also easy for MegaCorp to revoke its DKIM keys simply by changing the relevant DNS entries. MegaCorp outsources to FeedBlitz, gains all the benefits they were seeking, AND remains in complete control the whole way. Truly a win all around!
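The lookup a receiving server performs for a delegated signature, and the effect of revoking the key in DNS, shown as an added example (not FeedBlitz's code). The domain megacorp.example, the selector vendor1 and the record contents are constructed assumptions; the exact DNS entries FeedBlitz asks for are not given in this post.

```python
import re

# Constructed DKIM-Signature value: d= is MegaCorp's domain, not the vendor's.
SIG = ("v=1; a=rsa-sha256; d=megacorp.example; s=vendor1; "
       "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")

# Constructed DNS TXT data in MegaCorp's zone, before and after revocation.
ZONE_ACTIVE = {"vendor1._domainkey.megacorp.example":
               "v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEY"}
ZONE_REVOKED = {"vendor1._domainkey.megacorp.example": "v=DKIM1; p="}


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(sig_tags):
    """DNS name the verifier queries for the key: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}".lower()


def key_status(sig_header, zone):
    """Return (query name, 'active' | 'revoked' | 'missing') for a signature."""
    name = key_query_name(parse_tags(sig_header))
    txt = zone.get(name)
    if txt is None:
        return name, "missing"      # record deleted: no key to verify with
    record = parse_tags(txt)
    # An empty p= tag means the key has been revoked (RFC 6376 section 3.6.1).
    status = "active" if record.get("p") else "revoked"
    return name, status


if __name__ == "__main__":
    for label, zone in (("delegated", ZONE_ACTIVE), ("revoked", ZONE_REVOKED)):
        print(label, key_status(SIG, zone))
```

Because the query name is built from the `d=` domain, the key lives in MegaCorp's own zone, so emptying or deleting that one record stops new vendor-signed mail from verifying.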
About FeedBlitz Enterprise Features
DKIM delegation is available now as part of FeedBlitz's enterprise feature set, which is priced at a premium over and above our standard list pricing. Visit FeedBlitz.com and go to My Account / Enterprise to see what's available.
Contact FeedBlitz support for questions about how FeedBlitz can help your business with our powerful email and social media marketing automation.
Labels: DKIM, enterprise, features, FeedBlitz
2 Comments:
You wrote, "email that purports to come from an organization using DKIM but which, when checked, fails DKIM authentication is almost certainly spam."
Some messaging paths, such as many mailing lists and some forwarders, may break DKIM signatures, so you shouldn't assume that messages with broken signatures are spam. A best practice is to treat these messages as though they were unsigned, which might mean that they receive extra content filtering scrutiny or that their filtering score is lowered as compared with a signed message from a trusted domain.
That's true - I have greatly simplified some of DKIM's inherent (and many) complexities here for the sake of my audience. It's true that it is up to the receiving entity to figure out what to do with failed DKIM signatures.
The news here is that we can alter DKIM signatures for *senders* to better match their online brand and reputation as defined by the signing domain.