Our usual advice is that implementing sender authentication is a useful way of avoiding your email being incorrectly flagged as spam (i.e., a “false positive”). So you should implement rDNS, DKIM and SPF.
DKIM (DomainKeys Identified Mail) is an important standard for email sender authentication. It allows a recipient to verify that a message really does come from the sending domain that it claims to have come from. Senders publish a public key for their domain and then cryptographically sign their outgoing email using the corresponding private key. Recipients can then verify the signature, typically as part of the spam filtering process.
DomainKeys is the brand name created by Yahoo, which has a few patents pending and/or granted covering this technology. Yahoo created the technique to combat spam.
The newer DKIM is a similar, but not identical, technique for validating email. It was created by the Internet community at large (the IETF) in response to Yahoo’s DomainKeys. The Internet community balked at Yahoo’s license and decided to create a separate design that works similarly but is not subject to Yahoo’s licensing terms.
Both methods are based on cryptographic message signing. The two efforts have been merged, and the combined specification is known as DomainKeys Identified Mail (DKIM).
The advice for now is clear: senders should continue to generate the older, DomainKeys style of signature.
How does it work?
DKIM allows a signer to attach a digital signature to each message that is being sent. Any verifier receiving a message can easily determine whether the domain that claimed to have signed the message actually did. For example, if you receive a message that has a valid signature from your bank, you can be quite certain that your bank actually did sign that message. The signature can also be used to validate that the contents of the message have not been altered since it was signed.
The signature itself is included in the header of the message (the portion at the top which includes the sender name, the date of the message, and the message subject). Most end users won't even see this header field.
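The content-integrity part of the check described above, as an added example that is not code from the original page: it recomputes the DKIM body hash and compares it with the bh= tag carried in the DKIM-Signature header. It does not verify the b= signature against the published public key, and the header value, domain, selector and message bodies are constructed sample values.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {name.strip(): val.strip() for name, val in pairs}

def canonicalize_body(body, mode):
    """Body canonicalization ('simple' or 'relaxed') as defined in RFC 6376."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash_matches(dkim_value, body):
    """Recompute the body hash and compare it with the signed bh= tag."""
    tags = parse_tags(dkim_value)
    c = tags.get("c", "simple/simple")  # header/body; body defaults to simple
    mode = c.split("/")[1] if "/" in c else "simple"
    data = canonicalize_body(body, mode)
    if "l" in tags:  # l= limits how many body bytes the signer covered
        data = data[: int(tags["l"])]
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    digest = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    return digest == re.sub(r"\s+", "", tags.get("bh", ""))

# Constructed sample: the bh= a signer would compute for this body.
ORIGINAL = b"Your statement is ready.  \r\nRegards,\tBank\r\n\r\n"
BH = base64.b64encode(
    hashlib.sha256(canonicalize_body(ORIGINAL, "relaxed")).digest()).decode()
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
          f"bh={BH}; b=PLACEHOLDER")

if __name__ == "__main__":
    reflowed = b"Your statement is ready.\r\nRegards, Bank\r\n"
    tampered = ORIGINAL.replace(b"ready", b"overdue")
    for name, body in [("original", ORIGINAL), ("reflowed", reflowed),
                       ("tampered", tampered)]:
        print(name, body_hash_matches(HEADER, body))
```

With relaxed canonicalization, whitespace changes made by relays leave the hash intact, while any change to the wording makes the bh= comparison fail.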
If your e-mail still triggers the spam or fraud filters at the recipient’s ISP or mail provider, then your e-mail will still end up discarded or sent to the Spam/Bulk folder. If this is happening, you will need to work directly with the recipient’s ISP or mail provider to find out what is causing your e-mails to be marked as spam.
So what will end users see?
That will depend on the email provider. In most cases end users won't have to see forged email at all — if a message claims to come from their bank, and the bank is using DKIM, but the message isn't properly signed, the forged message will be rejected, quarantined, or otherwise hidden from the user's view.
What are the benefits?
Every legitimate player should see benefits from DKIM. The bad guys, on the other hand, should experience a serious case of heartburn.
Senders of marketing messages will see improved delivery rates
As long as the messages are wanted by the recipient, DKIM will allow them to get through. Spammers and phishers have gotten increasingly clever, creating messages that look more and more like legitimate marketing pieces.
Newsletters are particularly problematic; the only difference between a legitimate newsletter and spam is often whether the recipient has signed up or not.
Using DKIM will not guarantee that your sent mail stays out of the recipient’s spam or bulk mail folder. However, it will greatly increase the likelihood that it does.
Messages are more likely to be delivered to the inbox rather than the spam folder.
Not necessarily. The presence or absence of a valid DKIM signature is unlikely to increase inbox delivery on its own. Having a valid DKIM signature and a good reputation for that sender may result in better inbox delivery. ISPs do not currently offer, and are unlikely to offer, preferential inbox delivery just on the basis of a DKIM signature.
- DKIM is a way to authenticate email.
- Senders with good reputation will be able to take advantage of that reputation no matter what IP address they send mail from.
Test and validate DKIM using: