Your communications efforts are only effective when they actually reach their target audience. Granicus is continually working to ensure that the critical information your organization distributes reaches your constituents and stakeholders through a multitude of deliverability strategies.
By using active whitelist management, maintaining clean email lists, and adhering to industry best practices, Granicus works steadily to make sure your subscribers receive your communications. Some of the best practices Granicus employs are known as DomainKeys Identified Mail, or DKIM, and Domain-based Message Authentication, Reporting and Conformance, or DMARC.
What Is DKIM?
The acronym DKIM stands for DomainKeys Identified Mail, which is a method of digital verification used to ensure that an email message is authentically associated with the domain name it is sent from.
How Does DKIM Work?
DKIM works by adding a unique token (a digital signature) to the header of an email and publishing a matching key in the DNS (Domain Name System) records for the domain in that email’s from address. Email service providers check that the token in the message matches the key in DNS, in order to verify that the message is indeed coming from the location it claims.
Currently, all outbound emails sent from Granicus have an encrypted token attached to their header. Emails from organizations that use one of Granicus’s sending domains (i.e. public.govdelivery.com) will have a token that matches the token on Granicus’s DNS. Emails from organizations that send email from their own domain name will have a token that will match the token they added to their own organization’s DNS.
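As an added illustration (not Granicus's code), the sketch below shows where a receiver looks for the DNS side of the check described above: it reads the d= and s= tags from a DKIM-Signature header and builds the selector._domainkey.domain lookup name. The header, the selectors and the key values are constructed, and the cryptographic verification of the signature itself is out of scope.

```python
import re

# Constructed header value and DNS data; selectors "s1"/"old" and the keys are made up.
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=subscriptions.youragency.gov; "
          "s=s1; h=from:to:subject:date; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=")
DNS_TXT = {
    "s1._domainkey.subscriptions.youragency.gov": "v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQ=",
    "old._domainkey.subscriptions.youragency.gov": "v=DKIM1; k=rsa; p=",
}

def parse_tags(value):
    """Split a 'tag=value; tag=value' list (signature or key record) into a dict."""
    tags = {}
    for item in value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookup(dkim_signature, dns_txt):
    """Locate the DNS key record a receiver would use to check this signature."""
    sig = parse_tags(dkim_signature)
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in sig]
    if missing:
        return {"status": "permfail", "reason": "missing tags: " + ",".join(missing)}
    # The key lives at <selector>._domainkey.<signing domain>.
    name = f"{sig['s']}._domainkey.{sig['d']}".lower()
    record = dns_txt.get(name)
    if record is None:
        return {"status": "permfail", "name": name, "reason": "no key record"}
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1" or "p" not in key:
        return {"status": "permfail", "name": name, "reason": "malformed key record"}
    if key["p"] == "":
        # An empty p= tag means the domain has revoked this key.
        return {"status": "permfail", "name": name, "reason": "key revoked"}
    return {"status": "key-found", "name": name, "algorithm": sig["a"],
            "signed_headers": sig["h"].lower().split(":")}
```

A key record with an empty p= value is how a domain retires a selector, so signatures that still reference it fail even though the record exists.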
What Are the Benefits of DKIM?
At Granicus, our deliverability rate is first class, and we are working daily to continue our tradition of the highest deliverability rate in the industry. With DKIM, we have implemented a best practice that gives email service providers better confidence in our messaging. This translates to more emails being delivered into the inboxes of more members of the public.
DKIM also increases Granicus’s reputation as a bulk mail sender, meaning emails get delivered faster. Lastly, as government agencies depend on being authoritative and secure, DKIM creates another protective layer in which malicious senders who might attempt to impersonate or send an email as an organization will be weeded out even more efficiently by this verification system.
What Is DMARC?
The acronym DMARC stands for Domain-based Message Authentication, Reporting and Conformance, which is a text record on a domain that advises mail clients how to handle email sent from that domain if it does not pass the DMARC test. This additional security measure builds on the existing security measures of SPF and DKIM records and helps to protect your domain from spoofing and ensure successful delivery of your communications.
How Does DMARC Work?
When email is received by a mail provider, they perform what is known as a DNS lookup on the sending domain for the email. When performing this lookup, mail providers check to verify SPF records and DKIM are present and that the records for the sending domain match the information for the email sender (e.g. that SPF and DKIM “pass” when checked). A DMARC policy tells a mail server what to do if the SPF check (and in some cases the DKIM check) fails to pass. Please note that while DMARC technically only requires SPF records to be validated to pass, some mail clients, including Gmail, require that both SPF and DKIM align to “pass” a DMARC test.
A DMARC record is made up primarily of two parts, a policy (for how to handle emails that fail the DMARC test) and reporting (where to send DMARC email reports to). A policy can be one of the following:
- None – When “None” is set, no special action is taken on emails that fail to pass the DMARC test.
- Quarantine – When an email is received and fails to pass the DMARC test, the mail provider will (typically) place that email into the subscriber’s spam box.
- Reject – When an email is received and fails to pass the DMARC test, the mail provider will reject the message, not allowing delivery to the subscriber.
If implementing DMARC for the first time, it is highly recommended to set a policy of “None” initially and only update to “Quarantine” or “Reject” once DMARC reports have been reviewed and any domain record issues have been resolved.
The last part of a DMARC record indicates where to send DMARC reports to. Mail providers (e.g. Gmail) will send a report of emails received from your domain and whether they failed or passed the DMARC test.
What Are the Benefits of DMARC?
In addition to some mail providers (Gmail) now requiring DMARC policies for bulk senders, DMARC adds an extra layer of protection against the spoofing of your emails. This helps to improve your sending reputation (helping to ensure successful delivery of communications) but also helps to prevent misuse of your domain for malicious activities such as phishing or spam.
How to Add DMARC?
If you are using an @public.govdelivery.com domain for sending from govDelivery, then you are already covered by the DMARC policy on the govdelivery.com domain(s).
If you are using a custom domain, e.g. @subscriptions.youragency.gov for sending from govDelivery, then the DMARC record will need to be added to your domain by the individuals in your org responsible for managing DNS records. Unlike many other DNS records, DMARC will apply to sub-domains unless specifically modified to not do so. This means that if your top-level domain (in the example above this would be “youragency.gov”) has a DMARC record then your sub-domain may inherit that record as well. For DMARC, Granicus Support does not need to provide any records in order to update the DNS record.
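The sub-domain inheritance described above can be checked before sending from a custom domain. This added example (not Granicus's code) parses DMARC TXT records and resolves the policy a receiver would apply, including the standard sp= tag that sets a separate policy for sub-domains. The record contents and the reporting address are constructed, and the caller supplies the top-level (organizational) domain.

```python
# Constructed TXT records for illustration; not real DNS answers.
ZONE = {
    "_dmarc.youragency.gov": [
        "v=spf1 -all",  # unrelated TXT data is ignored
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@youragency.gov",
    ],
    "_dmarc.news.youragency.gov": ["v=DMARC1; p=none"],
}
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt):
    """Return a DMARC record's tags as a dict, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # Simplification: a record without a valid p= tag is ignored.
    return tags if tags.get("p", "").lower() in POLICIES else None

def effective_policy(from_domain, org_domain, zone=ZONE):
    """Resolve the DMARC policy for mail whose From domain is from_domain.

    org_domain is supplied by the caller (an assumption of this example);
    receivers derive it from the Public Suffix List.
    """
    for name in dict.fromkeys((from_domain, org_domain)):
        found = [t for t in map(parse_dmarc, zone.get("_dmarc." + name, [])) if t]
        if len(found) > 1:
            return None  # ambiguous: more than one DMARC record at this name
        if found:
            tags = found[0]
            inherited = name != from_domain
            # A sub-domain falling back to the parent record gets sp= if set.
            policy = tags.get("sp", tags["p"]) if inherited else tags["p"]
            reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
            return {"source": "_dmarc." + name, "policy": policy.lower(),
                    "inherited": inherited, "rua": reports}
    return None
```

With this data, subscriptions.youragency.gov inherits the parent's sub-domain policy, while news.youragency.gov is governed by its own record.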