Authenticating the Most Important Messages
A few weeks ago, in Don’t Make It Easy For The Phishers, we explained how you can use DKIM to verify that inbound mail claiming to be from your domain really did come from you, and how to configure your filters to treat anything that fails that check with suspicion.
In the real world, however, things can be a bit more complicated. Legitimate third parties (SalesForce, social networks, the third-party benefit sites favored by HR departments) send mail to your users with your domain in the From: line all the time. Keeping track of every one of them can be impractical. Worse, in an ISP environment, you don’t have much control over what your users send, so you can’t expect every message bearing your domain to carry a signature you made.
But that doesn’t mean you can’t still gain some benefit from DKIM.
An easy approach is to separate your mail into multiple categories, multiple streams, each signed with a different key and identified by a different d= value in its DKIM-Signature. For example, you could have d=official.example.net for official corporate messages, d=users.example.net for the general userbase, delegate d=promotions.example.net to an ESP for marketing activities, and so forth. Each signing domain gets its own selector and public key record in DNS (selector._domainkey.official.example.net, and so on), which is what makes the separation meaningful: the ESP only ever holds the key for promotions.example.net, so a compromise or a mistake on their side cannot produce a valid signature for your official stream.
And if you control your users’ mail interface, you can set up filters and rules to highlight the official stream; that way, if a user gets a message that claims to be official yet doesn’t have the highlighting, they’ll know to be suspicious. The rule must key on the verified result, that is, the d= recorded by your own verifier (typically in the Authentication-Results header), not on the DKIM-Signature header itself, since anyone can write a DKIM-Signature header with d=official.example.net; only the signature check proves it.
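The classifier below is an added example, not Return Path’s code or part of the original article. It assumes the border MTA has already verified DKIM and stamped the result in an Authentication-Results header (RFC 5451) whose authserv-id is mx.example.net; the stream domains and the sample messages are constructed to match the article’s example. Messages whose From: domain is ours but that carry no verified stream signature come back as "suspicious", and Authentication-Results headers from any other authserv-id are ignored, so a forged one smuggled in from outside cannot promote a message to the official stream.

```python
"""Classify inbound mail into DKIM-signed streams by the verified d= value.

Added example (not the article's own code). Assumptions, labelled here and in
the comments: our verifier's authserv-id is "mx.example.net", our domain is
"example.net", and the stream domains follow the article's suggestion.
"""
import email
import re
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.net"   # assumption: authserv-id our border MTA writes
OUR_DOMAIN = "example.net"       # assumption: the domain users see in From:

# Signing domain (d=) -> stream label. Constructed to follow the article.
STREAMS = {
    "official.example.net": "official",
    "users.example.net": "users",
    "promotions.example.net": "promotions",   # delegated to an ESP
}

# One Authentication-Results clause: "method=result ..." (comments allowed after).
_CLAUSE = re.compile(r"^\s*(?P<method>[a-z0-9-]+)\s*=\s*(?P<result>[a-z]+)", re.I)
_HDR_D = re.compile(r"header\.d\s*=\s*([^\s;()]+)", re.I)


def passing_dkim_domains(msg):
    """Return the set of d= values that our own verifier marked dkim=pass.

    Authentication-Results headers stamped by any other authserv-id are
    ignored: they may have been added by an untrusted upstream host.
    """
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())            # unfold continuation lines
        authserv, _, rest = value.partition(";")
        parts = authserv.split()                   # authserv-id may carry a version
        if not parts or parts[0].lower() != AUTHSERV_ID:
            continue
        for clause in rest.split(";"):
            m = _CLAUSE.match(clause)
            if not m or m.group("method").lower() != "dkim":
                continue
            if m.group("result").lower() != "pass":
                continue                           # fail/none/neutral: no claim
            d = _HDR_D.search(clause)
            if d:
                domains.add(d.group(1).lower().rstrip("."))
    return domains


def from_domain(msg):
    """Domain part of the From: address, lower-cased ('' if unparsable)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claims_to_be_us(domain):
    return domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN)


def classify(raw):
    """Stream label for a raw RFC 5322 message, 'suspicious' if it claims our
    domain without a verified stream signature, else 'external'."""
    msg = email.message_from_string(raw)
    streams = {STREAMS[d] for d in passing_dkim_domains(msg) if d in STREAMS}
    if streams:
        # A message may carry several valid signatures; the official stream
        # wins because that is what the user interface highlights.
        return "official" if "official" in streams else sorted(streams)[0]
    if claims_to_be_us(from_domain(msg)):
        return "suspicious"
    return "external"


# Constructed sample messages (not real traffic).
OFFICIAL = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=official.example.net header.s=corp2013;
 spf=pass smtp.mailfrom=bounces.example.net
From: HR <hr@example.net>
Subject: Benefits enrollment closes Friday

See the intranet for details.
"""

# Forged Authentication-Results from an untrusted host, plus our own
# verifier's honest verdict: no DKIM signature at all.
FORGED = """\
Authentication-Results: evil.example.org; dkim=pass header.d=official.example.net
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=example.net
From: "Corporate IT" <it@example.net>
Subject: Urgent: validate your password

Click here.
"""

PROMO = """\
Authentication-Results: mx.example.net;
 dkim=pass (2048-bit key) header.d=promotions.example.net header.s=esp1
From: Example Deals <news@example.net>
Subject: This week's offers

Offers.
"""

EXTERNAL = """\
Authentication-Results: mx.example.net; dkim=pass header.d=example.com
From: partner@example.com
Subject: Invoice

Attached.
"""

if __name__ == "__main__":
    for name, raw in [("OFFICIAL", OFFICIAL), ("FORGED", FORGED),
                      ("PROMO", PROMO), ("EXTERNAL", EXTERNAL)]:
        print(name, "->", classify(raw))
```

In a real deployment the same logic lives in the delivery agent or a Sieve rule rather than a script, and the border MTA must strip any Authentication-Results header bearing your own authserv-id before adding its own; the authserv-id check here is the second line of defence, not a substitute for that.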
Whether you use one d= value or many, Return Path’s Domain Assurance tool can help you monitor what those (and other) messages are doing. Our monitoring dashboard will show you which mail streams have authentication set up correctly and which don’t, and which external streams claiming to be you need to be brought under control. Contact us for more info, and be sure to mention this article.