Enhance email deliverability and security for Australian SMB: DKIM and DMARC

Email has become an essential communication channel for most Australian businesses. Over the years there have been many improvements and additional changes to improve security. Some of these changes are implemented automatically, by your email provider. Others require additional setup, configuration, and monitoring.

In this digital age, Australian small businesses must prioritise email security to protect their business and reputation. Implementing a solution such as DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) should not be an afterthought; it should be a strategic move to safeguard your business.

What is spoofing and Phishing?

Email spoofing refers to an attacker impersonating a trusted domain name. They will attempt to use the domain name to send malicious emails. This means that the address you see will look like it came from a trusted source such as a bank, AusPost, a delivery service, or even a business you have dealings with.

Contained in the Spoofed email, is usually a phishing attack. These are designed to deceive and trick you into taking some form of action. Such as clicking a malicious link, logging into a fake system to gain your login credentials or making a financial transfer.

What are DNS records?

A DNS record is a human readable domain name that points to an address that a computer can use. It will translate for example “fordhamit.com.au” into

There are many different types of DNS records, however the most common functions they serve are pointing your domain name to your website, telling mail servers where to send your email, and telling mail servers who can send email on your behalf.

SPF (Sender Policy Framework)

Before implementing DKIM and DMARC, you need to have the most basic authentication method in place. An SPF record is a list of all the providers and IP addresses that are allowed to send email as your domain name. Think of it like a guest list, any server not on the guest list isn’t allowed to send.

Without an SPF record, anyone can send email from your domain (the part of the address after the “@” symbol). They can impersonate you and trick a recipient into opening emails or sharing information that they otherwise would not.

If you use a business email service such as Microsoft 365 or Google Workspace, you will be asked to add an SPF record during setup. Just be sure not to remove them; or when you update them, ensure they are still valid.

DKIM (DomainKeys Identified Mail)

Like SPF, DKIM is used to prevent spammers and malicious actors from impersonating your domain (the part of the address after the “@” symbol) in emails.

DKIM consists of 2 parts. Like SPF there are DKIM records. These records store the public key, this is a randomised string of characters that is used to verify emails that are signed with the private key.

The second part is the DKIM header. All emails sent from your domain have a DKIM header, contained in this header is a digital signature; this is a section of the header that has been signed by the DKIM private key.

When an email server receives an email from your domain, it can then use the DKIM public key to verify the email is legitimate and has not been tampered with or altered.


DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC determines what happens to emails that are deemed spoofed or illegitimate. After a mail server has used DKIM and SPF to verify the email received; DMARC determines to how to handle these emails.

Using a DMARC record you can specify how emails that fail SPF and DKIM are handled, you can choose to outright reject them, send them to quarantine or allow them.

DMARC can also be used for reporting and allow you to see what emails are being blocked and get a better understanding of how your policies are working. At FordhamIT we setup extensive logging and reporting capabilities, allowing you to monitor all aspects of the process.


Final Thoughts

Setting up DKIM and DMARC may seem daunting, but that’s where we can help. We can guide you through the process from initial setup and configuration, to monitoring and reporting. By choosing an email service that supports these protocols, creating the necessary DNS records, and monitoring the systems in place, we can help Australian small businesses enhance their email security posture.