Breadcrumbs

DKIM & DMARC

For the customer's environment to be able to send emails with the customer's sender address, the customer must set (at least) SPF records. This is done by the Scheer IMC project manager directly at the beginning of the implementation project as part of the enhanced technical setup.

For more information related to SPF records, please check SPF Record .

On top of the default SPF records, many organisations protect their email domains with modern security standards such as DKIM and DMARC.

These standards help:

  • prevent spoofing (someone pretending to send as your domain)

  • reduce spam and phishing

  • improve deliverability of legitimate emails

DKIM (DomainKeys Identified Mail)

In addition to the SPF record, the LMS can sign outgoing emails with a cryptographic signature for the customer’s (sub)domain.
Receiving mail servers can then verify that:

  • the email really comes from a server authorised for that domain

  • the content hasn’t been modified

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC is a DNS policy that the customers can define for their domain.

It tells receiving servers:

  • how strictly to enforce SPF/DKIM and what to do with failing mails (quarantine, spam, reject)

  • where to send reports about misuse of your domain (monitoring)

Typical DMARC policies are:

  • p=none – monitor only, no enforcement

  • p=quarantine – treat failures as suspicious (spam/junk)

  • p=reject – reject failures outright

In practice:

  • Scheer IMC ensures that LMS emails can pass SPF and DKIM for the customer’s domain.

  • the customer's DMARC policy then decides whether those emails are accepted, quarantined, or rejected.

Normally all three are being used together:

  1. SPF – which servers may send for your domain

  2. DKIM – sign your emails

  3. DMARC – define policy and reporting

DKIM Setup

DKIM signing is supported by Scheer IMC when using a dedicated and shared Scheer IMC Mail Server and can be implemented as part of an additional order (additional costs might be involved).

If customers are using the Scheer IMC Mail Server and order DKIM support in addition to SPF:

Scheer IMC:

  • creates the corresponding DKIM key pairs (private and public key) and

  • makes them available to the customer's IT department for storage in the customer.com DNS entry (TXT record or CNAME).

Customer's IT:

  • will publish this DKIM record in the DNS zone of the domain that is used in LMS sender addresses, e.g. lms01._domainkey.learning.customer.com

  • ensures that the entry remains in place and is not removed during DNS clean-ups or migrations

Scheer IMC Mail Server will sign all outgoing emails for that domain with the configured DKIM key.

With this setup, receiving mail servers can verify the DKIM signature. In the email headers you will typically see:

  • a DKIM-Signature: header added by the sending system

  • Authentication-Results: line at the recipient side indicating dkim=pass

:info:

DKIM Setup - If customers choose to send emails via their Mail Server

If customers choose to send via their own SMTP server DKIM is configured entirely on their mail infrastructure:

  • The LMS does not sign emails itself but relies on the customer's mail server for DKIM.

  • All key management and DNS entries for DKIM are under the customer's responsibility

DMARC Setup

DMARC is not a feature of the LMS itself, but of the customer’s DNS and mail domain policy.

Scheer IMC:

  • ensures that mails can pass SPF (SPF include / sending IPs)

  • offers DKIM signing (with additional order, see above)

Customer's IT:
defines and maintains the DMARC policy record in DNS for the domain in the From address

DMARC is effectively “supported” in the sense that LMS mails can be made fully DMARC-compliant (SPF+DKIM alignment).

Customers can safely run even strict DMARC policies (p=reject) once DNS and DKIM are correctly configured

:info:

DMARC Setup - If customers choose to send emails via their Mail Server - SMTP

  • DMARC handling is entirely on the customer side (SPF, DKIM, DMARC configuration on their mail gateway + DNS).

  • The LMS only hands over messages; there is no DMARC logic in the LMS itself.

When to Contact Scheer IMC Support?

The technical setup is generally agreed during the project phase.

Please contact Scheer IMC Support by raising a Service Desk Ticket of type Request when:

  • you plan to introduce or tighten DMARC (e.g. moving to p=reject, highest level of protection) and want to ensure LMS emails remain deliverable

  • you have changed SPF, DKIM or DMARC and notice that LMS emails are being rejected or classified as spam

  • you want to switch between sending via Scheer IMC and sending via your own mail server

  • you require the current SPF to include, DKIM selector, or sending IPs for your LMS instance

  • you plan to change the sender domain (DKIM Setup required for the new domain)

We are happy to coordinate between our technical team and your IT team to ensure that your LMS notification emails continue to reach all intended recipients reliably and in compliance with your organisation’s security policies.

There may be setup costs billed to the customer; there is no monthly fee.

Scheer IMC Consulting will coordinate this and involve the required teams via the Desk-Ticket of type Consulting Request (communication with customer, test email to check if it works, answer customer questions).