Empowering government to build better resident and employee experiences and get more value out of their civic engagement technology.

Learn More
Back To Blog

4 Steps You Should Take to Avoid Email Spoofing

Imagine if a criminal could—with a few quick cosmetic changes—impersonate you so well that even your loved ones couldn’t tell the difference. They’d be able to walk right into your house and steal your personal belongings or ruin the trust you’ve built up in social or professional circles.

The above scenario isn’t some wild idea out of a sci-fi movie: in an increasingly digital world, the threat of email spoofing—where someone pretends to be a trusted source in order to conduct a spam or phishing campaign—is very real.

Unfortunately, the public sector is often used in spoofing, because the trust people place in information from the government makes it a ripe target. Each year, the IRS warns taxpayers of phishing and malware schemes intended to steal personal information by posing as the agency.

But there is a way to prevent this and protect your reputation. It’s called Domain Keys Identified Mail (DKIM). While it might sound a bit technical, it’s relatively easy to set up— especially in Granicus’ govDelivery.

The best way to think of DKIM is like adding a signature to your email’s domain that the public can cross-reference to ensure the message is coming from you. As a bonus, having a DKIM signature reduces the likelihood of the recipient email getting marked as spam, since it helps verify that the message isn’t a phishing scheme.

DKIM applies to the “from address” on your govDelivery account, which is visible under your account settings. If your account uses an address that ends with “public.govdelivery.com” or “service.govdelivery.com,” you don’t need to do anything. In other words, you are already using a “from address” with a DKIM key assigned.

However, if your organization is using a different or customized domain associated, you should follow these steps to ensure you have a certifiable DKIM:

1. Use a Subdomain

Make sure that you aren’t using a top-level domain to send out emails (e.g. something that ends with “@granicus.com”). You should always use a subdomain (“@info.granicus.com”).

2. Talk to Your Company’s Tech Support

Once you’ve established a sub-domain to use, find the person at your organization who has the power to update your Domain Name System (DNS) records electronically. That individual needs to add three records: one Sender Policy Framework and two Mailbox Exchange records.

These records verify that your domain is allowing a certified outside party, like govDelivery, to send emails on its behalf. With this record, the mail server knows that messages from public.govdelivery.com are rerouted to a custom domain.

3. Talk to Granicus Tech Support

Once your DNS settings are updated, write to the Granicus support team (help@granicus.com) in order to request a DKIM key. Our engineers will generate the key and selector and send it back to you. Have the same person that updated your DNS records install the provided key. Then, write back to Granicus support to let us know that the work is complete.

4. Test DKIM

Once we hear back from you, our engineers will test and deploy the new DKIM key to make sure it meets DKIM requirements. If it does, that’s it! You can rest a little easier, knowing that it’s much more difficult for people to spoof emails using your agency or department’s name.

While adding DKIM is a technical, multi-step process, it’s an important part of your email security protocol that can help maintain the reputation of your department or agency, as well as the safety of citizens’ private information.

Do you need additional information about setting up a certified DKIM? Check out our DKIM support page. Or, you can reach out to us at help@granicus.com, and we’ll be sure to address your questions!