Send From Email Authentication (DKIM & DMARC)

Overview

Concord sends certain system and product emails on your behalf (for example: notifications, consent or privacy-related messages, and account communications).

To ensure reliable delivery and alignment with modern email security best practices, you may optionally configure DKIM and DMARC for your domain.

This is typically only required if you use stricter DMARC policies (such as p=quarantine or p=reject), or if your internal security policies require authenticated sending.

What Are DKIM and DMARC?

DKIM (DomainKeys Identified Mail)

DKIM cryptographically signs outgoing emails and allows receiving mail servers to verify that:

• The email was authorized by your domain
• The message was not altered in transit

DKIM is configured using DNS records and requires no ongoing maintenance once set up.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving mail servers what to do if authentication fails.

Common DMARC policies include:

Do I Need to Set This Up?

You do not need to configure DKIM if:

• You do not have a DMARC policy
• Your DMARC policy is p=none
• You are not enforcing strict outbound email controls

You should configure DKIM if:

• You use p=quarantine or p=reject
• Your security team requires authenticated email
• You want maximum email deliverability and trust

Recommended Setup (Easy DKIM via CNAME)

For most customers, Concord recommends Easy DKIM using DNS CNAME records.

This method:

• Does not require managing keys
• Does not require sharing sensitive material
• Is fast to set up
• Is fully compatible with strict DMARC policies

How to Configure DKIM (CNAME Method)

Step 1: Request DKIM Records from Concord

Contact Concord support and let us know:

• The domain you send email from (for example: example.com)

We will generate three DKIM CNAME records for your domain.

Step 2: Add the CNAME Records to Your DNS

Add the provided CNAME records to your domain’s DNS provider.

Example

Type: CNAME
Name: abc123._domainkey.example.com
Value: abc123.dkim.amazonses.com

Type: CNAME
Name: def456._domainkey.example.com
Value: def456.dkim.amazonses.com

Type: CNAME
Name: ghi789._domainkey.example.com
Value: ghi789.dkim.amazonses.com

Step 3: DNS Propagation & Verification

• DNS changes typically propagate within minutes, but may take up to 24 hours
• Concord will automatically verify DKIM once records are visible
• No further action is required on your side

About BYODKIM (Bring Your Own DKIM)

Some organizations require full control over DKIM private keys.

In these cases, Concord can support BYODKIM, but it:

• Requires generating and managing DKIM keys on your side
• Requires securely sharing public key details for verification
• Adds operational complexity

If you believe BYODKIM is required due to internal policy, please contact Concord support to discuss next steps.

Updating or Enforcing DMARC

Once DKIM is configured, you may safely enforce stricter DMARC policies such as:

v=DMARC1; p=quarantine; adkim=s; aspf=s;

or

v=DMARC1; p=reject; adkim=s; aspf=s;

If you are unsure what policy to use, we recommend starting with p=none and monitoring DMARC reports before enforcing.

Need Help?

If you’re unsure whether DKIM or DMARC is required for your setup, or want help validating your DNS records, contact Concord support and we’ll be happy to assist.