Email Authentication
What is email authentication?
Email authentication is the process of verifying the identity of a message's sender. The goal is to make sure the sender is who they claim to be; in other words, that the message really was sent from, or on behalf of, the domain it says it comes from.
Messages travel from one email server to another over SMTP (Simple Mail Transfer Protocol), and SMTP itself does not verify who is sending. Receiving servers and email filters therefore need a way to decide whether they can trust the sender before the message is delivered to the inbox.
To this end, several validation mechanisms have been standardized to help servers validate these messages. To authenticate a sending domain, three DNS records should be published: SPF, DKIM and DMARC.
1. SPF (Sender Policy Framework)
SPF is a TXT record published in the DNS of the sending domain that lists the IP addresses and hosts authorized to send email on behalf of that domain. The receiving server takes the domain of the envelope sender (the SMTP MAIL FROM address, or the HELO host name when MAIL FROM is empty), fetches that domain's SPF record and checks whether the connecting IP address is on the list. Note that SPF checks the envelope sender, not the visible "From:" header; closing that gap is one of the reasons DMARC exists.
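The following is an added example, not code from the original article, showing how a receiver evaluates an SPF record for a connecting IP address. The domains, IP addresses and DNS records are constructed for illustration and served from an in-memory table instead of live DNS; the `exists`, `ptr` and `redirect` terms, CIDR suffixes on `a`/`mx`, and the limit of 10 DNS-querying terms are omitted.

```python
"""Minimal SPF (RFC 7208) check against a constructed, in-memory DNS table.

Added example, not code from the original article. The domains, IP
addresses and records below are constructed for illustration; a real
receiver resolves them with live DNS queries and must also enforce the
limit of 10 DNS-querying terms and support the exists, ptr and redirect
terms and CIDR suffixes on a/mx, all omitted here.
"""
import ipaddress

# Constructed DNS data: SPF TXT records, A records and MX hosts.
DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    },
    "a": {"mail.example.com": ["203.0.113.5"]},
    "mx": {"example.com": ["mail.example.com"]},
}

# Qualifier prefix of a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_term(term):
    """'-ip4:192.0.2.0/24' -> ('fail', 'ip4', '192.0.2.0/24')."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return QUALIFIERS[qualifier], name.lower(), arg


def _host_addresses(host):
    return [ipaddress.ip_address(a) for a in DNS["a"].get(host, [])]


def _mechanism_matches(name, arg, ip, domain, depth):
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # an address of the other IP version is never inside the network
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return ip in _host_addresses(arg or domain)
    if name == "mx":
        return any(ip in _host_addresses(mx) for mx in DNS["mx"].get(arg or domain, []))
    if name == "include":
        # include matches only if the referenced domain's policy yields "pass"
        return check_spf(str(ip), arg, depth + 1) == "pass"
    raise ValueError("unsupported SPF mechanism: " + name)


def check_spf(ip, domain, depth=0):
    """SPF result for a connection from `ip` whose MAIL FROM domain is `domain`."""
    if depth > 10:
        return "permerror"  # runaway include chain
    record = DNS["txt"].get(domain.lower())
    if record is None:
        return "none"  # the domain publishes no SPF record
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(ip)
    for term in terms[1:]:
        result, name, arg = _split_term(term)
        if _mechanism_matches(name, arg, ip, domain, depth):
            return result
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.5", "198.51.100.10", "2001:db8::1", "198.51.100.99"):
        print(ip, "->", check_spf(ip, "example.com"))
```

The mechanisms are tried left to right and the first match decides the result, so the trailing `-all` (or `~all`) is what turns "not listed" into a fail or softfail; a record without any `all` term yields neutral, which receivers treat much like no record at all. Note that an `include` of a domain whose policy ends in `~all` does not match when the IP is not listed there, so the outer record's `-all` still applies.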
2. DKIM (DomainKeys Identified Mail)
DKIM uses a public/private key pair to sign email messages: the sending server adds a DKIM-Signature header containing a signature, computed with its private key, over selected headers and a hash of the message body. This lets the receiver verify that the message was authorized by the signing domain and that the signed parts have not been altered in transit.
The receiving server fetches the public key from a TXT record in the DNS of the signing domain (at <selector>._domainkey.<domain>, where the selector and domain come from the s= and d= tags of the signature header), recomputes the body hash and checks the signature. If both match, the message passes DKIM.
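The following is an added example, not code from the original article, showing the part of a DKIM check that detects tampering with the message body: the receiver re-canonicalizes the body, hashes it and compares the result with the bh= tag of the DKIM-Signature header, and derives the DNS name where the signer's public key lives. Verifying the b= tag (the RSA signature over the listed headers, which also covers bh=) needs that public key and an RSA library, so it is deliberately left out to keep the example standard-library only. The domain, selector and message contents are constructed for illustration.

```python
"""DKIM body-hash (bh=) verification with relaxed body canonicalization.

Added example, not code from the original article. It re-canonicalizes the
body, hashes it and compares the result with the bh= tag, and computes the
DNS name of the signer's public key. Verifying the b= tag (the RSA signature
over the h= headers, which include bh=) is left out to stay standard-library
only. Domain, selector and message contents are constructed.
"""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # strip trailing whitespace, collapse runs of SP/HTAB to a single SP
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    # ignore empty lines at the end of the body
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes) -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")  # base64 padding keeps its '='
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def split_message(raw: bytes):
    """Return (headers dict, body bytes); folded header lines are unfolded.
    Repeated header names are not handled (the last one wins)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("utf-8")
    headers = {}
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def dkim_key_record_name(tags: dict) -> str:
    """DNS name the receiver queries (TXT) for the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(raw: bytes) -> bool:
    """True if the bh= tag matches the message body as received."""
    headers, body = split_message(raw)
    if "dkim-signature" not in headers:
        return False
    tags = parse_dkim_tags(headers["dkim-signature"])
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    # c=<header>/<body>; a single value means header canonicalization only
    algs = tags.get("c", "simple/simple").split("/")
    if (algs[1] if len(algs) == 2 else "simple") != "relaxed":
        return False  # only relaxed body canonicalization is implemented here
    return tags.get("bh") == body_hash(body)


# Constructed message. Signer side: bh= is computed over the body; b= is left
# empty because this example carries no private key.
BODY = b"Hello   world,\r\nthis is the signed body.\r\n\r\n\r\n"
HEADERS = b"From: alice@example.com\r\nTo: bob@example.net\r\nSubject: DKIM demo\r\n"
DKIM_HEADER = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    b"\ts=sel1; h=from:to:subject; bh=" + body_hash(BODY).encode("ascii") + b";\r\n"
    b"\tb=\r\n"
)
SIGNED_MESSAGE = DKIM_HEADER + HEADERS + b"\r\n" + BODY

if __name__ == "__main__":
    print("key at:", dkim_key_record_name(parse_dkim_tags(split_message(SIGNED_MESSAGE)[0]["dkim-signature"])))
    print("intact:", verify_body_hash(SIGNED_MESSAGE))
    print("tampered:", verify_body_hash(SIGNED_MESSAGE.replace(b"signed body", b"altered body")))
```

Relaxed canonicalization is why mailing lists or gateways that only add trailing blank lines or re-wrap whitespace do not break the body hash, while any change to the words themselves does. A real verifier goes on to canonicalize the headers named in h=, append the DKIM-Signature header with an empty b=, and check the RSA signature with the key fetched from sel1._domainkey.example.com.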
3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM. A DMARC record (a TXT record at _dmarc.<domain>) tells receiving servers what to do with a message that passes neither check: monitor only (p=none), quarantine it (p=quarantine) or reject it (p=reject), and where to send aggregate and failure reports.
It is what actually prevents spoofing of the visible "From:" address, because DMARC requires that the domain authenticated by SPF or DKIM align with the domain in the "From:" header; an SPF or DKIM pass for an attacker's own domain therefore does not help them impersonate someone else's.
DMARC was developed by PayPal together with Google, Microsoft and Yahoo!
4. How messages are authenticated
The full authentication process is complex, but it can be simplified (for better understanding) into the following steps:
- The sender composes the message, clicks send, and the mail client hands the message to the outgoing mail server.
- Before relaying the message, this server authenticates the user's credentials, processes the message, adds the headers (including the DKIM signature, if configured) and transmits it over SMTP to the recipient's server.
- The recipient's server processes the message and queries the DNS of the sender's domain (its SPF, DKIM and DMARC records) to validate that the connecting server and the signature correspond to what that domain has published.
- The destination server also checks the sender's reputation, the connecting IP address, the message content and so on; anti-spam filters and other security policies are applied to decide whether or not to block the message.
- Finally, a message that has been successfully authenticated and has not been blocked is delivered to the recipient's mailbox.
Although simplified, these are in essence the basic steps an email follows from the sender to the recipient.
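The following is an added example, not code from the original article, covering both the DMARC description above and the last receiving steps: it takes the SPF and DKIM outcomes a receiver has already computed, checks identifier alignment against the "From:" domain, and turns the published policy into a disposition (none, quarantine or reject). The domains and DMARC records are constructed for illustration; the organizational-domain logic is simplified (a real implementation consults the Public Suffix List) and the pct= sampling tag is ignored.

```python
"""DMARC evaluation: identifier alignment plus the published policy.

Added example, not code from the original article. Inputs are the SPF and
DKIM results a receiver has already computed; output is the DMARC result
and the disposition. DNS data and domains are constructed for illustration;
organizational-domain derivation is simplified (no Public Suffix List) and
the pct= tag is ignored.
"""

# Constructed DNS: DMARC policies published as TXT records at _dmarc.<domain>.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def organizational_domain(domain):
    """Simplified: the last two labels (example.com for news.example.com).
    Wrong for public suffixes such as co.uk; real code consults the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain that shares the organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    spf_domain is the domain SPF was checked against (the MAIL FROM domain);
    dkim_domain is the d= tag of a DKIM signature that verified."""
    header_from = header_from.lower()
    record = DNS.get("_dmarc." + header_from)
    org = organizational_domain(header_from)
    subdomain_policy = False
    if record is None and org != header_from:
        record = DNS.get("_dmarc." + org)  # fall back to the organizational domain
        subdomain_policy = True
    if record is None:
        return "none", "none"  # no DMARC policy: nothing to enforce
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none", "none"
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= applies to subdomains when the record came from the organizational domain
    policy = tags.get("sp", tags["p"]) if subdomain_policy else tags["p"]
    return "fail", policy


if __name__ == "__main__":
    # Spoof attempt: attacker's own SPF and DKIM pass, but neither aligns with the From: domain.
    print(evaluate_dmarc("example.com", "pass", "attacker.example", "pass", "attacker.example"))
    # Legitimate bounce-domain setup: SPF on bounce.example.com aligns in relaxed mode.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "fail", ""))
```

The spoof case is the one DMARC was designed for: the attacker controls attacker.example, so SPF and DKIM both pass for that domain, yet the message is rejected because the authenticated domain is not the one shown to the user. Note also that a DMARC "fail" under p=none produces no enforcement, only a report, which is why many domains start there and move to quarantine and then reject.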