One of my latest task at work was to configure a domain and little application to allows the company to send emails to its customers. This is something I never worked with before, so there was a lot of struggle on this :) I did learn a lot of things about email authentication, and to make sure I don't forget everything in the next week, I decided to write a little article.
At the beginning, there was SMTP ( Simple Mail Transfer Protocol ). SMTP is a communication protocol used to tranfer mails to mail servers. Like its name indicates, it is simple. Because of this simplicity, something important is lacking, and that thing is email authentication.
Email authentication is a technical solution. With email authentication, you can prove that an email comes from who it claims to be from. It proves that an email is not forged, or faked. If a send you a mail claiming that it's coming from Facebook itself, the standards used for email authentication will prove that I am, in fact, not Facebook ( duh...)
Email authentication protects users from harmful or fraudulent uses of emails like phishing or spam. Phishing is a technique where bad people try to get personal informations from you to usurp you identity.
Let's see the different steps involved in this process:
1- A business/organization that sends email defines a policy. This policy explains the rules by which email sent from its domain name can be authenticated. By following these rules, we can prove if a email is indeed send by said business.
2- The email sender ( business/organization ) configures its mail servers to implement and publish these rules.
3- Mail server ( Gmail, Outlook... ) checks the details of an incoming message with the rules defined by the domain owner to prove its authenticity.
4- The mail server proceeds accordingly depending on the results of its investigation: deliver, flag or reject the message.
Email authentication is enabled by certain standards. DKIM, SPF and DMARC are acronyms that you will most likely hear if you start working with emails. There are the most common email authentication standards. They all take care of different aspects of email authentication.
DomainKeys Identified Mail. Provides an encryption key and digital signature that verifies that en email message was not faked or altered.
Sender Policy Framework. Allows senders to define which IP addresses are allowed to send mail for a particular domain.
Domain-based Message Authentication, Reporting and Conformance. Unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.
These email authentication standards supplements SMTP and most modern email systems support them. They are implemented via the DNS. You would have records in your DNS configuration to specify the standards above for your domain.
Email authentication is something you will have to implement if your business sends emails to its customers ( who doesn't ? ). Hopefully, you'll get a slighly better picture at how these things function together with this little introduction.