Introduction
One of my latest tasks at work was to configure a domain and a little application to allow the company to send emails to its customers. This is something I had never worked with before, so there was a lot of struggle on this :) I learned a lot of things about email authentication, and to make sure I don't forget everything by next week, I decided to write a little article.
The basics: SMTP
At the beginning, there was SMTP (Simple Mail Transfer Protocol). SMTP is a communication protocol used to transfer mail to mail servers. As its name indicates, it is simple. Because of this simplicity, something important is lacking, and that thing is email authentication.
Email authentication is the technical solution to that gap. With email authentication, you can prove that an email comes from who it claims to be from, i.e. that it is not forged or faked. If I send you a mail claiming that it comes from Facebook itself, the email authentication standards will prove that I am, in fact, not Facebook (duh...).
Email authentication protects users from harmful or fraudulent uses of email such as phishing or spam. Phishing is a technique where attackers try to get personal information from you in order to usurp your identity.
Email authentication: How does it work?
Let's see the different steps involved in this process:
1- A business/organization that sends email defines a policy. This policy states the rules by which email sent from its domain name can be authenticated. By following these rules, a receiver can prove whether an email was indeed sent by said business.
2- The email sender (business/organization) configures its mail servers and DNS to implement and publish these rules.
3- The receiving mail server (Gmail, Outlook...) checks the details of an incoming message against the rules defined by the domain owner to prove its authenticity.
4- The mail server proceeds according to the result of its investigation: deliver, flag or reject the message.
Email authentication is enabled by certain standards. DKIM, SPF and DMARC are acronyms that you will most likely hear if you start working with email. These are the most common email authentication standards, and each takes care of a different aspect of email authentication.
DKIM
DomainKeys Identified Mail. Provides a cryptographic key (published in DNS) and a digital signature on the message that verify that an email was not faked or altered in transit.
SPF
Sender Policy Framework. Allows senders to define which IP addresses are allowed to send mail for a particular domain.
DMARC
Domain-based Message Authentication, Reporting and Conformance. Unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.
These email authentication standards supplement SMTP, and most modern email systems support them. They are implemented via DNS: you publish records in your domain's DNS configuration that specify each of the standards above for your domain.
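As an added example (not part of the original post), here is how a receiving server might put these records together: a small SPF evaluator for the ip4/ip6/all mechanisms plus a DMARC policy lookup, run over constructed TXT records for the hypothetical domain example.test instead of a live DNS query.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain (example.test is a
# reserved name, the addresses are documentation ranges); replaces a DNS lookup.
DNS_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ~all",
    "_dmarc.example.test": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record (a subset of RFC 7208).

    Terms are checked left to right; the qualifier of the first matching
    mechanism decides the result, which is why '~all' or '-all' goes last.
    """
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # An IPv6 sender never falls inside an ip4 network, and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            matched = mech == "all"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if there is none."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else None

def disposition(domain, sender_ip, dkim_pass):
    """Decide deliver/flag/reject for mail whose From: domain is `domain`.
    Assumes envelope sender and DKIM d= both equal `domain` (DMARC alignment),
    so a passing SPF or DKIM result is enough to authenticate the message."""
    if spf_result(domain, sender_ip) == "pass" or dkim_pass:
        return "deliver"
    return {"reject": "reject", "quarantine": "flag"}.get(dmarc_policy(domain), "deliver")
```

Note that a message from an address outside the SPF list with a broken DKIM signature ends up flagged here only because the domain published p=quarantine; with no DMARC record a softfail alone changes nothing.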
Conclusion
Email authentication is something you will have to implement if your business sends emails to its customers (who doesn't?). Hopefully, this little introduction gives you a slightly better picture of how these things function together.
Have fun!
Top comments (3)
I created a script for managing DKIM keys on Linux, and I've been using it in prod for about a year now. For me, it's been quite helpful for generating and rotating keys.
CodeMouse92 / dkim_manage
A script to automate most tasks associated with OpenDKIM key rotation.
OpenDKIM Manager
Setup
System Requirements
OpenDKIM is designed to work in the Linux BASH (not SH) with minimal dependencies. It works with OpenDKIM, and therefore depends on that being installed on the system. The script also uses Perl for one regex-replacement task.
Installing
We recommend that the dkim_manage file be placed in a dedicated scripts folder, such as /opt/scripts/root_scripts. Place dkim_manage into the directory in question, and then change its owner and permissions. Next, create a new file in that same folder called domains.conf. (See our example in domains.conf.example.) In that file, list each of the domains that OpenDKIM is signing for, one per…
Will check it out!
One more email authentication system:
en.wikipedia.org/wiki/Authenticate...