DEV Community

Damien Cosset

Email Authentication

Introduction

One of my latest tasks at work was to configure a domain and a small application so that the company could send emails to its customers. This is something I had never worked with before, so there was a lot of struggle involved :) I learned a lot about email authentication along the way, and to make sure I don't forget it all within a week, I decided to write a short article.

The basics: SMTP

At the beginning, there was SMTP (Simple Mail Transfer Protocol). SMTP is the protocol used to transfer mail between mail servers. As its name indicates, it is simple, and because of that simplicity something important is missing: sender authentication. Nothing in plain SMTP stops a sender from putting any address it likes in the envelope sender (MAIL FROM) or in the From header of the message.

Email authentication is the technical answer to that gap. With it, a receiving server can check that an email really comes from the domain it claims to come from, and that it was not forged or altered in transit. If I send you a mail claiming to come from Facebook, the email authentication standards let your mail server determine that I am, in fact, not Facebook (duh...).

Email authentication protects users from harmful or fraudulent uses of email such as phishing and spam. Phishing is a technique where attackers impersonate a trusted sender to trick you into handing over personal information, typically to take over your accounts or steal your identity.

Email authentication: How does it work?

Let's look at the different steps involved in this process:

1- A business/organization that sends email defines a policy. This policy states the rules by which email sent from its domain name can be authenticated. By following these rules, a receiver can verify whether an email was indeed sent by that business.

2- The email sender (business/organization) publishes these rules in the DNS for its domain and configures its mail servers to comply with them (for example, by signing outgoing mail).

3- The receiving mail server (Gmail, Outlook...) checks the details of an incoming message against the rules published by the domain owner to verify its authenticity.

4- The receiving mail server acts on the result of that check: it delivers, flags or rejects the message.

Email authentication is provided by a few standards. DKIM, SPF and DMARC are acronyms you will most likely hear as soon as you start working with email. They are the most common email authentication standards, and each takes care of a different aspect of the problem.

DKIM

DomainKeys Identified Mail. The sending server signs selected headers and the message body with a private key, and the domain owner publishes the matching public key in DNS (at selector._domainkey.example.com). The signature, carried in a DKIM-Signature header, lets a receiver verify that the message was really signed by that domain and was not altered in transit. Note that DKIM signs the message; it does not encrypt it.
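As an added example (not code from the original article), here is the body-hash half of DKIM verification in Python, following RFC 6376: canonicalize the body, hash it, and compare the result with the bh= tag of the DKIM-Signature header. A real verifier also checks the b= tag, a signature over the selected headers, against the public key fetched from selector._domainkey.domain; that step needs a key pair and is left out here. The message, domain and selector below are constructed for the example.

```python
"""Added example (not from the original article): the body-hash half of DKIM
verification per RFC 6376. The b= signature check over the headers, which
needs the public key from <selector>._domainkey.<domain>, is not done here."""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization. 'simple' only drops empty lines at the end
    of the body; 'relaxed' also strips trailing whitespace and collapses runs
    of whitespace inside each line. Lines are CRLF-terminated."""
    lines = body.split(b"\r\n")
    if lines and lines[-1] == b"":  # body ended with CRLF (or was empty)
        lines.pop()
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization: %s" % mode)
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:  # empty body: CRLF for simple, empty string for relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """base64(SHA-256(canonicalized body)), i.e. the value of the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict. Folding whitespace inside values is
    dropped, which RFC 6376 allows for b= and bh=."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def dns_key_name(tags: dict) -> str:
    """Where a verifier fetches the public key: <s>._domainkey.<d>"""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def split_message(raw: bytes):
    """Return (unfolded header lines, body) of a CRLF-delimited message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)  # join folded header lines
    return unfolded.decode("ascii").split("\r\n"), body


def verify_body_hash(raw: bytes) -> bool:
    """True if the bh= tag matches the hash of the canonicalized body."""
    headers, body = split_message(raw)
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            tags = parse_dkim_tags(value)
            # c=<header>/<body>; the RFC default is simple/simple, and a lone
            # 'relaxed' means relaxed headers with a simple body.
            body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
            return body_hash(body, body_mode) == tags.get("bh")
    return False  # unsigned message: nothing to verify


# Constructed sample. The sender computes bh= over the body it is about to
# send; b= is a placeholder where a real signer puts the header signature.
SAMPLE_BODY = b"Hello Alice,\r\n\r\nYour order has shipped.   \r\n\r\n"
SAMPLE_MESSAGE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    + b"\ts=mail2024; h=from:to:subject; bh="
    + body_hash(SAMPLE_BODY).encode("ascii") + b";\r\n"
    + b"\tb=PLACEHOLDER\r\n"
    + b"From: shop@example.com\r\n"
    + b"To: alice@example.org\r\n"
    + b"Subject: Your order\r\n"
    + b"\r\n"
    + SAMPLE_BODY
)

if __name__ == "__main__":
    print("intact:  ", verify_body_hash(SAMPLE_MESSAGE))
    print("tampered:", verify_body_hash(SAMPLE_MESSAGE.replace(b"shipped", b"been cancelled")))
```

Two things worth noticing when you run it: with relaxed canonicalization, a relay that strips trailing spaces from a line does not break the hash, while changing a single word of the body does; and the verifier never trusts anything in the header until the b= signature over those headers (including bh=) has been checked against the key in DNS.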

SPF

Sender Policy Framework. Allows a domain owner to publish which IP addresses (or which other domains' records) are allowed to send mail for that domain. The receiving server looks up the SPF record of the domain in the envelope sender (MAIL FROM), not the From header the user sees, and checks whether the connecting IP address is listed.
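To show what a receiver actually does with an SPF record, here is an added example (not code from the original article): a small SPF evaluator in Python in the spirit of RFC 7208, run against constructed DNS TXT records for documentation domains. It handles the ip4, ip6, include and all mechanisms with their qualifiers and the 10-lookup limit; a, mx, exists, ptr and redirect are not implemented and are reported as permerror.

```python
"""Added example (not from the original article): a minimal SPF evaluator
(RFC 7208 subset) over constructed DNS records."""
import ipaddress

# Constructed TXT records for the example (documentation domains and IPs).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8:abcd::/48 ip4:198.51.100.25 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # include cycle
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def envelope_domain(mail_from: str) -> str:
    """SPF is evaluated on the envelope sender (SMTP MAIL FROM, later seen
    as Return-Path), not on the From header shown to the user."""
    return mail_from.rsplit("@", 1)[1].lower()


def check_host(ip: str, domain: str, records=SPF_RECORDS, lookups=None) -> str:
    """Evaluate the SPF record of `domain` for the connecting IP `ip`.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if lookups is None:
        lookups = [0]  # lookup counter shared across include: recursion
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # the default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            matched = addr.version == net.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying terms
            sub = check_host(ip, arg, records, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            matched = sub == "pass"  # only a pass from the include matches
        else:
            return "permerror"  # mechanism not handled by this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # fell off the end without an 'all' term


def spf_for_message(ip: str, mail_from: str, records=SPF_RECORDS) -> str:
    """What a receiver computes for one SMTP transaction."""
    return check_host(ip, envelope_domain(mail_from), records)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "2001:db8:abcd::1", "192.0.2.1"):
        print(ip, spf_for_message(ip, "bounces@example.com"))
```

The loop.example record is there to show why the lookup limit matters: without it, an include cycle (or a record that includes half the internet) would make the receiver recurse forever or issue unbounded DNS queries, and real receivers return permerror exactly as this does.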

DMARC

Domain-based Message Authentication, Reporting and Conformance. Builds on SPF and DKIM: a message passes DMARC when at least one of them passes and the domain it authenticated is aligned with the domain in the From header. The DMARC record lets domain owners declare how receivers should handle mail from that domain when the check fails (none, quarantine or reject) and where to send aggregate reports about what they saw.

These email authentication standards supplement SMTP, and most modern email systems support them. They are published through DNS: you add TXT records to your domain's DNS configuration to declare your SPF policy, your DKIM public keys and your DMARC policy.
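The following is an added example (not code from the original article) that ties steps 3 and 4 of the process above to the DMARC paragraph: given the SPF and DKIM results a receiver already has, it looks up the DMARC record published in DNS, checks identifier alignment against the From header domain, and returns the disposition. The record, domains and results are constructed for the example, and the organizational-domain rule is simplified to "the last two labels" (real receivers use the Public Suffix List).

```python
"""Added example (not from the original article): DMARC evaluation as a
receiver does it (RFC 7489), over constructed records and results."""

# Constructed DNS TXT record: a DMARC policy lives at _dmarc.<domain>.
DMARC_RECORDS = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def organizational_domain(domain: str) -> str:
    """Assumption for this example: the organizational domain is the last two
    labels. Real receivers consult the Public Suffix List, so that e.g.
    shop.example.co.uk maps to example.co.uk rather than co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record: str):
    """'v=DMARC1; p=...; ...' -> dict with RFC 7489 defaults filled in, or
    None if the record is not usable (which is treated as 'no policy')."""
    tags = {}
    for item in record.split(";"):
        k, _, v = item.partition("=")
        if k.strip():
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in DISPOSITION:
        return None
    tags.setdefault("adkim", "r")     # relaxed alignment unless told otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def find_dmarc_record(from_domain: str, records=DMARC_RECORDS):
    """Query _dmarc.<From domain>, then fall back to the organizational domain."""
    for d in (from_domain, organizational_domain(from_domain)):
        rec = records.get("_dmarc." + d.lower())
        if rec and rec.startswith("v=DMARC1"):
            return rec
    return None


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the From
    domain; relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   records=DMARC_RECORDS):
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM domain SPF was evaluated on; dkim_domain is
    the d= of a signature that verified. A pass only counts for DMARC when
    that domain is aligned with the From header domain, which is what stops
    an attacker from passing SPF for their own domain while spoofing ours."""
    record = find_dmarc_record(from_domain, records)
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return ("none", "deliver")  # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    # p= applies to the organizational domain itself, sp= to its subdomains.
    # pct= sampling is ignored here; it only scales how often the action applies.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    action = policy["sp"] if is_subdomain else policy["p"]
    return ("fail", DISPOSITION.get(action, DISPOSITION[policy["p"]]))


if __name__ == "__main__":
    # Spoof attempt: attacker's own MAIL FROM passes SPF, but is not aligned.
    print(evaluate_dmarc("example.com", "pass", "attacker.example", "none", None))
    # Legitimate bounce subdomain with relaxed SPF alignment.
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "none", None))
```

The fourth case in the test below is the one that matters most in practice: SPF on its own says "pass" for the attacker's envelope domain, and only the alignment check in DMARC turns that into a reject for mail that claims to be From example.com.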

Conclusion

Email authentication is something you will have to implement if your business sends emails to its customers (who doesn't?). Hopefully this short introduction gives you a slightly better picture of how these pieces fit together.

Have fun!

Oldest comments (3)

Jason C. McDonald • Edited

I created a script for managing DKIM keys on Linux, and I've been using it in prod for about a year now. For me, it's been quite helpful for generating and rotating keys.

CodeMouse92 / dkim_manage

OpenDKIM Manager

A script to automate most tasks associated with OpenDKIM key rotation.

Credits

  • Written by Jason C. McDonald (@CodeMouse92) for MousePaw Media.
  • Perl code written by Kerin Millar (@kerframil).
  • Additional feedback by Dorian Harmans (@woohooyeah).

Setup

System Requirements

OpenDKIM is designed to work in the Linux BASH (not SH) with minimal dependencies. It works with OpenDKIM, and therefore depends on that being installed on the system. The script also uses Perl for one regex-replacement task.

Installing

We recommend that the dkim_manage file be placed in a dedicated scripts folder, such as /opt/scripts/root_scripts. Place dkim_manage into the directory in question, and then change its owner and permissions:

$ chown root:root dkim_manage
$ chmod +x dkim_manage

Next, create a new file in that same folder called domains.conf. (See our example in domains.conf.example) In that file, list each of the domains that OpenDKIM is signing for, one per…

Damien Cosset

Will check it out!

Ивелин Тенев

One more email authentication system:

en.wikipedia.org/wiki/Authenticate...