DEV Community

Sagar Trivedi

Posted on • Originally published at Medium

Email Authentication for Dummies

Email authentication techniques are the ways in which a recipient mail server verifies that the email which is being sent is indeed by the sender it claims to be. It is used to block harmful or fraudulent use of emails like phishing and spam. If you are a newbie trying to understand how emails are authenticated or a marketing manager who gets baffled by terms like DMARC, SPF, DKIM etc., this post is intended for you.

How does email authentication work?

There are many ways of authenticating email, but all of them roughly follow the approach below:

(Figure: How email authentication works)

  1. The sender organization states a policy on how the emails from its domain name can be authenticated and publishes this policy for everyone to read.
  2. The receiver organization authenticates the incoming email against the policy published by the sender and then takes the appropriate action: deliver, flag, or reject the email.

Now let us look at a use case where email authentication is really necessary: sending email through a third-party email provider. For example:

  1. You have a domain foo.com and an email address app@foo.com, and you use a provider like SendGrid to send the emails.
  2. When you send an email from app@foo.com to bar@gmail.com, Gmail receives an email claiming to be from the domain foo.com, but it was actually sent from a domain or IP owned by SendGrid. How can Gmail verify that the email was indeed from foo.com and not from somebody else using SendGrid?
  3. foo.com has published an authentication policy (usually as TXT and CNAME records in its DNS) in which it has authorized SendGrid's servers to send email on its behalf. Gmail looks up the policy and checks whether SendGrid is indeed authorized.
  4. Based on the result of that verification, Gmail decides whether to deliver the email to the inbox, send it to junk, or block it.

There are two major policies for email authentication: SPF and DKIM.

SPF

SPF is used by the email sender to define which IP addresses are allowed to send email on its behalf.

  1. The sender domain publishes a TXT record in a standard format that lists the mail servers authorized to send email on its behalf. This TXT record in DNS is known as the SPF record.
  2. The receiving mail server looks up this record, checks whether the mail server it received the email from is listed as authorized, and takes action accordingly.

DKIM

DKIM is used by the email sender to publish a public key and attach a digital signature to each message, so the receiver can verify that the email was not modified or altered in transit.

  1. The sender publishes a specially formatted cryptographic public key as a TXT record. When sending a message, the sender's mail server generates a DKIM signature over the message and attaches it as a header.
  2. The receiving server fetches the DKIM key and uses it to verify the signature in the header against the message it actually received. If the values match, the message has not been altered or modified.
  3. Now the receiver knows whether the email was sent by an authorized server and whether it has been altered in any way. But how does the sender find out if someone was attempting malicious activity in its name? This is where DMARC comes into the picture.

DMARC

A DMARC record is also a DNS record. It tells the receiver what action to take if the email does not meet the authentication criteria. It contains a URL to which the receiver may send reports about failing (possibly malicious) email, and a policy that says what to do with such email. There are three actions that can be taken:

  • none: just report, take no action
  • quarantine: report and move the message to the junk folder
  • reject: report and bounce the email

DMARC is optional, and a receiving server may choose not to follow it, but lately it has become a de facto standard and almost all major email providers honor DMARC.
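To make the SPF check and the DMARC actions above concrete, here is an added example (not code from the original post) that evaluates a sending IP against a simplified SPF record and then applies the domain's DMARC policy. The DNS zone for foo.com and the provider domain spf.example-provider.net are constructed in-memory records; a real receiver would resolve them over DNS, also check DKIM and identifier alignment, and handle the a/mx/exists/redirect mechanisms this simplified checker omits.

```python
import ipaddress

# Constructed TXT records standing in for the sender's DNS zone (assumed values).
FAKE_DNS = {
    "foo.com": "v=spf1 ip4:203.0.113.0/24 include:spf.example-provider.net -all",
    "spf.example-provider.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.foo.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@foo.com",
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for sender_ip under domain's SPF record (ip4/ip6/include/all only)."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms such as include at 10
        return "permerror"
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # mechanisms default to '+' (pass) when unqualified
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # Version mismatch (v4 address vs v6 network) simply does not match.
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # include matches only if the referenced domain's record yields 'pass'.
            if check_spf(term[8:], sender_ip, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def dmarc_policy(domain, dns=FAKE_DNS):
    """Parse the _dmarc TXT record into its tags, e.g. {'v': 'DMARC1', 'p': 'quarantine', ...}."""
    record = dns.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags if tags.get("v") == "DMARC1" else {}


def disposition(domain, sender_ip, dns=FAKE_DNS):
    """Receiver's action: deliver on SPF pass, otherwise apply the DMARC 'p' tag
    (none -> deliver but report, quarantine -> junk, reject -> bounce)."""
    if check_spf(domain, sender_ip, dns) == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(
        dmarc_policy(domain, dns).get("p"), "deliver")
```

With these records, a message from 198.51.100.9 passes via the provider's include and is delivered, while one from 192.0.2.1 fails SPF and is quarantined per foo.com's DMARC policy.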

To summarise, email authentication is the basic foundation for improving email delivery. That being said, it does not guarantee delivery: shared IPs, email content, receiving server policies, and other factors also play an important part. Maybe a topic for next time.

Sagar T.
