Email Authentication: How it Works, Importance, and Protocols

Written by Alyssa Towns | Dec 20, 2024 7:38:36 AM

Imagine receiving emails from anyone without knowing if the sender is legitimate. How would you know which ones to trust? Which emails would you respond to and why?

Distinguishing between fraudulent and legitimate emails would confuse anybody. Fortunately, email authentication handles most of the grunt work. 

It helps email providers determine whether an email is from the person who claims to have sent it. If the provider feels confident that the sender is who they say they are, the chances increase that the provider will deliver the email to the intended recipient. 

Providers count Domain-based Message Authentication, Reporting, and Conformance (DMARC) as one of the best email authentication protocols. Organizations use DMARC software to verify that emails from their company domain are authenticated against DomainKeys Identified Mail (DKIM) and Sender-Policy Framework (SPF) standards.

How do I authenticate my email? 

To authenticate your email, follow the steps below:

  • Choose a professional email address to enhance your credibility and establish trust.
  • Set up Sender Policy Framework (SPF) to specify which IP addresses can send emails on your behalf.
  • Implement DomainKeys Identified Mail (DKIM) to digitally sign your outgoing emails and ensure message integrity.
  • Configure Domain-based Message Authentication, Reporting & Conformance (DMARC) to combine SPF and DKIM and create a comprehensive email authentication framework.
  • Consider optional authentication methods like BIMI for visual trust through logos or ARC for maintaining authentication with intermediaries.
  • Monitor and adjust settings regularly to maintain consistent email security and reliability.

Why is email authentication necessary?

Email authentication aims to prevent obvious fraudulent activity, like scamming attempts, but there are some more subtle reasons why organizations should prioritize effective email authentication techniques. 

It reduces the risk of phishing and spoofing attempts

Implementing email authentication helps reduce the risk of phishing and spoofing. Without email authentication practices, anyone could email whomever they wanted to at any time. While this still happens occasionally, it would be nearly impossible to determine whether a person emailing you is who they claim to be without proof of identification.

It improves email deliverability

Authenticating emails tries to catch spam and other suspicious messages. An unauthenticated email is more likely to be flagged as spam or rejected entirely. Increasing the odds of your email deliverability goes a long way in ensuring our emails reach the right people. 

It protects a brand's image

Far too often, someone with less-than-great intentions creates an email address similar to an organization's in order to present themselves as an employee and commit fraudulent behaviors like requesting gift cards or money for “urgent” matters. The email may only vary by one or two characters.

Situations like these can damage a brand’s reputation and image. Businesses may lose the trust of their current and potential customers. While these situations aren’t entirely preventable, email authentication can help decrease their likelihood.  

Email authentication protocols

Email authentication works by verifying the legitimacy of an email sender using Domain Name System (DNS) records. The three main email authentication methods that get the most use, each with varying levels of security and DNS setup are mentioned below. 

Sender Policy Framework 

SPF tells email servers who can send emails on behalf of a domain. This method allows domain owners to specify which IP addresses they trust. 

SPF records work like this:

  • You turn on SPF for your domain and add your record to your domain’s DNS settings. 
  • Then, a user on your domain sends an email to an intended recipient.
  • The intended recipient’s provider checks the SPF record to verify the source and legitimacy of that email by determining if it came from an approved IP address .
  • The email provider establishes whether the email should pass through to the recipient and land in their inbox or go to the spam folder.

Source: Mailtrap

While SPF records support authentication, they aren’t foolproof or accurate all of the time, meaning emails that spam might end up in the recipient’s inbox and legit messages might go to spam. Forwarded emails can also cause authentication failures because a user forwards the message from a new IP address for the first time. It’s likely not included in the original sender’s SPF record.

DomainKeys Identified Mail

DKIM uses public and private key cryptography to verify an email sender's legitimacy for its domain. For verification, it matches a public key stored in the DNS records with a private key in the email, similar to a unique digital signature. 

Here’s how DKIM works: 

  • The public key is stored in the domain’s DNS records so receiving servers can access it. 
  • A user sends an email to an intended recipient. DKIM automatically “signs” the email with a private key. 
  • The receiving provider accesses the public key in the DNS settings and attempts to match it to the private key in the email.
  • If the keys match, the provider authenticates the email and confidently delivers it to the intended recipient. 

Source: Mailtrap

Unlike SPF records, DKIM signatures are not typically affected by mail forwarding as long as the forwarder doesn’t drastically alter the email content. 

Domain-based Message Authentication, Reporting, and Conformance

DMARC builds upon the SPF and DKIM validation methods to allow domain owners to specify policies for emails that fail verification points. In other words, DMARC tries to verify an email, and if it can’t, it determines how to handle the email based on what the domain owner has outlined in the policies. 

Here’s how DMARC works:

  • A user sends an email from a company domain with a DMARC policy.
  • The recipient’s email server performs SPF and DKIM checks to validate whether the sender is authorized to send an email on behalf of that domain.
  • During this process, DMARC is looking for:
    • DKIM pass 
    • SPF pass
    • DKIM alignment, meaning the domain the DKIM signature matches the domain in the “From:” header 
    • SPF alignment, meaning the domain in the “From:” header matches the domain in the SPF record
  • If the email passes DMARC, the recipient will receive the email.
  • If the email fails DMARC, the recipient’s email server can determine how to handle failed tests based on what the domain owner’s policy specifies, which includes the following.
    • Rejecting the email and discarding it completely 
    • Quarantining the email by sending it to spam 
    • No action; emails delivered 

Source: Mailtrap

For DMARC to pass, SPF or DKIM must clear the check and the domain used by SPF or DKIM must align with the domain of the email sender’s address in the “From:” line. Possible outcomes include:

  • If both SPF and DKIM checks pass and align, DMARC passes.
  • If SPF passes and aligns, and DKIM does not pass or align, DMARC passes. 
  • If DKIM passes and aligns, and SPF does not pass or align, DMARC passes. 
  • If SPF passes but does not align, and DKIM does not pass or align, DMARC fails. 
  • If DKIM passes but does not align, and SPF does not pass or align, DMARC fails.
  • If SPF and DKIM fail, DMARC fails.

If you want to explore more about DMARC and try it with your domain, check out the “Learn and Test DMARC” console as an excellent place to start. You can send an email and walk through a visual demonstration of how email servers communicate and run SPF, DKIM, and DMARC checks. 

Other email authentication methods

Below are some other methods for verifying the sender’s identity and enhancing email security.

  • Brand Indicators for Message Identification (BIMI) allows senders to display their logo next to authenticated emails. However, it only works with DMARC compliance and a validated logo.
  • Authenticated Received Chain (ARC) adds authentication for all intermediaries to maintain trust in the email’s origin.
  • Sender ID works like SPF and identifies mismatched signals. It however requires a published SPF record to operate.
  • Author Domain Signing Practices (ADSP) which can used as an extension to DKIM.
  • Vouch by Reference (VBR) verifies the legitimacy of email senders by referencing trusted third-party endorsements.
  • IP reverse lookup (iprev) ensures whether the IP’s DNS is correctly configured. However, it doesn’t determine trustworthiness.
  • DNS Whitelist (DNSWL) is a trusted sender list that flags safe emails. It is another complementary authentication method that shouldn't be entirely relied upon.

How to do an email authentication check

Conducting regular email authentication checks makes sure your setup is functioning correctly, and your emails are secure and validated. There are several steps you can take to check email authentication. Here are a few:

  • Use dedicated tools for email authentication testing. You can choose tools like MxToolbox to see how your SPF, DKIM, and DMARC setup is performing. If you use Gmail, the Google Postmaster Tools dashboard can help monitor authentication and information about outgoing emails.
  • Send a test email from the domain you want to test. In Gmail, open the message, click ‘more’ next to the reply icon, and select ‘show original’. This will display the full message headers, including SPF, DKIM, and DMARC authentication results. If all protocols show ‘PASS’, your setup is correct.
  • Review your logs for any DKIM-related errors to spot and fix any issues with your setup.

Top 5 DMARC software

Marked as spam

Email providers use email authentication to validate an email’s sender. When you don’t authenticate your domain’s email addresses, your emails may not reach your intended recipient. Protect yourself and your organization against phishing attempts and a damaged reputation with SPF, DKIM, and DMARC.

Know how to recognize phishing attacks so you can prevent them.

View full post