What is email authentication? Simply speaking, you confirm your identity as a sender when you authenticate your emails. Email authentication is a collection of techniques that provide verifiable information about the received email. It verifies the domain ownership of the message transfer agent which participated in the transfer of an email message. Without authentication, spoofers and spammers have a far easier possibility to impersonate you and cause harm to your reputation. Your reputation? Yes, email authentication also benefits your email reputation. You improve email deliverability by authenticating your emails. With that, you reassure the email servers of your identity and get your emails delivered to primary inboxes without an issue. If you wish to improve , we recommend reading that article for comprehensive guidance. email deliverability How does email authentication work? While the entire email authentication process occurs behind the scenes, the are set by the senders. Those authentication policies define the regulations by which an email can be authenticated. The sender configures the email server and technical infrastructure to conform to those policies. authentication policies Once an email server receives an email it conducts the email authentication process by investigating the details of the received email and comparing them to the defined rules of the domain owner. Afterwards, the email is either delivered to the primary inbox, sent to the spam section or sometimes even flagged or rejected. Without any authentication, the delivered email messages are highly likely to be considered and get rejected. That directly affects the email reputation, which grants us more insight into the question mentioned in the section above - how does email authentication affect email reputation? spam The set policies for email authentication are separated into standards, and there are three prominent email authentication standards. And once you have set all three email authentication protocols - you will be able to send emails freely and confidently. What are email authentication standards? In email authentication, there are three standards used prominently, also called email authentication protocols or methods. Those standards are These standards are supplementary to the basic email transfer protocol, SMTP, as it does not include any authentication mechanisms. SPF, DKIM, DMARC. SPF and DKIM are used most commonly and they serve different purposes. SPF validates if the email was sent from an authorized . DKIM verifies if the content was not changed by any interfering server during the transfer. IP address And even though SPF and DKIM are the most common, DMARC is the most sophisticated one. DMARC conducts both SPF and DKIM verification processes and performs an additional procedure. We shall speak of that procedure further down the article. We suggest reading this article for a more extensive guide on . For now, let us discuss some details on the available email authentication protocols, also called methods and standards. email authentication Sender Policy Framework (SPF) SPF is a simple TXT file included in the of the domain. When creating an SPF record, domain owners specify the IP addresses authorized to send emails on behalf of that domain. DNS records The server receiving an email runs a DNS verification of the return-path address. After locating the SPF record within the DNS it scans the list of authorized addresses. The result of this process is positive if the address is present within the SPF record in the DNS of the server. In an opposite situation the email triggers a soft fail alert. The email is then marked with an authentication failure. A server still accepts the email but has a reason to discard it. SPF is a widely adopted email verification method and is considered essential for any SPF increases the chances of valid email delivery. email sender SPF record example If you were to search the domain and locate the DNS records, an SPF record should look so: v=spf1 include:_spf.google.com include:mailtrap.io include:_spf.reply.io ~all Let us analyze this SPF record and learn how to build one ourselves: is the beginning and is referring to the version of the SPF. SPF1 is the most widely adopted version and is also referred to as the SPF Classic v=spf1 is for specifying the domains used to send emails from. include: concludes the record by specifying all other unauthorized domains. ~all Some records include IP addresses instead of server names, like so: v=spf1 ip0:000.00.00.0 ip6:000.00.00.00 include:_spf.google.com include:mailtrap.io include:_spf.reply.io ~all How to properly authenticate with SPF? If you are using a Mailtrap Email API/SMTP service, then you already have a prepared SPF server you can simply copy and paste in your DNS records. Otherwise, when building an SPF record there are many details to consider. SPF comes with qualifiers, and the details of those qualifiers define the purpose of the SPF record: is used to trigger a soft fail, accepting an email but marking it with SPF fail. ~ is used to reject emails. – is used to trigger a pass, allowing email messages. + is a neutral qualifier, indicating an absence of policy. ? The plus mark qualifier is also automatically assumed if there are no qualifiers indicated by the end of the DNS record. And all of the qualifiers above are simply suggestions and can be entirely ignored by the server if needed. Domain Keys Identified Mail (DKIM) DKIM is also considered an important email authentication method to possess. It is a digital signature attached to the transferred email and is validated by the receiving server upon arrival. Upon each DKIM validation, a public key is generated and added to the DNS records of the domain. The DKIM signature is encrypted with an individual and a private key. The signature itself contains details of the email, such as the email header and body. The entire DKIM signature is created upon the creation — do forgive the tautology — and delivery of the email itself. Upon arrival, the server compares the public key from the DNS records to the private key. If everything matches - the test is passed. But if the email message went under any modification the DKIM test fails and the email message is discarded. DKIM record example DKIM record does look more complicated than an SPF record: DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork; c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938; h=from:to:subject:date:keywords:keywords; bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ VoG4ZHRNiYzR As previously, let us dissect the entire record to understand it better to build ourselves: is a selector and labels the associated DNS. s= hashed email message body bh= the digital signature in a hashed format b= These are the most important three. It is also important to understand, that a domain itself can have multiple selectors. Multiple sectors serve different purposes, such as an email for newsletters, promotions, sales, etc. How to properly authenticate with DKIM? DKIM is highly advised to be configurated with SPF. DKIM focuses on a singular aspect of phishing prevention and provides no mechanics for indicating to a server how to treat failed attempts. Authenticating emails with both of these email authentication methods, DKIM and SPF, provides a far more secure email exchange and information on where the email message originated from, and where it has been modified. For proper email authentication with DKIM, it is important to update your private and public keys once or twice a year. verification Domain-based Message Authentication Reporting and Conformance (DMARC) DMARC is not considered an authentication method, as it builds upon other email authentication methods, such as SPF and DKIM. DMARC adds domain alignment, which is an additional layer of security. The domain alignment procedure verifies SPF and DKIM. This procedure can either be “relaxed” or “strict”. Choosing the correct variant is particularly important. If you select “strict”, you need to make sure to include all transactional and marketing domains to avoid rejecting important emails. To clarify, DMARC does not require SPF or DKIM, but having all three is considered a best practice to properly authenticate your emails. The trick would be to select a “relaxed” method, but use to control which emails you interact with and which you do not. With DMARC you are able to configure additional policies for failed verifications. That helps with the generation of email performance reports. email suppression lists DMARC record example DMARC record example is as follows: v=DMARC1; p=none; rua=mailto:postmaster@mailtrap.io; ruf=mailto:postmaster@mailtrap.io; fo=1; adkim=r; aspf=r The tags in the record are more extensive than we have seen in other two email authentication methods: is the version of DMARC. v is the policy of DMARC. p email addresses receiving reports about emails failing DMARC check. rua email addresses receiving individual and instantaneous reports about failed checks. ruf optional domain alignment for DKIM. adkim domain alignment for SPF. aspf How to properly authenticate with DMARC? Even though I mentioned configuring SPF and DKIM with DMARC is the best practice, you might find it surprising that it is not the most popular one. And that is the precise reason spoofing is often a problem. If you have already configured SPF and DKIM, you must add DMARC to have the strongest email authentication method for your domain. However, it is worth taking time when configuring DMARC to ensure proper authentication. If the configuration was flawed the DMARC tests fail. Conclusion And now you know the tips and tricks on how to properly authenticate your email. Many might consider email authentication a complicated procedure, yet proper guidance can help significantly. We understood how email authentication improves email deliverability. And with improved email deliverability you have better control over . It is important to take time in understanding email authentication and patiently configure it within your business. It improves your email reputation and asserts healthier business communication. soft and hard bounces

How to Properly Authenticate Your Emails

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

The Noonification: Tailwindcss? Ill Pass (8/27/2023)

80% Devices in 2023 Are Already Passkey-Ready: Apple, Microsoft, and Google Pushing It Even Higher

A Brief History in Authentication

161 Stories To Learn About Authentication

3 Reasons for B2C Enterprises to Implement Single Sign-on Authentication

4 Dangers of Sticking with Outdated MFA Methods

The Noonification: Tailwindcss? Ill Pass (8/27/2023)

80% Devices in 2023 Are Already Passkey-Ready: Apple, Microsoft, and Google Pushing It Even Higher

A Brief History in Authentication

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps