What You Should Know About Email Authentication
Over decades of using the Internet, we have learned to not spot the most common email scam practices. If in 2020 I would still get a letter from a prince offering me a share in a multi-million dollar fortune, it wouldn’t even be worth a good laugh.
However, scammers didn’t stop at such basic attempts to weed money or confidential data out of email users. While we might be smart enough to ignore self-proclaimed nobles, what would you do if you got an email from the U.S. President? What if, on top of that, it was sent from the official White House mailbox?
Source: Dylan Tweney
No matter how tech-savvy we are, it takes a second of hesitation to realize that an email from, say, the tax service is another carefully constructed scheme.
That’s why faking sender addresses of government agencies and large-scale companies is a popular strategy among scammers.
You may have heard of it as spoofing.
Businesses Should Keep a Careful Eye on Spoofing
Although spoofing targets business clients, it’s equally as dangerous to company managers.
Back in 2014, AOL was hacked by a spoofer. Thousands of users started getting spam messages from a company they trusted with their personal data. The situation got out of control to such an extent that #aolhacked was trending on Twitter.
Six years later, the company’s case is still the poster face of poor security practices. Reputational damage, months of litigation, and the loss of many clients are all the risks business owners face if they don’t protect their sender addresses from spoofing.
How can a company manager protect the brand from being abused by scammers? There’s a way to be confident that a third-party hacker will not have an easy time pretending to be a company representative – we’re talking about email authentication.
How Email Authentication Works
By definition, email authentication is a series of practices that help an email service provider determine whether an email comes from a legitimate sender.
To protect users from scammers, Gmail, Outlook, and other platforms check whether emails from all senders comply with a series of protocols: SPF, DKIM, and DMARC.
If you haven’t set these up for the sender address, to the email platform, you are no different from a spammer. As a result, the email client will block your messages halfway through the delivery process, not allowing you to reach product users, clients, or readers.
Basically, without a proper authentication setup, all the efforts your team puts in to launch a campaign would go to waste.
Let’s spot the difference between three authentication methods
SPF: Sender Policy Framework
Sender Policy Framework is the oldest email authentication system, established back in 2003. The idea behind SPF is to keep track of all senders who are allowed to send emails on the behalf of the company’s domain.
After a domain administrator specifies authorized senders, the email server will make sure that no one outside of that list can share messages using the domain name of the business.
How to set up SPF?
Although setting up a SPF record for your emails might seem complicated, there are only 5 straightforward steps to follow.
- Determine which servers your team uses to send emails and put them together on a list.
- Create a list of all domains the team has access to.
- Create a list of IP addresses (actual senders) who can share messages using selected servers and domain names.
- When done, submit it to the domain name system. In most cases, tech teams do this by contacting a hosting provider.
- Test it using any suitable email testing tool.
DKIM (short for Domain Keys Identified Message) is another effective way to prove the sender’s legitimacy. This protocol relies on public-key cryptography.
How does DKIM work?
Before we discuss the process of setting up DKIM for your business, let’s take a look at why the protocol is so important for email authentication and try to understand its ins and outs.
- The domain manager submits a publicly available key as a TXT file to the domain name system.
- Whenever someone on the team pushes the “Send” button, the outbound server automatically attaches a signature header, unique for every message.
- Once the email has reached the inbound server, the server will verify whether the public DKIM key matches the record in the DNS. If there’s a match, the key will be used to decrypt the signature, attached to the letter.
How to set up DKIM:
Although most email clients (e.g. Gmail) implement default DKIM protection, email service providers recommend senders generate their own domain keys. Here’s a brief guide to setting up the domain-keys identified message protocol:
- Generate a new key. A DKIM record has two components: bit length (1024 or 2048-bit depending on your hosting provider) and prefix (indicates the email client the email is attached to).
- Upload the TXT key to your domain name system using the management console of your hosting provider.
- Enable DKIM signing via your email provider management console. Typically, email clients publish detailed instructions on activating domain-key signing. Here are guidelines for Gmail
Although SPF and DKIM are quite effective recipient protection mechanisms, neither of these protocols offered senders enough visibility into how their campaigns perform, leaving them no chance to improve the infrastructure.
To improve the email experience both to senders and recipients, top companies in different fields (PayPal, Yahoo, Gmail, and more) have come together to create a more refined email authentication protocol, DMARC.
How does DMARC work:
The protocol draws upon the support of SPF and DKIM. However, unlike SPF or DKIM, DMARC isn’t a series of operations – rather a set of practices senders need to follow to prove legitimacy.
When setting up a DMARC record, a domain administrator creates an authentication policy and submits it to the domain name system as a TXT file.
Every email sent (including automatically sent messages) on the domain’s behalf passes a DNS check to ensure compliance with DMARC policies. Here are the criteria the inbound server validates:
- DKIM signature.
- Match between the sender’s email and the addresses allowed in the SPF.
- Email’s domain alignment – ensuring that at least one domain a sender is connected to passes SPF or DKIM authentication.
Based on the results of the check, the inbound server either rejects, accepts, or quarantines an email. The results of the inspection are reported back to the sender.