Authentication 101: The Fundamentals
What is authentication?
Email authentication is the process by which a sender is validated, through published DNS records such as SPF and DKIM, as being who they purport to be. After hitting send on an email, the originating server sends the message with identifying information to the recipient’s mail server. That server queries DNS for the records the sending domain has published and uses them to validate the message’s authenticity. The recipient server may choose to block any messages that fail authentication checks.
Why is authentication important?
Authentication provides a foundation upon which senders can build a trustworthy email program. By authenticating messages, senders are taking ownership of their content and sending practices. It also helps to prevent forged emails from being delivered. As JD Falk points out in his blog, forging a sending domain is all too easy, so spammers will use this tactic to trick unsuspecting subscribers into opening messages they weren’t expecting to receive. This can erode trust in the subscriber community and damage brands’ reputations.
Authentication terminology can be confusing with lots of acronyms and unfamiliar terms pointing back to each other. Below is a glossary of some of the most important elements of email authentication.
DNS: The Domain Name System, or DNS, is a protocol that takes the alphabetic domain names human users enter and translates them into the numeric IP addresses that computers use. Similar to the way a phone book maps names to phone numbers, DNS maps domains to IPs.
TXT Record: TXT is a type of DNS record that stores free-form text. It is used to verify domain ownership and to implement email security measures such as SPF, DKIM, and DMARC, all of which are published as TXT records.
MX Record: MX stands for Mail Exchange. This record maps a domain to a list of mail exchange servers. By assigning priority values such as 10, 20, 30, etc., domain owners determine which servers receive mail and in what order, which allows mail to be rerouted if a server goes offline. These settings can be adjusted in DNS.
A Record: Sometimes referred to as an Address Record, this maps a hostname to an IP address. When a domain is entered, DNS is queried and returns an IP address, allowing the user to reach that domain.
PTR Record: Also known as reverse DNS (rDNS), the “pointer” record is the complement of the A record, mapping an IP address to a hostname. When an IP address is looked up, the PTR record resolves it to the associated hostname.
SPF Record: SPF, which stands for Sender Policy Framework, is a TXT record listing the IP addresses that are allowed to send email for a specific domain. Mailbox providers check the return-path (bounce) domain of the message when verifying SPF.
DKIM: DKIM stands for DomainKeys Identified Mail and is the successor to DomainKeys. DKIM uses a pair of cryptographic keys: a private key with which all outgoing messages are signed, and a public key that is published in DNS under the signing domain. Senders can configure DKIM so that any mail sent using their domain can be verified as actually coming from them, and receivers can adjust filters to treat unsigned or badly signed messages suspiciously.
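The following added example (not code from the original post) shows the part of DKIM verification that needs no key material: the receiver canonicalizes the message body, hashes it, and compares the result with the bh= tag in the DKIM-Signature header before it ever fetches the public key. The message and header are constructed, the b= tag holds a placeholder rather than a real signature (checking it would require the RSA public key from DNS), and the canonicalization implemented is the "relaxed" form from RFC 6376. The example also derives the DNS name where the selector’s public key would be looked up.

```python
"""DKIM body-hash check with relaxed body canonicalization (RFC 6376).
Added example, not the post's code. The message is constructed and the
b= signature tag is a placeholder; only the bh= body hash is verified."""
import base64
import hashlib
import re


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization: collapse runs of
    whitespace to one space, strip trailing whitespace on each line,
    drop empty lines at the end, and end every remaining line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, algorithm="sha256"):
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.new(algorithm, relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value):
    """Parse a DKIM tag=value list such as 'v=1; a=rsa-sha256; bh=...'."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            # folded headers may carry whitespace inside base64 values
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def key_record_name(tags):
    """DNS name of the TXT record holding the selector's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(dkim_header, body):
    """True if the bh= tag matches the hash of the canonicalized body."""
    tags = parse_tags(dkim_header)
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # e.g. sha256
    return tags.get("bh") == body_hash(body, algorithm)


# Constructed message body and DKIM-Signature header value
# (example.com is a reserved documentation domain).
BODY = "Hello  world \r\nThis is a test.\r\n\r\n\r\n"
DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
    " h=from:to:subject; bh=" + body_hash(BODY) + "; b=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    print("public key record:", key_record_name(parse_tags(DKIM_HEADER)))
    print("body hash ok:", verify_body_hash(DKIM_HEADER, BODY))
    print("tampered body ok:", verify_body_hash(DKIM_HEADER, BODY.replace("test", "tesT")))
```

Because canonicalization runs before hashing, a forwarding hop that collapses double spaces or appends blank lines does not break the body hash, while any change to the actual words does. A full verifier would then fetch the TXT record at the name key_record_name returns, extract the public key, and check the b= signature over the canonicalized headers listed in h=.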
DMARC: DMARC, or Domain-based Message Authentication, Reporting & Conformance, standardizes how mailbox providers authenticate and deliver mail by building on existing SPF and DKIM records. Senders publish a policy indicating that their emails are protected by SPF and/or DKIM, and tell receivers to junk or reject a message if neither of those authentication methods passes for a domain aligned with the visible From address. See dmarc.org for more information.
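As an added example (not code from the original post or from dmarc.org), the block below shows how a receiver combines the pieces: it looks up a constructed _dmarc TXT record, checks whether the SPF and DKIM results are aligned with the From domain under the record’s adkim/aspf modes, and returns the disposition the policy asks for. Organizational domains are approximated as the last two labels of a name, which is a simplification; real receivers consult the Public Suffix List.

```python
"""DMARC policy lookup and identifier alignment (RFC 7489).
Added example, not the post's code. DNS data is constructed and the
organizational-domain rule is a simplification of the real one."""

# Constructed DNS TXT data (example.com is a reserved documentation domain).
FAKE_DNS_TXT = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def parse_dmarc(record):
    """Parse 'tag=value; ...' into a dict; None if not a valid DMARC record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # alignment defaults to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def lookup_dmarc(from_domain, dns=FAKE_DNS_TXT):
    """Try _dmarc.<from domain>, then _dmarc.<org domain>.
    Returns (policy, used_org_record)."""
    for candidate in (from_domain, org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate.lower())
        if record:
            policy = parse_dmarc(record)
            if policy:
                return policy, candidate.lower() != from_domain.lower()
    return None, False


def dmarc_disposition(from_domain, spf_domain, spf_result,
                      dkim_domain, dkim_result, dns=FAKE_DNS_TXT):
    """Return (dmarc_result, action); action is none, quarantine or reject.

    spf_domain is the return-path domain SPF was evaluated for; dkim_domain
    is the d= tag of a DKIM signature that verified (None if none did)."""
    policy, is_subdomain = lookup_dmarc(from_domain, dns)
    if policy is None:
        return "none", "none"  # no DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"  # one aligned pass is enough
    # sp= covers subdomains when the org record was used; otherwise p= applies
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return "fail", action


if __name__ == "__main__":
    print(dmarc_disposition("example.com", "bounce.example.com", "pass", None, "none"))
    print(dmarc_disposition("example.com", "other.example.net", "pass", "mail.example.com", "pass"))
    print(dmarc_disposition("news.example.com", "example.net", "pass", None, "none"))
```

The second call in the usage block is the case that trips up many setups: SPF and DKIM both pass, but neither passes for a domain aligned with the From address (the return path belongs to another organization and the DKIM d= is a subdomain under strict alignment), so DMARC fails and the p=reject policy applies.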
Clear as mud? Post your questions in the comments! You can also download our e-book The Ultimate Email Deliverability Glossary for more common email terms and definitions.