Implementing Email Authentication: A Primer
One of the most basic elements of our work at Return Path is ensuring that clients use best practices in their email delivery processes. A common recommendation we give is to implement email authentication. Email authentication has two primary benefits: It stymies forgery of email messages and allows senders to build a positive reputation with receivers based upon their mailing behavior. Yet many companies, particularly small ones, have never heard of email authentication — and those who have heard of it have not yet initiated a project to implement it.
How does email authentication work? The most common schemes today — SPF, SenderID, and DomainKeys — use the Domain Name System (DNS) to publish “records.” Each record, which is available to the entire Internet community, details the specific machines that are authorized to send mail for a specific email domain.
Before a message arrives in a user’s email inbox, the receiving email server can attempt to verify that the mail is coming from an authorized source by checking email authentication records. Suppose a spammer forges your domain in his spam message. Unless he has hacked your network (a different, and bigger, problem) he is transmitting messages from IP addresses different from yours. When he sends his forged message, a receiver who checks for email authentication records will query for your domain’s records in DNS to determine your authorized mail sending hosts. Since your records won’t include the spammer’s IPs, the receiver can now take greater precautions in handling the message: rejecting it outright, subjecting it to spam-filtering technologies, or directing it straight to a junk folder.
In brief, here’s how to implement email authentication:
Step 1. Find the authentication scheme best suited to your needs. You can find detailed information about the three dominant schemes on the following Web sites:
It is also a good idea to coordinate with your IT group early in this process. They are likely to be familiar with the specifications and can help in planning the process and publishing your records once you’ve built them.
Step 2. Take inventory of systems that send your mail. Identify all machines that send mail on your behalf, which includes all internal and external systems — from corporate mail servers to third parties authorized to send mail on behalf of your company. Once you identify these senders, you need to obtain the IP addresses and host names for each. Be sure to consider the following potential sources:
- Advertising/PR agencies
- Bulk mailings
- Corporate email
- Customer support and services
- Events marketing
- Forwarding services
- Human resources
- Investor relations
- Order and shipping confirmations
Step 3. Create your authentication records. There are excellent online tools available for creating valid SPF and Sender ID records. The following wizards can assist you:
DomainKeys differs slightly in that it requires you to create a public and private encryption key pair for your record. The public key is then published in your DomainKeys record in DNS. Details can be found at http://antispam.yahoo.com/domainkeys.
Step 4. Publish your authentication records. Work with whoever manages your DNS records to publish the email authentication records you’ve collected. The actual publishing is easy — finding the responsible party who controls your DNS is often the tricky part.
Step 5. Test your authentication records. SPF, SenderID, and DomainKeys all provide options to publish your records in “test” mode. This provides the opportunity for testing without risking delivery failures for mistakes in your record. Testing will ensure that the mail servers you’ve authorized are being verified by receivers and will determine if you’ve missed identifying any mail servers in your inventory.
Some testing options:
- Return Path’s SPF-SenderID testing tool: senderid.returnpath.net
- Port25’s Email Relay: email@example.com
- Gmail: Send to a Gmail account, login, view message, and view the header. Look for the “Received-SPF:” line for the result of its SPF check on your email.
- DNSSTUFF: www.dnsstuff.com/pages/spf.htm
- OpenSPF: www.openspf.org/why.html
- Yahoo!: Send email to a Yahoo! Account to check DomainKeys signatures. Yahoo! will also display to the recipient in the user interface when the signature is valid.
- DomainKeys at Sourceforge: http://domainkeys.sourceforge.net (step by step instructions, a few testing email addresses, etc)
Once the records are published and tested, appoint a staff person to make sure they remain current.
Since your circumstances and sender inventories will vary, some complexities may emerge in your planning and implementation. The benefits of strengthening your company’s reputation for transparency and accountability, however, will be worth the effort.
About Tom Bartel
Tom Bartel is Return Path’s Senior Vice President of ThreatWave Data. Tom has more than 20 years of email delivery, email data and privacy experience. He most recently joined Return Path through its acquisition of ThreatWave, where he served as CEO/Co-founder. Prior to that, he has held roles at Return Path, MessageMedia (acquired by DoubleClick), and founded several other startups. Tom is actively involved in key industry organizations, such as OTA and M3AAWG, and advises start-ups and non-profits. Tom has a Bachelor in Speech Communication from Colorado State University.