Implementing Email Authentication: A Primer

Posted by Tom Bartel on

One of the most basic elements of our work at Return Path is ensuring that clients use best practices in their email delivery processes. A common recommendation we give is to implement email authentication. Email authentication has two primary benefits: It stymies forgery of email messages and allows senders to build a positive reputation with receivers based upon their mailing behavior. Yet many companies, particularly small ones, have never heard of email authentication — and those who have heard of it have not yet initiated a project to implement it.

How does email authentication work? The most common schemes today — SPF, SenderID, and DomainKeys — use the Domain Name System (DNS) to publish “records.” Each record, which is available to the entire Internet community, details the specific machines that are authorized to send mail for a specific email domain.

Before a message arrives in a user’s email inbox, the receiving email server can attempt to verify that the mail is coming from an authorized source by checking email authentication records. Suppose a spammer forges your domain in his spam message. Unless he has hacked your network (a different, and bigger, problem) he is transmitting messages from IP addresses different from yours. When he sends his forged message, a receiver who checks for email authentication records will query for your domain’s records in DNS to determine your authorized mail sending hosts. Since your records won’t include the spammer’s IPs, the receiver can now take greater precautions in handling the message: rejecting it outright, subjecting it to spam-filtering technologies, or directing it straight to a junk folder.

In brief, here’s how to implement email authentication:

Step 1. Find the authentication scheme best suited to your needs. You can find detailed information about the three dominant schemes on the following Web sites:

SPF: www.openspf.org/wizard.html
SenderID: www.microsoft.com/senderid
DomainKeys: http://antispam.yahoo.com/domainkeys

It is also a good idea to coordinate with your IT group early in this process. They are likely to be familiar with the specifications and can help in planning the process and publishing your records once you’ve built them.

Step 2. Take inventory of systems that send your mail. Identify all machines that send mail on your behalf, which includes all internal and external systems — from corporate mail servers to third parties authorized to send mail on behalf of your company. Once you identify these senders, you need to obtain the IP addresses and host names for each. Be sure to consider the following potential sources:

  • Advertising/PR agencies
  • Bulk mailings
  • Corporate email
  • Customer support and services
  • Events marketing
  • Forwarding services
  • Human resources
  • Investor relations
  • Newsletters
  • Order and shipping confirmations

Step 3. Create your authentication records. There are excellent online tools available for creating valid SPF and Sender ID records. The following wizards can assist you:

SPF: www.openspf.org/wizard.html
Sender ID: http://www.microsoft.com/senderid

DomainKeys differs slightly in that it requires you to create a public/private key pair rather than just a list of hosts: your outgoing mail server signs each message with the private key, and the public key is published in your DomainKeys record in DNS so that receivers can verify the signature. Details can be found at http://antispam.yahoo.com/domainkeys.

Step 4. Publish your authentication records. Work with whoever manages your DNS records to publish the email authentication records you’ve collected. The actual publishing is easy — finding the responsible party who controls your DNS is often the tricky part.

Step 5. Test your authentication records. SPF, SenderID, and DomainKeys all provide options to publish your records in “test” mode. This provides the opportunity for testing without risking delivery failures for mistakes in your record. Testing will ensure that the mail servers you’ve authorized are being verified by receivers and will determine if you’ve missed identifying any mail servers in your inventory.
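The receiver-side check described above, together with Steps 2, 3 and 5, as an added Python example that is not code from the original post or from Return Path: it builds an SPF record from a sender inventory, evaluates a connecting IP against that record the way a receiving server would (including `include:` lookups and the `-all`/`~all` qualifiers used for "test" mode), and compares the record against a list of observed sender IPs to flag hosts missing from the inventory. Every domain, IP address and DNS answer here is a constructed stand-in using RFC 5737 documentation ranges; a real receiver queries DNS, and the `mx`, `ptr` and `exists` mechanisms and the `redirect=` modifier are deliberately not modeled.

```python
import ipaddress

# Constructed, offline stand-in for DNS (hypothetical domains, RFC 5737 addresses).
# A real receiver would issue TXT and A queries here.
FAKE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 include:_spf.esp.example a:mail.example.com -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "staging.example.com": ["v=spf1 ip4:192.0.2.10 ~all"],  # "test mode": softfail instead of fail
}
FAKE_A = {"mail.example.com": ["203.0.113.5"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(inventory, default="-all"):
    """Step 3: turn the Step 2 inventory into a record.
    inventory is a list of (mechanism, value) pairs such as ("ip4", "192.0.2.0/28");
    default is the trailing 'all' term: '~all' while testing, '-all' once confident."""
    return " ".join(["v=spf1"] + [f"{m}:{v}" for m, v in inventory] + [default])


def check_host(ip, domain, txt=FAKE_TXT, a=FAKE_A, depth=0):
    """Receiver-side check: evaluate the connecting IP against domain's SPF record.
    Returns one of pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in txt.get(domain, []) if r.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                # two SPF records on one name is a common misconfiguration
        return "permerror"
    sender = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) are not modeled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                # a v4 sender never matches an ip6 network and vice versa
                matched = sender in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":           # CIDR suffix on 'a' is not modeled
                host = arg or domain
                matched = any(sender == ipaddress.ip_address(addr) for addr in a.get(host, []))
            elif mech == "include":     # include matches only on a 'pass' of the referenced record
                matched = check_host(ip, arg, txt, a, depth + 1) == "pass"
            else:                       # mx, ptr, exists not modeled; unknown mechanism is a permerror
                return "permerror"
        except ValueError:              # malformed IP/network in the record
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no 'all' term: the record makes no claim


def find_unauthorized(domain, observed_sender_ips, txt=FAKE_TXT, a=FAKE_A):
    """Step 5: compare the published record against IPs actually seen sending your mail.
    Anything that does not pass is either a host missing from the inventory or a forger."""
    return {ip: res for ip in observed_sender_ips
            if (res := check_host(ip, domain, txt, a)) != "pass"}


if __name__ == "__main__":
    record = build_spf_record([("ip4", "192.0.2.10"), ("include", "_spf.esp.example")], "~all")
    dns = dict(FAKE_TXT, **{"newdomain.example": [record]})
    print(record)
    for sender_ip in ("192.0.2.10", "198.51.100.77", "203.0.113.99"):
        print(sender_ip, check_host(sender_ip, "newdomain.example", dns))
    print(find_unauthorized("example.com", ["192.0.2.10", "203.0.113.99", "198.51.100.77"]))
```

Running the block with a `~all` record shows the value of test mode: a host you forgot to inventory comes back as `softfail`, which most receivers treat as a mild signal, instead of the `fail` that a `-all` record would produce and that can cost you delivery.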

Some testing options:

Once the records are published and tested, appoint a staff person to make sure they remain current.

Since your circumstances and sender inventories will vary, some complexities may emerge in your planning and implementation. The benefits of strengthening your company’s reputation for transparency and accountability, however, will be worth the effort.

About Tom Bartel

Tom Bartel is Return Path’s Senior Vice President of ThreatWave Data. Tom has more than 20 years of email delivery, email data and privacy experience. He most recently joined Return Path through its acquisition of ThreatWave, where he served as CEO/Co-founder. Prior to that, he has held roles at Return Path, MessageMedia (acquired by DoubleClick), and founded several other startups. Tom is actively involved in key industry organizations, such as OTA and M3AAWG, and advises start-ups and non-profits. Tom has a Bachelor in Speech Communication from Colorado State University.