• home
• resources
• whitepapers
• email deliverability guide

Email Authentication

Your reputation plays a large part in the deliverability of your email messages but there are other factors you must consider, too. Authentication forms the basis of your reputation as it validates your identity. If you are not already authenticating your emails, now is the time to start. Spammers and phishers try to disguise their emails by saying that the emails were sent from legitimate companies in order to convince recipients that it is safe to open and respond to the messages while avoiding accountability. Email authentication allows ISPs and email servers to verify that the sender of the email is, in fact, who it claims to be. If your emails are not authenticated, ISPs could deliver your messages tagged with “cannot verify sender,” place them in the bulk or junk mail folder, or block them completely.

Authenticating your emails will protect your identity, brand, reputation, and deliverability while providing your recipients with higher levels of trust and security. To help organizations sort through the complexities of authenticating emails, the DMA has recently put together an Email Authentication Help Center and Authentication Checklist, and it is currently developing an Email Reputation Registry along with Return Path to enhance this service. Also, the Email Service and Provider Coalition provides a free Sender ID testing tool that will tell you if your emails validate with SPF and Sender ID. These are valuable tools to help with your authentication process.

IP address based authentication methods are one of the leading solutions available on the Internet today. There are two primary IP address based authentication solutions, which are Sender Policy Framework (SPF) and Sender ID Framework (SIDF). These solutions prove that the sender of the email is authorized by the owner of the domain name, and although they are similar in function, there are a few differences that you must be aware of.

SPF is an open standard and a configuration tool that is available for free at http://old.openspf.org/wizard.html. SPF protects emails from spammers by allowing domain name owners to publish which IP addresses are allowed to send emails from a particular domain by checking that domain’s DNS record for an SPF record. When an email server receives a message, it cross-checks the sender’s IP address against the domain name in the From address in the message envelope. If it is authorized, the message is assumed to be legitimate and it is delivered to the recipients. If not, the email is assumed to be fraudulent and it is either tagged as coming from a questionable source, or it is blocked completely.

SIDF, the authentication method of choice for Microsoft, including MSN and Hotmail, is similar to SPF in that it cross-checks the sender of the message against the published SPF records. However, whereas SPF checks against the envelope From address, SIDF validates the sender’s IPs against the Purported Responsible Address (PRA), which is also known as the email’s visible From address. If the sender is authorized, the email is delivered and, if not, the email is tagged or blocked. A free SIDF configuration tool is available at www.microsoft.com/senderid/wizard.

Another leading method of authentication is the cryptographic solution, DomainKeys Identified Mail (DKIM). Instead of checking IP addresses against domain names, DKIM requires senders to store public keys in their DNS records while providing matching private keys in their outbound email servers. When an email passes through the outbound service, the private key generates a signature that is embedded in the header of the message. ISPs then verify that the signature was created by the private key and match it to the public key in the DNS records to validate the message and ensure that the message was not altered in anyway. Yahoo is the main proponent of DKIM and it uses this method exclusively to authenticate emails. Like SPF and SIDF, there is a free DKIM configuration tool available at www.dkim.org.

Although some companies choose to implement some of these methods, it is in your best interest to implement all three authentication methods for even greater protection. You will be securing your identity while assuring ISPs that your emails are genuine so they can be delivered to your recipients. If you are using an ESP, you should be sure that it understands and supports these technologies as well.