
Email Authentication


Email authentication tells inbox providers that they can trust an email message. Authentication prevents malicious actors from spoofing legitimate traffic, which reduces forgeries, spam, and phishing attempts. When you establish and maintain proper authentication records, inbox providers lean toward trusting email originating from your domain.

Email authentication builds on three standards that use the domain name system (DNS): SPF, DKIM, and DMARC.


SPF


SPF is an email authentication standard developed by AOL that allows you to list all the IP addresses that are authorized to send email on behalf of your domain. The SPF record is a TXT record that lists the IP addresses approved by the domain owner. The receiving server can compare the email sender's actual IP address to the list in the SPF record.

SPF attempts to prevent email sending abuse by ensuring that the IP address from which a message was sent is authorized to send mail on behalf of the domain in the email's Envelope From or return-path.


DKIM

To sign and verify your email, DKIM uses asymmetric (public-key) cryptography. With DKIM implemented, the sending email server adds a cryptographic signature to your emails' headers. The DKIM record is a TXT record that stores the DKIM public key.

DKIM revolves around the concept of a domain owner who has control over the DNS records for a particular domain. To enable DKIM, the sending server signs outgoing messages using a private key. Simultaneously, the domain owner adds a DKIM record to the DNS records of the sending domain. This DKIM record, essentially a modified TXT record, contains a public key. Receiving mail servers leverage this public key to verify the authenticity of a message's signature. In essence, DKIM public-key cryptography assures recipients of the sender's legitimacy. To learn more about DKIM, see DKIM Records Explained.


DMARC

DMARC is a protocol that verifies the authenticity of an email's sender. It helps prevent malicious senders from harming your sender reputation. DMARC provides a policy to email service providers, instructing them on the actions to take when they receive an email that fails SPF, DKIM, or both checks, and appears to be from your domain, a sign it may be spoofed.

DMARC verifies the authenticity of an email's sender and prevents malicious senders from damaging your sender reputation. Major inbox providers such as Gmail and Yahoo increasingly require DMARC policies to be in place for bulk mail senders. For more information, see DMARC Records Explained.