Understanding Email Authentication
The main job of email authentication is to confirm that a message really comes from the domain it claims to come from. This makes it much harder for spammers and phishers to impersonate you.
Email authentication covers several methods of validating where a message originated and whether the mail servers (message transfer agents, or MTAs) that sent, relayed or modified it were authorized to act for the domain it claims. To simplify: every email is sent on behalf of a domain or subdomain, and the owner of that sending domain publishes its authentication rules as records in the Domain Name System (DNS). When a message arrives, the receiving mail server looks up the DNS records for the claimed domain and checks the message against them; the sending and receiving servers do not negotiate with each other beyond the SMTP session itself. Passing these checks shows that the message genuinely came from the domain's authorized infrastructure. It does not show that the content is harmless, which is why the results also feed the IP-address and domain reputation that receivers use to identify and filter malicious senders over time.
How it works:
- The sender/domain owner sets rules for authenticating emails that are sent from its domains.
- The sender then configures sending email servers and publishes the rules in the Domain Name System (DNS) records.
- The mail servers that receive the emails authenticate the messages from the sender using the published rules.
- Finally, the receiving email servers apply the published rules and deliver, quarantine or reject the message accordingly.
Because the Simple Mail Transfer Protocol (SMTP) has no built-in way to verify that a message really comes from the domain named in its sender addresses (anyone can write any address into MAIL FROM or the From: header), employing separate authentication methods is essential.
There are four main email authentication protocols:
- SPF (sender policy framework)
- Publishes a DNS TXT record listing the IP addresses, networks or hostnames authorized to send email using the domain in the message's envelope sender (MAIL FROM, also seen as Return-Path); the receiving server compares the connecting IP address against that list.
- DKIM (DomainKeys Identified Mail)
- The sending server signs selected headers and the message body with a private key and adds the result as a DKIM-Signature header (a cryptographic signature, not an encrypted key). The receiver fetches the matching public key from a DNS TXT record under the signing domain named in the signature's d= tag and verifies the signature, which both ties the message to that domain and detects modification in transit.
- DMARC (Domain-Based Message Authentication, Reporting and Conformance)
- Published at _dmarc.<domain>, DMARC tells receivers what to do with a message that fails authentication (p=none, quarantine or reject), requires that the domain passing SPF or DKIM align with the domain in the visible From: header, and asks receivers to send aggregate and failure reports (rua/ruf) back to the domain owner.
- BIMI (Brand Indicators for Message Identification)
- A newer addition layered on top of DMARC rather than a separate authentication check: supporting mailbox providers display the brand's logo next to messages that pass DMARC under an enforcing policy (quarantine or reject), fetching the logo from a DNS record the domain owner publishes; some providers also require a Verified Mark Certificate. A spoofed message that fails DMARC will not get the logo, but a missing logo is not by itself evidence of phishing, since many legitimate senders have not deployed BIMI.
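The receiver-side half of the "How it works" steps above, and the SPF and DMARC checks just described, as an added example that is not code from the original article. It models DNS as an in-memory table of constructed TXT records (the domains, IP addresses and records are all made up for illustration), evaluates SPF including the include: mechanism and the 10-lookup limit, performs DMARC policy discovery with subdomain policy (sp=) and identifier alignment, and returns the disposition. DKIM signature verification itself is assumed to have happened elsewhere: the caller passes in the d= domains of signatures that already verified. The organizational-domain function is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup.

```python
"""Receiver-side SPF and DMARC evaluation against a constructed DNS table.
Added example, not from the original article; nothing is queried over the
network and every name, address and record below is constructed."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real receiver would
# ask its resolver for these names).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all",
    "mail-provider.example": "v=spf1 include:_spf.mail-provider.example -all",
    "_spf.mail-provider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberately self-referencing
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; "
                          "rua=mailto:dmarc@example.com",
}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 cap on include/a/mx/ptr/exists/redirect
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.
    Returns pass/fail/softfail/neutral/none/permerror. Only ip4, ip6, include
    and all are implemented; any other mechanism yields permerror, not a guess."""
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:  # runaway include chains are a permerror
                return "permerror"
            sub = check_spf(client_ip, arg, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"
    return "neutral"  # record ended without an "all" term


def org_domain(domain):
    """Organizational domain, simplified (assumption) to the last two labels;
    production code must use the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(domain):
    """Return the tag=value pairs of _dmarc.<domain>, or None if none is published."""
    record = DNS_TXT.get("_dmarc." + domain.lower())
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def find_dmarc_policy(from_domain):
    """RFC 7489 policy discovery: the From: domain's own record wins; otherwise the
    organizational domain's record applies with its sp= (subdomain policy)."""
    tags = parse_dmarc(from_domain)
    if tags is not None:
        return tags, tags.get("p", "none")
    org = org_domain(from_domain)
    if org != from_domain.lower():
        tags = parse_dmarc(org)
        if tags is not None:
            return tags, tags.get("sp", tags.get("p", "none"))
    return None, "none"


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, client_ip, mail_from_domain, dkim_domains=()):
    """Disposition for one message: "pass", "none" (nothing to enforce),
    "quarantine" or "reject". dkim_domains holds the d= values of signatures that
    already verified (verification with the DNS public key is assumed done elsewhere)."""
    tags, policy = find_dmarc_policy(from_domain)
    if tags is None:
        return "none"
    spf_ok = (check_spf(client_ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_domains)
    return "pass" if (spf_ok or dkim_ok) else policy


if __name__ == "__main__":
    # A spoof: From: example.com, but sent from an unrelated IP with no DKIM.
    print(dmarc_disposition("example.com", "203.0.113.7", "attacker.example"))
```

The case worth studying is a message sent through the constructed mail-provider.example with its own envelope sender: SPF passes for the provider's domain, yet DMARC still fails because aspf=s demands an exact match with the From: domain, so the provider would need to sign with DKIM using d=example.com (relaxed alignment) for the message to pass. Production receivers use maintained libraries (pyspf and dkimpy are common Python choices) rather than hand-rolled evaluators like this one.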