Email authentication is a set of technical methods used to verify that an email message actually comes from the sender it claims to represent. It validates domain ownership and checks if a message was altered during transit. Implementing these protocols is the primary way to prevent your domain from being used in phishing scams and to ensure your marketing campaigns reach the inbox.
What is email authentication?
When the Simple Mail Transfer Protocol (SMTP) was designed in the early 1980s, it lacked features to verify the identity of senders. This allowed forgers to create "spoofed" emails where the "From" address seen by the recipient does not match the actual source.
Email authentication (or validation) fills this gap by adding verifiable records to your Domain Name System (DNS). These records allow the receiving mail server to confirm the message originates from an authorized server. By 2018, three standards had reached wide adoption: SPF, DKIM, and DMARC (Wikipedia).
Why email authentication matters
Authentication is no longer optional for professional senders. As of 2024, major providers like Gmail and Yahoo require it for anyone sending high volumes of mail.
- Security: 90% of cyberattacks start with email messaging (Proofpoint). Authentication blocks the delivery of messages from forged senders used in phishing and business email compromise (BEC).
- Deliverability: Mailbox providers are more likely to filter unauthenticated mail into spam folders or reject it entirely.
- User Trust: Security indicators can lower the click-through ratio by more than ten points, from 48.9% to 37.2% for spoofed messages (Wikipedia). Authentication removes these warnings.
- Volume Protection: Proofpoint detected and blocked 66 million business email compromises (BEC) on average per month in 2024 (2024 Proofpoint State of the Phish). Authentication prevents your brand from contributing to these numbers.
How email authentication works
Authentication involves a conversation between the sending domain's DNS and the receiving mail server.
- Rule Establishment: The domain owner creates rules (DNS records) specifying which servers are allowed to send mail.
- Configuration: The owner publishes these rules in their public DNS records.
- Verification: When an email arrives, the receiving server looks up the DNS records for the sending domain.
- Action: The receiving server follows the rules to deliver, quarantine, or reject the message based on whether it passes the checks.
Types of email authentication
Successful email security requires a layered approach using several different protocols.
Sender Policy Framework (SPF)
SPF is a list of IP addresses and hostnames authorized to send email on behalf of your domain. If the receiving server sees an IP address not on this list, the message may fail. SPF only validates the "envelope" sender, not the "From" address shown to the user.
DomainKeys Identified Mail (DKIM)
DKIM adds a cryptographic digital signature to the email header. This acts like a digital seal that breaks if the message content is tampered with during transit. It uses a private key on the sending server and a public key in the DNS to verify the signature.
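To make the "digital seal" concrete, here is an added example (not code from the original page) of the first thing a receiver does with a DKIM-Signature header: recompute the body hash (the bh= tag) over the body as received and compare it with the signed value. The message body, the d= and s= values and the omitted b= signature are all constructed for this example; verifying b= itself, the RSA signature over the selected headers, is the second step and is not shown.

```python
import base64
import hashlib
import hmac


def canonicalize_body_simple(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization (RFC 6376 section 3.4.3): CRLF line endings,
    trailing empty lines removed, exactly one CRLF at the end (an empty body becomes CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The value a signer puts in the bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs; whitespace inside values is folding and is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def verify_body_hash(body: bytes, dkim_signature: str) -> bool:
    """Receiver side: recompute bh= over the body as received and compare in constant time.
    A mismatch means the body changed after signing, so the seal is broken."""
    return hmac.compare_digest(body_hash(body), parse_dkim_tags(dkim_signature).get("bh", ""))


# Constructed message body and header (not a real signature); the tampered copy changes one word.
ORIGINAL_BODY = b"Hi Alice,\n\nYour invoice for March is attached.\n\nThanks,\nBilling\n"
TAMPERED_BODY = ORIGINAL_BODY.replace(b"March", b"April")
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;"
    " h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=<rsa-signature-omitted>"
)

if __name__ == "__main__":
    print("original verifies:", verify_body_hash(ORIGINAL_BODY, DKIM_SIGNATURE))           # True
    print("extra blank lines:", verify_body_hash(ORIGINAL_BODY + b"\n\n", DKIM_SIGNATURE))  # True
    print("tampered verifies:", verify_body_hash(TAMPERED_BODY, DKIM_SIGNATURE))           # False
```

The second case shows why canonicalization exists: trailing blank lines added by a relay do not break the seal, while a change to the content does.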
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC ties SPF and DKIM together. It requires "alignment," meaning the domain in the "From" header must match the domain used by SPF or DKIM. It also gives instructions to the receiver on what to do if checks fail: take no action (p=none), move to spam (p=quarantine), or block delivery (p=reject).
Authenticated Received Chain (ARC)
ARC preserves authentication results when a message passes through intermediate services, such as mailing lists or forwarding servers. This prevents legitimate forwarded mail from failing DMARC checks.
Best practices
- Start with a soft policy: When first implementing DMARC, use "p=none." This allows you to monitor reports and identify legitimate mail sources you might have missed without blocking your mail.
- Rotate your keys: Security professionals recommend changing your DKIM keys several times a year to protect against hackers who might steal them.
- Use a dedicated IP: If you send high volumes of mail, use a dedicated IP address. This prevents the poor sending habits of other companies on a shared IP from damaging your reputation.
- Check subdomains: Each subdomain needs its own SPF record. Subdomains do not automatically inherit the records of the parent domain.
Common mistakes
Mistake: Including too many "include" statements in an SPF record. Fix: SPF is limited to 10 DNS lookups. If you exceed this, the record fails. Use a tool to flatten your record or remove unused services.
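The 10-lookup limit is easy to exceed once a few vendors' include: records are nested, as the SPF section and this mistake describe. Below is an added example (not code from the page) that counts the lookups a compliant evaluator would spend on a record by following include: and redirect= into the referenced records; the DNS data is a constructed in-memory table, not real providers' records, so it runs offline.

```python
import re

# Constructed DNS TXT data standing in for live lookups; the domains and records are
# made up for this example and are not any real provider's SPF records.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.esp-one.example include:_spf.esp-two.example mx -all",
    "_spf.esp-one.example": "v=spf1 include:a.esp-one.example include:b.esp-one.example ~all",
    "a.esp-one.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.esp-one.example": "v=spf1 a mx ptr -all",
    "_spf.esp-two.example": "v=spf1 redirect=_spf2.esp-two.example",
    "_spf2.esp-two.example": "v=spf1 exists:%{i}.spf.esp-two.example include:c.esp-two.example -all",
    "c.esp-two.example": "v=spf1 ip4:203.0.113.5 -all",
}

MAX_LOOKUPS = 10  # RFC 7208 limit; ip4/ip6/all cost nothing, the terms matched below cost one each

# Term names that trigger a DNS query, with an optional [:=]value and /cidr suffix.
LOOKUP_TERM = re.compile(r"^(include|a|mx|ptr|exists|redirect)(?:[:=]([^/]+))?(?:/\d+)?$")


def count_spf_lookups(domain, dns=FAKE_DNS, _seen=None):
    """Return the number of DNS lookups spent evaluating this domain's SPF record,
    following include: and redirect= into the records they reference."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:            # loop guard: a record reached twice is expanded once
        return 0
    _seen.add(domain)
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0                   # no SPF record here: nothing further to expand
    count = 0
    for term in record.split()[1:]:
        m = LOOKUP_TERM.match(term.lstrip("+-~?"))   # drop the pass/fail qualifier
        if not m:
            continue
        count += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            count += count_spf_lookups(m.group(2), dns, _seen)
    return count


def spf_lookup_check(domain, dns=FAKE_DNS):
    """The verdict a sender wants before publishing: does the record stay within the limit?"""
    lookups = count_spf_lookups(domain, dns)
    return {"domain": domain, "lookups": lookups, "within_limit": lookups <= MAX_LOOKUPS}


if __name__ == "__main__":
    # 11 lookups for the constructed example.com record: over the limit, so a compliant evaluator permerrors
    print(spf_lookup_check("example.com"))
```

Removing one unused vendor include or replacing a nested include with its ip4 ranges (flattening) brings the constructed record back under the limit.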
Mistake: Sending with a MAIL FROM (envelope) domain that differs from the domain in the visible From header. Fix: Ensure your DMARC alignment is correct. The domain the user sees must match the domain authorized in your DNS records.
Mistake: Using "p=none" as a permanent DMARC strategy. Fix: Treat "p=none" as a temporary monitoring phase. Move to "p=quarantine" or "p=reject" to actually stop spoofing.
Mistake: Forgetting to update records when switching Email Service Providers (ESPs). Fix: Audit your DNS records during any migration to ensure your old ESP is removed and your new one is authorized.
Examples
Example scenario (Valid Transmission): A company sends a newsletter from their own domain (example.com). Their DNS has an SPF record listing their mail server's IP and a DKIM public key. The receiving server checks both, sees they match, and delivers the mail to the primary inbox.
Example scenario (Spoofing Attempt): An attacker sends a fake "Woodgrove Bank Security" email. The "From" address says woodgrovebank.com, but the actual sending server is on a different domain. Because the attacker's IP is not in Woodgrove Bank's SPF record, and they lack a valid DKIM signature for that domain, the message is rejected by the receiver.
FAQ
How do I measure if my authentication is working?
The best way to monitor performance is through DMARC reports. These reports show you which servers are sending mail using your domain and whether they passed or failed authentication. You can also monitor your deliverability rates and engagement metrics. A sudden increase in bounces or spam folder placement often points to an authentication problem.
What is the difference between SPF and DKIM?
SPF focuses on the "where": it checks whether the delivering server's IP address is authorized. DKIM focuses on the "what": it uses a cryptographic signature to prove the message came from the domain and was not changed. SPF can break if an email is forwarded, whereas DKIM signatures usually stay valid during forwarding.
Do I need BIMI for email authentication?
Brand Indicators for Message Identification (BIMI) is not a method of authentication itself, but a reward for it. To use BIMI, which displays your brand logo in the inbox, you must have a strong DMARC policy (usually p=quarantine or p=reject). It provides a visual signal to recipients that your email is authentic.
Why does email authentication fail for forwarded emails?
Forwarding changes the message's source from the original server to the forwarding server. Since the forwarding server is not listed in the original sender's SPF record, the check fails. This is why using DKIM and DMARC together is vital, as DKIM can survive the forwarding process.
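The alignment rule from the DMARC section, the two example scenarios, and this forwarding case all come down to one decision: does at least one of SPF or DKIM both pass and align with the From header domain, and if not, what does p= say? The following added example (not code from the page) implements that decision in simplified form per RFC 7489 and runs it on constructed inputs for the valid, spoofed and forwarded cases; the sender domain in the spoof case and the organizational-domain shortcut are assumptions noted in the comments.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a _dmarc TXT record into tags; alignment modes default to relaxed (r) as in RFC 7489."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (simplification:
    real evaluators consult the Public Suffix List, e.g. for example.co.uk)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s): exact match. Relaxed (r): same organizational domain, so subdomains align."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(from_domain, dmarc_txt, spf=None, dkim=None):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain); either may be None.
    DMARC passes if SPF or DKIM both passed AND is aligned with the From: header domain;
    otherwise the p= policy decides. Returns (disposition, reason)."""
    policy = parse_dmarc_record(dmarc_txt)
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return "deliver", "dmarc=pass"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return disposition, "dmarc=fail (p=%s)" % policy["p"]

# Constructed inputs: (From domain, DMARC record, SPF result, DKIM result) for each scenario.
SCENARIOS = {
    # Newsletter from example.com: SPF and DKIM both pass for the From domain itself.
    "valid": ("example.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
              ("pass", "example.com"), ("pass", "example.com")),
    # Spoof: SPF passes only for the sender's own (assumed) MAIL FROM domain and there is
    # no DKIM signature from woodgrovebank.com, so nothing aligns and p=reject applies.
    "spoof": ("woodgrovebank.com", "v=DMARC1; p=reject",
              ("pass", "mail.unrelated-sender.example"), None),
    # Forwarded: the forwarder's IP fails SPF, but the original DKIM signature still verifies.
    "forwarded": ("example.com", "v=DMARC1; p=reject",
                  ("fail", "example.com"), ("pass", "example.com")),
}

def run_scenarios() -> dict:
    return {name: evaluate_dmarc(*args) for name, args in SCENARIOS.items()}
```

Switching the record to adkim=s makes a DKIM signature with d=example.com stop aligning for mail sent from a subdomain such as news.example.com, which is the usual reason strict alignment is left off.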
Does Microsoft 365 handle authentication differently?
Microsoft 365 uses "composite authentication" (compauth). This combines standard SPF, DKIM, and DMARC results with implicit signals like sender reputation and behavioral analysis. A message might fail a standard check but still pass composite authentication if other signals suggest the sender is legitimate.