Here's a question we get often: What is email authentication and what is it used for?
Answer: Legitimate email marketers and Internet eCommerce professionals are continually trying to implement
standards for email delivery to help reduce unsolicited bulk emails, spam and so-called phishing emails without
impinging on legitimate bulk email campaigns.
Email authentication simply means verifying whether a person or computer is who they say they are.
As it pertains to email marketing, authentication specifically attempts to match the sender of the message to the
domain that the email message is purportedly coming from. Even in today's advanced email marketing environment, it is
relatively easy to spoof unprotected domains.
Currently, there are two common types of authentication that are enjoying widespread use: Sender Policy Framework
(SPF) and DomainKeys.
1) SPF: Sender Policy Framework is an extension of SMTP (Simple Mail Transfer Protocol). SPF specifically
addresses email spoofing, a common spamming practice referring to forging a sender's address. SPF verifies
information from the email message’s envelope, focusing on the return-path email address. Like a regular mail
envelope, the email message envelope describes who sent the e-mail message, and to whom it is going.
The SPF record on the Domain Name System (DNS) server responsible for a particular Web domain is what
determines the status of the email message: pass, fail, softfail, etc. This information is passed to the recipient
mail server. The SPF record specifies which email servers are allowed to send email for a particular domain. The
recipient mail server checks whether the connecting server is one of those listed and records the resulting status.
It should be noted that SPF by itself does not prevent spam; the recipient mail server reads the information
in the SPF record and then makes some sort of determination based on the status.
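To show what that check looks like, here is a small SPF evaluator added for illustration (it is not code from the original page). It reads the ip4, ip6, include and all mechanisms, with their pass/fail/softfail/neutral qualifiers, from a constructed in-memory zone that stands in for real DNS TXT lookups; the domains and addresses are made up.

```python
import ipaddress

# Constructed zone data standing in for DNS TXT lookups (not real domains).
ZONE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain from the constructed zone, or None."""
    record = ZONE_TXT.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a message arriving from `ip`.
    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Only ip4/ip6/include/all are handled; other mechanisms never match."""
    if depth > 10:  # SPF caps lookups at 10; also guards against include loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record: receiver treats as error
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only if the referenced domain's policy passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" present
```

A mail server from 192.0.2.77 claiming example.test gets "pass", while 203.0.113.5 gets "fail" from the trailing "-all"; the receiving server then decides what to do with that status.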
2) DomainKeys: DomainKeys is an authentication system that is independent of SMTP (Simple Mail Transfer Protocol).
Email messages are still sent using SMTP, but DomainKeys is not an SMTP extension. Rather, it deals with the email
headers that are outside the message envelope. DomainKeys was designed to identify e-mail spoofing and does not
prevent abusive behavior. It simply makes it easier to track. Yahoo implemented DomainKeys in 2004 for outbound email,
and since 2005 has tracked incoming keys.
To implement DomainKeys, the SMTP server operator specifies a public/private key pair. The public key is located
on the DNS server, and the private key is configured on the SMTP server. When sending email, the SMTP server checks in
with the DNS and, if verified, adds a DomainKeys signature to the message headers. The receiving server then reads
the signature, retrieves the public key from the DNS server and verifies the signature.
It then uses that information to apply a rule or deliver the e-mail to the final recipient. If there is no match,
the message can be ignored, because it is apparently a spoof. While Yahoo will still receive an email that doesn't
have a key pair specified, in the future it could reject email messages that are not digitally signed.
Overall, authentication policies are having a limited impact on email marketing today, simply because the
standards are still not fully implemented. These standards will have a greater impact on email delivery, however,
as more recipient ISP mail servers check for them. During an attempt to authenticate, if you don't have SPF or
DomainKeys implemented, your message will most likely still get through with a neutral response.
Eventually, though, a consensus will be reached, and switches will be flipped to tighten up the requirements.