Email Authentication in a nutshell

There are 3 types of authentication currently in use for email.

  • DKIM
  • SPF
  • DMARC

The different strategies do different things with email.

  • DKIM cryptographically signs emails, preventing changes in transit, and designates a “responsible domain” through the d= value in the signature.
  • SPF compare the sending IP and the envelope from (also known as the bounce string, return path or 5321.from) domain to determine if that IP is authorized to send mail using that envelope from domain.
  • DMARC uses DKIM authentication (d= value) or the SPF authentication (envelope from) to authenticate the visible from address (5322.from). DMARC requires that the d= value or the SPF value are in the same “organizational domain” as the visible from address. There is more data about this in my brief DMARC primer post from April 2014. In addition to authenticating the visible from address, there are two things senders can get from publishing a DMARC record. The first is a reporting scheme where you can get reports every time one of your email messages fails SPF or DKIM authentication. The second is a policy process where you ask receiving ISPs to implement a particular policy when the authentication fails (quarantine or reject).

We recommend all our clients authenticate with DKIM and SPF. The specifics of how to authenticate depend on the overall mail stream of the sender and technology available at different service providers.
Our recommendations for DMARC are a little more complex, due to the newness of the protocol and the choices that DMARC offers to senders. We’re currently recommending that clients be aware of the availability of DMARC reporting and start internal discussions and plan to implement reporting in the future. Managing DMARC reports requires some level of infrastructure to accept and process the incoming reports, and this will need to be planned for.
It’s important to understand that even if every message leaves fully authenticated different processes during mail sending (forwarding, etc) may result in authentication failures at the recipients.  This means senders publishing a p=reject policy will lose legitimate mail. In the absence of security concerns, we’re not recommending publishing a policy statement (p=reject or p=quarantine) at this time. For senders who still want to implement DMARC we’re currently recommending that clients collect failure reports for a period of time (6 – 12 months in cases with complex mail systems) before making the decision to publish a p=reject record. Senders with security concerns can implement a p=reject message, but need to be clear that this may result in legitimate mail being lost.
 
 

Related Posts

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.
 

Read More

Authenticating with SPF: -all or ~all

What is SPF?

Sender policy framework (SPF, RFC 7208) is an authentication process that ties the 5321.from (also known as the mail from, envelope from or return path) to authorized sending IP addresses. This authorization is published in a TXT record in DNS. Receivers can check SPF at the beginning of a SMTP transaction, compare the 5321.from domain to the connecting IP address and determine if that IP is authorized to transmit mail.

Read More

Gmail and the via

I was hoping to have a detailed post up today about the conditions where gmail presents the user with a “via” but time seems to have gotten away from me. But I can give you the conclusions.

Read More