A short guide to Email Authentication

Keeping your emails safe

For ages, the Internet has been a place where scammers, phishers and other cybercriminals thrive, and email carries a large share of that traffic. Without proper authentication, anyone can send mail that claims to come from your domain; that is spoofing. It does not only get your domain blacklisted, it can also cost you reputation, customers and money. Sending email the traditional way does nothing to stop someone else from using your domain for fake messages. That is why you need to protect yourself with email authentication.

To help you protect your email domains, this guide introduces you to the wondrous world of email authentication. In these five steps, we’ll guide you towards better email protection:

  1. How email deliverability works;
  2. The issues of email deliverability;
  3. Countermeasures;
  4. How to check if your domains are secured;
  5. Implementation of authentication.

Telling legitimate email from fake email is hard for most recipients; it almost takes a trained eye to spot the differences. No matter how often banks tell their customers they will never ask for personal details by email, people still believe fake messages. The financial world is not the only target. Many scams (the Nigerian prince among them) are aimed at random email addresses in the hope of extracting money or personal details, and they usually carry a forged sender address, which can make it look as though your business sent them.

Obviously, you don’t want to be a victim of such practices. If you don’t know how to defend yourself, though, you can’t take action. Let’s start with the basics of how email delivery works.

An introduction to email delivery

  • How mailboxes communicate
  • The difference between what you see and what you get

To understand the point of this guide, a short introduction to the concept of email delivery is needed. In another guide, we will take a deep dive into the subject of email delivery. For now, the general idea of how an email gets from one mail server to another suffices to understand the rest of the guide.

How it works

Basically, when person A wants to send an email to person B, the following happens:

A composes a message. That message travels through several systems to reach B. On its way, the message is wrapped in a digital envelope: the SMTP session in which the sending server states who the message is from (the MAIL FROM address) and who it is for (the RCPT TO addresses). B's mail server reads the envelope, discards it (at most leaving a trace in a Return-Path header) and hands the message itself to B. In this story, the envelope plays a crucial role.

Think of a paper letter. What is written on the envelope does not have to match what is written on the letter inside. Email works the same way. In your mailbox you see a 'From' address and a 'To' address; that is the letter. The envelope may name completely different addresses: it could say 'From A to B and C' while the message inside says 'From C to B'. The problem is that the recipient (B) never sees the envelope. With a paper letter you would notice the mismatch; with email you would not. That is the opening for email abuse.
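The envelope and letter described above, made concrete. This is an added example (not code from the guide or from Flowmailer): a constructed SMTP session in which the envelope names one sender and two recipients while the message inside names a different sender and only one recipient. The parser separates the two so they can be compared the way a receiving server could, and the domains in it are hypothetical.

```python
import email
from email import policy

# Constructed SMTP session (not captured from a real server): client lines are
# prefixed "C:", server replies "S:". Envelope and message disagree on purpose.
TRANSCRIPT = """\
S: 220 mx.example.net ESMTP
C: EHLO relay.attacker.example
S: 250 mx.example.net
C: MAIL FROM:<bounce@attacker.example>
S: 250 2.1.0 OK
C: RCPT TO:<bob@example.net>
S: 250 2.1.5 OK
C: RCPT TO:<carol@example.net>
S: 250 2.1.5 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Example Bank" <alerts@example-bank.example>
C: To: bob@example.net
C: Subject: Please confirm your account
C:
C: Dear customer, please confirm your details at the link below.
C: .
S: 250 2.0.0 OK queued
C: QUIT
S: 221 Bye
"""


def _angle_addr(command):
    """Pull the address out of 'MAIL FROM:<addr>' or 'RCPT TO:<addr>'."""
    return command[command.index("<") + 1:command.index(">")]


def parse_session(transcript):
    """Return (envelope, message): the SMTP envelope and the parsed RFC 5322 message."""
    envelope = {"mail_from": None, "rcpt_to": []}
    data_lines, in_data = [], False
    for line in transcript.splitlines():
        if not line.startswith("C:"):
            continue  # server replies carry no sender or recipient identifiers
        cmd = line[2:]
        if cmd.startswith(" "):
            cmd = cmd[1:]
        if in_data:
            if cmd == ".":
                in_data = False
            else:
                # a line starting with a dot is doubled on the wire (dot-stuffing)
                data_lines.append(cmd[1:] if cmd.startswith("..") else cmd)
            continue
        upper = cmd.upper()
        if upper.startswith("MAIL FROM:"):
            envelope["mail_from"] = _angle_addr(cmd)
        elif upper.startswith("RCPT TO:"):
            envelope["rcpt_to"].append(_angle_addr(cmd))
        elif upper == "DATA":
            in_data = True
    message = email.message_from_string("\n".join(data_lines), policy=policy.default)
    return envelope, message


def compare_identities(transcript):
    """What the server saw (envelope) next to what the recipient sees (headers)."""
    envelope, message = parse_session(transcript)
    header_from = message["From"].addresses[0].addr_spec
    header_to = [a.addr_spec for a in message["To"].addresses]
    return {
        "envelope_from": envelope["mail_from"],
        "header_from": header_from,
        "envelope_to": envelope["rcpt_to"],
        "header_to": header_to,
        "sender_mismatch": envelope["mail_from"].split("@")[1] != header_from.split("@")[1],
    }


if __name__ == "__main__":
    for key, value in compare_identities(TRANSCRIPT).items():
        print(f"{key:16} {value}")
```

Bob's mail client shows "Example Bank", yet the only sender the receiving server ever saw on the envelope was bounce@attacker.example, and Carol received a copy although the To header does not mention her. The authentication mechanisms later in this guide exist to close exactly this gap.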

The issues with email delivery

  • How the difference between what you see and what you get is misused
  • The (in)ability of mail servers to distinguish SPAM from HAM
  • The creativity of cyber criminals and how they persuade people

Vulnerable emails

The basic email protocol (SMTP) has no mechanism for authentication at all, which makes forgery easy. Now that you know there is a difference between what you see and what you get, you may already have figured out how to forge an email yourself: a message carries two 'from' addresses, one on the envelope and one in the message, and either can be forged. Scammers prefer to forge the address on the 'letter', the From header the recipient reads, rather than the one on the envelope. In a basic email, the recipient believes the message comes from their bank, while the receiving mail server only ever sees the scammer's own address on the envelope.

The same protocol does not check the contents of the email either. Nowadays email service providers do verify some content, but not all, which raises the question whether we, the people, would want ESPs to inspect all of the contents of all of our emails.

The latter makes it difficult for ESPs to distinguish SPAM from HAM.

SPAM is unsolicited email from unknown senders; HAM is legitimate email from legitimate senders. The term supposedly goes back to Monty Python's memorable sketch ("I don't like spam!"), referring to the canned meat.

Everybody prefers ham over spam. But because we agree that ESPs should not read email contents thoroughly, spam is still very much alive. And spam is not the only thing alive and kicking: annoying as it is, spam is fairly harmless compared to the other things cybercriminals do with forged sender addresses.

Email spoofing

With missing or poorly configured authentication, it is easy for someone to send email to unsuspecting recipients while pretending to be you. That is email spoofing, and a spoofed sender address opens a world of villainous possibilities.

Back to spam: spoofing lets a spammer send illegitimate email under a legitimate sender address. This so-called Joe job produces a high complaint rate against the legitimate address, which then ends up on a blacklist. The real owner of the address has no idea what is going on, sends only valid email, and still lands in the spam folder because of the Joe jobber.

Here the victim is not the person the email is sent to but the person whose address was used. A Joe job exploits the universal hatred of spam, tempting recipients to mark a valid sender address as unwanted.

Phishing for details

More often the recipient is the intended victim. Schemes like the Nigerian Prince (or the older Spanish Prisoner) are well known, yet people still fall for them; the method produces thousands of victims a year and rakes in $700,000 annually. Another 'effective' scam is phishing, where the sender poses as a bank to obtain login details, credit card numbers and so on. Despite its presence in the media, phishing still works. Moreover, media coverage focuses on awareness among recipients, while phishing should be prevented at the source, by the domain owner. Phishing is not confined to banking. Most sectors are exposed, because phishers are after your customers' personal data or money, so every organization whose email is not well protected is vulnerable.

Another (rather old) method is the chain email. Back in the day, people tended to believe they had received a message from a well-known person asking them to forward it to make something happen or to prevent it. Some were harmless; others spread hoaxes or led people into money scams.

Spreading viruses

On a larger scale, email spoofing was and still is used to distribute viruses and worms. Spoofed sender addresses speed up the spread of both: people trust a 'known' source and are more likely to open a malicious attachment, such as an .exe file disguised as a .pdf. Effective countermeasures make this kind of spoofing of your domain far harder.

Ending up on a blacklist

When your email suddenly stops reaching the inbox although you have never sent spam and your complaint rates are minimal, you may have ended up on a blacklist. Blacklisting (as opposed to whitelisting) happens when an IP address or server is believed to send spam, and it means your email can no longer be delivered. So if you share an IP address with a notorious spammer, you go down with him.

The chances of this happening are small, but if it does, you want to know what to do:

See what you can do when on a blacklist

Between the blacklist and the whitelist sits the greylist. MTAs greet one another at the start of every SMTP session, and greylisting happens when the receiving server does not recognize the combination of sending server, sender and recipient: it answers with a temporary failure (a 4xx SMTP reply), refusing or delaying the message for now. Recognizing a sender is crucial to deciding whether it can be trusted.

A healthy mail server queues the message and retries later, at which point it is accepted. Spamming scripts that fire off messages without a proper mail queue usually never retry, so for them greylisting means the message is simply never delivered.

Countermeasures

  • The meaning and use of SPF, DKIM, DMARC

The antidotes called SPF, DKIM, and DMARC

As the basics of email transfer do not protect your domains from abuse, several technical countermeasures have been developed over the years. Earlier, this guide described the difference between what you see and what you get, and how cybercriminals misuse it. To protect your domains from spoofing, SPF is the first protocol to apply.

The Sender Policy Framework

The Sender Policy Framework (SPF) checks whether the server that delivers a message is allowed to send mail for the domain named on 'the envelope' (the MAIL FROM address, later visible as Return-Path). The domain owner publishes, as a TXT record in the Domain Name System (DNS), the IP addresses and servers that may send on the domain's behalf. If the connecting IP address is not among them, SPF fails. That failure is the first hint for a receiving mail server that the incoming email might be spoofed or spam.

'Might', because the email could still be legitimate. SPF records are hard to keep up to date: large brands change service providers and add email streams all the time. When the record lags behind and legitimate streams are missing from it, a strict record (ending in -all) would cause legitimate email to be discarded. Nobody wants that, and mailbox providers know it. Forwarding has the same effect: the forwarding server is not in your SPF record, so a perfectly genuine message fails SPF on arrival.

That is why SPF on its own does not suffice: only a few mailbox providers reject email purely on an SPF failure. Moreover, SPF only checks the envelope, and the recipient never sees the envelope, only the message. With SPF alone the envelope is verified, but the From header the recipient reads can still be forged, so scammers can still pretend to be who they are not. That is where DKIM comes in.
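The SPF check described above, as an added example that is not part of the original guide: a small evaluator for the mechanisms most records actually use (ip4, ip6, a, mx, include, redirect= and all) run against a constructed in-memory DNS table, so it works offline. The zones, addresses and records in it are hypothetical; macros, exp= and the HELO check are left out. It also enforces the ten-lookup limit from RFC 7208, which is what turns an include loop into a permanent error rather than an endless recursion.

```python
import ipaddress

# Constructed DNS data for hypothetical zones (not real records). TXT holds the
# SPF policies, A and MX the host data the "a" and "mx" mechanisms need.
DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
        "loop.example": "v=spf1 include:loop.example -all",
    },
    "A": {"example.com": ["192.0.2.1"], "mail.example.com": ["203.0.113.5"]},
    "MX": {"example.com": ["mail.example.com"]},
}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on a, mx, include and redirect terms
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _hosts_match(ip, hostnames):
    return any(ip == ipaddress.ip_address(a) for h in hostnames for a in DNS["A"].get(h, []))


def check_spf(domain, sender_ip, lookups=None):
    """SPF result for a connection from sender_ip whose MAIL FROM uses `domain`."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = [0] if lookups is None else lookups    # counter shared across include/redirect
    record = DNS["TXT"].get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term.split(":")[0]:
            continue                                   # other modifiers (exp=) are ignored
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").lower().partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = _hosts_match(ip, [target])
            elif mech == "mx":
                matched = _hosts_match(ip, DNS["MX"].get(target, []))
            else:
                sub = check_spf(target, sender_ip, lookups)
                if sub in ("none", "permerror"):
                    return "permerror"
                matched = sub == "pass"                 # include matches only on a pass
        else:
            return "permerror"                         # unknown mechanism
        if matched:
            return RESULT[qualifier]
    if redirect is not None:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_spf(redirect, sender_ip, lookups)
    return "neutral"                                   # nothing matched and no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.77", "203.0.113.5", "198.51.100.10", "2001:db8::1", "203.0.113.99"):
        print(f"example.com from {ip}: {check_spf('example.com', ip)}")
    print("loop.example:", check_spf("loop.example", "203.0.113.99"))
```

To try it against a real domain, replace the entries in the DNS table with the answers to dig +short TXT <domain> (and the A and MX lookups the record refers to); the 203.0.113.99 case shows what a -all record does to a server you forgot to list.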

DomainKeys Identified Mail

Once the mail server opens the envelope, only the message is left. DomainKeys Identified Mail (DKIM) lets the sending domain put a digital signature on the message, carried in a DKIM-Signature header and covering selected headers and the body. The receiving server can then verify that a system holding the domain's private key signed exactly this message, and that it has not been altered since.

Without getting too technical: the signature travels inside the message, and the matching public key is published in DNS under the signing domain, at a name of the form <selector>._domainkey.<domain>. By verifying the signature against that key, the receiving server can tell that the email has not been tampered with. Some providers, however, sign all their customers' mail with one shared key and never rotate it. If that key is also short (512-bit RSA keys have been factored in practice), anyone who recovers the private key can sign as you. So publish keys of at least 1024 bits (2048 is the common choice today) and rotate them now and then. DKIM, like SPF, is of limited use on its own, but together with DMARC they provide real protection.
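A check for the weak-key problem just described, as an added example that is not code from the guide or from Flowmailer. It parses a DKIM key record as fetched from <selector>._domainkey.<domain>, walks the DER-encoded public key to measure the RSA modulus, and flags short keys, the t=y testing flag and an empty p= (a revoked key). The key material is constructed: a synthetic modulus of a chosen size wrapped in a correct SubjectPublicKeyInfo encoding, not a real key pair, which is all the size check needs.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption


# Minimal DER helpers, enough for an RSA SubjectPublicKeyInfo.
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # keep the INTEGER positive
    return _tlv(0x02, body)


def _read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def fake_rsa_spki(bits, exponent=65537):
    """Constructed SubjectPublicKeyInfo with a synthetic modulus of `bits` bits.

    The modulus is not a product of two primes; it only has the right size and
    encoding, which is all the record check below looks at."""
    modulus = (1 << (bits - 1)) | 0x1234567890ABCDEF
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki_der):
    """Walk a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    _, spki, _ = _read_tlv(spki_der)
    _, algorithm, pos = _read_tlv(spki)
    _, oid, _ = _read_tlv(algorithm)
    if oid != RSA_OID:
        raise ValueError("not an RSA public key")
    _, bit_string, _ = _read_tlv(spki, pos)
    _, rsa_public_key, _ = _read_tlv(bit_string[1:])  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def assess_dkim_record(txt, minimum_bits=1024):
    """Findings for one DKIM key record as fetched from <selector>._domainkey.<domain>."""
    tags = parse_dkim_record(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unknown record version " + tags["v"])
    if tags.get("k", "rsa") != "rsa":
        return {"bits": None, "findings": findings + ["non-RSA key (%s), not measured here" % tags["k"]]}
    if tags.get("p", "") == "":
        return {"bits": 0, "findings": findings + ["empty p= tag: key revoked, signatures will not verify"]}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    if bits < minimum_bits:
        findings.append("%d-bit RSA key is below the %d-bit minimum" % (bits, minimum_bits))
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is in testing mode, verifiers may ignore failures")
    return {"bits": bits, "findings": findings}


def make_record(bits, extra=""):
    """Constructed DKIM TXT record around a synthetic key, for trying the check."""
    public_key = base64.b64encode(fake_rsa_spki(bits)).decode()
    return "v=DKIM1; k=rsa; " + extra + "p=" + public_key


if __name__ == "__main__":
    for record in (make_record(2048), make_record(512), make_record(1024, "t=y; "), "v=DKIM1; k=rsa; p="):
        print(assess_dkim_record(record))
```

Against a real selector, feed it the concatenated strings of dig +short TXT <selector>._domainkey.<domain>; a 2048-bit key with no findings is what you want to see.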

The missing link called DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) tells the world you take your email security seriously. It helps you deliver legitimate email and protects your customers from phishing.

DMARC ties the two checks above to the address the recipient actually sees. The domain owner publishes a record (a TXT record at _dmarc.<domain>) stating that SPF and/or DKIM are in use and what a receiving server should do with email that fails. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the domain in the From header: the envelope domain SPF checked, or the DKIM signing domain (the d= tag), must match the From domain, or in relaxed mode share its organizational domain. That closes the gap SPF leaves open: a scammer can send from his own domain with a perfectly valid SPF record and his own DKIM key, but neither aligns with the From address he is forging, so DMARC fails and the receiver applies your policy.

DMARC gives the domain owner three options: tell receiving servers to do nothing with failing email (p=none), to quarantine it (p=quarantine, typically the spam folder), or to reject it outright (p=reject). To be sure your domains are protected from phishing, spoofing and scamming, a reject policy is required.

Even today, most businesses do not publish a DMARC record, and most of those that do use a none policy. That policy still has a use: it delivers aggregate reports (sent to the address in the rua= tag) showing which servers send mail under your domain, legitimate or not, which is what you need before tightening to quarantine and reject. On its own, though, it blocks nothing.
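The alignment and policy logic described in this section, as an added example that is not part of the original guide. It takes the outcomes of the SPF and DKIM checks as inputs (those are separate evaluations), decides whether either one aligns with the visible From domain, and applies the policy from a constructed _dmarc record for hypothetical domains. The organizational domain is derived with a two-label rule instead of the Public Suffix List, and the pct= sampling tag is not applied.

```python
# Constructed DMARC records for hypothetical domains, keyed by the _dmarc name.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=s; "
                          "rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org",
}


def org_domain(domain):
    """Organizational domain. Stand-in for the Public Suffix List: the last two
    labels, which is right for .com and .org but wrong for e.g. co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(txt):
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def lookup_policy(from_domain):
    """DMARC record for the From domain, falling back to its organizational domain.

    Returns (tags, found_at_org_domain), or (None, False) when there is no record."""
    txt = DMARC_TXT.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_dmarc(txt), False
    org = org_domain(from_domain)
    if org != from_domain.lower() and "_dmarc." + org in DMARC_TXT:
        return parse_dmarc(DMARC_TXT["_dmarc." + org]), True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(header_from_domain, mail_from_domain, spf_result, dkim_results):
    """dkim_results: list of (signing domain from d=, verification result).

    Returns the DMARC result and the disposition the receiver should apply."""
    tags, at_org = lookup_policy(header_from_domain)
    if tags is None or tags.get("v") != "DMARC1":
        return {"result": "none", "disposition": "none", "via": None}
    spf_ok = spf_result == "pass" and aligned(header_from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(header_from_domain, d, tags.get("adkim", "r"))
                  for d, result in dkim_results)
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none", "via": "spf" if spf_ok else "dkim"}
    # sp= covers subdomains when the record was found at the organizational domain
    policy = tags.get("sp", tags.get("p", "none")) if at_org else tags.get("p", "none")
    return {"result": "fail", "disposition": policy, "via": None}


if __name__ == "__main__":
    # Constructed scenarios: own servers, an ESP signing with the customer's key,
    # a spoof that passes SPF and DKIM for the attacker's domain, a subdomain.
    print(evaluate_dmarc("example.com", "example.com", "pass", [("example.com", "pass")]))
    print(evaluate_dmarc("example.com", "bounce.mailer.example", "pass", [("example.com", "pass")]))
    print(evaluate_dmarc("example.com", "attacker.example", "pass", [("attacker.example", "pass")]))
    print(evaluate_dmarc("news.example.com", "example.com", "pass", []))
```

The third scenario is the one that matters: the attacker's SPF and DKIM both pass for attacker.example, but nothing aligns with example.com, so the message fails DMARC and the receiver is told to reject it. The fourth shows aspf=s at work: mail for news.example.com sent from the bare example.com envelope is not strictly aligned and, with no DKIM signature, falls under the sp=quarantine subdomain policy.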

See how secure your domain actually is

By now you should realize the importance of a secured email domain, and that most companies still fail to take active countermeasures against the abuse of their domains. It is fair to ask whether your own company, or the webshop you buy your clothes from, falls short in email security. A first check needs nothing more than a DNS lookup: the SPF policy is a TXT record on the domain itself, the DKIM public keys live at <selector>._domainkey.<domain>, and the DMARC policy is a TXT record at _dmarc.<domain>.

Start securing your email domains

Stop taking spam for granted and start actively defending your email domains against criminal activity, because in this fight it is not only you who suffers the consequences of poorly executed countermeasures, but your customers as well. With Flowmailer, you are covered by SPF, DKIM and DMARC compliance. This way we make sure you hit the inbox as you intend, while keeping spam and other cybercrime out.

Start your 30-day free trial now.