A Short Guide to Email Authentication

Why Email Authentication is necessary

Telling legitimate and fake emails apart can be tough for unsuspecting recipients. These days, it almost requires a trained eye to spot the differences. Scammers use company design, tone-of-voice and sometimes even company domains to send fraudulous emails to gain personal information, access to databases, or money.

"[Email] spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source."
- HackerInside (2019)

Not only customers fall for this trick, employees do too. BBC reports a worldwide loss of 26 billion dollars worldwide between 2016 and 2019 to email fraud. Where customers are mostly duped for a few thousand dollars, business damage (CEO fraud) can costs millions.

Obviously, you don’t want yourself, your business, nor your customers to fall victim to such practices. If you don’t know how to defend yourself, though, you can’t take action. Let’s start with the basics of how email delivery works.

Email Delivery needs proper authentication

If you're not familiar with how email delivery works, a short introduction to the concept is needed. To do so, we're using a simple metaphor: an actual letter.

Basically, when someone (let's call them Andy) wants to send an email to another person (Ben), the following happens:

Andy composes the message. After hitting "Send", that message travels through different systems to reach Ben. Like a regular letter, the email's in a digital envelope. In the process of email delivery, Ben's mail server reads the envelope, discards it and lets Ben read the email Andy sent them. The envelope plays a crucial role here.

That's because the content of the letter does not necessarily have to match the envelope it's in. We know that in a mailbox, you see a 'From' address and a 'To' address. On the envelope, though, different addresses can be mentioned than in the actual message. The envelope could say: From Andy to Ben, while the letter could say 'From Claire to Ben'. The problem here is that the email recipient (Ben) can't see the envelope. Ben wouldn't know it's a fake email.

Standard old-fashioned email exchange (through SMTP) does not have any mechanism for authentication. This makes it easy for bad-willing people to do what they usually do: bad. And bad comes in many ways.

With poorly set authentication protocols, it is fairly easy for someone to send emails to unknowing recipients pretending to be you. That is what we call email spoofing. With a spoofed email address, a world of villainous possibilities opens.

1. Joe-jobbing: results in a high complaint rate for the legitimate sender address, making it end up on a blacklist. Joe-jobbing makes use of the universal hatred of spam, tempting recipients to mark a valid email address as 'unwanted'.
2. Chain Email: Another (relatively old) method is the chain email. Back in the days, people tend to believe they received emails from well-known individuals asking them to forward their messages to prevent or reach something. Some were harmless, but others helped hoaxes spread or made people fall victim to money scams.
3. Phishing: An 'effective' scam method in which the sender poses as a banker to retrieve banking information, credit card details, et cetera. Despite its current presence in the media, phishing is still often used to trick people in more sectors than just financial.
4. Virus Spreading: On a more global scale, email spoofing was and is still used to send viruses and/or worms. Spoofed email addresses accelerate the spreading of both. People tend to believe 'trustworthy' sources, making them likely to download a malicious attachment.

Authentication Methods to protect your email domain

As the basics of email transferring do not protect your domains from abuse, several technical countermeasures have developed over the years. Earlier, this guide mentioned the difference between what we see and what we get, and how cyber criminals misuse this.

To protect your domains from spoofing, there are three authentication methods that you can (read: should) apply. These are all set in Domain Name System (DNS) settings. If you're not familiar with DNS settings, read this comprehensible guide on GoDaddy.

1. The Sender Policy Framework

The Sender Policy Framework (or SPF) checks if the sender name mentioned on ‘the envelope’ matches the settings on the Domain Name Server (DNS). The DNS indicates specific IP addresses/servers that are allowed to send messages on its behalf. If the sending IP address does not match the one(s) named in the domains' DNS settings, SPF authentication fails.

SPF failure is the first hint for a receiving mail server that the incoming email might be spoofed.

"Might", because it is still possible that it’s a legitimate email. SPF records are challenging to keep up to date, since big brands tend to change service providers or add email streams frequently. When the SPF record is not up to date, but new legitimate email senders were added to the domain, there's a dilemma.

A strict SPF record would mean that these new emails are discarded. That’s not something you’d want, and ISPs know that. They can't reject an email based solely on SPF. Besides, only checking the envelope does not change the fact recipients can only see what is in the envelope. Spoofers can still pretend to be who they’re not, by writing their name on the email. That’s where DKIM kicks in.

2. DomainKeys Identified Mail

Once the mail server opens the envelope, the only thing left is the message. DomainKeys Identified Mail (or DKIM) is an email authentication method to validate that message. Using a digital signature, DKIM signs the content of an email to let the receiving mail server know it’s a legitimate message. This signature requires a cryptographic ‘key’. By checking this key, the receiving server is able to see if the email has not been tampered with.

There are, however, some providers that use the same DKIM signature for all their customers, never changing it. So if you're understanding this guide so far, you've probably figured that this situation is also very problematic. As with any password or code, they tend to get cracked. Using only one DKIM signature for your entire customer base for their entire life, is a-okay.

So it's crucial to change your key sometimes. But since both DKIM and SPF are not protective on their own, together with DMARC they provide better email protection.

3. Crushing fraud with DMARC

Domain-based Message Authorization, Reporting & Conformance, or DMARC for short, tells the world you're taking your email security seriously. This technique helps you deliver legitimate emails and protects your customers from phishing.

With a proper DMARC record, you're telling mail servers that it's allowed to reject all non-validated emails. DMARC enables the administrative (legitimate) owner of a domain to publish a record on his use of SPF and/or DKIM records, and what the receiving mail server should do when an email fails to conform to these records.  

Using DMARC gives the domain owner three options:

1. Do nothing; let the receiving mail server do nothing with invalid emails (none policy)
2. Place emails in quarantine; in some cases it's better to let emails go to spam than not arrive at all
3. Reject emails; eliminate any email that did not pass the SPF and DKIM check.

To be sure your domains are protected from any form of spoofing, a reject policy is required.

In this day and age, though, the majority of businesses doesn't use DMARC. Even if they do, most of them use a none policy. This policy can be functional for reporting and eliminating domains that aren't legitimate, but often it's not even used for that and is just a formality.

We can't stress the importance of good email authentication enough. With this guide, we're hoping to show you why it's necessary and how to take the first few steps in authentication.