
What is email authentication and why is it important?
- Anti-SPAM, DMARC, eDM, email, email authentication, email deliverability, email reputation, email scams, email sender check, ESP, phishing, spoof, trusted sender, trusted sender score
Email authentication acts like registered post. Email authentication is a series of technical tasks undertaken by domain administrators so that any receiving email server can verify the authenticity of inbound email with respect to the Mail-From (who addressed the envelope), the SMTP-FROM, known as the Return-Path (who delivered the email), and the email server (the vehicle) used to transport the email.
Why is email authentication important?
Email authentication is important for identifying sinister or unauthorized email and helps prevent email scams. Scammers SPOOF a domain (use a domain that is not their own) to send phishing emails and similar attacks. SPAM can also be identified when an email is not properly authenticated.
Let’s start with some key concepts.
Key Concept 1: Think of email authentication as registered post
When you send a letter via the postal service, the details of the intended recipient are placed on the front of the envelope. As the sender you typically (although it is optional) put your name and/or address on the back of the envelope for identification purposes. You then seal the envelope, place a stamp on the top corner and put the letter in the mailbox ready for collection. In email terms you are known as the MAIL-FROM.
You then rely on a third-party service such as Australia Post, Royal Mail or the US Mail to pick up the letter and deliver it, often via a mail relay when international borders are crossed. This is referred to in email as the SMTP-FROM (or return-path), because if the receiver does not want the mail and drops it back into a mailbox near the destination marked “Return To Sender” (RTS for short), the entire process runs in reverse. In email this is known as a “bounce-back”.
If you are the intended recipient, how do you actually know who the letter is from when you receive it? You don’t, because anyone could have posted it. There may be tell-tale signs such as handwriting, but you cannot be sure unless it was sent by registered post. If it was, you have peace of mind and can rely on the contents of the letter.
Without the mail being sent as registered post (email authentication), it is very easy to pretend to be a person or organization (called spoofing) familiar to the intended recipient, for malicious or criminal purposes.
Email, as described in this article, behaves very similarly to traditional mail. A key difference is that many email users are not aware that a second email address (the return-path) exists and can differ from the sending email address. That is where problems arise: the domain used to deliver the mail is often not authorized to do so and is not the same domain as the one in the sender’s email address or MAIL-FROM. Creating such a SPOOF takes seconds for an email professional.
Email authentication gives receiving postmasters a mechanism to check that the sender (MAIL-FROM) and the software creating the email are permitted to use the sending agent to deliver it. If authentication fails, the email should be bounced, disregarded and reported back to the postmaster of the domain.
Until DMARC (Domain-based Message Authentication, Reporting & Conformance), the latest email authentication protocol and now the standard, it was impossible to truly authenticate an email: the two pre-existing methods, SPF and DKIM, did not force alignment between the SMTP-FROM and MAIL-FROM addresses. In fact, email scammers could leverage those protocols through email service providers to increase their effectiveness, which allowed for more SPAM and SPOOF attacks.
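As an added illustration of the alignment check and the bounce/disregard/report decision described above (example code written for this page, not from the original article or the Zulu tools): a constructed message whose visible From domain differs from its Return-Path and DKIM signing domain is evaluated against a constructed DMARC record. The terms MAIL-FROM and SMTP-FROM follow the article's usage, the DMARC record is assumed rather than looked up in DNS, and the real SPF and DKIM verification results are stand-in parameters.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the page): the visible From domain and
# the Return-Path domain differ, the usual shape of a spoof.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.net>
From: "Accounts" <accounts@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel; bh=XXXX; b=YYYY

Please pay the attached invoice.
"""
# Constructed DMARC TXT record for example.com (assumed; no DNS lookup is done).
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com"

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Crude organisational domain: last two labels (enough for example.com)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, other_domain, mode):
    """Identifier alignment: 's' is an exact match, 'r' the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == other_domain.lower()
    return org_domain(from_domain) == org_domain(other_domain)

def dmarc_evaluate(raw, record, spf_pass=True, dkim_pass=True):
    """Return (spf_aligned, dkim_aligned, disposition) for a raw RFC 5322 message.
    spf_pass/dkim_pass stand in for the real SPF and DKIM verification results."""
    msg = email.message_from_bytes(raw)
    tags = parse_dmarc(record)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]        # the article's MAIL-FROM
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1]   # the article's SMTP-FROM
    match = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = match.group(1) if match else ""
    spf_ok = spf_pass and aligned(from_domain, rp_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and bool(dkim_domain) and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    # DMARC passes when either authenticated identifier aligns; otherwise p= applies.
    disposition = "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
    return spf_ok, dkim_ok, disposition
```

For the sample message the result is a reject disposition, which is what the receiving postmaster would then report back via the rua address.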
Key Concept 2: Inbound and Outbound Email
If you protect your domain from SPOOF attacks, receivers of email from your domain can trust its content. The same applies to email you receive: if email can be identified as trustworthy, your organization becomes more efficient and less prone to business email compromise attacks.
To help organizations adopt and understand this and other key email trust metrics, we developed our Trusted Sender Score & Trusted Sender Network program to help email users such as staff, clients and any general email user easily identify safe email. Protecting your inbound mail servers and staff from unauthenticated email is a vital step in the process.
Key Concept 3: With authentication comes accountability
Once authenticated, the email you send will be analyzed by the receiving mail providers and rated against more than 1400 permutations of known email sending metrics. Your domain is then assigned a reputation, and this reputation determines whether your email is delivered and where it is delivered to. If your reputation is poor too often, your domain may be blacklisted permanently, which could be a disaster. So it is important to use a tool like the Zulu Automated Email Reputation Manager and the Zulu Trusted Email Network & Gateway to handle the bulk of the tasks required to maintain the highest possible reputation.
More Email Authentication Resources
Trusted Sender Score
https://zuluedm.com/trusted-sender
https://zuluedm.com/trusted-sender/about-trusted-sender-score.php
https://zuluedm.com/trusted-sender/trusted-sender-score-metrics.php
Trusted Sender Program
https://zuluedm.com/tools (primarily to aid organisations)
https://zuluedm.com/trusted-sender/1.0/ultimate-dmarc-project-guide.php
Research
https://zuluedm.com/trusted-sender/dmarc-anti-spoof-adoption-statistics