It goes without saying that if you are a legitimate business, email authentication is vital to secure your brand and online reputation.
Email authentication is, quite simply, a way to prove an email is not forged. It has been around for years, and today all ISPs and even corporate email servers use it to control inbound spam. This means that if email marketers want to reach the inbox of their intended recipient, they have to work smartly to ensure their emails are authenticated. ISPs have an ever-expanding set of policies regarding email authentication, and email marketers constantly have to adapt and adopt new techniques and best practices to stay ahead of their game and on the right side of the law. As for the ISPs, they simply want to rid their networks of spam, which is also a constant task for them.
Spammers like to employ a wide range of tactics to swindle unsuspecting customers out of their personal details, banking details and/or money. A common tactic is email forgery, whereby it looks as though an email has come from a certain domain/source (such as your bank), but it’s actually sent from another source. Often, one doesn’t realize it’s a false website until they have entered their personal details. This type of spamming is called phishing, and a few years ago it caused major problems for email marketers worldwide, who had their email lists hacked and spammed to no end.
IP-based and cryptographic solutions are the two types of authentication that ISPs use to battle email forgery. SPF and Sender ID are IP-based solutions and Domain Keys is a cryptographic solution.
So how do they work?
Sender Policy Framework (SPF) authenticates the envelope HELO and MAIL FROM identities by comparing the sending mail server’s IP address to the list of authorized sending IP addresses published by the sending domain’s owner in a DNS record. If the IPs don’t match, then the email isn’t actually from that website and your ISP can choose to mark it as spam, or not deliver it to you. Many providers such as AOL, Google, Hotmail and Verizon, to name a few, use SPF.
Engineered by Microsoft, Sender ID is based on SPF and addresses the same issue of email forgery by authenticating a different part of the email message. This is done by using an algorithm to determine the Purported Responsible Address (PRA) for an email message and then validating that address against the website’s Sender ID record, proving that the message came from the indicated sending domain. Both Hotmail and Windows Live Mail use this type of authentication.
With Domain Keys, a website will generate two ‘keys’ – one private and one public. While the public key is similar to SPF and Sender ID records in that it’s available for everyone to see, the private key is only available to the website’s email servers. Basically, when an email is sent, the private key is used to sign it and the signature is put into the message headers, so when your ISP receives the message it checks that signature against the public key to ensure that the email does in fact come from where it states it’s from. Yahoo! and Gmail both use this form of authentication.
While these methods certainly make it harder to forge emails, they can also be more difficult for the sender and receiver to apply. Not all ISPs use the same technology to authenticate incoming messages, so until a standard is set, it’s best to use all three if you want to ensure that you get the best email deliverability possible. You should also check that your email marketing service provider utilizes all three methods too.