Email Authentication Methods

Emails come with the sender's From address, but the truth is you can send an email with any address on it. Spammers, scammers and attackers take advantage of this when they send out their junk mail. There are a number of technical solutions available today for verifying that an email is coming from where it purports to come from, including SPF, DKIM and DMARC. Each comes with its own challenges.

SPF (Sender Policy Framework)

SPF is a system for publishing a policy for your domain, listing the computers authorized to send emails. It is a system for detecting email spoofing by providing a mechanism to allow receiving mail servers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published as a DNS record for that domain. SPF records can even be configured with a policy that asks mail servers to reject messages from your domain that come from servers not listed in your SPF record.

The main challenge in implementing SPF is being careful to include ALL mail servers that may relay email messages on your behalf. It is easy to forget a newsletter bulk mailer, a mail form on a supporting blog, a home internet connection, or other legitimate sources of email from your domain. In addition, your SPF records have to be maintained as your mail and web servers move around.
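To make the mechanics concrete, here is an added example (not from the original article) of a minimal SPF evaluator in Python. The DNS zone is a constructed in-memory table rather than a live lookup, and the address 203.0.113.5 stands for a bulk mailer that was never added to the record, so the "-all" policy rejects it.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record (no network access).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_spf(domain, sender_ip, lookups=None):
    """Evaluate sender_ip against the SPF record published for domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports ip4, ip6, include and all; mechanisms that need live DNS
    (a, mx, exists, ptr) are not modelled and yield permerror here.
    """
    lookups = lookups if lookups is not None else [0]
    record = ZONE.get(domain)
    if record is None:
        return "none"  # no SPF record published for this domain
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides the final result
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"  # e.g. an IPv6 range under ip4:
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS lookups
            sub = check_spf(arg, sender_ip, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # a broken include poisons the whole record
        else:
            return "permerror"  # a, mx, exists, ptr need live DNS (not modelled)
    return "neutral"  # record ran out without a matching mechanism
```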

DKIM (DomainKeys Identified Mail)

DKIM is an email authentication method designed to detect email spoofing. It allows the receiver to check that an email claimed to come from a specific domain was indeed authorized by the owner of that domain. DKIM works by publishing a cryptographic public key as a DNS record. Your outgoing mail server must be configured to use the corresponding private key to sign outgoing messages. An email with a verified DKIM signature can be trusted to have been authorized by the owner of the domain, and also not to have had the signed parts altered during transport.

Care must be taken with DKIM to ensure that all outgoing messages are routed through the mail server that holds the private key, or unsigned messages may be sent.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is built on top of SPF and DKIM. It allows the owner of a domain to publish a policy on which mechanism (DKIM, SPF or both) is employed when sending email from that domain and how the receiver should deal with failures. Additionally, it provides a reporting mechanism of actions performed under those policies. It is an email-validation system designed to detect and prevent email spoofing. It provides a mechanism which allows a receiving organization to check that incoming mail from a domain is authorized by that domain's administrators and that the email (including attachments) has not been modified during transport.

Since it relies on SPF and DKIM, DMARC includes all of the dangers and drawbacks of both. It is therefore fairly complex and fraught with opportunities to have your legitimate emails rejected by mistake.