Posted on Wednesday April 18th, 2012 by Simon Hill
This post was originally posted on the DMA Email Marketing Blog
I think most marketers have heard about email authentication and the use of Domain Keys Identified Mail (DKIM) and the Sender Policy Framework (SPF). If your using an email service provider then its likely that they will handle the authentication for you and you don’t need to worry. But why do emails need to be authenticated ?
Authentication wasn’t created to reduce spam, althought indirectly it does help, but it was designed to reduce the amount of phishing emails and emails with fake sending addresses. It is easy for anyone to send emails pretending to be from a particular domain and without authentication you have no way of knowing if the sender is valid or not. Authentication works using DNS (Domain Name Service) records. You can think of DNS as a giant phone book for the internet. To check if an email is authenticated the receiving email server will look in the phone book to verify details about the sender. Only the owner of the sending domain has the ability to change entries in the phone book (DNS records) which makes the authentication process secure.
Unfortunatley this does not entirely stop phishing emails. A spammer can easily purchase a domain very similar to the one he is trying to copy and then setup the authentication correctly. The emails will pass authentication and you may think nothing is wrong unless you look closely at the domain being used.
In January 2012 the new DMARC (Domain-based Message Authentication, Reporting & Conformance) standard was released and I have to admit I was a little confused to start with. People talked about it strengthening DKIM and SPF but didn’t understand how ? Then suddenly the penny dropped. DMARC is in essence a two way feedback loop for authentication.
Until now, the SPF and DKIM standards have lacked a communication loop between the sender and receiver. A sender has no way to tell the receiving ISP that emails from this domain are authenticated and any that aren’t should be quarantined or rejected. Conversely the receiving ISP also has no way of telling the sender that the emails it is receiving are passing or failing authentication. DMARC provides this communication mechanism and closes the loop between the sender who is authenticating messages and the receiver who is trying to interpret these records. DMARC, like DKIM and SPF is another DNS record that is added by the domain owner or administrator.
DMARC doesn’t change anything in the way the two authentication processes work but brings them together in one standard. To fail DMARC you need to fail both SPF and DKIM authentication. The feedback from the receiving ISP’s is in the form of an aggregate report. Currently we have only ever received reports from Gmail but hopefully Yahoo and others will follow soon. The report is sent daily in a zipped tar file and is in xml format. You can import the report into Excel so you can read it like a spreadsheet or use a website such as www.dmarcian.com to format the results. What is staggering about the report is the number of emails that are being sent from other mail servers pretending to be from domains under your control. You can enter the IP address of mail servers where the authentication is failing into www.projecthoneypot.org and immediately see if the address is a known spammer.
Authentication doesn’t help your emails find its way through the mine field of spam filters and smart inboxes but without it it is likely your emails will be rejected at the first hurdle. DMARC gives the sender a way of checking if emails are being authenticated correctly and what action the reciever should take if authentication fails.
You can learn more about DMARC at the website www.dmarc.org
Extravision is a privately owned UK-based email service provider founded in 2004, with a great ISP reputation ensuring high deliverability rates. We offer flexible email marketing solutions to both small and large businesses across all sectors.