naturalnews.com printable article

Originally published June 1 2007

Q&A: What is email authentication and how is it currently affecting my email delivery?

by Arial Software

Answer: Many legitimate email marketers and Internet ecommerce professionals are encouraging the implementation of email authentication standards to combat unsolicited bulk email (read: spam and phishing emails) that impinges on legitimate bulk email campaigns.

Email authentication verifies the identity of the source computer sending the email, matching the sender of the message to the domain that the email message is purportedly coming from. Currently, there are two common types of authentication enjoying widespread use: Sender Policy Framework (SPF) and DomainKeys.

SPF

Sender Policy Framework or SPF is an extension of Simple Mail Transfer Protocol (SMTP), the current standard for sending email. SPF was designed to address email spoofing, a spammer practice of forging an email sender's address, by verifying information from the email message "envelope," mainly the return-path email address. Like a postal mail envelope, the email message envelope describes who the email message is from, and to whom it is going.

The result of checking the SPF record, which is held on the Domain Name System (DNS) server responsible for a particular web domain, determines the message status (pass, fail, softfail, etc.) that is subsequently passed to the recipient mail server.

The SPF record specifies which email servers are allowed to send email for a particular domain. The DNS server manages the records for the network of computers connected to a domain. These include the "A" record, which indicates the web server for that domain, a pointer record (PTR) that manages the reverse DNS lookups, and mail exchange (MX) records, which are the mail servers responsible for delivering email for the domain. SPF simply performs a check on one or more of these computers to verify their status to the recipient mail server. In other words, it authenticates them.
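How a receiving server turns an SPF record into a status, as an added example that is not part of the original article. The zone data, domain names and addresses are constructed, the function names are hypothetical, and only the plain ip4, a, mx and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (example.com is a reserved name).
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/28 a mx ~all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
}

# Qualifier in front of a mechanism -> status reported when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Hypothetical resolver: answers only from the constructed ZONE table."""
    return ZONE.get((name.lower(), rtype), [])


def check_spf(client_ip, return_path):
    """Evaluate the return-path domain's SPF record for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    domain = return_path.rsplit("@", 1)[-1]
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"            # domain publishes no SPF record
    if len(records) > 1:
        return "permerror"       # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"          # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(str(ip) in lookup(h, "A") for h in hosts)
        else:
            return "permerror"   # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and the record has no "all"
```

Mechanisms are tried left to right and the first match decides the status, which is why the catch-all `~all` goes last.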

SPF by itself does not prevent spam (the recipient mail server reads the information in the SPF file, then makes a delivery determination based on the status); however, there are many larger ISPs using SPF for authentication, including MSN and Gmail. The way to tell for sure if SPF is being used is to look for the SPF status in the email headers. A typical response from a server with SPF implemented may have a header that looks like this:

Received-SPF: pass

DomainKeys

DomainKeys is an authentication system independent of the SMTP protocol and deals with email headers, which are outside the message envelope. DomainKeys was designed to identify email spoofing and does not directly prevent abusive behavior, but it does make such behavior easier to track. Yahoo! implemented DomainKeys in 2004 for its outbound email, and since 2005 has tracked incoming keys.

To implement DomainKeys, the SMTP server operator specifies a public/private key pair. The public key is located on the DNS server, and the private key is configured on the SMTP server. When sending emails, the SMTP server checks in with the DNS server, and if verified, adds a DomainKeys signature to the message headers. The receiving server then reads the signature and checks the public key on the DNS server to verify the signature. It then uses that information to apply a rule or deliver the email to the final recipient. If there is no match, the message can be ignored, since it is apparently a spoof.

When Yahoo! receives an email that doesn't have a key pair specified, it will simply indicate in the message header a neutral domain key signature. Yahoo! could eventually reject email messages that are not digitally signed, but currently it delivers neutrally signed messages. To determine if a server implements DomainKeys, look at the full headers of the email received. A typical DomainKeys header looks like this:

Authentication-Results: mail.someisp.com from=email.somedomain.com; domainkeys=pass (ok)
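Reading the SPF and DomainKeys status out of a message's full headers, as described in both sections above. This is an added example, not part of the original article: the message and the relay hostname are constructed, and `auth_status` and its `trusted_server` parameter are hypothetical names.

```python
import re
from email import message_from_string

# Constructed message; the first two header values follow the article's examples,
# the third was added upstream by a server the recipient does not control.
RAW = """\
Authentication-Results: mail.someisp.com from=email.somedomain.com; domainkeys=pass (ok)
Received-SPF: pass
Authentication-Results: relay.other.example; domainkeys=pass
From: news@email.somedomain.com
Subject: June newsletter

Hello
"""

METHODS = ("spf", "domainkeys")


def auth_status(raw, trusted_server):
    """Return {'spf': ..., 'domainkeys': ...} as recorded by trusted_server."""
    msg = message_from_string(raw)
    status = dict.fromkeys(METHODS, "not checked")
    for value in msg.get_all("Received-SPF", []):
        words = value.split()
        if words:
            status["spf"] = words[0].lower()
        break                    # topmost header was added by the latest hop
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        words = server.split()
        # Any server or sender can add this header; count only our own server's.
        if not words or words[0].lower() != trusted_server.lower():
            continue
        for method, result in re.findall(r"\b([a-z]+)=([a-z]+)", rest.lower()):
            if method in METHODS:
                status[method] = result
    return status
```

A result of "not checked" means the trusted server recorded nothing for that method, which is different from a recorded fail or neutral.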

Summary

Email message senders are responsible for implementing both SPF and DomainKeys at the SMTP server and DNS level, although neither authentication format is mandatory at this time. While these authentication policies are not required now, the more ISP email providers utilize these methods to determine legitimate email messages, the greater the impact they will have on email message delivery.

This article was authored by Arial Software, a developer of e-mail marketing newsletter software that sends personalized e-mails. For more information visit www.ArialSoftware.com




