One of the most basic elements of our work at Return Path is ensuring that clients use best practices in their email delivery processes. A common recommendation we give is to implement email authentication. Email authentication has two primary benefits: It stymies forgery of email messages and allows senders to build a positive reputation with receivers based upon their mailing behavior. Yet many companies, particularly small ones, have never heard of email authentication — and those who have heard of it have not yet initiated a project to implement it.
How does email authentication work? The most common schemes today — SPF, SenderID, and DomainKeys — use the Domain Name System (DNS) to publish “records.” Each record, which is available to the entire Internet community, details the specific machines that are authorized to send mail for a specific email domain.
Before a message arrives in a user’s email inbox, the receiving email server can attempt to verify that the mail is coming from an authorized source by checking email authentication records. Suppose a spammer forges your domain in his spam message. Unless he has hacked your network (a different, and bigger, problem) he is transmitting messages from IP addresses different from yours. When he sends his forged message, a receiver who checks for email authentication records will query for your domain’s records in DNS to determine your authorized mail sending hosts. Since your records won’t include the spammer’s IPs, the receiver can now take greater precautions in handling the message: rejecting it outright, subjecting it to spam-filtering technologies, or directing it straight to a junk folder.
In brief, here’s how to implement email authentication:
Step 1. Find the authentication scheme best suited to your needs. You can find detailed information about the three dominant schemes on the following Web sites:
It is also a good idea to coordinate with your IT group early in this process. They are likely to be familiar with the specifications and can help in planning the process and publishing your records once you’ve built them.
Step 2. Take inventory of systems that send your mail. Identify all machines that send mail on your behalf, which includes all internal and external systems — from corporate mail servers to third parties authorized to send mail on behalf of your company. Once you identify these senders, you need to obtain the IP addresses and host names for each. Be sure to consider the following potential sources:
Step 3. Create your authentication records. There are excellent online tools available for creating valid SPF and Sender ID records. The following wizards can assist you:
DomainKeys differs slightly in that it requires you to create a public and private encryption key pair for your record. The public key is then published in your DomainKeys record in DNS. Details can be found at http://antispam.yahoo.com/domainkeys.
Step 4. Publish your authentication records. Work with whoever manages your DNS records to publish the email authentication records you’ve collected. The actual publishing is easy — finding the responsible party who controls your DNS is often the tricky part.
Step 5. Test your authentication records. SPF, SenderID, and DomainKeys all provide options to publish your records in “test” mode. This provides the opportunity for testing without risking delivery failures for mistakes in your record. Testing will ensure that the mail servers you’ve authorized are being verified by receivers and will determine if you’ve missed identifying any mail servers in your inventory.
Some testing options:
Once the records are published and tested, appoint a staff person to make sure they remain current.
Since your circumstances and sender inventories will vary, some complexities may emerge in your planning and implementation. The benefits of strengthening your company’s reputation for transparency and accountability, however, will be worth the effort.