Authentication

Overview

Consumer confidence is under assault on two fronts: being able to trust that messages are safe and come from whom they claim to; and being able to rely upon email to deliver the communications that consumers want, need and expect to receive. The ESPC authentication statement encourages providers of email accreditation and reputation services to make authentication a prerequisite for their solutions. It also urges receivers to test incoming mail for SPF and DKIM records, routinely publish adoption statistics and provide overt notice to their members when a sender's identity cannot be authenticated.

Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery by protecting the envelope sender address, which is used for the delivery of messages. SPFv1 allows the owner of a domain to specify their mail sending policy by defining the mail servers they use to send mail from their domain. The technology requires two sides to cooperate: (1) the domain owner publishes this information in an SPF record in the domain's DNS zone, and (2) when someone else's mail server receives a message claiming to come from that domain, the receiving server checks whether the message complies with the domain's stated policy.

More information can be found on: http://www.openspf.org/ and official RFC specifications can be found at http://tools.ietf.org/html/rfc7208

DomainKeys Identified Mail (DKIM) is an email validation system which permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author's organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer's domain directly via DNS to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.

More information can be found at http://www.dkim.org and the official RFC specification can be found at http://tools.ietf.org/html/rfc6376

Domain-Based Message Authentication, Reporting & Conformance (DMARC) is a technical specification which standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC.

A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes - such as junk or reject the message. DMARC removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

More information can be found at http://www.dmarc.org and the current Internet Draft Specification can be found at https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/
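As an added example (not part of the ESPC page or Port25's tool), the following Python applies a parsed DMARC record to one message's already-computed SPF and DKIM results and returns the disposition the receiver should apply. The two-label organizational-domain rule and the sample record are assumptions made for the example; the sp and pct tags are left out.

```python
# Added example, not ESPC or Port25 code: simplified DMARC evaluation.
# DNS lookups are replaced by an inline, constructed policy record.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment is the default
    return tags

def org_domain(domain: str) -> str:
    # Assumption for this example: the organizational domain is the last
    # two labels. Real implementations consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_disposition(record, from_domain, spf_pass_domain, dkim_pass_domains):
    """Return (result, action): result is 'pass' if at least one aligned
    SPF or DKIM identifier passed; on 'fail' the action is the p= policy."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass_domain) and aligned(
        from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"])
                  for d in dkim_pass_domains)
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    action = "none" if result == "pass" else tags["p"]
    return result, action

if __name__ == "__main__":
    # Constructed record: reject on failure, strict DKIM, relaxed SPF.
    REC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # SPF passed for a bounce subdomain; relaxed alignment lets it count.
    print(dmarc_disposition(REC, "example.com", "bounce.example.com", []))
    # Only DKIM passed, from a subdomain; strict alignment rejects it.
    print(dmarc_disposition(REC, "example.com", None, ["mail.example.com"]))
```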

Test your email to see if it is properly authenticating

The ESPC feels that email authentication is critical for establishing and maintaining email credibility and accountability. In fact, adoption of email authentication is mandatory for ESPC members.

To encourage adoption by ALL senders, the ESPC has partnered with ESPC member Port25 to provide this testing tool. The tool allows you to check the format of any DKIM, DomainKey, SenderID or SPF records published by your domain and to see the result of these authentication checks on any message you send.

To use the tool, simply send an email from the domain you want to test to check-auth@verifier.port25.com. You will receive a return email containing an analysis of the authentication status of the message you sent.