March 9, 2006
Implementing Email Authentication: A Primer
One of the most basic elements of our work at Return Path is ensuring that clients use best practices in their email delivery processes. A common recommendation we give is to implement email authentication. Email authentication has two primary benefits: it lets receivers detect forgery of your domain in email messages, and it allows senders to build a positive reputation with receivers based upon their mailing behavior. Yet many companies, particularly small ones, have never heard of email authentication -- and many of those who have heard of it have not yet started a project to implement it.
How does email authentication work? The most common schemes today -- SPF, SenderID, and DomainKeys -- use the Domain Name System (DNS) to publish “records” that are available to the entire Internet community. For SPF and Sender ID, the record lists the specific machines (by IP address or host name) that are authorized to send mail for a specific email domain. DomainKeys works differently: your mail servers sign each outgoing message, and the DNS record publishes the public key a receiver uses to verify that signature.
Before a message arrives in a user’s email inbox, the receiving email server can attempt to verify that the mail is coming from an authorized source by checking email authentication records. Suppose a spammer forges your domain in his spam message. Unless he has hacked your network (a different, and bigger, problem), he is transmitting messages from IP addresses different from yours. When he sends his forged message, a receiver that checks for email authentication records will query DNS for your domain’s record to determine your authorized mail-sending hosts. Since your record won’t include the spammer’s IPs, the receiver can now take greater precautions in handling the message: rejecting it outright, subjecting it to spam-filtering technologies, or directing it straight to a junk folder.
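The check described above, as an added example rather than code from the original post: a minimal SPF evaluator that looks up the claimed domain's record, walks its mechanisms left to right against the connecting IP, and returns the result named by the first mechanism that matches. The DNS table, domains and addresses are constructed (documentation ranges) so it runs offline; a real receiver resolves the TXT, A and MX records over the network. It leaves out the ptr and exists mechanisms and the redirect= and exp= modifiers.

```python
import ipaddress

# Constructed stand-in for DNS, so the example runs offline. A real receiver
# resolves these TXT/A/MX records over the network.
DNS = {
    "example.com": {
        "txt": ["v=spf1 mx a:mail.example.com ip4:192.0.2.0/28 "
                "include:esp.example.net ~all"],
        "mx": ["mx1.example.com"],
    },
    "mx1.example.com": {"a": ["198.51.100.10"]},
    "mail.example.com": {"a": ["198.51.100.20"]},
    # Constructed third-party sender (an ESP) with its own strict record.
    "esp.example.net": {"txt": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    # A domain with TXT data but no SPF record at all.
    "nospf.example.org": {"txt": ["some unrelated TXT"]},
    # A publishing mistake: including a domain that has no SPF record.
    "badinclude.example.com": {"txt": ["v=spf1 include:nospf.example.org -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # lookup-causing mechanisms allowed per evaluation


def spf_records(domain):
    """All v=spf1 TXT strings published at `domain` (should be exactly one)."""
    return [t for t in DNS.get(domain, {}).get("txt", [])
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def host_addrs(name):
    return [ipaddress.ip_address(a) for a in DNS.get(name, {}).get("a", [])]


def in_network(ip, target, cidr):
    """True if `ip` lies in target/cidr; no cidr means the single host.
    A v4 address never matches a v6 network or vice versa."""
    t = ipaddress.ip_address(target)
    plen = t.max_prefixlen if cidr is None else cidr
    return ip in ipaddress.ip_network(f"{t}/{plen}", strict=False)


def check_host(ip, domain, lookups=None):
    """Evaluate SPF for connecting IP `ip` claiming `domain`.

    Returns pass/fail/softfail/neutral/none/permerror, the result a
    receiver acts on when deciding to accept, filter or junk the message."""
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups  # budget shared across include:
    records = spf_records(domain)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # two SPF records is a publishing mistake
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        cidr = None
        if "/" in mech:            # e.g. "a/24" with no domain-spec
            mech, cidr = mech.split("/", 1)
        elif "/" in arg:           # e.g. "ip4:192.0.2.0/28"
            arg, cidr = arg.split("/", 1)
        mech = mech.lower()
        cidr = None if cidr is None else int(cidr)
        if mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_MECHANISMS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = in_network(ip, arg, cidr)
        elif mech == "a":
            matched = any(in_network(ip, a, cidr) for a in host_addrs(arg or domain))
        elif mech == "mx":
            matched = any(in_network(ip, a, cidr)
                          for mxname in DNS.get(arg or domain, {}).get("mx", [])
                          for a in host_addrs(mxname))
        elif mech == "include":
            sub = check_host(str(ip), arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # include: of a domain without a usable record
            matched = sub == "pass"
        else:
            return "permerror"  # ptr/exists and modifiers are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end of the record without a match


if __name__ == "__main__":
    for sender_ip in ("198.51.100.10", "203.0.113.5", "192.0.2.200"):
        print(sender_ip, "->", check_host(sender_ip, "example.com"))
```

Note the two different outcomes for an unlisted address: example.com ends in ~all, so the forged 192.0.2.200 only softfails, while the ESP's record ends in -all and fails outright. That terminal term is what the "test mode" in Step 5 below turns on and off.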
In brief, here’s how to implement email authentication:
Step 1. Find the authentication scheme best suited to your needs. You can find detailed information about the three dominant schemes on the following Web sites:
SPF: www.openspf.org/wizard.html
SenderID: www.microsoft.com/senderid
DomainKeys: http://antispam.yahoo.com/domainkeys
It is also a good idea to coordinate with your IT group early in this process. They are likely to be familiar with the specifications and can help in planning the process and publishing your records once you’ve built them.
Step 2. Take inventory of systems that send your mail.
Identify all machines that send mail on your behalf, which includes all internal and external systems -- from corporate mail servers to third parties authorized to send mail on behalf of your company. Once you identify these senders, you need to obtain the IP addresses and host names for each. Be sure to consider the following potential sources:
- Advertising/PR agencies
- Bulk mailings
- Corporate email
- Customer support and services
- Events marketing
- Forwarding services
- Human resources
- Investor relations
- Newsletters
- Order and shipping confirmations
Step 3. Create your authentication records. There are excellent online tools available for creating valid SPF and Sender ID records. The following wizards can assist you:
SPF: www.openspf.org/wizard.html
Sender ID: http://www.microsoft.com/senderid
DomainKeys differs slightly in that it requires you to create a public/private signing key pair (RSA). The private key stays on your mail servers, which use it to sign outgoing messages; the public key is published in your DomainKeys record in DNS so receivers can verify those signatures. Details can be found at http://antispam.yahoo.com/domainkeys.
Step 4. Publish your authentication records. Work with whoever manages your DNS records to publish the email authentication records you’ve collected. The actual publishing is easy -- finding the responsible party who controls your DNS is often the tricky part.
Step 5. Test your authentication records. SPF, SenderID, and DomainKeys all provide options to publish your records in “test” mode: for SPF and Sender ID, end the record with ~all (softfail) or ?all (neutral) rather than -all; for DomainKeys, set the t=y testing flag in the key record. This provides the opportunity for testing without risking delivery failures for mistakes in your record. Testing will confirm that the mail servers you’ve authorized pass receivers’ checks and will reveal any mail servers you missed in your inventory. Move to -all only once every legitimate source passes.
Some testing options:
- Return Path’s SPF-SenderID testing tool: senderid.returnpath.net
- Port25’s Email Relay: [email protected]
- Gmail: Send to a Gmail account, log in, view the message, and view the header. Look for the "Received-SPF:" line for the result of its SPF check on your email.
- DNSSTUFF: www.dnsstuff.com/pages/spf.htm
- OpenSPF: www.openspf.org/why.html
- Yahoo!: Send email to a Yahoo! account to check DomainKeys signatures. Yahoo! will also display to the recipient in the user interface when the signature is valid.
- DomainKeys at Sourceforge: http://domainkeys.sourceforge.net (step-by-step instructions, a few testing email addresses, etc.)
Once the records are published and tested, appoint a staff person to make sure they remain current: every time a sender is added, moved to a new IP address, or retired, the record must change with it, or legitimate mail will start failing the check.
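Steps 2 through 5 carried through in code, as an added example (not the post's own tooling or any of the wizards linked above): it turns a constructed sender inventory into an SPF record published in test mode, and audits the record for three things a wizard may not flag: the ten-lookup budget for a/mx/include/ptr/exists/redirect terms, the 255-byte limit on a single TXT string, and a record left in test mode. The hosts, networks and ESP domain are constructed.

```python
import re
import ipaddress

LOOKUP_TERMS = ("a", "mx", "include", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10      # RFC 4408 budget for lookup-causing terms
MAX_TXT_STRING = 255  # longest single string inside a DNS TXT record

# Constructed Step 2 inventory: each sender and how it is best expressed.
INVENTORY = [
    {"source": "Corporate email", "ip4": ["198.51.100.10", "198.51.100.11"]},
    {"source": "Order and shipping confirmations", "ip4": ["192.0.2.0/26", "192.0.2.64/26"]},
    {"source": "Customer support (help desk host)", "a": "helpdesk.example.com"},
    {"source": "Corporate MX, also relays outbound", "mx": True},
    {"source": "Bulk mailings (ESP publishes its own record)", "include": "spf.esp.example.net"},
]


def collapse_ip4(cidrs):
    """Merge adjacent or overlapping networks so the record stays short."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_spf(inventory, test_mode=True):
    """Step 3: turn the inventory into a record. Test mode ends in ~all
    (softfail) so a sender you missed is flagged rather than rejected."""
    ip4, mechanisms = [], []
    for entry in inventory:
        ip4.extend(entry.get("ip4", []))
        if entry.get("mx"):
            mechanisms.append("mx")
        if "a" in entry:
            mechanisms.append(f"a:{entry['a']}")
        if "include" in entry:
            mechanisms.append(f"include:{entry['include']}")
    # Literal networks first: they cost no DNS lookup and match most mail.
    terms = [f"ip4:{n}" for n in collapse_ip4(ip4)] + mechanisms
    return "v=spf1 " + " ".join(terms) + (" ~all" if test_mode else " -all")


def mechanism_name(term):
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def lookup_count(record):
    """Lookup-causing terms at the publishing domain. Each include: also
    spends lookups inside the included record, which is not counted here."""
    return sum(1 for t in record.split()[1:] if mechanism_name(t) in LOOKUP_TERMS)


def to_txt_strings(record):
    """Split a long record into <=255-byte strings. Receivers concatenate the
    strings with no separator, so each split point keeps its trailing space."""
    chunks, current = [], ""
    for term in record.split(" "):
        candidate = term if not current else f"{current} {term}"
        if current and len(candidate) > MAX_TXT_STRING:
            chunks.append(current + " ")
            current = term
        else:
            current = candidate
    chunks.append(current)
    return chunks


def audit(record):
    """Checks worth running before Step 4 publishes the record."""
    problems = []
    n = lookup_count(record)
    if n > MAX_LOOKUPS:
        problems.append(f"{n} lookup-causing terms; receivers stop at {MAX_LOOKUPS} (permerror)")
    if not record.split()[-1].endswith("all") and "redirect=" not in record:
        problems.append("record has no terminal all mechanism or redirect")
    if record.endswith("~all") or record.endswith("?all"):
        problems.append("still in test mode; switch to -all once testing is complete")
    return {"lookups": n, "txt_strings": to_txt_strings(record), "problems": problems}


if __name__ == "__main__":
    record = build_spf(INVENTORY)
    print(record)
    for line in audit(record)["problems"]:
        print("  -", line)
```

The two /32 corporate hosts and the two /26 blocks come out as one /31 and one /25, which keeps the published record readable and well inside the TXT string limit. The lookup count is the number to watch as third-party senders accumulate: each include: is one lookup here plus whatever the vendor's own record spends, so a handful of vendors can exhaust the budget and turn every check into a permerror.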
Since your circumstances and sender inventories will vary, some complexities may emerge in your planning and implementation. The benefits of strengthening your company’s reputation for transparency and accountability, however, will be worth the effort.
Posted by gcrgcr at 10:33 PM