Ignoring Email Authentication Will Cost You
In a nutshell, email authentication is a way to tell mail services that you are the real deal, that your emails are legitimate, and that your emails belong in the inbox.
How does email authentication work?
As simple as this: you add special records to your domain's DNS zone, and Email Service Providers (ESPs) can check them to verify that you are indeed who you say you are.
Moreover, when your identity can easily be verified, it is much harder for cybercriminals to "spoof" your domain and send emails that look like they came from you. Sending a fake email that appears to come from someone else, usually containing malicious links, is known as a phishing attack. Phishing emails are one of the most common and dangerous attacks worldwide.
On top of that, email authentication also
- cuts down on spam,
- improves your email deliverability,
- improves your domain reputation,
- and maintains your brand authenticity.
What are the mechanisms of email authentication?
There are 3 key components in email authentication that businesses can set up so that ESPs can verify their identity and legitimacy:
What is SPF?
SPF, or "Sender Policy Framework", is the first component of security. It works like this: (1) you publish an SPF record in your domain's DNS listing all the authorized sources your emails can be sent from; (2) email senders, for their part, send their emails from those listed sources; (3) the receiver matches the source the email actually came from against the SPF record retrieved from DNS to verify that it is authorized.
This mechanism prevents spammers from using your domain to send out fraudulent emails.
The above in detail:
The sender publishes the list of authorized sources (IPs or 3rd-party servers) in the domain's DNS.
Upon receiving an email, the receiver queries the sender's domain DNS to retrieve the list of authorized sources.
The receiver checks whether the IP address the email came from is in the published list of sources.
Depending on whether the check succeeds or fails, the relevant policy is applied.
SPF has 4 results which are applied through the following "qualifiers" on each mechanism:
- + pass
- - fail
- ~ softfail
- ? neutral
You can find more about SPF in its RFC.
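The receiver-side check described above, as an added example (not code from the original post or from EasyDMARC): it evaluates a constructed SPF record for a given connecting IP, handling ip4, ip6, include and all mechanisms with the four qualifiers. The DNS lookup is replaced by a constructed dictionary so it runs offline; the domains and addresses are documentation-reserved placeholders.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (real code would query DNS).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8::/32 -all",
}

# The four qualifiers and the SPF result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, lookup=FAKE_DNS.get, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain.

    Simplified: only ip4/ip6/include/all are implemented; a, mx, exists
    and other mechanisms yield 'permerror' here. The recursion cap stands
    in for RFC 7208's limit of 10 DNS-querying mechanisms.
    """
    if depth > 10:
        return "permerror"
    record = lookup(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # Version mismatch (v4 address vs v6 network) simply never matches.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record itself passes.
            inner = check_spf(value, sender_ip, lookup, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]  # catch-all; usually -all or ~all
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no 'all' term present
```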
DKIM, or "DomainKeys Identified Mail", is a digital signature embedded in the email's headers that the receiver's mail servers can check to determine whether the received email indeed originated from the right sender and has not been tampered with in transit. Note that this isn't something your recipient (a customer, partner, or employee) will see, and you can adjust the "send as" name that appears in the inbox. However, the recipient's ESP or mail server will be able to see that your domain is reputable.
The process shown in picture 3, in detail:
The sender generates DKIM keys (public and private) and publishes the public key in the domain's DNS.
The sender signs the email using the DKIM private key, which is tied to the domain owner itself.
The receiver looks up the DKIM public key in the sender's domain DNS.
The receiver tries to verify the digital signature using the public key retrieved from DNS. Successful verification means that the received email came from the genuine sender.
You can find more about DKIM in its RFC.
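Two pieces of the receiver's DKIM check, as an added example (not code from the original post or from EasyDMARC): parsing the DKIM-Signature header to find which DNS name holds the public key (selector._domainkey.domain), and recomputing the body hash (bh= tag) under simple body canonicalization to detect tampering. The RSA verification of the b= tag is not shown; the sample header and body are constructed, with bh= derived from the body so the header is self-consistent.

```python
import base64
import hashlib
import re

def parse_dkim_signature(header_value):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            tag, _, value = part.partition("=")   # base64 '=' padding stays in value
            tags[tag.strip()] = re.sub(r"\s+", "", value)  # unfold header whitespace
    return tags

def public_key_dns_name(tags):
    """DNS TXT name the receiver queries: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def simple_body_hash(body):
    """SHA-256 body hash under 'simple' body canonicalization (RFC 6376):
    drop trailing empty lines, then end the body with exactly one CRLF."""
    canonical = body.replace("\r\n", "\n").rstrip("\n").replace("\n", "\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(canonical.encode()).digest()).decode()

def body_hash_matches(header_value, body):
    """True when the bh= tag covers this body. A body altered in transit fails
    here before any public key is even fetched."""
    tags = parse_dkim_signature(header_value)
    return tags.get("bh") == simple_body_hash(body)

# Constructed sample message; b= is a placeholder since the RSA step is not shown.
SAMPLE_BODY = "Your invoice is attached.\r\nThanks,\r\nexample.com billing\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; bh=" + simple_body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER_BASE64_SIGNATURE"
)
```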
Why use DMARC?
The third component of email authentication is DMARC. DMARC is an acronym for "Domain-based Message Authentication, Reporting & Conformance". If either the sender or the recipient uses DMARC, it requires that the email sender use either SPF or DKIM to verify their identity. What's more, when it is configured properly, DMARC can pass or reject emails based on the result of that identity check. You can think of DMARC as running a background check on an email's sender before it is put through to your inbox.
There are some added benefits to using the DMARC protocol:
- It adds a level of security above and beyond either SPF or DKIM.
- DMARC works in conjunction with SPF and DKIM, but when used in monitoring mode it can work on its own. Note that if your goal is to run a strict DMARC security policy, then SPF and DKIM are mandatory.
- Your reputability may increase simply by enacting DMARC. This shows ESPs (and their customers) that you care about your reputation.
- More of your emails are delivered straight to the inbox.
DMARC works as simply as this:
The receiver requests the DMARC policy from the sender's domain DNS.
The receiver applies the DMARC policy based on the results of the SPF and DKIM checks.
You can find more about DMARC in its RFC.
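The second DMARC step above, as an added example (not code from the original post or from EasyDMARC): given the SPF and DKIM results the receiver already has, it fetches a constructed DMARC record for the visible From: domain and decides the action. It also shows the alignment rule that the page's "background check" relies on: an SPF or DKIM pass only counts when the authenticated domain aligns with the From: domain, so a spoofer whose own domain passes SPF still fails DMARC. The DNS answers and domains are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed TXT answers for _dmarc.<domain> (real code queries DNS).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.shop.example": "v=DMARC1; p=none; rua=mailto:reports@shop.example",
}

@dataclass
class AuthResults:
    """What the receiver knows after running the SPF and DKIM checks."""
    spf_result: str    # "pass", "fail", "softfail", ...
    spf_domain: str    # domain of the envelope sender (MAIL FROM)
    dkim_result: str   # "pass" or "fail"
    dkim_domain: str   # d= tag of the DKIM signature that was verified

def parse_dmarc(record):
    """'v=DMARC1; p=reject; ...' -> dict, or None if it is not a DMARC record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    """Organizational domain, simplified to the last two labels
    (real code consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, results, lookup=FAKE_DNS.get):
    """Return (dmarc_result, action) for a message whose From: is from_domain."""
    record = lookup(f"_dmarc.{from_domain}")
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return ("none", "none")  # no DMARC record published: nothing to enforce
    spf_ok = (results.spf_result == "pass"
              and aligned(results.spf_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = (results.dkim_result == "pass"
               and aligned(results.dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # at least one aligned pass: deliver normally
    return ("fail", policy.get("p", "none"))  # apply the published p= policy
```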
What happens if you don’t use email authentication?
In a perfect world, nothing happens. However, the reality is that cybercriminals are constantly probing for ways to drop infected links and emails into your inbox and your customers' inboxes. So if you don't put any email authentication practices into action, people can impersonate you and your business, leading to fraud and phishing attacks.
Two points we would like to stress:
- The FBI estimates the average loss from phishing attacks is around 1.6 million U.S. dollars for mid-size companies.
- The other worst-case scenario is that ISPs may block or even blacklist your domain, which can be time-consuming and costly to resolve.
So it is strongly recommended to have properly configured email authentication to protect your domain from cybercriminals and to protect your valuable brand from a drastic loss in reputation.
Can you “set email authentication and forget about it?”
Although email authentication is difficult to set up and requires intelligent forethought, the reality is that it’s not something that you can set and forget. Instead, you’ll want to stay on top of what kinds of emails are being sent, who is sending them, and what percentage are reaching client inboxes. You want to stay proactive and routinely monitor
Using a service like EasyDMARC can help you manage your email authentication, protect your data, and actively monitor for any improper or uncommon uses of your email. With Smart Alerts and Notifications about attacks and infrastructure changes you'll be able to rest easy. You'll feel secure knowing that your emails are landing in the right inboxes, and that if someone does manage to fraudulently spoof your emails, the problem will be handled before it does lasting damage to you, your employees, or your customers.
The Bottom Line: SPF, DKIM and DMARC are mandatory
Email authentication is not only recommended, it's required in today's business world. Skipping it is like having a website but not securing it from attackers. Further, it's something you need to keep an eye on continuously, because any change to your servers or senders, no matter how small, can ultimately wreak havoc on your email deliverability. When your emails don't land in your clients' inboxes, your business loses out big time in lots of ways:
- Clients expecting an email may lose trust,
- You lose potential sales if your marketing emails aren't landing,
- Top-of-mind awareness decreases when you aren't visible,
- It costs time and money to fix, and more so the longer the problem goes unnoticed,
- Above all, you can suffer big profit and reputation losses from phishing attacks.
You can find other tools and suggestions for email deliverability here.
The list of costs goes on and on. However, the solution is an easy one: put solid email authentication practices into play and then monitor them regularly. If time is a factor and you simply can't stay on top of the data, start working with a service like EasyDMARC to help you prevent phishing and fraud, and maintain your clients' trust and your reputation.
Are you wondering how you can start?