Authentication and encryption for email

An overview of key authentication and encryption to set up for email

Here are the critical factors associated with email authentication and encryption:

• Sender Policy Framework (SPF) – allows a sender to specify to a receiver where mail should be coming from. You can use Single IPs, IP ranges, or hostnames.
• DomainKeys Identified Mail (DKIM) – uses a cryptographic signature to verify that the sender has permission to use the domain in the “from” field and that the content hasn’t been tampered with.
• Domain-based Message Authentication, Reporting, and Conformance (DMARC) – tells the recipient what to do with unauthenticated mail.
• Transport Layer Security (TLS) – encrypts the transmission phase of sending email.

SPF and DKIM authentication protocols should be considered a must – and are required in any modern email marketing infrastructure. The lack of SPF and DKIM authentication will damage reputation and affect deliverability and inbox placement. DMARC uses SPF and DKIM protocols and is rapidly increasing in importance, particularly within the financial industry.

SPF

• SPF allows the authoritative owner of a given domain to specify to a receiver which networks or ISPs are authorized to send mail using that domain as a ‘from’ address.
• Single IPs, IP ranges, or hostnames can be used.
• An SPF TXT record should be as narrow as possible for the greatest security.
• This TXT record lives in the DNS zone file for the sending domain.

DKIM

• DKIM uses a cryptographic signature of a designated portion of the email header and the email body.
• It validates the authority of the sending domain.
• It validates that designated headers and content have not been modified in transit.
• It makes use of a public/private key pair.
• It has become a crucial part of deliverability, and you should never send email without it. Failure to include a valid DKIM signature will negatively affect deliverability and inbox placement at many ISPs.

DMARC

• DMARC is an authentication policy published through a short entry in DNS. It enables senders to specify to receivers how to respond when email fails SPF or DKIM checks.
• It allows senders to request aggregated and anonymized reports from recipients regarding unauthenticated email that claims to be from their domains.
• It creates a way for ISPs to supply this data in a standardized format. In turn, this allows domain owners to monitor possible spoofing of their domains, which is especially useful for commonly abused businesses such as banks, online payment systems, various social media, etc.
• It does not allow senders to bypass spam filters.

Some ISPs consider whether or not DMARC “passes” in their filtering decisions. For DMARC to pass, there must be alignment.

• In DMARC alignment: a message must pass ‘SPF authentication’ and ‘SPF alignment’ and/or ‘DKIM authentication’ and ‘DKIM alignment.’
• DKIM alignment: ‘d=’ must match FRIENDLY FROM
• SPF alignment: RETURN-PATH must match the FRIENDLY FROM domain

TLS

• TLS is an encryption method used to encrypt the communication channel between two computers. It is the successor to Secure Sockets Layer (SSL), and the two terms are often used interchangeably. SSL/TLS are widely used to encrypt connections over the internet. For example, whenever a lock appears in the browser bar, the browser encrypts communication between you and the website you are connected to.
• TLS can be used to encrypt email during the transmission stages. Some recipients require it and refuse mail that is not TLS encrypted, but that is not very common (yet). Many MTAs have the option to request TLS if it is available and will failover to an unencrypted connection if it is not.

With all the above correctly configured, you will have built the foundations for increasing your email reputation and having good inbox placement.

Having taken a closer look at the world of email authentication and encryption, we’ll move onto what kind of opt-in method to choose when building your mailing lists.

Further resources:

Additional reading

The official websites for:

• SPF – the Sender Policy Framework is defined in RFC 7208
• DKIM – DomainKeys Identified Mail’s official website
• DMARC -Domain-based Message Authentication, Reporting & Conformance’s official website
• Wiki pagefor TLS

Useful tools: 

• Kitterman’s SPF checkertool
• DKIM Core Key checker
• DMARCvalidation tool