What is Email Authentication?
Email authentication gives mailbox providers (like Gmail or Outlook) confidence that the messages they see from senders are authentic and not messages sent by a bad actor. The more confidence a mailbox provider has that the messages you send are legitimate, the more likely that provider is to deliver the message to the inbox. The email authentication uses the following techniques to authenticate the email sender:
- Forward-Confirmed Reverse DNS
- Sender Policy Framework (SPF)
- Finding The Return-Path Address
- Domain Keys Identified Mail (DKIM)
(1) Forward-Confirmed Reverse DNS
FCrDNS requires that the Internet Protocol (IP) address of the sending software is associated with the same hostname (Mail Server Fully Qualified Domain Name) as the one registered in the DNS zone of the sending domain. The DNS Lookup query shows that the hostname “a-0010.a-msedge.net” is resolved to “220.127.116.11“.
The IP Address “18.104.22.168” when reverse DNS Lookup will be resolved to the Hostname “a-0010.a-msedge.net“.
A PTR record is well-known as the reverse version of an A record. While A record maps the domain name to an IP address, the PTR record maps the IP address to a hostname. So, the PTR record ensures that your IP address officially connects to your host.
Configuring the PTR record is essential if you’re using both internal or external mail servers. This record adds reliability to sending servers and allows the receiving end to check the hostname of your IP address. It is an excellent way of protection against all sorts of spammers.
That’s why some major email providers like Yahoo Mail and Gmail do a reverse DNS lookup before accepting incoming emails.
(2) Sender Policy Framework (SPF):
The Sender Policy Framework (SPF) is an email authentication technique that is used against email spoofing. Setting up an SPF record helps prevent malicious persons from using your domain to send unauthorized (malicious) emails, called email spoofing.
The SPF protocol is used as one of the standard methods to fight against spam and is also used in the DMARC specification.
What are SPF records?
An SPF record is a TXT record part of a domain’s DNS (Domain Name Service). An SPF record lists all authorized Hostnames / IP addresses permitted to send an email on behalf of your domain.
How To create an SPF record:
You can create an SPF record using many available tools such as:
The following is table demonstrate the meaning of each entry:
|mx||Allow servers listed as MX to send emails for this domain.|
|a:||Allow the current IP address of the domain to send an email for this domain.|
|ip4:_||The IP address of the email server.|
|a:_||Any server hostnames that may deliver or relay mail for this domain.|
|Include:_||Any domains that may deliver or relay mails for this domain.|
(3) Finding The Return-Path Address:
What is Bounce’s message?
- A bounce message or just “bounce” is an automated message from an email system informing the sender of a previous message that the message has not been delivered (or some other delivery problem occurred). The original message is said to have “bounced.”
- This feedback may be immediate (some of the causes described here) or, if the sending system can retry, may arrive days later after these retries end.
- More formal terms for bounce message include “Non-Delivery Report” or “Non-Delivery Receipt” (NDR), [Failed] “Delivery Status Notification” (DSN) message, or a “Non-Delivery Notification” (NDN).
What is the Return-Path Address?
The return-path is used to process bounces from your emails and is set in the email header. It defines how and where bounced emails will be processed. The return-path can also be referred to as a bounce address or a reverse path and is an SMTP address that is separate from your sending address.
The return-path domain can be the same as one used in the From address; this is common when sending an email directly and not through a third party such as an ESP. Check the following example the rertun-path address is “firstname.lastname@example.org”.
How to read email full headers in Gmail:
- Open the email you want to check the headers for.
- Next to Reply, click More Show original.
|Created on:||3 June 2021 at 22:54 (Delivered after 3 seconds)|
|From:||Mohamed <email@example.com> Using Microsoft Outlook 15.0|
|SPF:||PASS with IP 22.214.171.124 Learn more|
|DKIM:||‘PASS’ with domain gmail.com Learn more|
|DMARC:||‘PASS’ Learn more|
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [126.96.36.199])
by mx.google.com with SMTPS id dm8sor319068ejc.61.2021.06.03.13.54.13
(Google Transport Security);
Thu, 03 Jun 2021 13:54:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of firstname.lastname@example.org designates 188.8.131.52 as permitted sender) client-ip=184.108.40.206;
dkim=pass email@example.com header.s=20161025 header.b=aOhfwIGO;
spf=pass (google.com: domain of firstname.lastname@example.org designates 220.127.116.11 as permitted sender) email@example.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
(4) Domain Keys Identified Mail (DKIM):
DKIM allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by sticking a digital signature linked to a domain name to each outgoing email message. The recipient system can verify this by looking up the sender’s public key published in the DNS. Before using DKIM, the Mailing system must support DKIM.
How does DKIM work?
When an inbound mail server receives a message, it will detect the DKIM signature and look up the sender’s public DKIM key in DNS. The variable or DKIM selector provided in the DKIM signature is used to determine where to look for this key. If the key is found, it can be used to decrypt the DKIM signature. This is then compared to the values retrieved from the received mail. If they match, the DKIM is valid.
First, a pair of encryption keys (one public and one private) is created, either through your sending software or your ESP.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;