Does Email Authentication Matter?
The concept of email authentication isn’t exactly new. My boss Chip House blogged about it all the way back in 2004, and here we are again today, almost exactly six and a half years later, and we’re still talking about email authentication. People are still asking, does authentication matter? Do I, as a sender, need to authenticate my outbound email?
If you don’t already know, the answer is: Yeah, you should be authenticating your email. Here’s a (hopefully) simple explanation as to why: it helps get your emails delivered. That’s not really the POINT of email authentication—the point of email authentication is to help mitigate concerns over phishing and spoofing. You want to try to close as many gaps as possible, eliminate any opportunities for bad guys to send out fake mail purporting to be from you. Email authentication doesn’t do this perfectly, just like locking your car (and buying a car alarm) doesn’t ensure that it will never be stolen, but you still do it, because you know it helps to slow the bad guys down – perhaps driving them to go look for an easier target.
There are four commonly referenced types of email authentication.
SPF – Sender Policy Framework – a simple DNS record in which you specify which server IP addresses are allowed to send mail with your domain in the from header. It is checked by Gmail and AOL, and possibly by other ISPs. It doesn’t give you a huge boost to your deliverability – but it can occasionally be the difference between seeing the inbox versus the bulk folder.
Sender ID – another version of Sender Policy Framework (SPF) used by Microsoft Hotmail. If you’re new to email authentication you probably don’t need to think about this one too much, as it’s likely to be replaced in the very near future. Use SPF instead – Hotmail will fall back to look at an SPF record if a Sender ID record isn’t found. You need this Sender ID (or SPF) record in place if you have issues delivering mail to Hotmail. Why? Because Hotmail’s sender support folks will actually tell you that they cannot help you until a Sender ID record is in place. Thus, by extension, you need to authenticate when sending to Hotmail, else you can’t get their assistance when an issue arises.
DomainKeys – a Yahoo-designed email authentication mechanism that uses cryptography to “sign” messages, affirming that mail really was sent by the signing domain. DomainKeys is deprecated – it still works at Yahoo and you can still use it, but if you were going to implement it, implement DKIM instead (see below).
DKIM (pronounced dee-kim) is basically DomainKeys version 2.0. It stands for DomainKeys Identified Mail. If you’re a bank or other financial sender, you should be utilizing DKIM already – signing your mail, making it easier for ISPs to tell that your mail is the real deal, allowing them more easily to figure out which mail is the bad mail (and allowing them to get rid of that bad mail).
If you’re not a financial institution, should you care? Absolutely! If you’re a B2C sender, you need DKIM to be able to participate in Yahoo’s feedback loop (FBL). An FBL allows you to get complaints back from an ISP – you get notified every time somebody hits the “this is spam” button in response to one of your email messages. This is valuable data for troubleshooting, for identifying bad lists or bad campaigns, and for ensuring that you unsubscribe people who don’t want your mail. ISPs use this data as well, to decide which senders to block. Some of them very kindly offer to share this information back to the sender. To get that information from Yahoo, you must authenticate (“sign”) your mail with DKIM. Thus, to maximize your deliverability at Yahoo, you must authenticate your mail.
If you’re a B2B sender the benefits are a bit less clear – we know that some B2B spam filterers do look at domain reputation and authentication, but there hasn’t been any clear understanding that this is necessary or useful in the business-to-business realm. But, I suspect we’ll see a deeper penetration of authentication checking by B2B spam filters over the coming year or two. So, if you want to get ahead of the curve, start authenticating today.
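The SPF lookup and the Sender ID fallback described above, as an added example that is not part of the original post: a small offline evaluator that handles only the `ip4`, `ip6` and `all` mechanisms. The TXT records, the documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed TXT records for the placeholder domain example.com (not from the article).
SAMPLE_TXT = [
    "site-verification=constructed-placeholder",
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
]
# Same domain with a separate, constructed Sender ID record added.
SAMPLE_TXT_WITH_SENDER_ID = SAMPLE_TXT + ["spf2.0/pra ip4:203.0.113.5 ~all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, client_ip):
    """Walk the record left to right; the first matching mechanism decides."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = (term[1:] if term[0] in QUALIFIERS else term).lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect= etc. need live DNS; out of scope offline.
        return "unsupported"
    return "neutral"  # nothing matched and no "all" term


def check(txt_records, client_ip, sender_id=False):
    """Pick the policy record a receiver would use, then evaluate it."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    sid = [r for r in txt_records if r.lower().startswith("spf2.0/")]
    # A Sender ID check prefers an spf2.0 record and falls back to v=spf1.
    records = sid if (sender_id and sid) else spf
    if not records:
        return "none"       # domain publishes no policy
    if len(records) > 1:
        return "permerror"  # more than one record is a publishing error
    return evaluate(records[0], client_ip)


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, check(SAMPLE_TXT, ip), check(SAMPLE_TXT_WITH_SENDER_ID, ip, sender_id=True))
```

With the second record set, the same sending address passes the SPF check but only soft-fails the Sender ID check, which is the kind of mismatch to look for when the two records are maintained separately.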
About the author: Al Iverson
As the director of deliverability for email service provider ExactTarget, Al Iverson works with anti-spam blacklist groups, Internet service providers and industry groups to help both senders and receivers address spam, list management and email delivery issues. This includes oversight of the policy compliance and deliverability consultant team, handling escalation and key client deliverability and compliance issues, as well as custom development for new features and functionality related to compliance monitoring and reputation monitoring.
Al has had an active role relating to stopping spam for more than ten years. Prior to joining ExactTarget in 2006, Al worked for a large e-commerce service provider, managing coordination and oversight of spam and deliverability policy across the company’s many subsidiaries, as well as working with direct clients to ensure legal and best practice compliance, troubleshoot deliverability issues, and define and implement practices for email campaign execution. Prior to that, Al worked for anti-spam group MAPS (Mail Abuse Prevention System), creating one of the service’s popular spam filters.
Al continues to be an active member of the anti-spam community, with involvement in various anti-spam projects, discussion groups, and industry forums.