Email Authentication Guide: Frequently Asked Questions
TOGETHER STRONGER

EMAIL AUTHENTICATION

Marketers that use email for communication and transactional purposes should adopt and use identification and authentication protocols. This document explains what email authentication is and includes recommendations on what you, as an email marketer, should do to implement these guidelines within your organization.

* This Guide should not be considered legal advice. It is provided for informational purposes only. Please review your email program with your legal counsel to ensure that it meets the appropriate legal requirements.

THIS COMPLIANCE GUIDE COVERS:
Basics of Email Authentication Technologies
Basic FAQs on the DMA's Email Authentication Guidelines
Implementation: Complementary Types of Email Authentication Systems
Beyond Authentication: Email Reputation
Email Authentication Resources for Marketers

BASIC FAQs ON THE DMA'S EMAIL AUTHENTICATION GUIDELINES

1. What Do the DMA's Email Authentication Guidelines Require?
The DMA's guidelines require marketers to choose and implement authentication technologies in their email systems. It is up to your company to decide which authentication protocols to use; all of them are recommended given current industry trends. The DMA neither requires nor endorses any specific protocol, as there are several interoperable, inexpensive, and easy-to-implement solutions available today.

2. Why Does the DMA Require Members to Authenticate Their Email Systems?
The DMA requires its members to authenticate their email systems primarily because mailbox providers (also called ISPs, MSPs or receivers) increasingly require authentication. This aligns with the trend in the email deliverability industry toward domain-based reputation (as opposed to the IP-based reputation of a few years ago). Secondly, authentication improves the likelihood that legitimate, wanted email is delivered to the intended recipient's inbox. Additionally, email authentication reduces the likelihood of spam, spoofing and phishing attacks that abuse a marketer's domain, thus protecting the integrity of the brand. Authentication is one way to make email marketing more secure and to improve consumer confidence in email, preserving it as a valuable marketing communications channel.

3. Does the DMA's Email Authentication Guideline Require Marketers to Authenticate Inbound Emails, Outbound Emails, or Both?
The guideline applies only to outbound email that marketers send, either from their own IP addresses or via a third-party service bureau.

4. Is Email Authentication Required Just for Marketing Messages?
No. The DMA's Email Authentication Guideline applies to ALL outbound messages that marketers send, or that their third-party service bureaus send on their behalf.

5. Does the Guideline Apply to B-to-B Marketers?
Yes. The DMA believes that the same common best practices in email deliverability used for consumer promotions should be used for business-to-business campaigns.

6. Does the Guideline Apply to Nonprofits?
Yes. Non-profit organizations, as well as for-profit businesses, should authenticate the email messages they send.

BASICS OF EMAIL AUTHENTICATION TECHNOLOGIES

1. What is an Email Service Provider (ESP)?
A company that offers email services to send (bulk/marketing) email on behalf of a marketer.

2. What is an Internet Service Provider (ISP)?
A service provider that provides access to the Internet (and, in most cases, an email account). In this guide the term is also used loosely for any mailbox provider that receives and filters mail.

3. What Methods/Types of Email Authentication Are Out There?
There are three major email authentication methodologies:
Sender Policy Framework (SPF), an IP-based solution;
DomainKeys Identified Mail (DKIM), a cryptographic solution;
Domain-based Message Authentication, Reporting & Conformance (DMARC), which builds on the widely deployed SPF and DKIM protocols.
The goal of the first two is similar: publish a public record in DNS against which receivers can validate email messages, so that a sender's authorization to use the domain can be verified. Both SPF and DKIM work to verify that the sender is authorized to send mail for the domain in question.

4. What is the Difference Between IP-Based Authentication and Cryptographic Authentication?
A fundamental difference is that IP-based authentication (SPF) verifies that the connecting mail server is one the domain owner has authorized to send email, whereas cryptographic authentication (DKIM) also protects the integrity of the signed headers and the message content: if they are altered in transit, the signature no longer verifies. Because SPF is tied to the transmitting IP address, it breaks when a message is forwarded by an intermediate server; a DKIM signature survives forwarding as long as the signed parts of the message are not modified.

5. What is the Domain Name System (DNS)?
The Domain Name System (DNS) is the Internet's distributed directory service, mapping domain names to records such as IP addresses, mail exchangers and free-form text (TXT) records. DNS is where domain owners publish their SPF, DKIM and DMARC records, so controlling who can edit your DNS zone is part of protecting your email authentication.

6. What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) is a protocol that provides confidentiality and integrity for communications between applications on the Internet. When a server and client communicate over TLS, a third party cannot read or tamper with the messages in transit. TLS is the successor to the Secure Sockets Layer (SSL). TLS for email is not required by the SMTP standard but has been widely adopted following revelations of government snooping. Note that TLS protects the hop between two mail servers, not the message end to end, and that server-to-server SMTP TLS (STARTTLS) is usually opportunistic: if one side does not offer it, mail falls back to plaintext. TLS therefore complements, rather than replaces, SPF, DKIM and DMARC. Some ISPs (such as Google's Gmail) add a warning flag to email messages that were received without TLS encryption. For this reason it is recommended that all outbound email support TLS. An overview of TLS is available at https://www.google.com/transparencyreport/saferemail/tls/ with an FAQ at https://www.google.com/transparencyreport/saferemail/faq/.

IMPLEMENTATION OF COMPLEMENTARY TYPES OF EMAIL AUTHENTICATION SYSTEMS: SPF, DKIM AND DMARC

SENDER POLICY FRAMEWORK (SPF)

1. What is it?
SPF is an IP-based technology. The receiving server takes the domain from the non-visible envelope sender (the SMTP MAIL FROM, also called the Return-Path or bounce address), looks up the SPF record that domain owner has published in the Domain Name System (DNS), and checks whether the IP address that delivered the message is listed there. SPF is free to all users. An SPF record is a list of servers or IP addresses that the domain owner declares are authorized to send email claiming to come from that domain. When you publish an SPF record for your domain, you declare which IP addresses may send email on your behalf. SPF lets senders/marketers say, in effect: "I only send mail from these machines. If any other machine claims that I'm sending mail from there, it is not telling the truth."

Note that SPF checks the envelope sender, not the From header the recipient sees, so an SPF pass alone does not prove that the visible From address is genuine; that gap is what DMARC's alignment requirement closes.

2. How Do I Implement Sender Policy Framework (SPF)?
Run an audit and write down every IP address that sends email on your behalf. As an extra precaution, talk to your IT staff and any Email Service Providers you work with to ensure you don't miss any sources (corporate mail servers, marketing ESPs, CRM, ticketing and billing systems all commonly send mail).
Create your SPF record. http://www.openspf.org/ provides syntax details and tools to help with this. Keep the record within SPF's limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect), counted across all nested includes; exceeding the limit yields a permanent error rather than a pass.
Publish your SPF record as a TXT record in DNS.
Verify that your SPF record is published and working. An easy-to-use third-party tool can be found at http://tools.wordtothewise.com/authentication: (a) enter your domain name in the text box to check the published SPF record; (b) view the results. You should see "This seems to be a healthy SPF record", meaning the record is good to go.
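The evaluation a receiving server performs, written out as an added example (not code from the DMA guide or from openspf.org): a small SPF checker that takes the envelope sender's domain and the connecting IP, walks the domain's v=spf1 record, follows include: and redirect= while enforcing the 10-lookup limit, and returns pass, fail, softfail, neutral, none or permerror. The ZONE data, domains and addresses are constructed for the demonstration and stand in for real DNS lookups; ptr:, exists: and CIDR suffixes on a/mx are left out.

```python
import ipaddress

# Constructed, offline stand-in for DNS.  Domains and addresses are made up
# (RFC 5737/3849 documentation ranges); a real checker queries DNS instead.
ZONE = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all"]},
    "_spf.esp.example": {"TXT": ["v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all"]},
    "softfail.example": {"TXT": ["v=spf1 a mx ~all"], "A": ["203.0.113.5"],
                         "MX": ["mail.softfail.example"]},
    "mail.softfail.example": {"A": ["203.0.113.25"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},
    "nospf.example": {"TXT": ["some unrelated txt record"]},
}

MAX_DNS_LOOKUPS = 10            # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is usable; zero gives 'none', several a permerror."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, state=None):
    """Evaluate the SPF record of `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `state` carries the DNS lookup counter across include: and redirect= recursion.
    """
    state = state if state is not None else {"lookups": 0}
    record = spf_record(domain)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:
            continue                      # other modifiers (exp=) do not affect the result
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network and vice versa.
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"        # too many lookups: the record is unusable
            target = arg or domain
            if mech == "a":
                matched = str(client) in lookup(target, "A")
            elif mech == "mx":
                matched = any(str(client) in lookup(h, "A") for h in lookup(target, "MX"))
            else:
                # include: only a "pass" of the included record matches; its
                # fail/softfail/neutral do not propagate, and none/permerror
                # make the including record itself invalid.
                sub = check_host(ip, target, state)
                if sub in ("none", "permerror"):
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"            # ptr:/exists: and unknown mechanisms not handled here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        state["lookups"] += 1
        if state["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, state)
    return "neutral"                      # record exhausted without a match


def spf_check(client_ip, mail_from):
    """Receiver-side entry point: SPF is evaluated on the envelope sender's domain."""
    domain = mail_from.rsplit("@", 1)[-1]
    return domain, check_host(client_ip, domain)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "bounce@example.com"),
                       ("198.51.100.200", "bounce@example.com"),
                       ("203.0.113.99", "news@softfail.example"),
                       ("192.0.2.10", "x@loop.example")]:
        print(ip, sender, "->", spf_check(ip, sender))
```

Two behaviours worth noticing: the ESP's "~all" inside the include does not soften example.com's own "-all" (198.51.100.200 fails outright), and the self-referencing loop.example record is rejected with permerror once the lookup budget is spent, which is also what happens to real records that accumulate too many include: terms over the years.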

DOMAINKEYS IDENTIFIED MAIL (DKIM)

1. What is it?
DomainKeys Identified Mail is a cryptographic, signature-based form of email authentication. DKIM is available to all users free of charge. The DKIM specification is available at http://www.dkim.org.

DKIM requires email senders to generate public/private key pairs and publish the public keys in their Domain Name System (DNS) records, as a TXT record at <selector>._domainkey.<domain>. The matching private keys are stored on the sender's outbound email servers (or at the ESP that signs on the sender's behalf). When those servers send email, they compute a hash of the message body and of a chosen set of headers (always including From), sign that hash with the private key, and add the result to the message as a DKIM-Signature header. That header names the signing domain (d=), the selector (s=) identifying which key was used, the signed header fields (h=) and the body hash (bh=).

The DKIM verification process involves checking the integrity of the message using the signature header and verifying that the key used to sign the message is the one published for that domain and selector. This step involves a DNS lookup of the signing domain; the key is bound to the signing domain in the d= tag, not to an individual email address. Using a US Postal Service analogy, DKIM is like verifying a unique signature that is valid regardless of the envelope or letterhead it was written on: the signature survives forwarding, which SPF does not.

ISPs that authenticate using DKIM look up the public key in DNS and verify that the signature was generated by the matching private key. This proves that a server holding the domain's private key signed the message, and that the signed headers and the body were not altered in transit. Two caveats: headers not listed in h= are not protected, and a valid signature from domain X only proves that X signed the message; it says nothing about whether X is the domain in the visible From header. Making that connection is DMARC's job. Key hygiene matters as well: use RSA keys of at least 1024 bits (2048 recommended), keep the private key off shared or public-facing systems, and use selectors so that keys can be rotated without downtime.
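The signing and verification steps described above, as an added example rather than code from the guide or from any DKIM implementation. It implements relaxed/relaxed canonicalization, the body hash (bh=), the header hash over the h= fields plus the DKIM-Signature header itself, and the key lookup at <selector>._domainkey.<domain>. The RSA part is a toy: textbook RSA on two publicly known Mersenne primes with no padding, so that it runs on the standard library alone. The sample message, the selector s1, the "n:e" encoding inside the p= tag and the dns dictionary are all constructed for the demonstration.

```python
import base64
import hashlib
import re

# Toy textbook RSA (no padding) on two publicly known Mersenne primes, an
# assumption of this example only so that it runs without a crypto library.
# It is NOT secure: real DKIM signers use RSA-SHA256 with PKCS#1 v1.5 padding
# and a private 2048-bit key.
def toy_rsa_keypair():
    p, q, e = (1 << 127) - 1, (1 << 521) - 1, 65537        # M127 and M521
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # public, private

def canon_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfold, collapse WSP."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def canon_body(body):
    """RFC 6376 'relaxed' body canonicalization: trim line-end WSP, drop trailing blank lines."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    return base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()

def _header_hash(headers, fields, sig_value):
    # Signed headers (last instance of each, per RFC 6376) followed by the
    # DKIM-Signature header itself with an empty b= tag and no trailing CRLF.
    data = ""
    for field in fields:
        vals = [v for k, v in headers if k.lower() == field.lower()]
        if vals:
            data += canon_header(field, vals[-1])
    data += canon_header("DKIM-Signature", sig_value).rstrip("\r\n")
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def dkim_sign(headers, body, domain, selector, priv, fields=("from", "to", "subject", "date")):
    """Return the DKIM-Signature header value the signing MTA adds to the message."""
    unsigned = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                f"h={':'.join(fields)}; bh={body_hash(body)}; b=")
    n, d = priv
    sig = pow(_header_hash(headers, fields, unsigned), d, n)
    return unsigned + base64.b64encode(sig.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def publish_key(pub):
    """Toy TXT value for <selector>._domainkey.<domain>; a real p= carries a DER public key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(f"{pub[0]}:{pub[1]}".encode()).decode()

def _tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())

def dkim_verify(headers, body, dns):
    """Receiver side.  `dns` is a constructed dict standing in for DNS TXT lookups."""
    sig_header = next((v for k, v in headers if k.lower() == "dkim-signature"), None)
    if sig_header is None:
        return "none"
    tags = _tags(sig_header)
    key_rec = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if key_rec is None:
        return "permerror (no key)"
    n, e = (int(x) for x in base64.b64decode(_tags(key_rec)["p"]).decode().split(":"))
    if body_hash(body) != tags["bh"]:
        return "fail (body hash mismatch)"
    unsigned = "; ".join("b=" if t.strip().startswith("b=") else t.strip()
                         for t in sig_header.split(";"))
    expected = _header_hash(headers, tags["h"].split(":"), unsigned)
    sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    return "pass" if pow(sig, e, n) == expected else "fail (bad signature)"

# Constructed sample message (made-up addresses under RFC 2606 example domains).
HEADERS = [("From", "Example Offers <offers@example.com>"), ("To", "customer@mailbox.example"),
           ("Subject", "Your  April   statement"), ("Date", "Mon, 1 Apr 2019 10:00:00 +0000")]
BODY = "Hello,\r\n\r\nYour statement is ready.   \r\n\r\n"

def demo():
    pub, priv = toy_rsa_keypair()
    dns = {"s1._domainkey.example.com": publish_key(pub)}
    signed = HEADERS + [("DKIM-Signature", dkim_sign(HEADERS, BODY, "example.com", "s1", priv))]
    tampered_subject = [("Subject", "URGENT: verify your account") if k == "Subject" else (k, v)
                        for k, v in signed]
    return {
        "intact": dkim_verify(signed, BODY, dns),
        "body edited": dkim_verify(signed, BODY.replace("ready", "overdue"), dns),
        "signed header edited": dkim_verify(tampered_subject, BODY, dns),
        "unsigned header added": dkim_verify([("X-Campaign", "spring")] + signed, BODY, dns),
        "whitespace only changed": dkim_verify(signed, BODY.rstrip() + "\r\n", dns),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The five cases in demo() are the ones that matter operationally: an edit to the body or to a signed header breaks the signature, an added header that is not in h= does not, and the trailing-whitespace change that mailing-list and forwarding software typically makes is absorbed by relaxed canonicalization, which is why relaxed/relaxed is the usual choice for bulk mail.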

DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE (DMARC)

1. What is it?
DMARC is an email authentication protocol that builds on SPF and DKIM. SPF and DKIM provide valuable authentication capabilities but have three shortcomings. First, they authenticate different identifiers, neither of which is the address the recipient sees: SPF checks the envelope From (the SMTP MAIL FROM), and DKIM checks the signing domain (the d= tag of the DKIM-Signature header). A message can pass both while carrying a forged visible From header. Second, they provide no feedback mechanism for domain owners to learn when their email fails authentication or when their domain is being spoofed. Third, they give receivers no guidance on what to do with messages that fail.

DMARC addresses all three. It uses domain alignment: the domain authenticated by SPF or by DKIM must match the domain in the visible From header (exactly in strict mode, or at the organizational-domain level in relaxed mode), and a message passes DMARC only if at least one of the two is both authenticated and aligned. It provides a reporting function (aggregate and failure reports sent to the addresses in the rua= and ruf= tags) that lets senders and receivers monitor and improve their protection against fraudulent email. Finally, it provides a policy mechanism (p=none, quarantine or reject, with an optional separate sp= policy for subdomains) whereby the domain owner tells receivers what to do with mail that fails DMARC. The record is published as a TXT record at _dmarc.<domain>. Most organizations start at p=none to collect reports, fix the legitimate sources that fail alignment (third-party ESPs sending with their own envelope and signing domains are the usual culprits), and only then move to quarantine and reject.

DMARC Overview: A brief, non-technical overview is available at https://dmarc.org/wiki/faq#how_does_dmarc_work.2c_briefly-.2c_and_in_non-technical_terms.3f. A more detailed explanation and overview can be found at https://dmarc.org/overview. Many domains, including major ISPs, check DMARC and use it as part of their spam filtering decisions, and many more are implementing the reporting function.

2. How Does Email Authentication Reduce and Protect Against Spam?
Spam causes problems for both consumers and marketers. The spam problem is not going away, and spammers quickly adapt to the filters set up by Internet and mailbox providers, blurring in consumers' minds which commercial email is legitimate and which is spam. Authenticated email helps ISPs and mailbox providers identify legitimate email. Spammers are then distinguished from senders of legitimate email, enabling wanted mail to be delivered to consumers with higher certainty and at lower cost.

3. How Does Email Authentication Reduce and Protect Against Spoofing and Phishing?
Spoofing is the forging of another person's or company's email address. Phishing is sending an email that attempts to trick recipients into giving out personal information, such as credit card numbers or account passwords; the email pretends to be from a legitimate source, such as a user's bank, credit card company, or online merchant. Most phishing attacks use email in which the sender's address in the From line has been forged or spoofed. Authentication, and in particular a DMARC policy of quarantine or reject on your domains, makes it easier for ISPs to identify such fraudulent email and prevent it reaching its intended victims. Authentication does not stop phishing from look-alike domains (a different domain that merely resembles yours), nor does it help recipients whose mailbox provider does not check DMARC, so it complements rather than replaces user education and brand monitoring.
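The alignment and policy logic from the DMARC section above, as an added example that is not from the guide or from dmarc.org: given the visible From domain, the SPF result for the envelope domain and the DKIM results, it discovers the applicable record (exact domain first, then the organizational domain with its sp= policy), tests strict or relaxed alignment per aspf=/adkim=, and returns the DMARC result together with the disposition the domain owner requested. The DMARC_TXT records and domains are constructed, and the organizational-domain rule (last two labels) is a simplification standing in for the Public Suffix List.

```python
# Constructed DMARC records for made-up domains, standing in for TXT lookups
# at _dmarc.<domain>.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-rua@example.com",
    "_dmarc.relaxed.example": "v=DMARC1; p=quarantine",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
}


def parse_tags(record):
    return {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}


def organizational_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # Real implementations consult the Public Suffix List (example.co.uk etc.).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def find_policy(from_domain):
    """RFC 7489 discovery: the exact domain first, then the organizational
    domain, whose sp= (if present) governs its subdomains."""
    org = organizational_domain(from_domain)
    if f"_dmarc.{from_domain}" in DMARC_TXT:
        tags, subdomain = parse_tags(DMARC_TXT[f"_dmarc.{from_domain}"]), False
    elif org != from_domain and f"_dmarc.{org}" in DMARC_TXT:
        tags, subdomain = parse_tags(DMARC_TXT[f"_dmarc.{org}"]), True
    else:
        return None
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None                      # malformed record: treated as absent
    tags["effective_p"] = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return tags


def dmarc_evaluate(from_header, spf_result, spf_domain, dkim_results):
    """Receiver-side DMARC evaluation.

    from_header:   the visible RFC 5322 From address
    spf_result:    SPF result for the envelope MAIL FROM domain `spf_domain`
    dkim_results:  list of (d= domain, result) pairs, one per DKIM-Signature
    """
    from_domain = from_header.rsplit("@", 1)[-1].strip("> ").lower()
    tags = find_policy(from_domain)
    if tags is None:
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    # Only an SPF/DKIM *pass* counts; softfail, neutral and fail all count as fail.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, r in dkim_results)
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM")}
    return {"result": "fail", "disposition": tags["effective_p"],
            "reason": "no aligned, passing identifier", "pct": int(tags.get("pct", "100"))}


if __name__ == "__main__":
    cases = [
        ("offers@example.com", "pass", "bounce.example.com", []),                      # own mail
        ("offers@example.com", "pass", "bounce.esp.example", [("esp.example", "pass")]),  # ESP, unaligned
        ("alerts@sub.example.com", "softfail", "sub.example.com", [("example.com", "pass")]),
        ("ceo@example.com", "softfail", "example.com", []),                            # spoof attempt
    ]
    for case in cases:
        print(case[0], "->", dmarc_evaluate(*case))
```

The second case is the one most marketers hit in practice: the ESP's SPF and DKIM both pass, but for the ESP's domain, so with adkim=s the message still fails DMARC and is rejected. The fix is on the sender's side (a DKIM key for your own domain at the ESP, or a bounce domain under your organizational domain), which is exactly what the p=none reporting phase is meant to surface before the policy is tightened.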

BEYOND AUTHENTICATION: EMAIL REPUTATION

Authentication and reputation are fundamentally linked. Authentication alone is not sufficient for Internet Service Providers (ISPs) to make deliver/non-deliver decisions. Authentication verifies that a sender is authorized to use a domain, but it tells mailbox providers nothing about whether that authorized sender is legitimate or a spammer: a spammer can authenticate mail from a domain it controls perfectly well. This is where reputation and whitelisting come into play.

1. What is a Company's Email Reputation?
Email Reputation is a way for ISPs to combine the sender's authenticated identity with additional information about the sender's practices. Reputation is based on numerous factors: complaint rates, identity stability, unknown-user volume, security practices, unsubscribe policies, and more. Most of these factors can be measured, quantified and weighted by Internet Service Providers (ISPs) and Email Service Providers (ESPs).

2. What Metrics Should I Monitor to Ensure That My Email Reputation is Good?
There are a few simple steps marketers can take to keep their Email Reputation in good standing with ISPs.

Good List Hygiene: Sending email to many addresses that don't exist isn't only a trait of spammers; it is a trait of any entity considered to have poor marketing practices. ISPs acknowledge that there is a lot of churn as consumers change email addresses, and because of that they allow for some margin of error. However, it is generally accepted that marketers should aim to keep invalid addresses below 3-5% of each mailing. Reducing these errors isn't just good for deliverability, but for Return on Investment (ROI) as well.

Sound Email Sending Infrastructure: A common trait of spamming is to direct email bounces and replies to spoofed, non-functional or non-existent return addresses. Therefore, to differentiate themselves, legitimate senders are expected to be capable of receiving the volume of bounces that typically accompanies any high-volume email campaign. Most ISPs require that email senders are capable of receiving at least 90% of the messages bounced back to them after an attempt to email an invalid or unknown address. When a sender does not accept bounce-back error replies it is considered suspicious behavior and the sender may be identified as a spammer. If an ISP becomes suspicious of a sender it may ask high-volume senders to reduce the number of simultaneous connections to its network, or it may throttle mail volume (spreading the messages out over a longer period of time).

High Relevance/Low Complaint Rate: Good list hygiene and sound delivery infrastructure are the foundation of a good reputation, but keeping complaint rates low is where a company can significantly improve or damage its reputation. The key to a low complaint rate is making sure that your email is relevant and delivers value to the recipient. In general, ISPs believe there should be little to no reason for a consumer to complain about legitimate email. Marketers should aim to keep their complaint rate below 0.1 percent. The complaint rate is calculated by dividing the total number of complaints by the total number of delivered emails in a specific mailing. Just two or three complaints per thousand emails delivered (0.2-0.3 percent) could result in short-term blocking by ISPs that employ reputation systems, and severe long-term blocking if the sender does not bring the complaint rate under control.

3. What is a Whitelist?
A whitelist is a list or process that some ISPs (and other mailbox providers and receivers) use to allow certain email marketers/senders to send email into their networks without being subjected to certain stricter levels of filtering (anti-spam, policy, volume filters, etc.). In recent years most ISPs have moved away from whitelisting in favor of more sophisticated filtering.

4. What Are Feedback Loops?
A complaint feedback loop (FBL) is a technical system through which ISPs share spam complaints with senders so that senders can monitor list health and remove complainants from their lists. An FBL is essential for marketers to identify and resolve high-complaint email campaigns and messaging streams emanating from their IP addresses and networks.

Best Practices for Implementing Email Authentication Protocols:
Assign an individual or group at your company to be responsible for working with other relevant departments and vendors to implement email authentication.
Authenticate using more than one technology. SPF, DKIM and DMARC are interoperable, free technologies that have different success rates with different ISPs, and each covers a gap in the others. For best results, deploy SPF and DKIM together and publish a DMARC policy on top of them.
Know your customers and where you are mailing to.
Follow developments in the industry, including technical white papers and industry- or government-sponsored workshops.
Research the major protocols to determine the best solution(s) for your company.
Develop a policy for assigning domain and sub-domain names (for example, separate sub-domains for marketing, transactional and corporate mail, so that the reputation and DMARC policy of each can be managed independently).

Develop a way to measure the impact of email authentication in terms of higher deliverability to those you wish to reach (DMARC aggregate reports are a ready source of data).
Research ways to authenticate incoming email to your company.

5. What is the Difference Between Pass, Fail and Soft Fail of an Email Message?
If a message passes an ISP's authentication check, it meets that ISP's definition of a legitimate message and is likely to be delivered to the recipient's inbox. If a message fails an authentication check, it did not meet that definition and will likely not be delivered to the inbox: it will either be directed to the recipient's spam/junk folder or be blocked, depending on the ISP and on the DMARC policy the sending domain published. A soft fail is an SPF-specific result: it occurs when the sending IP is not listed in the domain's SPF record and the record ends with the "~all" qualifier, by which the domain owner says that such mail is probably not authorized but should not be rejected outright. Receivers usually treat a soft fail as a weak negative signal rather than a hard rejection; note that for DMARC purposes only an SPF "pass" counts, so a soft fail offers no DMARC protection on its own.

EMAIL AUTHENTICATION RESOURCES FOR EMAIL MARKETERS
There are many Email Authentication resources available, including:
Sender Policy Framework (SPF) information page: http://www.openspf.org
DomainKeys Identified Mail (DKIM) information page: http://www.dkim.org
Domain-based Message Authentication, Reporting & Conformance (DMARC): https://www.dmarc.org
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG): http://www.m3aawg.org
The Federal Trade Commission has held workshops on this issue, for example: https://www.ftc.gov/news-events/events-calendar/2004/11/mail-authentication-summit

eec@thedma.org
Mailing Address: 1333 Broadway, Suite 301, New York, NY 10018
emailexperience.org