Authentication is one way of making the electronic marketplace more secure and improving consumer confidence in email, preserving it as a valuable marketing communications tool.
Authentication improves the likelihood that legitimate email reaches the intended recipient. It also makes it harder for spammers to send mail under a domain they do not control, which reduces the reach of spoofing and phishing attacks and so protects the integrity of marketers’ brands.
Authentication may become more than just a “best practice,” however; it may become a necessary process in order to clear ISP gatekeepers and ensure the delivery of your email.
Email authentication verifies that a message really comes from the domain it claims to come from. Encryption addresses a different problem: it protects the contents of a message from being read by third parties. Transport encryption (TLS) protects the message while it moves between mail servers; only end-to-end encryption such as S/MIME or OpenPGP ensures that nobody but the intended recipient(s) can read it.
Transport Layer Security (TLS) lets a sending server encrypt the SMTP session to the receiving server, normally through the STARTTLS extension, so that nobody observing that network path can ‘snoop’ on the content. Many ISPs and mailbox providers now enable TLS for all outbound mail. Note that this protection is hop by hop, not end to end: each server on the delivery path decrypts the message, holds it in the clear, and negotiates a fresh TLS session with the next server, so a single hop that does not support TLS leaves the message exposed on that leg.
TLS isn’t technically new; it’s the successor to what used to be called SSL (Secure Sockets Layer). Google’s Transparency Report publishes the share of Gmail’s inbound and outbound mail that is encrypted with TLS in transit, and it shows rapid uptake. More and more ISPs, mailbox providers, and other large senders are enabling TLS to secure email as a channel moving forward.
Although TLS isn’t technically required to send or receive email, and ISPs are not using it as a data point to help establish the mail’s legitimacy, we recommend setting up and enabling TLS on all outbound email to protect the integrity of the channel as a whole. One caveat: STARTTLS is opportunistic, so an attacker who can tamper with the connection can strip the STARTTLS offer and force a cleartext session; receiving domains that want to prevent that downgrade publish an MTA-STS policy or DANE TLSA records, and sending servers should honour them.
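The hop-by-hop nature of TLS can be checked on a delivered message by reading its Received headers, which each receiving server adds. The following is an added Python example, not code from the original page: it relies on the RFC 3848 “with” keywords (ESMTPS / ESMTPSA mean the hop negotiated STARTTLS, ESMTP / ESMTPA mean cleartext) and on the informal TLS-version annotations that Postfix and Gmail append. The header block, host names and IP addresses are constructed for the example.

```python
import re

# RFC 3848 registers the "with" protocol keywords ESMTPS and ESMTPSA for hops that
# negotiated STARTTLS (the A suffix means SMTP AUTH was also used); ESMTP / ESMTPA
# mean cleartext. UTF8SMTPS (RFC 6531) and the informal SMTPS are treated alike.
_WITH_TOKENS = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
_TLS_PROTO = re.compile(r"^(?:UTF8)?E?SMTPSA?$", re.IGNORECASE)
# Matches Postfix-style "TLSv1.3" and Gmail-style "version=TLS1_2" annotations.
_TLS_VERSION = re.compile(r"\b(TLSv?[0-9][0-9._]*)")

# Constructed header block (not a real message): the relay -> abc.example hop is
# cleartext, the two later hops used TLS.
SAMPLE_HEADERS = (
    "Received: from mx.mailbox.example ([198.51.100.5]) by store.mailbox.example\n"
    "\twith ESMTPS id 77 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n"
    "\tTue, 1 Jan 2030 10:00:02 +0000\n"
    "Received: from mail.abc.example (mail.abc.example [192.0.2.10])\n"
    "\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n"
    "\tby mx.mailbox.example (Postfix) with ESMTPS id DEADBEEF\n"
    "\tfor <user@mailbox.example>; Tue, 1 Jan 2030 10:00:01 +0000\n"
    "Received: from relay.marketing.example ([203.0.113.9])\n"
    "\tby mail.abc.example with ESMTP id 12345;\n"
    "\tTue, 1 Jan 2030 09:59:59 +0000\n"
    "From: billing@abc.example\n"
)


def received_headers(raw_headers):
    """Unfold header lines and return Received values as they appear (newest first)."""
    unfolded = []
    for line in raw_headers.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    return [h.partition(":")[2].strip() for h in unfolded if h.lower().startswith("received:")]


def hop_tls_status(received):
    """Classify one hop from its 'with' protocol keyword and any TLS version note."""
    # Postfix writes "with cipher ..." inside the TLS note, so keep only SMTP-like tokens.
    protocols = [p for p in _WITH_TOKENS.findall(received) if "SMTP" in p.upper()]
    protocol = protocols[0] if protocols else None
    version = _TLS_VERSION.search(received)
    return {
        "protocol": protocol,
        "tls": bool(protocol and _TLS_PROTO.match(protocol)),
        "version": version.group(1) if version else None,
    }


def audit_hops(raw_headers):
    """Return one status per hop in delivery order (oldest first).

    Only Received lines added by servers you control are trustworthy; anything
    earlier in the chain could have been forged by the sender.
    """
    return [hop_tls_status(r) for r in reversed(received_headers(raw_headers))]


def all_hops_encrypted(raw_headers):
    """True only if every recorded hop negotiated TLS."""
    hops = audit_hops(raw_headers)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for i, hop in enumerate(audit_hops(SAMPLE_HEADERS), 1):
        print(f"hop {i}: {hop}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_HEADERS))
```

On the constructed sample the first hop (the marketing relay into abc.example) is cleartext while both later hops used TLS, which is exactly the situation the hop-by-hop caveat describes: the mailbox provider’s own connection was encrypted, but the message still crossed one link in the clear.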
Spam causes problems for both consumers and marketers. The spam problem is not going away as spammers quickly adapt, confusing consumers about what is legitimate and what is spam. Authenticated email will help ISPs and mailbox providers better identify legitimate email. This will allow ISPs to deliver wanted mail to consumers with higher certainty and at a lower cost.
Here is how SPF (Sender Policy Framework) handles a forgery. Suppose a spammer forges an ABC.com address and tries to spam you. The spammer connects from somewhere other than ABC’s email servers, and the envelope sender of the message (the SMTP MAIL FROM address, which is what SPF checks) claims to be an ABC.com address.
ABC publishes an SPF record as a DNS TXT record for ABC.com. That record lists the IP addresses and hosts allowed to send mail for the domain and ends with a default such as -all (fail anything else) or ~all (softfail). Your ISP or mailbox provider looks up the record for the MAIL FROM domain and checks whether the connecting IP address is on the list. If it is, the message passes SPF and the receiver can treat the envelope sender as genuine; if it is not, the message fails (or softfails) and the receiver can reject or score it accordingly. Note that SPF checks the envelope sender rather than the From: header the recipient sees, and that it breaks when mail is forwarded, because the forwarder’s IP is not on the original sender’s list.
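The SPF check just described, as an added Python example that is not code from the original page. It evaluates a record for a MAIL FROM domain against the connecting IP using the ip4, ip6, include and all mechanisms and the +/-/~/? qualifiers of RFC 7208; the a, mx, exists and redirect mechanisms are left out because they need live DNS. The records, the abc.example and mailer.example domains and the IP addresses are constructed for the example (the .example names and these address ranges are reserved for documentation).

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real records.
SPF_RECORDS = {
    "abc.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the SPF record of the MAIL FROM domain against the connecting IP.

    Supports ip4, ip6, include and all with the +/-/~/? qualifiers (RFC 7208).
    a, mx, exists and redirect are omitted because they need live DNS; a record
    using them yields permerror here.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"
            matched = addr in net       # False when the address families differ
        elif name == "include":
            # include matches only when the referenced domain's record passes
            sub = check_spf(client_ip, arg, depth + 1)
            if sub in ("none", "permerror", "temperror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"          # mechanism not supported in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    # The forgery from the text: MAIL FROM claims abc.example, but the
    # connection comes from an address abc.example never authorised.
    print(check_spf("203.0.113.7", "abc.example"))   # fail
    print(check_spf("192.0.2.55", "abc.example"))    # pass (ip4 mechanism)
    print(check_spf("198.51.100.10", "abc.example")) # pass (via include)
```

The spammer’s connection from 203.0.113.7 ends at the -all term and fails, while ABC’s own netblock and the included mail vendor pass; the same code run against mailer.example alone returns softfail for unknown senders because that record ends with ~all.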
Spoofing, a method often used by spammers, is the forging of another person’s or company’s email address to get users to open a message. Phishing is sending an email attempting to trick recipients into giving out personal information, such as credit card numbers or account passwords. The email pretends to be from a legitimate source, such as a user’s bank, credit card company, or online web merchant.
Most phishing attacks rely on a forged or spoofed sender in the From line. Because spoofing and phishing are identity-based fraud, authentication is expected to reduce them significantly: verified identity either lets receivers stop the forged mail outright, so consumers never see it, or gives consumers and law enforcement a reliable basis for recognising and pursuing the fraud. One caveat: SPF checks the envelope sender and DKIM proves which domain signed the message, and neither by itself verifies the From: address the user sees; DMARC is the mechanism that ties both checks to the From: domain and lets the domain owner publish a quarantine or reject policy.
For well-known companies that commonly send email to consumers, such as banks, utilities, remote retailers, and e-commerce services, the benefits of authentication are more profound. For these companies, protecting their users from fraudulent emails translates directly into user protection, user satisfaction, reduced customer care costs, and brand protection and trust. Such companies can sign all of their outgoing email with DKIM and publish a policy stating that they do so, so that ISPs can detect and block unsigned messages that claim to come from their domains.
If the company behind example.com signs all of its outgoing email with DKIM (the domain in the signature’s d= tag is example.com, not the www hostname), Yahoo! can add a filter to its spam protection system that blocks any unsigned or improperly signed message claiming to be from example.com. This protects tens of millions of example.com’s customers (or prospective customers) from phishing and spoofing attacks. A DKIM signature also covers a hash of the message body and of selected headers, so a message whose content was altered in transit fails verification even when the sending domain is legitimate.
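The body-integrity part of DKIM verification, as an added Python example (not code from the original page): it implements the RFC 6376 “simple” and “relaxed” body canonicalizations, recomputes the bh= tag from the delivered body and compares it with the one in the DKIM-Signature header. The RSA check of the b= tag over the signed headers is deliberately left out, so the attach_body_hash helper only builds the bh= part of a signature. The sample message, the abc.example domain and the s1 selector are constructed for the example.

```python
import base64
import hashlib
import re


def canon_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    body = body.replace("\r\n", "\n")
    return body.rstrip("\n").replace("\n", "\r\n") + "\r\n"


def canon_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization: strip trailing whitespace per line,
    collapse runs of spaces/tabs to one space, drop trailing empty lines, CRLF endings."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n") if lines else ""


def body_hash(body, canon="simple", algo="sha256"):
    """Compute the bh= value: base64 of the hash over the canonicalized body."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    digest_fn = hashlib.sha1 if algo == "sha1" else hashlib.sha256
    return base64.b64encode(digest_fn(canon_fn(body).encode("utf-8")).digest()).decode()


def split_message(raw):
    """Return ([(name, value), ...], body), unfolding continuation lines."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def parse_tags(value):
    """Parse a DKIM tag=value list; whitespace inside values is insignificant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def verify_body_hash(raw):
    """Body-integrity half of DKIM verification: recompute bh= and compare.
    The RSA check of b= over the signed headers is not performed here."""
    headers, body = split_message(raw)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"  # "c=relaxed" alone means body simple
    algo = tags.get("a", "rsa-sha256").rsplit("-", 1)[-1]
    return body_hash(body, body_canon, algo) == tags.get("bh")


def attach_body_hash(raw, domain, selector, body_canon="relaxed"):
    """Constructed helper: prepend a DKIM-Signature header carrying bh= only.
    A real signer would also fill b= with a signature over the listed headers."""
    _, body = split_message(raw)
    header = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{body_canon}; d={domain};\n"
              f"\ts={selector}; h=from:to:subject; bh={body_hash(body, body_canon)}; b=\n")
    return header + raw


# Constructed sample message (not real mail).
SAMPLE = ("From: billing@abc.example\nTo: user@mailbox.example\n"
          "Subject: Your statement\n\nYour balance is $12.50.\nThanks,  ABC\n")

if __name__ == "__main__":
    signed = attach_body_hash(SAMPLE, "abc.example", "s1")
    print("intact:", verify_body_hash(signed))
    print("tampered:", verify_body_hash(signed.replace("$12.50", "$1250")))
```

Changing the balance in the body changes the recomputed hash and the check fails. The canonicalization choice decides how strict that check is: with relaxed body canonicalization a mail relay that collapses double spaces still verifies, while with simple canonicalization the same whitespace change is enough to fail the signature.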