DMA: Data and Marketing Association
Consumer Help

How To Evaluate The Different Types Of Authentication

There are currently two major types of email authentication systems:

  • IP-based solutions like Sender Policy Framework (SPF) and Sender ID Framework (SIDF), and
  • Cryptographic solutions like DomainKeys Identified Mail (DKIM)

The goal of each is the same: to create a public record against which to validate email messages so that the legitimacy of senders can be verified. Both technologies work to verify that the sender is authorized to send mail from a particular IP address.

A fundamental difference between IP-based and cryptographic authentication solutions is that cryptographic technology protects the integrity of the email contents, while IP-based technology verifies or proves that the sender is authorized by the domain owner to send the mail.

Following is a more in-depth comparison of the three types of email authentication systems (SPF, SIDF, and DKIM).

  1. Sender Policy Framework (SPF)

    SPF is an IP-based technology that verifies the sender’s IP address. It works by cross-checking the domain in the email address in the “Mail From” line of an email against the published record a sender has registered in the Domain Name System (DNS). SPF technology is free to all users.

    An SPF record is a list of computer servers or IP addresses that senders indicate are authorized to send email coming from their domain. When a company publishes an SPF record for their domain, they declare which IP addresses are authorized to send out email on their behalf. SPF allows senders/marketers effectively to say, “I only send mail from these machines (IP addresses/servers). If any other machine claims that I’m sending mail from there, they are not telling the truth.”

  2. DomainKeys Identified Mail (DKIM)

    DomainKeys Identified Mail is a cryptographic, signature-based type of email authentication. DKIM is a combination of Yahoo’s DomainKeys (DK) and Cisco’s Identified Internet Mail (IIM).

    DKIM is offered to all users free of charge. DKIM is available at http://dkim.org and requires more computing resources than IP-based technologies.

    DKIM requires email senders’ computers to generate “public/private key pairs” and then publish the public keys into their Domain Name System (DNS) records. The matching private keys are stored in a sender’s outbound email servers and when those servers send out email, the private keys generate message-specific “signatures” that are added into additional, embedded email headers.

    ISPs that authenticate using DKIM look up the public key in DNS and verify that the signature was generated by the matching private key. This ensures that an authorized sender actually sent the message, and that the message headers and content were not altered in any way in transit.

    The DKIM authentication process involves checking the integrity of the message using the public key included in the email signature header and verifying whether the public key used to sign the message is authorized. This step currently involves utilizing the DNS record of the sending domain. The authorization records in the DNS contain information about the binding between a specific key and email address. In the postal service analogy, DKIM is like verifying a unique signature, which is valid regardless of the envelope or letterhead it was written on.
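
The SPF check described in item 1 above, sketched as an added Python example (not part of the original page): a receiver takes the domain from the “Mail From” address, reads that domain's published record, and tests the connecting IP address against the listed ranges. The `v=spf1`, `ip4:`, `ip6:` and `all` terms are standard SPF record syntax; the domains, addresses, the dictionary standing in for DNS and the function name `check_spf` are constructed for illustration.

```python
import ipaddress

# Constructed sample data standing in for DNS TXT lookups (no network access).
# Domains and addresses come from documentation-reserved ranges.
SAMPLE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:203.0.113.7 ~all",
}

# SPF qualifiers: the prefix on a term decides the result when that term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from, client_ip, dns_txt=SAMPLE_DNS_TXT):
    """Evaluate the connecting IP against the Mail From domain's SPF record.

    Handles only the ip4, ip6 and all mechanisms. Real records may also use
    a, mx, include, exists and redirect, which need further DNS lookups;
    this example reports those as "unsupported" instead of guessing.
    """
    domain = mail_from.rpartition("@")[2].lower()
    terms = (dns_txt.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a term without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for every other sender
        if name not in ("ip4", "ip6"):
            return "unsupported"
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed address in the published record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

A result of `fail` corresponds to the page's “they are not telling the truth” case: the domain owner has published a record and the connecting machine is not on it.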