Email Security and Authentication

Email Security and Authentication

This web page is oriented to techies in charge of their companies email.

The problem with starting to secure your email, is that every step has side effects and repercussions that cause pain and require additional steps.

On the other hand, not doing anything will eventually catch up with you.

Email is complex, despite it being called Simple Mail Transfer Protocol (SMTP).

The primary problem is that email never had any built in authentication, thus allowing people to forge emails. Receiving emails carrying spam and malware are one symptom.

Another problem is other people receiving emails purporting to be from you.

While we might be savvy enough to ignore and avoid the spam and malware coming our way, we cannot be certain that other people will be able to identify forged email sent using our name and email address.

Therefore, it is a good idea to use the tools and techniques available in the email ecosystem.

SPF (Sender Policy Framework) is the primary email authentication tool we have today. We set up a DNS TXT record that defines all of the IP Addresses that are allowed to send email on your behalf.

If you forward any of your emails to another ISP, SPF requires SRS (Sender Rewriting Scheme) to avoid them rejecting your emails.

Another tool that uses DNS to secure your email is DKIM (DomainKeys Identified Mail).

DMARC (Domain-based Message Authentication, Reporting and Conformance), works on top of SPF and DKIM, and helps clarify that you want to enforce the email policies, as well as provide feedback from other ISP’s on what they are seeing regarding both your authorized and unauthorized email stream. has an option that will detect forged email sent to a mailing list. Once detected, there are 3 different ways that we can handle that email.

- Silently ignore the email
- Forward to a list moderator for approval
- Return to the subscriber for approval (self moderation)

We consider email to be forged when proper SPF records have been setup for that domain, with either FAIL or SOFTFAIL.