Jenny Peters

Authentication: SPF, SenderID and DKIM

Written by Jenny Peters and Jeffrey Bertoen

Authentication of e-mail makes the sender, and with DKIM also the content, of a message verifiable by the receiving mailserver. Many spam filters apply authentication as a first check on incoming messages. If authentication fails, the e-mail may be refused outright or subjected to extra scrutiny before delivery to your addressee. That is why it is vital to authenticate your own sending servers, those of your intermediaries and those of any third party authorised to send in your name. If you do not, inbox delivery of your e-mail is unlikely.

SPF, SenderID and DKIM are all ways to authenticate a message, but they work in different ways. This article explains, in a simplified manner and for marketers rather than programmers, the principles on which these techniques work.

DNS: digital yellow pages
To explain authentication, we first have to explain domain names. Every domain name (e.g. 'www.copernica.com') is linked to an IP address, the unique numeric address of a computer on the network (e.g. 217.67.229.100). Any computer connected to the internet can reach your website through that IP address. The system that links domain names to IP addresses is the Domain Name System (DNS).

The records that say which domain name belongs to which IP address are kept on special DNS servers: the digital yellow pages of the internet. Every time you visit a website, your computer first asks a DNS server for the address it has to connect to.

Sending e-mail also happens from IP addresses. That is why the DNS data of a domain can also state which IP addresses are allowed to send e-mail for that domain. If your systems are not set up properly, or you send e-mail through a third party or marketing software, the sending IP address may not be listed for your domain. Authentication then fails. The receiving mailserver sees this and, depending on its policy, refuses the e-mail or hands it to the spam filters or quarantine. The chances of inbox delivery are slim.

SPF: checked at the gate
An SPF record is a TXT record in the DNS data of a domain. It lists which IP addresses are allowed to send mail for that domain. So if someone wants to e-mail from ...@copernica.com, the DNS must list their sending IP. The receiving mailserver checks SPF as soon as the e-mail is offered: at the start of the delivery conversation the sending server announces the envelope sender address (the 'MAIL FROM' or Return-Path address, which is not necessarily the 'From' you see in your mail program), and the receiver looks up the SPF record of that address's domain. If the sending IP is not covered by it, the receiver can reject the message before its content is even transferred. Your message is checked at the gate. The record ends with an 'all' term whose qualifier tells the receiver how strict to be: '-all' means any IP not listed must fail, '~all' (softfail) asks for suspicion rather than outright rejection.

Copernica marketing software checks your settings at each mailing and warns if SPF is not set correctly. But not every intermediary does this and, more importantly, only the owner of a domain can change its DNS to include extra IP addresses. The domain owner can add an SPF record to the DNS data saying that IP address X has permission to send e-mail for that domain name, that the addresses Y and Z are also part of your organisation, or that the servers of an intermediary are allowed as well (by 'including' that intermediary's own SPF record).

SenderID: checks your header
SenderID authentication also looks at the sender of an e-mail, just like SPF. It uses DNS data and the same record language as SPF, but it looks at different fields of the e-mail. For a SenderID check the message is first downloaded, so the system can look at the headers. Headers are information added to the e-mail such as 'From', 'To' and 'Subject'. There are also many headers in every e-mail which the recipient never sees.

Where SPF checks the envelope sender, SenderID derives a 'Purported Responsible Address' (PRA) from the visible and invisible address headers of the message ('Resent-Sender', 'Resent-From', 'Sender' and finally 'From') and checks the domain of that address against DNS. A domain owner can publish a dedicated SenderID record (one starting with 'spf2.0/pra' instead of 'v=spf1'); when there is none, a SenderID check falls back to the ordinary SPF record. In practice SenderID never saw wide adoption beyond Microsoft's own mail systems, so a correct SPF record (together with DKIM, below) is what matters; publishing an spf2.0/pra record next to it is optional.
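As an added example (not part of the original article and not Copernica's software), here is a minimal SPF evaluator in Python that does what the receiving mailserver does when a message is offered: it takes the sending IP and the domain of the envelope sender, reads that domain's SPF record and walks the mechanisms until one matches. The DNS data is a constructed in-memory table (the records, address ranges and the 'esp.example' intermediary are assumptions, not real DNS data) so it runs offline; it supports the ip4, ip6, a, include and all mechanisms with the four qualifiers and the ten-lookup limit of RFC 7208. A SenderID check runs the same evaluation but feeds it the domain of the address taken from the headers (the PRA) instead of the envelope sender.

```python
"""Added example: a small SPF evaluator (subset of RFC 7208) with an in-memory DNS."""
import ipaddress

# Constructed zone data standing in for real TXT and A lookups (assumption, not real records).
FAKE_DNS = {
    "copernica.com": {
        "TXT": ["v=spf1 ip4:217.67.229.0/24 a include:_spf.esp.example ~all"],
        "A": ["217.67.229.100"],
    },
    "_spf.esp.example": {            # an intermediary's record, pulled in via include:
        "TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:abcd::/48 -all"],
    },
    "shop.example": {"TXT": ["v=spf1 a -all"], "A": ["198.51.100.20"]},
    "loop.example": {"TXT": ["v=spf1 include:loop.example -all"]},   # self-referencing include
    "nospf.example": {"TXT": ["some unrelated txt record"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}   # these count against the limit


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's v=spf1 TXT record, or None unless there is exactly one."""
    txts = dns.get(domain, {}).get("TXT", [])
    found = [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def check_spf(ip, domain, dns=FAKE_DNS, _budget=None):
    """Evaluate sender IP against the SPF policy of the MAIL FROM domain.
    Returns pass / fail / softfail / neutral / none / permerror, as a receiver would."""
    if _budget is None:
        _budget = [10]     # RFC 7208 4.6.4: at most 10 DNS-querying mechanisms per check
    addr = ipaddress.ip_address(ip)
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"           # too many lookups (also catches include loops)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"           # malformed address or prefix in the record
        elif name == "a":
            target_a = dns.get(value or domain, {}).get("A", [])
            matched = any(addr == ipaddress.ip_address(a) for a in target_a)
        elif name == "include":
            sub = check_spf(ip, value, dns, _budget)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"          # only a pass inside the include matches;
        else:                                 # its own -all does not fail the caller
            return "permerror"               # mx/exists/ptr/redirect= left out of this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched and no "all" term
```

Run it with a sending IP and the envelope sender's domain, for example `check_spf("203.0.113.7", "copernica.com")`, which passes only because the intermediary's included record lists that range; the same call with an unlisted IP ends at the '~all' term and returns softfail, which is why a receiver may still accept but distrust such a message.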

DKIM: digital signature
While SPF and SenderID focus on where an e-mail came from, DKIM looks at the authenticity of the message itself. DKIM (DomainKeys Identified Mail) adds an invisible header ('DKIM-Signature') to an e-mail which contains a digital signature.

An e-mail message, headers and content included, is in the end a string of ones and zeros. Run the signed headers and the body through a hash function and you get a short 'fingerprint' that changes completely if even one character changes. The sender signs that fingerprint with a private key only it holds and puts the result in the signature header, together with a list of which headers were signed. The receiving mailserver retrieves the matching public key from your DNS data (at a name of the form selector._domainkey.yourdomain, the selector being named in the signature), recalculates the fingerprint of the message as it received it and checks it against the signature. If the two agree, the message was signed by the holder of the private key and has not been altered in transit.

DKIM is not set up by default for domain names and sending servers. As mentioned, it requires a key pair: the public key is published in the domain's DNS data, the private key stays on the signing server. The domain owner has to generate this key pair and publish the record. DKIM signatures can also be added by a third party or the sending software, as long as the matching public key is in the domain's DNS. Copernica marketing software offers a click-and-go key generator which sets up DKIM for all future messages sent with the software.
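As an added example (not from the article and not Copernica's key generator), here is a compact DKIM signer and verifier in Python following RFC 6376. The signing domain, the selector name 'mail2024' and the sample message are assumptions constructed for the demo; the canonicalisation, body hash (bh=) and header hash are standard library only, and the rsa-sha256 signature uses the 'cryptography' package. It shows what the signature actually covers, where the receiver fetches the key, and which changes to a message break the signature (a changed body or 'From' header) and which do not (trailing whitespace).

```python
"""Added example: DKIM signing and verification in miniature (RFC 6376, relaxed/relaxed)."""
import base64
import hashlib
import re

DOMAIN = "copernica.com"          # assumption: signing domain for the demo
SELECTOR = "mail2024"             # assumption: selector chosen by the domain owner
SIGNED_HEADERS = ["from", "to", "subject", "date"]


def canon_body_relaxed(body):
    """RFC 6376 3.4.4: collapse whitespace runs, strip trailing whitespace per line,
    drop trailing empty lines, end every remaining line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def canon_header_relaxed(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace, no space around ':'."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= tag: base64(sha256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body).encode()).digest()).decode()


def data_to_sign(headers, signed_names, sig_tags_without_b):
    """What the signature covers (RFC 6376 3.7): the listed headers in h= order, then the
    DKIM-Signature header itself with an empty b= value and no trailing CRLF."""
    out = []
    for name in signed_names:
        for hname, hvalue in headers:
            if hname.lower() == name.lower():
                out.append(canon_header_relaxed(hname, hvalue))
                break
    out.append(canon_header_relaxed("DKIM-Signature", sig_tags_without_b).rstrip("\r\n"))
    return "".join(out).encode()


def make_keypair():
    """Generate the key pair and the TXT record the domain owner has to publish."""
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    der = key.public_key().public_bytes(serialization.Encoding.DER,
                                        serialization.PublicFormat.SubjectPublicKeyInfo)
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode()
    return key, {f"{SELECTOR}._domainkey.{DOMAIN}": record}   # constructed DNS, not a real zone


def sign(headers, body, private_key):
    """Return the DKIM-Signature header value the sending server adds."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    tags = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={DOMAIN}; s={SELECTOR}; "
            f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    sig = private_key.sign(data_to_sign(headers, SIGNED_HEADERS, tags),
                           padding.PKCS1v15(), hashes.SHA256())
    return tags + base64.b64encode(sig).decode()


def verify(headers, body, dkim_sig, dns):
    """What the receiver does: check bh= against the body it got, fetch the public key at
    selector._domainkey.domain, then verify b= over the signed headers."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    tags = dict(t.strip().split("=", 1) for t in dkim_sig.split(";") if t.strip())
    if tags.get("bh") != body_hash(body):
        return "fail (body modified)"
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "fail (no key in DNS)"
    pub_b64 = dict(t.strip().split("=", 1) for t in record.split(";"))["p"]
    public_key = serialization.load_der_public_key(base64.b64decode(pub_b64))
    unsigned = re.sub(r"\bb=[^;]*$", "b=", dkim_sig)        # header as it was when signed
    try:
        public_key.verify(base64.b64decode(tags["b"]),
                          data_to_sign(headers, tags["h"].split(":"), unsigned),
                          padding.PKCS1v15(), hashes.SHA256())
        return "pass"
    except InvalidSignature:
        return "fail (signature mismatch)"


# Constructed sample message for the demo (not a real mailing).
HEADERS = [("From", "Newsletter <news@copernica.com>"), ("To", "reader@example.net"),
           ("Subject", "Our   spring\r\n  offer"), ("Date", "Mon, 1 Apr 2024 10:00:00 +0000")]
BODY = "Hello reader,\r\n\r\nSee our spring offer.   \r\n\r\n\r\n"


def demo():
    """Sign the sample once, then verify the original and four altered versions."""
    key, dns = make_keypair()
    sig = sign(HEADERS, BODY, key)
    return {
        "original": verify(HEADERS, BODY, sig, dns),
        "whitespace only": verify(HEADERS, "Hello reader,\r\n\r\nSee our spring offer.\r\n", sig, dns),
        "body changed": verify(HEADERS, BODY.replace("spring", "summer"), sig, dns),
        "from changed": verify([("From", "news@attacker.example")] + HEADERS[1:], BODY, sig, dns),
        "key missing": verify(HEADERS, BODY, sig, {}),
    }
```

The body hash guards the content and the signature guards the listed headers; anything outside the h= list (for instance a 'Reply-To' that was not signed) can be changed in transit without the signature failing, so the header list a signer chooses matters as much as the key.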

Authentication: anti-spam
Authentication is employed by receiving mailservers as a first check for a good reason. Spam senders are typically not authentic: they use false names, false addresses and copied content in their messages. E-mail marketing IS authentic, but you have to prove it. A receiving server cannot see that you have opt-in permission; it relies on the message and your authentication. Fail your authentication, fail delivery.

Terminology:
Headers
Part of an e-mail containing extra information about the message such as 'From', 'To' and 'Subject', but also invisible information, for example on how the e-mail was routed.

IP address
Internet Protocol Address. A unique numeric address by which computers on a network find and recognize each other, e.g. 217.67.229.100

DNS
Domain Name System. Links domain names to IP addresses, e.g. www.copernica.com goes with 217.67.229.100

SPF
Sender Policy Framework. A DNS record that lists which IP addresses are entitled to send messages for a domain name.

SenderID
E-mail authentication system devised by Microsoft which validates the sender of an e-mail message, taken from its headers, through DNS data.

DKIM
DomainKeys Identified Mail. System of e-mail authentication which adds a digital signature to an e-mail message for validation.

Useful links
For more complete and more technical information on authentication, we recommend the following articles:

http://en.wikipedia.org/wiki/E-mail_authentication
http://en.wikipedia.org/wiki/Sender_Policy_Framework
http://en.wikipedia.org/wiki/SenderID
http://www.openspf.org/SPF_vs_Sender_ID
http://en.wikipedia.org/wiki/DKIM
http://www.dkim.org/
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx