How to safeguard brand trust with email authentication

“A brand for a company is like a reputation for a person.” – Jeff Bezos.

Imagine what would happen to your reputation if someone stole your identity and started opening bank accounts to commit fraud? 🤔

Identity theft is a problem in the real world and it happens to businesses every day with emails! Your brand is at risk when spammers spoof your email address to send fake messages that appear to come from you.

The good news is that you can stop scammers in their tracks and prevent them from harming your brand. Learn how to use email authentication methods to safeguard your brand and keep spoofed emails out of the inbox.

What is email authentication?

Email authentication is about proving that a message is sent by a person who appears to be sending it. It uses email validation standards to check that the sender address isn’t forged and that the email contents have not been modified after sending it.

Jeff Bezos, for example, keeps a public email address at jeff@amazon.com for customer feedback! Thanks to authentication, you can be assured that it is Jeff and his team behind the email, and that messages received from his email are the real deal.

Importance of email authentication

Having a way of verifying email senders will stop spammers from impersonating your brand with fake emails. Better still, it helps to prevent phishing attacks that use spoofed emails to trick recipients into giving up confidential data like logins and passwords. 😭

1. Safeguards your brand

Adding an email authentication layer means that people can be confident about the brand they are interacting with. Also, it avoids negative publicity about losses suffered by victims of malware or phishing scams that were sent with emails using your brand.

2. Protects your reputation

Email authentication records tell email providers—like Gmail, Yahoo, Outlook and others—that you are a genuine sender. These records are also tied to your sending domain, giving your sending reputation a boost for ISPs that look closely at domain reputation.

3. Ensures email deliverability

Your ability to land in the inbox suffers when bad actors continue to send fraudulent emails using your brand. When enough people start to mark these emails as spam, your genuine emails will go straight into the spam folder—or not be delivered at all.

Remember: No security measures are 100% effective when the weakest link is often human error. While email authentication will stop spammers from using your domain, these illegitimate senders can get creative by registering look-alike domains or sending convincing phishing emails with dodgy domains. Your recipients should double-check URLs before clicking further! 🧐

How email authentication works

Today, three standards are used to filter spoofed email messages before they reach the inbox: SPF, DKIM and DMARC. How these acronyms work will be covered in more detail later, but they follow a general path to verify the identity of email senders:

  1. You publish rules on how to authenticate emails sent from your domain.

  2. Your mail servers are configured to implement and follow these rules.

  3. The receiving mail server checks your mail against the rules that you published.

  4. Your email is then delivered, quarantined in the spam folder, or rejected.

General email authentication process

Types of email authentication methods

1. Sender Policy Framework (SPF)

SPF fixes a vulnerability in SMTP where messages can be sent claiming to be from any IP address. To prevent email spoofing, an SPF record is created in your DNS that lists all the mail servers authorized to send email for your domain.

When an email is received, the receiving mail server compares the sending domain with the servers listed in your SPF record. If there’s a match, the message is genuine. Here’s an example of a TXT record for SPF that is used by MailerSend:

v=spf1 include:_spf.mailersend.net ~all

And here it is translated into human language: 
“MailerSend, a third-party email service provider, is allowed to send transactional emails on my behalf. For other emails not sent from MailerSend, you can mark them as spam.”

2. DomainKeys Identified Mail (DKIM)

DKIM authentication was developed in response to person-in-the-middle (PITM) attacks where hackers change the contents of emails in transit. Public key cryptography is used to verify that the contents of your email have not been altered after sending it.

Email spoofing is prevented by adding a public key to your DNS. An encrypted signature is then added to your message headers using a private key known only to you. When an email is received, the header is decrypted and compared to validate the email.

Here’s an example of a TXT record for DKIM used by MailerSend:

v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDZzA9t8fUpEuV+E2R/jxTncUJIzUH1W9mFKztbAIKhl8cG0FjXqhZq0JOA1ycxnbDTJXjJ6/zFGFPrSPK/k2oTdhGbnvD9EFhj8JZEPdIuZVG2SZHr1B/p2EDO6KCkA9ehayx222sDUGWZ+R+DL75XRL3/+Ew4SaYiSY9CeYnjGwIDAQAB

Human translation: “Please decrypt all my email headers using this public key. By the way, subdomains are not allowed to send emails on my behalf, so you can reject them immediately.”

3. Domain Message Authentication Reporting and Conformance (DMARC)

DMARC is an authentication framework that unites SPF and DKIM together with a consistent set of security rules. Along with policies to manage emails that fail authentication, you can also get reports about authentication issues and email activity.

First, an identifier alignment test compares the email’s “From” header with the sending domain using SPF and DKIM methods. Depending on how closely they need to match—which you set with the security rules—the email passes or fails the check.

Next, DMARC policies tell the receiving mail server what to do with unauthenticated emails. They can be delivered (for testing purposes), quarantined by putting them in the spam folder, or rejected by sending a bounce message to the sender.

Here’s an example of a TXT record for DMARC:

v=DMARC1; p=none; rua=mailto:aggregate@justanothercompanyname.com; ruf=mailto:forensic@justanothercompanyname.com; fo=1; pct=100; rf=afrf

And translated into human language: 
“Don’t take any action on emails that have failed SPF or DKIM authentication. I want to collect data on them for analysis and troubleshooting. You can send reports on email activity and failed authentications to me at these email addresses.”

10 email authentication best practices

Use these best practices to safeguard your brand and give recipients the confidence to interact with your emails. Mix and match them to suit your needs: for example, you may not need DMARC now, but you’ll definitely need SPF and DKIM for a start.

1. Audit your mail servers

As your sending needs grow in complexity with your business, you might not know which machines are sending messages on your behalf! Get clarity by creating a spreadsheet of all your mail servers along with their IP addresses and domains. Some of these can include:

  • Web servers

  • Mail servers

  • Internal email servers

  • Email service providers, such as MailerLite and MailerSend

2. Secure your sending domains

Your domains are brand assets that are critical to your business. Secure your assets by enforcing SPF and DKIM for top-level domains (.com and .net names, for example), parked domains, and other sub-domains that are publicly visible.

If there are attempts to change your DNS records or transfer ownership of your domain, you will need to unlock it first with a one-time password sent by the domain provider.

When you add a new sending domain in MailerSend, you’re protected from the start with auto-generated SPF and DKIM records. 💪

3. Review your DNS records

For SPF records, check that you have no more than 10 DNS lookups. Exceed this number and you will fail email authentication. This limit was imposed to prevent denial-of-service (DoS) attacks and to conserve the resources of email servers.

Next, test your authentication records by publishing them in test mode. Both SPF and DKIM have testing tags that will help you identify missing mail servers in your audit. Once done, turn off test mode to start protecting yourself from spammers!

In MailerSend, SPF defaults to test mode using the ~all tag. You can change it to -all once you are sure that emails are being authenticated correctly. For DKIM, a domain match is enforced with t=s. You need to set it to t=y for testing purposes.

Finally, publish your SPF and DKIM records to your DNS so that mailbox providers can look them up. Remember, it can take up to 48 hours for DNS changes to be reflected globally. The sooner you publish them, the better it is for your email deliverability.

4. Implement DMARC gradually

When using DMARC for the first time, start it in “monitor” mode so that you can observe and tweak it as you go along. Once you’re satisfied that genuine emails are not getting filtered, you can move to “enforcement” mode to start rejecting and quarantining emails.

You can also test your DMARC policies by using the pct tag. By default, every email is checked (pct=100) but you can set a value between 1-100 until you are confident your policies are working. For example, pct=20 means check 20% of my email for DMARC compliance.

5. Secure your networks

Now that you have SPF, DKIM and DMARC implemented, make sure that they are enabled across all the networks used by your business. You will be protected from malicious emails and phishing attacks, thus preventing malware and information theft.

6. Analyze email authentication reports

Look for suspicious activity using two types of DMARC reports: an aggregate report (RUA) and a forensic report (RUF). RUA provides an overview of email traffic while RUF contains details about emails that failed authentication, including their content.

7. Encrypt traffic between your servers

Another vulnerability of SMTP is that emails are sent in plain text format while in transit between email clients. This means that determined hackers can snoop and monitor your messages while they make their way to the recipient! 

You can prevent email eavesdropping by turning on Transport Layer Security (TLS), a protocol that encrypts Internet traffic. The good news is that MailerSend enables TLS by default when you use SMTP for outgoing emails.

SMTP email encryption

8. Secure your DNS

The Domain Name System (DNS) is the phonebook of the Internet. It matches human-readable domain names with IP addresses. Like SMTP, the creators of DNS did not prioritize security as the Internet was mainly used by institutions of higher learning.

DNS is still vulnerable to security attacks where hackers forge DNS records and redirect email traffic to a server they control. You can avoid this by implementing Domain Name System Security Extensions (DNSSEC) that help you protect your DNS infrastructure.

More extensive resources on how to secure DNS are available at the DNSSEC website.

9. Monitor your IP addresses

An IP address is a numerical address that identifies a device on the Internet. For email, each mail server will have a unique address assigned to it. Use IP monitoring tools to keep track of the status and availability of your servers as well as suspicious activity.

10. Turn on 2FA for accounts

Human error is the weakest link in any security infrastructure. Turn on two-factor authentication (2FA) for every account, meaning hackers are unable to proceed without a code from an authenticator app or a one-time password sent to your phone.

How to authenticate your emails

Now it’s time to apply these best practices! To start sending mail from your own domain, you need to verify and authenticate it. Don’t worry, it’s easy and takes only a few minutes.

First, you need to have a MailerSend account as well as access to your domain’s DNS records at your domain or hosting provider.

1. Navigate to Domains at the main dashboard.

MailerSend dashboard

2. If this is your first domain in MailerSend, enter your domain name and click Add domain and continue to step 3.

Add new domain

If you have existing sending domains, like in the example below, click on Add domain.

List of existing domains

Then enter your new domain name and click Add domain again.

Add new domain to existing domains

3. Next, you will see the three DNS records you should add to the domain’s DNS settings:

  • SPF: Verifies the sender from a list of IP addresses

  • DKIM: Uses cryptographic methods to validate an email

  • CNAME for Return-Path: Receives bounces and other email feedback

For convenience, you can click on each field value to automatically copy it.

SPF and DKIM records

5. Go to the domain’s DNS page at your provider’s site and add the TXT and CNAME records.

The exact steps to configure your DNS settings vary with each domain provider. Check out this in-depth DNS settings guide for popular providers like GoDaddy, Namecheap and Hostinger.

6. After adding the records, jump back to MailerSend to toggle the I have added DNS records option and click Verify domain.

Verify new sending domain

Once the records have been propagated throughout the global DNS servers, your domain will be verified and ready to use! 🎉

Note: The DNS changes usually take effect in a few minutes but it may take up to 24-48 hours for the records to update. Here’s a quick troubleshooting guide if your domain is still marked as unverified.

Congratulations on adding and verifying a new domain! 👏 The next step is to send emails using MailerSend. Check out our comprehensive how-to guide to start sending.

Essential email authentication glossary

Two-factor authentication (2FA)

A method of proving your identity that requires you to provide 2 pieces of information: what you know (your login credentials) and what you possess (your smartphone or security device).

DomainKeys Identified Mail (DKIM)

An email authentication standard that prevents email spoofing by adding an encrypted DKIM signature to the email header of all outgoing messages. 

Domain Message Authentication, Reporting & Conformance (DMARC)

An email authentication standard that uses DMARC records to tell receiving mail servers what to do with unauthenticated emails according to policies you have set.

Domain Name System (DNS)

The phonebook of the Internet that translates a web address into the physical IP address of the server hosting the website.

Domain Name System Security Extensions (DNSSEC)

A set of protocols that secures DNS by adding cryptographic signatures to existing DNS records.

Denial-of-service (DoS)

A cyber attack that aims to disable a server by flooding it with multiple requests until it is unable to function properly.

Identifier alignment

A DMARC process that compares the sending domain with the “From” sender address.

IP address

A unique numerical address that is assigned to every device on the Internet.

Person-in-the-middle (PITM)

An attack where hackers intercept emails on their way to recipients to eavesdrop or change their contents.

Phishing

An attack to steal your personal information by sending emails that impersonate websites that you already use.

Reporting URI for aggregate data (RUA)

A DMARC tag that contains an email address to receive aggregate reports of email activity.

Reporting URI for failure data (RUF)

A DMARC tag that contains an email address to receive forensic reports of emails that failed authentication.

Sender ID

A historical email authentification method for Microsoft Exchange that listed the IP addresses of mail servers authorized to send emails from a domain.

Simple Mail Transport Protocol (SMTP)

A communication protocol to send and receive emails over the Internet.

Sender Policy Framework (SPF)

An email authentication standard that lists the sending IP of mail servers that are authorized to send messages from your domain.

Spoofing

A fraudulent practice where spammers forge your domain to send fake messages that appear to come from you.

Spamming

The practice of sending unsolicited emails in bulk to a large number of recipients.

Transport Layer Security (TLS)

A cryptographic protocol that is used to encrypt and secure data that is sent over the Internet.

Start protecting your brand now!

Now that you have the basics of email authentication, start protecting your brand’s reputation from scammers and give customers the confidence of engaging with your emails. Choose a transactional email provider like MailerSend that has email authentication best practices built-in for peace of mind!

Do you use SPF, DKIM, DMARC, or a combination of these email authentication methods? Share in the comments below. 👇

Sean
I’m Sean, Content Writer at The Remote Company. My lifelong dream is to take a slow walk through one of those old highways winding across Japan. Coffee is my other passion and I enjoy chasing the perfect espresso pour!