Understanding Email Authentication

Here are several key articles that explain the differences between the various ways to authenticate email.

The Domain Name System is essentially the phonebook for the Internet. It manages the relationships between IP addresses (the phone numbers) and domains (individuals and corporations).

SMTP (Simple Mail Transfer Protocol) was originally designed for email to be sent and received within corporate and educational agencies, and spam was not considered a problem. Ensuring a valid identity on an email has since become a vital step in stopping spam (as email can be filtered based on such an identity), forgery, fraud, and even more serious crimes. SMTP is continuously evolving, but when it was designed, in the early 1980s, it was the purview of academia and government agencies, and as such there was no cause to consider security. It provided no formal verification of the sender. Various email authentication methods have since been developed:

Authentication methods

  • SPF (SPF checks whether the sender’s IP address is authorised by one of the identified ADMDs)
  • Sender ID or SIDF (framework) (Microsoft’s licensed/patented alternative to SPF – Sender ID tries to improve on SPF, yet they address different problems. Sender ID requires SPF in order to be implemented. Typical Microsoft! – see below)
  • DKIM (DKIM checks the message content, deploying digital signatures. Rather than using digital certificates, the keys for signature verification are distributed via the DNS. That way, a message gets associated with a domain name.)
  • ADSP
  • DMARC
  • VBR
  • iprev
  • “PRA” (Purported Responsible Address) gives incorrect results (false positives) on all the same things that SPF does, but also fails on mailing lists, moderated newsgroups, most MSAs enforcing submission rights (RFC 2476) without adding a corresponding “Sender:” header, and other MTAs adding incorrect “Sender:” headers.
  • DMARC (Domain-based Message Authentication)
    “Despite being one of the world’s largest email senders, we only require a handful of individuals to maintain all of Facebook’s email security efforts thanks to DMARC,” said Michael Adkins, Messaging Engineer, Facebook. “DMARC’s powerful controls protect over 85% of our users from fraudulent email that claims to be from Facebook, and that’s after just one year. Add in the visibility and insight provided by DMARC’s reporting features and a very small team can have a huge impact on phishing.”

DNS Record Types
https://en.wikipedia.org/wiki/List_of_DNS_record_types

SPF
www.openspf.org – What is SPF

SID
https://en.wikipedia.org/wiki/Sender_ID

SPF vs Sender ID
https://www.openspf.org/SPF_vs_Sender_ID

DKIM (domain keys identified mail)
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

SPF (sender policy framework)
https://en.wikipedia.org/wiki/Sender_Policy_Framework