Email Authentication Guide: Frequently Asked Questions

Together Stronger

Aug 17, 2020


EMAIL AUTHENTICATION

This document will explain what authentication is – including some recommendations on what you should do as an email marketer to implement these guidelines within your organization.

* This Guide should not be considered as legal advice. It is being provided for informational purposes only. Please review your email program with your legal counsel to ensure that your program is meeting appropriate legal requirements.

“Marketers that use email for communication and transactional purposes should adopt and use identification and authentication protocols.”


THIS COMPLIANCE GUIDE COVERS:

Basics of Email Authentication Technologies

Basic FAQs on the DMA’s Email Authentication Guidelines

Implementation: Complementary Types of Email Authentication Systems

Beyond Authentication: Email Reputation

Email Authentication Resources for Marketers

BASIC FAQs ON THE DMA’S EMAIL AUTHENTICATION GUIDELINES

1. What Do the DMA’s Email Authentication Guidelines Require?

The DMA’s guidelines require marketers to choose and implement authentication technologies in their email systems. It is up to your company to decide what kind of authentication protocol to use, though all are recommended based on current-day trends. The DMA does not require nor endorse the use of any specific protocol, as there are several interoperable, inexpensive, and easy to implement solutions available today.

2. Why Does the DMA Require Members to Authenticate Their Email Systems?

The DMA requires its members to authenticate their email systems primarily because mailbox providers (aka ISPs, MSPs or receivers) are increasingly requiring authentication. This strongly aligns with a growing trend in the email deliverability industry that is leaning more towards domain-based reputation (as opposed to the IP-based reputation of a couple of years ago). Secondly, authentication improves the likelihood that legitimate/wanted email will get delivered to the intended recipient’s inbox folder.

Additionally, email authentication reduces the likelihood of spam, spoofing and phishing attacks (thus protecting the integrity of marketers’ brands). Authentication is seen as one way to make the email marketing arena more secure and to improve consumer confidence in email, thus preserving it as a valuable email marketing communications tool.

3. Does the DMA’s Email Authentication Guideline Require Marketers to Authenticate Inbound Emails, Outbound Emails, or Both?

The guideline applies only to outbound email that marketers send either from their own IP addresses or via the use of a third-party service bureau.

Designed by InboxArmy


4. Is Email Authentication Required Just for Marketing Messages?

No, the DMA’s Email Authentication Guideline applies to ALL outbound messages that marketers send or that their third-party service bureaus send on their behalf.

5. Does the Guideline Apply to B-to-B Marketers?

Yes, the DMA believes that the common best practices in email deliverability for consumer promotions should also be used for business-to-business campaigns.

6. Does the Guideline Apply to Nonprofits?

Yes, non-profit organizations, as well as for-profit businesses, should authenticate the email messages they send.

BASICS OF EMAIL AUTHENTICATION TECHNOLOGIES

1. What is an Email Service Provider (ESP)?

A company that offers email services to send (bulk/marketing) email on behalf of a marketer.

2. What is an Internet Service Provider (ISP)?

A service provider that provides access to the Internet (and most times an email account).


3. What methods/types of Email Authentication are out there?

There are a few major email authentication methodologies:

Sender Policy Framework (SPF) - an IP-based solution,

DomainKeys Identified Mail (DKIM) - a cryptographic solution,

Domain-based Message Authentication, Reporting & Conformance (DMARC) - builds on the widely deployed SPF and DKIM protocols.

The goal of the first two is similar: create a public record against which to validate email messages so that a sender’s legitimacy can be verified. Both the SPF and DKIM technologies work to verify that the sender is authorized to send mail.

4. What is the Difference Between IP-Based Authentication and Cryptographic Authentication?

A fundamental difference between IP-based and cryptographic authentication solutions is that cryptographic technology protects the integrity of the email content, while IP-based technology verifies or proves that the sender is authorized by the domain owner to send email.

5. What is the Domain Name System (DNS)?

The Domain Name System (DNS) is an Internet directory service. DNS is where companies publish information about their domains.

6. What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop on or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

TLS for email isn’t required but has been widely adopted following revelations of government snooping. Some ISPs (like Google’s Gmail) add a warning flag to email messages that were received without TLS encryption. For this reason it is recommended that all outbound email support TLS. An overview of TLS is available at:


https://www.google.com/transparencyreport/saferemail/tls/ with an FAQ available at https://www.google.com/transparencyreport/saferemail/faq/.


IMPLEMENTATION OF COMPLEMENTARY TYPES OF EMAIL AUTHENTICATION SYSTEMS: SPF, DKIM AND DMARC


Sender Policy Framework (SPF):

1. What is it?

SPF is an IP-based technology that verifies the sender IP address by cross-checking the domain in the email address listed in the non-visible “Mail From” line of an email against the published record a domain owner has registered in the Domain Name System (DNS). SPF technology is free to all users. An SPF record is a list of computer servers or IP addresses that senders indicate are “authorized” to send email that claims to be coming from their domain. When you publish an SPF record for your domain, you declare which IP addresses are authorized to send out email on your behalf.

SPF allows senders/marketers effectively to say, “I only send mail from these machines (IP addresses/servers). If any other machine claims that I'm sending mail from there, they are not telling the truth.”


2. How Do I Implement Sender Policy Framework (SPF)?

Run an audit and write a list of all IP addresses that send email on your behalf. As an extra precaution, talk to your IT staff and any Email Service Providers you work with to ensure you don’t miss any IP addresses.

Create your SPF record. http://www.openspf.org/ provides syntax details and tools to help with this.

Publish your SPF record in DNS.

Verify that your SPF record is published and working.

(i) An easy-to-use third-party tool can be found at http://tools.wordtothewise.com/authentication:

a. Input your domain name in the text box to check a published SPF record.

b. View “Results”. You should see ‘This seems to be a healthy SPF record’, meaning the SPF record is good to go.
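A worked check of the audit and verification steps above, added here as an example; it is not code from the guide, from openspf.org or from the Word to the Wise tool. It is a minimal SPF (RFC 7208) evaluator that takes a published record and a sending IP and returns the SPF result, plus an audit helper that lists the sending IPs the record does not authorize. The record text and all IP addresses are constructed (documentation ranges). Only the ip4, ip6 and all mechanisms are evaluated, since they need no network access; include, a, mx, exists and ptr require DNS lookups and raise NotImplementedError instead of being guessed. The difference between ending a record with ~all and -all is what produces a soft fail versus a fail at the receiving ISP.

```python
"""Minimal offline SPF (RFC 7208) evaluator for ip4/ip6/all mechanisms.

Added example, not part of the DMA guide. Records and addresses below are
constructed using RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress

# Qualifier prefixes and the SPF result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms this example cannot evaluate without DNS lookups.
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}

# Constructed sample records for placeholder domains.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ip4:198.51.100.10 ~all",
    "strict.example": "v=spf1 ip4:203.0.113.5 -all",
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Modifiers such as redirect= and exp= are skipped; a mechanism without an
    explicit qualifier defaults to "+" (pass), as the RFC specifies.
    """
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term:          # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip against record.

    Terms are evaluated left to right; the first matching mechanism decides.
    A malformed network argument is a permerror. If nothing matches and there
    is no "all" term, the result is neutral.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism in DNS_MECHANISMS:
            raise NotImplementedError(f"{mechanism} needs a DNS lookup; not handled offline")
        else:
            return "permerror"   # unknown mechanism name
    return "neutral"


def unauthorized_senders(record, sending_ips):
    """Audit step: which of the IPs found in the audit would not get an SPF pass?"""
    return [ip for ip in sending_ips if check_spf(record, ip) != "pass"]


if __name__ == "__main__":
    record = SAMPLE_RECORDS["example.com"]
    for ip in ("192.0.2.77", "198.51.100.11", "2001:db8:1::5"):
        print(ip, "->", check_spf(record, ip))
    print("missing from record:", unauthorized_senders(record, ["192.0.2.1", "203.0.113.9"]))
```

Run it against your own published TXT record and the IP list from the audit step: any address that comes back as anything other than pass is one the record does not yet authorize, which is exactly the gap the audit is meant to close before mail from it starts soft-failing or failing at receivers.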


DOMAINKEYS IDENTIFIED MAIL (DKIM)

1. What is it?

DomainKeys Identified Mail is a cryptographic, signature-based form of email authentication. DKIM is offered to all users free of charge.

The DKIM specification is available at http://www.dkim.org. DKIM requires email senders to generate “public/private key pairs” and then publish the public keys in their Domain Name System (DNS) records. The matching private keys are stored on a sender’s outbound email servers, and when those servers send out email, they generate message-specific “signatures” that are added in additional, embedded email headers.

The DKIM authentication process involves checking the integrity of the message using the email signature header and verifying whether the key used to sign the message is authorized for use with the sender’s email address. This step currently involves utilizing the DNS record of the sending domain. The authorization records in the DNS contain information about the binding between a specific key and email address.

Using a US Postal Service analogy, DKIM is like verifying a unique signature which is valid regardless of the envelope or letterhead it was written on.

ISPs that authenticate using DKIM look up the public key in DNS and then can verify that the signature was generated by the matching private key. This ensures that an authorized sender actually sent the message, and that the message headers and content were not altered in any way during their trip from the original sender to the recipient.
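The signing and verification steps described above, as an added example that is not code from the guide or from dkim.org. It implements the parts of RFC 6376 that can be checked offline without a private key or DNS: body canonicalization, the bh= body hash that the signer commits to, parsing of the DKIM-Signature tag list, and the DNS name a verifier would query for the public key. The message body, the domain example.com and the selector sel2020 are constructed placeholders. The b= value (the RSA signature over the headers listed in h= and the body hash) is left empty because producing or checking it needs the key pair; note also that DKIM covers only the headers named in h= plus the body, not every header on the message.

```python
"""Offline pieces of DKIM (RFC 6376) verification: body canonicalization,
the bh= body hash and DKIM-Signature tag parsing.

Added example, not the guide's or dkim.org's code. Message, domain and
selector are constructed placeholders; the b= signature is not computed.
"""
import base64
import hashlib
import re


def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 section 3.4 body canonicalization, returned as bytes.

    simple : drop trailing empty lines; an empty body becomes a single CRLF.
    relaxed: also collapse runs of spaces/tabs to one space and strip
             trailing whitespace on each line; an empty body stays empty.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    elif mode != "simple":
        raise ValueError(f"unknown canonicalization {mode!r}")
    while lines and lines[-1] == "":
        lines.pop()
    canonical = "".join(line + "\r\n" for line in lines)
    if mode == "simple" and not canonical:
        canonical = "\r\n"
    return canonical.encode("utf-8")


def body_hash(body, mode="relaxed", algorithm="sha256"):
    """bh= tag value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Turn 'k1=v1; k2=v2' (possibly folded across lines) into a dict."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def build_signature_header(body, domain, selector, mode="relaxed"):
    """Signer side. Everything except b=, which needs the private RSA key."""
    return (f"v=1; a=rsa-sha256; c={mode}/{mode}; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body, mode)}; b=")


def verify_body_hash(header_value, body):
    """Verifier side: does the body still match the bh= the signer committed to?"""
    tags = parse_dkim_tags(header_value)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algorithm = tags.get("a", "rsa-sha256").partition("-")[2]
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


def public_key_record_name(tags):
    """TXT record a verifier fetches before checking b=: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


# Constructed sample message body and the header a signer would emit for it.
SAMPLE_BODY = "Hello Customer,\r\n\r\nYour May statement is ready.\r\n"
SAMPLE_HEADER = build_signature_header(SAMPLE_BODY, "example.com", "sel2020")

if __name__ == "__main__":
    print("DKIM-Signature:", SAMPLE_HEADER)
    print("key lookup at:", public_key_record_name(parse_dkim_tags(SAMPLE_HEADER)))
    print("untouched body ok:", verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY))
    print("tampered body ok:", verify_body_hash(SAMPLE_HEADER, SAMPLE_BODY + "Click here!\r\n"))
```

Relaxed canonicalization is what lets a signature survive the line-ending and whitespace rewrites that forwarding mail servers commonly apply, while still detecting inserted content; a bh= mismatch is the first thing a receiver sees when a message body was altered in transit.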


DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE (DMARC)

DMARC Overview:

1. What is it?

DMARC is an email authentication protocol that builds on the SPF and DKIM protocols. SPF and DKIM provide valuable authentication capabilities but have some shortcomings. First, they operate on different ‘from addresses’ (the ‘visible from’ versus the ‘envelope from’). Second, they provide no feedback mechanism for domains to know when email fails, or when their domain is being spoofed. Finally, they provide no guidance to receiving sites as to what to do with messages that fail authentication.

DMARC addresses these three issues: it uses domain alignment to match the envelope “From” address checked by SPF to the visible “From” address checked by DKIM; it provides a reporting function that allows senders and receivers to monitor and improve domain protection from fraudulent email; and it provides a mechanism whereby domains can suggest to receivers what to do with mail that fails DMARC.

A brief, non-technical overview is available at https://dmarc.org/wiki/FAQ#How_does_DMARC_work.2C_briefly-.2C_and_in_non-technical_terms.3F.

A more detailed explanation & overview can be found at https://dmarc.org/overview.

Many domains, including major ISPs, are checking DMARC and utilizing it as part of their spam filtering decisions, and many more are implementing the reporting function.

2. How Does Email Authentication Reduce and Protect Against Spam?

Spam causes problems for both consumers and marketers. The spam problem is not going away, and spammers quickly adapt to filters set up by Internet and Mailbox Providers, thus blurring the perception in consumers’ minds of which commercial email is legitimate and which is spam. Authenticated email helps ISPs and Mailbox Providers better identify legitimate email. Spammers are then distinguished from senders of legitimate email, enabling wanted mail to be delivered to consumers with higher certainty and at a lower cost.

3. How Does Email Authentication Reduce and Protect Against Spoofing and Phishing?

Spoofing is the forging of another person’s or company’s email address. Phishing is sending an email that attempts to trick recipients into giving out personal information, such as credit card numbers or account passwords. The email pretends to be from a legitimate source, such as a user’s bank, credit card company, or online Web merchant. Most phishing attacks come from email in which the sender’s name in the ‘From Line’ has been forged or spoofed.

Authentication makes it easier for ISPs to identify such fraudulent email and prevent it from reaching its intended victims.
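A worked example of the alignment and policy logic from the DMARC overview above, and of how it catches the forged visible From line that the spoofing and phishing question describes; this is added here and is not code from the guide or from dmarc.org. It follows RFC 7489: SPF is aligned on the envelope MAIL FROM domain and DKIM on the d= domain of a signature that verified, each compared with the domain of the visible From header, and the message passes DMARC only if at least one of the two both authenticates and aligns. Assumptions: the record, domains and report address are constructed placeholders; the organizational domain is approximated by the last two labels instead of the Public Suffix List; the pct= sampling tag is ignored.

```python
"""Offline DMARC (RFC 7489) policy parsing, identifier alignment and the
resulting disposition for one message.

Added example, not the guide's or dmarc.org's code. The record, domains and
report address are constructed placeholders.
"""

# Constructed DMARC record as it would be published at _dmarc.example.com.
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Parse the tag=value list; alignment modes default to relaxed ('r')."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplification for this example: the last two labels.

    Real receivers consult the Public Suffix List so that e.g. example.co.uk
    is treated as one organization; that list is not embedded here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    a, b = identifier_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF and DKIM outcomes for one message into a DMARC verdict.

    from_domain : domain of the visible From: header (what the recipient sees)
    spf_domain  : envelope MAIL FROM domain that SPF was evaluated against
    dkim_domain : d= tag of a DKIM signature that verified, or None

    DMARC passes when at least one of the two authenticates AND aligns with the
    visible From domain. Only an outright "pass" counts; softfail does not.
    The pct= sampling tag is ignored here.
    """
    policy = parse_dmarc(record)
    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, policy["aspf"]))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, policy["adkim"]))
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none"}
    # Failing mail whose From is a subdomain gets sp= when present, else p=.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    disposition = policy["sp"] if is_subdomain and "sp" in policy else policy["p"]
    return {"result": "fail", "disposition": disposition}


if __name__ == "__main__":
    # Legitimate mail: ESP bounce domain passes SPF and aligns in relaxed mode.
    print(evaluate_dmarc(SAMPLE_DMARC, "example.com", "pass", "bounce.example.com", "fail", None))
    # Spoofed visible From on an unrelated sending domain: SPF passes for that
    # domain but does not align, no DKIM, so the subdomain policy applies.
    print(evaluate_dmarc(SAMPLE_DMARC, "promo.example.com", "pass", "esp.example.net", "none", None))
```

The second case in the usage block is the spoofing scenario: the sending domain's own SPF record may well authorize the sending IP, which is why SPF alone does not stop a forged visible From; DMARC fails it because neither identifier aligns with the domain the recipient actually sees, and the rua= address is where the domain owner would receive aggregate reports of such attempts.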


BEYOND AUTHENTICATION: EMAIL REPUTATION


Authentication and reputation are fundamentally linked. Authentication alone is not sufficient for Internet Service Providers (ISPs) to make deliver/non-deliver decisions. Authentication verifies authorization to send, but it doesn’t tell mailbox providers anything about whether the authorized sender is legitimate or a spammer. This is where reputation and whitelisting come into play.

1. What is a Company’s Email Reputation?

Email Reputation is a way for ISPs to combine the sender’s identity with additional information about the sender’s practices. Reputation is based on numerous factors: complaint rates, identity stability, unknown user volume, security practices, unsubscribe policies, and more. Most of these factors can be measured, quantified and weighted by Internet Service Providers (ISPs) and Email Service Providers (ESPs).

2. What Metrics Should I Monitor to Ensure That My Email Reputation is Good?

There are a few simple steps marketers can take to ensure that their Email Reputation remains in good standing with ISPs.

Good List Hygiene: Sending email to too many addresses that don’t exist isn’t only a trait of spammers – it is a trait of any entity that is considered to have poor marketing practices and is sending spam. ISPs acknowledge that there is a lot of churn in terms of consumers changing email addresses, and because of that they do allow for some margin of error. However, it is generally accepted that marketers should aim to keep “invalid” addresses at less than 3-5% of each mailing. Of course, reducing these types of errors isn’t just good for deliverability, but for Return on Investment (ROI) as well.

Sound Email Sending Infrastructure: A common trait of spamming is to redirect email bounces and replies to spoofed, non-functional or non-existent return addresses. Therefore, to differentiate themselves, legitimate senders are expected to be capable of receiving the volume of bounces that typically accompanies any high volume email campaign. Most ISPs require that email senders are capable of receiving at least 90% of messages that are bounced back to them when they attempt to email an invalid or unknown address. When an email sender does not accept bounce back error replies it is considered suspicious behavior and the sender may be identified as a spammer. If an ISP becomes suspicious of an email sender it may ask high volume email senders to adjust the number of simultaneous connections to their networks. Or it may institute mail volume throttling (spreading out the number of emails sent over a long period of time).

High Relevance/Low Complaint Rate: Having good list hygiene and sound delivery infrastructure are the foundation of a good reputation, but keeping complaint rates low is where a company can significantly improve or damage its reputation. The key to having a low complaint rate is making sure that your email is relevant and delivers value to the recipient. In general, ISPs believe there should be little to no reason for a consumer to complain about legitimate email. Marketers should aim to keep their complaint rate below 0.1 percent. The complaint rate is calculated by dividing the total number of complaints by the total number of delivered emails in a specific mailing. Just two or three complaints per thousand emails delivered could result in short-term blocking by ISPs that employ reputation systems, and severe long-term blocking if the sender does not bring the complaint rate under control.

3. What is a Whitelist?

A whitelist is a list/process that some ISPs (and mailbox providers and receivers) use to allow email marketers/senders to send emails into their networks of end users without being subjected to certain (stricter) levels of filtering (anti-spam/policy/volume filters, etc.). In recent years most ISPs have moved away from whitelisting in favor of more sophisticated filtering.

4. What Are Feedback Loops?

A complaint feedback loop (FBL) is a technical system where ISPs share spam complaints with senders in order to monitor list health and to remove complainants from their lists. An FBL is essential for marketers to identify and resolve high complaint email campaigns and messaging streams emanating from their IP address/computer networks.

5. What is the Difference Between Pass, Fail and Soft Fail of an Email Message?

If a message passes an ISP’s authentication check it means the email meets the standards for that ISP’s definition of a legitimate message and is likely to be delivered to the recipient’s inbox. If a message fails an authentication check it did not meet the standards for that ISP’s definition of a legitimate message and likely will not be delivered to the intended recipient’s inbox. It will either be directed to the recipient’s spam/junk folder, or the message may be blocked. A soft fail is a message that is a “probable fail” according to the ISP’s standards; a soft fail message usually comes from a sender or IP address that is not listed on the ISP’s list of authenticated senders but is not an outright failed message.

Best Practices for Implementing Email Authentication Protocols:

Assign an individual or group at your company to be responsible for working with other relevant departments and vendors to implement email authentication.

Authenticate using more than one technology. SPF, DKIM and DMARC are interoperable free technologies that have different deliverability success rates with different ISPs. For best results, authenticate your email systems with one or more technologies.

Know your customers and where you are mailing to.

Follow developments in the industry field, including technological white papers and industry or government-sponsored workshops.

Research the major protocols to determine the best solution(s) for your company.

Develop a policy for assigning domain and sub-domain names.

Develop a way to measure the impact of email authentication in terms of higher deliverability to those you wish to reach.

Research ways to authenticate incoming email to your company.

EMAIL AUTHENTICATION RESOURCES FOR EMAIL MARKETERS

There are many Email Authentication resources available, including:

Sender Policy Framework (SPF) info page: http://www.openspf.org

DomainKeys Identified Mail (DKIM) information page: http://www.dkim.org

Domain-based Message Authentication, Reporting & Conformance (DMARC): https://www.dmarc.org

Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG): http://www.m3aawg.org

The Federal Trade Commission has held some workshops on this issue, for example: https://www.ftc.gov/news-events/events-calendar/2004/11/mail-authentication-summit


[email protected]

Mailing Address

1333 Broadway, Suite 301, New York, NY 10018

emailexperience.org