Question: What is e-mail authentication, and how does it affect my e-mail delivery?

Published on .

Most Popular

Answer: Legitimate e-mail marketers and Internet ecommerce professionals are continually trying to implement standards for e-mail delivery to help reduce unsolicited bulk e-mail (read: spam and phishing e-mails) without impinging on legitimate bulk e-mail campaigns.

Authentication means verifying whether a person or computer is who they say they are. As it pertains to e-mail marketing, authentication specifically attempts to match the sender of the message to the domain that the e-mail message is purportedly coming from. Even in the advanced e-mail marketing environment of today, it is relatively easy to spoof unprotected domains.

Currently, there are two common types of authentication enjoying widespread use: Sender Policy Framework (SPF) and DomainKeys.

SPF: Sender Policy Framework is an extension of Simple Mail Transfer Protocol (SMTP). SPF specifically addresses e-mail spoofing, a common spamming practice referring to forging a sender's address. SPF verifies information from the e-mail message’s "envelope," focusing on the return-path e-mail address. Like a regular mail envelope, the e-mail message envelope describes who sent the e-mail message, and to whom it is going.

The SPF record on the Domain Name System (DNS) server responsible for a particular Web domain is what determines the status of the e-mail message: pass, fail, softfail, etc. This information is passed to the recipient mail server.

The SPF record specifies which e-mail servers are allowed to send e-mail for a particular domain. SPF simply performs a check on one or more of these computers to verify to the recipient mail server their status. SPF by itself does not prevent spam, but the recipient mail server reads the information in the SPF file and then makes some sort of determination based on the status. There are many larger ISPs using SPF, including MSN and Gmail.

DomainKeys: DomainKeys is an authentication system that is independent of Simple Mail Transfer Protocol. E-mail messages are still sent using SMTP, but DomainKeys is not an SMTP extension; rather, it deals with the e-mail headers that are outside the message envelope. DomainKeys was designed to identify e-mail spoofing and does not prevent abusive behavior; it simply makes it easier to track. Yahoo implemented DomainKeys in 2004 for outbound e-mail, and since 2005 has tracked incoming keys.

To implement DomainKeys, the SMTP server operator specifies a public/private key pair. The public key is located on the DNS server, and the private key is configured on the SMTP server. When sending e-mails, the SMTP checks in with the DNS, and if verified, adds a DomainKeys signature to the message headers. The receiving server then reads the signature and checks the public key on the DNS server and verifies the signature. It then uses that information to apply a rule or deliver the e-mail to the final recipient. If there is no match, the message can be ignored, because it is apparently a spoof.

While Yahoo will still receive an e-mail that doesn't have a key pair specified, in the future it could reject e-mail messages that are not digitally signed.

Authentication policies are having limited impact on e-mail marketing now because the standards are still not fully implemented. These standards will have a greater impact on e-mail delivery, however, as more recipient ISP mail servers check for them. During an attempt to authenticate, if you don't have SPF or Domain Keys implemented, your message will most likely still get through with a neutral response. Eventually, though, a consensus will be reached, and switches will be flipped to tighten up the requirements.

Jim Kinkade is the technical support supervisor at Arial Software (, a provider of performance e-mail marketing software solutions.

In this article: