Editor's Note: In this first installment of her three-part series on e-mail authentication, Knowledge Center contributor Ellen Siegel shares a comprehensive, high-level overview of e-mail authentication. In Part 2, Ellen delves into the functionality and implementation details of Sender Policy Framework (SPF) and Sender ID authentication. In Part 3, Ellen delves into the functionality and technical details of DomainKeys Identified Mail (DKIM).
E-mail authentication allows the organization that sends an e-mail to take responsibility for it: it associates a clear sender identity with each authenticated message, and the receiver can validate that identity. You can think of the authenticated identity as a driver's license; it provides a reliable indicator of who the sender is. Note that the responsible (authenticated) sender organization is not always the author's organization. Sometimes it is an e-mail service provider (ESP) or a forwarding entity that is responsible for transmitting the message.
Identity validation would not be such a concern if e-mail were secure but, unfortunately, e-mail was not designed with security in mind (much like the postal mail service). To avoid incompatibilities that would break existing e-mail deployments, e-mail authentication is designed and implemented as a set of extensions to the existing e-mail protocols. This leaves individual deployments free to upgrade to the new capabilities on their own schedule.
The industry has converged on two basic approaches to authentication (and on two similar but distinct protocols for each approach). Sender Policy Framework (SPF) and Sender ID use a path-based approach that depends on the identity of the mail server that delivers the message to the receiver. DomainKeys Identified Mail (DKIM) and its precursor DomainKeys use an end-to-end cryptographic approach.
Both approaches take advantage of the existing network infrastructure provided by the Domain Name System (DNS) to publish authentication data. This works well because interaction with DNS is already an integral part of the e-mail transmission and delivery process.
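To make the path-based idea concrete, here is a small SPF-style evaluator written as an added example for this article; it is not code from the author or from any SPF library. It assumes a constructed in-memory stand-in for DNS (the `DNS_TXT` table, with sample domains and documentation IP ranges) in place of real DNS queries, and it handles only the `ip4`, `ip6`, `include` and `all` mechanisms. The receiver's question is the path-based one from the text: is the server that just connected to me authorized, according to the records the sending domain published in DNS, to deliver mail for that domain?

```python
"""Toy path-based (SPF-style) check against a constructed DNS table.

Illustrative example written for this article, not the author's code and
not a complete SPF implementation. The records and addresses below are
constructed sample data; a real evaluator queries DNS and implements the
full mechanism set and limits of the SPF specification.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS: domain -> list of TXT records.
# example.com authorizes its own /24 and delegates to an ESP via include:.
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:esp.example -all"],
    "esp.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str) -> Optional[str]:
    """Return the single v=spf1 TXT record for a domain, or None if absent."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """Decide whether the connecting server `ip` may send mail for `domain`.

    Mechanisms are evaluated left to right and the first match decides the
    result; if nothing matches the result is "neutral". The domain checked
    is the authenticated identity (e.g. the envelope sender's domain), which
    need not be the domain of the message's author.
    """
    if depth > 10:  # guard against include: chains that never terminate
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # domain publishes no policy: nothing to validate

    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = sender.version == net.version and sender in net
        elif name == "include":
            # The included domain's policy must yield "pass" for this IP.
            matched = check_host(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists, ... are not handled in this toy
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip, "->", check_host(ip, "example.com"))
```

Two things worth noticing: the authorization data lives entirely in DNS records that the sending domain controls, so adopting SPF requires no change to the mail transport itself, and the `include:` mechanism is how a domain delegates to an ESP that sends on its behalf, which is the "responsible sender is not the author" case described above.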