How to Implement E-mail Sender ID Authentication for a Hosted SMB Web site

One of the most important things you learn in life is that Mom is usually right. In this case, Montner & Associates partner Michael Smith found out that not only was Mom right - but that she had motivated him to learn about and use E-mail Sender ID Authentication. 


Last week my wife's 90-year-old mother, Shirley Montner, finally convinced me to do E-mail Sender ID Authentication. You know, that industry-wide initiative to keep spammers from spoofing your domain in the "From" box?

Mom illuminated me in normal motherly fashion - via scolding. She couldn't understand why I was not writing her after she took the time to learn how to do e-mail. Set aside for a minute that I was the one who taught her to do it.

Thing was, I knew I was innocent; I had sent her three e-mails in three days. I shrugged it off as operator error. She often forgets that you have to actually click on the messages in order to read them.

Confident I could give her a proper "I told you so," I logged into her Gmail account. Sadly, however, she was right. There was no e-mail from me in her Inbox. Seems Gmail was putting all my e-mail into her Spam folder. It might as well be on Mars in my mom's case.

The Spam Score - Three Strikes and You're Out

A little investigating revealed to me why it was placing all my e-mail into her Spam folder. Even if you're a good guy sending normal things to your mom, you get a Spam score. Three points and you're out.

First, having "no sender ID authentication" counts as 2.4 Spam points. Ouch. Then I had embedded photos in my e-mails to her. (Attachments with her? You're kidding, right?) That was another Spam point. So, there you have it: my e-mail to mom, and undoubtedly to a lot of other people, was tagged as "Spam." Yikes!

A Sobering Realization Leads to Action

So, now you know how Mom finally convinced me to do E-mail Sender ID Authentication. Of course, my real concern was my PR business. I'd been looking at bounceback e-mails spoofing my domain for years but, unfortunately, my two hosting providers, EarthLink and 1and1, do not support Sender ID Authentication for hosted sites. Nor were they much help telling me what to do, which is even more irritating because it's not that hard once you learn how to do it.

That's where this article comes in. I spent about 40 hours figuring out how to implement E-mail Sender ID Authentication and actually doing it. (If you keep reading, I'll cut that time down to about two hours for you). Here's what I learned, how I did it and some great resources for you to check out.

What Is E-mail Sender ID Authentication?

E-mail Sender ID Authentication is a kind of telephone book that enables e-mail recipients to make sure an e-mail with your domain in the "From" line really came from someone at your organization. There are different standards, but I am going to explain how to do one called Sender Policy Framework (SPF). SPF works by checking incoming e-mail headers against an SPF record (i.e., a text record) published in your domain's DNS.

Since 95 percent of all Spam uses spoofed domains, just about everyone is checking this now. You really need to implement this. Here's how to do it in six steps:

Step 1: Test Your Current E-mail Sender ID Authentication

The first step is to test your current E-mail Sender ID Authentication. The E-Mail Service Provider Coalition provides a tool on their web site that I really love. Just send an e-mail to the address it gives to you, then check the result. You will see how your e-mail looks to everyone providing e-mail services and checking sender IDs. It shows all the standards, but remember, supporting one is enough. When checking out the result page, see if you scored five big X's at the top of it. Did you? If so, that's not good.

Step 2: Ask Your Hosting Service if They Support Sender ID Authentication

The second step is to ask your hosting service if they support Sender ID Authentication. Unfortunately, most big ones don't, or I would have just switched.