Editor's Note: In Part 1 of her three-part series on e-mail authentication, Knowledge Center contributor Ellen Siegel shared a comprehensive, high-level overview of e-mail authentication. Here, in Part 2, Ellen delves into the functionality and implementation details of Sender Policy Framework (SPF) and Sender ID authentication. In Part 3, Ellen covers the functionality and technical details of DomainKeys Identified Mail (DKIM).
As discussed in Part 1 of this three-part e-mail authentication series, e-mail authentication is a way of associating a verifiable identity with an e-mail. The industry has settled on two basic approaches to identity verification.
The first approach is path-based: it rests on the identity of the mail server that delivers the message. The second approach is cryptographic: it relies on the fact that the private key used to create a message's digital signature exists only on authorized mail servers. In the interest of clarity, this article will ignore some of the less common options and focus on the most common configurations.
In order to create and publish your own authentication records, you as an individual or a company must own and manage your own Domain Name System (DNS) domain. If you cannot add and modify records in your domain's DNS zone, you will be unable to authenticate your outbound mail, unless you work with a service provider who can publish authentication records on your behalf.
The first step in setting up sender authentication is to do a thorough analysis of every source of mail sent using your domain(s). That includes your own mail servers, as well as any authorized third parties who send mail with your domain in the From address. Remember that different mail servers may be used for specific functions such as corporate or marketing e-mail, and each of them must appear in the inventory.
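The inventory step above feeds directly into the SPF record you will publish. As an added example (not code from the original article), the script below turns a constructed inventory of mail sources into a draft SPF v1 record and checks it against the RFC 7208 limit of ten DNS-lookup terms, which is the most common way a record built from many third-party `include:` entries breaks. All hosts, addresses and vendor domains are placeholders.

```python
# Added example: assemble a draft SPF record from an inventory of authorised
# mail sources and check the RFC 7208 ten-lookup limit. Hosts, IP blocks and
# third-party domains below are constructed placeholders, not real infrastructure.
import ipaddress

# Terms that cost a DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10

def build_spf(inventory, policy="-all"):
    """Build an SPF v1 record from (kind, value) pairs.
    kind 'ip': own server address or CIDR block; 'mx': the domain's MX hosts
    (value ignored); 'include': a third party publishing its own SPF record."""
    terms = ["v=spf1"]
    for kind, value in inventory:
        if kind == "ip":
            net = ipaddress.ip_network(value, strict=False)
            prefix = "ip4" if net.version == 4 else "ip6"
            # Single hosts are written without a /32 or /128 suffix, as is conventional.
            if net.prefixlen == net.max_prefixlen:
                terms.append(f"{prefix}:{net.network_address}")
            else:
                terms.append(f"{prefix}:{net}")
        elif kind == "mx":
            terms.append("mx")
        elif kind == "include":
            terms.append(f"include:{value}")
        else:
            raise ValueError(f"unknown source kind: {kind}")
    terms.append(policy)
    return " ".join(terms)

def count_lookups(record):
    """Count the mechanisms/modifiers in an SPF record that trigger DNS lookups."""
    count = 0
    for term in record.split()[1:]:
        # Strip the qualifier (+ - ~ ?) and any ':', '=' or '/' argument.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count

def check_record(record):
    """Return (ok, lookups); over the limit, receivers return permerror."""
    lookups = count_lookups(record)
    return lookups <= MAX_LOOKUPS, lookups

if __name__ == "__main__":
    inventory = [("ip", "192.0.2.10"), ("ip", "192.0.2.64/26"), ("mx", None),
                 ("include", "_spf.mail-vendor.example"), ("include", "crm.example")]
    record = build_spf(inventory)
    print(record, check_record(record))
```

Run the check again after every `include:` you add: the limit counts lookups inside the included records too, so the number printed here is a lower bound on what receivers will see.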