About Email Authentication

What is Email Authentication?

Email authentication, also called email validation, is the process of verifying information about the origin of an email. When the Simple Mail Transfer Protocol (SMTP) was developed in the 1980s, there was no way to verify the origin of an email. As phishing attacks began to arise, email authentication was established to distinguish legitimate email from fraudulent email.

The email authentication process is completed by internet service providers (ISPs) as emails are delivered to the inboxes they provide (and control). It relies on several protocols, including SPF, DKIM, and DMARC, and ISPs check the authentication on all of the emails that go into those inboxes. Email authentication has been in existence for many years. However, because SPF, DKIM, and DMARC can be tricky to configure, many domain owners have been unable to correctly set up these policies. As a result, ISPs have generally opted to allow unauthenticated emails into their inboxes rather than risk angering their customers by not delivering wanted or important messages from unsecured senders.

As phishing attacks and the damages associated with them are skyrocketing, however, this leniency is beginning to change. In 2015, all of the big ISPs announced their intent to move to a no-auth = no-entry policy. This would mean that unauthenticated email would be discarded rather than delivered. Microsoft and Google have started flagging select unauthenticated emails with a warning for recipients and diverting some unauthenticated emails to spam. In October 2017, the Department of Homeland Security announced a mandate that all government agencies implement DMARC on all of their domains within 90 days. The message from ISPs and government agencies to domain owners is clear: unauthenticated email will not be tolerated for much longer.

Because email authentication is based on SPF, DKIM, and DMARC, domain owners must properly implement and maintain their email authentication policies. Domains without these policies correctly configured will be unauthenticated and will soon be blocked by ISPs.
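As an added example (not part of the original article), the following Python sketch shows how a domain owner might audit the SPF and DMARC TXT records they publish for common misconfigurations. It goes beyond the text by checking specific record syntax; the finding names are hypothetical labels, the sample records are constructed, and DKIM is not covered because verifying it needs a signed message and the published key.

```python
"""Audit SPF and DMARC TXT records. Added example; sample records are constructed."""

def audit_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:  # several SPF records give receivers a permanent error
        return ["spf-multiple-records" if spf else "spf-missing"]
    terms = spf[0].split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    findings = []
    if not alls and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("spf-no-all")  # unlisted senders get a neutral result
    for t in alls:
        qualifier = t[0] if t[0] in "+-~?" else "+"  # bare "all" means "+all"
        if qualifier == "+":
            findings.append("spf-allows-any-sender")
        elif qualifier == "?":
            findings.append("spf-neutral-all")
    return findings

def audit_dmarc(txt_records):
    """Findings for the DMARC policy in the TXT records at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if len(recs) != 1:  # with several records receivers apply no policy at all
        return ["dmarc-multiple-records" if recs else "dmarc-missing"]
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc-invalid-policy")
    elif policy == "none":
        findings.append("dmarc-monitor-only")  # failing mail is still delivered
    if "rua" not in tags:
        findings.append("dmarc-no-aggregate-reports")
    return findings

SAMPLES = {  # constructed records for reserved example domains, not real DNS data
    "weak.example": (["v=spf1 include:_spf.weak.example +all"], ["v=DMARC1; p=none"]),
    "good.example": (["v=spf1 ip4:192.0.2.0/24 -all"],
                     ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"]),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, audit_spf(spf) + audit_dmarc(dmarc) or "ok")
```

To audit a live domain, pass in the TXT records returned for the domain itself (SPF) and for `_dmarc.<domain>` (DMARC) by whatever DNS lookup tool you already use.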