Email Authentication GUIDE Frequently Asked QUES T ION S T OGETHER STRONGER EMAIL AUTHENTICATION Marketers that use email for communication and transactional purposes should adopt and use identification and authentication protocols.” This document will explain what authentication is – includ- ing some recommendations on what you should do as an email marketer to implement these guidelines within your organization. * This Guide should not be considered as legal advice. It is being provided for informational purposes only. Please review your email program with your legal counsel to ensure that your program is meeting appropriate legal requirements. THIS COMPLIANCE GUIDE COVERS: Basics of Email Authentication Technologies Basic FAQs on the DMA’s Email Authentication Guidelines Implementation: Complementary Types of Email Authentication Systems Beyond Authentication: Email Reputation Email Authentication Resources for Marketers 1. What Do the DMA’s Email Authentication Guidelines Require? The DMA’s guidelines require marketers to choose and implement authentication technolo- gies in their email systems. It is up to your company to decide what kind of authentication protocol to use, though all are recommended based on current-day trends. The DMA does not require nor endorse the use of any specific protocol, as there are several interoperable, inexpensive, and easy to implement solutions available today. 2. Why does the DMA Require Members to Authenticate Their Email Systems? The DMA requires its members to authenticate their email systems primarily because mailbox providers (aka ISPs, MSPs or receivers) are increasingly requiring authentication. This strongly aligns with a growing trend in the email deliverability industry that’s leaning more towards domain-based reputation (as opposed to IP-based reputation a couple of years ago). Secondly, authentication improves the likelihood that legitimate/wanted email will get delivered to the intended recipient’s inbox folder. Additionally, email authentication reduces the likelihood of spam, spoof and phishing attacks (thus protecting the integrity of marketers’ brands). Authentication is seen as one way to make the email marketing arena more secure and improving consumer confidence in email, thus preserving it as a valuable email marketing communications tool. 3. Does DMA’s Email Authentication Guideline Require Marketers to Authenticate Inbound Emails, Outbound Emails, or Both? InboxArmy The guideline applies only to outbound email that marketers send either from their own IP addresses or via the use of a third-party service bureau. Designed by 1 4. Is Email Authentication Required Just for Marketing Messages? No, DMA’s Email Authentication Guideline applies to ALL outbound messages that marketers send or that their third-party service bureaus send on their behalf. 5. Does the Guideline Apply to B-to-B Marketers? Yes, the DMA believes that similar common best practices in email deliverability for consumer promotions should be used for business-to-business campaigns. 6. Does the Guideline Apply to Nonprofits? Yes, non-profit organizations, as well as for-profit businesses, should authenticate the email messages they send. BASICS OF EMAIL AUTHENTICATION TECHNOLOGIES 1. What is an Email Service Provider (ESP)? A company that offers email services to send (bulk/marketing) email on behalf of a marketer. 2. What is an Internet Service Provider (ISP)? A service provider that provides access to the Internet (and most times an email account). InboxArmy Designed by 2 3. What methods/types of Email Authentication are out there? There are a few major email authentication methodologies: Sender Policy Framework (SPF) - an IP-based solution, DomainKeys Identified Mail (DKIM) - a cryptographic solution, Domain-based Message Authentication, Reporting & Conformance (DMARC) - builds on the widely deployed SPF and DKIM protocols. The goal of the first two is similar: create a public record against which to validate email messages so that a sender’s legitimacy can be verified. Both the SPF and DKIM technologies work to verify that the sender is authorized to send mail. 4. What is the Difference Between IP-Based Authentication and Cryptographic Authentication? A fundamental difference between IP-based and cryptographic authentication solutions is that cryptographic technology protects the integrity of the email content, while IP-based technology verifies or proves that the sender is authorized by the domain owner to send email. 5. What is the Domain Name System (DNS)? The Domain Name System (DNS) is an Internet directory service. DNS is where companies publish information about their domains. 6. What is Transport Layer Security (TLS)? Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). TLS for email isn’t required but has been widely adopted following revelations of government snooping. Some ISPs (like Google’s Gmail) add a warning flag to email messages that were received without TLS encryption. For this reason it is recommended that all outbound email support TLS. An overview of TLS is available at: https://www.google.com/transparencyreport/saferemail/tls/ with an FAQ available at https://www.google.com/transparencyreport/ InboxArmy saferemail/faq/. Designed by 3 IMPLEMENTATION OF COMPLEMENTARY TYPES OF EMAIL AUTHENTICATION SYSTEMS: SPF, DKIM AND DMARC InboxArmy Designed by 4 Sender Policy Framework (SPF): 1. What is it? SPF is an IP-based technology that verifies the sender IP address by cross-checking the domain in the email address listed in the non-visible “Mail From” line of an email against the published record a domain owner has registered in the Domain Name System (DNS). SPF technology is free to all users. An SPF record is a list of computer servers or IP addresses that senders indicate are “authorized” to send email that claims to be coming from their domain. When you publish an SPF record for your domain, you declare which IP addresses are authorized to send out email on your behalf. SPF allows senders/marketers effectively to say, “I only send mail from these machines (IP addresses/servers). If any other machine claims that I'm sending mail from there, they are not telling the truth.” 2. How Do I Implement Sender Policy Framework (SPF)? Run an audit, write a list of all IP addresses that send email on your behalf. As an extra precaution, talk to your IT staff & any Email Service Providers you work with to ensure you don’t miss any IP addresses. Create your SPF record. http://www.openspf.org/ provides syntax details and tools to help with this. Publish your SPF record in DNS. Verify that your SPF record is published & working. (i) An easy-to-use third-party tool can be found at http://tools.wordtothewise. com/authentication: a. Input your domain name in text box to check a published SPF record b. View “Results”. You should see ‘This seems to be a healthy SPF record’, meaning the SPF record is good to go. InboxArmy Designed by 5 DOMAINKEYS IDENTIFIED MAIL (DKIM) 1. What is it? DomainKeys Identified Mail is a cryptographic, signature-based form of email authentication. DKIM is offered to all users free of charge. The DKIM specification is available at http://www.dkim.org. DKIM requires email senders’ to generate “public/private key pairs” and then publish the public keys into their Domain Name System (DNS) records. The matching private keys are stored in a sender’s outbound email servers, and when those servers send out email, they generate message-specific “signatures” that are added into additional, embedded email headers. The DKIM authentication process involves checking the integrity of the message using the email signature header and verifying whether the key used to sign the message is authorized for use with the sender’s email address. This step currently involves utilizing the DNS record of the sending domain. The authorization records in the DNS contain information about the binding between a specific key and email address. Using a US Postal Service analogy DKIM is like verifying a unique signature which is valid regardless of the envelope or letterhead it was written on. ISPs that authenticate using DKIM look up the public key in DNS and then can verify that the signature was generated by the matching private key. This ensures that an authorized sender actually sent the message, and that the message headers and content were not altered in any way during their trip from the original sender to the recipient. InboxArmy Designed by 6 DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE (DMARC) 1. What is it? DMARC is an email authentication protocol that builds on the SPF and DKIM protocols. SPF and DKIM provide valuable authentication capabilities but have some shortcomings. First they operate on different ‘from addresses’ (the ‘visible from’ versus the ‘envelope from’). Second they provide no feedback mechanisms for domains to know when email fails, or when their domain is being spoofed. Finally they provide no guidance to receiving sites as to what to do with messages that fail authentication. DMARC addresses these three issues as it uses domain alignment to match the envelope “From” address checked by SPF to the visible “From” address checked by DKIM. It provides a reporting function that allows senders and receivers to monitor and improve domain protection from fraudulent email. Finally it provides a mechanism whereby domains can suggest to receivers what to do with mail that fails DMARC. DMARC Overview: A brief, non-technical overview is available at https://dmarc.org/wiki/FAQ#How_does_DMARC_work.2C_briefly- .2C_and_in_non-technical_terms.3F. A more detailed explanation & overview can be found at https://dmarc.org/overview. Many domains, including major ISPs, are checking DMARC and utilizing it as part of their spam filtering decisions and many more are implementing the reporting function.