More than 330 billion emails are sent and received daily—but over 45% of them are spam.
While most spam emails contain unwanted marketing messages or adult content, 2.5% of them are scams or fraudulent messages, such as phishing attacks. If such emails aren’t flagged as illegitimate, recipients may unknowingly fall victim to financial abuse, or even enable a cyber criminal to commit a widespread data breach.
As a mailbox provider, it’s crucial to make email authentication a key part of your process. By identifying and blocking spam and phishing emails in both inboxes and outboxes, you’ll be able to protect your customers and external parties from abuse and fraud, and improve the customer experience. Putting the right rules and policies in place to ensure that only legitimate senders get through will help boost deliverability rates and keep your sender reputation intact.
In this article, we’ll share strategies for managing your email authentication protocols and how to keep your email system secure. By taking these steps, you’ll not only protect your users, but also safeguard your business from potential legal and financial consequences.
Email authentication refers to practices that are used to confirm and verify that an email sender is who they say they are.
In many spam messages or phishing attacks, the sender will “spoof” a domain, making it look like their message is coming from a reputable business, even though it did not originate from that domain. This will make the recipient more likely to trust the authenticity of the message, and provide access to private passwords or other data—which can lead to fraud or financial abuse.
With email authentication, you can identify and flag “spoofing” attempts that attempt delivery to your customers, and block the messages, quarantine them, or send them to the customer’s spam folder. Conversely, you can also detect when someone is trying to spoof your brand’s domain, and can protect your brand from fraudulent behavior.
Email authentication uses a combination of techniques to verify the identity of an email sender and ensure that the message has not been tampered with during transmission. These techniques include SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
If authentication is missing or not set up on an incoming email, the message can be either sent to the recipient’s spam folder, or will be blocked from delivery altogether. This is to protect the recipient from receiving potentially harmful or fraudulent emails. As a mailbox provider, blocking suspicious outgoing messages can also help you protect your sender reputation and ensure high deliverability rates when you block outgoing spam messages.
When setting up your email authentication protocols, you’ll have multiple technologies to choose from. Here are some of the most common methods used today.
A sender policy framework (SPF) is a record published in your DNS that lists all the IP addresses that are allowed to send emails on behalf of your domain. When an incoming email is received, the recipient server will check the SPF record to verify if the sending IP address is authorized to send emails for that particular domain. If it’s not listed in the SPF record, there's a higher chance that the email will be marked as spam or blocked altogether. While SPFs can help to prevent spam and phishing attempts, they also may reject legitimate emails in situations where the sender’s domain SPF records aren’t properly configured.
DKIM stands as a pivotal technology in the battle against email spoofing by attaching a digital signature to each outgoing email, linked directly to the sender's domain name. This signature enables the recipient's email server to verify whether an email purportedly sent from a specific domain is authorized by that domain's owner. Given that emails often undergo multiple hops—redistributed by mailing lists or forwarding rules—DKIM ensures that signed messages can be reliably relayed by any server, maintaining their integrity and authenticity throughout their journey.
The DMARC protocol was built on top of SPF and DKIM, and relies on senders and receivers sharing information to ensure a smooth validation process. DMARC refers to SPF and DKIM records to validate a sender’s identity, along with testing whether the domain they use is found in the “from” address. If an email does not pass the validation test, DMARC provides rules on how to treat the message based on certain conditions. This protocol can help domain owners block phishing attacks by filtering such messages into spam, or rejecting them altogether.
If you’ve ever seen an email from a brand that included their logo right in the sender column, that brand was using BIMI. Improving email security with BIMI involves using an authentication system that enables trusted senders to display an icon of their choice directly in senders’ inboxes. BIMI can boost recipients’ trust in your messages, while heightening visibility of your brand. Learn how you can enable BIMI for your customers using Halon’s custom module.
MTA-STS is a security standard that enables you to send and receive messages securely over an encrypted SMTP connection. The MTA-STS protocol enhances email security by enabling an SMTP client to confirm the server's identity during the TLS handshake. It does this by requiring the server to present its certificate fingerprint, which the client then matches with a trust store of certificates from verified servers. This process ensures the client does not connect to fraudulent servers, maintaining secure communication.
With Halon, you can easily test SMTP servers using the command-line, verifying the sender’s identity and that the SMTP server is up and running.
TLS reporting is a mechanism that enables email senders to report issues with TLS connectivity. An SMTP TLS report offers insights from the sender's perspective, focusing on key areas such as:
SMTP TLS-RPT is more effective when used alongside MTA-STS. The strict enforcement mode of MTA-STS will prevent email delivery if TLS issues are detected, ensuring a higher level of security and reliability in email communications.
ARC acts as a “chain of custody” for email messages. It enables every entity involved in processing the message to clearly see which entities have previously interacted with it. At every stage of handling, it provides a detailed authentication assessment.
The primary advantage of ARC, now adopted by the majority of mail servers, is its solution to a significant issue: previously, when a DMARC-protected email was forwarded, it would fail DKIM authentication and, consequently, DMARC. ARC preserves all original authentication information, allowing the final recipient's mail server to verify that the email was DKIM authenticated before being forwarded.
Choosing just one of these authentication protocols won’t be sufficient to help you protect your brand and customers. Many of these technologies build off of one another, so it’s important to set up a dynamic tech stack that supports the latest innovations in email authentication technology.
By using an email infrastructure like Halon, you’ll have access to pre-built components to help you set up a best-in-class email authentication system. Halon’s scripting language enables your development team to customize and configure your authentication protocol, based on your brand’s unique needs and security requirements. As such, you’ll be able to set up the right authentication system that balances your need for high deliverability rates against your need for security and protection against email spoofing and phishing attacks.
When establishing your email authentication protocols, it’s important to implement processes and policies that will set you up for success in safeguarding your customers’ email security and your brand’s reputation. To that end, follow these tips:
As you add new sender domains, it’s important to add those to your SPF record. Additionally, if you experience SPF errors with sending emails, it’s important to check your configurations. Two common errors that can block emails from sending are when forwarded mail comes from an address that is not on a “trusted sender” list, and if you are using a faulty DNS server that returns truncated responses.
DKIM uses public-key cryptography to verify message integrity, so it’s a simple process to verify the validity of a DKIM signature with EasyDMARC’s DKIM Record Checker. You can also use the tool’s DKIM Record Generator to instantly generate a new DKIM configuration. It’s also important to have a DKIM rotation system in place, which will help you to prevent spammers from taking advantage of the DKIM replay attack, a technique used to bypass spam filters by sending a single spam message to themselves from a domain with a good reputation.
Make sure to open the lines of communication between your IT and marketing departments so that IT is aware of new email campaigns and sending requirements, and can ensure that your authentication settings are in order. IT can also help to support marketing in implementing BIMI, which will foster customers’ trust in your brand by prominently displaying your logo in their inboxes.
By using Halon’s reporting dashboard to track delivery analytics, you’ll be able to track your messages’ delivery failure rate and associated error codes. You can use this data to identify problems with your configuration, and set up custom rules for how to handle messages from domains that are commonly flagged.
When setting up your email configuration, Halon offers a robust library of pre-built components and a self-service library of technical documentation to support you in the process. That said, there may be times when you need additional support. In this case, you can open a support ticket or reach out by phone to talk to a Halon email consultant, and get expert guidance on best practices to support your setup requirements. Our technical support team can support you through the implementation process, and offer ongoing support with managing your email infrastructure.
Email authentication issues commonly arise when you fail to regularly update your SPF Records or DKIM Records. Authentication can also fail if you have not added, or haven’t properly configured, your DMARC, which tells your server what to do with non-authenticated messages. You may also run into authentication issues if you are trying to route mail through a relay server. When one of our clients wanted to use OAUTH2 for secure email routing through Microsoft 365, messages delivered via SMTP were failing, and so we helped them switch to delivering email over HTTP, which was a simple and straightforward process.
Protecting your customers’ inboxes, and your sender reputation, are both crucial reasons to prioritize putting the right email authentication protocols in place.
But cloud-based email APIs often have rigid frameworks around email authentication protocols, and do not allow any customization based on your unique business needs and scenarios. That can lead to higher spam reports, lower deliverability rates, and damage to your sender reputation and your customers’ user experience.
Choosing an enterprise-grade email infrastructure solution like Halon gives you access to the control you need to set up customized email authentication measures. We offer the ability to implement your choice of authentication measures, including SPF, DKIM, DMARC, BIMI, and others, with the flexibility to quickly make changes to your code or settings as needed. This allows you to increase deliverability rates and protect your brand’s reputation, while also ensuring a seamless experience for your customers.
Our platform also provides detailed reporting and analytics on email delivery, giving you valuable insights into how your emails are performing and allowing you to make data-driven decisions for future campaigns, and identify errors that can be corrected by modifying your email authentication settings.
So when it comes to choosing an email infrastructure solution, don't settle for the limitations of cloud-based APIs. Opt for Halon's customizable authentication protocols and take control of your email delivery today.