Email authentication

By | 22nd November 2019

Authentication is considered as an important mechanism for your e-mail program.

ISPs and webmails have been tightening their filtering rules over the years in order to protect their users from spam and phishing.

In order ensure an optimal deliverability/delivery of your communications, you should implement the most common authentication mechanism available:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)

In this article, I will explain how to implement the above listed authentication mechanism.

Sender Policy Framework (SPF)

The SPF is used to allow an IP address or a set of IP addresses to send communication on behalf of your domain name or subdomain.

Let’s say that the from email address I am using to send out communication is “” and the IP address of the mail server sending my communications is “”.

In order to allow SPF signing for all outbound emails being sent from my mail server, I will setup an SPF record at my domain’s registrar level by adding the following entry:  IN TXT "v=spf1 ip4: -all"

The above entry tells the receiving mail server that the server with IP address “” is allowed to send communications on behalf of “”, this can be checked on the email header of the received communication which should appear as follow:

Received-SPF: pass (domain of designates as permitted sender)

SPF is the minimal required authentication mechanism for sending communications to ISPs and webmails. This is also the case for lot of businesses.

DomainKeys Identified Mail (DKIM)

DKIM authentication has been created in order to detect forged sender addresses in emails also known as “email spoofing” which is often used in phishing and spam emails.

A DKIM record is composed of two parts, one being the private key which should be setup on your mail server (the one sending the actual communications) and the public key which should added as a dns TXT entry at your domain registrar.

Your DKIM key pair can easily be generated online using I am using the subdomain “” for this example, the key pair is composed of:

A Private key


A Public key

-----END PUBLIC KEY-----

A selector

The selector is part of the DKIM record, it does allow to publish multiple DKIM keys on your domain or subdomain.

When you create a DKIM signature for your communications, you will need to specify which private key to use. The related DKIM key is totally bound to the specified selector. The associated public key is published in the DNS on a domain or subdomain which also need to contain this selector:

In our example, we will use the selector “one”, which will give us the following DKIM record to be added to our domains registrar DNS: IN TXT "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCl2G3Hvbndic2HRXorxfmdRCpEw8W9LPZ489Brz6RLbZPlmxbvae1KlFDZife3/zfKIAQ9WsjvqRPefJxV/ZNABmqOW09B6arzShAwYpIwwsszhIO8EmDmNqPIcbJWOaDA6F6Wo4VRNVuBVE+JwIcn1YJr+Ijr3wBYhv7B0ArxEwIDAQAB"

The DKIM signature will be validated at the receiving mail server by the following entry in the email header of the communication received:

dkim=pass (ok) header.s=one;

Domain-based Message Authentication, Reporting and Conformance (DMARC)

Designed to give the ability to give domain owners to protect their domains from unauthorized use also known as “email spoofing”.

The primary purpose of implementing DMARC is the protection of a domain against misuage in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

Once the DMARC DNS entry is published, any receiving mail server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication checks it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the published DMARC record the email could be delivered, quarantined or rejected.

Different DMARC policies can be set at your domain registrar’s level.

Reporting only IN TXT "v=DMARC1; p=none;;"

The above DMARC policy will instruct the receiving mail server to only send aggregated reports to the email address “”, this does not instruct the receiving mail server to apply any filtering policy.

Quarantine IN TXT "v=DMARC1; p=quarantine;;"

The above DMARC policy will instruct the receiving mail server to “quarantine” the messages that fails DMARC check. The term “quarantine” means that the receiving mail server can treat the related message in different ways:

  1. deliver to junk folder: deliver the related message into the recipient’s spam folder
  2. temporarily hold the message for non compliance and perform additional analysis to decide whether the message should be delivered to the recipient or not
  3. Use it to improve its spam filtering systems which is likely to result in the related message to be considered as spam

Reject IN TXT "v=DMARC1; p=reject;;"

The above DMARC policy will instruct the receiving mail server to reject all messages which are failing DMARC check.

The receiving mail server which usually react in two different ways:

  1. Refuse to accept non-compliant emails and report it to the domain owner
  2. Accept initial SMTP delivery but prevents delivery to the final recipient for non-compliance. When delivery fails, one the following would happen:
    – A non delivery message will be returned (bounce)
    – The related message is silently dropped

The must have authentication mechanism are SPF and DKIM which are widely used, if possible it is also recommend to implement DMARC to ensure that your domains are fully protected against email spoofing.

Leave a Reply

Your email address will not be published. Required fields are marked *