Email authentication

Are you letting your customers know what work you do best and how you can make their business more successful? Effective marketing establishes and promotes your brand. Your web site and marketing materials should, powerfully, demonstrate why they should do business with you.

Authenticating e-mail

As e-mail becomes an increasingly important form of communication, the threat from spammers has increased (despite laws designed to curb it). This has resulted in the creation of methods to authenticate e-mail in an attempt to mitigate the challenges of spam.

Methods of authenticating e-mail are designed to enable the receiver of an e-mail to know that the sender of the e-mail is who he says he is. This helps reduce spam because one of the major weaknesses of e-mail is that it is easy for a sender to spoof the sending address and hence obscure his identity.

There are several methods of authenticating e-mail including:

Sender Policy Framework (SPF)

SPF, an open standard, works by validating the sender address of an e-mail (specifically the HELO domain and the MAIL FROM address). It is the easiest method of authentication to setup. A text sting is created based on the configuration of your email server. This is stored as a text string within your DNS record, e.g.

“v=spf1 ip4:207.162.216.64 a mx ~all”

To create a record go to http://www.openspf.org/ where you will find a setup wizard. The wizard asks several questions and generates an SPF record. This record then needs to be copied to a text record on your DNS server. Instructions are included on the same site as the setup wizard.

To test your SPF record send an e-mail to check-auth@verifier.port25.com. Within a few minutes you will receive a reply with the results of the test. If your SPF record was created correctly the test results should look something like:

Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: neutral
Sender-ID check: pass
SpamAssassin check: ham

There are other methods of testing available, however it seems that some of them have not been updated to the latest standards and hence may give false negative results.

Sender ID

The Sender ID framework is championed by Microsoft and has the same basic mechanism as SPF. Sender ID uses the SPF record to check whether the email originated from a valid outbound email server as defined by the domain’s SPF record.

Once you have successfully implement SPF, SenderID should work. You can test it by sending an e-mail to check-auth@verifier.port25.com as described above.

Once an SPF record has been set up, Microsoft encourages webmasters to submit a support request to have their record included in the SIDF (Sender ID Framework) cache. A request can be submitted here.

DomainKeys

DomainKeys is a cryptographic authentication system developed by Yahoo!. Users create public/private keys, with the public key being published as part of their DNS records. When an email server sends an email message, it adds a signature to the e-mail which is generated using the private key.

An example of a signature is:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=semplanning.com; h=Received:Message-ID:
Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:
Content-Transfer-Encoding:
X-AntiAbuse:X-AntiAbuse:X-AntiAbuse:X-AntiAbuse:X-AntiAbuse:X-Source:X-Source-Args:
X-Source-Dir; b=B6996yvZ+pjJROqdjlHkuxgeQBe8L9ebIf1gL4obt+4hw1DVd7ghBMopjpLNnj
OmeYZifPC6QQorOAWJSxOlnQoiiK9XdpY+DEPA+bZgMRy9uJhuB76ixN3Imix4LQVY;

When a DomainKeys configured e-mail server receives the e-mail, it checks whether the signature and the public key match. If they do it delivers the email. Not only does this method of authentication ensure that an e-mail sender is authentic, it also ensures that the content of the e-mail has not been tampered with in transit.

If you are using the latest version of Cpanel on a server where you have SSH access, it is relatively straightforward to setup DomainKeys.

  1. Log into an SSH session on your server and type: /usr/local/cpanel/bin/domain_keys_installer <user name> where <User name> was the name of the user for the zone that you want to setup DomainKeys.
  2. The installer will setup DomainKeys and automatically setup a DNS entry for the particular zone adding public key information as a text entry. If you use an external DNS service (e.g. DNSMadeEasy), you will need to copy the entry that was made automatically to the DNS service running on your server. This is the default._domainkey entry. If you use an external DNS service, create a TXT entry named default._domainkey and copy and paste the value that the installer had created.
  3. Create another entry called _domainkey. Add the following entry: “t=y; o=-“
  4. Test the setup by sending an e-mail from your server to a Yahoo! e-mail account. If you have setup DomainKeys correctly, when your receive the e-mail in your Yahoo! account you will see a small padlock simple next to your sender name. If you hover over the padlock with your mouse you will see a small message saying: “This sender is DomainKeys verfied”. Also send an e-mail to: check-auth@verifier.port25.com.