Email Authentication

Users, businesses and governments increasingly rely on
email for communication with employees, consumers and business partners, yet
upwards of 85% of email sent today is spam or unsolicited email. Worse,
increasing amounts are forged or spoofed in an attempt to propagate
malware or to use social engineering to entice users to
divulge personal information that can be used in identity theft.

In 2003 several industry efforts emerged to help address
the rising tide of spam and forged email. These efforts ultimately produced
two key email authentication technologies: Sender Policy Framework (SPF) and
DomainKeys Identified Mail (DKIM). Both are documented in Internet Engineering Task
Force (IETF) Requests for Comments: SPF in experimental RFC 4408, and DKIM in
standards track RFC 5672.

Both SPF and DKIM provide ways for
email senders to take responsibility for the email they send, and for
receivers to validate that the purported sender information is valid and not
forged. Sender identity has domain-level granularity, and both SPF and DKIM
leverage the Domain Name System (DNS) infrastructure to publish credentials.
Authentication can be compared to a driver’s license. As a form of
identification, a driver’s license is documentation showing who you are and
that you are licensed to drive (see step 3). However, it does nothing to
indicate whether or not you are a good driver. In the same way, email
authentication can establish a sender’s identity, but by itself it cannot
validate that a sender is legitimate or has maintained good mailing
practices. It is only through the application of an email sender’s
reputation data (step 4 below) that a receiver can make an informed
judgment on the “trustworthiness” of email from a given authenticated
domain.
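
The following sketch, an added example rather than OTA material, shows a receiver evaluating a domain's published SPF credential and consulting reputation data only once the domain identity is proven. The domains, addresses, scores, threshold and reject-on-fail policy are constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample data: stands in for DNS TXT lookups and a receiver's reputation feed.
SPF_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "bulk.example": "v=spf1 ip4:198.51.100.7 ~all",
}
REPUTATION = {"example.com": 0.9, "bulk.example": 0.2}  # 0 = poor, 1 = good
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Return the SPF result for client_ip (ip4, ip6 and all mechanisms only)."""
    record = SPF_TXT.get(domain, "")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no SPF credential
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism outside this example: {term}")
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"  # malformed published record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def delivery_decision(mail_from_domain, client_ip, threshold=0.5):
    """Authenticate first; consult reputation only for a proven domain."""
    spf = check_spf(mail_from_domain, client_ip)
    if spf == "fail":
        return spf, "reject"  # assumed local policy for forged senders
    if spf != "pass":
        return spf, "content-filter"  # identity unproven, reputation not applied
    score = REPUTATION.get(mail_from_domain)
    if score is None:
        return spf, "content-filter"  # authenticated but unknown sender
    return spf, ("inbox" if score >= threshold else "junk")
```

The `bulk.example` case is the driver's license point in code: mail from its listed address authenticates with `pass` yet is still routed to junk because the authenticated domain's reputation is poor.
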

Today businesses around the world and leading ISPs and
mailbox providers (including Comcast, Google, Microsoft, and Yahoo) are
rapidly adopting SPF and DKIM as complementary approaches to aid in the
prevention of malicious and deceptive email. By validating the identity of
the email sender, ISPs and corporate networks can reliably apply reputation
data in order to increase deliverability of legitimate email while helping
to keep malicious mail out of the inbox (see below).

For definitions of Email Authentication terms and related OTA initiatives visit the
OTA Glossary (updated March 22, 2011).

Listing of companies is
not an endorsement nor should it be considered disparaging by OTA, its
members and affiliates, nor is it an assertion of their web security or lack
thereof. Information is provided for informational purposes and is
current at time of publishing. To report
updates, email staff@otalliance.org.