Valimail blog

What is email authentication?

Author: Valimail
Related posts:

  • What is DMARC?
  • What is SPF?
  • What is DKIM?
  • The five key standards of email authentication

For most of the past 40 years, we’ve had to make a leap of faith every time we opened an email. Do you believe that the email really comes from who it appears to come from? In most cases, that’s an easy “yes” — but in fact, it has been surprisingly easy to fake an email from almost anyone.

That’s because the people who first created the Internet didn’t include any way to verify the sender’s identity. When they set up email’s basic protocols, they balanced costs in computing power, implementation, and ease of use versus the risk of fraud. At the time, it was nearly inconceivable that 84 percent of all email would be malware, phish or spam. So they didn’t include any provisions for authentication.

Email headers are easy to fake

The result: Email headers, including the From: and Reply-to: fields, are remarkably easy to fake. In some cases it’s as simple as typing “john@company.com” into the From: field. Couple that with a legitimate-looking message and some persuasive graphics and formatting, and it’s entirely possible to fool people into thinking that a message in their inbox actually comes from their bank, the IRS, or their boss.

Combine that with the ubiquity and utility of email (98% of consumers check their email daily), and you have the basis for our current security crisis. This weakness in email has led to a rash of phishing attacks aimed at getting employees or customers to click on malicious links, download and open malware-infested files, send W-2s and employee data to scammers, or wire funds into criminals’ accounts. Just recently Coupa, a Silicon Valley company, got tricked into sending the payroll details for all 625 employees to a scammer. Russian hackers managed to distribute malware-infected PDF files by sending emails impersonating Harvard’s Kennedy School. And last year, one of Europe’s biggest companies lost $45M when an employee mistakenly wired the money to a fraudster’s account in response to a bogus email. The FBI estimates that one type of phishing attack, the Business Email Compromise (BEC), costs U.S. companies $3 billion per year.

The fix for fake email: Authentication

But it doesn’t have to be this way. Email authentication is the modern fix to this fundamental flaw. By implementing email authentication, you can ensure that anyone — an employee, customer, partner or prospect — who receives an email that purports to be from your company can determine if the email is legitimate and, if not, flag or discard it. Even further, you can get complete visibility and control over who sends email in your name. The importance of this has grown dramatically with the rapid growth in cloud services, over 10,000 of which send email on behalf of their customers for sales, marketing, customer support, HR, accounting, legal and myriad other services. By enforcing authentication and only enabling senders you explicitly authorize, you can block everyone else who attempts to send in your name – spammers, phishers, and even “shadow email” senders that may be legitimate but have not been vetted or authorized.

Email authentication standards enable any mail server, anywhere, to verify that an email with your domain in the “From:” address comes from a sender that has been authorized to send in your name. Before it delivers a message to a recipient’s inbox, a mail server can check: Does the server sending this have the right to use the domain name (or names) listed in the message’s headers? If there’s a cryptographic signature attached to the message, does it match the public key on file for the domain it appears to be from? And do the headers match one another? (For instance, are the From: and Reply-to: fields the same?)

Email authentication puts domain owners in control

Depending on the rules that the owner of the sending domain has set up, the answers to these questions can either validate a message (yes, it’s authentic, go ahead and deliver it!) or invalidate it (it’s not authentic–watch out!). The rules include instructions for what the receiving server should do with non-authenticating messages, such as discard them, or put them in a spam folder, or flag them as potentially dangerous. Email authentication gives the domain owner global control of what happens to messages sent in their name by anyone, to anyone. It’s amazingly powerful and unlike any other kind of security tool.
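
As an added example (not Valimail's code and not part of the original article), the following Python shows how a receiving server could combine the checks above with the domain owner's published rule, using DMARC's identifier alignment: the From: domain must match a domain that passed SPF or DKIM. The record, domains and function names are constructed for illustration, and relaxed alignment is simplified to a parent/subdomain match instead of the Public Suffix List lookup real receivers use.

```python
from email.utils import parseaddr

def parse_dmarc(record):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict ("s"): exact match. Relaxed ("r"): simplified here to a
    parent/subdomain match (assumption); production receivers compare
    organizational domains derived from the Public Suffix List."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def disposition(from_header, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs the receiver
    has already computed. Returns "deliver" when either mechanism passes
    AND aligns with the From: domain; otherwise the owner's policy (p=)."""
    tags = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return "deliver" if (spf_ok or dkim_ok) else tags["p"]

# Constructed sample policy; example.com is a placeholder domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Authorized third-party sender: its own bounce domain passes SPF but is
    # not aligned; the DKIM signature for example.com is what authenticates.
    print(disposition('"Billing" <billing@example.com>',
                      ("pass", "bounce.esp.test"), ("pass", "example.com"), RECORD))
    # Spoofed From: SPF passes, but only for the sender's own unrelated domain.
    print(disposition("ceo@example.com",
                      ("pass", "mailer.other.test"), ("none", ""), RECORD))
```

A message that passes SPF for an unrelated domain still fails, which is why a passing SPF or DKIM result alone does not authenticate the visible From: address.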

What’s more, modern email authentication standards include a means for domain owners to get reports on who is using their domain names. In other words, if a company has authorized an email list provider, like MailChimp, to send messages on its behalf, it can see information about all emails sent by MailChimp’s servers and whether they authenticated properly. They can also see all activity from scammers sending spam and phish from unknown, unauthorized servers as well as “shadow email” services that may be legitimate but are not authorized.

Armed with this information, organizations can get a 360-degree view of their email ecosystem, which is a key requirement for having the confidence to enforce authentication globally. Fortunately, email authentication eliminates the need to constantly monitor for and respond to alerts in real time. Implemented properly, email authentication provides continuous protection and blocks anything that isn’t explicitly authorized. The reports tell the domain owner that a phishing attack was attempted – and failed.

Email authentication is widely supported

As you can see, for email authentication to work it needs to be supported by both the originating domain (company.com) and the receiving email server (Gmail, Outlook.com, or your company’s email servers, for instance). The good news is that there is widespread support for email authentication standards. Virtually every major provider of consumer and business email services including Gmail, AOL, Microsoft, Yahoo, and more support email authentication, representing more than 5 billion mailboxes in all. The same is true for the major providers of email servers and secure email gateways (SEGs), and support is growing rapidly.

Email authentication is based entirely on open Internet standards that are widely accepted. The three key standards are SPF, DKIM, and DMARC; the third builds on and incorporates the previous two.

Great! You’ve got the basics. Now read the next chapter in our explanation of email authentication: What is SPF?

Published April 26, 2017
  • DMARC
  • Email Authentication
  • security
Author: Valimail
Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world's largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.