Fake email: A real problem
For the last four decades, email recipients have had to make a leap of faith every time they check their inbox. This is because the creators of the Internet didn’t include a way to verify the sender’s identity.
At the time, there was no indication that 84 percent of all emails would be fake — malware, phishing attacks, or spam. So, they didn’t include provisions for sender authentication, which in retrospect is a significant flaw in the overall security of email. It leaves recipients to wonder, “Is this message really from who it appears to come from? Or is it fake?”
This is email’s “original sin,” and it means that it’s easy for an impostor to imitate another person (or company, or government agency) by manipulating the ‘From:’ and ‘Reply-to:’ fields in an email header.
Email authentication is the modern fix to this legacy flaw.
Using email authentication, a domain owner can enable only those third-party senders that it explicitly authorizes to use their domain. Once email authentication is set to enforcement, everyone else who attempts to send email using that domain name gets blocked or quarantined — automatically.
In other words, anyone receiving email from an authenticated domain can be sure that it really comes from that domain or from a service authorized by the domain owner.
The key standards
Email authentication is based on the application of several widely accepted standards. The cornerstone standard, Domain-based Message Authentication, Reporting and Conformance (DMARC), incorporates and builds on two predecessors, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
When fully enforced, DMARC ensures that only authorized senders can transmit messages on the domain owner’s behalf. This eliminates same-domain phishing attacks, which account for two-thirds of all fake email.
In addition, two newer standards also play a role. Authenticated Relay Chain (ARC) ensures that authentication survives forwarding by email lists and forwarders, while Brand Indicators for Message Identification (BIMI) offers a way for domain owners to signal authentication by designating logo images — a digital watermark — that only appear alongside authenticated messages.