Feb 4, 2016

Understanding email authentication headers

Chess

Emails look pretty simple at first glance. You have a To, From, Subject, and Body. There’s not much else to see, right?

Not quite. If you look below the waterline, there is actually a lot going on. Locked up in the headers is a lot of data — and if you want to find out whether a sender really is who they claim to be, this is where you want to look.

If you look at the raw email (sometimes called ‘source’ or ‘original’) you can see more information about the email and how it got to you.

Specifically, you want to look for headers that indicate the authentication status of the email message.

Email authentication consists of SPFDKIM and DMARC — three standards that, working together, help establish the identity of a sender. You can see the results of these evaluations in every email you get.

What you see in the headers depends on your email service provider. Each one shows the information differently and they do not always show the same basic information. The main difference is when it comes to DMARC. Some will show DMARC-related data and some will not. All will show the SPF and DKIM authentication results.

In some cases you may see multiple headers. This can happen if the email has gone through email forwarders. If there are multiple headers, you always want to look at the first header block.

Below we will show how you can see the authentication results for SPF, DKIM and DMARC. It is important to note that, in order for an email to pass DMARC, it must pass either SPF or DKIM. It does not have to pass both.

SPF headers

The criterion that is checked for SPF is whether the server that originated the email is an authorized sender. You may see a field in the email header labeled ‘Received SPF’ which will show whether the email passed or failed this test. You will also see text that shows the IP address of the originating server and whether the sending domain lists that IP address as an authorized sender

Here is how some large email providers represent this information. Note: These headers were copied from a real email, though I’ve replaced the actual domain and IP addresses with generic values:

Google and Yahoo!:

Received-SPF: pass (google.com: domain of example.com designates 10.1.2.3 as permitted sender)

Microsoft (Hotmail):

CMM-Authentication-Results: hotmail.com; spf=pass (sender IP is 10.1.2.3; identity alignment result is pass and alignment mode is relaxed)

DKIM headers

There may be multiple DKIM records in an email header. The results of the DKIM evaluation will also show the domain that was evaluated.To make sure you are looking at the proper result, look for the one that matches the domain in the From address for the email.

Here is how some large email providers show you the results of DKIM validation. As you can see, each uses a different label for the domain that was validated (In each case, the evaluated domain below is example.com)

Google:

dkim=pass header.i=@example.com

Yahoo!:

from=example.com; dkim=pass (ok)

Microsoft (Hotmail):

dkim=pass (identity alignment result is pass and alignment mode is relaxed) header.d=example.com

DMARC headers

Unfortunately, not all email receivers show DMARC results in the header. Of the big three, Google is the only one that does. Other receivers, like Microsoft, will be adding this in the future. (And unfortunately, until they do, there’s no way to check the DMARC status of a message.)

For those that do include it, the DMARC results are fairly easy to read. The results will show whether or not the email passed DMARC. The example below is extracted from the ‘From’ field in the header.

Google:

dmarc=pass (p=REJECT dis=NONE) header.from=example.com

In this case, the email has passed DMARC (dmarc=pass). In this case you can also see the DMARC policy for the domain (p=REJECT) and the disposition (dis=NONE) which will show what action the receiver took with the email (NONE, QUARANTINE, REJECT).

Note that the receiver may choose to override results of DMARC results. This could happen where the email receiver has a trusted relationship with the sender and will allow emails from that sender, even if DMARC authentication fails for those messages.

The road ahead

Today you can only find out if an email was authenticated by looking at the information above. Later on this year, the large ISPs (Google, Microsoft, Yahoo!, etc.) will start showing indicators of authentication results directly to the user. For example, if an email does not pass authentication, the ISPs may remove images from the email or show text stating that the email has not been authenticated. Time to get those emails authenticating properly!

Subscribe to our newsletter