Feb 28, 2018

What email authentication is — and why it matters


In the beginning, the Internet wizards created email. And it was good: Email’s relatively simple protocols let anyone communicate with everyone. Email evolved into a fundamental medium for global communications, connecting people on all seven continents with each other — and with astronauts in space. (It’s even being used to send wrenches into space.)

But email contained an original sin: There was no way to authenticate the sender. In plain words, that means there’s no reliable, universal way to figure out if that message sitting in your inbox really comes from your Aunt Selma or if it’s some imposter trying to persuade you to wire $5,000 to his overseas bank account. It was a minor problem in the early days of the Internet, but it’s a massive one now, since it threatens to undermine the world’s trust in this most ubiquitous of communications tools.

Despite this problem, email is not going away. And from a business point of view, it’s even more critical than ever. Email accounts for the vast majority of e-commerce conversations, is still growing at 6 percent annually (to 6.3 billion consumer and business mail accounts worldwide as of 2017), and more than 80 percent of consumers sign up for email programs on websites, according to the Radicati Group. 91 percent of us check email every single day.

As a result, email is also wildly effective for businesses. 66 percent of consumers buy online as a result of emails they’ve received, and email marketing has an incredible ROI of 4,300 percent, according to the Direct Marketing Association.

But, just as with those scammers impersonating your saintly aunt, business email is also under attack. 84 percent of all email is either spam or a phishing attempt, says the Anti-Phishing Working Group, a number backed up by the U.S. military’s own analysis of its inbound email. And despite aggressive spam filtering, some of those still get through, where they have a 1 in 10 chance of the target clicking on them. The result: Email is involved in 90 percent of cyberattacks every year, according to research by Verizon, Ironscales, PhishMe, and others.

In total, the Anti-Phishing Working Group estimates, phishing attacks cost brands over $70 billion per year, averaging $1,950 per attack.

These email domain attacks don’t just dupe consumers into revealing personal information, they also directly affect consumers’ trust in a brand and erode their willingness to do any further business, despite the fact the brand had nothing to do with the attack.

Yet there is a solution: A way to expiate email’s original sin. It’s called email authentication, and the standards to enable it are already here today.

The key email authentication standard is DMARC (Domain-based Message Authentication, Reporting & Conformance). It is a well-accepted technical specification adopted by all the major consumer mailbox providers (Gmail, AOL, Microsoft, Yahoo!) that effectively stops unauthorized email uses of a domain, thwarting the majority of email domain attacks.

Major brands have already implemented DMARC and have seen complete elimination or highly significant reduction in attacks. In recent case studies published by companies having implemented DMARC, most report an 80–95 percent reduction in phishing attacks on their consumers.

Large-scale email receivers, such as Google, Microsoft, and Yahoo!, are increasingly requiring that email messages be properly authenticated in a DMARC-compliant way. So adding a DMARC record for a domain and configuring it properly will help ensure proper delivery to recipients using these services.

A reporting mechanism, enabling domains to capture aggregate and individual information about failures for subsequent analysis, is also part of the standard, giving domain owners far more data about what’s going on with inbound and outbound emails.

DMARC works by enforcing existing authentication protocols: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Both rely on the Domain Name System (DNS) in an elegant way to validate that the servers sending an email do, in fact, represent the organizations they purport to represent.

We’ll have more on SPF and DKIM in future posts, and if you really want to know more, dive into our four-part series, “What is email authentication?” Also, check out our FAQ on DMARC. For now, it’s enough to know that email administrators need to configure either SPF or DKIM (or both) correctly in order for DMARC to work.

But once it’s set up, DMARC adds a tremendous layer of trust to email. It gives you the assurance that the email from Aunt Selma really did come from her. It gives consumers the confidence that the emails they’re receiving really do come from your company, which helps protect your brand from scammers. And it can block phishing attacks from outsiders pretending to be, say, your IT department, looking for employees gullible (or inattentive) enough to give up the passwords to their accounts.

In short, authentication corrects email’s original sin, restoring it to the level of trust it once enjoyed in a simpler, quieter time before the advent of spam and phish.

That’s why DMARC has exploded in popularity, with over 4.8 billion consumer mailboxes (76 percent of the world’s email accounts, and 100 percent of consumer mailboxes from the major U.S. email providers) covered by DMARC as of this date.

Will your organization be able to send and receive messages with these DMARC-enabled mailboxes? Only if you, too, set up and configure DMARC properly. We’ll have more on that in our next blog post.

Or, contact Valimail for more information on our email authentication service.

Originally published Dec. 11, 2015; updated Feb. 28, 2018 with newer data.

Top photo: This is what people used to mean by mail authentication. It’s a little more complicated now. Photo credit: Approved by the Postmaster General via photopin.
