
Email Authentication Basics

How it works, and why you should implement it

Email authentication is becoming increasingly important for email marketers. This is a basic guide on how it works, what the different techniques are, and the benefits of authenticating your messages.

The most common example used to explain email authentication is the license plate on a car. If you drive around in a car with no license plates, it looks suspicious. The cops have a reason to pull you over. Conversely, if you drive a car with license plates, it doesn't look so suspicious. You appear to be a law-abiding citizen who paid his fees and taxes.

ISPs like AOL and Yahoo are swamped with incoming spam. They don't have time to analyze the content of every incoming email. That would be like the cops pulling over each and every car to check for law-abiding citizens. When an email marketer sends a campaign to his list of subscribers, and a few thousand of those subscribers have Yahoo accounts, Yahoo will think it's a wave of spam (replace Yahoo with AOL, or any corporate email firewall). If your emails are authenticated, you don't look so suspicious.

Where Did Email Authentication Come From?

In a nutshell, it's to prove that your email is not a forgery. You see, emails are inherently insecure. You can craft an email and forge the reply-to and "from:" fields pretty easily to make it look like it came from someone else. That's called "spoofing" (remember that word, because it'll be on the quiz later). You may have even received complaints from people telling you to stop spamming them (some spammer is "spoofing" his campaigns to look like they're coming from you). Don't sweat it; it happens to everyone eventually. Spoofing usually leads to phishing. Phishing is when someone spoofs an email to make it look like it came from a bank or credit card company. They ask the recipient to log in to some website (designed to look like a real bank site) and enter their banking passwords and PIN codes. Authentication was created to prevent all this spoofing and phishing.

Email Marketers Spoof All The Time

When you use a service like i-Emailer, ConstantContact, iContact, etc., you are sending your campaigns from our servers. But you are probably entering your own reply-to: email address and from: name, right? Well, technically that's a form of spoofing. So long as you are sending the email from a well-known, reputable email service provider, it's not a huge problem. ISPs can tell that it came from a legit server, and generally won't penalize you. But as your list grows, it does eventually affect your deliverability rate. ISPs will more likely "throttle" your campaigns to check them for spam (remember the license plate analogy above?). If you're sending tens of thousands of emails per campaign, you might want to look into some form of email authentication.

Different Types of Authentication

I'm not going to get into the details of how the different types of authentication work, or which is the best. Just know that there are about three major options: SPF, SenderID, and DKIM (aka "Domain Keys"). SPF and SenderID are somewhat easier to implement, because you make some modifications to some files on your domain name server. Let's say you use i-Emailer to send your campaigns. You simply add a file on your server that says, "If you ever receive an email from the i-Emailer guys, and it claims to be from me, it's all cool." DKIM is slightly more complex. You basically embed the message with a cryptographic kind of "key" that proves it's legit. Receiving servers can take the key and reference the delivery server to see if it truly came from that server.

In general, SPF and SenderID are things you, as the email marketer, can do on your own. You might get your IT guys to set it up for you (if you're an i-Emailer customer, here's how to implement SenderID). DKIM is something you'll have to ask your email service provider to set up for your account. It sometimes requires extra setup fees, because it's a little harder to implement.

Authentication Is Not Perfect

Authentication has its drawbacks. For instance, depending on how your email service provider is set up, your email campaigns might be forced to use a different "reply-to:" or "from:" than your own company name. One might argue that this defeats the whole purpose of authentication, in that it makes the email look more suspicious when your recipient opens the message.

At i-Emailer, we've seen cases of authenticated emails getting rejected by mobile devices. It goes something like this: you send an authenticated email to your customer's work account. The authentication in your message says, "this message is only authentic if it came from the i-Emailer server XYZ." But the recipient is a travelling salesperson, and automatically forwards messages from his company account to his Blackberry. The Blackberry server receives your message, but since it was forwarded from your recipient's company server, it appears to be a forgery when they read the authentication instructions.
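The SPF authorization described under "Different Types of Authentication" and the forwarding failure described above can be reproduced with a small evaluator. This is an added example, not i-Emailer's code: the domains, the IP addresses (documentation ranges) and the inline DNS table are constructed, only a subset of SPF mechanisms is handled, and it assumes the marketer's own domain is the envelope sender that the receiver checks.

```python
import ipaddress

# Constructed sample DNS TXT records (hypothetical domains, documentation IP ranges).
TXT = {
    "shop.example": "v=spf1 include:spf.esp.example -all",   # marketer authorizes the ESP
    "spf.esp.example": "v=spf1 ip4:192.0.2.0/24 ~all",       # ESP's sending servers
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for a connecting IP."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                      # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the included policy returns "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                    # mechanisms outside this subset are skipped
        if matched:
            return QUALIFIERS[qual]
    return "neutral"

def forwarding_demo():
    """Same message, checked at two hops against the sender's SPF policy."""
    # Hop 1: the ESP server delivers to the recipient's company mail server.
    direct = check_spf("192.0.2.25", "shop.example")
    # Hop 2: the company server forwards to the mobile provider, which sees
    # the company server's IP but still checks the original sender domain.
    forwarded = check_spf("198.51.100.7", "shop.example")
    return direct, forwarded

if __name__ == "__main__":
    print(forwarding_demo())
```

A DKIM signature travels with the message itself, so it survives this kind of forwarding as long as the forwarder does not alter the signed headers or body.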

Is Authentication Worth It?

There are lots of critics and pundits when it comes to the theory behind authentication. If you research the topic at length, you're just going to come away more confused than ever. At i-Emailer, we've actually seen real users benefit from it. If you have a very large list, your campaigns are a lot more likely to get blocked or "throttled" by major ISPs like AOL, Yahoo, Hotmail, and Gmail. Authentication helps you.

If you send marketing messages, email firewalls like Postini are very, very harsh when they scan your content (See: Postini likes DKIM). If you know that a huge portion of your subscriber list is at one single domain, then sending a campaign to that list is going to look like a wave of spam (See: Will Yahoo! Block Emails That Are Not Authenticated?). Again, authentication (and maybe some email certification) can help smooth things over for you. Bellsouth recently started to block HTML emails randomly, which confused the heck out of a lot of email marketers. When we investigated campaigns from our own users, we found that authenticated messages seemed to get through perfectly fine.

The bottom line is this: if you have a very large list (tens of thousands), and you have money and resources to get it in place, authentication will help get your emails delivered (but you can't send spammy content and expect authentication to help you). If your list is relatively small (in the hundreds) then you probably don't need it yet. Just make sure to use a reputable email service provider, and your campaigns will get through just fine.
