Tips for web professionals

Email deliverability: the importance of authentication

This is a problem that can be irritating, or even financially punitive for your business: your emails are not sent to certain mailboxes for no apparent reason (the recipient’s mailbox isn’t full, your email does not include an unusually large attachment, and your domain name is not, as far as you know, linked to any fraudulent use). It is possible that your recipient has put anti-spoofing protection in place, and it does not consider your emails as being sufficiently safe.

The specter of spoofing

As is often the case, everything starts with a fraudulent incident: you have surely already gotten an email from someone that you know that is sufficiently suspicious for you to have contacted them directly to ask if they really are the one who sent the email. This type of incident, as you have probably guessed, was an attempt at a type of fraud called “spoofing”.

1. What is spoofing

Spoofing consists of falsifying the identity of the sender of an email by modifying the address or name that appears in the “From” field of the message. The goal of spoofing is mainly to fool the recipient of the mail, by making them believe that the mail came from a trusted sender, in order to get them to reveal personal, financial or sensitive information, or even to carry out a malicious action. This is a more sophisticated phishing technique than typosquatting, and is more widespread and dangerous. The way to prevent it is to put strengthened sender authentication in place, which is rather easy to do.

2. How does spoofing work?

Spoofing is technically possible because the SMTP protocol used for the transmission of email over the internet does not verify the accuracy of the identity of the sender or the content of the message.

An email notably contains the following information:

  • identity of the sender
  • address of the sender
  • reply-to address
  • subject
  • date
  • address of the recipient

All the attacker needs to do is put whatever name they want in the “From” field of the message. The recipient then has no way of knowing whether or not the message really came from the address listed in the “From” field unless they examine the full headers of the email, which contain the technical information about the email’s path through the network. Unfortunately, the full headers are often difficult to understand, and can even be faked themselves.

While it may be difficult for a user to verify the authenticity of the sender of each mail, some email systems have a way to strengthen the authentication of the sender and the verification of the content of the mails. These mechanisms rely on the publication of DNS records and the use of digital signatures.

The most drastic email providers

The most popular email providers (and the most exposed to these practices) deploy systems that block the sending of emails that do not meet certain conditions.

1. Authenticated sending

The main authentication systems are DKIM, SPF, and DMARC.

DKIM: cryptographically signing emails

DKIM (DomainKeys Identified Mail) is a mechanism that allows verifying the authenticity of the domain name of the sender and the integrity of the content of the message. It works with a system of public and private keys that are associated with a domain. The private key is used by the SMTP server to cryptographically sign each email sent from the domain name. The public key is published in a DNS record of the domain, which allows the receiving servers to verify the signature, and therefore the validity of the message.

With DKIM, it is much more difficult to pretend to be a legitimate domain name, since an attacker does not hold the domain’s private key and therefore cannot produce a valid signature. Additionally, if the content of the message is modified during transmission, the signature is invalidated.

SPF: publish the servers authorized to send emails

SPF (Sender Policy Framework) is a mechanism that allows verifying whether the emails being sent from a given domain name are indeed being sent by authorized servers. It uses the publication of a DNS record that lists the SMTP servers that are authorized to send emails for the domain name. The receiving servers compare the IP address of the sending server with those published in the DNS record, and reject emails that come from unauthorized servers.

With SPF, a message sent from an arbitrary SMTP server that is not listed for the domain name is detected as coming from an unauthorized source and can be rejected.

DMARC: combining DKIM and SPF with a report

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a mechanism that allows combining DKIM and SPF with the addition of a report on the emails that have been received and the action to take in the event that a verification fails. It uses the publication of a DNS record that indicates to the receiving servers how to process the emails coming from the domain when they fail verification: rejected, placed in quarantine, or accepted. The DNS record also contains an email address to which reports on the received emails and their statuses are sent.

With DMARC, it is easier for the owner of a domain name to control what happens to their emails, and to be informed of spoofing attempts or other abnormal activity.
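The following is an added example (not code from the original article or from Gandi) of how a receiving server applies the SPF and DMARC records described in the two sections above: the sending IP is checked against the SPF record, then the DMARC record decides the disposition based on SPF and DKIM results and their alignment with the “From” domain. The domain example.test, the addresses and the ZONE dictionary standing in for real DNS lookups are constructed; only the ip4/ip6/all SPF mechanisms are handled, and relaxed alignment is simplified to a parent-domain suffix test rather than the Public Suffix List.

```python
import ipaddress

# Constructed stand-in for DNS: TXT records for a placeholder domain.
ZONE = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.test": "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.test",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip):
    """Evaluate sender_ip against domain's SPF record (ip4/ip6/all only).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = ZONE.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":  # 'all' matches everything, usually last
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")
        # A v4 address is never inside a v6 network (and vice versa), so mixing is safe.
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain
    (simplified here to a parent/child suffix test)."""
    if mode == "s":
        return from_domain == auth_domain
    return from_domain == auth_domain or from_domain.endswith("." + auth_domain) \
        or auth_domain.endswith("." + from_domain)


def dmarc_disposition(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain):
    """Return 'pass' or the published policy ('none', 'quarantine', 'reject') for a
    message whose From: header domain is from_domain, given the SPF result for the
    MAIL FROM domain and the DKIM result for the signing domain (d= tag)."""
    record = ZONE.get("_dmarc." + from_domain, "")
    if not record.startswith("v=DMARC1"):
        return "none"  # no DMARC policy published: nothing is enforced
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    spf_ok = spf_result == "pass" and aligned(from_domain, mailfrom_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")
```

A message from 203.0.113.10 with an aligned MAIL FROM passes; the same From: address sent from 198.51.100.7 without a valid DKIM signature is quarantined, which is exactly the blocking behaviour the article describes at the big providers.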

2. Emails accompanied by good intentions

Beyond the specific threat of spoofing, other elements are examined to determine whether an email deserves to be delivered to an inbox: the sending server and the content of the message.

Servers with a good reputation

Another fundamental element used to judge whether or not the intentions of an email are good is the history of the server that sent it. If the IP address of this server is found in one of the dozen or so respected blacklists, due to bad practices in the past, the deliverability of the emails will be drastically affected.

Respecting good practices

Certain email services go further and carry out checks on the content of the email in order to determine to what degree it can be considered suspicious. Elements such as broken links, shortened URLs, images without alt attributes, and potentially dangerous elements such as JavaScript, iframes or embedded content all suggest that the email’s intention may be harmful.

Authentication and good practices: increase your odds of deliverability

If your emails are blocked by a particular mail service, it is very likely that they don’t meet that service’s authentication and content requirements. You should therefore activate these authentication methods in order to get past these filters. Here is how you can do it with your emails at Gandi:

Once this has been done, make sure that neither your server nor your content negatively affects the delivery of your messages. To do this, there are tools (such as Mail tester) that verify the reputation and maturity of your server: if your domain name is on a blacklist, your delivery will be penalized by this bad reputation. These tools also analyze the content of your messages and provide suggestions on how to correct anything that may be detrimental. In addition to being useful for your personal emails, these tools are particularly useful for sending newsletters, because, for example, they will also check for the presence of elements such as the unsubscribe link.

If, despite these checks, your emails still are unable to be received by the recipient, please feel free to contact our customer support team who will help you identify the source of the problem.