Email Authentication Explained

Understanding Email Authentication with Alice and Bob

Email authentication can be complex, but it's easier to understand with a simple analogy. Let's follow Alice and Bob as they exchange letters in both the physical and email worlds.

The Problem: How Do We Know Who Really Sent an Email?

In the physical world, when Alice sends a letter to Bob:

  • The letter has Alice's return address on the envelope
  • Alice's handwriting and signature are recognizable
  • The postal service knows which mailbox the letter came from

But in the email world, these physical indicators don't exist. Anyone can put "From: alice@example.com" in an email, even if they're not Alice. This is called email spoofing.

Email authentication protocols solve this problem by creating digital equivalents to the physical world's trust indicators.

SPF

Sender Policy Framework is like Alice telling the post office: "Only accept letters from me if they come from these specific mailboxes."

SPF lets domain owners publish, in a DNS TXT record, which mail servers (by IP address) are authorized to send email on behalf of their domain. The receiving server looks up the record for the domain in the envelope sender address (SMTP MAIL FROM, also seen as Return-Path) and checks whether the IP address it is receiving the message from is on that list.
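
How Bob's mail server evaluates such a record, as an added example in Python (not code from the original page). The DNS TXT records, IP addresses and domain names are constructed for the illustration, and the evaluator handles only the mechanisms those records use; a real receiver resolves live DNS and also implements a, mx, exists, redirect= and macros. The domain it looks up is the one in the envelope sender (MAIL FROM), not the From: header Bob sees, which is why an SPF pass by itself says nothing about the visible sender.

```python
"""Minimal SPF evaluator modelled on RFC 7208, run against a constructed,
offline DNS table. Added illustration, not code from the page: the records,
addresses and domain names are made up, and only the mechanisms those
records use (ip4, ip6, include, all) are implemented."""
import ipaddress

DNS_TXT = {  # constructed TXT records standing in for live DNS
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 4.6.4: more than ten lookup mechanisms is a permerror


def check_spf(mailfrom_domain, client_ip, _lookups=None):
    """SPF result for a connection from client_ip whose MAIL FROM is in mailfrom_domain.

    What is checked is the envelope sender domain and the connecting IP address,
    never the From: header a user sees in the mail client.
    """
    lookups = _lookups if _lookups is not None else [0]
    parts = DNS_TXT.get(mailfrom_domain.lower(), "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in parts[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(arg, client_ip, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner == "none":
                return "permerror"  # RFC 7208 5.2: included domain has no SPF record
            if inner in ("temperror", "permerror"):
                return inner
            # fail, softfail or neutral inside the include is simply "no match"
        else:
            raise NotImplementedError(f"mechanism {mech!r} is not handled in this example")
    return "neutral"  # RFC 7208 4.7: nothing matched and there was no all


def demo():
    """Constructed connections; MAIL FROM is Alice's domain in every case."""
    return {ip: check_spf("example.com", ip)
            for ip in ("203.0.113.7", "198.51.100.10", "2001:db8:1::5", "192.0.2.1")}


if __name__ == "__main__":
    for ip, result in demo().items():
        print(f"{ip:>16}  {result}")
```

Note the include: handling: a softfail inside the included provider record is not a match, so evaluation continues to the outer -all and the overall result is a hard fail. The lookup counter is there because the ten-lookup limit in RFC 7208 is what turns an over-long include chain into a permerror, a frequent cause of legitimate mail failing SPF.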

DKIM

DomainKeys Identified Mail is like Alice using a special wax seal that only she possesses.

DKIM adds a digital signature header to each email, covering selected headers and a hash of the body. The receiving server verifies it with a public key published in DNS at selector._domainkey.domain, so a signature that verifies shows the message was signed by the holder of that domain's private key and that the signed parts were not modified in transit.
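
Sealing a letter and checking the seal, as an added example in Python (not code from the page or from any mail software). It follows the RFC 6376 shape, relaxed header and simple body canonicalization, SHA-256 hashes and an RSASSA-PKCS1-v1_5 signature, but the RSA key is a deliberately toy one built from two Mersenne primes so the script runs with the standard library alone. The selector s1, the DNS entry, the message and the tampered copies are all constructed for the illustration.

```python
"""DKIM-style signing and verification modelled on RFC 6376 (added
illustration, not code from the page). Canonicalization is relaxed/simple,
the hash SHA-256 and the signature RSASSA-PKCS1-v1_5, as in real DKIM; the
RSA key is a TOY from two Mersenne primes so only the standard library is
needed. Never use such a key for real mail."""
import base64
import hashlib
import re

P, Q = 2**127 - 1, 2**521 - 1   # Mersenne primes: demonstration key only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
# Constructed DNS: TXT record s1._domainkey.example.com publishes the public key.
DNS_DKIM = {"s1._domainkey.example.com": (N, E)}

def pkcs1_v15_encode(digest, n):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(SHA-256) || digest, modulus-sized
    k = (n.bit_length() + 7) // 8
    pad = b"\xff" * (k - len(DIGESTINFO_SHA256) - len(digest) - 3)
    return b"\x00\x01" + pad + b"\x00" + DIGESTINFO_SHA256 + digest

def relaxed_header(name, value):
    # RFC 6376 3.4.2: lowercase name, unfold, collapse whitespace runs
    return name.lower() + ":" + re.sub(r"[ \t\r\n]+", " ", value).strip() + "\r\n"

def body_hash(body):
    # RFC 6376 3.4.3 "simple": drop trailing empty lines, end with one CRLF
    body = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n") + "\r\n"
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

def header_hash(headers, signed_fields, sig_value_with_empty_b):
    # h= fields, last instance first (RFC 6376 5.4.2), then the DKIM-Signature
    # header itself with an empty b= value and no trailing CRLF
    data, used = b"", set()
    for field in signed_fields:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == field.lower():
                used.add(idx)
                data += relaxed_header(field, headers[idx][1]).encode()
                break  # a name in h= that is absent from the message adds nothing
    data += relaxed_header("DKIM-Signature", sig_value_with_empty_b).encode()[:-2]
    return hashlib.sha256(data).digest()

def parse_tags(value):
    tags = {}
    for part in value.split(";"):
        name, _, val = part.partition("=")
        if name.strip():
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_sign(headers, body, domain, selector, signed_fields):
    """Build the DKIM-Signature header Alice's mail server adds."""
    value = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
             f"h={':'.join(signed_fields)}; bh={body_hash(body)}; b=")
    em = int.from_bytes(pkcs1_v15_encode(header_hash(headers, signed_fields, value), N), "big")
    sig = pow(em, D, N).to_bytes((N.bit_length() + 7) // 8, "big")
    return ("DKIM-Signature", value + base64.b64encode(sig).decode())

def dkim_verify(headers, body):
    """Return (result, reason) as Bob's mail server would compute it."""
    sig = next((v for name, v in headers if name.lower() == "dkim-signature"), None)
    if sig is None:
        return ("none", "no DKIM-Signature header")
    t = parse_tags(sig)
    if (t.get("v"), t.get("a"), t.get("c")) != ("1", "rsa-sha256", "relaxed/simple"):
        return ("permerror", "v=/a=/c= combination not handled by this example")
    key = DNS_DKIM.get(f"{t.get('s')}._domainkey.{t.get('d')}")
    if key is None:
        return ("permerror", "no public key at selector._domainkey.domain")
    if body_hash(body) != t.get("bh"):
        return ("fail", "body hash mismatch: body altered in transit")
    n, e = key
    empty_b = re.sub(r"(^|;\s*)b=[^;]*", r"\g<1>b=", sig)  # drop only the b= value
    digest = header_hash(headers, t.get("h", "").split(":"), empty_b)
    try:
        raw = int.from_bytes(base64.b64decode(t.get("b", "")), "big")
        recovered = pow(raw, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    except ValueError:
        return ("fail", "malformed b= value")
    if recovered != pkcs1_v15_encode(digest, n):
        return ("fail", "header hash mismatch: signed headers altered or wrong key")
    return ("pass", f"signature verified for d={t['d']}")

# Constructed message from Alice to Bob (the double space in Subject shows
# that relaxed canonicalization tolerates whitespace rewriting in transit).
HEADERS = [("From", "Alice <alice@example.com>"), ("To", "Bob <bob@example.org>"),
           ("Subject", "Quarterly  invoice"), ("Date", "Mon, 01 Jan 2024 09:00:00 +0000")]
BODY = "Hi Bob,\r\nthe invoice is attached.\r\n\r\n"

def demo():
    """Sign once, then verify the intact message and three modified copies."""
    signed = [dkim_sign(HEADERS, BODY, "example.com", "s1", ["From", "To", "Subject", "Date"])] + HEADERS
    intact = dkim_verify(signed, BODY)
    body_changed = dkim_verify(signed, BODY.replace("attached", "at our new bank account"))
    ws_changed = dkim_verify([signed[0], HEADERS[0], HEADERS[1], ("Subject", "Quarterly invoice"), HEADERS[3]], BODY)
    from_changed = dkim_verify([signed[0], ("From", "Alice <alice@attacker.example>")] + HEADERS[1:], BODY)
    return intact, body_changed, ws_changed, from_changed
```

The four outcomes show what DKIM does and does not protect: altering the body fails the bh= check before any signature arithmetic runs, altering a signed header fails the signature, and a whitespace-only change to the Subject still passes because relaxed canonicalization collapses it. Headers not listed in h= are not protected at all, so the h= list deserves as much attention as the key.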

DMARC

Domain-based Message Authentication, Reporting & Conformance is like Alice giving instructions to the recipient about what to do if her handwriting or seal looks suspicious.

DMARC lets a domain owner publish, at _dmarc.domain, a policy (p=none, quarantine or reject) telling receiving servers what to do with email that passes neither SPF nor DKIM for a domain aligned with the From: header domain, together with a reporting address so the owner receives aggregate reports about who is sending mail in the domain's name.

The Alice and Bob Email Authentication Story

1. Setting Up Authentication (SPF)
Alice publishes a list of authorized mailboxes (mail servers) that can send letters on her behalf. When Bob receives a letter claiming to be from Alice, he checks whether it came from one of these authorized mailboxes. Note what Bob is checking: the return address on the envelope (the SMTP MAIL FROM domain), not the name written on the letter inside (the From: header). A spoofer whose own envelope lists their own mailbox passes this check while the letter inside still claims to be from Alice.

2. Verifying the Seal (DKIM)
Alice creates a special seal (private key) that she uses to sign all her letters. She also publishes the verification method (public key) so anyone can verify her seal is authentic. Bob uses this to confirm that the letter was sealed with Alice's key and that the sealed parts were not tampered with during delivery. Because the seal travels with the letter, it still verifies when the letter is forwarded on, which is exactly where the mailbox check usually breaks.

3. Handling Instructions (DMARC)
Alice provides instructions to Bob about what to do if neither the mailbox check nor the seal verification succeeds for the name written on the letter (the From: domain). She might say "deliver them anyway, I am only watching" (p=none), "put suspicious letters in a separate pile" (p=quarantine) or "throw them away immediately" (p=reject). She also asks to be sent reports about letters claiming to be from her so she can investigate; the reports cover letters that passed as well as failed, which is how she discovers legitimate senders she forgot to authorize.
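
How Bob's server combines the two checks and applies Alice's instructions, as an added example in Python (not code from the page). The DMARC records, the tiny public-suffix list and every scenario are constructed; a real receiver queries _dmarc.<domain> in live DNS and uses the full Public Suffix List. The point it makes is that DMARC needs an aligned pass: SPF or DKIM must pass for a domain that matches the From: header domain (exactly under adkim=s or aspf=s, or by organizational domain under the relaxed default), so a spoofer whose own domain passes SPF still fails.

```python
"""DMARC evaluation modelled on RFC 7489 over constructed inputs: an added
illustration, not code from the page. The DNS table and the public-suffix
list are made up and tiny; a real receiver queries _dmarc.<domain> in live
DNS and uses the full Public Suffix List to find organizational domains."""

DNS_TXT = {  # constructed records
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "pct=100; rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}  # stand-in for the Public Suffix List


def organizational_domain(domain):
    """Registered domain: one label more than the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def parse_tags(record):
    tags = {}
    for part in record.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip().lower()] = value.strip()
    return tags


def discover_policy(from_domain):
    """RFC 7489 6.6.3: try _dmarc.<From domain>, then _dmarc.<organizational domain>.
    Returns (tags, came_from_org_domain) or (None, False)."""
    from_domain = from_domain.lower()
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = DNS_TXT.get(f"_dmarc.{candidate}")
        if record and record.lower().startswith("v=dmarc1"):
            return parse_tags(record), candidate != from_domain
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    accepts any domain with the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, mailfrom_domain, dkim_results):
    """from_domain: RFC5322.From domain; spf_result and mailfrom_domain: the SPF
    outcome for the envelope sender; dkim_results: [(result, d=), ...] per signature.
    Returns (dmarc_result, disposition, notes)."""
    policy, is_subdomain = discover_policy(from_domain)
    if policy is None:
        return ("none", "none", ["no DMARC record; receiver falls back to its own rules"])
    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(r == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                       for r, d in dkim_results)
    notes = [f"spf={spf_result} mailfrom={mailfrom_domain} aligned={spf_aligned}",
             f"dkim aligned pass={dkim_aligned} over {len(dkim_results)} signature(s)",
             f"aggregate reports go to {policy.get('rua', '(none)')}"]
    if spf_aligned or dkim_aligned:  # DMARC needs ONE aligned pass, not both
        return ("pass", "none", notes)
    disposition = policy.get("sp") if is_subdomain and policy.get("sp") else policy.get("p", "none")
    if disposition not in ("none", "quarantine", "reject"):
        disposition = "none"  # an unusable p= degrades to monitoring
    # pct= would sample this disposition; this example applies it to every message.
    return ("fail", disposition, notes)


def demo():
    """Constructed scenarios, including the ones that surprise people."""
    return {
        "legitimate, own server": evaluate_dmarc("example.com", "pass", "example.com", [("pass", "example.com")]),
        "spoofed From, attacker's own SPF passes": evaluate_dmarc("example.com", "pass", "attacker.example", []),
        "forwarded: SPF broke, DKIM survives": evaluate_dmarc("example.com", "fail", "example.com", [("pass", "example.com")]),
        "bounce subdomain aligns under aspf=r": evaluate_dmarc("example.com", "pass", "bounces.example.com", []),
        "signed by mail.example.com, adkim=s": evaluate_dmarc("example.com", "fail", "mail.example.com", [("pass", "mail.example.com")]),
        "subdomain From without own record, sp= applies": evaluate_dmarc("news.example.com", "fail", "news.example.com", []),
        "p=none domain only monitors": evaluate_dmarc("example.org", "fail", "other.example", []),
    }
```

demo() covers the cases practitioners trip over: forwarding breaks SPF but an aligned DKIM signature still carries the message through, a bounce subdomain aligns under the relaxed default, a signature from a different subdomain does not once adkim=s is set, and a subdomain without its own record inherits sp= rather than p=. The second scenario is the one the page's analogy is about: the attacker's envelope passes SPF for the attacker's own domain, and only alignment with the From: domain turns that into a DMARC fail and a reject.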

SPF Authentication Process

[Interactive step-through diagram (6 steps): Alice (sender, alice@example.com) publishes a list of authorized mail servers in DNS; Bob's mail server (recipient, bob@example.org) performs the SPF lookup and checks the connecting server against it.]

DKIM Authentication Process

[Interactive step-through diagram (7 steps): Alice's mail server adds a digital signature to the email header; Bob's mail server fetches the DKIM public key from DNS and verifies the signature.]

DMARC Verification Process

[Interactive step-through diagram (7 steps): Alice publishes a DMARC policy in her DNS records; Bob's mail server runs the SPF and DKIM authentication checks and applies the policy.]