What Is Email Authentication?

Email authentication is a security measure that aims to verify the sender or the recipient of an email message. This helps to prevent fraud and spam, and can even enable the delivery of sensitive data by email.

Email authentication is a broad term used to describe the use of digital checks to verify an email sender or recipient's identity in some way.

The goal is to check that the person or business who has sent you an email, or that you have sent an email to, is who they say there are.

By ensuring an email has been sent or received by the right people, email authentication can prevent malicious attacks and keep sensitive data protected even if it has been sent to the wrong person in error.

Types Of Email Authentication

To make sure each participant in an email communication interaction is protected, there are two types of email authentication: sender authentication and recipient authentication.

 Sender Authentication

Sender authentication confirms that an email you are sent from an organisation or individual is from a legitimate source.

It enhances message deliverability for genuine senders and minimises the risk for recipients when opening emails.

This type of email authentication often involves verifying the validity of the sender's email address and the integrity of the message itself through the use of cryptographic techniques.

There are several methods used to do this:

Sender Policy Framework (SPF)

A Sender Policy Framework is one of the simplest methods of authentication, allowing you to specify which domains and IP addresses are authorised to send emails on behalf of your organisation.

These are published as DNS (Domain Name System) records.

You can specify multiple services (for example, your M365 server and your marketing email provider) that are allowed to deliver emails on behalf of your organisation within an SPF record, for example, if you use different services for your corporate and marketing communications.

When you send an email message, the recipient's email server checks the SPF record to see if the IP address is authorised.

If it is, the email is recognised as authentic, it is delivered to the inbox.

If it is not authorised, the email will be rejected or marked as spam.

DomainKeys Identified Mail (DKIM)

DKIM is a more complex authentication type that utilises encryption.

It offers a higher level of security than SPF as it verifies both the sending domain and the email message itself.

When enabling DKIM for your domain, you create a pair of cryptographic keys: a private key and a public key.

The private key is then used to sign outgoing messages, while the public key is published in your domain's DNS records.

When a message from your organisation is received, the receiving email server compares the private key signature found within the header against the public key found in your DNS records.

If the signatures match, the recipient server can be confident that the email message was sent by an authorised sender.

If the signature is invalid or missing, the email is likely to be rejected or filtered out as spam.

Domain-Based Message Authentication, Reporting, And Conformance (DMARC)

DMARC utilises both SPF and DKIM to validate sender validity.

It allows you to publish a DNS record that states which of the authentication methods should be used when a recipient needs to verify that an email sent from a specific domain is legitimate.

DMARC also enables you to choose how messages should be handled if they fail the authentication checks.

For example, you can specify the message should be quarantined, sent to spam directly, or blocked right away.

This action is then reported back to the domain owner.

Brand Indicators For Message Identification (BIMI)

BIMI, while not an authentication method itself, leverages the use of DMARC to allow legitimate senders to display a brand logo alongside an email message in the recipient's email client.

Image source: Rejoiner, 2024

This helps with brand recognition and reinforcing trust in an email message sent legitimately, as recipients have a visible indicator that an incoming email is from a trusted sender.

BIMI works by stamping outbound messages with a BIMI header, which contains a URL pointing to a logo file.

When the recipient's email client receives an email message with a BIMI stamp, it verifies that the message has permission to use the branding using DKIM record checks.

If it passes these checks, the email client displays the logo and corresponding message in the inbox.

 Recipient Authentication

Email recipient authentication enables senders to verify that their email is accessed by the intended recipient(s) only.

Recipient authentication is conducted through the deployment of multi-factor (or two-factor) authentication checks.

What Is Multi-Factor Authentication (MFA)?

MFA requires users to provide two or more verification factors to gain access to a resource – in this case, an email message.

These factors can include a mixture of:

• Something you know (password)
• Something you own (digital device)
• Something you are (biometric)

Single-factor authentication, a login process that would often involve just an email and password, creates a single point of failure.

It is too easy for a single-factor login to be compromised, either through a password being hacked or a data breach that reveals it.

Multi-factor authentication ensures that attackers are unable to gain access to an email account without having an additional form of evidence to show that they are the right person.

There are a number of second-factor verification methods used to authenticate email recipients.

The most commonly used are SMS authentication and Q&A (question-and-answer authentication).

SMS Authentication

SMS authentication provides an additional layer of security to email accounts by requiring the user to verify their identity using the ‘something you own’ factor.

SMS authentication uses a message sent to a mobile device verify the identity of the email recipient.

SMS code verification is increasingly common practice, and consumers are becoming more familiar with using their phones to quickly and easily access digital assets.

When a recipient attempts to gain entry to an email within their inbox, they will be required to enter a code that is sent to their mobile phone within a limited time period.

This code is unique for each person and for the highest security should only allow access to a single email.

If the user enters an incorrect code, their access to the email will be locked and the sender will have to reissue it.

If the user enters the correct code, they will be granted access to the email contents and then be able to read and reply.

Q&A Authentication

Q&A is short for ‘question and answer’ – a challenge that is used to verify the identity of the email recipient by fulfilling the factor of ‘something you know’.

When a user attempts to open an email, they will be prompted to answer a question that has been pre-defined by the sender.

The question should be unique to the recipient (or the sender and recipient’s relationship) and difficult for a third party to guess.

Avoiding general knowledge and basic information questions is important to ensure robust security.

If a user answers the question correctly, the recipient will be able to access the email.

If they answer incorrectly too many times, the content will become inaccessible.

Who Should Be Using Email Authentication?

Email authentication is recommended for anyone who wants to ensure the security and privacy of their email communications, especially for those who regularly send or receive sensitive information and documents.

This includes individuals, small businesses and large corporations.

In particular, businesses operating in highly regulated industries where confidentiality and data security are critical should implement email authentication as a standard practice.

For example - healthcare, finance, legal, and government sectors.

This helps them to comply with sector-specific regulations and protect consumers’ personal and financial information.

Why Is Email Authentication Important?

There are multiple benefits to an organisation using email authentication, with the most prevalent being increased security.

Utilising email authentication offers both senders and recipients protection against email threats, for example, phishing and human error.

 Phishing Attacks

Phishing is a widespread type of cyber attack that can target individuals or businesses.

In a phishing attack, the threat actor sends an email pretending to be from a reputable source, such as a bank or well-known company.

The aim is to get the recipient to take an action that will put them at risk, such as clicking a link or replying with sensitive information.

This helps the attacker to gain access to personal data, and can result in financial loss or identity theft.

Sender authentication provides critical security to prevent phishing attacks as it lets the recipient know that an email has come from a legitimate source.

However, without recipient authentication, there’s no guarantee that an email has not been read or manipulated by a malicious third-party before being read by the right person.

 Human Error

While malicious attacks such as phishing are a high priority to protect against, human error is just as important to consider when it comes to preventing data breaches.

In fact, sending an email to the wrong person is the number one cause of a data breach in the UK.

With an overflowing inbox and a busy workday, it can be easy to attach the wrong document, or accidentally send an email to the wrong person (a misdirected or misfired email).

Misdirected emails are especially concerning if they contain sensitive personal information.

Our latest survey reveals that at least ¼ of consumers have accidentally sent an email containing personal data to the wrong person.

Recipient authentication is key to protecting users from error, as it ensures that only an intended recipient can access the email you have sent them.

Even if you were to send an email to the wrong person, they would be unable to pass the verification stage and open it.

Beyond protecting against phishing and human error, there are other business benefits to implementing strong email authentication:

• Compliance with regulations - many industries, such as finance and healthcare, have strict regulations surrounding the protection of sensitive data. Email authentication can help businesses comply by creating a secure environment for customer communication.
• Enhanced email deliverability - email authentication increases the authenticity of your communications and facilitates improves email deliverability by reducing the chance that messages will be rejected or filtered out into the spam folder.
• Growing a positive reputation – by taking steps to protect customer information and privacy, businesses can grow consumer loyalty and trust in their brand.

Creating A Comprehensive Email Security Strategy

While many email providers offer sender authentication out of the box, recipient authentication requires the use of a secure email solution.

Secure email solutions often provide further protection against cyber threat and error, as authentication alone is not enough to enable email communications fit for the exchange of highly sensitive information.

For example, our own solution Mailock provides:

• End-to-end encryption, to prevent email interception
• Email revoke, to block access to any messages sent in error
• Security phrases, to automatically encrypt sensitive emails
• Tracking, to store a full audit trail for outbound messages
• Free secure email for recipients (customers and clients)

To find out more about what a secure email solution is and what it can do for your business, check out our guide to secure email.