
What Is Email Authentication?

Email authentication is a set of checks that verify who sent an email message, or who is allowed to open it. It reduces fraud and spam, and makes it practical to send sensitive data by email.

Email authentication involves using digital checks to confirm the identity of an email sender or recipient.

The goal is to ensure that the person or business sending or receiving an email is genuine and trustworthy.

By verifying identities on both sides, authentication lets receivers detect spoofed messages and protects sensitive data even if an email is mistakenly sent to the wrong person.

Types Of Email Authentication

To protect all participants in email communications, there are two main types of email authentication: sender authentication and recipient authentication.

Sender Authentication

Sender authentication confirms that an email from an organisation or individual is from a legitimate source.

It improves message deliverability for genuine senders and reduces the risk for recipients when opening emails.

These checks verify the domain a message claims to come from, and the integrity of the message itself, using DNS records and cryptographic signatures.

Several methods are used to achieve this:

Sender Policy Framework (SPF)

The Sender Policy Framework lets a domain owner declare which IP addresses are authorised to send email on behalf of the domain, either listed directly or pulled in from another service's SPF record with an include mechanism.

This list is published as a DNS TXT record at the domain, beginning with v=spf1 and ending with a qualifier such as -all (fail anything not listed) or ~all (softfail).

For example, you can list multiple services, like Microsoft 365 and your marketing email provider, in one SPF record so that both may send on your behalf. Be aware that SPF allows at most ten DNS-querying mechanisms (include, a, mx, ptr, exists) per evaluation; a long chain of includes exceeds this limit and produces a permanent error rather than a pass, which is one of the most common SPF misconfigurations.

The DNS Lookup Process

When a message arrives, the receiving server takes the domain from the envelope sender (the MAIL FROM or Return-Path address, not the From header the user sees), looks up that domain's SPF record, and checks whether the connecting IP address is listed.

A pass means the IP is authorised to send for that domain, and the message clears this check.

A fail (-all) or softfail (~all) means it is not. What the receiver does with that result, rejecting the message, marking it as spam, or merely recording the outcome, depends on the qualifier in the record and on the receiver's own policy, including any DMARC policy the domain publishes. Because SPF checks only the envelope sender, it does not by itself stop an attacker from forging the visible From header.
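The lookup process above, as an added example that is not part of the original article: a small SPF evaluator in Python in the style of RFC 7208 check_host, run against a constructed, in-memory set of DNS TXT records (the domains and addresses are invented for this illustration). It handles ip4, ip6, include and all with the four qualifiers, enforces the ten-lookup limit, and reports a permanent error for mechanisms that would need further DNS queries.

```python
import ipaddress

# Constructed stand-in for live DNS TXT lookups. These domains and records are
# example data invented for this block, not any organisation's real SPF.
DNS_TXT = {
    "example.com": ("v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net "
                    "include:spf.example.org -all"),
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "spf.example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological include loop
}

MAX_DNS_MECHANISMS = 10   # RFC 7208 s4.6.4: more than ten lookups is a permerror
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fetch_spf(domain, dns):
    """Return the v=spf1 TXT record for a domain, or None if it has none."""
    record = dns.get(domain.lower().rstrip("."))
    if record and record.split()[0].lower() == "v=spf1":
        return record
    return None


def check_host(ip, domain, dns=DNS_TXT, _state=None):
    """Evaluate SPF for the connecting address `ip` and the envelope-sender domain.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Only ip4, ip6, include and all are modelled; a, mx, ptr and exists need
    further DNS queries and are reported as permerror here.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = fetch_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue                       # modifier (redirect=, exp=): not modelled
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_MECHANISMS:
                return "permerror"
            sub = check_host(ip, arg, dns, state)
            if sub in ("permerror", "none"):
                return "permerror"          # RFC 7208 s5.2: included record missing
            matched = sub == "pass"         # include matches only on a pass
        else:
            return "permerror"              # a, mx, ptr, exists: out of scope here

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                        # no term matched and no all mechanism


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8:1::5", "198.18.0.1"):
        print(ip, "->", check_host(ip, "example.com"))
    print("loop.example ->", check_host("198.18.0.1", "loop.example"))
```

The result is only an input to the receiver's decision; a softfail from ~all is routinely delivered to the inbox by large providers unless DMARC says otherwise, which is why the record should end in -all once every legitimate sender is listed.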

DomainKeys Identified Mail (DKIM)

DKIM goes further than SPF by attaching a digital signature to the message (DKIM signs; it does not encrypt), so a receiver can verify both that the signing domain vouched for the message and that the signed headers and body have not been altered in transit.

It works with a pair of cryptographic keys: a private key that the sending system uses to sign outgoing messages, and a public key published in DNS under a selector (selector._domainkey.yourdomain), so that keys can be rotated by publishing a new selector.

When your message is received, the recipient's email server reads the domain (d=) and selector (s=) tags from the DKIM-Signature header, fetches the matching public key from DNS, and verifies the signature over the canonicalised headers and body hash.

If the signature verifies, the server knows the message passed through a system holding that domain's private key and that the signed content is intact. Unlike SPF, a DKIM signature survives forwarding, because it travels with the message rather than depending on the connecting IP.

If the signature is invalid or missing, DKIM itself prescribes no action; whether the message is rejected or filtered is decided by the receiver's filtering and by the domain's DMARC policy.
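The integrity half of the check above, as an added example that is not part of the original article: the relaxed canonicalisation rules of RFC 6376, the bh= body hash a verifier recomputes before it checks the signature, and the exact byte string the private key signs. The message, headers, domain and selector are constructed for this illustration. The asymmetric signing step itself is deliberately left to a library such as dkimpy; what this block shows is why any edit to the signed body, but not trailing blank lines, breaks DKIM.

```python
import base64
import hashlib
import hmac
import re


def canon_header_relaxed(name, value):
    """RFC 6376 s3.4.2 'relaxed' header canonicalisation: lower-case the name,
    unfold, collapse whitespace runs to one space, strip WSP around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.strip().lower()}:{value}\r\n".encode()


def canon_body_relaxed(body):
    """RFC 6376 s3.4.4 'relaxed' body canonicalisation."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()                                      # trailing empty lines are ignored
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def parse_tags(value):
    """Parse a tag=value list (the DKIM-Signature value) into a dict, dropping folding WSP."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def verify_body_hash(dkim_signature, body):
    """First step of DKIM verification: does bh= match the body actually received?"""
    tags = parse_tags(dkim_signature)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        return False
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # c=relaxed alone means body simple
    if body_canon != "relaxed" or "l" in tags:
        return False                                     # simple body canon and l= not modelled
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))


def signing_input(headers, dkim_signature):
    """Bytes the private key signs: the h= headers in the listed order, then the
    DKIM-Signature header itself with b= emptied and no trailing CRLF.
    Assumes each header name appears once (real verifiers select from the bottom up)."""
    tags = parse_tags(dkim_signature)
    lookup = {n.lower(): v for n, v in headers}
    data = b"".join(canon_header_relaxed(n, lookup[n.lower()])
                    for n in tags["h"].split(":") if n.lower() in lookup)
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", dkim_signature)
    return data + canon_header_relaxed("DKIM-Signature", stripped).rstrip(b"\r\n")


# Constructed message used for the demonstration (not a real mail).
HEADERS = [("From", "Alice <alice@example.com>"),
           ("To", "bob@example.org"),
           ("Subject", "Quarterly   figures")]
BODY = "Hello Bob,   \r\n\r\nPlease find the figures attached.\r\n\r\n\r\n"
DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
                  f"h=from:to:subject; bh={body_hash(BODY)}; b=")

if __name__ == "__main__":
    print("body hash ok:", verify_body_hash(DKIM_SIGNATURE, BODY))
    tampered = BODY.replace("attached", "attached: http://evil.example")
    print("after tampering:", verify_body_hash(DKIM_SIGNATURE, tampered))
    print(signing_input(HEADERS, DKIM_SIGNATURE).decode())
```

Two practical consequences follow from the canonicalisation: list the headers an attacker would most want to change (From, To, Subject, Date, Message-ID) in h=, and do not rely on DKIM to protect headers you left out of it.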

Domain-Based Message Authentication, Reporting, And Conformance (DMARC)

DMARC builds on SPF and DKIM and adds the check both of them lack: a message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the domain in the visible From header. Without alignment, an attacker could pass SPF for a domain they control while displaying yours.

The domain owner publishes a DNS TXT record at _dmarc.yourdomain stating the alignment mode for each method (strict, an exact match, or relaxed, the same organisational domain) and the policy receivers should apply.

The policy tells receivers how to handle messages that fail: p=none (deliver and only report), p=quarantine (send to spam or hold), or p=reject (refuse the message). A separate sp= tag can set a different policy for subdomains.

Receivers send aggregate reports (the rua= address) and, optionally, per-message failure reports (ruf=) back to the domain owner, so you can see who is sending as your domain, fix legitimate senders that are failing, and only then move from p=none to an enforcement policy.
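The alignment and policy logic described above, as an added example that is not part of the original article: a DMARC evaluator in Python that takes the visible From domain, the SPF result with its envelope-sender domain, the DKIM results with their d= domains, and the DMARC record, and returns the DMARC outcome and the disposition a receiver would apply. The record, domains and results are constructed for this illustration; the organisational-domain function is a simplification of the Public Suffix List a real verifier would use, and pct= sampling is not modelled.

```python
def organizational_domain(domain):
    """Simplified: the last two labels. Real verifiers consult the Public
    Suffix List so that e.g. example.co.uk is treated as one organisation."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of lower-cased tags."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment (RFC 7489 s3.1): strict ('s') needs an exact match,
    relaxed ('r') needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(from_domain, spf, dkim, record):
    """spf:    (result, envelope-sender domain) from the SPF check.
    dkim:   list of (result, d= domain), one per DKIM-Signature header.
    record: the TXT record found at _dmarc.<from_domain> (or the org domain).
    Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "deliver")              # no usable policy: nothing to enforce

    spf_result, spf_domain = spf
    spf_pass = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_pass = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                    for r, d in dkim)
    if spf_pass or dkim_pass:
        return ("pass", "deliver")              # one aligned pass is enough

    policy = tags["p"]
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]                     # subdomain policy applies below the org domain
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", disposition.get(policy, "deliver"))


# Constructed DMARC record for the demonstration.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(dmarc_evaluate("example.com", ("pass", "bounce.example.com"), [], RECORD))
    print(dmarc_evaluate("example.com", ("pass", "mailer.example.net"),
                         [("pass", "mailer.example.net")], RECORD))
    print(dmarc_evaluate("news.example.com", ("softfail", "example.com"),
                         [("fail", "example.com")], RECORD))
```

The second call in the demonstration is the classic third-party sender problem: the bulk mailer passes SPF and DKIM for its own domain, but neither identifier aligns with example.com, so the message fails DMARC and is rejected. The fix is to have the provider sign with a DKIM key under your domain (or use a return path under your domain), not to weaken the policy.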

Brand Indicators For Message Identification (BIMI)

Although not an authentication method itself, BIMI builds on DMARC to let senders display a brand logo alongside their messages in supporting inboxes.

[Image: a BIMI logo shown beside a message in an inbox. Source: Rejoiner, 2024]

This enhances brand recognition and reinforces trust, as recipients can see that an incoming email is from a domain that passed authentication.

BIMI works by publishing a DNS record (default._bimi.yourdomain) that points to an SVG logo file and, for most major mailbox providers, to a Verified Mark Certificate (VMC) attesting that the organisation owns the logo as a registered trademark.

A participating mailbox provider shows the logo only if the message passes DMARC and the domain enforces a DMARC policy of quarantine or reject; passing DKIM alone is not enough. BIMI is therefore a useful incentive to reach DMARC enforcement, but it offers no protection on its own.

While sender authentication verifies the sender's identity, it doesn't encrypt the email content. To ensure both sender legitimacy and message confidentiality, use sender authentication alongside email encryption.

Recipient Authentication

Recipient authentication ensures that only the intended recipient(s) can access an email.

It uses multi-factor (or two-factor) authentication checks to verify the recipient's identity.

What Is Multi-Factor Authentication (MFA)?

MFA requires users to provide two or more verification factors to access an email.

These factors can include:

  • Something you know (a password or a secret answer)
  • Something you have (a phone, authenticator app, or hardware token)
  • Something you are (a biometric)

Single-factor authentication, typically just an email address and password, creates a single point of failure.

Single-factor logins are too easily compromised through password guessing, credential stuffing with passwords leaked in other breaches, or phishing.

Multi-factor authentication makes it far harder for an attacker to open an email account or a protected message with a stolen password alone, because they must also present the second factor.

Several methods are used for second-factor verification of email recipients.

Two of the most common in secure email products are SMS authentication and Q&A (question-and-answer) authentication.

SMS Authentication

SMS authentication adds security by verifying the user's identity through the 'something you have' factor.

It sends a one-time verification code to the recipient's mobile device to confirm their identity.

Consumers are increasingly familiar with using SMS codes for quick and easy access to digital assets. Bear in mind that SMS is the weakest common second factor, since codes can be diverted by SIM-swap fraud or intercepted at the telephone network; it is a reasonable choice for recipients who have no other enrolled factor, but an authenticator app or hardware key is stronger where one is available.

When attempting to open an email, recipients must enter a code sent to their phone within a limited time period.

This code is unique and should only allow access to a single email.

If an incorrect code is entered, access to the email is locked and the sender must reissue it.

If the correct code is entered, the recipient gains access to the email contents and can read and reply.

Q&A Authentication

Q&A, or ‘question and answer’, verifies the recipient's identity through the ‘something you know’ factor.

When attempting to open an email, users answer a pre-defined question set by the sender.

The question should be unique to the recipient and difficult for third parties to guess.

Avoid general knowledge or easily researched questions (a mother's maiden name, a pet's name, a place of birth) to maintain robust security, and agree the question and answer with the recipient out of band, for example by phone or in person, never in the same email or its cover note.

If the user answers correctly, they can access the email.

Incorrect answers too many times will lock the email content.
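The recipient-side checks described above for both SMS codes and Q&A challenges, as an added example that is not part of the original article or of any product's code: a Python module that issues a one-time code from a CSPRNG, stores only a salted hash of the code or answer, enforces expiry, compares in constant time, consumes the challenge on success, and locks it after repeated failures. The ten-minute lifetime and three-attempt limit are assumed policies, not values from the article.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 600         # assumed policy: SMS codes expire after ten minutes
MAX_ATTEMPTS = 3               # assumed policy: lock after three wrong answers
PBKDF2_ITERATIONS = 100_000


def normalise(answer):
    """Case-fold and collapse whitespace so 'Blue  Peugeot' and 'blue peugeot' match."""
    return " ".join(answer.casefold().split())


def digest(value, salt):
    """Salted slow hash: the stored record never contains the code or answer itself."""
    return hashlib.pbkdf2_hmac("sha256", normalise(value).encode(), salt, PBKDF2_ITERATIONS)


def create_challenge(secret_value, now, ttl=CODE_TTL_SECONDS):
    """Server-side state kept alongside the protected message."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": digest(secret_value, salt),
            "expires_at": now + ttl, "attempts": 0, "locked": False}


def issue_sms_code(now):
    """A fresh six-digit code from a CSPRNG; the caller sends it to the recipient by SMS."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return code, create_challenge(code, now)


def attempt(challenge, submitted, now):
    """Returns 'granted', 'denied', 'expired' or 'locked'. A challenge is single-use:
    success consumes it, expiry or too many failures lock it until the sender reissues."""
    if challenge["locked"]:
        return "locked"
    if now > challenge["expires_at"]:
        challenge["locked"] = True
        return "expired"
    challenge["attempts"] += 1
    if hmac.compare_digest(challenge["hash"], digest(submitted, challenge["salt"])):
        challenge["locked"] = True          # consumed: the same code cannot be replayed
        return "granted"
    if challenge["attempts"] >= MAX_ATTEMPTS:
        challenge["locked"] = True          # the sender must reissue the message
        return "locked"
    return "denied"


if __name__ == "__main__":
    code, sms = issue_sms_code(now=1000.0)
    print("sms code sent out of band:", code)
    print(attempt(sms, code, now=1100.0), attempt(sms, code, now=1101.0))

    qa = create_challenge("Blue  Peugeot 306", now=0.0, ttl=7 * 24 * 3600)
    for guess in ("red ford", "blue peugeot 306", "blue peugeot 306"):
        print(guess, "->", attempt(qa, guess, now=10.0))
```

The attempt counter and the lock live with the message, not with the session, so an attacker who can reach the message link cannot reset the count by opening a new browser; and because the stored value is a salted slow hash, a leaked database of challenges does not hand out the answers.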

Who Should Be Using Email Authentication?

Email authentication is essential for anyone wanting to secure their email communications, especially those regularly sending or receiving sensitive information.

This includes individuals, small businesses, and large corporations.

In particular, businesses in highly regulated industries where data security is critical should implement email authentication as standard.

Sectors like healthcare, finance, legal, and government use email authentication to comply with regulations and protect personal and financial information.

Why Is Email Authentication Important?

Email authentication significantly increases security for organisations.

It protects both senders and recipients from threats like phishing and human error.

Phishing Attacks

Phishing is a common type of cyber attack that targets individuals or businesses.

Attackers send emails pretending to be from reputable sources, like banks or well-known companies, to trick recipients into taking risky actions, such as clicking a link or providing sensitive information.

Phishing can lead to personal data theft and financial loss.

Sender authentication helps prevent phishing by letting receivers detect and discard messages that spoof a trusted domain. It cannot flag phishing sent from a lookalike domain the attacker registered and authenticated themselves, so user awareness and link inspection remain necessary.

Sender authentication also says nothing about who can read a message once it arrives. Without recipient authentication and encryption, a message delivered to the wrong mailbox, or exposed in transit, can be read by whoever has access to it.

Human Error

While protecting against malicious attacks is crucial, addressing human error is equally important to prevent data breaches.

Sending an email to the wrong person is the number one cause of data breaches reported in the UK (ICO, 2024).

In a busy work environment, it is easy to attach the wrong document or send an email to the wrong recipient (a misdirected email).

Misdirected emails can be especially damaging if they contain sensitive information.

Our latest survey shows that at least a quarter of consumers have accidentally sent emails containing personal data to the wrong person.

Recipient authentication protects against such errors by ensuring only the intended recipient can access the email.

Even if an email is sent to the wrong person, they cannot open it without passing the verification stage.

Beyond phishing and human error, there are other business benefits to strong email authentication:

  • Compliance with regulations - Many industries, such as finance and healthcare, have strict regulations for protecting sensitive data. Email authentication helps businesses comply with these regulations by securing customer communication.
  • Enhanced email deliverability - Email authentication improves the authenticity of communications and enhances deliverability by reducing the chance that messages will be rejected or sent to spam.
  • Building a positive reputation – Protecting customer information and privacy helps businesses grow consumer trust and loyalty.

Creating A Comprehensive Email Security Strategy

While many email providers offer sender authentication as a default, recipient authentication often requires a secure email solution.

Secure email solutions provide additional protection against cyber threats and errors, as authentication alone may not suffice for highly sensitive communications.

For example, Mailock offers:

  • End-to-end encryption to prevent email interception
  • Email revoke to block access to messages sent in error
  • Security phrases to automatically encrypt sensitive emails
  • Tracking to maintain a full audit trail for outbound messages
  • Free secure email for recipients (customers and clients)

Learn more about what a secure email solution can do for your business in our guide to secure email.


References:

Data Security Incident Trends, ICO, 2024

Reviewed By:

Sam Kendall, 05.06.24

Sabrina McClune, 05.06.24

 

Originally posted on 06 04 23
Last updated on July 4, 2024

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.
