Email authentication is a security measure that aims to verify the sender or the recipient of an email message. This helps to prevent fraud and spam, and can even enable the delivery of sensitive data by email.
Email authentication is a broad term used to describe the use of digital checks to verify an email sender or recipient's identity in some way.
The goal is to check that the person or business who has sent you an email, or that you have sent an email to, is who they say they are.
By ensuring an email has been sent or received by the right people, email authentication can prevent malicious attacks and keep sensitive data protected even if it has been sent to the wrong person in error.
Types of email authentication
To make sure each participant in an email communication interaction is protected, there are two types of email authentication: sender authentication and recipient authentication.
1. Sender Authentication
Sender authentication confirms that an email you receive from an organisation or individual really comes from that source. It improves deliverability for genuine senders and reduces the risk to recipients when they open messages.
This type of email authentication often involves verifying the validity of the sender's email address and the integrity of the message itself through the use of cryptographic techniques.
There are several methods used to do this:
Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is one of the simplest authentication methods. It lets a domain owner publish, as a DNS (Domain Name System) TXT record, the IP addresses and sending hosts that are authorised to send email on behalf of that domain.
A single SPF record can list multiple services, for example your M365 tenant and your marketing email provider, which is useful when different services handle your corporate and marketing communications. Each include: reference to another provider's record costs a DNS lookup, and the standard allows at most ten, so a record that grows with every new SaaS tool eventually stops evaluating (a permanent error) and protects nothing.
When you send an email, the receiving server takes the domain from the envelope sender (the MAIL FROM or Return-Path address, which is not always the same as the From: address the recipient sees), looks up that domain's SPF record and checks whether the connecting IP address is listed. A match is a pass. If nothing matches, the record's closing term decides the result: -all means hard fail, ~all means soft fail, and ?all means neutral. What the receiver then does with a fail (reject, spam folder, or simply annotate the message) is its own policy, usually decided through DMARC. SPF also breaks when mail is forwarded, because the forwarding server's IP address is not in the original domain's record, which is one reason it is rarely relied on alone.
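The check described above, as an added example that is not part of the original article: a small SPF evaluator in Python that walks a record's mechanisms in order, follows include: references, enforces the ten-lookup limit and returns the result the qualifier prefix dictates. The DNS records, domain names and address ranges are constructed for the example (documentation ranges, not real senders); a real checker would resolve them with live TXT queries and would also support the a, mx, exists and redirect mechanisms, which need DNS and are reported as permerror here.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups: domain -> SPF record.
# The domains and address ranges are hypothetical (documentation ranges);
# a real checker resolves these with live DNS queries.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "legacy.example": "v=spf1 a mx -all",  # mechanisms this evaluator does not support
}

# Qualifier prefix -> result when the mechanism matches (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying mechanisms


def check_spf(domain, client_ip, dns=FAKE_DNS, lookups=None):
    """Evaluate the SPF record of `domain` (the envelope MAIL FROM domain)
    for a message delivered from `client_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, exists and
    redirect need live DNS and are reported as permerror here.
    """
    if lookups is None:
        lookups = [0]  # shared counter across nested include: evaluations
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            # include: matches only if the included record yields "pass";
            # its fail/softfail/neutral results do not propagate (section 5.2)
            sub = check_spf(arg, client_ip, dns, lookups)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"

        if matched:
            return QUALIFIERS[qualifier]

    # No mechanism matched and no "all" term: the default result is neutral
    return "neutral"
```

Note that the third-party provider's record ends in ~all but example.com's ends in -all: an address unknown to both still hard-fails, because the include: mechanism only ever contributes a match or no match, never the softfail itself.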
DomainKeys Identified Mail (DKIM)
DKIM is a more involved method that uses public-key cryptography: the sending domain digitally signs each message. It goes further than SPF because it binds the signing domain to the message content itself (selected headers and the body), rather than only to the IP address the message came from.
When you enable DKIM for your domain you generate a key pair. The private key stays on your mail server and is used to sign outgoing messages; the signature is added as a DKIM-Signature header. The public key is published in DNS as a TXT record under a selector name (selector._domainkey.yourdomain), so a domain can have several keys in use and rotate them.
When the message is received, the recipient's server reads the selector and domain (the s= and d= tags) from the DKIM-Signature header, fetches the matching public key from DNS, recomputes the hash of the body and of the signed headers, and verifies the signature with that public key. If the signature verifies, the receiver knows the message was signed by a holder of the domain's private key and that the signed parts have not been altered in transit. If the signature is invalid or missing, the receiver's policy (usually driven by DMARC) decides whether the message is rejected or filtered as spam.
It is important to note that DKIM signs but does not encrypt. Message contents remain readable to any third party who intercepts them, and a validly signed message can be captured and replayed to other recipients; what DKIM proves is origin and integrity, not confidentiality.
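The first stage of the verification just described, as an added example that is not part of the original article or any mail product: Python that parses a DKIM-Signature header, applies the body canonicalization it names, recomputes the body hash and compares it with the bh= tag. The sample body and header are constructed for the example, and the b= value is left empty because the second stage, verifying the b= signature over the canonicalized headers with the public key fetched from selector._domainkey.domain, needs an RSA or Ed25519 implementation that the standard library does not provide.

```python
import base64
import hashlib
import hmac
import re


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 section 3.2).
    Folding whitespace inside values (common in b= and bh=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip()] = "".join(value.split())
    return tags


def canonicalize_body(body, method="relaxed"):
    """Apply DKIM body canonicalization: simple (section 3.4.3) or relaxed (3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # collapse runs of whitespace to one space, drop trailing whitespace per line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif method != "simple":
        raise ValueError("unknown canonicalization: " + method)
    # both methods remove empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # simple canonicalizes an empty body to a single CRLF, relaxed to nothing
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="relaxed", algorithm="sha256"):
    """Compute the bh= value: base64 of the hash of the canonicalized body."""
    canon = canonicalize_body(body, method).encode("utf-8")
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode("ascii")


def verify_body_hash(dkim_signature, body):
    """Does the received body still match the bh= the signer committed to?

    This is only the first stage of verification. The second, checking the
    b= signature over the selected headers with the public key fetched from
    <s>._domainkey.<d> in DNS, is not done here.
    """
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    body_method = canon.split("/")[1] if "/" in canon else "simple"  # "relaxed" alone = header only
    algorithm = tags.get("a", "rsa-sha256").split("-", 1)[1]  # rsa-sha256 -> sha256
    expected = tags.get("bh", "")
    if tags.get("v") != "1" or not expected:
        return False
    return hmac.compare_digest(body_hash(body, body_method, algorithm), expected)


# Constructed example: the body as the sender signed it, and the header the
# signer would emit for it (b= left empty; it would carry the RSA signature).
SIGNED_BODY = "Hello,  world \r\n\r\n\r\n"
EXAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
    " h=from:to:subject:date; bh=" + body_hash(SIGNED_BODY, "relaxed") + "; b="
)
```

Relaxed canonicalization is why a message whose whitespace was reflowed by an intermediate server still verifies, while any change to the visible text does not; an empty body also hashes differently under the two methods, which is a common source of confusion when comparing bh= values by hand.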
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC builds on SPF and DKIM. A domain owner publishes a DNS TXT record at _dmarc.yourdomain that tells receivers to treat a message as authenticated only if at least one of SPF or DKIM passes and that passing result is aligned with the domain in the visible From: header, the one the recipient actually sees. Alignment is what closes the gap SPF and DKIM leave on their own: without it an attacker can pass SPF or DKIM for a domain they control while putting your address in the From: line.
The record also states what the receiver should do with messages that fail: p=none (deliver normally and only report), p=quarantine (treat as suspicious, typically the spam folder), or p=reject (refuse the message). Receivers send aggregate reports (rua) and, optionally, failure reports (ruf) to the addresses named in the record, so the domain owner can see who is sending as their domain and fix legitimate sources before tightening the policy from none to quarantine to reject.
Brand Indicators for Message Identification (BIMI)
BIMI, while not an authentication method itself, leverages the use of DMARC to allow legitimate senders to display a brand logo alongside an email message in the recipient's email client.
This helps with brand recognition and reinforcing trust in an email message sent legitimately, as recipients have a visible indicator that an incoming email is from a trusted sender.
BIMI works through DNS rather than through a header the sender adds. The domain owner publishes a BIMI record (default._bimi.yourdomain) that points to an SVG logo file and, for many mailbox providers, to a Verified Mark Certificate proving the right to use that logo. When a message arrives, the receiving server first checks that it passes DMARC and that the domain has an enforcing DMARC policy (quarantine or reject); a p=none domain gets no logo. Only then does it fetch and validate the logo and show it next to the message. The sender cannot force the logo to appear by adding a header, which is the point: the logo is evidence that the receiver's checks passed.
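The DMARC decision and the BIMI precondition described in the two sections above, as one added example that is not part of the original article: Python that parses a _dmarc record, applies strict or relaxed identifier alignment to the SPF and DKIM results, chooses between p= and sp=, and reports whether the policy is strong enough for BIMI. The record, domains and authentication results are constructed for the example; the organizational-domain helper is deliberately simplified (last two labels) and a real implementation would use the Public Suffix List. The BIMI rule encoded in bimi_eligible is my reading of the BIMI draft specification (p=reject, or p=quarantine with pct=100, and no sp=none) and individual mailbox providers may add requirements of their own.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List so that
    mail.example.co.uk maps to example.co.uk, not co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(record):
    """Parse a _dmarc.<domain> TXT record into a tag dict (RFC 7489 section 6.3)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: " + record)
    tags.setdefault("adkim", "r")  # defaults from the RFC
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def is_aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide the DMARC result and disposition for one message.

    record is the TXT found at _dmarc.<from_domain> or, failing that, at the
    organizational domain (whose sp= then applies). spf_domain is the envelope
    MAIL FROM domain SPF was evaluated on; dkim_domain is the d= tag of the
    signature that produced dkim_result.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = (spf_result == "pass" and bool(spf_domain)
                   and is_aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and is_aligned(dkim_domain, from_domain, tags["adkim"]))
    passed = spf_aligned or dkim_aligned

    # Subdomains of the organizational domain use sp= when it is present
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    # pct= tells receivers what fraction of failing mail to apply the policy
    # to (the rest gets the next weaker policy); the sampling is not simulated.
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "pct": int(tags["pct"]),
    }


def bimi_eligible(record):
    """BIMI precondition, as I read the BIMI draft: an enforcing DMARC policy,
    i.e. p=reject, or p=quarantine with pct=100, and sp= (if set) not none."""
    tags = parse_dmarc_record(record)
    enforcing = tags["p"] == "reject" or (tags["p"] == "quarantine" and tags["pct"] == "100")
    return enforcing and tags.get("sp", tags["p"]) != "none"


# Constructed record for example.com; the rua address is hypothetical.
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
```

The third test case below is the one worth studying: SPF passes and DKIM passes, yet DMARC fails, because neither passing identifier is aligned with the From: domain under the record's strict adkim setting. That is exactly the case a spoofer relying on a third-party sender or a look-alike subdomain ends up in.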
2. Recipient Authentication
Recipient authentication enables senders to verify that their email is opened only by the intended recipient(s), by requiring two-factor or multi-factor authentication before the message can be read.
What is multi-factor authentication (MFA)?
MFA requires users to provide two or more verification factors to gain access to a resource – in this case, an email message. These factors can include a mixture of:
- Something you know (password)
- Something you have (a device such as a phone)
- Something you are (biometric)
Single-factor authentication, typically just an email address and password, offers less protection because the password is a single point of failure. Email logins are compromised routinely, whether through phishing, password guessing, or a data breach elsewhere that exposes a reused password.
Multi-factor authentication means that an attacker who has obtained the password still cannot get in without the second factor. It is not an absolute guarantee, since second factors such as SMS codes can themselves be phished or intercepted, but it removes the password as the single point of failure.
The two most common second factors used to authenticate email recipients are SMS codes and question-and-answer challenges.
SMS authentication
SMS authentication adds a layer of security to email access by requiring the user to prove possession of their phone, the 'something you have' factor.
SMS authentication uses a text message to verify the identity of the email recipient. SMS code verification is common practice, and consumers are familiar with using their mobile phones to quickly and easily access digital assets. It is also the weakest of the common second factors: a code can be read by anyone holding the phone, diverted by SIM swapping, or phished in real time, so it should be seen as a large improvement over a password alone rather than as a strong guarantee.
When a recipient tries to open a protected email, they must enter a code sent to their registered mobile number within a limited time. The code is generated per recipient and per message, is valid once, and unlocks only that specific email.
If the user repeatedly enters an incorrect code, access to the email is locked and the sender has to reissue it. A correct code grants access to the contents, and the recipient can then read and reply.
Q&A authentication
Q&A (question and answer) authentication verifies the identity of the email recipient with a challenge that uses the 'something you know' factor.
When a user attempts to open an email, they are prompted to answer a question the sender has set in advance. The question should be personal to the recipient (or to the relationship between sender and recipient) and hard for a third party to guess or look up: avoid general knowledge, basic personal details, and anything that can be found on social media or in public records.
If the recipient answers correctly they can access the email. After too many incorrect answers the content becomes inaccessible.
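The challenge handling described for SMS codes and Q&A above (per-message secret, limited validity, single use, lockout after repeated failures), as one added example serving both sections; it is not code from the original article or from any secure email product. The store, its method names and its defaults (300-second validity, three attempts) are assumptions for the example, the clock is injectable only so the behaviour can be exercised without waiting, and the code is returned to the caller because sending it by SMS is out of scope.

```python
import hashlib
import hmac
import secrets
import time


def _normalize(answer):
    """Case-fold and collapse whitespace so 'Blue  Peugeot ' matches 'blue peugeot'.
    For a numeric code this is a no-op."""
    return " ".join(answer.casefold().split())


class ChallengeStore:
    """Server-side store of per-message access challenges (constructed example).

    A challenge is bound to one message and one recipient, expires after
    ttl_seconds, is single-use, and locks after max_attempts failures.
    Only a hash of the secret is kept, so a copy of the store does not
    reveal the codes or answers.
    """

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested without waiting
        self._challenges = {}

    def _store(self, message_id, recipient, secret):
        self._challenges[(message_id, recipient)] = {
            "digest": hashlib.sha256(secret.encode("utf-8")).digest(),
            "expires": self.clock() + self.ttl,
            "attempts": 0,
            "locked": False,
        }

    def issue_sms_code(self, message_id, recipient):
        """Create a 6-digit code for this message and recipient. The caller
        sends it by SMS; it must never travel in the email it protects."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._store(message_id, recipient, code)
        return code

    def issue_question(self, message_id, recipient, answer):
        """Register the sender's pre-agreed answer for a Q&A challenge."""
        self._store(message_id, recipient, _normalize(answer))

    def verify(self, message_id, recipient, supplied):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'unknown'.

        'unknown' covers both a message that was never protected for this
        recipient and a misdirected email: the wrong recipient has no
        challenge to answer, so the contents stay closed.
        """
        key = (message_id, recipient)
        challenge = self._challenges.get(key)
        if challenge is None:
            return "unknown"
        if challenge["locked"]:
            return "locked"
        if self.clock() > challenge["expires"]:
            del self._challenges[key]
            return "expired"
        supplied_digest = hashlib.sha256(_normalize(supplied).encode("utf-8")).digest()
        # constant-time comparison: a timing leak would let the code be guessed digit by digit
        if hmac.compare_digest(supplied_digest, challenge["digest"]):
            del self._challenges[key]  # single use
            return "ok"
        challenge["attempts"] += 1
        if challenge["attempts"] >= self.max_attempts:
            challenge["locked"] = True  # stays locked until the sender reissues
            return "locked"
        return "wrong"
```

The lockout is what makes a six-digit code acceptable: without it an attacker holding the email link could try all one million codes in minutes. Note that the lock is recorded against the challenge, not the user session, so reopening the link does not reset the counter.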
Who should be using email authentication?
Email authentication is recommended for anyone who wants to ensure the security and privacy of their email communications, especially for those who regularly send or receive sensitive information and documents. This includes individuals, small businesses and large corporations.
In particular, businesses operating in highly regulated industries where confidentiality and data security are critical should implement email authentication as a standard practice.
For example - healthcare, finance, legal, and government sectors. This helps them to comply with sector-specific regulations and protect consumers’ personal and financial information.
Why is email authentication important?
There are multiple benefits to an organisation using email authentication, with the most prevalent being increased security. Utilising email authentication offers both senders and recipients protection against email threats, such as:
Phishing
Phishing is a widespread type of cyber attack that can target individuals or businesses. In a phishing attack, the threat actor sends an email pretending to be from a reputable source, such as a bank or well-known company.
The aim is to get the recipient to take an action that will put them at risk, such as clicking a link or replying with sensitive information. This helps the attacker to gain access to personal data, and can result in financial loss or identity theft.
Sender authentication is a critical defence against phishing because it tells the receiving server whether a message really came from the domain it claims, so a forged From: address in your name can be rejected before anyone sees it. It does not protect the message after delivery: without recipient authentication, there is no guarantee that an email has not been read by someone other than the intended person, for example through a shared or compromised mailbox.
Human error
While malicious attacks such as phishing are a high priority to protect against, human error is just as important to consider when it comes to preventing data breaches. In fact, sending an email to the wrong person is the number one cause of a data breach in the UK.
With an overflowing inbox and a busy workday, it is easy to attach the wrong document or accidentally send an email to the wrong person. Such misdirected emails are especially concerning if they contain sensitive information. Our latest survey reveals that at least a quarter of consumers have accidentally sent an email containing personal data to the wrong person.
Recipient authentication is key to protecting users from error, as it ensures that only an intended recipient can access the email you have sent them. Even if you were to send an email to the wrong person, they would be unable to pass the verification stage and open it.
Beyond protecting against phishing and human error, there are other business benefits to implementing strong email authentication:
- Compliance with regulations - many industries, such as finance and healthcare, have strict regulations surrounding the protection of sensitive data. Email authentication can help businesses comply by creating a secure environment for customer communication.
- Enhanced email deliverability - authenticated mail is easier for receivers to trust, which improves deliverability by reducing the chance that messages are rejected or filtered into the spam folder.
- Increased reputation – by taking steps to protect customer information and privacy, businesses can grow consumer loyalty and trust in their brand.
Creating a comprehensive email security strategy
While most email providers support sender authentication out of the box, the SPF, DKIM and DMARC records still have to be published and maintained in DNS by the domain owner; recipient authentication requires a secure email solution.
Secure email solutions often provide further protection against cyber threats and error, as authentication alone is not enough for email communications that are fit for the exchange of highly sensitive information. For example, our own solution Mailock provides:
- End-to-end encryption, to prevent email interception
- Email revoke, to block access to any messages sent in error
- Security phrases, to automatically encrypt sensitive emails
- Tracking, to store a full audit trail for outbound messages
- Free secure email for recipients (customers and clients)
To find out more about what a secure email solution is and what it can do for your business, check out our guide to secure email.
Originally posted on 06 04 23
Last updated on July 26, 2023
Posted by: Sabrina McClune
Sabrina McClune is an expert researcher with an MA in Digital Marketing. She was a finalist in the Women In Tech Awards 2022. Sabrina has worked extensively with B2B technology companies conducting and compiling thorough academically driven research to produce online and offline media. She loves to read fantasy novels and collect special edition books.