Mar/Apr 2007

Ask the Expert: What should my organization know about Email Sender Authentication?

by Dr. David Crooke, Founder and Chief Technology Officer, Convioand Dr. Bill Pease, Chief Scientist, Convio

SPF. Sender ID. DomainKeys. No, these aren't levels of sunscreen protection or fancy locksmith tools. These are all ways to verify the identity of an email sender.

Aimed more at controlling online fraud than alleviating spam, email authentication enables more reliable message filtering. Using some form of email authentication also can help prevent spoofing, phishing, and hoax messages — email messages that claim to be sent by well-known organizations and attempt to steal your account information and passwords by asking you to reply with personal information like your credit card number, social security number or account password. So, if you receive an email that purports to be from Citibank or eBay, sender authentication can detect whether the sender is legitimate or an impostor engaged in brand spoofing and phishing.

You're probably scratching your head and wondering how this will affect you and your nonprofit organization. Authentication is rapidly becoming a critical factor for determining whether your email, newsletters and other online communications will be delivered or snared in a spam filter. These messages will increasingly get marked as spam — unless you implement some kind of authentication.

Email publishers everywhere are rapidly adopting sender authentication. For example, the Direct Marketing Association Nonprofit Federation recommends that organizations use some form of sender authentication for email marketing. Sender authentication is one of several ways ethical users of mass email communication can distinguish themselves from spammers, so it is in the long-term interest of all nonprofit marketers to see this technology widely adopted.

How do SPF, Sender ID and DomainKeys work?

All three of these sender authentication systems share a reliance on changes being made to DNS, the system that links IP addresses to domain names. DNS records have been expanded so that domain owners can identify the specific mail servers authorized to send email for their domain. When anyone receives mail purporting to be from your organization's domain, they will be able to check your DNS record to see if the sending mail server is authorized to mail in your name. Failing an authentication test is an indication that a message has a forged sender, and should probably be blocked.

SPF, Sender ID, and DomainKeys differ in the specific component of an email message that each tests. SPF is simplest — it checks the "envelope sender" of an email message (the domain name of the mail server initiating an SMTP connection). Sender ID delays its checking until after message data are transmitted, and examines several sender-related fields in the header of an email message to identify the "purported responsible address." DomainKeys checks a header containing a digital signature of the message. This system is more complicated because it verifies the integrity of each individual message.

How do I get started?

Is your organization prepared for this new wave of email authentication? All mail servers (including the servers of all your vendors as well as your own internal mail servers) will need to comply with SPF protocol if you want your mail to reach large segments of your audience.

Any Internet Service Provider (ISP) or spam-control system using email authentication systems will be checking your organization's domain name records for SPF data. To make sure your DNS records are updated to comply with SPF, you'll need to get in touch with the technical contact on your DNS records for every domain you own that sends email. You can find the contact easily by searching the whois record for your domain name(s) at http://www.networksolutions.com/. Then, instruct the technical contact person to publish an SPF record for your organization. An easy-to-use SPF wizard is available at http://spf.pobox.com/. The email service provider (ESP) that powers your online marketing also can advise you on the details of how to configure SPF and Sender ID records, which authorize your ESP's servers to send email on your behalf.

Existing Convio platform clients are encouraged to visit http://customer.convio.com/WhatIsSPF (login required) for details of how to configure Sender ID and SPF.

Ask the Expert: What should my organization know about Email Sender Authentication? | Convio