I figure that there's a lot of confusion around the various sender authentication protocols and frameworks that are out there, so it's worth posting this as a specific thread to help people research and understand them.
Definition:
Quote:
Originally Posted by Wikipedia
E-mail authentication greatly simplifies and automates the process of identifying senders. After identifying and verifying a claimed domain name, it is possible to treat suspected forgeries with suspicion, reject known forgeries, and block e-mail from known spamming domains.
Taken from Wikipedia
In plain English for domain owners, this can help you in at least 2 ways. First, it allows you to prevent forged or spoofed email sent by others from damaging your domain's email reputation (and keeps you from dealing with many of the bounces those forged emails cause). Secondly, by adopting and using these standards, you can reduce the amount of spam mail that you personally receive and also contribute to reducing the amount of spam mail in general faced by all of us. In other words, it's good for all of us.
In short, if your business depends on email you owe it to yourself to investigate these methods and make an informed choice about whether to implement them or not. Personally, I can't see any reason not to embrace them all, since it's important to me to do everything I can to ensure that email I send is actually received.
So, the links below will take you to various resources regarding the different methods. I'll provide just the briefest overview of them since there's no point in remaking the wheel.
SPF (Sender Policy Framework) utilizes a small text entry in your domain's Zone file to identify servers which are permitted to send email on behalf of your domain. It's important to note that your server doesn't have to use SPF records for filtering incoming mail for you to implement your own SPF record for your domain. Receiving servers that do utilize SPF to screen incoming mail will compare mail claiming to come from your domain against the list of permitted senders.
(Adopted by many large email providers, such as Gmail and AOL)
SIDF (Sender ID Framework) is very much the same as the SPF record and is promoted by Microsoft. The link will take you to a MS page where you can create an SPF record and where you can also submit your domain to be added to the SIDF cache.
This is a very useful process if you tend to email a lot of Microsoft addresses (Hotmail, Live).
AOL Postmaster Tools - AOL has adopted SPF and provides resources here for webmasters and postmasters to register their servers, create feedback loops and request whitelist status.
This is very useful if you send a lot of email to AOL addresses.
DomainKeys is distinctly different from SPF/SID methods because it doesn't use domain names as the method of authentication. Instead, DomainKeys uses a signature which is attached to outgoing email. Receiving servers that use DomainKeys can then compare that signature against the public key held on the server of the actual domain. DomainKeys was originally developed by Yahoo, but has been adopted by Gmail and is also now widely supported on many web hosting servers.
There are other resources, but these seem the most valuable to me. Of course there will be new developments and there will be critics. But from my perspective, it's up to us as website owners and managers to stay on top of these new methods and to implement them when we can.
To my knowledge, there are no major ISPs or email providers that are REQUIRING email authentication from incoming mail, yet!
However, many (AOL, Gmail, Hotmail and others) have indicated that is exactly where they're headed.
A final tip: Because Gmail uses both SPF and DomainKeys I like to use it for testing my configuration when setting up email authentication. Send an email to a Gmail address and then view the headers - you'll get a very useful description of Gmail's analysis of the message's authenticity. This is also useful for seeing how Gmail is handling mail from non-authenticated sources.
Anyway, I hope this is helpful to some people.