Email authentication verifies the sender or recipient of an email message, helping to prevent fraud and spam, and making sure data is sent securely.
Email authentication uses digital checks to confirm the individual or organisation sending or receiving an email is genuine and trustworthy.
It addresses key threats, including phishing, where attackers try to steal sensitive information by posing as legitimate entities, and spoofing, where malicious actors send emails that appear to come from a genuine source.
"Email authentication is a cornerstone of modern digital security.
It builds trust in every email interaction, protecting both senders and recipients."
— Paul Holland, Founder, Beyond Encryption
To protect everyone involved in email communications, there are two main types of email authentication: sender authentication and recipient authentication.
Sender authentication is vital for proving the legitimacy of email communications.
It stops malicious actors from impersonating trusted sources, which lowers the risks of phishing and spoofing.
Sender authentication confirms that an email is from a legitimate source.
It helps genuine senders get their messages delivered, and it makes email safer for recipients.
This process often involves verifying the sender’s email address, as well as the message’s integrity, using cryptographic techniques.
Several methods are used for this:
SPF (Sender Policy Framework) lets administrators specify which domains and IP addresses are authorised to send email on behalf of their organisation.
These authorised senders are published as DNS (Domain Name System) records for the domain (e.g., beyondencryption.com).
When you send an email, the recipient’s mail server looks up your domain’s SPF record and checks whether the sending IP address is on the authorised list.
For more details, see the NCSC guidance on email security.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each message, so the recipient can verify both the sending domain and that the message was not altered in transit.
It works with a pair of cryptographic keys: the private key, held by your mail server, signs outgoing messages, and the matching public key is published in your DNS records.
When your message is received, the recipient’s mail server checks the signature against the public key in your DNS records.
DMARC (Domain-based Message Authentication, Reporting and Conformance) combines SPF and DKIM to check whether the sender is genuine.
It lets you publish a DNS record stating which authentication methods should verify emails from your domain.
Here’s how DMARC works in practice:
DMARC also lets you choose what happens if emails fail these checks, like sending them to spam or blocking them.
This action is then reported to the domain owner.
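To make the three checks concrete, here is a small evaluator added as an illustration; it is not code from Beyond Encryption or from any mail server. It reads SPF and DMARC records from a constructed in-memory DNS table (the example.com and example.net names and the addresses are placeholders), answers whether a sending IP is authorised, and applies the published DMARC policy when neither SPF nor DKIM passes. The DKIM result is taken as an input, since signature verification needs key material a live system would fetch.

```python
import ipaddress

# Constructed stand-in for DNS: TXT records keyed by name (real checks do live lookups).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s; adkim=r",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connecting IP (ip4/ip6/include/all only)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:   # no record, or runaway include chain
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"                                       # mechanisms default to +
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":                          # matches only if the included record passes
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        else:
            matched = mech == "all"                      # unknown mechanisms never match here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                                     # fell off the end of the record

def org_domain(name):
    """Crude organisational domain (last two labels); real code uses the Public Suffix List."""
    return ".".join(name.split(".")[-2:])

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply the DMARC record of the From domain: 'pass', or the published p= action."""
    record = DNS_TXT.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "none"                                    # no policy published: deliver as usual

    def aligned(domain, mode):                           # s = exact match, r = same organisation
        return domain == from_domain if mode == "s" else org_domain(domain) == org_domain(from_domain)

    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

A message passes DMARC when at least one of SPF or DKIM passes and its domain aligns with the From domain; otherwise the domain's own p= choice (none, quarantine or reject) decides what happens.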
"Combining SPF, DKIM, and DMARC is the base standard for email security.
It not only verifies senders, but also provides useful insights to domain owners."
— Mike Wakefield, CTO, Beyond Encryption
For more guidance, see the UK Government's recommendations on email security standards.
Although it’s not an authentication method by itself, BIMI uses DMARC to let senders display a brand logo next to emails in the recipient’s inbox.
This feature boosts brand recognition and builds trust, because recipients can see that an email comes from a verified source.
BIMI adds a BIMI header to outgoing messages.
It contains a URL to a logo file.
The recipient’s mail client verifies the logo with DKIM checks and displays it if it passes.
Note: While sender authentication confirms the sender’s identity, it doesn’t encrypt the email content. To confirm both the sender’s legitimacy and the message’s confidentiality, combine sender authentication with email encryption.
Recipient authentication makes sure only the intended recipient(s) can open an email.
It uses multi-factor (or two-factor) authentication to confirm the recipient’s identity.
MFA asks users to provide two or more verification factors to open an email.
These factors can include:
Single-factor authentication, which often includes just an email and password, creates one point of failure.
It’s easy for single-factor logins to get hacked or leaked in data breaches.
Multi-factor authentication stops attackers from breaking into an email account without more proof of identity.
Many methods exist for second-factor verification of email recipients.
The most common are SMS authentication and Q&A (question-and-answer authentication).
SMS authentication adds security by checking the user’s identity through the “something you own” factor.
It sends a verification code to a mobile device to confirm the recipient’s identity.
Most people are used to getting SMS codes for quick access to digital services.
When they try to open an email, they must enter a code sent to their phone within a short time frame.
This code is unique and only allows access to a single email.
If the user types the wrong code, access to that email is locked, and the sender must reissue it.
If the user types the right code, they gain access and can read and reply.
Q&A, or “question and answer,” checks the recipient’s identity through the “something you know” factor.
When the user tries to open an email, they answer a pre-defined question set by the sender.
The question should be unique to the recipient and hard for anyone else to guess.
Avoid general or trivial questions so that security stays strong.
If the user answers correctly, they can see the email.
If they get it wrong too many times, the content is locked.
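Added example (not Beyond Encryption's product code) of the recipient-side gate described above: a challenge in front of one email that expires, is single-use and locks after wrong answers, with the SMS-style code (one attempt, short validity) and the Q&A answer (several attempts) built on the same class. The code length, attempt limits and case-insensitive answer matching are assumptions.

```python
import hashlib
import hmac
import secrets
import time

class EmailAccessGate:
    """Second-factor gate in front of one email: the challenge is single-use,
    optionally time-limited, and locked after too many wrong answers."""

    def __init__(self, secret, ttl=None, max_attempts=1, clock=time.time):
        self._salt = secrets.token_bytes(16)             # keep only a salted hash of the answer
        self._digest = self._hash(secret)
        self._clock = clock
        self._expires = clock() + ttl if ttl is not None else None
        self._attempts_left = max_attempts
        self.state = "pending"                           # pending -> opened | locked | expired

    def _hash(self, value):
        # Answers are compared case-insensitively after trimming (an assumption for Q&A use).
        return hashlib.sha256(self._salt + value.strip().lower().encode()).digest()

    def verify(self, answer):
        """Check one answer and return the gate's new state."""
        if self.state != "pending":                      # already opened, locked or expired
            return self.state
        if self._expires is not None and self._clock() > self._expires:
            self.state = "expired"
        elif hmac.compare_digest(self._hash(answer), self._digest):
            self.state = "opened"                        # constant-time compare; gate is now spent
        else:
            self._attempts_left -= 1
            if self._attempts_left <= 0:
                self.state = "locked"                    # sender must reissue the challenge
        return self.state

def issue_sms_gate(ttl=300, clock=time.time):
    """SMS flow from the text: fresh 6-digit code, short validity, one attempt, one email."""
    code = f"{secrets.randbelow(10**6):06d}"             # this is what gets texted to the phone
    return code, EmailAccessGate(code, ttl=ttl, max_attempts=1, clock=clock)

def issue_qa_gate(answer, max_attempts=3):
    """Q&A flow from the text: sender-set answer, locked after max_attempts wrong guesses."""
    return EmailAccessGate(answer, max_attempts=max_attempts)
```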
Email authentication is helpful for anyone who wants to secure their emails, especially if they send or receive sensitive information.
This includes individuals, small businesses, and large organisations.
It’s especially important for businesses in highly regulated industries, where data security is critical.
Healthcare, finance, legal, and government sectors rely on email authentication to follow rules and protect personal and financial information.
Email authentication greatly improves security for organisations.
It protects both senders and recipients from phishing and human error.
Phishing is a common type of cyber attack aimed at individuals and businesses.
Attackers send emails that appear to be from trusted sources, like banks or well-known companies, to trick recipients into taking risky actions, such as clicking a link or sharing personal information.
Recent data shows that more than 80% of reported cyber attacks involve phishing emails.
For example, a 2023 study showed that phishing attacks caused almost 40% of all reported security breaches in small to medium-sized businesses worldwide.
Sender authentication helps fight phishing by confirming that emails come from a trusted source.
But without recipient authentication, there's no guarantee an email wasn’t read or altered by an unauthorised third party.
Protecting against malicious attacks is crucial, but human error also causes data breaches.
Sending an email to the wrong person is the leading cause of data breaches in the UK.
In a busy workplace, it’s easy to attach the wrong document or send an email to the wrong recipient (a misdirected email).
Misdirected emails can be damaging if they contain sensitive information.
Our research shows that at least a quarter of consumers have accidentally sent personal data to the wrong person.
Recipient authentication stops that by making sure only the intended recipient can open the email.
Even if an email goes to the wrong person, they can’t open it without passing the verification step.
Beyond phishing and human error, there are other business benefits to strong email authentication:
Many industries, such as finance and healthcare, have strict rules for handling sensitive data.
Email authentication helps businesses comply by securing customer communication.
Email authentication strengthens email authenticity and improves deliverability by reducing the chance that messages are rejected or sent to spam.
Protecting customer information and privacy helps businesses build trust and loyalty.
Robust email authentication involves both sender and recipient verification.
Below is a simple roadmap for putting these measures into practice:
While many email providers support basic sender authentication by default, organisations often need extra tools for recipient authentication.
If your emails contain highly sensitive content, you might consider a secure email solution that offers features like:
Read our comparison of secure email services to learn more.
Email authentication checks that an email is from a trusted sender and hasn’t been changed during delivery.
It helps prevent fraud and keeps communication safe.
DMARC uses SPF and DKIM to defend against phishing attacks.
It lets businesses control how unauthorised emails are handled.
MFA adds an extra security step by requiring a second factor, like a code sent to a mobile device.
This helps make sure only the intended recipient can access the email.
Are UK Consumers Not Taking Email Security Seriously?, Beyond Encryption, 2023
Email Security and Anti-Spoofing, NCSC, 2024
Email Security Standards, UK Government, 2024
Data Security Incident Trends, ICO, 2024
Cyber Security Breaches Survey, ICO, 2023
Between 80 and 95% of cyber attacks begin with phishing, Security Magazine, 2023
Sam Kendall, 10.01.2025
Sabrina McClune, 20.12.2024