Email authentication is a set of checks that verify who sent an email message, or who is allowed to open it. It lets receiving systems detect forged and spam messages, and it helps make sure sensitive data reaches only the person it was meant for.
Email authentication involves using digital checks to confirm the identity of an email sender or recipient.
The goal is to make sure the person or business sending or receiving an email is genuine and trustworthy.
By verifying email identities, authentication can prevent malicious attacks and protect sensitive data, even if an email is mistakenly sent to the wrong person.
"Email authentication is a cornerstone of modern digital security. It ensures trust in every email interaction, protecting both senders and recipients."
— Paul Holland, Founder, Beyond Encryption
To protect all participants in email communications, there are two main types of email authentication: Sender Authentication and Recipient Authentication.
Sender authentication confirms that an email from an organisation or individual is from a legitimate source.
It improves message deliverability for genuine senders and reduces the risk for recipients when opening emails.
This process involves verifying the domain a message claims to come from and, with DKIM, the integrity of the signed parts of the message, using DNS records and cryptographic signatures.
Several methods are used to achieve this:
The Sender Policy Framework (SPF) lets a domain owner publish which mail servers, identified by IP address or by reference to another domain's SPF record, are authorised to send email using that domain.
The list is published as a TXT record in DNS (the Domain Name System).
For example, a single SPF record can authorise several services at once, such as your Microsoft 365 tenant and your marketing email provider, by including each provider's published address ranges.
When a message arrives, the receiving server looks up the SPF record for the domain in the envelope sender (the SMTP MAIL FROM or Return-Path address, not the From header the user sees) and checks whether the connecting IP address is on the list.
A match gives an SPF result of pass.
No match gives fail or softfail, depending on whether the record ends in -all or ~all; what the receiver then does (reject, quarantine, or merely record the result) is its own decision and, in practice, is driven by the domain's DMARC policy rather than by SPF alone.
Two caveats matter in practice: a record may trigger at most ten DNS-querying terms (include, a, mx, redirect and similar) before it is treated as a permanent error, and SPF breaks on forwarded mail, because the forwarding server's IP is not on the original domain's list.
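The following is an added example, not code from the original page or from Mailock, showing how a receiving server evaluates an SPF record: it resolves the MAIL FROM domain's record from a constructed in-memory DNS table (an assumption, so it runs offline), walks the terms in order, follows include: terms recursively, honours the +, -, ~ and ? qualifiers, and applies the ten-lookup limit. Only the ip4, ip6, include and all terms are implemented; the domains and address ranges are constructed sample data.

```python
import ipaddress

# Constructed in-memory DNS TXT table (assumption: stands in for real lookups
# so the example runs offline). Addresses use the RFC 5737/3849 example ranges.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mailer.test ~all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    "loop.test": "v=spf1 include:loop.test -all",  # pathological self-including record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: more than ten DNS-querying terms is a permerror


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for a domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(ip, mail_from_domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate SPF for a connecting IP and the envelope MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none or permerror. Only the ip4,
    ip6, include and all terms are handled; a, mx, exists and redirect would
    need address/MX lookups and are rejected explicitly rather than guessed.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = lookup_spf(mail_from_domain, dns)
    if record is None:
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if sender.version == network.version and sender in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_spf(ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: a broken include is fatal
            # fail, softfail or neutral inside the include just means "no match here"
        else:
            raise NotImplementedError(f"SPF term '{name}' is not handled by this example")
    return "neutral"  # record ended without an 'all' term and nothing matched
```

Note that the function only produces a result; turning softfail into "deliver to spam" or fail into "reject" is the receiver's policy, and with DMARC in place it is the DMARC disposition that normally decides.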
DomainKeys Identified Mail (DKIM) adds a digital signature to each outgoing message. It does not encrypt anything, but it lets the receiver verify both the signing domain and that the signed parts of the message were not changed in transit, which SPF cannot do.
The sending system holds a private key and signs selected headers (typically From, To, Subject and Date) together with a hash of the message body; the matching public key is published in DNS under a selector (selector._domainkey.example.com) that is named in the DKIM-Signature header.
When the message is received, the recipient's server fetches that public key, recomputes the body hash, and verifies the signature over the canonicalised headers.
If the signature verifies, the server knows the message was signed by a holder of the domain's private key and that the signed content is intact.
If the signature is invalid or missing, the message is simply treated as unsigned; whether that leads to rejection or filtering depends on the domain's DMARC policy, since plenty of legitimate mail carries no DKIM signature at all.
A DKIM pass only tells you which domain signed the message, which need not be the domain in the visible From header; tying the two together is DMARC's job.
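The following is an added example, not code from the original page or from Mailock, showing the part of DKIM verification that gives the integrity guarantee described above: the RFC 6376 "relaxed" and "simple" canonicalisation rules, the recomputation of the bh= body hash, and the assembly of the exact octets that the b= signature covers. Checking b= itself needs the domain's real public key, so the sample signature's b= value is a placeholder; the message, headers and signature tags are constructed sample data.

```python
import base64
import hashlib
import hmac
import re

CRLF = "\r\n"


def relaxed_body(body):
    """RFC 6376 s3.4.4 relaxed body canonicalization: collapse runs of
    spaces/tabs, drop trailing whitespace per line, drop empty lines at
    the end, and end a non-empty body with CRLF. A relay that strips
    trailing spaces therefore does not break the body hash."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""


def simple_body(body):
    """RFC 6376 s3.4.3 simple canonicalization: only trailing empty lines go;
    an empty body becomes a single CRLF."""
    lines = body.split(CRLF)
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else CRLF


def relaxed_header(name, value):
    """RFC 6376 s3.4.2: lowercase name, unfold, collapse whitespace, strip ends."""
    value = re.sub(r"\r\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}{CRLF}"


def simple_header(name, value):
    """Simple header canonicalization leaves the field exactly as sent."""
    return f"{name}:{value}{CRLF}"


def parse_tags(sig_value):
    """Parse a DKIM-Signature tag=value list; folding whitespace inside
    values is dropped (correct for the b=, bh=, h=, d=, s= and c= tags)."""
    tags = {}
    for item in sig_value.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def body_hash(body, canon="simple"):
    """Base64 SHA-256 of the canonicalized body: the value carried in bh=."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data.encode("utf-8")).digest()).decode("ascii")


def verify_body_hash(body, sig_value):
    """First stage of verification: recompute bh= from the received body.
    A mismatch means the body changed after signing; the verifier stops here."""
    tags = parse_tags(sig_value)
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    return hmac.compare_digest(body_hash(body, body_canon or "simple"), tags["bh"])


def signed_data(headers, sig_value):
    """Octets covered by b=: each header listed in h= (taken from the bottom
    of the message upwards, RFC 6376 s5.4.2), then the DKIM-Signature header
    itself with b= emptied and no trailing CRLF. The verifier hashes this and
    checks the signature with the key from <s>._domainkey.<d>."""
    tags = parse_tags(sig_value)
    canon = relaxed_header if tags.get("c", "simple").startswith("relaxed") else simple_header
    remaining, out = list(headers), []
    for wanted in tags["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                out.append(canon(*remaining.pop(i)))
                break
    out.append(canon("DKIM-Signature", re.sub(r"\bb=[^;]*", "b=", sig_value)).rstrip(CRLF))
    return "".join(out)


# Constructed sample message (assumption); b= is a placeholder since checking
# it would need the signing domain's real key.
SAMPLE_BODY = "Please pay invoice 42 to account 1234.\r\n"
SAMPLE_HEADERS = [("From", " Alice <alice@example.com>"), ("To", " bob@example.net"),
                  ("Subject", " Hi   there")]
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
              "h=from:subject; bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; b=PLACEHOLDER")


def demo():
    """Body-hash check on the intact body and on one altered in transit."""
    tampered = SAMPLE_BODY.replace("1234", "9999")
    return verify_body_hash(SAMPLE_BODY, SAMPLE_SIG), verify_body_hash(tampered, SAMPLE_SIG)
```

Changing a single digit of the account number in the sample body flips the bh= check from true to false, which is the tamper detection the text refers to; headers that are not listed in h= (To, in this sample) are not protected at all, which is why a signer should cover From, Subject, Date and the MIME headers at minimum.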
Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF and DKIM to validate the domain in the visible From header.
A domain owner publishes a DMARC record (a TXT record at _dmarc.<domain>) that tells receivers to treat a message as authentic only if SPF or DKIM passes for a domain that aligns with the From domain; alignment is what stops an attacker passing SPF for a domain they control while spoofing yours in the From header.
The record's p= tag says what receivers should do with messages that fail: none (deliver and only report), quarantine (typically deliver to the spam folder), or reject (refuse delivery); an sp= tag can set a separate policy for subdomains.
Receivers then send aggregate reports (and, where supported, failure reports) to the addresses in the rua= and ruf= tags, which is how the domain owner learns which sources send mail in its name and whether they pass.
The usual rollout is to start at p=none, fix the legitimate senders that fail alignment using the reports, and only then move to quarantine and reject.
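The following is an added example, not code from the original page or from Mailock, of the DMARC evaluation a receiver performs: policy discovery at the From domain and then its organisational domain, strict versus relaxed identifier alignment for SPF and DKIM, and the disposition (none, quarantine or reject) taken from p= or sp= when nothing aligns. The public-suffix subset and the DMARC records are constructed for the example; a real evaluator uses the full Public Suffix List and live DNS.

```python
# Constructed public-suffix subset (assumption): a real evaluator consults the
# full Public Suffix List to find a domain's organisational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk"}

# Constructed DNS TXT table (assumption) so the example runs offline.
FAKE_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                          "rua=mailto:dmarc-rua@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.org",
}


def organizational_domain(domain):
    """Public suffix plus one label, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for item in record.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def find_dmarc_record(from_domain, dns):
    """RFC 7489 s6.6.3 policy discovery: _dmarc.<From domain>, then
    _dmarc.<organisational domain>. Returns (domain found at, tags)."""
    for candidate in (from_domain, organizational_domain(from_domain)):
        record = dns.get("_dmarc." + candidate.lower())
        if record and record.lower().startswith("v=dmarc1"):
            return candidate.lower(), parse_dmarc(record)
    return None, None


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any domain sharing the From domain's organisational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_results, dns=FAKE_DNS_TXT):
    """Combine the SPF result (for the MAIL FROM domain) and each DKIM result
    (for its d= domain) with the visible From domain.

    dkim_results is a list of (d= domain, result) pairs, one per signature.
    Returns (dmarc_result, disposition). pct= sampling is not modelled; it
    only dilutes the disposition while a policy is being rolled out.
    """
    record_domain, policy = find_dmarc_record(from_domain, dns)
    if policy is None:
        return "none", "none"  # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, result in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failed: sp= applies when the From domain is a subdomain of the domain
    # the record was found at, otherwise p=.
    if from_domain.lower() != record_domain:
        return "fail", policy.get("sp", policy.get("p", "none"))
    return "fail", policy.get("p", "none")
```

The second test case below is the classic spoof: the attacker's own infrastructure passes SPF and DKIM for attacker.test, but nothing aligns with the example.com From header, so the published p=reject applies. The p=none case shows why a record at none offers monitoring only.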
"Combining SPF, DKIM, and DMARC is the gold standard for email security. It not only verifies senders but also provides actionable insights to domain owners."
— Mike Wakefield, CTO, Beyond Encryption
Although not an authentication method itself, Brand Indicators for Message Identification (BIMI) builds on DMARC to let participating mailbox providers display a brand logo alongside emails from a domain.
Image source: Brand Indicators for Message Identification, Rejoiner, 2024
This enhances brand recognition and builds trust, as recipients can see that an incoming email is from a verified source.
BIMI works by publishing a DNS TXT record at default._bimi.<domain> whose l= tag points to the brand's SVG logo file and whose optional a= tag points to a Verified Mark Certificate (VMC) that ties the logo to the organisation.
The receiving mailbox provider only fetches and displays the logo if the message passes DMARC and the domain's DMARC policy is at enforcement (quarantine or reject, not none); several large providers additionally require a VMC.
The logo is therefore a visible signal that the message passed DMARC, not a separate verification of its own.
While sender authentication verifies the sending domain and the integrity of the signed content, it does not encrypt the email content, in transit or at rest. To get both sender legitimacy and message confidentiality, use sender authentication alongside email encryption.
Recipient authentication makes sure that only the intended recipient(s) can access an email.
It uses multi-factor (or two-factor) authentication to verify the recipient's identity before the message can be opened.
MFA requires the user to present two or more independent verification factors to access an email.
These factors fall into three categories: something you know (a password, or the answer to an agreed question), something you have (a phone that receives a one-time code), and something you are (a fingerprint or face).
Single-factor authentication, typically involving just an email and password, creates a single point of failure.
It is too easy for single-factor logins to be compromised through phishing, credential stuffing with passwords leaked in data breaches, or plain guessing.
Multi-factor authentication stops an attacker who has obtained the password from opening the account or message without also holding the additional factor.
Several methods are used for second-factor verification of email recipients.
The most common are SMS authentication and Q&A (question-and-answer authentication).
Both are weaker than an authenticator app or hardware security key (NIST SP 800-63B treats SMS as a restricted authenticator, because codes can be intercepted through SIM swapping or SS7 attacks), but they need no setup on the recipient's side, which is why secure email products favour them.
SMS authentication adds security by verifying the user's identity through the 'something you have' factor: possession of the phone registered for the recipient.
It sends a verification code to a mobile device to confirm the email recipient's identity.
Consumers are increasingly familiar with using SMS codes for quick and easy access to digital assets.
When attempting to open an email, recipients must enter a code sent to their phone within a limited time period.
This code is unique and should only allow access to a single email.
If an incorrect code is entered, access to the email is locked and the sender must reissue the code; a code that has passed its time limit must likewise be reissued.
If the correct code is entered, the recipient gains access to the email contents and can read and reply.
Q&A, or ‘question and answer’, verifies the recipient's identity through the ‘something you know’ factor.
When attempting to open an email, users answer a pre-defined question set by the sender.
The question should be unique to the recipient and difficult for anyone else to answer.
Avoid general knowledge, facts visible on social media (a pet's name, a school, a birthday), and anything the recipient has previously written in email; agree the answer through a separate channel, such as a phone call, never in the email thread itself, since anyone able to read the thread would then also hold the answer.
If the user answers correctly, they can access the email.
Incorrect answers too many times will lock the email content.
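The following is an added example, not code from the original page or from Mailock, of the per-message gate described in the SMS and Q&A sections above: a single-use code with an expiry, or a pre-agreed answer, each behind an attempt limit. It stores only salted hashes, compares in constant time, normalises answers so accidental case and spacing differences do not lock the recipient out, and consumes a challenge once it has been passed so it cannot be replayed. The time limit, attempt limit and six-digit code format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata

CODE_TTL_SECONDS = 10 * 60   # assumption: a code is valid for ten minutes
MAX_ATTEMPTS = 3             # assumption: three wrong submissions lock the message


def normalise_answer(answer):
    """Case-fold, Unicode-normalise and collapse whitespace so that
    'Fluffy  the Cat ' and 'fluffy the cat' match. This only removes
    accidental variance; it cannot make a guessable question safe."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(secret, salt):
    """Slow salted hash so a stored answer cannot be read back from the store."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class MessageGate:
    """Challenge guarding one message: a one-time SMS-style code with an
    expiry, or a pre-agreed answer. Note that a six-digit code has only a
    million possibilities, so the hash does little against offline guessing
    of the code; the attempt limit and the expiry carry that security. The
    hash matters for the answer, which may be reused across messages."""

    def __init__(self, message_id, factor, answer=None, now=time.time):
        if factor not in ("sms", "answer"):
            raise ValueError("factor must be 'sms' or 'answer'")
        self.message_id, self.factor, self.now = message_id, factor, now
        self.salt = secrets.token_bytes(16)
        self.digest = None
        self.expires_at = None
        self.attempts = 0
        self.locked = False
        self.consumed = False
        if factor == "answer":
            self.digest = hash_secret(normalise_answer(answer), self.salt)

    def issue_code(self):
        """Create a fresh six-digit code for delivery out of band (the caller
        sends it by SMS); reissuing resets the attempt count. Never log it."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.digest = hash_secret(code, self.salt)
        self.expires_at = self.now() + CODE_TTL_SECONDS
        self.attempts = 0
        self.locked = False
        return code

    def verify(self, submitted):
        """Returns granted, denied, locked, expired, consumed or not_issued."""
        if self.consumed:
            return "consumed"   # single use: a passed challenge cannot be replayed
        if self.locked:
            return "locked"
        if self.digest is None:
            return "not_issued"
        if self.factor == "sms" and self.now() > self.expires_at:
            return "expired"
        self.attempts += 1
        candidate = submitted.strip() if self.factor == "sms" else normalise_answer(submitted)
        if hmac.compare_digest(hash_secret(candidate, self.salt), self.digest):
            self.consumed = True
            return "granted"
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True
            return "locked"
        return "denied"
```

The gate is keyed to one message, so a code that opens one email is useless for any other, and a locked gate stays locked until the sender reissues the code; both behaviours match the flow described above, with the attempt counter making the lockout explicit.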
Email authentication is essential for anyone wanting to secure their email communications, especially those regularly sending or receiving sensitive information.
This includes individuals, small businesses, and large corporations.
In particular, businesses in highly regulated industries where data security is critical should implement email authentication as standard.
Sectors like healthcare, finance, legal, and government use email authentication to comply with regulations and protect personal and financial information.
Email authentication significantly increases security for organisations.
It protects both senders and recipients from threats like phishing and human error.
Phishing is a common type of cyber attack that targets individuals or businesses.
Attackers send emails pretending to be from reputable sources, like banks or well-known companies, to trick recipients into taking risky actions, such as clicking a link or providing sensitive information.
Phishing can lead to personal data theft and financial loss.
Sender authentication helps prevent phishing by letting receivers detect and reject messages that forge a trusted domain; it cannot stop phishing sent from look-alike domains the attacker legitimately controls, which will pass SPF, DKIM and DMARC for that look-alike domain.
It also says nothing about who reads a message once it has been delivered: DKIM protects the signed content from alteration in transit, but if the message lands in the wrong inbox, or the inbox is compromised, anyone with access can read it. That is the gap recipient authentication (and encryption) address.
While protecting against malicious attacks is crucial, addressing human error is equally important to prevent data breaches.
According to the ICO's data security incident trends, sending an email to the wrong person is the most frequently reported cause of data breaches in the UK.
In a busy work environment, it is easy to attach the wrong document or send an email to the wrong recipient (a misdirected email).
Misdirected emails can be especially damaging if they contain sensitive information.
Our latest survey shows that at least a quarter of consumers have accidentally sent emails containing personal data to the wrong person.
Recipient authentication protects against such errors by making sure only the intended recipient can access the email.
Even if an email is sent to the wrong person, they cannot open it without passing the verification stage.
Beyond phishing and human error, there are other business benefits to strong email authentication:
While many email providers offer sender authentication as a default, recipient authentication often requires a secure email solution.
Secure email solutions provide additional protection against cyber threats and errors, as authentication alone may not suffice for highly sensitive communications.
For example, Mailock offers:
Learn more about what a secure email solution can do for your business in our guide to secure email.
Email authentication verifies that an email is from a trusted sender and has not been tampered with during delivery. It helps prevent fraud and ensures safe communication.
DMARC combines SPF and DKIM with alignment to the visible From domain, providing robust protection against exact-domain spoofing. It allows businesses to tell receivers how unauthorised emails should be handled and to receive reports about them.
MFA adds an extra layer of security by requiring a second verification factor, such as a code sent to a mobile device, ensuring that only the intended recipient can access the email.
Data Security Incident Trends, ICO, 2024
Brand Indicators for Message Identification, Rejoiner, 2024
Sam Kendall, 20.12.2024
Sabrina McClune, 20.12.2024