Email Authentication: Key to Security, Delivery and Brand Protection

Email authentication is not a new topic, however it will remain a hot topic in 2021 for one very simple reason: the growing threat of email-based cyberattacks. As we reported in a recent webinar, 91% of cyberattacks typically start with a phishing email – which eventually enables the fraud, identity theft, sabotage, ransomware, or other form of attack to succeed. In fact, prior to the COVID-19 crisis Google detected over a hundred million phishing emails are sent per day. Everyone is vulnerable – it’s not really a matter IF an organization will be impacted, it’s just a matter of when. But, email authentication can help. 

The good news? SocketLabs’ native authentication protects all of our customers, and we’re helping companies build a consistent and strong email authentication stance that will allow them to succeed both today and in the future.  

The bad news? While the importance is increasing, far too many companies either aren’t aware of, or are not taking full advantage of, the protection email authentication offers. 

As we head into 2021 – this article will help you appreciate the value of great authentication – including DMARC policies – and take the steps necessary to fully authenticate your SocketLabs’ account. (For a detailed explanation of authentication tools and your SocketLabs’ configuration options, check out our Best Practices Guidelines for Authentication.)

What is email authentication? 

Email authentication at its core refers to the underlying technical standards that allow the receiver of an email message to validate and add trust to the point of origination of a given email message. Email authentication came about because receivers of email ultimately have to answer this questionwho sent this message and can I trust that this person really sent it?” 

How does authenticating email impact deliverability? 

The total volume of malicious email regularly transmitting across the internet is just mind-boggling. So is the role that spam filters play in keeping most malicious traffic away from us. Ultimately our challenge as legitimate email senders is to figure out how we make the job of those spam filters easier. With authentication, we improve deliverability by helping the mailbox providers and spam filters learn which is the “good” mail that can be trusted and delivered to the inbox.

The Future: No Auth, No Entry 

Currently, authentication policies such as DMARC allow senders enact a DNS policy that says “if mail originating from me doesn’t have authentication, I want you (the receiving mailbox) to put that mail in the spam folder”. The concept of “No Authentication (or Auth)No Entry” describes a future point in time when mailbox providers will enforce this type of logic unilaterally – meaning they will choose ONLY to trust and inbox authenticated messages. This is what mailbox providers want to see across the industryThat’s why mailbox providers across the industry are increasingly encouraging email senders and service providers like SocketLabs to authenticate 

How soon will “No Auth, No Entry” be a reality? 

It’s hard to say how far into the future “No Auth, No Entry” really is, but we’re getting close to the point where unauthenticated mail just represents too much of a risk. Seemingly every day there are new industry features and technology from some of the biggest vendors that are moving us towards greater use of authentication. For example, Microsoft is considering adding DMARC-like checking against messages even if there’s no sender policy in place. We also recently blogged about ARC technology which should help solve the historical problem of authentication breaking when a message is forwarded – effectively removing a longstanding barrier to authentication adoption. So we’re definitely moving in that direction, but there’s no clear answer as how long the evolution will take. Ultimately, the best practice that SocketLabs recommends and encourages is for customers to fully authenticate all email and use custom bounce domains and DKIM signtures (known as “white labling”) to allow DMARC protection.

How many companies have adopted DMARC authentication so far? 

When SocketLabs’ deliverabilty team recently sampled the domains on whose behalf we send messages, we saw that 32% had a DMARC policyEssentially, it means that over 68% of our customers have not yet elected to take advantage of all the benefits of DMARC. As an email infrastructure provider, the adoption we see is a direct reflection of the organizations that we work with and the customer choice can depend largely on what they’re trying to do. For example, it matters whether they’re sending mail for themselves or on behalf of multiple sub-clients (as in the example of CRM or marketing automation platform). Regardless of these nuances, our goal in the short term is to drive custom-authentication and DMARC policy adoption over 50%. (It’s important to note that SocketLabs automatically provides 100% SPF and DKIM protection to all customers, as explained below.) 

How is SocketLabs supporting 100% authentication?  

It is 100% true that 100% of the messages we send are authenticated. We made this commitment back in 2009 – long before the concept of DMARC – and we built automated authentication support into out cloud product from the beginning. This means customers get authentication based on SocketLabs’ domain, using a bounce address (envelope address) that SocketLabs controls (SPF authentication) and a DKIM signature placed there by SocketLabs (DKIM authentication). We’ve made this standard feature across our product at every pricing level – and there’s no limit on the different domains that a customer can authenticate. However, our automatic process does not (and can not) enable DMARC for a customer- they must set this up themselves, as explained below.

DMARC authentication requires customers to apply their OWN authentication, using our white labeling options. This allows customers to set up SPF authentication and DKIM authentication that’s “aligned” with their own domain, and not SocketLabs’ domain. Customers can then start setting a DMARC policy and ultimately to apply a strict DMARC policy in which unauthenticated messages are rejected. This is going to best prepare them for “No Auth, No Entry” in the future. In the short term, it’s going to add protection against spoofing, provide brand protection for their domain, and improve deliverability.

How does SocketLabs’ technology help customers authenticate email? 

We’re excited about newly introduced features that will help drive greater adoption of authentication. In particular, we offer onboarding assistance to new accounts as soon as they are opened and we’ve added advanced control for adding aligned SPF authentication and customizing aligned DKIM. We also give customers APIs to programmatically interact with our platform to add authentication settings. Further, since SocketLabs owns and controls the enterprise-class mail transfer agent (MTA) technology that underlies our cloud platform, we’ve built exciting custom features and solutions to help organizations solve unique authentication challenges. For instance, a recently new customer needed to support authentication on behalf of tens of thousands – and in some cases even hundreds of thousands – of different domains. SocketLabs developed a customized solution to help them simplify the process of authenticating at scale.

SocketLabs’ technical innovation and ability to customize our software as needed is helping us progress rapidly towards the goal of 100% customer-customized authentication. These strengths put our customers in a better stance from both a processing and deliverability perspective, and allow us the flexibility to adapt to new authentication demands as the threat landscape and industry response continues to evolve.

 

Check out these authentication resources: 

Review and modify your authentication settings, log in to visit your performance dashboard or review SocketLabs Best Practices Guidelines for Authentication setup guide.