Mar 11, 2007

Authentication Causing False Spoof Warnings

Email is easily "spoofed." That means you can make a message appear as if it’s coming from someone else (and perhaps trick them into submitting a password, or something slimy like that). So receiving servers now look for some type of "authentication" with every message you send. Authentication is basically "proof" that "this message really did come from my server."

Wouldn’t you know it, we’re starting to see a few cases of authentication causing false spoof/phishing warnings from email servers.

Here’s what’s happening:

  • You send an email campaign from Server A, to a recipient at Server B.
  • Server A has authentication set up, so your email carries all the proper "proof" that it truly came from Server A. You’re doing everything properly.
  • Server B accepts the message.
  • But your recipient, at Server B, is always on the go. He set up his email account to automatically forward all his email to his mobile device, which uses an email address hosted by his mobile service carrier (Server C).
  • Server C receives the (forwarded) email from Server B. But the message still carries Server A’s "proof" ("This was delivered by Server A") while it actually arrived from Server B, so it looks spoofed.
  • Server C rejects the message.

If you send a lot of emails, you may find evidence of this in one or two of your bounce backs.

It’s not a widespread issue (yet). We occasionally hear from a customer about how "My customer’s email server is saying my emails are spoofed!" Don’t worry. You’re not doing anything wrong. The recipient is probably just forwarding to his mobile device. Ask him to just subscribe with his mobile device’s email address instead of his forwarding address.

The recipient’s providers could theoretically solve this problem, if Server C could be told to "trust the judgments that Server B makes." Not gonna happen.
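To make the scenario above (and the "trust Server B" fix just mentioned) concrete, here is an added example that is not part of the original post. It models a path-based check such as SPF: the receiving server compares the IP that handed it the message against the hosts the sender’s domain authorizes. All domain names, IP addresses and the trusted-forwarder list are constructed.

```python
"""Model of path-based email authentication (SPF-style) breaking on forwarding.

Constructed example, not from the original post. Names and addresses are made
up. Assumes the receiving server checks the connecting IP against the list of
hosts the sender's domain authorizes, which is how SPF works.
"""
from dataclasses import dataclass

# Constructed: which hosts each sending domain authorizes (an SPF-like policy).
AUTHORIZED_SENDERS = {
    "newsletter.example": {"192.0.2.10"},  # Server A only
}

# Constructed forwarder list a receiving server could choose to trust
# (the "trust Server B's judgment" fix the post mentions).
TRUSTED_FORWARDERS = frozenset({"198.51.100.20"})  # Server B


@dataclass
class Message:
    mail_from_domain: str   # envelope sender domain that carries the "proof"
    connecting_ip: str      # IP of the host that handed us the message


def check_auth(msg: Message, trusted_forwarders=frozenset()) -> str:
    """Return 'pass', 'fail', or 'forwarded' for a received message."""
    allowed = AUTHORIZED_SENDERS.get(msg.mail_from_domain, set())
    if msg.connecting_ip in allowed:
        return "pass"
    if msg.connecting_ip in trusted_forwarders:
        # The forwarder already verified the message when it accepted it.
        return "forwarded"
    return "fail"


def simulate_forwarding_chain():
    """Walk the post's scenario: A -> B (direct), then B -> C (forwarded)."""
    server_a, server_b = "192.0.2.10", "198.51.100.20"
    # Step 1: Server B receives directly from Server A.
    at_b = check_auth(Message("newsletter.example", server_a))
    # Step 2: Server B forwards to Server C. The message still claims
    # newsletter.example, but C's connection now comes from Server B.
    at_c = check_auth(Message("newsletter.example", server_b))
    # Step 3: the same forwarded message if C trusted B as a forwarder.
    at_c_trusting = check_auth(Message("newsletter.example", server_b),
                               TRUSTED_FORWARDERS)
    return at_b, at_c, at_c_trusting


if __name__ == "__main__":
    print(simulate_forwarding_chain())  # ('pass', 'fail', 'forwarded')
```

The middle result is the false spoof warning the post describes: nothing about the message changed, only the hop it arrived from.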

This problem will be solved once enough mission-critical emails (like travel itineraries) are lost in cyberspace. Just keep an eye on your bounce records, and see if you spot someone you know who should be receiving your emails, but they hard bounced.

If you send last-minute travel itineraries (and people are likely to be forwarding your emails to their mobile devices), or if you’re a bank, and your security and reputation are critical, you may want to consider warning your recipients about this when they sign up for your emails (or at least creating a help article on your website about it).