Dec 8, 2005

Email Authentication (What the heck it means)

You may have heard a lot about Email Authentication recently. Microsoft’s HotMail said they’d be implementing it sometime late this year, and so has Yahoo!Mail. Everyone’s getting worried that if their servers aren’t authenticated, their emails will be blocked or rejected. So what the heck is it? How does it work? Who makes it? Is it really that important? We’ll try to explain a few things…

What is Email Authentication (in plain English, please)?

Email Authentication verifies whether or not an email truly came from wherever it claims to come from.

Why is Authentication Needed?

Right now, it’s too easy for spammers and scammers to make emails look like they came from anywhere (that kind of "email forgery" is called spoofing). And you know all those fake eBay or "your local bank" emails you get, where they try to trick you into giving them your passwords or personal information? That’s called "phishing," for your information. Scammers "spoof" a reputable company, then "phish" for information. All this "spoofing" and "phishing" is getting way, way out of hand, so ISPs are starting to use authentication to solve the problem.

How Does it Work?

The three most talked-about solutions are SPF, Microsoft’s SenderID, and Yahoo’s Domain Keys. With SPF and SenderID, the idea is to publish a record that says, "Any email from me should only be coming from here." Since it’s simple, lots of ISPs (AOL, for instance) have already implemented and tested SPF and SenderID.
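To make the "should only be coming from here" record concrete, here is a small SPF evaluator. It is an added example, not MailChimp’s code or any ISP’s: the receiving server looks up the sending domain’s SPF record (a DNS TXT record starting with v=spf1), walks its mechanisms in order, and reports whether the connecting IP is allowed. The domain names, IP addresses and records below are constructed and stand in for real DNS lookups; the evaluator covers the ip4, ip6, a, mx, include and all mechanisms, which is the subset most published records use, and treats anything else as a permanent error.

```python
"""Minimal SPF check (added example). Evaluates whether a sending IP is
permitted to send mail for a domain, using a constructed DNS zone in place
of live lookups."""
import ipaddress

# Constructed zone: TXT (SPF), A and MX records for fictional domains.
FAKE_DNS = {
    "TXT": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.esp.example -all",
        "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
        "loop.example": "v=spf1 include:loop.example -all",   # self-referencing record
    },
    "A": {"mail.example.com": ["203.0.113.25"]},
    "MX": {"example.com": ["mail.example.com"]},
}

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name):
    """Stand-in for a DNS query against the constructed zone above."""
    return FAKE_DNS[rtype].get(name.lower())


def host_matches(ip, hostname):
    """True if the sender IP is one of the hostname's A records."""
    return any(ip == ipaddress.ip_address(a) for a in lookup("A", hostname) or [])


def check_spf(ip, domain, _depth=0):
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror') for a sender IP and the domain in the envelope sender."""
    ip = ipaddress.ip_address(ip)
    if _depth > 10:
        return "permerror"      # guards against include: loops (RFC 7208 also caps lookups)
    record = lookup("TXT", domain)
    if not record or not record.startswith("v=spf1"):
        return "none"           # domain publishes no SPF record
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech in ("ip4", "ip6"):
            # An IPv6 sender never falls inside an ip4 network and vice versa.
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = host_matches(ip, arg or domain)
        elif mech == "mx":
            hit = any(host_matches(ip, mx) for mx in lookup("MX", arg or domain) or [])
        elif mech == "include":
            sub = check_spf(ip, arg, _depth + 1)
            if sub == "permerror":
                return "permerror"
            hit = sub == "pass"  # include: only matches on a pass from the other record
        else:
            return "permerror"  # mechanism this example does not implement
        if hit:
            return QUALIFIERS[qual]
    return "neutral"            # no mechanism matched and no explicit all


if __name__ == "__main__":
    for sender in ("192.0.2.10", "203.0.113.25", "198.51.100.7", "203.0.113.99", "2001:db8::1"):
        print(sender, check_spf(sender, "example.com"))
```

The order of mechanisms matters: the first match wins, so a record ending in -all rejects everything not explicitly listed, while ~all only marks it as suspicious. This is also why an include of a third-party sender (an email service provider, say) has to appear before the final all.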

Yahoo’s "Domain Keys" is a bit more sophisticated (and some say more effective). It involves placing cryptographic code inside every single piece of outgoing email. Needless to say, this is a bit more work on delivery servers. Yahoo recently teamed up with Cisco for this initiative, and they changed the name to "DomainKeys Identified Mail" or "DKIM" for short.
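The "cryptographic code inside every piece of email" is a DKIM-Signature header. This added example (not Yahoo’s, Cisco’s or MailChimp’s code) shows what that header covers and how a receiver checks it: the body is canonicalized and hashed into the bh= tag, and the listed headers plus the signature header itself are canonicalized and signed. Real DKIM signs with an RSA private key and the receiver fetches the public key from DNS at selector._domainkey.domain; Python’s standard library has no RSA, so an HMAC with a constructed shared secret stands in for that one step here. The message headers, body, domain, selector and secret are all constructed; the relaxed canonicalization rules follow RFC 6376.

```python
"""DKIM-style sign and verify (added example). Canonicalization and the
body hash follow RFC 6376; an HMAC stands in for the RSA signature."""
import base64
import hashlib
import hmac
import re

# Constructed stand-ins: a real signer holds an RSA private key and publishes
# the public key at <selector>._domainkey.<domain> in DNS.
FAKE_SIGNING_SECRET = b"placeholder-signing-secret"
SELECTOR, DOMAIN = "s1", "example.com"
SIGNED_HEADERS = ["from", "to", "subject", "date"]   # the h= list


def canon_body_relaxed(body):
    """RFC 6376 relaxed body canonicalization: collapse runs of whitespace,
    strip trailing whitespace per line, drop trailing empty lines, CRLF ends."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines)


def canon_header_relaxed(name, value):
    """RFC 6376 relaxed header canonicalization: lowercase the name, unfold,
    collapse whitespace, trim around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body).encode()).digest()).decode()


def _get(headers, name):
    return next((v for n, v in headers if n.lower() == name), None)


def _signed_data(headers, sig_value):
    """Data the signature covers: the h= headers, then the DKIM-Signature
    header itself with its b= value emptied (RFC 6376 section 3.7)."""
    data = "".join(canon_header_relaxed(n, _get(headers, n))
                   for n in SIGNED_HEADERS if _get(headers, n) is not None)
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    return data + canon_header_relaxed("dkim-signature", stripped).rstrip("\r\n")


def _mac(data):
    # Stand-in for RSA signing; a real receiver would verify with the DNS public key.
    return base64.b64encode(hmac.new(FAKE_SIGNING_SECRET, data.encode(), hashlib.sha256).digest()).decode()


def sign(headers, body):
    """Return the DKIM-Signature header value for a (headers, body) message."""
    sig = (f"v=1; a=hmac-sha256-stand-in; c=relaxed/relaxed; d={DOMAIN}; s={SELECTOR}; "
           f"h={':'.join(SIGNED_HEADERS)}; bh={body_hash(body)}; b=")
    return sig + _mac(_signed_data(headers, sig))


def verify(headers, body):
    """Return 'pass', 'none' (unsigned), or a short reason the check failed."""
    sig = _get(headers, "dkim-signature")
    if sig is None:
        return "none"
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if tags.get("bh") != body_hash(body):
        return "fail: body hash mismatch"
    if not hmac.compare_digest(_mac(_signed_data(headers, sig)), tags.get("b", "")):
        return "fail: signature mismatch"
    return "pass"


# Constructed sample message.
HEADERS = [("From", " Alice <alice@example.com>"), ("To", " bob@example.net"),
           ("Subject", " Hello   there"), ("Date", " Thu, 8 Dec 2005 10:00:00 -0500")]
BODY = "Hi Bob,  \n\nPlease   see the attached report.\n\n\n"


def demo():
    """Sign the sample, then verify it intact and after three kinds of change."""
    signed = HEADERS + [("DKIM-Signature", sign(HEADERS, BODY))]
    return {
        "intact": verify(signed, BODY),
        "body_edited": verify(signed, BODY.replace("report", "invoice")),
        "subject_edited": verify([("Subject", " Urgent!") if n == "Subject" else (n, v)
                                  for n, v in signed], BODY),
        "whitespace_only": verify(signed, "Hi Bob,\n\nPlease see the attached report.\n"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two things worth noticing: a change to the body or to any header in the h= list breaks the signature, but a relay that only reflows whitespace does not, which is the point of the relaxed canonicalization. And because the signature is tied to the d= domain rather than to the sending IP, DKIM survives forwarding in cases where an SPF check would not.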

BOooorrring! How Does Authentication Help me?

It boils down to reputation. If you’re an email marketer, you want your email service provider (like MailChimp) to have a good reputation. And ISPs consider authentication one sign (of many) that the sender has a decent reputation.

It’s kind of like the ISPs are starting to hang signs on their doors that say, "Shirt and shoes required!" (for the record, MailChimp always wears a shirt and shoes when he goes out. He even wears a spiffy little mail-man hat). That little sign isn’t going to stop robbers from entering the store (robbers wear shoes, too). But it should help the ISPs’ overall customer experience, in that they won’t have to deal with all those yokels walking around barefoot and scratching their you-know-whats in the beer aisle.

Authentication is not a "secret handshake" and it doesn’t mean your emails will "slip past" any spam filters. It just means your emails won’t be penalized for not being authenticated.

You’re still the one in control of your content, subject line, proper coding, and relevancy. In other words, you can walk in with shirt and shoes, but if you’re also wearing a ski mask, do not expect to receive friendly customer service from the guy behind the counter.

And if you’re a bank, or a big company whose reputation is on the line every time someone spoofs your company, authentication will eventually help people determine if emails are truly from you.

So Is Authentication Going to Stop Spam?

Nope. Unfortunately, spammers can technically set up authentication, too. Authentication is not a silver bullet. It’s just one tiny "baby step" way to help impede spoofing and phishing.

Is MailChimp Implementing Email Authentication?

Yes. When we launch v2.3, all outgoing email from MailChimp will be SenderID, SPF, and DKIM authenticated.