Email Authentication Can Accentuate the Positives, But It Doesn’t Always Eliminate the Negatives

Sometimes at EmailAuth and in discussions with our customers and employees, I encounter the same misconceptions regarding email authentication, especially about DMARC. There’s a lot DMARC (and SPF, and DKIM) can accomplish for your company and its brand; however, there are plenty of things it cannot achieve. It isn’t a blog post designed to teach you how to set up the three protocols. Other blog articles explain the steps to set up an SPF-based authentication, DKIM validation and DMARC. We want to ensure that everyone who reads this is aware of the benefits authentication brings. However, it also has its limitations.

The Authentication Process Confirms Your Identity

If an email message passes authentication tests, the sending domain can be pretty sure of the authenticity as the domain(s) who has claimed responsibility by publishing an SPF or DMARC record and DKIM signing the email message. This way, authentication works similarly to providing a driver’s licence or passport image ID to verify your identity.

…But It Will Not, By Itself, Create A Reputation You Can Trust

The process of passing the authentication check means that the domain receiving it can verify the authenticity of the person or persons responsible for the communication. The receiving part can handle the message in line with the reputation these individuals have already established. In other words, if authentication is the sole good aspect of your mail practices, it is possible to pass authentication, which will allow the recipient domain to place your message to the junk mail folder (or more likely) when your other practices justify such a placement. I always emphasize this issue in conversations with people by saying that “even criminals are licensed drivers”.

The DMARC Establishes Trust and Reaffirms Its Presence by sending Email…

Similar to the idea of authentication, which provides a way to verify the identity of those accountable for the message, the message that passes DMARC checks can be believed to originate from the domain shown on the letters “From” header that is the domain that the recipient is likely to come across when reading the message. The trust factor in emails is crucial to engagement as messages that are authentic and from the source are likely to be opened and clicked. Furthermore that, with DMARC being slated to be a requirement in the upcoming BIMI Standard, this “force multiplication” of trust will become much more crucial for senders in the future.

…But it’s not enough to eliminate Phishing and fraud

DMARC can be described as what prefer to refer to as a “positive affirmation” protocol. It is a positive assertion because it provides a statement regarding the practices of an individual domain’s authentication; however, it does not mention the rules of any other part. For example, a publicly-published DMARC Policy for domain X implies that domain X has authenticated its mail and requires a particular treatment for non-authenticated mail that includes domain X in the From header, and that’s all there is. The policy doesn’t address the usage of domain X in the DKIM signature domain or return-path domain (which is used for SPF screening). More importantly, it does not cover parts that look like domain X but aren’t identical.

Consider the following two messages, both with this subject:

Subject: Critical Account Update Information


One has this From header:

From: “Your Bank” <>


And the other has this:

From: “Your Bank” <>


The DMARC policies on the domain’ only confirm the first message and won’t affect the second. If Your Bank was forward-thinking enough to create a “lookalike” domain and then create a policy that declares “this domain doesn’t send mail”, However, there are likely to be more similar domains than the most careful domain owner can sign up for, so DMARC alone won’t be able to stop the entire set. (BIMI may help to reduce some of the risks by displaying logos from brands for mail that can pass DMARC checks. However, we’re still far from widespread acceptance by BIMI.)

Especially If the Domain Isn’t Verifying for DMARC

However many DMARC policies the owner of a brand publishes for its domains, the policies are useless in the absence of an environment that receives mail that claims to be coming from one of these domains performs DMARC validation. Validation is widely used throughout the email world. However, numerous domains, both small and large, aren’t performing DMARC validation, which means that mailbox holders on those domains face a greater risk of fraud and Phishing than those at fields that do check and enforce DMARC policies.


Email authentication can be used as a method to establish credibility and authenticity in Email. Still, it has, at the same time, shown its weaknesses in establishing reputation and preventing fraud and Phishing. EmailAuth completely supports the concept that email authentication is the best practice and an asset to the entire email system; however, we want to ensure that our clients know that it’s just one aspect of the overall strategy for building credibility and fighting Phishing and fraud.




Comments are closed