There are a several approaches to authenticating email, and the different authentication methods have a lot of different settings to choose from (sometimes because they’re useful, other times just because they were designed by committee). It’s nice that they have that flexibility for the complex situations that might benefit from them, but almost all the time you just want to choose a good, default authentication approach.
So here’s some short prescriptive advice in no particular order for “how to do email authentication at an ESP well” without the long discussions of alternative approaches and justification of each piece of advice.
- Remove every trace of DomainKeys from your email flow
- Sign all your email with DKIM
- Publish SPF records
- Have your SPF records finish with ~all, not -all
- Ignore SenderID, unless you have delivery problems at Hotmail (and even then measure results rather than just assuming it will help)
- Don’t publish ADSP records
- Have the customer pick a single domain to tie their reputation to – ideally their “main” domain, but if that’s not possible then a customer-specific domain owned by the ESP is the next best thing (i.e. “customer.com” is ideal, but “customer.esp.com” is much better than just “esp.com”)
- Use that domain as the d= field when signing email (“d=customer.com”)
- Use that domain, or a sub-domain of it, in the From: field of the email (“From: Someone <email@example.com>” or “From: Someone <firstname.lastname@example.org>”)
- Pick a good email address to use in the From: field, don’t change it lightly
- Use two-part selectors for DKIM, one specific to you, the ESP, on the right and one for key rotation on the left (why do this?)
- Use just what’s needed for DKIM – don’t use i=, l=, q=, x= or z= in the signature, don’t use g= or s= in the published key
- dkimcore.org has more specific advice about which subset of DKIM to sign with
- Make sure your SPF records are valid
- TLS/SSL isn’t useful for authenticating mail (it’s great for connecting to a smarthost from a mail client, but not for connections from the smarthost)
- None of SPF, DKIM or TLS are really designed to protect or hide the contents of a message
- Customers who really want that could look at S/MIME or PGP
- … but better to design their business model such that they don’t need to, as client support is spotty at best
- Empirical evidence that doing something will make a customer happy trumps any of the above
- maybe because there’s evidence SenderID or ADSP or somesuch really helps that customer
- or maybe because the customer just wants it, even if there’s no evidence it would help
Mail client use of authentication data is still in flux, so it’s likely that some of this may change slightly (interaction between SPF and DKIM d= domains, for example) but it’s a pretty good base to start with today.