Authentication Cheat Sheet

There are a several approaches to authenticating email, and the different authentication methods have a lot of different settings to choose from (sometimes because they’re useful, other times just because they were designed by committee). It’s nice that they have that flexibility for the complex situations that might benefit from them, but almost all the time you just want to choose a good, default authentication approach.
So here’s some short prescriptive advice in no particular order for “how to do email authentication at an ESP well” without the long discussions of alternative approaches and justification of each piece of advice.

  1. Remove every trace of DomainKeys from your email flow
  2. Sign all your email with DKIM
  3. Publish SPF records
  4. Have your SPF records finish with ~all, not -all
  5. Ignore SenderID, unless you have delivery problems at Hotmail (and even then measure results rather than just assuming it will help)
  6. Don’t publish ADSP records
  7. Have the customer pick a single domain to tie their reputation to – ideally their “main” domain, but if that’s not possible then a customer-specific domain owned by the ESP is the next best thing (i.e. “customer.com” is ideal, but “customer.esp.com” is much better than just “esp.com”)
    1. Use that domain as the d= field when signing email (“d=customer.com”)
    2. Use that domain, or a sub-domain of it, in the From: field of the email (“From: Someone <someone@customer.com>” or “From: Someone <someone@fooble.customer.com>”)
  8. Pick a good email address to use in the From: field, don’t change it lightly
  9. Use two-part selectors for DKIM, one specific to you, the ESP, on the right and one for key rotation on the left (why do this?)
  10. Use just what’s needed for DKIM – don’t use i=, l=, q=, x= or z= in the signature, don’t use g= or s= in the published key
    1. dkimcore.org has more specific advice about which subset of DKIM to sign with
  11. Make sure your SPF records are valid
  12. TLS/SSL isn’t useful for authenticating mail (it’s great for connecting to a smarthost from a mail client, but not for connections from the smarthost)
  13. None of SPF, DKIM or TLS are really designed to protect or hide the contents of a message
    1. Customers who really want that could look at S/MIME or PGP
    2. … but better to design their business model such that they don’t need to, as client support is spotty at best
  14. Empirical evidence that doing something will make a customer happy trumps any of the above
    1. maybe because there’s evidence SenderID or ADSP or somesuch really helps that customer
    2. or maybe because the customer just wants it, even if there’s no evidence it would help

Mail client use of authentication data is still in flux, so it’s likely that some of this may change slightly (interaction between SPF and DKIM d= domains, for example) but it’s a pretty good base to start with today.

Related Posts

End of quarter spam

There has been a plethora of big brand companies doing stupid stuff with marketing recently. I can only figure it’s end of quarter and everyone is looking to pump up their numbers as fast as possible.
I talked about Millenium hotels sending me with an utterly irrelevant ad earlier this week.
@Yahoomail direct message spammed all their twitter followers with an ad for something related to the new Yahoo mail product.
Anyone watching my twitter feed yesterday probably noticed me complaining about spam from Dell.
All of these things are just examples of sloppy marketing. In Dell’s case it’s even worse because they sent me multiple copies of the spam to different addresses. Two copies of the same “SHOP NOW!” email to different addresses, one of which has never been given to Dell.
Mail to the first address is unquestionably spam and I did send in a complaint to Dell’s ESP. That address is never used to sign up for anything. I did try clicking on the “update your subscription” link in the footer and Dell’s website helpfully told me that address was not on their mailing lists. Looks like Dell bought a list.
The second address is one that was involved with the purchase of software from Dell last July. This is the first non-transactional mail sent to that address. I can’t necessarily call the email spam as I did give it to Dell during the course of a transaction. However, Dell could have done a lot better in managing our “relationship” than they did.
Dell collected my email address as part of a transaction in July 2010. They did not start sending marketing mail to this address until May 2011. While Dell is a major brand and most people would recognize the name and may be a little less inclined to hit “this is spam” waiting 10 months between a purchase and regular mailings is a bad idea.  People who don’t use tagged addresses may forget they gave the sender an email address and automatically send in a spam complaint.
Sitting on an address for 10 months means Dell really should have done a welcome series, or even just a single welcome email, to ease the transition from no mail to regular mail. But, no, they just send me an email advertising their sales.
We’ve been Dell customers for quite a while, and all of our purchases have been enterprise grade hardware or software to run on those servers. We’ve never purchased anything remotely like office computers. But the sales flyer was for desktops, printers and monitors. Dell knows what I purchased from there, so why are they sending me ads for things I’ve never bought?
We have our own Dell sales rep, and my only involvement in the transaction is source of payment. Adding me to a product list really feels like spam.
Then there was the email itself.  The “update your subscription” link was broken and told me I wasn’t subscribed to their list. I mentioned it to Steve and he pointed out that particular link had been broken “forever.” How long has it been since anyone inside of Dell has checked that their footer links work?
What is Dell up to? Who knows. But they unarguably are sending mail to addresses that never opted in. And even if you consider an email giving during a purchase process their handling of that particular address was appalling and in violation of almost every good practice out there.
 

Read More

What is Two Factor Authentication?

Two factor authentication, or the snappy acronym 2FA, is something that you’re going to be hearing a lot about over the next year or so, both for use by ESP employees (in an attempt to reduce the risks of data theft) and by ESP customers (attempting to reduce the chance of an account being misused to send spam). What is Authentication?
In computer security terms authentication is proving who you are – when you enter a username and a password to access your email account you’re authenticating yourself to the system using a password that only you know.
Authentication (“who you are”) is the most visible part of computer access control, but it’s usually combined with two other A’s – authorization (“what you are allowed to do”) and accounting (“who did what”) to form an access control system.
And what are the two factors?
Two factor authentication means using two independent sources of evidence to demonstrate who you are. The idea behind it is that it means an attacker need to steal two quite different bits of information, with different weaknesses and attack vectors, in order to gain access. This makes the attack scenario much more complex and difficult for an attacker to carry out.
It’s important that the different factors are independent – requiring two passwords doesn’t count as 2FA, as an attack that can get the first password can just as easily get the second password. Generally 2FA requires the user to demonstrate their identity via two out of three broad ways:

Read More

ESPs, Non-portable Reputation and Vendor Lock-in

I’ve seen some mentions recently of ESPs suggesting that if you use your own domain in the From: of mail you send through an ESP then that ESP can’t “do email authentication” properly unless they require you to edit your domains DNS settings. That’s not really so, but there is a kernel of truth in there.
The real situation is, unsurprisingly, a bit more complicated.
What authentication features should you look for in an ESP?

Read More