Editing Email authentication

{{Short description|Techniques aimed at providing verifiable information about the origin of email messages}}'''Email authentication''', or '''validation''', is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the [[Domain name#Purpose|domain ownership]] of any [[message transfer agent]]s (MTA) who participated in transferring and possibly modifying a message.

The original base of Internet email, [[Simple Mail Transfer Protocol]] (SMTP), has no such feature, so forged sender addresses in emails (a practice known as [[email spoofing]]) have been widely used in [[phishing]], [[email spam]], and various types of frauds. To combat this, many competing email authentication proposals have been developed. {{As of|2018|pre=By|bare=yes}} three had been widely adopted – [[Sender Policy Framework|SPF]], [[DKIM]] and [[DMARC]].<ref>{{cite arXiv |author1=Hang Hu |author2=Peng Peng |author3=Gang Wang |title=Towards the Adoption of Anti-spoofing Protocols |eprint=1711.06654 |class=cs.CR |year=2017 }}</ref><ref>{{cite web |last1=kerner |first1=Sean Michael |title=DMARC Email Security Adoption Grows in U.S. Government |date=2 January 2018 |url=http://www.eweek.com/security/dmarc-email-security-adoption-grows-in-u.s.-government |publisher=eWeek |access-date=24 November 2018}}</ref> The results of such validation can be used in automated [[email filtering]], or can assist recipients when selecting an appropriate action.
 
This article does not cover user [[authentication]] of email submission and retrieval.

==Rationale==
In the early 1980s, when [[Simple Mail Transfer Protocol]] (SMTP) was designed, it provided for no real verification of sending user or system.  This was not a problem while email systems were run by trusted corporations and universities, but since the [[commercialization of the Internet]] in the early 1990s, [[spam (electronic)|spam]], [[phishing]], and other crimes have been found to increasingly involve email.

Email authentication is a necessary first step towards identifying the origin of messages, and thereby making policies and laws more enforceable.

Hinging on domain ownership is a stance that emerged in the early 2000.<ref>{{cite web |url=http://www.ftc.gov/bcp/workshops/e-authentication/ |title=Email Authentication Summit |author=<!--Staff writer(s); no by-line.--> |date=November 9–10, 2004 |work=workshop |publisher=[[Federal Trade Commission]] |access-date=4 February 2013 |archive-url=https://web.archive.org/web/20120603201012/https://www.ftc.gov/bcp/workshops/e-authentication/ |url-status=unfit|archive-date=3 June 2012 |quote=The Report, however, identified domain-level authentication as a promising technological development}}</ref><ref>{{cite mailing list |url=https://mailarchive.ietf.org/arch/msg/dmarc/-pX7yWlSk39ShOjAzWMxhxlKh1E/ |title=third party authorization |date=14 August 2020 |access-date=14 August 2020 |mailing-list=dmarc-ietf |author=Michael Hammer}}</ref>  It implies a coarse-grained authentication, given that domains appear on the right part of email addresses, after the [[at sign]].  Fine-grain authentication, at user level, can be achieved by other means, such as [[Pretty Good Privacy]] and [[S/MIME]].  At present, [[digital identity]] needs to be managed by each individual.

An outstanding rationale for email authentication is the ability to automate email filtering at receiving servers.  That way, spoofed messages can be rejected before they arrive to a user's Inbox.  While protocols strive to devise ways to reliably block distrusted mail, security indicators can tag unauthenticated messages that still reach the Inbox.  A 2018 study shows that security indicators can lower the click-through ratio by more than ten points, 48.9% to 37.2% of the users who open spoofed messages.<ref>{{cite book |author1=Hang Hu |author2=Gang Wang |title=End-to-End Measurements of Email Spoofing Attacks |url=https://www.usenix.org/conference/usenixsecurity18/presentation/hu |work=27th [[USENIX]] Security Symposium |date=15 August 2018|pages=1095–1112 |isbn=9781939133045 }}</ref>

==Nature of the problem==
SMTP defines message ''transport'', not the message ''content''. Thus, it defines the mail ''envelope'' and its parameters, such as the [[envelope sender]], but not the header (except ''trace information'') nor the body of the message itself. STD 10 and {{IETF RFC|5321}} define SMTP (the envelope), while STD 11 and {{IETF RFC|5322}} define the message (header and body), formally referred to as the [[Internet Message Format]].

SMTP defines the ''trace information'' of a message, which is saved in the header using the following two fields:<ref name="rfc5321">{{cite IETF|title=Simple Mail Transfer Protocol|rfc=5321|author=John Klensin|author-link=John Klensin|sectionname=Trace Information|section=4.4| date=October 2008 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=1 February 2013 |quote=When the SMTP server accepts a message either for relaying or for final delivery, it inserts a trace record (also referred to interchangeably as a "time stamp line" or "Received" line) at the top of the mail data.  This trace record indicates the identity of the host that sent the message, the identity of the host that received the message (and is inserting this time stamp), and the date and time the message was received.  Relayed messages will have multiple time stamp lines.}}</ref>
* ''Received'': when an SMTP server accepts a message it inserts this trace record at the top of the header (last to first).
* ''Return-Path'': when the delivery SMTP server makes the ''final delivery'' of a message, it inserts this field at the top of the header.

A [[mail user agent]] (MUA) knows the ''outgoing mail'' SMTP server from its configuration. An MTA (or a relay server) typically determines which server to connect to by looking up the [[MX record|MX]] (Mail eXchange) [[Domain Name System|DNS]] resource record for each recipient's [[domain name]].

The path depicted below can be reconstructed on the ground of the ''trace header fields'' that each host adds to the top of the header when it receives the message:<ref name="rfc5321"/>
[[Image:Email-flow-with-an-intermediate-relay.png|thumb|left|upright=1.25|Email authentication can be complicated by the presence of an intermediate relay. '''A''' and '''B''' clearly belong to the author's Administrative Management Domain, while '''D''' and '''E''' are part of the recipient network. What role does '''C''' play?]] 
<syntaxhighlight lang="email">
Return-Path: <author@example.com>
Received: from D.example.org by E.example.org with SMTP; Tue, 05 Feb 2013 11:45:02 -0500
Received: from C.example.net by D.example.org with SMTP; Tue, 05 Feb 2013 11:45:02 -0500
Received: from B.example.com (b.example.com [192.0.2.1])
  by C.example.net (which is me) with ESMTP id 936ADB8838C
  for <different-recipient@example.net>; Tue, 05 Feb 2013 08:44:50 -0800 (PST)
Received: from A.example.com by B.example.com with SMTP; Tue, 05 Feb 2013 17:44:47 +0100
Received: from [192.0.2.27] by A.example.com with SMTP; Tue, 05 Feb 2013 17:44:42 +0100
</syntaxhighlight>
The first few lines at the top of the header are usually trusted by the recipient. Those lines are written by machines in the recipient's Administrative Management Domain ([[ADMD]]), which act upon their explicit mandate. By contrast, the lines that prove the involvement of '''A''' and '''B''', as well as of the purported author's [[Mail user agent|MUA]] could be a counterfeit created by '''C'''. The <code>Received:</code> field shown above is an epoch-making piece of the header. The <code>Return-Path:</code> is written by '''E''', the [[mail delivery agent]] (MDA), based on the message ''envelope''. Additional trace fields, designed for email authentication, can populate the top of the header.

Normally, messages sent out by an author's ADMD go directly to the destination's [[MX record|MX]] (that is '''B → D''' in the figures). The sender's ADMD can add authentication tokens only if the message goes through its boxes. The most common cases can be schematized as follows:

[[Image:Mailflows-reloaded.png|thumb|right|upright=1.25|A schematic representation of the most common ways that an email message can get transferred from its author to its recipient.]]

===Sending from within ADMD's network (MUA 1)===
* The ADMD's [[Mail Submission Agent|MSA]] authenticates the user, either based on its [[IP address]] or some other SMTP Authentication means. Depending on the recipient address, the message can follow the normal path or pass through a mailing list or a forwarding service.<ref group="note">For example, a recipient can instruct [[Gmail]] to forward messages to a different email address. The sender is not necessarily aware of that.</ref> '''B''' can be an outbound [[SMTP proxy]] or a [[smarthost]].<ref group="note">Properly configured proxies appear as part of the author ADMD.</ref>
* If the local network does not block outbound port 25 connections,<ref group="note" name="no25">Some ADMDs block outbound connection to port 25 (SMTP) to avoid this. This proactive technique is described in RFC 5068. In addition, some block inbound SMTP connections from [[IP address|IPs]] listed as [[Dialup Users List|dialup]]/DSL/cable.</ref> the user can deploy some "direct-to-mx" software.<ref group="note" name="noadmd">In this case the author's ADMD is not involved at all.</ref> Typically, [[Zombie computer|zombies]] and other malicious hosts behave that way.
* If the MUA is badly configured, it can also use a different relay, such as an outmoded [[open relay]], that often does not authenticate the user.

===Roaming user (MUA 2)===
* Most of the times it is still possible to use one's own ADMD MSA.<ref group="note">Some ISPs block port 587, although RFC 5068 clearly says:
<blockquote>Access Providers MUST NOT block users from accessing the external Internet using the SUBMISSION port 587.</blockquote></ref>
* Outbound connections to port 25 can be intercepted and tunnelled to a transparent proxy.<ref group="note" name="noadmd"/>
* A MUA can be configured to use an SMTP relay that the local network provider offers as a bonus.<ref group="note" name="noadmd"/>

===Disconnected user===
* An [[e-card]] can send mail on behalf of a customer who typed email addresses on the local keyboard; some [[web form]]s can be considered to work similarly.<ref group="note" name="noadmd"/>

===Section notes===
{{Reflist|group="note"}}

==Authentication methods in widespread use==

===SPF===
{{Main|Sender Policy Framework}}
[[Image:SPF.png|thumb|right|upright=1.25|SPF authenticates the sender IP address.]]
SPF allows the receiver to check that an email claimed to have come from a specific domain comes from an IP address authorized by that domain's administrators. Usually, a domain administrator will authorize the IP addresses used by their own outbound MTAs, including any proxy or smarthost.<ref>{{cite IETF |title=Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1 |rfc=7208 |author1=Scott Kitterman |date=April 2014 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=26 April 2014 |quote=There are three places that techniques can be used to ameliorate unintended SPF failures with mediators.}}</ref><ref>{{cite IETF |title=Simple Mail Transfer Protocol |sectionname=Alias |section=3.9.1 |rfc=5321 |author=J. Klensin |date=October 2008 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=15 February 2013}}</ref>

The IP address of the sending MTA is guaranteed to be valid by the [[Transmission Control Protocol]], as it establishes the connection by checking that the remote host is reachable.<ref name="ipaddressforging">IP Address forgery is possible, but generally involves a lower level of criminal behavior (breaking and entering, wiretapping, etc.), which are too risky for a typical hacker or spammer, or insecure servers not implementing RFC 1948, see also [[Transmission Control Protocol#Connection hijacking]].</ref>  The receiving mail server receives the <code>HELO</code> [[Simple Mail Transfer Protocol|SMTP]] command soon after the connection is set up, and a <code>[[bounce address|Mail from:]]</code> at the beginning of each message.  Both of them can contain a domain name.  The SPF verifier queries the [[Domain Name System]] (DNS) for a matching SPF record, which if it exists will specify the IP addresses authorized by that domain's administrator. The result can be "pass", "fail", or some intermediate result - and systems will generally take this into account in their anti-spam filtering.<ref>{{cite web |title=How reliable is it to block/reject on SPF fail? |url=http://www.gossamer-threads.com/lists/spf/help/35352#35352 |author=Scott Kitterman |date=Nov 21, 2009 |work=spf-help |publisher=gossamer-threads.com |quote=I think it's generally fine as long as you offer a mechanism for whitelisting of non-SRS forwarders.}}</ref>

===DKIM===
{{Main|DomainKeys Identified Mail}}
[[Image:DomainKeys Identified Mail (DKIM).png|thumb|right|upright=1.25|DKIM authenticates parts of the message content.]]
DKIM checks the ''message content'', deploying [[digital signature]]s.  Rather than using digital certificates, the keys for signature-verification are distributed via the DNS.  That way, a message gets associated to a domain name.<ref>{{cite IETF |title=DomainKeys Identified Mail (DKIM) Signatures |rfc=6376 |editor1=D. Crocker |editor2=T. Hansen |editor3=M. Kucherawy |date=September 2011 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=18 February 2013 |quote=DomainKeys Identified Mail (DKIM) permits a person, role, or organization to claim some responsibility for a message by associating a domain name with the message, which they are authorized to use.}}</ref>

A DKIM-compliant domain administrator generates one or more pairs of [[Asymmetric key algorithm|asymmetric keys]], then hands private keys to the signing MTA, and publishes public keys on the DNS.  The DNS labels are structured as <code>''selector''._domainkey.example.com</code>, where ''selector'' identifies the key pair, and <code>_domainkey</code> is a fixed keyword, followed by the signing domain's name so that publication occurs under the authority of that domain's ADMD.  Just before injecting a message into the SMTP transport system, the signing MTA creates a digital signature that covers selected fields of the header and the body (or just its beginning).  The signature should cover substantive header fields such as <code>From:</code>, <code>To:</code>, <code>Date:</code>, and <code>Subject:</code>, and then is added to the message header itself, as a trace field.  Any number of relays can receive and forward the message and at every hop, the signature can be verified by retrieving the public key from the DNS.<ref>{{cite web |url=http://www.dkim.org/info/dkim-faq.html |title=DKIM Frequently Asked Questions |author=Dave Crocker |date=16 Oct 2007 <!-- 10:32  --> |publisher=DKIM.org |access-date=17 February 2013}}</ref> As long as intermediate relays do not modify signed parts of a message, its DKIM-signatures remain valid.

===DMARC===
{{Main|Domain-based Message Authentication, Reporting &amp; Conformance}}

DMARC allows the specification of a policy for authenticated messages.  It is built on top of two existing mechanisms, [[Sender Policy Framework]] (SPF) and [[DomainKeys Identified Mail]] (DKIM).

It allows the administrative owner of a domain to publish a policy in their [[Domain Name Service|DNS]] records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the <code>From:</code> field presented to  end users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

==Other methods==
A range of other methods have been proposed, but are now either deprecated or have not yet gained widespread support. These have included [[Sender ID]], [[Certified Server Validation]], [[DomainKeys]] and those below:

===ADSP===
{{Main|Author Domain Signing Practices}}
ADSP allowed the specification of a policy for messages signed by the author's domain.  A message had to go through DKIM authentication first, then ADSP could demand a punishing treatment if the message was not signed by the author domain(s) —as per the <code>From:</code> header field.<ref>{{cite IETF |title=DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP) |rfc=5616|author1=E. Allman |author2=J. Fenton |author3=M. Delany |author4=J. Levine |date=August 2009 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=18 February 2013}}</ref>

ADSP was demoted to historic in November 2013.<ref>{{cite web |url=http://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/ |title=Change the status of ADSP (RFC 5617) to Historic |author=Barry Leiba |date=25 November 2013 |publisher=[[IETF]]}}</ref>

===VBR===
{{Main|Vouch by Reference}}
VBR adds a vouch to an already authenticated identity.  This method requires some globally recognized authorities that certify the reputation of domains.

A sender can apply for a reference at a vouching authority.  The reference, if accepted, is published on the DNS branch managed by that authority.  A vouched sender should add a <code>VBR-Info:</code> header field to the messages it sends.  It should also add a DKIM signature, or use some other authentication method, such as SPF.  A receiver, after validating the sender's identity, can verify the vouch claimed in <code>VBR-Info:</code> by looking up the reference.<ref>{{cite IETF |title=Vouch By Reference |rfc=5518 |author1=P. Hoffman |author2=J. Levine |author3=A. Hathcock |date=April 2009 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=18 February 2013}}</ref>

===iprev===
{{Main|Forward-confirmed reverse DNS}}
Applications should avoid using this method as a means of authentication.<ref name="rfc8601">{{cite IETF |title=Message Header Field for Indicating Message Authentication Status |rfc=8601 |author=[[Murray Kucherawy]] |date=May 2019 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=12 June 2023}}</ref> Nevertheless, it is often carried out and its results, if any, written in the <code>Received:</code> header field besides the TCP information required by the SMTP specification.

The IP reverse, confirmed by looking up the IP address of the name just found, is just an indication that the IP was set up properly in the DNS.  The [[Reverse DNS lookup|reverse resolution]] of a range of IP addresses can be delegated to the ADMD that uses them,<ref>{{cite IETF |title=Classless IN-ADDR.ARPA delegation |rfc=2317|author1=H. Eidnes |author2=G. de Groot |author3=P. Vixie |date=March 1998 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=18 February 2013}}</ref> or can remain managed by the network provider.  In the latter case, no useful identity related to the message can be obtained.

===DNSWL===
Looking up a [[DNSWL]] (DNS-based whitelist) may provide an assessment of the sender, possibly including its identification.

==Authentication-Results==
RFC 8601 defines a trace header field <code>Authentication-Results:</code> where a receiver can record the results of email authentication checks that it carried out.<ref name="rfc8601"/> Multiple results for multiple ''methods'' can be reported in the same field, separated by semicolons and wrapped as appropriate.

For example, the following field is purportedly written by <code>receiver.example.org</code> and reports [[Sender Policy Framework|SPF]] and [[DKIM]] results:
<syntaxhighlight lang="email">
Authentication-Results: receiver.example.org;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.i=@example.com
</syntaxhighlight>
The first token after the field name, <code>receiver.example.org</code>, is the ID of the authentication server, a token known as an ''authserv-id''. A receiver supporting RFC 8601 is responsible to remove (or rename) any false header claiming to belong to its domain so that downstream filters cannot get confused. However, those filters still need to be configured, as they have to know which identities the domain may use.

For a Mail User Agent (MUA), it is slightly harder to learn what identities it can trust.  Since users can receive email from multiple domains—e.g., if they have multiple email addresses -— any of those domains could let <code>Authentication-Results:</code> fields pass through because they looked neutral. That way, a malicious sender can forge an ''authserv-id'' that the user would trust if the message arrived from a different domain. A legitimate <code>Authentication-Results:</code> typically appears just above a <code>Received:</code> field by the same domain from which the message was relayed. Additional <code>Received:</code> fields may appear between that and the top of the header, as the message got transferred internally between servers belonging to that same, trusted ADMD.

The [[Internet Assigned Numbers Authority]] maintains a registry of [https://www.iana.org/assignments/email-auth/email-auth.xml Email Authentication Parameters].  Not all parameters need to be registered, though. For example, there can be local "policy" values designed for a site's internal use only, which correspond to local configuration and need no registration.

==See also==
* {{annotated link|DMARC}}
* {{annotated link|Email encryption}}
* {{annotated link|Email spoofing}}
* {{annotated link|Ident protocol|Ident}}
* {{annotated link|Secure messaging}}

==References==
{{Reflist}}

{{spamming}}
{{Scams and confidence tricks}}

{{DEFAULTSORT:Email Authentication}}
[[Category:Email authentication| ]]
[[Category:Internet fraud]]
[[Category:Spamming]]