Email authentication

Last updated

Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.

Contents

The original base of Internet email, Simple Mail Transfer Protocol (SMTP), has no such feature, so forged sender addresses in emails (a practice known as email spoofing) have been widely used in phishing, email spam, and various types of frauds. To combat this, many competing email authentication proposals have been developed. By2018 three had been widely adopted – SPF, DKIM and DMARC. [1] [2] The results of such validation can be used in automated email filtering, or can assist recipients when selecting an appropriate action.

This article does not cover user authentication of email submission and retrieval.

Rationale

In the early 1980s, when Simple Mail Transfer Protocol (SMTP) was designed, it provided for no real verification of sending user or system. This was not a problem while email systems were run by trusted corporations and universities, but since the commercialization of the Internet in the early 1990s, spam, phishing, and other crimes have been found to increasingly involve email.

Email authentication is a necessary first step towards identifying the origin of messages, and thereby making policies and laws more enforceable.

Hinging on domain ownership is a stance that emerged in the early 2000. [3] [4] It implies a coarse-grained authentication, given that domains appear on the right part of email addresses, after the at sign. Fine-grain authentication, at user level, can be achieved by other means, such as Pretty Good Privacy and S/MIME. At present, digital identity needs to be managed by each individual.

An outstanding rationale for email authentication is the ability to automate email filtering at receiving servers. That way, spoofed messages can be rejected before they arrive to a user's Inbox. While protocols strive to devise ways to reliably block distrusted mail, security indicators can tag unauthenticated messages that still reach the Inbox. A 2018 study shows that security indicators can lower the click-through ratio by more than ten points, 48.9% to 37.2% of the users who open spoofed messages. [5]

Nature of the problem

SMTP defines message transport, not the message content. Thus, it defines the mail envelope and its parameters, such as the envelope sender, but not the header (except trace information) nor the body of the message itself. STD 10 and RFC   5321 define SMTP (the envelope), while STD 11 and RFC   5322 define the message (header and body), formally referred to as the Internet Message Format.

SMTP defines the trace information of a message, which is saved in the header using the following two fields: [6]

A mail user agent (MUA) knows the outgoing mail SMTP server from its configuration. An MTA (or a relay server) typically determines which server to connect to by looking up the MX (Mail eXchange) DNS resource record for each recipient's domain name.

The path depicted below can be reconstructed on the ground of the trace header fields that each host adds to the top of the header when it receives the message: [6]

Email authentication can be complicated by the presence of an intermediate relay. A and B clearly belong to the author's Administrative Management Domain, while D and E are part of the recipient network. What role does C play? Email-flow-with-an-intermediate-relay.png
Email authentication can be complicated by the presence of an intermediate relay. A and B clearly belong to the author's Administrative Management Domain, while D and E are part of the recipient network. What role does C play?
Return-Path:<author@example.com>Received:fromD.example.orgbyE.example.orgwithSMTP;Tue, 05 Feb 2013 11:45:02 -0500Received:fromC.example.netbyD.example.orgwithSMTP;Tue, 05 Feb 2013 11:45:02 -0500Received:fromB.example.com(b.example.com[192.0.2.1]) byC.example.net(whichisme)withESMTPid936ADB8838C for<different-recipient@example.net>;Tue, 05 Feb 2013 08:44:50 -0800(PST) Received:fromA.example.combyB.example.comwithSMTP;Tue, 05 Feb 2013 17:44:47 +0100Received:from[192.0.2.27]byA.example.comwithSMTP;Tue, 05 Feb 2013 17:44:42 +0100

The first few lines at the top of the header are usually trusted by the recipient. Those lines are written by machines in the recipient's Administrative Management Domain (ADMD), which act upon their explicit mandate. By contrast, the lines that prove the involvement of A and B, as well as of the purported author's MUA could be a counterfeit created by C. The Received: field shown above is an epoch-making piece of the header. The Return-Path: is written by E, the mail delivery agent (MDA), based on the message envelope. Additional trace fields, designed for email authentication, can populate the top of the header.

Normally, messages sent out by an author's ADMD go directly to the destination's MX (that is B → D in the figures). The sender's ADMD can add authentication tokens only if the message goes through its boxes. The most common cases can be schematized as follows:

A schematic representation of the most common ways that an email message can get transferred from its author to its recipient. Mailflows-reloaded.png
A schematic representation of the most common ways that an email message can get transferred from its author to its recipient.

Sending from within ADMD's network (MUA 1)

Roaming user (MUA 2)

Disconnected user

Section notes

  1. For example, a recipient can instruct Gmail to forward messages to a different email address. The sender is not necessarily aware of that.
  2. Properly configured proxies appear as part of the author ADMD.
  3. Some ADMDs block outbound connection to port 25 (SMTP) to avoid this. This proactive technique is described in RFC 5068. In addition, some block inbound SMTP connections from IPs listed as dialup/DSL/cable.
  4. 1 2 3 4 In this case the author's ADMD is not involved at all.
  5. Some ISPs block port 587, although RFC 5068 clearly says:
    Access Providers MUST NOT block users from accessing the external Internet using the SUBMISSION port 587.

Authentication methods in widespread use

SPF

SPF authenticates the sender IP address. SPF.png
SPF authenticates the sender IP address.

SPF allows the receiver to check that an email claimed to have come from a specific domain comes from an IP address authorized by that domain's administrators. Usually, a domain administrator will authorize the IP addresses used by their own outbound MTAs, including any proxy or smarthost. [7] [8]

The IP address of the sending MTA is guaranteed to be valid by the Transmission Control Protocol, as it establishes the connection by checking that the remote host is reachable. [9] The receiving mail server receives the HELO SMTP command soon after the connection is set up, and a Mail from: at the beginning of each message. Both of them can contain a domain name. The SPF verifier queries the Domain Name System (DNS) for a matching SPF record, which if it exists will specify the IP addresses authorized by that domain's administrator. The result can be "pass", "fail", or some intermediate result - and systems will generally take this into account in their anti-spam filtering. [10]

DKIM

DKIM authenticates parts of the message content. DomainKeys Identified Mail (DKIM).png
DKIM authenticates parts of the message content.

DKIM checks the message content, deploying digital signatures. Rather than using digital certificates, the keys for signature-verification are distributed via the DNS. That way, a message gets associated to a domain name. [11]

A DKIM-compliant domain administrator generates one or more pairs of asymmetric keys, then hands private keys to the signing MTA, and publishes public keys on the DNS. The DNS labels are structured as selector._domainkey.example.com, where selector identifies the key pair, and _domainkey is a fixed keyword, followed by the signing domain's name so that publication occurs under the authority of that domain's ADMD. Just before injecting a message into the SMTP transport system, the signing MTA creates a digital signature that covers selected fields of the header and the body (or just its beginning). The signature should cover substantive header fields such as From:, To:, Date:, and Subject:, and then is added to the message header itself, as a trace field. Any number of relays can receive and forward the message and at every hop, the signature can be verified by retrieving the public key from the DNS. [12] As long as intermediate relays do not modify signed parts of a message, its DKIM-signatures remain valid.

DMARC

DMARC allows the specification of a policy for authenticated messages. It is built on top of two existing mechanisms, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures - and a reporting mechanism for actions performed under those policies.

Other methods

A range of other methods have been proposed, but are now either deprecated or have not yet gained widespread support. These have included Sender ID, Certified Server Validation, DomainKeys and those below:

ADSP

ADSP allowed the specification of a policy for messages signed by the author's domain. A message had to go through DKIM authentication first, then ADSP could demand a punishing treatment if the message was not signed by the author domain(s) —as per the From: header field. [13]

ADSP was demoted to historic in November 2013. [14]

VBR

VBR adds a vouch to an already authenticated identity. This method requires some globally recognized authorities that certify the reputation of domains.

A sender can apply for a reference at a vouching authority. The reference, if accepted, is published on the DNS branch managed by that authority. A vouched sender should add a VBR-Info: header field to the messages it sends. It should also add a DKIM signature, or use some other authentication method, such as SPF. A receiver, after validating the sender's identity, can verify the vouch claimed in VBR-Info: by looking up the reference. [15]

iprev

Applications should avoid using this method as a means of authentication. [16] Nevertheless, it is often carried out and its results, if any, written in the Received: header field besides the TCP information required by the SMTP specification.

The IP reverse, confirmed by looking up the IP address of the name just found, is just an indication that the IP was set up properly in the DNS. The reverse resolution of a range of IP addresses can be delegated to the ADMD that uses them, [17] or can remain managed by the network provider. In the latter case, no useful identity related to the message can be obtained.

DNSWL

Looking up a DNSWL (DNS-based whitelist) may provide an assessment of the sender, possibly including its identification.

Authentication-Results

RFC 8601 defines a trace header field Authentication-Results: where a receiver can record the results of email authentication checks that it carried out. [16] Multiple results for multiple methods can be reported in the same field, separated by semicolons and wrapped as appropriate.

For example, the following field is purportedly written by receiver.example.org and reports SPF and DKIM results:

Authentication-Results:receiver.example.org; spf=passsmtp.mailfrom=example.com; dkim=passheader.i=@example.com

The first token after the field name, receiver.example.org, is the ID of the authentication server, a token known as an authserv-id. A receiver supporting RFC 8601 is responsible to remove (or rename) any false header claiming to belong to its domain so that downstream filters cannot get confused. However, those filters still need to be configured, as they have to know which identities the domain may use.

For a Mail User Agent (MUA), it is slightly harder to learn what identities it can trust. Since users can receive email from multiple domains—e.g., if they have multiple email addresses -— any of those domains could let Authentication-Results: fields pass through because they looked neutral. That way, a malicious sender can forge an authserv-id that the user would trust if the message arrived from a different domain. A legitimate Authentication-Results: typically appears just above a Received: field by the same domain from which the message was relayed. Additional Received: fields may appear between that and the top of the header, as the message got transferred internally between servers belonging to that same, trusted ADMD.

The Internet Assigned Numbers Authority maintains a registry of Email Authentication Parameters. Not all parameters need to be registered, though. For example, there can be local "policy" values designed for a site's internal use only, which correspond to local configuration and need no registration.

See also

Related Research Articles

<span class="mw-page-title-main">Email</span> Mail sent using electronic means

Electronic mail is a method of transmitting and receiving messages using electronic devices. It was conceived in the late–20th century as the digital version of, or counterpart to, mail. Email is a ubiquitous and very widely used communication medium; in current use, an email address is often treated as a basic and necessary part of many processes in business, commerce, government, education, entertainment, and other spheres of daily life in most countries.

The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typically use SMTP only for sending messages to a mail server for relaying, and typically submit outgoing email to the mail server on port 587 or 465 per RFC 8314. For retrieving messages, IMAP is standard, but proprietary servers also often implement proprietary protocols, e.g., Exchange ActiveSync.

An email address identifies an email box to which messages are delivered. While early messaging systems used a variety of formats for addressing, today, email addresses follow a set of specific rules originally standardized by the Internet Engineering Task Force (IETF) in the 1980s, and updated by RFC 5322 and 6854. The term email address in this article refers to just the addr-spec in Section 3.4 of RFC 5322. The RFC defines address more broadly as either a mailbox or group. A mailbox value can be either a name-addr, which contains a display-name and addr-spec, or the more common addr-spec alone.

Various anti-spam techniques are used to prevent email spam.

Sender Policy Framework (SPF) is an email authentication method which ensures the sending mail server is authorized to originate mail from the email sender's domain. This authentication only applies to the email sender listed in the "envelope from" field during the initial SMTP connection. If the email is bounced, a message is sent to this address, and for downstream transmission it typically appears in the "Return-Path" header. To authenticate the email address which is actually visible to recipients on the "From:" line, other technologies such as DMARC must be used. Forgery of this address is known as email spoofing, and is often used in phishing and email spam.

A bounce message or just "bounce" is an automated message from an email system, informing the sender of a previous message that the message has not been delivered. The original message is said to have "bounced".

Sender ID is an historic anti-spoofing proposal from the former MARID IETF working group that tried to join Sender Policy Framework (SPF) and Caller ID. Sender ID is defined primarily in Experimental RFC 4406, but there are additional parts in RFC 4405, RFC 4407 and RFC 4408.

<span class="mw-page-title-main">Message submission agent</span>

A message submission agent (MSA), or mail submission agent, is a computer program or software agent that receives electronic mail messages from a mail user agent (MUA) and cooperates with a mail transfer agent (MTA) for delivery of the mail. It uses ESMTP, a variant of the Simple Mail Transfer Protocol (SMTP), as specified in RFC 6409.

Forward-confirmed reverse DNS (FCrDNS), also known as full-circle reverse DNS, double-reverse DNS, or iprev, is a networking parameter configuration in which a given IP address has both forward (name-to-address) and reverse (address-to-name) Domain Name System (DNS) entries that match each other. This is the standard configuration expected by the Internet standards supporting many DNS-reliant protocols. David Barr published an opinion in RFC 1912 (Informational) recommending it as best practice for DNS administrators, but there are no formal requirements for it codified within the DNS standard itself.

MARID was an IETF working group in the applications area tasked to propose standards for email authentication in 2004. The name is an acronym of MTA Authorization Records In DNS.

The Sender Rewriting Scheme (SRS) is a scheme for bypassing the Sender Policy Framework's (SPF) methods of preventing forged sender addresses. Forging a sender address is also known as email spoofing.

In computing, Author Domain Signing Practices (ADSP) is an optional extension to the DKIM E-mail authentication scheme, whereby a domain can publish the signing practices it adopts when relaying mail on behalf of associated authors.

DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email, a technique often used in phishing and email spam.

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing email, email scams and other cyber threat activities.

Email forwarding generically refers to the operation of re-sending a previously delivered email to an email address to one or more different email addresses.

Vouch by Reference (VBR) is a protocol used in Internet mail systems for implementing sender certification by third-party entities. Independent certification providers vouch for the reputation of senders by verifying the domain name that is associated with transmitted electronic mail. VBR information can be used by a message transfer agent, a mail delivery agent or by an email client.

SMTP Authentication, often abbreviated SMTP AUTH, is an extension of the Simple Mail Transfer Protocol (SMTP) whereby a client may log in using any authentication mechanism supported by the server. It is mainly used by submission servers, where authentication is mandatory.

A TXT record is a type of resource record in the Domain Name System (DNS) used to provide the ability to associate arbitrary text with a host or other name, such as human readable information about a server, network, data center, or other accounting information.

Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing.

Murray S. Kucherawy is a computer scientist, mostly known for his work on email standardization and open source software.

References

  1. Hang Hu; Peng Peng; Gang Wang (2017). "Towards the Adoption of Anti-spoofing Protocols". arXiv: 1711.06654 [cs.CR].
  2. kerner, Sean Michael (2 January 2018). "DMARC Email Security Adoption Grows in U.S. Government". eWeek. Retrieved 24 November 2018.
  3. "Email Authentication Summit". workshop. Federal Trade Commission. November 9–10, 2004. Archived from the original on 3 June 2012. Retrieved 4 February 2013. The Report, however, identified domain-level authentication as a promising technological development{{cite web}}: CS1 maint: unfit URL (link)
  4. Michael Hammer (14 August 2020). "third party authorization". dmarc-ietf (Mailing list). Retrieved 14 August 2020.
  5. Hang Hu; Gang Wang (15 August 2018). End-to-End Measurements of Email Spoofing Attacks. pp. 1095–1112. ISBN   9781939133045.{{cite book}}: |work= ignored (help)
  6. 1 2 John Klensin (October 2008). "Trace Information". Simple Mail Transfer Protocol. IETF. sec. 4.4. doi: 10.17487/RFC5321 . RFC 5321 . Retrieved 1 February 2013. When the SMTP server accepts a message either for relaying or for final delivery, it inserts a trace record (also referred to interchangeably as a "time stamp line" or "Received" line) at the top of the mail data. This trace record indicates the identity of the host that sent the message, the identity of the host that received the message (and is inserting this time stamp), and the date and time the message was received. Relayed messages will have multiple time stamp lines.
  7. Scott Kitterman (April 2014). Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1. IETF. doi: 10.17487/RFC7208 . RFC 7208 . Retrieved 26 April 2014. There are three places that techniques can be used to ameliorate unintended SPF failures with mediators.
  8. J. Klensin (October 2008). "Alias". Simple Mail Transfer Protocol. IETF. sec. 3.9.1. doi: 10.17487/RFC5321 . RFC 5321 . Retrieved 15 February 2013.
  9. IP Address forgery is possible, but generally involves a lower level of criminal behavior (breaking and entering, wiretapping, etc.), which are too risky for a typical hacker or spammer, or insecure servers not implementing RFC 1948, see also Transmission Control Protocol#Connection hijacking.
  10. Scott Kitterman (Nov 21, 2009). "How reliable is it to block/reject on SPF fail?". spf-help. gossamer-threads.com. I think it's generally fine as long as you offer a mechanism for whitelisting of non-SRS forwarders.
  11. D. Crocker; T. Hansen; M. Kucherawy, eds. (September 2011). DomainKeys Identified Mail (DKIM) Signatures. IETF. doi: 10.17487/RFC6376 . RFC 6376 . Retrieved 18 February 2013. DomainKeys Identified Mail (DKIM) permits a person, role, or organization to claim some responsibility for a message by associating a domain name with the message, which they are authorized to use.
  12. Dave Crocker (16 Oct 2007). "DKIM Frequently Asked Questions". DKIM.org. Retrieved 17 February 2013.
  13. E. Allman; J. Fenton; M. Delany; J. Levine (August 2009). DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP). IETF. doi: 10.17487/RFC5616 . RFC 5616 . Retrieved 18 February 2013.
  14. Barry Leiba (25 November 2013). "Change the status of ADSP (RFC 5617) to Historic". IETF.
  15. P. Hoffman; J. Levine; A. Hathcock (April 2009). Vouch By Reference. IETF. doi: 10.17487/RFC5518 . RFC 5518 . Retrieved 18 February 2013.
  16. 1 2 Murray Kucherawy (May 2019). Message Header Field for Indicating Message Authentication Status. IETF. doi: 10.17487/RFC8601 . RFC 8601 . Retrieved 12 June 2023.
  17. H. Eidnes; G. de Groot; P. Vixie (March 1998). Classless IN-ADDR.ARPA delegation. IETF. doi: 10.17487/RFC2317 . RFC 2317 . Retrieved 18 February 2013.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.