eConnect Email Help Center

What is Email Authentication and why is it important?

Email authentication is one of the standard items to include on your checklist if you want to build a reputation as a good sender and see the majority of your emails make it past firewalls and into the inboxes at the ISPs. This guide explains why you should have authentication set up if you are an email marketer.

ISPs (AOL, Comcast, Yahoo, etc.) are swamped with incoming mail, much of it spam from less-than-reputable senders. They don't have time to analyze the content of every incoming email. That would be like the cops pulling over each and every car to check for law-abiding citizens.

When an email marketer sends a campaign to his list of subscribers and a few thousand of those subscribers have @yahoo.com accounts, Yahoo will think it's a wave of spam (replace Yahoo with AOL or any corporate email firewall). If your emails are authenticated, you don't look so suspicious.


Where Did Email Authentication Come From?

In a nutshell, it's to prove that your email is not a forgery. Emails are inherently insecure. You can craft an email and forge the reply-to and "from:" fields pretty easily to make it look like it came from someone else. That's called "spoofing". You may have even received complaints from people telling you to stop spamming them, because some spammer is "spoofing" his campaigns to look like they're coming from you.

Don't sweat it; it happens to everyone eventually. Spoofing usually leads to phishing. Phishing is when someone spoofs an email to make it look like it came from a bank or credit card company. They ask the recipient to log in to some website (designed to look like a real bank site) and enter their banking passwords and PIN codes. Authentication was created to prevent all this spoofing and phishing.

Email Marketers Spoof All The Time

When you use a reputable ESP, you are sending your campaigns from our servers. But you are probably entering your own reply-to: email address and from: name, and technically that's a form of spoofing. So long as you are sending the email from a well-known, reputable email service provider, it's not a huge problem. ISPs can tell that it came from a legit server, and generally won't penalize you.

But as your list grows, it does eventually affect your deliverability rate. ISPs will more likely "throttle" your campaigns to check them for spam. If you're sending tens of thousands of emails per campaign, you might want to look into some form of email authentication.

Different Types of Authentication

I'm not going to get into the details of how the different types of authentication work, or which is the best. Just know that there are about three major options: SPF, SenderID, and DKIM (aka "Domain Keys"). SPF and SenderID are somewhat easier to implement, because you make some modifications to some files on your domain name server.

Let's say you use the application to send your campaigns. You simply add a file on your server that says, "If you ever receive an email from us and it claims to be from me, it's all cool." DKIM is slightly more complex. You basically embed the message with a cryptographic kind of "key" that proves it's legit. Receiving servers can take the key and reference the delivery server to see if it truly came from that server.

In general, SPF and SenderID are things you, as the email marketer, can do on your own. You might get your IT department to set it up for you. DKIM is something you'll have to ask to set up for your account. It sometimes requires extra setup fees, because it's a little harder to implement.

Authentication Is Not Perfect

Authentication has its drawbacks. For instance, depending on how your email service provider is set up, your email campaigns might be forced to use a different "reply-to:" or "from:" than your own company name. One might argue that this defeats the whole purpose of authentication in that it makes the email look more suspicious when your recipient opens the message.

We've seen cases of authenticated emails getting rejected by mobile devices. It goes something like this: you send an authenticated email to your customer's work account. The authentication in your message says, "this message is only authentic if it came from the application server XYZ." But the recipient is a traveling salesperson, and automatically forwards messages from his company account to his Blackberry.

The Blackberry server receives your message, but since it was forwarded from your recipient's company server, it appears to be a forgery when they read the authentication instructions.

Is Authentication Worth It?

There are lots of critics and pundits when it comes to the theory behind authentication. If you research the topic at length, you're just going to come away more confused than ever. If you have a very large list, your campaigns are a lot more likely to get blocked or "throttled" by major ISPs like AOL, Yahoo, Hotmail and Gmail. Authentication helps you. If you send marketing messages, email firewalls like Postini are very, very harsh when they scan your content. If you know that a huge portion of your subscriber list is at one single domain, then sending a campaign to that list is going to look like a wave of spam.

Again, authentication can help smooth things over for you. Bellsouth recently started to block HTML emails randomly, which confused a lot of email marketers. When we investigated campaigns from our own users, we found that authenticated messages seemed to get through perfectly fine. The bottom line is this: if you have a very large list (tens of thousands), and you have money and resources to get it in place, authentication will help get your emails delivered, but you can't send spammy content and expect authentication to help you. If your list is relatively small, then you probably don't need it yet. Just make sure to use a reputable email service provider and your campaigns will get through just fine.
