[All] Email Authentication

**Roxy** · May 20th, 2008, 3:57 PM

In your cPanel you have another amazing email feature called Email Authentication where it helps fight against spam being sent from your domain name. You're probably wondering what this means and how it works. Well if you have ever gotten a phishing email from a well known bank (ie: Bank of America) and saw the email and almost though it was legit, this is what it referrers to. In the tutorial below I will write out what each term means and how it'll benefit you in the end.

Enabling DomainKeys & SPF

In your cPanel under the email category, click on the link that says Email Authentication.

You are taken to the settings page, where you will be asked to enable the DomainKeys and SPF.

DomainKeys "is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity. " (credit: Wikipedia) Which basically means that if a spammer is trying to use your domain to send out spam emails from their server, it will not go through since their DNS does not match up with the authorized DNS from your server.

A more technical and deeper meaning into how DomainKeys work is

1) Somebody wishing to use DomainKeys to help authenticate their emails, publishes a Public Key to their DNS zone file.

2) All outgoing emails from that domain have their headers checksummed and signed with the private key.

3) When a DomainKey aware mail server receives an email signed with DomainKeys, they first fetch the public key, decrypt the checksum, and then perform their own checksum. If the two checksums match, they know the sender is legit.

(Thank you Ray!)

Sidenote: Checksum is a way to protect the authentication of data via telecommunications.

SPF (Sender Policy Framework) "allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam." (credit: Wikipedia) Which means if the email is not authorized to be sent from another server's host it will be rejected and bounced back.

In cPanel you are able to set which hosts and IPs that are able to send emails using your domain name from. This is located in the advance settings. All you need to do is simply click on the add button and follow the instructions continued from there.

Mechanisms & Qualifiers

Now, you're probably also wondering what this line under the SPF means?

Your current raw SPF record is : v=spf1 a mx ?all

v=spf1 means the version of SPF

the a, mx, and all stand for the mechanisms allowed to send messages. "a" being if the domain name has an A record similar to the sender's address, it will match. "mx" referring to if the domain name has an MX record pointing to the sender's address, it will match. "all" being a match all to DNS.

Now as for the ? in front of the all mechanism, these are referred to as "qualifiers".

? = Neutral
- = Fail
+ = Pass
~ = Softfail, between neutral and fail

The domain name may not have a SPF record at all, resulting in the neutral qualifier being used which is "none". As you have noticed within your cPanel the default setting is set at neutral a precaution from using the Fail and softfail qualifiers, as both can be "dangerous". (not literally) If set at Fail the email will automatically bounce back sending an error message to the "return_path", while when set to softfail it will simply read it as potential junk (usually tagged as) and can or cannot be deleted by the recipient.

While it may seem a lot to handle in the end this feature can protect your domain name from being used by spammers posing to be you. A neat feature if you have a booming online business. Not so important for simple personal websites unless you want the added protection.

Will edit with more accurate information

**Sentinel** · May 20th, 2008, 4:44 PM

Good stuff.

**Roxy** · May 20th, 2008, 5:20 PM

Thank you, as I learn more about it, I'll be sure to post more technical information here.

May 20th, 2008, 3:57 PM	#1 (permalink)
Roxy URB4N 5K1LLZ Super #1 Joined in Sep 2005 Lives in Orlando, FL Hosted on SH63 2,653 posts Gave thanks: 81 Thanked 128 times	[All] Email Authentication In your cPanel you have another amazing email feature called Email Authentication where it helps fight against spam being sent from your domain name. You're probably wondering what this means and how it works. Well if you have ever gotten a phishing email from a well known bank (ie: Bank of America) and saw the email and almost though it was legit, this is what it referrers to. In the tutorial below I will write out what each term means and how it'll benefit you in the end. Enabling DomainKeys & SPF In your cPanel under the email category, click on the link that says Email Authentication. You are taken to the settings page, where you will be asked to enable the DomainKeys and SPF. DomainKeys "is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity. " (credit: Wikipedia) Which basically means that if a spammer is trying to use your domain to send out spam emails from their server, it will not go through since their DNS does not match up with the authorized DNS from your server. A more technical and deeper meaning into how DomainKeys work is 1) Somebody wishing to use DomainKeys to help authenticate their emails, publishes a Public Key to their DNS zone file. 2) All outgoing emails from that domain have their headers checksummed and signed with the private key. 3) When a DomainKey aware mail server receives an email signed with DomainKeys, they first fetch the public key, decrypt the checksum, and then perform their own checksum. If the two checksums match, they know the sender is legit. (Thank you Ray!) Sidenote: Checksum is a way to protect the authentication of data via telecommunications. SPF (Sender Policy Framework) "allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam." (credit: Wikipedia) Which means if the email is not authorized to be sent from another server's host it will be rejected and bounced back. In cPanel you are able to set which hosts and IPs that are able to send emails using your domain name from. This is located in the advance settings. All you need to do is simply click on the add button and follow the instructions continued from there. Mechanisms & Qualifiers Now, you're probably also wondering what this line under the SPF means? Your current raw SPF record is : v=spf1 a mx ?all v=spf1 means the version of SPF the a, mx, and all stand for the mechanisms allowed to send messages. "a" being if the domain name has an A record similar to the sender's address, it will match. "mx" referring to if the domain name has an MX record pointing to the sender's address, it will match. "all" being a match all to DNS. Now as for the ? in front of the all mechanism, these are referred to as "qualifiers". ? = Neutral - = Fail + = Pass ~ = Softfail, between neutral and fail The domain name may not have a SPF record at all, resulting in the neutral qualifier being used which is "none". As you have noticed within your cPanel the default setting is set at neutral a precaution from using the Fail and softfail qualifiers, as both can be "dangerous". (not literally) If set at Fail the email will automatically bounce back sending an error message to the "return_path", while when set to softfail it will simply read it as potential junk (usually tagged as) and can or cannot be deleted by the recipient. While it may seem a lot to handle in the end this feature can protect your domain name from being used by spammers posing to be you. A neat feature if you have a booming online business. Not so important for simple personal websites unless you want the added protection. Will edit with more accurate information __________________ Roxanne Urban Roxy -Personal Blog SH63 - the best darn shared server!

May 20th, 2008, 4:44 PM	#2 (permalink)
Sentinel Surpass Fan On a golden path... Joined in Mar 2006 Hosted on SH100 448 posts Gave thanks: 72 Thanked 17 times	Good stuff. __________________ SH100 , SH131 & SH124

May 20th, 2008, 5:20 PM	#3 (permalink)
Roxy URB4N 5K1LLZ Super #1 Joined in Sep 2005 Lives in Orlando, FL Hosted on SH63 2,653 posts Gave thanks: 81 Thanked 128 times	Thank you, as I learn more about it, I'll be sure to post more technical information here. __________________ Roxanne Urban Roxy -Personal Blog SH63 - the best darn shared server!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Rate This Thread
Rate This Thread:

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)