Login   /  Logout   /  Resources for Consumers  /  Create a FREE Online Account  /  Contact Us
Consumer Help Membership Centers of Excellence Advocacy Events Who We Are Careers Blog


How To Evaluate The Different Types Of Authentication (SPF, Sender-ID, DomainKeys)

There are currently two major types of email authentication systems:

a. IP-based solutions like Sender Policy Framework (SPF) and Sender ID Framework (SIDF), and
b. Cryptographic solutions like DomainKeys Identified Mail (DKIM)

The goal of each is the same: to create a public record against which to validate email messages so that the legitimacy of senders can be verified. Both technologies work to verify that the sender is authorized to send mail from a particular IP address.

A fundamental difference between IP-based and cryptographic authentication solutions is that cryptographic technology protects the integrity of the email contents, while IP-based technology verifies or proves that the sender is authorized by the domain owner to send the mail.

Following is a more in-depth comparison of the three types of email authentication systems (SPF, SIDF, and DKIM).

1. Sender Policy Framework (SPF)
SPF is an IP-based technology that verifies the sender IP address by cross-checking the domain in the email address listed in the visible “Mail From” line of an email against the published record a sender has registered in the Domain Name System (DNS). SPF technology is free to all users.

An SPF record is a list of computer servers or IP addresses that senders indicate are “authorized” to send email that claims to be coming from their domain. When you publish an SPF record for your domain, you declare which IP addresses are authorized to send out email on your behalf. SPF allows senders/marketers effectively to say, “I only send mail from these machines (IP addresses/servers). If any other machine claims that I'm sending mail from there, they are not telling the truth.”

2. Sender ID Framework (SIDF)
Sender ID is basically “Caller ID for email.” SIDF, created by Microsoft, is very similar to SPF. Whereas SPF verifies the visible “Mail From” line of the email, SIDF authenticates either the “Mail From” line or the non-visible “From” line of the email header. Using the US Postal Service as an analogy, SIDF is akin to verifying the authenticity of both the outer envelope and the letterhead on the document inside the envelope.

Here’s how SIDF works:

a. Sender sends an email to Receiver.
b. Receiver’s inbound email server receives the email and calls its Sender ID Framework.
c. Sender ID Framework looks up the Sender ID or SPF record of the domain that Sender is using in the Domain Name System (DNS).
d. The recipient’s ISP determines whether the outbound Mail Server IP address matches any listed IP address authorized to send mail for the user.

3. DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail is a cryptographic, signature-based type of email authentication. DKIM is a combination of Yahoo’s DomainKeys (DK) and Cisco’s Identified Internet Mail (IIM).

DKIM is offered to all users free of charge. DKIM is available at http://dkim.org . DKIM requires more computing resources than IP based technologies.

DKIM requires email senders’ computers to generate “public/private key pairs” and then publish the public keys into their Domain Name System (DNS) records. The matching private keys are stored in a sender’s outbound email servers, and when those servers send out email, the private keys generate message-specific “signatures” that are added into additional, embedded email headers.

ISPs that authenticate using DKIM look up the public key in DNS and then can verify that the signature was generated by the matching private key. This ensures that an authorized sender actually sent the message, and that the message headers and content were not altered in any way during their trip from the original sender to the recipient.

The DKIM authentication process involves checking the integrity of the message using the public key included in the email signature header, in addition to verifying whether the public key used to sign the message is authorized for use with the sender’s email address. This step currently involves utilizing the DNS record of the sending domain. The authorization records in the DNS contain information about the binding between a specific key and email address. In the US Postal Service analogy DKIM is like verifying a unique signature, which is valid regardless of the envelope or letterhead it was written on.

For more information, please click here for Authentication, Accreditation & Reputation (AAR) – For Marketers! (June 2005), a white paper designed to help marketers navigate the fast-changing and often confusing landscape of AAR with practical, plain-English advice.