Recently, Google and some other email service providers started rejecting messages due to failed authentication checks. In this article, we will explain why these problems occur, and how to resolve them.
In order to understand the issue, you will first need to know what Email Authentication is.
What is Email Authentication?
When most people hear about Email Authentication, they think about their email user name and password. However, the Email Authentication we are referring to is a little different. Email Authentication (or Validation) refers to a number of technologies email operators use to verify the identity of the sending mail server of an email message. The original Simple Mail Transfer Protocol (the set of commands servers use to transfer emails; better known as just SMTP) does not have any such features (it was designed in 1982 after all).
SMTP error messages are very cryptic:
550-5.7.1 This message does not have authentication information or fails to pass authentication checks. To best protect our users from spam, the message has been blocked. Please visit https://support.google.com/mail/answer/81126#authentication for more information. d16si9512682pgi.148 – gsmtp
There are two main technologies used for Email Authentication:
- SPF – Sender Policy Framework
- DKIM – DomainKeys Identified Mail
How does Email Authentication Work?
SPF and DKIM use slightly different approaches. Both rely on DNS records, but the records contain different information. When a server receives an email, it checks these records. Based on the results, the server can determine if the email was sent by an authenticated server or not.
The Spam filters we use at ICDSoft use both of these techniques in order to improve spam recognition and classification.
SPF stands for Sender Policy Framework. The SPF DNS record specifies the allowed sending (SMTP) servers for the domain name. When you use SPF, you can list many different SMTP servers without any configuration needed on the SMTP server itself. The final part of the SPF record (~all) specifies the way unlisted servers must be treated. In the example record below, “~all” means “SOFTFAIL”. Most mail providers will flag a message from an unlisted server but not reject it. If you want strict checking, you can use “-all”. Further details about the SPF specification can be found on the Wikipedia page about SPF.
SPF records look like this:
v=spf1 a mx include:smtp-spf.someserver.com ~all
The SPF Process:
Here is how SPF works:
SPF works only if the recipient server checks for SPF Email Authentication. The check is basic – when the server receives an email, it checks if the sending server’s IP address is listed in the SPF DNS record of the sender’s domain. Based on the result of this check and the failure policy (~all), the server determines if the message should be delivered, rejected, or classified as spam.
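The check a receiving server performs, as an added example (not ICDSoft's code or a full SPF implementation). The DNS data is a constructed stand-in for real lookups, example.com and strict.example.com are assumed sender domains, and only the a, mx, ip4/ip6, include and all mechanisms are handled:

```python
import ipaddress

# Constructed DNS data standing in for real lookups (documentation IP ranges).
DNS = {
    "TXT": {"example.com": "v=spf1 a mx include:smtp-spf.someserver.com ~all",
            "smtp-spf.someserver.com": "v=spf1 ip4:198.51.100.0/24 -all",
            "strict.example.com": "v=spf1 mx -all"},
    "A": {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.25"]},
    "MX": {"example.com": ["mail.example.com"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _match(mech, arg, domain, ip, depth):
    """Return True if the sending IP matches one SPF mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return str(ip) in DNS["A"].get(arg or domain, [])
    if mech == "mx":
        hosts = DNS["MX"].get(arg or domain, [])
        return any(str(ip) in DNS["A"].get(h, []) for h in hosts)
    if mech == "include":  # matches only if the included policy says "pass"
        return check_spf(ip, arg, depth + 1) == "pass"
    return False  # unsupported mechanisms and modifiers are skipped here

def check_spf(ip, domain, depth=0):
    """Evaluate the sender domain's SPF record, left to right, for one IP."""
    ip = ipaddress.ip_address(str(ip))
    record = DNS["TXT"].get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none" if depth == 0 else "permerror"
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if _match(mech.lower(), arg, domain, ip, depth):
            return RESULT[qualifier]  # first matching term decides
    return "neutral"

if __name__ == "__main__":
    for addr in ("192.0.2.25", "198.51.100.7", "203.0.113.99"):
        print(addr, check_spf(addr, "example.com"))
    print("203.0.113.99", check_spf("203.0.113.99", "strict.example.com"))
```

An unlisted address gets "softfail" under “~all” and "fail" under “-all”; what the receiver then does with that result (deliver, flag, reject) is its own policy decision.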
DKIM / DomainKeys
DKIM (DomainKeys Identified Mail) uses public key cryptography to sign messages. The downside of this method is that it requires changes to the mail server software, as opposed to SPF, which requires publishing a single DNS record. This requires the cooperation of your email administrator.
At ICDSoft DKIM is available out of the box
Use a hosting provider that understands E-mail
Each authenticated sending server must sign every email it sends with a Private Key. This Private Key has a matching Public Key which is published in the DKIM DNS record. Recipient mail servers use this Public Key to check if the message was sent from an authenticated server (as only authenticated servers have the correct private key).
DKIM records look like this:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTYf0C/D2g0vFGjYWb5gzZ2WDnBHiq++iHkCyQ1upCSokENuDAgRfAiWrW1M1Ge6dbZoI5RPzChmKe7PMqZf7fzj0+dvn6VP//r/+cZd6nmMh65cN/iwwl7ncP6rngI8B4cfmgPfjU0eY46F511mThvAQ4TLvj7Han5qMZrG5FzwIDAQAB
The DKIM Process
DKIM still relies on the recipient server to check the validity of a message. The receiving server, if it is DKIM enabled, will check the message headers for the message signature and verify it against the Public Key published in the DKIM DNS record. If the message fails the check, it is up to the recipient server to classify the message accordingly.
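The sign-then-verify flow described above, as an added example (not ICDSoft's or any mail server's code). It is simplified: it signs two chosen headers plus a body hash instead of applying the full DKIM canonicalization and header format, and the RSA key is a constructed demo key that is not secure:

```python
import base64, hashlib

# Constructed demo key built from two Mersenne primes: easy to factor, demo only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, the part published in DNS
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, stays on the sending server
KLEN = (N.bit_length() + 7) // 8
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(data: bytes) -> int:
    """PKCS#1 v1.5 signature encoding of SHA-256(data), as in rsa-sha256."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (KLEN - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def _signed_data(headers, body, signed):
    """Simplified canonical form: the chosen headers plus a hash of the body."""
    bh = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    lines = [f"{h.lower()}:{' '.join(headers[h].split())}" for h in signed]
    return "\r\n".join(lines + [f"bh={bh}"]).encode()

def sign(headers, body, signed=("From", "Subject")):
    """Sending server: sign with the private key, return a base64 signature."""
    sig = pow(_encode(_signed_data(headers, body, signed)), D, N)
    return base64.b64encode(sig.to_bytes(KLEN, "big")).decode()

def verify(headers, body, b64sig, signed=("From", "Subject")):
    """Receiving server: check the signature using only the public key."""
    sig = int.from_bytes(base64.b64decode(b64sig), "big")
    expected = _encode(_signed_data(headers, body, signed))
    return sig < N and pow(sig, E, N) == expected

if __name__ == "__main__":
    hdrs = {"From": "alice@example.com", "Subject": "Invoice 42"}  # constructed
    sig = sign(hdrs, "Hello\r\n")
    print("untouched message:", verify(hdrs, "Hello\r\n", sig))
    print("body altered:     ", verify(hdrs, "Hello, pay now\r\n", sig))
    print("From altered:     ", verify({**hdrs, "From": "x@example.net"}, "Hello\r\n", sig))
```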
Why did Google Suddenly Start Blocking My Messages?
Google is the largest email provider today. Over a billion users use their Gmail and G Suite services. Their spam protection is really tight, but this has drawbacks as well. Many users struggle to get some legitimate emails out of their Spam folders.
Google recently updated their spam filter and started blocking messages without Email Authentication. We are not aware of any announcement of this change. It caught many Gmail users unprepared and left them asking for help.
While the change may be beneficial overall, the power Gmail has over the email system raises concerns. When Gmail makes a change to their policies, all email servers must comply, even if they do not agree with the changes. In this case, however, we think that the measures Google is pushing for are beneficial for all, and we support this change.
At ICDSoft You Have Control
Use a Provider That Respects Your Choice
In 2014, a similar unannounced policy change by another big player (Yahoo) caused millions of mailing lists to stop working. This effectively broke all mailing list communication with these large email providers. You can read more in: Yahoo email anti-spoofing policy breaks mailing lists.
ICDSoft customers were affected as well, and we immediately applied a patch to our mailing list software which resolved the issue.
How to Enable Email Authentication?
Every new ICDSoft customer gets DKIM and SPF enabled by default. Combined with our generous disk space offerings, advanced anti-spam protection and low prices, this makes us a preferable choice for many email users. And we also offer Free Migration with every account (which includes Email).
If you are an existing client, to enable DKIM and SPF, navigate to the DNS Manager in the online Control Panel, and click the “Enable” buttons.
Most other service providers should have a similar easy way to enable support for these two technologies. If such support isn’t available, you can use some online SPF and DKIM record generators, like https://mxtoolbox.com/SPFRecordGenerator.aspx.