Email overview and authentication
Created: April 12, 2025 | Modified: January 18, 2026
This is a primer on the core components of email authentication, with a sequence diagram illustrating how email validation works.
Email authentication
Email authentication methods let a receiving server verify that a message claiming to come from your domain was actually authorized by that domain, which is what prevents spoofing and unauthorized use of your domain name.
Want to understand email spoofing? (Don't actually do this)
In your mail client, find the "from" field (hidden by default in Outlook). Add a custom email address that isn't yours.
Congratulations - you've just created a spoofed email address.
Getting a message like that past modern authentication takes additional steps, but the point stands: nothing in the mail client stops you from putting someone else's address in the From field, which is why SPF, DKIM, and DMARC are critical.
There are four key components of modern email authentication, each published in a domain's public DNS records (DKIM additionally requires the sending server to sign outbound mail with the matching private key):
| Acronym | Formal Name | Standard | Purpose |
|---|---|---|---|
| MX | Mail Exchange | RFC 974 (now RFC 5321) | Tells senders which server receives email for a domain |
| SPF | Sender Policy Framework | RFC 7208 | Lists the IP addresses and hosts authorized to send mail for the envelope (MAIL FROM) domain |
| DKIM | DomainKeys Identified Mail | RFC 6376 | Sending server signs selected headers and a hash of the body with a private key; the receiver fetches the public key from DNS (selector._domainkey.domain) and verifies the signature to confirm integrity and origin |
| DMARC | Domain-based Message Authentication, Reporting, and Conformance | RFC 7489 | Tells receivers how to handle mail whose SPF/DKIM results do not pass in alignment with the From: header domain, and where to send aggregate and failure reports |
If you're receiving mail, authentication on its own is not enough. It tells you whether a message was authorized by the domain it claims to come from, but it doesn't detect spam, phishing, or malware; a fully authenticated message from a freshly registered attacker domain still passes. You'll need additional protections such as an email security gateway or filtering service.
Email authentication workflow
This sequence diagram illustrates what happens when email is sent and authenticated:
```mermaid
sequenceDiagram
autonumber
box Sender
actor User as Sending User
participant SMS as Sending Mail Server
end
participant DNS as DNS Records
box Receiver
participant RMS as Receiving Mail Server
actor RUser as Receiving User
end
User ->> SMS: Mail send request
Note left of SMS: Is this user allowed to send via this mail server?
SMS ->> SMS: Authentication challenge
break Authentication Failed
SMS ->> User: Send request rejected
end
autonumber 3
SMS ->> SMS: Authentication pass
SMS ->> DNS: Get MX record for Receiver
Note over SMS: Who should receive this mail?
DNS ->> SMS: Return MX record
SMS ->> SMS: Sign mail with DKIM private key
Note over SMS: Hash the body, sign the selected headers,<br>add the DKIM-Signature header
SMS ->> RMS: Send mail to Receiver (mail servers)
RMS ->> DNS: Get SPF, DKIM, DMARC
Note over RMS: What are the records for this Sender?
DNS ->> RMS: Return SPF, DKIM, DMARC
RMS ->> RMS: Evaluate SPF
Note over RMS: Is the connecting IP authorized by the<br>MAIL FROM (envelope) domain's SPF record?
RMS ->> RMS: Evaluate DKIM
Note over RMS: Does the DKIM-Signature verify against the<br>public key at selector._domainkey.domain?
RMS ->> RMS: Evaluate DMARC
Note over RMS: Did SPF or DKIM pass with a domain<br>aligned to the From: header domain?
break DMARC Fail with p=quarantine or p=reject
RMS ->> RMS: Quarantine or reject per policy
Note right of RMS: p=none only reports. Aggregate (rua) and<br>failure (ruf) reports go to the addresses<br>listed in the DMARC record
end
autonumber 13
RMS ->> RMS: DMARC Pass
RMS ->> RMS: Custom Evaluation
Note over RMS: Spam/malware/phishing checks /<br> Mailflow rules / etc
RUser ->> RMS: Authenticate to server
break Authentication Fail
RMS ->> RUser: Authentication fail
end
autonumber 16
RMS ->> RMS: Authentication pass
RMS ->> RUser: Receive the Sender's mail
```
Note that DMARC does not require both SPF and DKIM to pass: one aligned pass is enough. A forwarded message typically fails SPF (the forwarder's IP is not in the original domain's record) but still passes DMARC on its DKIM signature, and a message whose envelope sender is the attacker's own domain can pass SPF for that domain yet fail DMARC because the passing domain is not aligned with the From: header.
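The DMARC step of the diagram, worked through in code. This is an added example and not code from the original page: it takes the SPF and DKIM verdicts as inputs (it does not verify signatures itself), pulls the From: domain, the DKIM d= tag and the envelope sender domain out of a constructed message, and returns the DMARC result and disposition under strict or relaxed alignment. The sample message, the DMARC record strings and the two-label organizational-domain shortcut in org_domain are assumptions made for the example.

```python
"""DMARC alignment and policy evaluation, standard library only (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed message. DMARC protects the From: header domain; the DKIM d= tag and the
# SMTP MAIL FROM (envelope) domain are the identifiers SPF and DKIM actually authenticate.
SAMPLE_MESSAGE = """\
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: Q3 invoice
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2025;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED

Please find the invoice attached.
"""

# Constructed spoof: same From: header, but signed by (and sent from) the attacker's domain.
SPOOFED_MESSAGE = SAMPLE_MESSAGE.replace("d=example.com", "d=attacker.invalid")


def parse_tags(record):
    """Parse a 'tag=value; tag=value' list (DMARC record or DKIM-Signature header) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain for relaxed alignment. Real receivers consult the Public
    Suffix List; this assumption keeps the last two labels, which is right for
    example.com but wrong for names like example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw_message, mail_from, spf_result, dkim_result, dmarc_record):
    """Return (dmarc_result, disposition, reasons).

    spf_result and dkim_result are the verdicts from the earlier steps ("pass", "fail",
    "none", ...). DMARC passes when at least one of them is "pass" with an aligned
    identifier; otherwise the disposition is the record's p= policy."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    envelope_domain = mail_from.rpartition("@")[2]
    dkim_domain = parse_tags(msg.get("DKIM-Signature", "")).get("d", "")
    policy = parse_tags(dmarc_record)
    if policy.get("v") != "DMARC1" or "p" not in policy:
        return "none", "none", ["no valid DMARC record for " + from_domain]

    spf_aligned_pass = spf_result == "pass" and aligned(
        envelope_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned_pass = dkim_result == "pass" and aligned(
        dkim_domain, from_domain, policy.get("adkim", "r"))
    reasons = [
        f"spf={spf_result} envelope={envelope_domain or '-'} aligned_pass={spf_aligned_pass}",
        f"dkim={dkim_result} d={dkim_domain or '-'} aligned_pass={dkim_aligned_pass}",
    ]
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "none", reasons
    return "fail", policy["p"], reasons


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc@example.com"
    # Forwarded mail: SPF fails at the forwarder, DKIM still carries the pass.
    print(evaluate_dmarc(SAMPLE_MESSAGE, "alice@example.com", "fail", "pass", record))
    # Spoof: SPF and DKIM pass for attacker.invalid, but nothing aligns with example.com.
    print(evaluate_dmarc(SPOOFED_MESSAGE, "x@attacker.invalid", "pass", "pass", record))
```

The reasons list is what you would want in an Authentication-Results header or a log line: it records which identifier passed and whether it aligned, which is the question a DMARC failure investigation always starts with.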
Caveats and considerations
DNS response size: the SPF TXT record should fit in a single UDP DNS response, about 459 octets for the record itself (RFC 7208 Section 3.4). Larger answers are truncated and retried over TCP, which not every resolver or verifier handles gracefully.
DNS lookups: at most 10 lookup-causing terms per evaluation (RFC 7208 Section 4.6.4). The include, a, mx, ptr, and exists mechanisms and the redirect modifier each count, across the whole include chain; ip4, ip6, and all do not.
Exceeding the lookup limit is a permerror, which means SPF can no longer contribute a pass to DMARC. Use include: statements carefully, consolidate where possible, and recount after every change, since an include you don't control can grow on its own.
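A checker for both limits, as an added example that is not part of the original page. It walks include: and redirect= terms the way a verifier does, counting lookup-causing terms across the chain and flagging oversized records, but resolves names against a constructed in-memory zone rather than live DNS so it runs offline; the zone contents and the fetch_spf stand-in for a TXT query are assumptions, and a production version would replace fetch_spf with a real resolver call.

```python
"""Count SPF DNS lookups and record size against the RFC 7208 limits (added example)."""

# Terms that cost a DNS query and count toward the 10-lookup limit (RFC 7208 Section 4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10
MAX_OCTETS = 459  # record-size figure cited above for RFC 7208 Section 3.4

# Constructed zone: a domain whose include chain exceeds the lookup budget,
# a clean domain, and a domain whose record is too large for one UDP response.
ZONE = {
    "example.com": "v=spf1 mx a include:_spf.example.net include:mail.example.org ~all",
    "_spf.example.net": "v=spf1 ip4:192.0.2.0/24 include:_spf1.example.net include:_spf2.example.net -all",
    "_spf1.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.example.net": "v=spf1 a mx -all",
    "mail.example.org": "v=spf1 redirect=_spf.example.org",
    "_spf.example.org": "v=spf1 a:out1.example.org a:out2.example.org mx -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "big.example.com": "v=spf1 " + " ".join(f"ip4:203.0.113.{i}" for i in range(60)) + " -all",
}


def fetch_spf(domain, zone=ZONE):
    """Stand-in for a DNS TXT query (assumption); swap in a real resolver for production use."""
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    return record


def count_lookups(domain, zone=ZONE, _path=frozenset()):
    """Return (lookups, problems) for domain, following include: and redirect= transitively.

    _path holds the domains on the current include/redirect chain so loops are
    reported once instead of recursing forever; siblings that include the same
    domain twice still pay for it twice, as a real verifier would."""
    name = domain.lower()
    if name in _path:
        return 0, [f"include/redirect loop at {domain}"]
    path = _path | {name}
    try:
        record = fetch_spf(domain, zone)
    except LookupError as exc:
        return 0, [str(exc)]

    problems = []
    size = len(record.encode("ascii"))
    if size > MAX_OCTETS:
        problems.append(f"{domain}: record is {size} octets, over {MAX_OCTETS}")

    lookups = 0
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        term = term.lstrip("+-~?")  # qualifiers do not change the lookup cost
        if term.startswith("redirect="):
            lookups += 1
            sub, sub_problems = count_lookups(term.split("=", 1)[1], zone, path)
            lookups += sub
            problems += sub_problems
            continue
        if "=" in term:  # other modifiers (exp=) are not counted against the limit
            continue
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0]  # strip a CIDR suffix such as a/24 or mx/24
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
            if mech == "include":
                sub, sub_problems = count_lookups(arg, zone, path)
                lookups += sub
                problems += sub_problems
    return lookups, problems


def check_spf(domain, zone=ZONE):
    """Top-level check: total lookups plus a permerror-style finding when over the limit."""
    lookups, problems = count_lookups(domain, zone)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups, over the limit of {MAX_LOOKUPS} (permerror)")
    return lookups, problems


if __name__ == "__main__":
    for name in ("example.com", "example.net", "big.example.com"):
        print(name, check_spf(name))
```

In the constructed zone, example.com costs 12 lookups: two of its own (mx, a), four via _spf.example.net and four via mail.example.org, whose redirect is itself a counted lookup. Flattening the nested includes into ip4/ip6 terms is the usual fix, at the price of having to regenerate the record whenever the included sender changes its ranges.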