Our Truemark service relies on email authentication (SPF/Sender ID or DomainKeys/DKIM) as a foundation for verifying legitimate messages. And there are some email services out there that indicate with an icon whether a message has passed authentication. But is email authentication by itself enough?
Nope (you knew that was coming). Email authentication only tells me that the message really came from the entity who claimed to send it. That works great when someone pretending to be a bank uses the bank’s email address – the authentication will fail and the message can be dropped so consumers never see it.
But what if they create a domain name that sounds like it belongs to the bank (e.g., bank-support.com) and then send email from there? It’s possible for the sender of such a message to authenticate their email and have it pass. Uh-oh. So much for using authentication alone to determine the legitimacy of messages.
So how do you really know when a message is legitimate? It takes at least one more piece of information. The most definitive is a list of domains the company uses to send email. Then it’s simple – compare the domain in the message to the company’s list, and if there’s a match and the message can be authenticated, you’re good. That’s how our Truemark service works (it’s actually more complicated than that since there are several “from” addresses in an email message, but that’s for another time).
Another way to verify legitimacy is by assigning reputation to messages from specific domains or IP addresses. This requires a monitoring of new domains/addresses over time to determine whether messages sent from there are “good”. In this case, authentication plays a role since it allows you to verify that the message actually came from those domains/addresses, but it isn’t as definitive as comparing to a known-good list.
Bottom line? Like those products labeled “made of genuine artificial leather,” just because an email is marked as “authenticated” doesn’t mean it’s real.