Why Email Authentication is Important
Email is one of the most prominent channels for cyberattacks in organizations because it is the most popular method for corporate communication. Unauthenticated domains are highly vulnerable to phishing and other malicious activities. According to research by Verizon in 2024, 90% of all malware is delivered by email, making it critical for organizations to differentiate between real and fake emails.
Email authentication is an effective process to confirm the identity of email senders. It plays a critical role to minimize the risk of cyberattacks in any email-based business by helping users distinguish legitimate emails from spam and phishing emails.
The foundational protocols in email authentication that collectively enhance trust and email deliverability are:
1. Domain-based Message Authentication, Reporting and Conformance (DMARC) - Helps domain owners ensure that emails are sent from their domains, and control how they want unauthorized messages to be treated.
2. Sender Policy Framework (SPF) - Authenticates emails by helping organizations publish an authorized list of senders.
3. DomainKeys Identified Mail (DKIM) - Uses digital signatures to sign emails and ensure that they remain unaltered through the delivery process.
For organizations that send over 5,000 emails daily, DMARC compliance is mandatory for inbox placement with leading email providers like Gmail, Yahoo and Outlook. DMARC validation ensures that:
1. Emails are genuinely sent from the user’s domain using SPF and/or DKIM checks. It does this by matching the SPF record and DKIM key with the sender's root (primary) domain.
2. Spoofing and phishing are prevented by giving inbox providers clear instructions on how to handle unauthenticated messages.
3. Reporting is enabled so that domain owners can monitor authentication results and spot any abuse.
For smaller volume email senders, these leading email providers have started flagging DMARC non-compliant emails. Instead of being delivered to the recipient’s Inbox, non-compliant mails often end up in the Junk/Spam folder, in the Other tab (in Outlook) or get archived or redirected by rules set up by the user.
Emails from BI Helper
BI Helper uses the Amazon Simple Email Service (AWS SES) to send PDF/ PPTX reports from Power BI or Tableau to end-users. Every email sent from AWS SES has two parts:
- Header From: This is the 'friendly' from address your recipient sees in their email client (e.g., newsletter@yourbrand.com). Its purpose is display and recognition.
- Envelope From (Return-Path): This is the hidden address used by mail servers for routing and handling bounces. By default, AWS SES uses its own domain for this (e.g., random-string@amazonses.com).
DMARC requires that the domain in Header From aligns with the domain in Envelope From.
This addresses a major vulnerability where a malicious actor can send an email that passes the individual SPF and DKIM checks and looks genuine. The recipient has no reason to be suspicious of it, but the email is a complete fraud.
DMARC Compliance in BI Helper
Branded Email Sending Subdomain
Identifier alignment: In order to be DMARC compliant, you need to connect a branded email sending subdomain to your account that matches the root domain in your ‘from email ' address.
For example, if your root domain is mycompany.com and you send emails from sales@mycompany.com, then you can use reports.mycompany.com as a branded sending subdomain.
IMPORTANT:
1. Please work with your DNS admin / Azure admin to set up DMARC compliance for your sender email IDs in BI Helper.
2. The specifics of the implementation depend on your DNS or hosting provider. Please review their documentation before you start.
Setup Steps
1. Go to Settings > DMARC Compliance in BI Helper and click on the ‘+ Add Subdomain’ button. The requirements for the subdomain are given in the page.
2. Pick a subdomain, enter it and click on ‘Save’. BI Helper will generate 3 CNAME records, 2 TXT records and one MX record for SPF and DKIM in the same page.
3. Copy and publish them to your DNS provider. Click on ‘Continue’ to complete the DMARC setup.
4. Allow up to 72 hours for your DNS provider to propagate them.
5. Once your domain is verified, please ensure that your ‘from email’ address is aligned with your ‘mail from’ subdomain. This satisfies DMARC's alignment requirement for SPF.
Check DMARC Status of ‘From Email'
1. To check the DMARC status of your ‘From email', go to the Send Email tab in BI Helper, enter your Sender Email and click on Check DMARC.
2. When you see the green 'DMARC Compliant' box, it means that the process is complete and your emails from BI Helper will now have the highest deliverability levels.
Additional Resources - AWS SES
Complying with DMARC authentication protocol in Amazon SES - Amazon Simple Email Service
Using a custom MAIL FROM domain - Amazon Simple Email Service
