Marek Loder Customer Success Email Authentication What you need to know Patrick Graham Customer Success

• Spend my days at Postmark onboarding new clients • Work out of our headquarters here in Philadelphia • Big fan of the great outdoors • Newly minted private pilot • Music and coffee aficionado. • I spend my days at Postmark troubleshooting technical problems for our customers • Work remotely from the Pacific Northwest. Marek Loder Patrick Graham

What is Postmark? A fast & reliable transactional-only email platform for web applications Your customers expect application emails to arrive immediately, not eventually. Reaching the inbox isn’t enough

1. What are the authentication methods and how do they work? 2. Why are they important for you? What are you going to learn?

Image source: https://www.flickr.com/photos/eelssej_/413385838 Why do I need email authentication?

Unauthenticated PayPal phishing email

1. Protect Reputation 2. Protect Deliverability Email Authentication Methods SPF, DKIM, and DMARC

Whitelist & Blacklist SPF 1

‘From Address’: Return-Path: Who the message was sent from Where the message was sent from

Github’s SPF Record v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:mail.zendesk.com ~all This is an SPF record Defines an IP range Google and ZenDesk mail servers Accept all mail. (Soft Fail)

Github’s SPF Record v=spf1 ip4:192.30.252.0/22 include:_spf.google.com include:mail.zendesk.com ~all This is an SPF record Defines an IP range Accept all mail. (Soft Fail) Google and ZenDesk mail servers

No content

SPF Gotchas…

Only use one SPF record v=spf1 include:_spf.google.com ~all TXT v=spf1 include:mail.zendesk.com ~all TXT v=spf1 include:_spf.google.com include:mail.zendesk.com ~all TXT SPF Gotchas

Only 10 lookups SPF Gotchas

2 Domain Keys Identified Mail DKIM

1. Private key 2. Public key 3. Signature DKIM Components

DKIM Private Key -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDWnZ5hejTvASYrXmwk/hHOsAFDri2zWYnX2KD+yKB7OG6eVqd6 L0HxcY8ds7HJrEaNtVMoic7XazqHyfhyTagPQ9z1ijdQTAhCwXpO4GOutu5tbTcN bVIgWH/hE8OnDOKuCbLn79VYfIQEu9bnOyKGreU9kuxYROv7737OhnwiEwIDAQAB AoGBAJvwbPtA86NR/2z1r7h1T3UR1+lYbuZpQcovIlPebRT7XQz5w7j5C34m2Clp vt3dqmoe/WxwLXXC+QVfUIGlQV15KmA+2+jjYwVCC0lfLsp+xZxnvOyOcCoppbv7 Lbqt9gmF/JwPOUYq3KD+iVwpKiE89Y5DBOFBmaCk6kA4IyXxAkEA9OK5xX9e9fdf MzdJamQ56oMF5CkspVfCCFI4R5zwkRE4R+1pDgYRpvxe2eHk+gEw7nsMpghh6Von begKCr+2yQJBAOBbMWF3Q+556TuAKnCgWd9ZD4BcBEboMFwwXDCaewFVM6dHHcKS wySKyHBP0QjFoP7ESrHglxC/PWqBQ0TbE/sCQBeKZAlUQTCr4v7tZaVQlTCx/7L7 MkuCsChUnwxjTczkNuDTNbIfazr+L7AKQxS1YJrMQV8El0TzYa7zC2QVIeECQQCN 9aXdQhXdw43sdEBmW1ACntvMIG0kYK6Y5pCuwFCsmzi/06PlBfAsIxSI3DgsEMC5 84I/4xgzJI674WarHuQZAkEAqrceOh0yLADMAJlztXsbh96fk//AtPn20FdW/0dE SFGvG8GqV7B99nj/O1BV6V5mfO3bzCtleAJbaptniIL56A== -----END RSA PRIVATE KEY----- Stored secretly by the sender

DKIM Public Key google._domainkey.github.com Stored publicly in the sending domain’s DNS

DKIM Public Key google._domainkey.github.com Selector DKIM specific subdomain Signing domain

DKIM Public Key google._domainkey.github.com Selector DKIM specific subdomain Signing domain

DKIM Public Key google._domainkey.github.com Selector DKIM specific subdomain Signing domain

DKIM Public Key google._domainkey.github.com v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCCqkSdyfFtn4S3VkICnzOvsi wAZ60Z79uN4YpwgAzrScaDmn0IfgG9I6AKklaPAzmCIOh1Rl2pB/ O9nMlEhVpvpNyauFXxhGEkqWp4PeMaoAl2j/uy8lhk1EIoEfM42Ifzm6GMymG/ c61rOuorAqQsGAdUif2HyOmJYdXi8x7zfQIDAQAB TXT

DKIM Signature DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wildbit.com; s=google; h=from:mime-version:date:message-id:subject:to:cc; bh=i/ep9kKrYpLMJ4OkXiiAVdd16bxlMgi4OcpDEQzV55U=; b=CgpzvIVR3mMRXmktyTXAUBFYM3MNgM77WrpGmSqy2Lyeq6aObuzcBCDgh0ZTkgw8lI A8kVodA4EpFOuc66GrJtLFBoy1MxWzUJP25WgAIPj0plbFObXlpJJKMDC0bEoXSnUZrB DVMEDhw8fyP73mgKKfGGzrfja2nE/kUv1WdfU= SMTP header

No content

3 Domain-based Message Authentication and Conformance DMARC

No content

DMARC Special DMARC subdomain _dmarc.gmail.com v=DMARC1\; p=none\; rua=mailto:[email protected] TXT

DMARC v=DMARC1\; p=none\; rua=mailto:[email protected] _dmarc.gmail.com This is a DMARC record Reporting Policy

DMARC v=DMARC1\; p=none\; rua=mailto:[email protected] _dmarc.gmail.com This is a DMARC record Reporting Policy

DMARC Tool A free tool to monitor & implement DMARC dmarc.postmarkapp.com

Checking Validity Check DKIM, SPF, and DMARC validity in Gmail

SPF passing and DMARC SPF passing are not the same thing. DMARC SPF alignment requires that the From address domain matches the Return-Path domain DMARC - SPF alignment gotcha

SPF Domain-based way to say what IPs are allowed to send email for you. DKIM Message-based signatures to verify your email is unmodified. DMARC Domain-based way to tell receivers how to handle authentication failures for your domain. Email Authentication Methods

A few reasons to consider Postmark…

Authenticate Sending Domains: DKIM & Return-Path Custom Return-Path DKIM

Unprecedented Troubleshooting 45 days of email activity Search all your messages Detailed message events Advanced filtering

Detailed message events, grouped by recipient Full content previews (HTML & Plain Text) Message overview

Customer support that’s human Made the switch to @postmarkapp today. The customer service and delivery rates are awesome. Samuel Goudie “ Postmark has stellar customer service. I don't think I have ever waited more than a few minutes for a response to an email. Christopher Dundy “ Ashley Dana Marek Patrick

DMARC Reports MailMason SpamCheck StyleMerge MailBrush Templates Mustachio Webhooks MailHandler postmarkapp.com/labs Check out our free & open source tools at…

Part of the family. postmarkapp.com Questions? Email [email protected] @postmarkapp