Does email authentication prevent spam?

I see this question asked a lot:

Question: Email Authentication is a combination of useful policies called SPF, DKIM, and DMARC … but are these policies designed to stop SPAM?

Short Answer: Not really… they are designed to stop Spoofing.

Here’s the longer answer

There are two categories of email senders that often get lumped together, but should really be treated as separate groups:

  • Spammers

  • Spoofers

What is a Spammer?

Simply put, a spammer is anyone that sends an email that the recipient doesn’t want to receive. The purpose of the email is irrelevant and could be advertising, news, offers, phishing attempts, or even an email from the IRS. Spam is in the eye of the beholder. Coincidentally, this is the same definition landscapers use for weeds. “It’s only a weed if you don’t want it there”.

TL;DR - Spammers are sending you an email you don’t want to see

What is a Spoofer?

A spoofer has a more technical and non-subjective definition. A spoofer is a sender using a domain that they have not proven they own. Most of the time, spoofing is intentional, which means the spoofer is trying to fool the email recipient.

Occasionally, however, spoofing is accidental, such as when an employee signs up for a service which sends emails on behalf of the company using the company’s domain. If that employee doesn’t include their IT department in those conversations, it’s likely that those emails will be considered “spoofing attempts” by receiving email servers because those emails have not been “blessed” (authenticated) by the owner of that domain.

TL;DR - Spoofers are trying to trick you into thinking they are someone else

Aren’t Spoofers also Spammers?

Sometimes, yes… Sometimes, no.

Examples of Spammers that are not Spoofers:

  1. The company TruGreen sends me a TON of spam and I can’t seem to get them to stop. However, they are not spoofers because they meticulously authenticate all of their email. Still ends up in my spam folder, however.

  2. Remember that any Spammer that doesn’t authenticate their email is a dumb spammer. Smart spammers always use SPF/DKIM/DMARC because:

    1. Email authentication is free

    2. Email authentication increases the odds of ending up in the inbox

Examples of Spoofers that are not Spammers

  • I’m working with a Client right now that has set up email authentication, but has done it incorrectly such that some of their email-sending systems are not yet authenticated (their CRM system). I definitely don’t want these emails to end up in my spam folder, but because of their DMARC policy and their lack of DKIM/SPF, their CRM system was technically spoofing their domain.

So email authentication doesn’t prevent SPAM?

Technically, no, but that was not its intended purpose.

Email authentication (SPF/DKIM/DMARC) is aimed at preventing Spoofers from successfully impersonating domains they do not own.

However, because a good amount of spam emails are also Spoofed emails, email authentication does have the effect of reducing the amount of spam in the end, and specifically the worst type of spam, where the sender is trying to trick the recipient.
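
The distinction above, as an added example that is not part of the original post: a simplified DMARC check showing that a fully authenticated bulk mailer passes while an unauthenticated CRM sending for its own client is treated as spoofing. All domains and records are constructed sample values, and the two-label organizational-domain rule is a simplifying assumption (real receivers use the Public Suffix List).

```python
# Added example: simplified DMARC evaluation with relaxed alignment.
# Function names, domains and records are constructed for illustration.

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    """Parse a 'v=DMARC1; p=reject; ...' TXT record into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_verdict(from_domain, spf, dkim, record):
    """spf and dkim are (result, domain) tuples as seen by the receiver.
    Returns 'pass', or the policy the domain owner asked receivers to apply."""
    def aligned(d):
        return org_domain(d) == org_domain(from_domain)
    # DMARC passes if EITHER mechanism passes AND aligns with the From domain.
    if spf[0] == "pass" and aligned(spf[1]):
        return "pass"
    if dkim[0] == "pass" and aligned(dkim[1]):
        return "pass"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no valid policy published, nothing to enforce
    return tags.get("p", "none").lower()

# Constructed case 1: unwanted bulk mail that is fully authenticated.
BULK = dmarc_verdict("news.lawncare.example",
                     ("pass", "bounce.lawncare.example"),
                     ("pass", "lawncare.example"),
                     "v=DMARC1; p=reject")

# Constructed case 2: a wanted message from a CRM that was never authorized.
# SPF passes, but for the vendor's domain, so it does not align.
CRM = dmarc_verdict("client.example",
                    ("pass", "mail.crm-vendor.example"),
                    ("none", ""),
                    "v=DMARC1; p=quarantine")

if __name__ == "__main__":
    print("authenticated bulk mailer:", BULK)  # spam, but not spoofing
    print("unauthenticated CRM:", CRM)         # not spam, but spoofing
```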
