Lyris Technologies' strategic account manager explains how to authenticate your email with the help of your IT department and your email service provider.
"Knock knock."
"Who's there?"
"Oprah"
"Oprah who?"
"You know, that Oprah. Let me in!"
So would you let "Oprah" into your house? Probably not. After all, all you have to go on is this person's word that she is in fact Oprah.
It makes sense not to let someone into your home without any kind of verification that the person is who she says she is. And yet ISPs need to make that kind of decision every day with the billions of pieces of email they allow into their network.
This email claims to be from Sun Trust Bank; is it really? Or is it a fraudulent email masquerading as a legitimate message from the bank, in hopes that some unwitting dupe will provide his login, password, and mother's maiden name?
Amazingly enough, in the trusting days when email was invented, there were no mechanisms created to reliably verify that a message really did come from the person it said it did. And it's remarkably easy to forge the sender line.
There have been multiple authentication protocols proposed and tested in the past. None of these took off as industry standards. But nowadays, there's lots of motivation to rally behind a protocol that works and actually fights the spam epidemic.
Now, with spam and phishing so prevalent, it's in every email marketer's best interest to use authentication. Even if your brand hasn't fallen victim to a phishing attack, authentication helps ISPs distinguish the white hats from the black. When the ISPs can block spam more effectively, that means your opt-in email messages stand out in the inbox.
So, how can you authenticate your email? With a little assistance from your IT department and your email service provider, you can implement three different authentication methods: SPF, Sender ID, and DomainKeys.
Why three? They are similar, in that they use information you publish about your domain to verify that the mail servers sending the email are authorized to do so. But each verifies a different part of the message, and each is used by different ISPs to authenticate email.
1. SPF
Created in 2003 by an open group of independent developers, SPF, or Sender Policy Framework (originally the acronym stood for Sender Permitted From), lets a company publish which mail servers are allowed to send email for its domain. When an ISP begins to receive an email message, it can use SPF to validate that the connecting server is authorized to send email for that domain.
To implement SPF, all your ISP or IT team needs to do is to add a line to your DNS record with information about authorized sending IP addresses. SPF record tools and tests are available at the SPF Project Website.
2. Sender ID
With Sender ID, email sent to MSN or Hotmail addresses is much more likely to be put into the inbox than bulked.
Sender ID Framework is a Microsoft initiative that is derived from SPF and uses SPF-style records to work. But whereas "straight" SPF validates the email "envelope," Sender ID validates one of the message's address header fields as determined by an algorithm called PRA (Purported Responsible Address). This patented algorithm is designed to select the header field best representing the e-mail address "responsible" for sending the message.
Confused? They are very similar, but they validate different elements in the email message. Although SPF and Sender ID records look similar, it's best to have separate SPF and Sender ID records to ensure they both work properly.
Microsoft hosts information about Sender ID, including a Sender ID Record Wizard.
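The difference between the SPF and Sender ID checks described above, as an added Python example that is not from the original article: the same connecting IP is tested against the envelope sender's domain for SPF and against the header domain chosen by a simplified PRA ordering for Sender ID. The domains, IP ranges, records, message and function names are constructed for illustration; only the `ip4`, `ip6` and `all` mechanisms are evaluated, and `spf2.0/pra` is the version tag Sender ID records use.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed TXT records and message (documentation domains and IP ranges).
DNS_TXT = {
    "bounce.esp.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "brand.example": ["v=spf1 ip4:198.51.100.10 -all",
                      "spf2.0/pra ip4:192.0.2.0/24 ip4:198.51.100.10 -all"],
}
MESSAGE = "From: News <news@brand.example>\nSubject: Offers\n\nHello\n"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(domain, version):
    """Return the domain's first TXT record carrying the given version tag."""
    for txt in DNS_TXT.get(domain, []):
        if txt.split()[0] == version:
            return txt
    return None

def check_ip(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; others are skipped."""
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        kind, _, value = term.lstrip("+-~?").partition(":")
        if kind == "all" or (kind == f"ip{ip.version}"
                             and ip in ipaddress.ip_network(value, strict=False)):
            return RESULTS[qualifier]
    return "neutral"

def pra_domain(msg):
    """Simplified PRA: domain of the first header present, in RFC 4407 order."""
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg[name]:
            return parseaddr(msg[name])[1].rpartition("@")[2].lower()
    return None

def authenticate(client_ip, mail_from, raw_message):
    """SPF checks the envelope sender's domain; Sender ID checks the PRA's."""
    env = mail_from.rpartition("@")[2].lower()
    pra = pra_domain(message_from_string(raw_message))
    return {"spf": (env, check_ip(lookup(env, "v=spf1"), client_ip)),
            "sender_id": (pra, check_ip(lookup(pra, "spf2.0/pra"), client_ip))}

if __name__ == "__main__":
    print(authenticate("192.0.2.25", "bounces@bounce.esp.example", MESSAGE))
```

In the constructed data, the ESP's sending range appears in the brand's `spf2.0/pra` record but not in its `v=spf1` record, so the two checks give different answers for the same IP when the wrong record is consulted.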
3. DomainKeys
A Yahoo! and Cisco initiative, DomainKeys (or the subsequent DKIM, for DomainKeys Identified Mail) works differently from SPF and Sender ID. To implement it, you create a pair of keys: a public key to be published and a private key to be used by your outbound mail server to create a digital signature of your messages. The receiving mail server then uses the public key to verify that the digitally signed message really was sent legitimately.
Currently, Yahoo and Gmail use DomainKeys to validate mail, and other major ISPs are reportedly ready to begin using it as well. Yahoo has also started a feedback loop so DomainKey users can be informed of spam complaints against them.
Many ESPs (Email Service Providers) support DomainKeys, but not all. Unlike SPF and Sender ID, DomainKeys changes how an ESP sends email because it requires the addition of a digital signature based on the private key.
Yahoo's DomainKeys site details how it works, and implementer's tools are available at Sourceforge.net.
None of these email authentication methods is "best;" each has specific merits in fighting fraud and spam. Each is used by a significant portion of the internet community, so it behooves the intelligent email marketer to use all of them. And doing so should take little effort on the part of those who control your domain.
Email authentication won't solve the problem of spam, but it does mean that when your email comes knocking, the ISPs won't need to wonder who it is.
Wendy Roth is strategic account manager for Lyris Technologies.

