Email Address Authentication
The Concept

Summary

The fundamental concept is that the original sender of the message should add an Authentication Key (Authkey) to the message header that is unique to the sender email address and the recipient should verify that the sender email address matches the Key.

Unique Process

In order to provide an easy migration process, there are two phases. In Phase I, the Sender SMTP Server should get the AuthKey and attach it to the message header. In Phase II, the mail client may attach the AuthKey to the message header. We will mainly focus on describing the Phase I implementation while mentioning the Phase II solution when appropriate.

An Authentication Server (AS) that serves the domain periodically sends a new AuthKey as a regular email message. The Sender's SMTP Server verifies that the message carrying the new AuthKey has come from its own AS and records the Key. In Phase II, the sender's mail client will accept and store the AuthKey.

The Recipient SMTP Server verifies that the sender's email address and the AuthKey match. If there is a match, then the sender is authentic and the message can be delivered or can be checked further for its rating before it is delivered. If there is no match, the recipient can choose how he wishes to treat the mail (reject, accept, or mark as Spam).

When an email address is valid, it can be checked against a Domain Rating Server. If the content of the message with a valid email address is deemed to be Spam, the end user can report it to a Domain Rating Server.

Getting the Authentication Key

While it is possible to spoof the sender, it is much more difficult to hijack mail messages for a specific recipient; thus sending an AuthKey as a regular email message will guarantee delivery to the proper destination.

The Authentication Server sends a new AuthKey to the email address. The AS puts the following information in the message header:

X-New-Auth-Key: NewUniqueKeyString

The size of the Authentication Key can be implementation specific but large enough to reduce the likelihood of guessing the Key. The AuthKey can be attached by the mail client, or attached by the Sender SMTP Server to the message header.

The Sender SMTP Server (and the client in Phase II) verifies that the sender IP Address belongs to its own Authentication Server and accepts the new Authentication Key. The Authentication Server IP Address is verified by checking the DNS records for the domain.

The Authentication Key is kept in the SMTP Server and the mail client until a new Key arrives and replaces it.

Attaching The Authentication Key to the Message Header

Every time the Sender sends an email message, it attaches the Sender Authentication Key to the message header.

X-Auth-Key: EmailAddressAuthenticationKey

The size of the Key can be implementation specific but large enough to reduce the likelihood of guessing the Key. The AuthKey can be attached by the mail client, or attached by the Sender SMTP Server to the message header.

If the mail client attaches the Key, the Sender SMTP Server does not attach the Key. When the mail client attaches the Key it enables the user to use any SMTP Server and to manage multiple email accounts in the same mail client simultaneously. Furthermore, if the message is forwarded, the SMTP Server can verify that the mail message is valid by checking if the (original) sender and the Key match against the Authentication Server or it can be left to the final recipient SMTP Server for checking.

AuthKey Generation Interval (AGI) and AuthKey Valid Time (AVT)

Theoretically, a person who receives an email with an AuthKey can use that Key together with the sender's email address to spoof the email address. In order to reduce or avoid this possibility, the Authentication Server uses the AuthKey Generation Interval (AGI) and AuthKey Valid Time (AVT) parameters.

AGI dictates how often a new AuthKey is generated and sent to the Email Address. The Sender is supposed to start using the new AuthKey as soon as it arrives.

AVT is the duration during which the AuthKey will be considered valid.

The Administrator of the domain defines both AGI and AVT.

Each Email Address in the Authentication Server has two types of records:

· Email Address Settings Record
· AuthKey Record

Here is a sample Email Address Settings Record:

Email Address    AGI           AVT
my@domain.com    7200 (min)    2880 (min)

Using the AGI from the Email Address Settings Record, a new AuthKey is generated every AGI, recorded in the Authentication Server Database and sent to the Email Address.

Below is a sample AuthKey Record on the Authentication Server:

Email Address    Expiration Time        AuthKey
my@domain.com    2005-01-01 22:08:15    my64charbyteskey-01

Expiration time is calculated at the time of the new AuthKey generation as follows:

Expiration Time = Current Time + AGI + AVT

The AuthKey can be kept for as little as a few minutes or as long as a few days, weeks or even months. This is under the control of the Domain Administrator.
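
The two record types and the expiration formula above, as an added Python model (not Simplicato's code). It shows that a replaced key stays valid for AVT after its successor is issued, so a leaked key is usable for at most AGI + AVT. The class name, the in-memory storage and the 64-character key size are assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta

class AuthenticationServer:
    """In-memory model of the Settings Record and AuthKey Record."""

    def __init__(self):
        self.settings = {}   # email -> (AGI, AVT) as timedeltas
        self.keys = {}       # email -> list of (expiration, authkey)

    def add_address(self, email, agi_min, avt_min):
        self.settings[email] = (timedelta(minutes=agi_min),
                                timedelta(minutes=avt_min))
        self.keys[email] = []

    def generate_key(self, email, now):
        """Run once per AGI: create a key and record its expiration."""
        agi, avt = self.settings[email]
        key = secrets.token_urlsafe(48)   # 64 URL-safe chars (assumed size)
        # Expiration Time = Current Time + AGI + AVT
        self.keys[email].append((now + agi + avt, key))
        return key                        # would be mailed as X-New-Auth-Key

    def validate(self, email, presented, now):
        """Answer a recipient's query with VALIDKEY or INVALIDKEY."""
        live = [(exp, k) for exp, k in self.keys.get(email, []) if now < exp]
        if email in self.keys:
            self.keys[email] = live       # prune expired AuthKey Records
        ok = False
        for _, k in live:                 # constant-time compare, no early exit
            ok |= hmac.compare_digest(k.encode(), presented.encode())
        return "VALIDKEY" if ok else "INVALIDKEY"
```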

Verifying Sender Authentication Key

The Recipient SMTP Server checks the message header. If there is an Authentication Key, the SMTP Server will query the DNS Server of the sender's email domain for the Authentication Server using the TXT Record.

The query should return one or more Authentication Servers and the port number from the TXT Record. For example,

AS=as1.simplicato.com:2550;as2.simplicato.com:2550:3600

The Recipient SMTP Server connects to the Authentication Server and requests to validate the Sender's Email Address with the AuthKey. The Authentication Server will reply either VALIDKEY or INVALIDKEY.

As a matter of implementation, the Recipient SMTP Server stores the Sender Address and the matching AuthKey in its cache to reduce traffic to the Authentication Server. If a message with a new AuthKey arrives that does not match what is in the cache, the Recipient SMTP Server will contact the Authentication Server again. If the Authentication Server validates the Key, the new Key for that recipient is stored in the cache.

In case the Authentication Server fails to respond, the Administrator can set the policy for the Recipient SMTP Server to mark the mail as Spam, hold the mail for later verification, reject the mail, or deliver it with a special status in the header for the End User.

The Recipient SMTP Server removes the AuthKey from the message header to prevent the recipient user from using the Key to spoof the email address.
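
The recipient-side steps described above (AS record parsing, cache, AS query, failure policy, key removal), as an added Python sketch that is not Simplicato's code. It assumes the sender address is read from the From header, that the third field in the sample record (not defined on this page) is ignored, and that ask_as is a hypothetical callable standing in for the connection to the Authentication Server.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_as_record(txt):
    """Parse 'AS=host:port;host:port[:extra]' into (host, port) pairs."""
    if not txt.startswith("AS="):
        raise ValueError("not an AS record")
    servers = []
    for entry in txt[3:].split(";"):
        fields = entry.strip().split(":")
        if len(fields) < 2 or not fields[0] or not fields[1].isdigit():
            raise ValueError(f"malformed AS entry: {entry!r}")
        # A trailing third field (":3600" in the sample) is not defined
        # on the page, so it is ignored here.
        servers.append((fields[0], int(fields[1])))
    return servers

def verify_message(raw, txt_record, ask_as, cache, on_as_failure="hold"):
    """Return (verdict, message with X-Auth-Key removed).

    ask_as(server, sender, key) is a hypothetical transport callable that
    returns "VALIDKEY" or "INVALIDKEY", or raises OSError if unreachable.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    key = msg.get("X-Auth-Key")
    del msg["X-Auth-Key"]            # never pass the key on to the end user
    if key is None:
        return "no-key", msg
    if cache.get(sender) == key:     # cache hit: no AS round trip
        return "authentic", msg
    for server in parse_as_record(txt_record):
        try:
            reply = ask_as(server, sender, key)
        except OSError:
            continue                 # try the next listed AS
        if reply == "VALIDKEY":
            cache[sender] = key      # replaces any older cached key
            return "authentic", msg
        return "mismatch", msg
    return on_as_failure, msg        # every AS failed: apply admin policy
```

A cached key is accepted without asking the AS, so a real cache needs its own expiry to avoid honouring a key the AS has already expired.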

In Phase II, the Recipient's Mail Client can also validate the AuthKey if the Recipient SMTP Server does not validate it.

 

 
 
   
 
 
 

  © 2001-2007 Simplicato™. All Rights Reserved.  Simplicato™ and Backaway™ are trademarks of Simplicato, Inc.