← field notes

How Email Authentication Really Works

an email arrives claiming to be from a bank. the name is right, the logo is right, it reads like every other message that account has ever sent. most people simply believe it, because on the surface there is no reason not to. but the strange question almost nobody asks is the one that matters. how does the inbox know the message came from who it says it did.

for most of email’s life the honest answer was that it did not know at all. email was born in an age of trust, among a handful of people who all knew each other, and it was built with no way to prove who sent anything. that flaw never fully went away. the hidden machinery that now tries to patch it, in the fraction of a second before a message lands, is one of the most important and least understood systems on the internet.

the original flaw

the part of a message that says who it is from is, by itself, just text. nothing in the basic design of email stops a stranger from typing a bank’s exact address into the from line and sending a message that, on the surface, looks completely genuine.

it is a letter whose return address is simply whatever the sender felt like writing. no postmark, no check, no proof. for decades that was the reality, and it is the soil the whole world of forged senders and impersonation grew out of.

why the gap matters

this single weakness is the foundation of an enormous amount of online harm. the message that pretends to be a bank asking someone to confirm their details. the urgent note that looks like it came from inside a person’s own company, asking for a payment. the receipt that mimics a real service but carries a link that goes somewhere it should not.

each works because email, left to itself, cannot tell the receiver whether the claimed sender is real. the impersonator breaks into nothing, they simply exploit a system never designed to ask for proof.

so the question became unavoidable. if the from line cannot be trusted, how can an inbox decide whether to believe a message claiming a particular domain, without the sender’s cooperation. the answer is not one fix but three overlapping layers, each covering a weakness the others leave open.

the list of authorized senders

the first layer answers a narrow question. for a given domain, which servers are actually allowed to send mail on its behalf. the owner can publish a public list of them, a domain pinning a notice to its own front door that says these are the only places my mail comes from.

when a message arrives claiming to be from that domain, the receiver checks whether the server that delivered it is named there. a message sent by a machine the domain never authorized is an immediate red flag.

the list is public on purpose, because its power comes not from hiding but from being the domain’s own official word about who speaks for it. but it has a blind spot. it vouches for the delivering server, not for the message itself, which is why a second layer was needed.

the sealed message

the second layer goes deeper. a legitimate mail system can attach a cryptographic signature to the message, a kind of sealed wax stamp calculated from its contents using a secret key only the real domain holds. the matching public key is published openly, so any receiver can verify the seal.

if the signature checks out, two things are proven at once. the message really was signed by something holding the domain’s secret key, and the contents have not been altered on the way, because even a single changed character would break the seal.

the seal matters because mail passes through many hands in transit, and unlike the first layer this signature travels with the message, so it survives being forwarded and relayed and is still provable at the far end.

the policy with teeth

now there are two checks, but a gap remains. what should a receiver do when one fails, bin the message, quietly flag it, or let it through.

the third layer lets a domain answer that itself, in public. the owner publishes a policy that says, in effect, if a message claims to be from me but fails these checks, here is what should happen to it, up to and including reject it outright. the same policy asks receivers to send back reports, so the owner can watch for impersonation attempts across the whole internet.

this is the layer that turns two technical tests into an enforceable rule with real consequences.

the silent trial

every message passes through all three checks in a fraction of a second, silently, billions of times a day, before anyone reads it. the result heavily influences whether it reaches the inbox, lands in spam, or vanishes entirely.

the only time most people sense it is when something fails and a message they were waiting for never arrives.

the alignment trap

there is a subtle trap that makes the system stronger than it first looks. an impersonator might pass a check on a technicality while still lying, by sending a validly signed message from a domain they genuinely control, while showing a completely different, trusted name in the part a reader actually sees.

so the strict version of these rules demands alignment. the domain that passes the technical checks has to match the domain displayed as the sender. that requirement closes the gap between technically valid and actually honest.

reputation on top

layered over all of it is something softer and just as decisive. reputation. large receivers keep a constantly updated picture of how each sending domain and server has behaved over time. does this sender normally send the kind of mail people want. has it suddenly started blasting huge volumes after months of silence. do recipients open its messages or quietly mark them as junk.

a sender with years of clean history and passing checks sails in. a brand new one, even configured perfectly, starts with no trust and earns it slowly, message by message, complaint by complaint.

this is why a hijacked account is so dangerous. it inherits all the trust the real owner spent years building and turns it against the people who learned to rely on it. the checks prove identity; reputation decides how much that identity is worth, and the two together are stronger than either alone.

where the fight moved

the other side adapts, leaning on the weaknesses the checks cannot see. they register domains that look almost identical to a trusted one, a single character off, perfectly authenticated for a domain that is technically theirs but built to fool the human eye. they compromise the real accounts of legitimate senders, so the mail passes every check honestly, because it genuinely came from the real system.

the verification proves a message came from a domain. it cannot, by itself, prove that domain is honest or that its owner meant to send anything. that gap is where the modern fight has moved.

why the defender gained ground

even so, the advantage has shifted hard toward the receiver. before these layers existed, anyone could trivially forge any sender and the inbox was helpless. now forging a major, properly defended domain outright is genuinely difficult, because the seals and authorized sender lists cannot be faked without the secret keys.

the attacker is pushed off the strong target and onto the weaker edges, which are harder to pull off and easier to catch through reputation and reporting. the door that used to swing open for anyone now demands real proof, and that alone strips out an ocean of the crudest fakery.

the double edge

the same strict gates that block impersonators also catch the legitimate but misconfigured. a small organization, a school, a charity that has not set up these published records correctly can find its real messages quietly binned, judged as fakes by a system that cannot tell careless from criminal.

there is a quiet centralizing pull in this too. when a handful of giant providers effectively decide what counts as a trustworthy sender, getting mail delivered increasingly means playing by their rules. the open, anyone can run a mail server spirit the system was born with keeps narrowing, and the gate that keeps out impersonators also, slowly, raises the cost of simply being heard.

what it is really about

so here is the part to sit with. every message that reaches an inbox has already passed through a silent trial nobody witnessed, a check on whether the name on the envelope can actually be believed. email began as a system built entirely on trust, with no proof of anything, and the machinery bolted on since is a decades long attempt to retrofit honesty onto something that never had it.

it mostly works, quietly, which is why almost nobody thinks about it. no single layer is enough. the list vouches for the server but not the message. the seal proves the message but not the intent. the policy sets consequences but only for domains that bother to publish one. reputation weighs behavior but can be inherited by whoever steals the account. what holds the line is all of them at once, layered, none trusted alone, each covering a little of where the others fail.

and that is the shape of every fight this channel walks through. not one clean trick that settles it, but a stack of imperfect signals weighed against each other, holding an uneasy line against the next thing built to slip past. someone learns to forge a name, someone else builds the machinery to see through the forgery, and the contest never resolves. it only moves to fresh ground.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →