Skip to content

How Message Authentication works

Message Authentication is used to verify the authenticity of an email's origin.

This topic describes the Message Authentication types Sophos Email Security uses to protect you from illegitimate emails.

For more information on the order in which checks are carried out in different scenarios, see Sequence of Message Authentication.


This topic provides a brief explanation of how Message Authentication works, however it does not include detailed information such as setting up DNS records (DMARC, SPF, DKIM) because we're focusing on what happens to incoming mail.


Domain-based Message Authentication, Reporting and Conformance (DMARC) utilizes both DKIM and SPF to validate the authenticity of an email.

The sender creates a DMARC record which instructs the receiver to carry out DMARC checks and contains information about what to do when DMARC fails.

When an email is received, Sophos Email Security carries out a DNS check to find the DMARC record for the domain specified in the emails' from (header) address. The DMARC record tells the receiver (in this case, Sophos Email Security) to check for DMARC and specifies what to do with email that fails DMARC checks. The Sophos Email Security default option for messages that fail DMARC checks is Conform to sender policy, meaning that what happens to the message depends on what is defined in the DMARC record. The domain specified in the from address is checked against the information in the SPF and DKIM records to verify that the domains match. To pass a DMARC check, the message needs to pass validation and alignment checks for SPF or DKIM:

  • For SPF, the domain specified in the MAIL FROM (envelope) address must match one of the IP addresses or subnets specified in the SPF record. DMARC then checks the MAIL FROM address against the from address to make sure they align.
  • For DKIM, the signature must be validated and the domain specified in the from address must match the domain used to create the signature specified in the DNS record.



Sender Policy Framework (SPF) allows you to verify that incoming email comes from an IP address or host authorized by the sending domain's administrators.

The sender creates an SPF record which specifies the hosts, IP addresses, and subnets that are authorized to send mail for their domain.

When Sophos Email Security receives an email, it compares the sending mail server's address with the authorized senders in the SPF record. If these don't match, the SPF check fails.

See SPF.


DomainKeys Identified Mail (DKIM) is used to authorize an email by verifying its digital signature, which associates a domain name with the email.

The sender decides which part of the email they want signed (header and/or body) and then they configure their mail server to create a hash of those parts. The hash is then encrypted by their private key. They also publish a DKIM record which contains the public key used to decrypt the signature.

When Sophos Email Security sees that an email has a DKIM signature, it does a DNS lookup to find the DKIM record associated with the sending domain. It uses the public key to decrypt the digital signature back to the hash value. It then takes the elements of the message that were signed and creates its own hash that it compares to the decrypted hash. If these don't match, the DKIM check will fail.