Your Email Resource.
Deliverability
Articles and guides relating in delivering emails to ISP’s and bypassing spam filters.
Why should I implement a SPF record on my domain?
42 years ago
In our earlier post titled ‘What is SPF?‘ we established what sender policy framework was and how it works.
This time Email Manual will look at the reasons for implementing an SPF record on your domain and discussing the common objection.
Prevent potential damage to your brand.
By implementing an SPF record (sender policy framework) spammers and phishers are less likely to choose your domain as their ‘cover’ domain.
This is because spammers will seek domains which do not implement any form of email authentication as there is a higher chance they will get through spam filters at the receiving domain. Without SPF/email authentication when the remote mail server receives an email it will have no way to verify or check whether the email is likely to be genuine or not and will therefore have to rely on unreliable content filtering to establish whether the email is likely to be spam or not. Content filtering relies on patterns like words or phrases within the body or subject of the message and the receiving mail server will make a decision on whether your email is genuine purely on the content of your message. With SPF the spam filter at the remote mail server will be able to make a more informed decision as to whether the message is genuine or not.
If you do implement SPF however it is still possible that spammers will attempt to use your domain as their cover domain and attempt to deliver messages using it. When this happens the remote mail server will check against your SPF record and recognize that the source of the email it has just received is not authorised to send email for your domain and is likely to block or quarantine your message. This means that if your customers or potential customers are the target of the spam the vast majority of the emails will be blocked which will reduce the impact to any of your non internet savy client base. In addition to helping your own client base and protecting your own brand you are also allowing the wider internet community to cut down on the amount of spam on the internet by being able to pickup on more of it and block it.
SPF can also help you reduce the amount of users that blacklist your domain. Lets imagine a scenario when you have not implemented SPF, a spammer has successfully delivered email to many domains around the word seemingly coming from your domain/brand. In this instance there are likely to be many people around the world marking these emails as spam. Many spam filters use bayesian techniques for the spam filter to “auto learn”. This means that once a user has marked an email coming from your domain as spam, the spam filter will analyse every part of the email, looking for phrases, html patterns, images and the from domain and email address. If the spammer is sending many different emails using your domain one of the few things that will remain consistent will be your domain name and the spam filter will pickup on this. If you then send the mail server that has auto learnt about your domain and the large amount of spam coming from it, a genuine email, the chances are it will be blocked. The chances of this happening will be much reduced if you had implemented SPF.
Spam filters don’t only negatively score emails which fail the SPF check. If an email from a domain passes an SPF check, it is quite feasible that the administrator of that spam filter has added a policy to positively score that email. This means that genuine email from your domain is MORE likely to be delivered to the inbox of the person you are sending an email to.
In Summary then the reasons for implementing SPF are :-
- You domain is less likely to be used by a spammer.
- If your domain is used by a spammer, the emails are far more likely to get blocked.
- You help reduce the amount of overall spam on the internet.
- Your domain is less likely to be blacklisted by bayesian spam filters.
- Genuine email is more likely to get through spam filters.
That being said however, the biggest objection to SPF is that many people think that it ‘breaks’ email forwarding. This is where the email is received by one mail server and then forwards it to another for a particular account or domain. Although this is true if the email server receiving the forwarded mail does inbound SPF checking there are several workarounds you can put in place.
One of most commonly used workarounds is to whitelist the mail server that forwards mail to your own. This means that it can fail the SPF check but you can still choose to allow the email through. The vast majority of mail servers allow whitelisting and this is normally very easy to implement. If you however can not support whitelisting there is another option. The other option is that instead of forwarding from the original domain that the email was sent from, you can instead “resend” the email, e.g take the contents of the original email, put it into a new email and send it from a domain which will not fail SPF checks.
I think you will agree that the benefits far outway the negatives, especially as only a small percentage of domains and users forward mail so no doubt you now want to know how you can go about implementing your SPF record on your domain(s). Email Manual will be posting a guide tomorrow on how to create your SPF record and within a couple of days we will have a guide on how you can implement the SPF record on both BIND and Microsoft DNS servers, why not subscribe via twitter or our RSS feed to be notified of when these guides are available.
Online Trust Alliance shows more than 50% of .Gov domains do not comply with Email Authentication Standards
02 years ago
Further to yesterdays article on fortune 500 companies and US government domains and their non-compliance to adhere to widely used email authentication standards we thought you might like to see the Online Trust Alliance findings for the .gov domains.
Government Agencies such as the Whitehouse, Secret Service and the Federal Communications Commission all fail to adhere to these standards.
A full list of .Gov domains which were analyzed is available from the OTA here.
Yahoo Feedback Loop made available to all.
02 years ago
For a long time Yahoo! have offered a feedback loop which was developed and maintained by themselves. For a brief period this was available to the public but involved signing paperwork, sending it off and waiting over 6 weeks for it to be processed.
This was a major inconvenience to anyone who was mailing for several domains as the feedback loop itself was not done on an IP level like most, but instead a domain level using Domain Key technology which Yahoo! developed with Cisco.
Yahoo have now deprecated their feedback loop by preventing further signups and have now partnered with Return Path and are using them to deliver their feedback loop messages which uses ARF (Abuse Reporting Format) back to the organisation who has signed up to receive the complaints. Organisations should then automatically process these and unsubscribe the complainant. If these ARF messages are processed correctly and complainants are unsubscribed this allows the organisations spam complaint levels to remain low and therefore a good reputation is maintained with Yahoo allowing better delivery of emails to Yahoo users.
For more information on the Yahoo! Feedback Loop see http://feedbackloop.yahoo.net/
Brands must do more to protect their subscribers from phishing.
32 years ago
According to the OTA (Online Trust Alliance) organisations must do more to protect their email subscribers from being victims of phishing scams.
Phishing scams are emails sent by a spammer which mimics a well known brand in order to get the subscriber to disclose usernames and passwords or other personal information. For instance every one of us has received an email claiming to be from our banks. Most of these are easy to spot and consequently easy to ignore but some are not. Spammers will often put in considerable effort, registering similar domains to the genuine brand, putting many hours into the site design containing the genuine brands logos etc which often makes them indistinguishable to the average internet user.
The online trust alliance released a report last month claiming that 56% of .gov Web sites and 45% of leading e-commerce sites are not taking appropriate e-mail and domain security measures.
The report measured 25 government domains, as well as the top 300 online retailers as measured by sales volume during a 10 day period last month.
Analysis was done against the DNS records of the US government and ecommerce sites which shows whether the organisation uses SPF, Domain keys or its slightly younger sister, DKIM and found that a huge percentage of these domains had not adopted one of these email authentication technologies which allows spam filters to pickup on phishing emails/spam and either block or quarantine them.
Whilst big brands and government organisations continue to fail to adopt these sorts of technologies there will always be successful phishing scams. If large organisations like these started to adopt these technologies, spam filters could become more aggressive against domains that don’t authenticate correctly which will apply pressure for smaller brands and individual companies to follow suit which would dramatically help reduce the amount of phishing and spam emails sent across the globe.
A Gartner survey of 5,000 adults in the US estimated that 24.4 million Americans have been duped by a phishing e-mail in 2006. If the larger organisations did their bit in helping IT departments block these sorts of emails it would undoubtedly save the economy millions of pounds which are lost to fraudsters every year.
Email Manual Recommendations:
- Implement SPF on your domain, initally with softfail, then switch to hardfail once you have gained confidence.
- Implement Domain Keys/DKIM on outbound email.
- Block inbound email which hardfails SPF checks.
- Block inbound email which is not Domain key/DKIM signed where the policy record for the domain indicates all mail should be signed.
Goodmail Adopts DKIM: Widening the range of supported MTA’s
02 years ago
Daniel Dreymann the co-founder of Goodmail, the company whose product range includes CertifiedEmail recently wrote on his personal blog that Goodmail are to adopt the use of DKIM as an authentication method rather than relying on a standard which goodmail themselves had designed and implemented involving RSA key pairs and SHA-1.
Daniel said:
“It was a relatively simple matter for us to substitute DKIM for our original authentication layer. The authentication layer was, and still is, a rather prosaic component of CertifiedEmail. The other security components, the “secret sauce” that made CertifiedEmail the best and the only secure email certification system, remain in place. DKIM-based CertifiedEmail is as secure as the original specification of CertifiedEmail.”
The benefit to marketers and IT staff here is that rather than having to run and maintain specialised MTA’s from vendors like Port25, Strongmail, Message systems and Socketlabs nearly all off the shelf mail servers will support DKIM signing on outbound messages. This allows organisations to use CertifiedEmail from Goodmail on your outbound corporate email as well as emails you send through your ESP (Email Service Provider).
If you wish to read more about this news please see the full press release here.