Our partner, Message Systems, recently held Insight 2014, a user conference which I attended and spoke at. There I talked about the features of Message Systems’ adaptive delivery and how Inbox Marketer worked with their development team to build and test rules that changed the way the Momentum platform automatically trafficked. This helped by shaping email delivery and backing-off automatically when an Internet Service Provider (ISP) is overloaded or a mailer’s reputation changes. I also spoke alongside our partner 250ok about 2014 email trends in North America, where we compared email benchmarks from our platform with global trends relating to Inbox Placement Rates (IPR).
Accurate Email Authentication Records
On two other panels at the user conference, a number of ISP representatives presented on the importance of accurate email authentication records. ISPs are starting to look at how email is being authenticated and over-riding some of the records that are overly generous or not secure enough.
The first part of the discussion dealt with Sender Policy Frameworks (SPF) records that used a '+all' flag in the record. This flag is telling the receiving mail servers that all the Internet Protocols (IPs) in the record and all others in the world could be valid for sending email. This is basically a record in name only but does not actually authenticate in any positive manor. This makes it difficult for an ISP to validate that the messages are approved to be sent on your behalf. The consensus from the group was that these records would be ignored. Domains using them are more likely to be abused and used for deceptive messaging (malware/phishing) or spam. Apparently this is increasing in popularity; as more organizations publish good records, those with no authentication or very loose authentication are becoming higher value targets.
The second topic dealt with very large sections of IP space being used in the SPF records, when only a small subset of IP addresses are being used for sending email. By over-approving IP space, a company can make their records overly generous, opening their network up to abuse from unapproved internal sources or infected systems that are being approved to send on your behalf. By limiting the authentication records to just active mail domains and servers you can protect your brand and your reputation from internal harm and abuse.
The last key item the ISPs talked about is how you can assume reputation from your existing records when moving IPs or adding new IPs. By updating your existing networks in your authentication records, ISPs are starting to associate your existing reputation with the new IP space as a way to reduce the time needed to warm up new IPs. This process is working on the assumption that your behaviour is positive and the same behaviour will carry over onto the new IPs. This will be very important for domain migrations should you be adding new vendors or IPs, changing service providers, or moving data centres.
A Final Thought
What good is all this authenticating if you are not getting feedback on its effectiveness? An overriding theme at several conferences this year was DMARC, which stands for "Domain-based Message Authentication, Reporting & Conformance." It is a fairly new authentication solution that allows the domain owner to receive regular reports on how their mail domains are being used and how ISPs are interpreting their authentication records. These reports provide insight into the source of the email (IP Sending), how it processed against your authentication records (Pass/Fail), whether it was forwarded from somewhere else, and how many messages they say are from the same source. This can be extremely valuable for brands being phished or spoofed to understand the reach and size of the attacks. DMARC also has features that allow brands to request that an ISP block failed messages and send sample reports for analysis and potential take down, should the sites be found to be sending fraudulent emails.
Key Take Aways:
- Use smaller groups of IPs - limit to the networks that are actually sending your email, don't list all your networks in your records.
- Apply an actual policy in your records '~all' or '-all' are recommended over the options '?all' and '+all'.
Start publishing monitor only DMARC records (p=none), so that you can see potential brand reputation issues before they become a problem and be proactive when you react to the threats.