BIMI Monitoring has arrived

MxToolbox is happy to announce additional support for BIMI in the form of BIMI record monitoring.  Now, you can be confident that all your important email deliverability records are properly configured and constantly monitored by our experts.

What is BIMI?

BIMI is an email delivery standard that works with other standards (SPF, DKIM and DMARC) to publish an image or logo on an end-user’s email box when an email comes from you. BIMI helps your email recipients feel confident that an email is legitimately from you and helps to protect your brand from use in fraud and phishing.

How does BIMI work?

First, you need to have SPF, DKIM and DMARC properly set up.  Next, you publish a BIMI DNS record that defines your preferred logo image.  Then, when you send email to a user on a BIMI-supported inbox provider, like Yahoo! and, in Summer 2020, Google, you have a chance of displaying your logo.

Inbox providers will check for DMARC compliance on every email.  If the email passes DMARC tests, then this inbox provider will check for a BIMI record.  If a valid BIMI record is found, then the inbox provider will display your logo next to the email.  As these checks happen on each email, you need to be sure that your email is both passing DMARC and that your BIMI record is accessible every time you send email.  With a BIMI logo next to every email you send, your customers will be reassured that each email is a legitimate communication from you and have your brand top of mind.

MxToolbox BIMI Monitoring

MxToolbox is expanding our support for BIMI by announcing the inclusion of BIMI record configuration monitoring as part of MxToolbox Delivery Center.  You can already test your BIMI record with our Supertool, but now we offer integrated alerts when BIMI is non-accessible or misconfigured.

Since BIMI is dependent on SPF, DKIM and DMARC, MxToolbox highly recommends that you adopt tools, like Delivery Center, to help you set up and maintain these technologies while also monitoring your day-to-day DMARC compliance.  MxToolbox Delivery Center leverages our email expertise to improve your email deliverability and allows you to focus on running your business.  Adding BIMI to a tool like Delivery Center will help improve your email delivery and improve the visibility of your brand.

ARC Protocol – Getting your email delivered

Recently, RFC 8617 established the Authenticated Received Chain (ARC) Protocol, a new and powerful email authentication and security standard that allows legitimate forwarded emails to be delivered without any issues.   ARC has been in testing for several years with Google and another inbox provider to transform the theoretical solution into a full-fledged standard.

What is ARC?

ARC allows mail handlers (email servers) to preserve a “chain of custody” that shows where the respective message originated and all subsequent handling entities via authentication data when forwarding emails. To get more specifics about the ARC protocol, click here.

Before ARC, a forwarded email would no longer pass DKIM alignment because there was no standard for preserving the original and subsequent DKIM signatures.  An unaligned message might then fail DMARC and be rejected by the final inbox provider and never reach your customer’s inbox.

The ARC protocol establishes a standard for preserving DKIM alignment when a message is forwarded.  This helps these messages look less suspicious to the receiving inbox providers by ensuring emails that are forwarded pass authentication and avoid being labeled as spoofed messages. 
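The chain of custody described above is carried in three header fields that RFC 8617 has each handler add (ARC-Authentication-Results, ARC-Message-Signature and ARC-Seal), numbered with an i= instance tag. The following is an added example, not MxToolbox code, that runs only the structural checks a receiver makes before any signature verification; the sample message and its placeholder signature values are constructed.

```python
import re
from email import message_from_string

ARC_FIELDS = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

# Constructed two-hop sample; the b=/bh= values are placeholders, not real signatures.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=list.example; s=arc;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; list.example; arc=pass; dkim=fail; spf=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder.example; dkim=pass header.d=example.com; spf=pass
From: sender@example.com
Subject: constructed sample

Body text.
"""


def tag(value, name):
    """Return the value of one 'name=value' tag from a ';'-separated header."""
    m = re.search(rf"(?:^|;)\s*{name}\s*=\s*([^;\s]+)", value)
    return m.group(1) if m else None


def arc_chain_structure(raw_message):
    """Structural checks only: returns (status, reason). No signature is verified."""
    msg = message_from_string(raw_message)
    sets = {}
    for field in ARC_FIELDS:
        for value in msg.get_all(field, []):
            i = tag(value, "i")
            if i is None or not re.fullmatch(r"[0-9]{1,2}", i) or not 1 <= int(i) <= 50:
                return "fail", f"{field} has a missing or invalid i= tag"
            instance = sets.setdefault(int(i), {})
            if field in instance:
                return "fail", f"duplicate {field} for i={i}"
            instance[field] = value
    if not sets:
        return "none", "message carries no ARC sets"
    count = max(sets)
    if sorted(sets) != list(range(1, count + 1)):
        return "fail", "instance numbers are not contiguous from 1"
    for i in range(1, count + 1):
        missing = [f for f in ARC_FIELDS if f not in sets[i]]
        if missing:
            return "fail", f"i={i} is missing {', '.join(missing)}"
        # The first seal has no earlier chain to vouch for; later seals must say pass.
        cv = tag(sets[i]["ARC-Seal"], "cv")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return "fail", f"ARC-Seal i={i} has cv={cv}, expected cv={expected}"
    return "structure-ok", f"{count} ARC set(s); signatures still need verifying"


if __name__ == "__main__":
    print(arc_chain_structure(SAMPLE))
```

A result of structure-ok is not a passing chain: the newest ARC-Message-Signature and every ARC-Seal must still be verified cryptographically, and the receiver decides whether it trusts the domains that sealed the message.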

Why is ARC important?

ARC becoming a standard applied to all inbox providers is highly important for your email deliverability. With ARC, if your business forwards email and has implemented DKIM, your email chain of custody will no longer break, resulting in higher delivery rates.  While SPF alignment breaks under most message forwarding instances, DKIM breaks when emails pass through forwarding services that modify content involving a DKIM signature. Even if the email fails SPF and DKIM validations, the inbox provider can choose to validate the ARC standard.

It is imperative that your business email implement DKIM as soon as possible to improve email deliverability and leverage the benefits of ARC.

ARC Enables more DMARC Adoption

The creation of the ARC standard shows continued support for the DKIM, SPF and DMARC standards that are the basics for email deliverability.  ARC allows messages that have been forwarded via mailing lists, list servers, and email gateways to pass DKIM authentication and not break during delivery.  DKIM is integral to achieving DMARC compliance, so the ARC standard also allows more senders to pass strict DMARC policies.  Strict DMARC policies block non-DMARC-compliant email to improve your company’s overall email deliverability by reducing the threat of fraud and phishing using your domain.

What do I need to do to take advantage of ARC?

The first steps to leveraging ARC involve the adoption of basic email deliverability standards – SPF, DKIM and DMARC.  If you have not already read it, MxToolbox has a great guide to setting up these protocols.  Once you have SPF, DKIM and DMARC set up, inbox providers that have adopted ARC will automatically process your email appropriately.

MxToolbox Delivery Center provides everything you need to manage the on-going maintenance of email delivery.  Learn more about Delivery Center and how we can help you with email deliverability!

Email Delivery’s On-going Maintenance

You configured all your email senders.  SPF, DKIM and DMARC seem to be well-tuned.  Email compliance appears to be good.  Email is being delivered and most email appears to make it to your customers’ inboxes.  Open rates look reasonable.  You’re done, right?

Steps to a “Complete” Email Delivery posture

To get to an optimal email delivery posture, you need to finely tune the components of your email senders.

  1. Identify all your email senders.  Who is sending email on behalf of your domain? This may sound trivial, but it’s not.  IT set up your main outbound servers, but is Marketing using Marketing Automation, Sales using a CRM, or Order Management using a separate Invoicing and Order Fulfillment system?
  2. Include all your senders in your SPF.  If not, most inbox providers will automatically deny your email.  Google, Office365, Yahoo! and many other inbox providers automatically refuse email if the sending domain’s SPF record does not include the sending servers.
  3. Set up DKIM on all your email senders.  DKIM allows you to cryptographically sign your emails so recipients know they are from you.
  4. Set up a DMARC record and direct RUA and RUF to a service, like MxToolbox’s Delivery Center, that can analyze and provide feedback on DMARC compliance.
  5. Monitor DMARC compliance across your senders.  This may mean revisiting steps 1, 2, 3 & 4 as you discover new senders or the configurations need updating.
  6. Gradually change your DMARC policy from None to Quarantine to Reject.  Stricter policies will help prevent fraud and phishing using your domain which will improve your overall email deliverability.

I’m at a Strict DMARC Policy, I’m done.  Right?

Nope!  Strict policies will help prevent fraud and phishing using your domain, but this can also deny legitimate email from new or misconfigured sources.

You need to have an on-going maintenance plan.

MxToolbox recommends:

  • Regular monitoring of SPF, DKIM and DMARC configurations.  If your senders change their configurations, it can cause issues with your email delivery.
  • Regular monitoring of your senders’ blacklist status.  If you or your senders are blacklisted, then your email will be blocked before ever reaching an inbox.
  • Regular monitoring of SPF, DKIM and DMARC compliance rates.  A low compliance rate means that legitimate email may be blocked.
  • Adoption of new technologies as they arise.  For example, BIMI, ARC or VMC are beginning to be adopted by inbox providers and email senders.
  • Regular monitoring for new email senders.  Some of these may be emerging threats to your brand while others may be legitimate senders adopted by other departments without your knowledge.


First Verified Mark Certificate Issued

Recently, JPMorgan Chase became the first company to adopt the VMC standard, and companies gained another tool to prevent email fraud. 

What is VMC?

Verified Mark Certificate (VMC) is a method to watermark outbound messages to declare the email comes from an official, legitimate source.  With a certificate like this, senders get better email deliverability because email recipients will see a valid VMC as a certificate of trust for emails.

Entrust Datacard, a U.S.-based provider of trusted identity and secure issuance technology solutions, recently issued the first VMC certificate to JP Morgan Chase. Entrust developed the new vendor-neutral VMC solution in collaboration with the AuthIndicators Working Group, a committee of companies responsible for creating the Brand Indicators for Message Identification (BIMI) standard.  While the VMC and BIMI standards are still in the early stages of definition and adoption, this announcement indicates a big push to get BIMI into inboxes.

What is BIMI?

The BIMI protocol helps to improve email authentication and brand assurance by allowing a sender to publish a logo icon through DNS.  Inbox providers then use this logo to highlight DMARC compliant emails from the sender, thereby providing a reassurance to users that this email is free from phishing and spoofing attacks.  The logos themselves will also make it easier for customers to recognize their preferred companies in inboxes and increase brand awareness by prominently displaying trusted logos. 

How do VMC and BIMI work together?

The goal of VMC is to prove that a BIMI image is authentic and not a fake image of a trusted source (the sender, Microsoft, Amazon, or JP Morgan, for example) used by a scammer.  Validating that a BIMI-displayed logo is legitimate will make phishing and spoofing practices more difficult to accomplish. While BIMI allows companies to display logos in supported inboxes, VMC authenticates that the logos are valid and owned by the actual sender of the email.

The recent exciting news that JPMorgan Chase was granted the first VMC is a promising sign that BIMI should be standardized soon. BIMI, which leverages DMARC, continues the technological trend of making it difficult for online fraudsters and phishing attacks to trick unsuspecting victims.

How MxToolbox Helps

To achieve the BIMI standard, Domain-based Message Authentication, Reporting, and Conformance (DMARC), along with SPF and DKIM, must first be implemented. MxToolbox’s team of email delivery experts and tools can help you implement and understand DMARC to help your business attain email deliverability.

First, MxToolbox provides a free DMARC lookup tool to analyze your DMARC record and make recommendations for getting your email DMARC compliant.

In addition, MxToolbox’s BIMI Lookup tool is a free diagnostic tool that will look for a BIMI record for the supplied domain name and run a series of diagnostic checks against the record to ensure compliance with standards and accessibility of the BIMI icon to inbox providers.  As the VMC standard is defined, MxToolbox will extend our tools to check and validate VMC certificates.

Finally, MxToolbox is here to guide your company through the DMARC process and help optimize your email deliverability.  We offer several solutions to help you get your email DMARC compliant and monitor the on-going DMARC compliance of your email:

  • Delivery Center is our base package that allows you to monitor the SPF, DKIM and DMARC compliance of your email while giving you insight into emerging email threats.
  • Delivery Center Plus gives you all the great reporting of Delivery Center combined with deeper reporting on Phishing and Fraud using your domain.
  • Delivery Center Managed Services gives you access to our Email Experts who manage your DMARC compliance and free you to focus on your business.

Microsoft Office 365 Requires DMARC Compliance

Microsoft is taking more proactive steps to ensure email security by rolling out a new feature for Office 365 called Unverified Sender.  It allows users to keep their Outlook inbox safer and reduce fraudulent mail by flagging email that is not DMARC compliant.  If you send email to Outlook.com users or Office 365 users, this could severely impact your email deliverability!

How Does the Unverified Sender Feature Work?

According to their official Microsoft Roadmap, the Unverified Sender feature is described as follows:

“Unverified sender is a new Office 365 feature that helps end users identify suspicious messages in their inbox. In order to help customers identify suspicious messages in their inbox, we’ve added an indicator that demonstrates Office 365 spoof intelligence was unable to verify the sender.”

The Unverified Sender feature checks if the sender of an email can be verified. If its origin is found and identified as harmful/fraudulent, this feature works by providing Outlook users with a distinct visual indicator. 

When an Unverified Sender is detected, Outlook customers will see a “?” next to a message you sent to their Office 365 inbox, which means it is considered unverified. 

For example:

[Image: message did not pass verification]

Once Unverified Sender is enabled by the user, the warning indicator will alert Office 365 customers about the potential risk that the email poses, especially phishing attacks or sender spoofing attempts.

What Criteria Is Used?

To be Verified, your email must pass either SPF or DKIM authentication and also achieve DMARC compliance. When Outlook can’t verify if the identity of the sender is DMARC compliant, the “?” indicator is displayed in the sender photo field, as shown in the above visual. With this update from Microsoft, DMARC should now be at the top of your priority list if you haven’t adopted it yet.

How Does the Feature Affect My Business?

If your business sends email to Office 365 and Outlook users (which most businesses do today), it’s critical to avoid being marked as an unverified sender.  Adopting DMARC and getting all your legitimate senders to DMARC compliance is now a business necessity. Without DMARC, you run the risk of having Microsoft’s new Unverified Sender feature label your outbound messages as suspicious threats to customers, vendors and partners, impacting your email deliverability and potentially your business.


Using MxToolbox to set up SPF, DKIM and DMARC

A few months ago, our friends over at BEMO cybersecurity paid us a huge compliment  by blogging on two of our favorite topics, MxToolbox and implementing DMARC.  Their blog, MxToolbox: How to Enable SPF, DMARC, and DKIM, is a great guide for setting up SPF, DKIM and DMARC in a single outbound email sender Office 365 configuration.  If you’re getting started with SPF, DKIM and DMARC, this is a great guide to using our free tools and improving your Office 365 configuration for better email delivery.  

Since not all outbound email configurations are the same, our delivery experts had a few thoughts to add…

Do you have Multiple Outbound Senders?

Most companies send corporate email from a centralized set of servers.  Office 365 and Gmail do this for many companies, but you could also have an internal email setup like MS Exchange.  However, many companies also employ one or many 3rd party email senders.  For example:

  • Marketing Automation (Marketo, Eloqua, Hubspot, etc.)
  • Email Campaign Tools (Mailchimp, Constant Contact, etc.)
  • Customer Relationship Managers (Salesforce, Zoho, Microsoft Dynamics, etc.)
  • Support Ticketing Systems (LiveAgent, ZenDesk, etc.)
  • Order Management and Fulfillment

You will want these services to send email “from” your domain, so they need to be included in your SPF, DKIM and DMARC configurations.  This will mean additional IP address ranges in your SPF record, additional DKIM keys set up and monitoring DMARC compliance for all your outbound email senders.

Do you send email from Multiple Domains?

Whether your company has acquisitions or other brands you wish to send email from, you may operate and email from multiple domains.  For this type of configuration, you’ll need to configure SPF, DKIM and DMARC for each domain you send from.  Similarly, MxToolbox Experts are finding that it has become more common to send email from a dedicated subdomain, like email.yourdomain.com.  This also requires careful thought and may need additional SPF, DKIM and DMARC configuration.

Everyone should be looking at DMARC Reports

When you configure DMARC records there are two important tags that you can use to elicit feedback on your sent email from inbox providers – RUA and RUF.

[Image: MxToolbox DMARC record]

RUA – List the email addresses you would like to receive SPF, DKIM and DMARC compliance information from inbox providers.

RUF – List the email addresses you would like to receive Forensic data on failed email from your domain.

These RUA and RUF reports are sent in XML format by each individual inbox provider.  The information sent is highly valuable to protecting and improving your email deliverability.  However, to gain insight from them, you need some way to aggregate these reports across all these inbox providers.

Go slowly on your road to Quarantine or Reject Policies

If you have a single sender setup, then you can go straight to Quarantine or Reject policies on DMARC without concern for a portion of your email being unfairly rejected.  Most companies, though, have multiple outbound email senders.  Before you commit to Quarantine or Reject, you need to ensure that all of your legitimate outbound email senders are sending SPF, DKIM and DMARC compliant email.  If not, email from these sources may miss the inbox.  It takes some time and effort to:

  1. Examine DMARC reports
  2. Uncover non-compliant senders
  3. Update each non-compliant configuration
  4. Evaluate the changes you made
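Steps 1 and 2, together with the earlier point that the XML reports have to be aggregated across inbox providers, can be sketched as follows. This is an added example, not MxToolbox code: it reads RUA aggregate reports in the RFC 7489 layout, totals DMARC pass and fail counts per source IP across reporters, and lists the sources that fall below a pass-rate threshold. The two reports, the addresses and the 98% threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def sample_report(org, rows):
    """Build a constructed aggregate report; rows are (source_ip, count, dkim, spf)."""
    records = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count>"
        f"<policy_evaluated><disposition>none</disposition>"
        f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
        f"<identifiers><header_from>example.com</header_from></identifiers></record>"
        for ip, n, dkim, spf in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name></report_metadata>"
            f"<policy_published><domain>example.com</domain><p>none</p>"
            f"</policy_published>{records}</feedback>")


# Constructed data: two inbox providers reporting on the same sending domain.
REPORTS = [
    sample_report("provider-a.example", [("192.0.2.10", 120, "pass", "pass"),
                                         ("198.51.100.7", 30, "fail", "fail"),
                                         ("203.0.113.5", 5, "fail", "fail")]),
    sample_report("provider-b.example", [("192.0.2.10", 80, "pass", "fail"),
                                         ("198.51.100.7", 10, "fail", "fail"),
                                         ("203.0.113.5", 45, "fail", "pass")]),
]


def parse_report(xml_text):
    """Yield one dict per <record>. Reports arrive by email from outside parties,
    so DTDs and entity declarations are refused before the parser sees them."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(xml_text)
    org = root.findtext("report_metadata/org_name", default="unknown")
    for row in root.iterfind("record/row"):
        yield {"org": org,
               "ip": row.findtext("source_ip", default="unknown"),
               "count": int(row.findtext("count", default="0")),
               "dkim": row.findtext("policy_evaluated/dkim", default="fail"),
               "spf": row.findtext("policy_evaluated/spf", default="fail")}


def aggregate(reports):
    """Sum DMARC pass/fail message counts per source IP across all reporters."""
    totals = defaultdict(lambda: {"pass": 0, "fail": 0, "reporters": set()})
    for xml_text in reports:
        for rec in parse_report(xml_text):
            # DMARC passes when either aligned DKIM or aligned SPF passes.
            ok = rec["dkim"] == "pass" or rec["spf"] == "pass"
            entry = totals[rec["ip"]]
            entry["pass" if ok else "fail"] += rec["count"]
            entry["reporters"].add(rec["org"])
    return totals


def non_compliant(totals, threshold=0.98):
    """Return (ip, messages, pass_rate) for sources below the threshold, by volume."""
    flagged = []
    for ip, entry in totals.items():
        messages = entry["pass"] + entry["fail"]
        rate = entry["pass"] / messages if messages else 0.0
        if rate < threshold:
            flagged.append((ip, messages, round(rate, 3)))
    return sorted(flagged, key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, messages, rate in non_compliant(aggregate(REPORTS)):
        print(f"{ip}: {messages} messages, {rate:.0%} DMARC pass")
```

A flagged source is either a legitimate sender that still needs SPF or DKIM configuration or a source you do not recognise; both cases need resolving before the policy moves to Quarantine or Reject.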

Once you are confident that your legitimate email is getting through, the DMARC record enables you to set a percentage of your email to the Quarantine policy.  Starting with a small fraction, like 10%, gives you the opportunity to detect any email that might go missing from customers’ inboxes.  MxToolbox recommends a slow, iterative approach through Quarantine to Reject policies.  Once you are at 100% Reject, MxToolbox recommends continual evaluation of your senders’ DMARC compliance.

Leverage MxToolbox SPF and DMARC record generators

As part of our suite of free tools, MxToolbox provides an SPF Record Generator and DMARC Record Generator tool.  Use these to help you get the syntax of your DNS records correct, then use our check tools to verify that your DNS entries are properly detectable by the outside world.

BIMI Lookup Tool

MxToolbox is excited to announce the unveiling of another free tool for your use: the new BIMI Lookup tool. This innovative tool enables you to test your Brand Indicator for Message Identification (BIMI) records, ensuring that your BIMI record is correct and adheres to the current standards.  A missing or incorrectly formatted BIMI record means your customers may not see your domain’s logo in their inboxes. 

What’s BIMI and Why’s It Such a Big Deal?

BIMI is an industry-wide standards effort to display brand logos next to the brand’s email messages in their customer’s inboxes as indicators of trust to help message recipients recognize and avoid fraudulent emails delivered to their inboxes. This new standard, which is currently in beta testing, is important to email senders and their customers alike. Businesses get a prime opportunity to add trust to the emails they send and increase the visibility and ROI of their email programs, while recipients also benefit from senders deploying DMARC and other BIMI authentication standards to reduce the success of phishing attacks.

BIMI builds off of DMARC, with some outlets calling it DMARC 2.0, and will only display if you have deployed DMARC. Several Oath brands (Yahoo!, AOL, etc.) are currently beta testing the BIMI standard with their mailbox users. Gmail will also be rolling out their own beta test of the BIMI protocol in 2020. With Gmail’s current 1.2 billion worldwide users able to see a company’s logo displayed within a year’s time, adopting the BIMI standard will be highly beneficial to your business email practices. As DMARC and BIMI work in tandem to improve message delivery, it becomes imperative your brand utilizes these pioneering email technologies and standards.

How MxToolbox’s BIMI Lookup Tool Works

The new BIMI Lookup tool allows you to check for any errors included in your BIMI record published content, syntax check content, DMARC record format, or image format content. By entering your company’s domain name and clicking the “BIMI Lookup” button, this diagnostic tool will parse the BIMI record for the supplied domain, display its BIMI record, and run a series of diagnostic checks against that specific record. The provided results will help you recognize any current issues in your BIMI record’s setup that may prevent your logo from being displayed in Yahoo!, AOL, and Gmail (early 2020) inboxes.
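The kind of record checks described above, and the dependency on DMARC explained under “How does BIMI work?”, look like this in code. It is an added example and not the MxToolbox tool: the record name (default._bimi.<domain>), the v=, l= and a= tags and the requirement for an enforcing DMARC policy are taken from the BIMI draft rather than from this page, the records are constructed, and the logo file itself is not fetched or inspected.

```python
from urllib.parse import urlparse


def bimi_dns_name(domain, selector="default"):
    """DNS name where the BIMI TXT record for a domain is published."""
    return f"{selector}._bimi.{domain}"


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into ordered (tag, value) pairs."""
    pairs = []
    for part in (record or "").split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def is_https_url(url):
    """True when the URL uses https and names a host."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def check_bimi(bimi_txt, dmarc_txt):
    """Return a list of problems; an empty list means the records look usable."""
    problems = []
    dmarc = dict(parse_tags(dmarc_txt))
    if dmarc.get("v") != "DMARC1":
        problems.append("no valid DMARC record; BIMI depends on DMARC")
    elif dmarc.get("p", "").lower() not in ("quarantine", "reject"):
        # Assumption taken from the BIMI draft: p=none is not eligible.
        problems.append("DMARC policy is not enforcing (p=quarantine or p=reject)")
    tags = parse_tags(bimi_txt)
    if not tags or tags[0] != ("v", "BIMI1"):
        problems.append("BIMI record missing or does not start with v=BIMI1")
        return problems
    bimi = dict(tags)
    logo = bimi.get("l", "")
    if not logo:
        problems.append("l= is empty or missing, so no logo is published")
    elif not is_https_url(logo):
        problems.append("l= must be an https:// URL")
    # a= points at the certificate evidence (the VMC) when one is published.
    evidence = bimi.get("a", "")
    if evidence and not is_https_url(evidence):
        problems.append("a= must be an https:// URL")
    return problems


# Constructed sample records for example.com (not taken from live DNS).
GOOD_BIMI = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print(bimi_dns_name("example.com"), check_bimi(GOOD_BIMI, GOOD_DMARC))
    print(check_bimi("v=BIMI1; l=http://example.com/logo.svg", "v=DMARC1; p=none"))
```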

To learn more about BIMI and how it’ll benefit your business, please click here.

Ultimate Combo

MxToolbox’s free BIMI Lookup tool is a great way to ensure your BIMI record is set up correctly and displays your logo as intended. BIMI provides your business an opportunity to grow your brand and protect your customers. Implementing this standard and monitoring it with our new tool are positive steps in improving your business email delivery. Don’t let your messages be sent to the Junk folder anymore.