Monthly Archives: November 2019

Microsoft Office 365 Requires DMARC Compliance

Microsoft is taking more proactive steps to ensure email security by rolling out a new feature for Office 365 called Unverified Sender. It helps users keep their Outlook inbox safer and reduces fraudulent mail by flagging email that is not DMARC compliant. If you send email to Outlook.com users or Office 365 users, this could severely impact your email deliverability!

How Does the Unverified Sender Feature Work?

According to their official Microsoft Roadmap, the Unverified Sender feature is described as follows:

“Unverified sender is a new Office 365 feature that helps end users identify suspicious messages in their inbox. In order to help customers identify suspicious messages in their inbox, we’ve added an indicator that demonstrates Office 365 spoof intelligence was unable to verify the sender.”

The Unverified Sender feature checks if the sender of an email can be verified. If the message's origin is identified as harmful or fraudulent, the feature gives Outlook users a distinct visual indicator.

When an Unverified Sender is detected, Outlook customers will see a “?” next to a message you sent to their Office 365 inbox, which means it is considered unverified. 

For example:

[Image: message did not pass verification]

Once Unverified Sender is enabled by the user, the warning indicator will alert Office 365 customers to the potential risk that the email poses, especially phishing attacks or sender spoofing attempts.

What Criteria Is Used?

To be Verified, your email must pass either SPF or DKIM authentication and also achieve DMARC compliance. When Outlook can’t verify if the identity of the sender is DMARC compliant, the “?” indicator is displayed in the sender photo field, as shown in the above visual. With this update from Microsoft, DMARC should now be at the top of your priority list if you haven’t adopted it yet.

How Does the Feature Affect My Business?

If your business sends email to Office 365 and Outlook users (which most businesses do today), it's critical to avoid being marked as an unverified sender. Adopting DMARC and getting all your legitimate senders to DMARC compliance is now a business necessity. Without DMARC, you run the risk of having Microsoft's new Unverified Sender feature label your outbound messages as suspicious threats to customers, vendors and partners, impacting your email deliverability and potentially your business.

MxToolbox is here to guide your company through the DMARC process and help optimize your email deliverability.  We offer several solutions to help you get your email DMARC compliant and monitor the on-going DMARC compliance of your email:

  • Delivery Center is our base package that allows you to monitor the SPF, DKIM and DMARC compliance of your email while giving you insight into emerging email threats.
  • Delivery Center Plus gives you all the great reporting of Delivery Center combined with deeper reporting on Phishing and Fraud using your domain.
  • Delivery Center Managed Services gives you access to our Email Experts who manage your DMARC compliance and free you to focus on your business.

 

Using MxToolbox to Set Up SPF, DKIM and DMARC

A few months ago, our friends over at BEMO cybersecurity paid us a huge compliment by blogging on two of our favorite topics, MxToolbox and implementing DMARC. Their blog, MxToolbox: How to Enable SPF, DMARC, and DKIM, is a great guide for setting up SPF, DKIM and DMARC in an Office 365 configuration with a single outbound email sender. If you're getting started with SPF, DKIM and DMARC, this is a great guide to using our free tools and improving your Office 365 configuration for better email delivery.

Since not all outbound email configurations are the same, our delivery experts had a few thoughts to add…

Do you have Multiple Outbound Senders?

Most companies send corporate email from a centralized set of servers.  Office 365 and Gmail do this for many companies, but you could also have an internal email setup like MS Exchange.  However, many companies also employ one or many 3rd party email senders.  For example:

  • Marketing Automation (Marketo, Eloqua, Hubspot, etc.)
  • Email Campaign Tools (Mailchimp, Constant Contact, etc.)
  • Customer Relationship Managers (Salesforce, Zoho, Microsoft Dynamics, etc.)
  • Support Ticketing Systems (LiveAgent, ZenDesk, etc.)
  • Order Management and Fulfillment

You will want these services to send email “from” your domain, so they need to be included in your SPF, DKIM and DMARC configurations. This means adding IP address ranges to your SPF record, setting up additional DKIM keys, and monitoring DMARC compliance for all your outbound email senders.

Do you send email from Multiple Domains?

Whether your company has acquisitions or other brands you wish to send email from, you may operate and email from multiple domains.  For this type of configuration, you’ll need to configure SPF, DKIM and DMARC for each domain you send from.  Similarly, MxToolbox Experts are finding that it has become more common to send email from a dedicated subdomain, like email.yourdomain.com.  This also requires careful thought and may need additional SPF, DKIM and DMARC configuration.

Everyone should be looking at DMARC Reports

When you configure DMARC records there are two important tags that you can use to elicit feedback on your sent email from inbox providers – RUA and RUF.

[Image: MxToolbox DMARC record]

RUA – Lists the email addresses where you would like to receive SPF, DKIM and DMARC compliance information from inbox providers.

RUF – Lists the email addresses where you would like to receive Forensic data on failed email from your domain.

These RUA and RUF reports are sent in XML format by each individual inbox provider.  The information sent is highly valuable to protecting and improving your email deliverability.  However, to gain insight from them, you need some way to aggregate these reports across all these inbox providers.

Go slowly on your road to Quarantine or Reject Policies

If you have a single sender setup, then you can go straight to Quarantine or Reject policies on DMARC without concern for a portion of your email being unfairly rejected.  Most companies, though, have multiple outbound email senders.  Before you commit to Quarantine or Reject, you need to ensure that all of your legitimate outbound email senders are sending SPF, DKIM and DMARC compliant email.  If not, email from these sources may miss the inbox.  It takes some time and effort to:

  1. Examine DMARC reports
  2. Uncover non-compliant senders
  3. Update each non-compliant configuration
  4. Evaluate the changes you made

Once you are confident that your legitimate email is getting through, the DMARC record enables you to set a percentage of your email to the Quarantine policy. Starting with a small fraction, like 10%, gives you the opportunity to detect any email that might go missing from customers’ inboxes. MxToolbox recommends a slow, iterative approach through Quarantine to Reject policies. Once you are at 100% Reject, MxToolbox recommends continual evaluation of your senders’ DMARC compliance.
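
An added example (not MxToolbox code) of what the percentage setting does to mail that fails DMARC at each rollout stage. It assumes the RFC 7489 rule that failing messages not selected by the pct tag get the next-lower policy, so p=reject with pct=10 still quarantines the other 90%; the records, mailbox addresses and example.com are constructed.

```python
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none"}  # RFC 7489 section 6.6.4

# Constructed rollout stages for the placeholder domain example.com.
RUA = "rua=mailto:dmarc-rua@example.com"
ROLLOUT = [
    f"v=DMARC1; p=none; {RUA}; ruf=mailto:dmarc-ruf@example.com",
    f"v=DMARC1; p=quarantine; pct=10; {RUA}",
    f"v=DMARC1; p=quarantine; pct=100; {RUA}",
    f"v=DMARC1; p=reject; pct=10; {RUA}",
    f"v=DMARC1; p=reject; {RUA}",
]

def parse_dmarc(record):
    """Parse a DMARC TXT value into a dict of tags, validating the basics."""
    pairs = [part.split("=", 1) for part in record.split(";") if part.strip()]
    if any(len(pair) != 2 for pair in pairs):
        raise ValueError("malformed tag (expected name=value)")
    tags = {name.strip().lower(): value.strip() for name, value in pairs}
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    for tag in ("rua", "ruf"):  # stricter than the RFC: only mailto: is accepted here
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().lower().startswith("mailto:"):
                raise ValueError(f"{tag} entry is not a mailto: URI: {uri.strip()}")
    tags["pct"] = pct
    return tags

def failing_mail_split(record):
    """Percent of DMARC-failing mail that receives each disposition."""
    tags = parse_dmarc(record)
    policy, pct = tags["p"], tags["pct"]
    if policy == "none" or pct == 100:
        return {policy: 100}
    split = {policy: pct, NEXT_LOWER[policy]: 100 - pct}
    return {name: share for name, share in split.items() if share}

if __name__ == "__main__":
    for stage in ROLLOUT:
        print(failing_mail_split(stage), "<-", stage)
```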

Leverage MxToolbox SPF and DMARC record generators

As part of our suite of free tools, MxToolbox provides an SPF Record Generator and DMARC Record Generator tool. Use these to help you get the syntax of your DNS records correct, then use our check tools to verify that your DNS entries are properly detectable by the outside world.

BIMI Lookup Tool

MxToolbox is excited to announce the unveiling of another free tool for your use: the new BIMI Lookup tool. This innovative tool enables you to test your Brand Indicator for Message Identification (BIMI) records, ensuring that your BIMI record is correct and adheres to the current standards.  A missing or incorrectly formatted BIMI record means your customers may not see your domain’s logo in their inboxes. 

What’s BIMI and Why’s It Such a Big Deal?

BIMI is an industry-wide standards effort to display brand logos next to the brand’s email messages in customers’ inboxes. The logos act as indicators of trust that help message recipients recognize and avoid fraudulent emails delivered to their inboxes. This new standard, which is currently in beta testing, is important to email senders and their customers alike. Businesses get a prime opportunity to add trust to the emails they send and increase the visibility and ROI of their email programs, while recipients also benefit from senders deploying DMARC and other BIMI authentication standards to reduce the success of phishing attacks.

BIMI builds off of DMARC, with some outlets calling it DMARC 2.0, and will only display if you have deployed DMARC. Several Oath brands (Yahoo!, AOL, etc.) are currently beta testing the BIMI standard with their mailbox users. Gmail will also be rolling out their own beta test of the BIMI protocol in 2020. With Gmail’s current 1.2 billion worldwide users able to see a company’s logo displayed within a year’s time, adopting the BIMI standard will be highly beneficial to your business email practices. As DMARC and BIMI work in tandem to improve message delivery, it becomes imperative your brand utilizes these pioneering email technologies and standards.

How MxToolbox’s BIMI Lookup Tool Works

The new BIMI Lookup tool allows you to check for errors in your BIMI record’s published content, syntax, DMARC record format, or image format. When you enter your company’s domain name and click the “BIMI Lookup” button, this diagnostic tool will parse the BIMI record for the supplied domain, display its BIMI record, and run a series of diagnostic checks against that specific record. The provided results will help you recognize any current issues in your BIMI record’s setup that may prevent your logo from being displayed in Yahoo!, AOL, and Gmail (early 2020) inboxes.


Ultimate Combo

MxToolbox’s free BIMI Lookup tool is a great way to ensure your BIMI record is set up correctly and displays your logo as intended. BIMI provides your business an opportunity to grow your brand and protect your customers. Implementing this standard and monitoring it with our new tool are positive steps in improving your business email delivery. Don’t let your messages be sent to the Junk folder anymore.