Monthly Archives: June 2022

Apple to Support BIMI in Native Mail Applications

Apple recently announced BIMI support in Apple Mail for iOS 16 and macOS Ventura. In September, Apple Mail will become the most recent major email client to support BIMI.

Why adopt BIMI?

BIMI gives email recipients more confidence in the messages they receive and helps them avoid fraudulent email, because a logo is only displayed for senders that have deployed authenticated, DMARC-enforced email.

BIMI gives marketers and businesses enhanced branding opportunities by attaching the company’s logo to verified messages in the inbox as a reward for adopting DMARC email security technologies. Your customers will trust your correspondence more and your brand will be enhanced.

What is BIMI?

BIMI, or Brand Indicators for Message Identification, is a DNS-based email technology that allows a company to specify a logo for inbox providers to display in an email client. Email providers, such as Gmail, Yahoo Mail, and now Apple Mail, can show this logo to their users next to the sender name of messages from the sending company that pass DMARC. If you receive a legitimate email from Yahoo!, for example, the Yahoo! logo appears beside it.

How do I get BIMI?

BIMI requires DMARC. Before you can get your logo displayed in Apple Mail’s inbox, your email must be fully DMARC compliant and published under an enforcing DMARC policy. Becoming DMARC compliant is a process, but it is very beneficial and strongly recommended: you need to know who is sending email on your behalf, ensure each source is properly configured with both SPF and DKIM, and regularly monitor DMARC aggregate reports to confirm compliance.

Once your verified email sources are fully DMARC compliant, you can move your DMARC policy to “Quarantine” or “Reject”. Inbox providers like Yahoo!, Google and now Apple Mail will only attach a BIMI logo to your email if the message passes DMARC and your domain publishes an enforcing policy (p=quarantine or p=reject) that applies to 100% of your mail (pct=100, the default) and is not weakened for subdomains (no sp=none). Google and Apple Mail additionally require a Verified Mark Certificate (VMC) for the logo; Yahoo! does not.

Need Help with BIMI and DMARC?

Check out your BIMI configuration

Our free BIMI Lookup tool searches for a BIMI record for any submitted domain name. If a record is found, it is shown in detail after a series of diagnostic checks are performed against the record. For example, below are the results for chase.com.
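The diagnostic checks such a lookup performs can be reproduced against the two TXT records involved. The script below is an added example, not MxToolbox’s tool; the domains `ready.example` and `notready.example` and their records are constructed so it runs offline, and the `dig` commands in the docstring are how you would fetch real records.

```python
"""BIMI readiness checks run against constructed DNS TXT records.

Added example, not MxToolbox's tool. In production the records would be fetched with
    dig +short TXT _dmarc.example.com
    dig +short TXT default._bimi.example.com
Here they are embedded as constructed samples so the script runs offline.
"""
from urllib.parse import urlparse

# Constructed sample records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "_dmarc.ready.example": "v=DMARC1; p=reject; rua=mailto:dmarc@ready.example",
    "default._bimi.ready.example": "v=BIMI1; l=https://ready.example/brand/logo.svg; "
                                   "a=https://ready.example/brand/vmc.pem",
    "_dmarc.notready.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@notready.example",
    "default._bimi.notready.example": "v=BIMI1; l=http://notready.example/logo.png;",
}


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_for_bimi(record: str) -> list:
    """Return the reasons a DMARC record is not BIMI-eligible (empty list = eligible).

    BIMI needs an enforcing policy (p=quarantine or p=reject) applied to all mail
    (pct=100, the default) and not weakened for subdomains (sp must not be none).
    """
    tags = parse_tags(record)
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("not a DMARC1 record")
    p = tags.get("p")
    if p not in ("quarantine", "reject"):
        problems.append(f"p={p} is not an enforcing policy")
    if int(tags.get("pct", "100")) != 100:
        problems.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    sp = tags.get("sp", p)  # sp defaults to p when absent
    if sp not in ("quarantine", "reject"):
        problems.append(f"subdomain policy sp={sp} must also be enforcing")
    return problems


def check_bimi_record(record: str) -> tuple:
    """Return (errors, warnings) for a BIMI assertion record."""
    tags = parse_tags(record)
    errors, warnings = [], []
    if tags.get("v") != "BIMI1":
        errors.append("not a BIMI1 record")
    logo = tags.get("l", "")
    if not logo:
        errors.append("l= is empty, so no logo is published")
    else:
        url = urlparse(logo)
        if url.scheme != "https":
            errors.append("logo URL must use HTTPS")
        if not url.path.lower().endswith(".svg"):
            errors.append("logo must be an SVG (SVG Tiny P/S profile)")
    evidence = tags.get("a", "")
    if not evidence:
        warnings.append("no a= evidence document: Gmail and Apple Mail require a VMC, Yahoo! does not")
    elif urlparse(evidence).scheme != "https":
        errors.append("evidence document (a=) must use HTTPS")
    return errors, warnings


def bimi_readiness(domain: str, records: dict = SAMPLE_RECORDS) -> dict:
    """Combine both checks for a domain, looking records up in the supplied dict."""
    dmarc = records.get(f"_dmarc.{domain}", "")
    bimi = records.get(f"default._bimi.{domain}", "")
    dmarc_problems = check_dmarc_for_bimi(dmarc) if dmarc else ["no _dmarc record"]
    bimi_errors, bimi_warnings = check_bimi_record(bimi) if bimi else (["no default._bimi record"], [])
    return {
        "domain": domain,
        "eligible": not dmarc_problems and not bimi_errors,
        "dmarc_problems": dmarc_problems,
        "bimi_errors": bimi_errors,
        "bimi_warnings": bimi_warnings,
    }


if __name__ == "__main__":
    for d in ("ready.example", "notready.example"):
        print(bimi_readiness(d))
```

The `notready.example` record fails on three independent points that real lookups flag all the time: a partial `pct`, an `sp=none` that lets subdomains be spoofed, and a logo served as PNG over plain HTTP.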

Get DMARC Compliant!

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system, such as MxToolbox Delivery Center. Our Delivery Center provides valuable insight into your email delivery status and the continual maintenance necessary to sustain peak performance, including:

  • Manage SPF, DKIM, DMARC, and BIMI to improve compliance and reduce the threat of fraudsters and phishing campaigns using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops (FBLs) to gain unique data on how your recipients view your emails and when they mark them as spam.
  • Gradually move your DMARC policy to “Reject” to enable better inbox placement opportunities and reduce the risk of phishing and fraud using your domain.
  • Manage the ongoing requirements of maintaining optimal levels of email deliverability and security.

Want more assistance? MxToolbox has a Managed Services offering to get you DMARC compliant and maintain the highest levels of email delivery.

Monitoring Complaints to Improve Email Reputation

As marketers, we all use some sort of marketing list for our email campaigns. These are typically opt-in prospects or existing customers. Sometimes we acquire lists from 3rd parties or put a case study or some other thought leadership behind a registration wall to obtain new marketing contacts. Regardless of where we acquire the email address, it has a certain value to us. But does the correspondence have value to the recipient? If not, it can affect your long-term sending reputation.

CAN SPAM

Before the CAN SPAM Act, end-users were inundated with junk email. This forced Inbox Providers like Google, Yahoo!, Hotmail and others to implement Junk and Spam filters to keep email at least somewhat relevant for their users. With the Act, marketers were now made responsible for policing their lists and removing anyone who opted out or unsubscribed. It’s an imperfect solution for several reasons:

  • Bad actors can completely ignore CAN SPAM.
  • Legitimate marketers obtain email addresses from many sources, including directly from the user, so an Inbox Provider cannot tell solicited from unsolicited email and cannot simply block the latter.
  • Legitimate emailers can still “spam” a user with large amounts of irrelevant email unless that email user unsubscribes.
  • Unsubscribe methods may be complicated enough that users find it difficult and give up.

For these and many other reasons Inbox Providers have developed their own mechanisms to fight irrelevant email, spam and junk. These analyses can derail even well-configured sending domains.

Proprietary Junk and Spam Algorithms

Google, Yahoo!, Outlook.com/Office365.com, McAfee, Symantec and many other providers of inboxes or email gateway filtering software have come up with many ways to separate the valuable correspondence from the junk, spam and dangerous:

  • Blacklists – If the sending IP is on a blacklist, it’s probably spam. There are dozens of reasons an IP ends up on a blacklist, including having been flagged as a spam source elsewhere.
  • SPF Authentication – If the sender’s servers aren’t listed in the SPF record for the sending domain, it might be spam.
  • DMARC – If the message fails both SPF and DKIM in alignment with the “From:” domain, the sending domain’s published DMARC policy decides what happens to it. Our Delivery Center product started out as a DMARC compliance tool.
  • Attachments – Most inbox providers scan attachments for known malware and discard infected messages.
  • Subject Lines – There are certain subject lines typically used in spam and junk. These are easily filtered out.
  • Content – Content quality is an emerging issue for inbox providers. For example, dollar signs “$” or frequent use of FUD phrases might indicate spam. You can find more information about Content with our Inbox Placement tool.
  • User Feedback – Users provide direct and indirect feedback on the relevance of a sender.

User Complaint Metrics Affect Email Delivery

Aggregating User Complaints is a great method for Inbox Providers to understand sending domain relevance across all their inboxes and discover emerging threats to their users. For example, your domain sends a legitimate marketing campaign and the Inbox Provider sees the following:

  • ~20% of recipients open the email (based on global average open rates, yours may differ)
  • Some open the email and delete it without really reading it, indicating low engagement.
  • Some delete the email without opening, indicating apathy or disinterest.
  • Some mark it as spam or junk and even why they think it’s junk or spam.
  • Some click on your unsubscribe link, which can be tracked.
  • Some unsubscribe through the provider UI.
  • Some go to disused or invalid email addresses.

Do you know what these numbers are for your domain? Inbox providers are rating the deliverability of emails from your domain taking these new factors into account.

What can Marketing Do?

The good news is that Inbox Providers are willing to share your deliverability information with you! Called Complaints or Feedback Loops, Inbox Providers enable legitimate domains to subscribe to the complaints they receive from their users. Complaint detail can be:

  • The number of complaints received.
  • Email subjects that resulted in Unsubscribes, Spam Complaints or were marked as Junk.
  • Email addresses that bounce or were invalid.
  • Email addresses that unsubscribed at the Inbox Provider level.
  • Email addresses that marked emails as Junk or Spam.

Marketing can then:

  • Review campaigns that have a high complaint volume to improve them and make subsequent campaigns better.
  • Remove bounced and invalid email addresses from email lists. They’re wasting money and hurting your sender reputation.
  • Unsubscribe customers from marketing lists if they complained or unsubscribed. These complaints hurt your domain’s sending reputation and impact how your customers view your brand.
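Most Feedback Loops deliver each complaint as an Abuse Reporting Format (ARF, RFC 5965) message: a `multipart/report` whose parts carry the machine-readable complaint fields and a copy of the offending message. The script below is an added example, not MxToolbox’s Recipient Complaints integration; the four reports, the `fbl.example.net` sender, the `brand.example` domain and the recipient addresses are all constructed sample data. It parses the reports, counts complaints per subject line, and builds the suppression list, treating `not-spam` feedback (a user rescuing a message) as something that must not suppress.

```python
"""Parse RFC 5965 ARF complaint reports and turn them into suppression actions.

Added example; the reports are constructed in-line, not real FBL traffic.
"""
from collections import Counter
from email import message_from_string


def make_arf(feedback_type, rcpt, subject, reported_domain, source_ip):
    """Construct a minimal ARF message of the shape an FBL delivers (sample data)."""
    return (
        "From: feedback@fbl.example.net\n"
        f"To: fbl@{reported_domain}\n"
        "Subject: FW: complaint\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=feedback-report; boundary="arf"\n'
        "\n"
        "--arf\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "This is an email abuse report for a message that was marked as spam.\n"
        "--arf\n"
        "Content-Type: message/feedback-report\n"
        "\n"
        f"Feedback-Type: {feedback_type}\n"
        "User-Agent: ExampleFBL/1.0\n"
        "Version: 1\n"
        f"Original-Mail-From: <bounce@{reported_domain}>\n"
        f"Original-Rcpt-To: <{rcpt}>\n"
        f"Source-IP: {source_ip}\n"
        f"Reported-Domain: {reported_domain}\n"
        "\n"
        "--arf\n"
        "Content-Type: message/rfc822\n"
        "\n"
        f"From: news@{reported_domain}\n"
        f"To: {rcpt}\n"
        f"Subject: {subject}\n"
        "\n"
        "Campaign body.\n"
        "--arf--\n"
    )


def parse_arf(raw: str) -> dict:
    """Extract the machine-readable fields and the original message's subject and recipient."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF feedback report")
    fields, original = {}, None
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The report body is itself a header block; the parser exposes it as a sub-message.
            fields = {k.lower(): v.strip() for k, v in part.get_payload(0).items()}
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
    rcpt = fields.get("original-rcpt-to", "").strip("<>")
    if original is not None and not rcpt:
        rcpt = original.get("To", "").strip("<>")  # some FBLs redact this field; fall back to the copy
    return {
        "feedback_type": fields.get("feedback-type", "other").lower(),
        "recipient": rcpt.lower(),
        "subject": original.get("Subject", "") if original is not None else "",
        "source_ip": fields.get("source-ip", ""),
        "reported_domain": fields.get("reported-domain", "").lower(),
    }


def aggregate(reports):
    """Count complaints per subject line and build the suppression list.

    'not-spam' feedback means the user rescued a message, so it must not suppress.
    """
    by_subject = Counter()
    suppress = set()
    for r in reports:
        if r["feedback_type"] == "not-spam":
            continue
        by_subject[r["subject"]] += 1
        if r["recipient"]:
            suppress.add(r["recipient"])
    return by_subject, suppress


# Constructed sample feed: three complaints and one rescue.
SAMPLE_FEED = [
    make_arf("abuse", "alice@mailbox.example", "June Deals!!!", "brand.example", "192.0.2.10"),
    make_arf("abuse", "bob@mailbox.example", "June Deals!!!", "brand.example", "192.0.2.10"),
    make_arf("fraud", "carol@mailbox.example", "Your account", "brand.example", "192.0.2.11"),
    make_arf("not-spam", "dave@mailbox.example", "Monthly statement", "brand.example", "192.0.2.10"),
]


def run(feed=SAMPLE_FEED):
    """Parse every report in the feed and aggregate the results."""
    return aggregate(parse_arf(raw) for raw in feed)


if __name__ == "__main__":
    counts, suppress = run()
    print(counts.most_common(), sorted(suppress))
```

The per-subject counter is what points you at the campaign to fix; the suppression set is what goes back into the sending platform so the same recipients are never mailed again.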

MxToolbox Can Help!

Our Delivery Center suite of email delivery tools now includes Recipient Complaints: aggregation, analysis and actionable insight that integrates with the top Inbox Providers’ feedback and complaint loops. Getting each Complaint/Feedback Loop integration set up can be complicated, so MxToolbox Experts have created a simple, step-by-step guide for each integration: Yahoo!, Google, Validity, Mailgun, Microsoft and others. Get Started with Delivery Center and start improving your email reputation!

Google’s Recent SMTP Relay Exploit and DMARC Policies

In April, Google began to see an uptick in spoofing attacks that abused its SMTP Relay service together with compromised Google accounts. Google had closed the loophole by May, but at least 30,000 malicious emails were detected in a two-week period. While this is an extremely small share of Google’s email traffic, similar weaknesses can affect other outbound email providers, requiring patches and constant vigilance.

What is the SMTP Relay exploit?

Google has a great reputation as an outbound sender, so email coming from their servers is generally accepted. Google allows their customers to leverage that reputation to send bulk or large quantities of email through the SMTP Relay service. Before the fix, this let any Google customer send email that looked like it came from another Google customer simply by putting that customer’s domain in the “From:” field. For example, SmallCompany.com gets compromised by a scammer, who begins sending email that looks like it comes from GreatBrand.com, a well-respected company also hosted at Google. Consider the checks a receiver applies:

  • Blacklists – Google rotates sending IP addresses to minimize the effects of blacklists, so a blacklist will not generally catch this issue.
  • SPF Authentication – Both SmallCompany.com and GreatBrand.com have Google’s servers in their SPF records, so SPF passes. This might be enough to make the inbox.
  • SPF Alignment – The “From:” address says GreatBrand.com, but the Return-Path (envelope sender) is SmallCompany.com, so SPF passed for the wrong domain and fails DMARC alignment. Any DKIM signature on the message is SmallCompany.com’s, so DKIM does not align either.

So, unless the recipient’s servers evaluate DMARC alignment and GreatBrand.com publishes an enforcing DMARC policy, the spoofed email may make the inbox. Any brand could then be impersonated through a compromise at another customer of the same outbound email provider.
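The alignment logic a DMARC-evaluating receiver applies to the relay scenario above, as an added example (not Google’s or MxToolbox’s code). The domains `greatbrand.com`, `smallcompany.com` and `bounce.greatbrand.com` are hypothetical, `GREATBRAND_POLICY` stands in for a published `_dmarc` record, and the organizational-domain lookup is a deliberately tiny stand-in for the Public Suffix List that real implementations consult.

```python
"""DMARC alignment evaluation, as a receiver would apply it to the relay case above.

Added example (not Google's or MxToolbox's code). Domains are hypothetical; the
organizational-domain lookup is a tiny stand-in for the Public Suffix List.
"""

PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # stand-in for the real Public Suffix List


def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one label (simplified PSL logic)."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest candidate suffix first
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES and len(labels) > n:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(header_from, mail_from, spf_result, dkim_domain, dkim_result, policy):
    """Combine SPF/DKIM results with alignment; policy holds the parsed _dmarc tags (p, aspf, adkim).

    DMARC passes if either authenticated identifier aligns with the From: domain.
    Otherwise the published p= disposition applies.
    """
    spf_aligned = spf_result == "pass" and aligned(header_from, mail_from, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(header_from, dkim_domain, policy.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
    }


GREATBRAND_POLICY = {"p": "reject", "aspf": "r", "adkim": "r"}  # hypothetical published record

# The relay scenario: From: says greatbrand.com, but the relay authenticated smallcompany.com.
SPOOF = dict(header_from="greatbrand.com", mail_from="smallcompany.com", spf_result="pass",
             dkim_domain="smallcompany.com", dkim_result="pass")
# Legitimate GreatBrand mail through the same relay.
LEGIT = dict(header_from="greatbrand.com", mail_from="greatbrand.com", spf_result="pass",
             dkim_domain="greatbrand.com", dkim_result="pass")
# Bounce address on a subdomain: fine under relaxed SPF alignment, not under strict.
SUBDOMAIN = dict(header_from="greatbrand.com", mail_from="bounce.greatbrand.com", spf_result="pass",
                 dkim_domain="", dkim_result="none")


if __name__ == "__main__":
    for name, case in (("spoof", SPOOF), ("legit", LEGIT), ("subdomain", SUBDOMAIN)):
        print(name, evaluate_dmarc(**case, policy=GREATBRAND_POLICY))
```

Run the spoof case with `{"p": "none"}` instead of `GREATBRAND_POLICY` and the disposition becomes `none`: SPF and DKIM both pass, alignment fails, and nothing stops the message. That is exactly the gap a “reject” policy closes.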

How do you protect your brand from spoofing?

First, you might think to bring all email in-house. This just compounds your risk. Google and other outbound email providers have more security experts and experience than even most large companies can ever hope to bring to bear. A small or medium business should leverage that experience to protect their brand and get their emails delivered.

Second, deploy SPF, DKIM and DMARC. Properly configured SPF, DKIM and DMARC will help prevent spoofing of your brand and give you insight into spoofing attempts.

Finally, adopt a DMARC “Reject” policy. A DMARC “Reject” policy instructs receiving providers to reject any message claiming to be from your domain that fails both aligned SPF and aligned DKIM. Under a “reject” policy, a DMARC-checking receiver would have immediately rejected email sent through the recent SMTP Relay exploit, since it aligned on neither.

Why are few companies adopting “Reject” Policies?

If “reject” policies are great, why aren’t companies adopting them immediately? Unfortunately, there is a lot of fear and misunderstanding about “reject” policies. Our Experts receive push-back every day from our clients. Let’s look at a few examples:

“My legitimate email might be rejected”

While it is possible for legitimate email to be rejected, it is far more likely to be accepted if you have a “reject” policy in place. Inbox providers are looking for relevant content from senders with good reputations. By setting up DMARC with a “reject” policy you are telling them that you value your reputation. In addition, the “reject” policy is telling them to throw out emails that might harm your reputation.

“I won’t know if a legitimate source comes online”

Maintaining good email delivery means ensuring that all your legitimate email sources are managed actively. Each source should be included in your SPF record to ensure SPF Authentication. While it is possible for a department to bring in a new 3rd party email source without telling you, these vendors will have detailed information about proper SPF configuration as part of their on-boarding process. If it still slips by, then is it really valid email? Could that rogue department be hurting your brand? Regardless, a comprehensive DMARC reporting tool, like MxToolbox Delivery Center, will alert you that a potential Verified Email Source is missing.

“I won’t know if a phishing attack occurs”

The beauty of DMARC is that by publishing a DMARC record with RUA and RUF tags, you are asking for information about the compliance of emails that come “from” your domain. Inbox providers will send you aggregate reports as XML attachments by email (and, where the provider supports it, per-message failure reports to the RUF address). Regular reviews of these reports will give you insight into legitimate sources that fail as well as emerging email threats from phishing attacks using your brand. While you can manually parse these XML files, most companies rely on a reporting tool, like MxToolbox Delivery Center, to process and distill these files into actionable insights.

“It seems complicated…”

While it can take some time to verify your outbound email sources, ensure that SPF and DKIM configurations are correct and monitor DMARC reports to ensure that everything is properly tuned, moving to a “reject” policy is not very complicated. MxToolbox Delivery Center uses our experience with DMARC to make recommendations on when to move to a “quarantine” or “reject” policy and how much of your mail to send under that policy.

If you still find it complicated, you can leverage our Expert Managed Services to help you with your configuration.

What do MxToolbox Experts recommend?

Our team of Experts is always evaluating the newest email technologies – DMARC “reject” policies are a necessity to help improve your brand reputation by stopping phishing attacks using your brand. If more brands adopted DMARC “reject” policies, phishing attacks would be greatly reduced. It’s time for all companies to be DMARC compliant – Get Started Today!