Category Archives: Email Delivery

Identifying Email Phishing

There are two types of email phishing:

  1. Phishing emails that come to you
  2. Phishing emails that come from you

Consumers are typically the target of phishing emails, while the domains of businesses with great brands are typically used to send the false emails.  In a separate blog post, our experts discuss how to recognize phishing email in your inbox.  In this post, we will discuss recognizing phishing email that leverages your business’s domain.

Why would I care if phishing comes “from” my domain?

Put yourself in the place of your customers, partners and suppliers.  If you received an email that appeared to be from one of them but it turned out the be phishing, would you still trust them?  Would that erode their brand in your mind?  Would you be more likely to check their legitimate emails for mistakes, issues, and threats?  Phishing using your domain hurts your brand, even when your customers know that you are not responsible!

Further, phishing puts your email delivery at risk.  Increasingly, email inbox providers like Google, Yahoo! and Outlook.com look at the domain an email comes “from” and what the reputation of that domain is in their systems.  If your domain name has been used for phishing, then all of your email may come under additional scrutiny.  If uncontrolled, this could lead to mistaken blacklisting or lower inbox placement.

How do I recognize phishing from my domain?

Occasionally, email recipients will ask you directly “Did you send this email?”, but by then, it’s already too late.  Phishing emails are like cockroaches – seeing one means potentially hundreds hidden in the woodwork.  Without adopting three new(ish) technologies, you really can’t know when your domain is being used for fraud and phishing.

The technologies you need to think about are SPF, DKIM and DMARC, and each work together.  SPF allows you to tell the world who can send email on your behalf, DKIM allows you to digitally sign your emails and DMARC allows you to designate an email address for feedback on your email, among other things.  Once you have SPF and DKIM setup for most of your email, you can get feedback on your email via the email address in the DMARC record.  Each email inbox provider (Google, Yahoo!, Outlook.com, etc.) will provide feedback containing everyone sending email for your domain – legitimate and phishing – that they received.  You’ll want to comb through that feedback to identify IP addresses and domains not legitimately connected to your business.

How do I stop phishing with my domain?

Here again, SPF, DKIM, and DMARC are important technologies to understand.  IP addresses and Domains that fail alignment or authentication with SPF, DKIM or DMARC will be likely candidates for phishing scams.  However, these may also be legitimate senders that are misconfigured or not included in you SPF.  You will want to investigate each to make a determination as to their legitimacy.

Once you are sure you know who is legitimate and that they are passing SPF, DKIM and DMARC checks, you can begin to tell inbox providers what to do with email that fails these checks.  DMARC allows you to set the steps a recipient should take with email that is failing SPF, DKIM and/or DMARC checks:

  • None – Do Nothing
  • Quarantine – Set this email aside and tell me you quarantined it
  • Reject – Bounce the email entirely

Your DMARC record also allows you to set the percentage of traffic subject to these rules, from 0-100%.  This level of granularity is important in allowing you to control how quickly you move all of your email to a reject status.  In this way you can test to see if any legitimate email is affected without negatively impacting your business.  Once you reach a 100% Reject policy, you will be filtering out all of the phishing using your domain.

How can MxToolbox help?

MxToolbox is your Expert in Email Delivery.  We understand how complex SPF, DKIM and DMARC can be to understand and implement and how costly fraud and phishing can be to your brand.  Our team has created a new product called Fraud Center that includes assistance from our expert support team to help you through this journey.  Fraud Center provides insight into both legitimate and illegitimate email sent on behalf of your domain as well as:

  • Configuration suggestions for your SPF, DKIM and DMARC
  • Consolidated reporting across inbox providers
  • Recommendations for when to change DMARC policies
  • Forensic examinations of rejected email
  • Access to our expert support to help you with Email Delivery

Managing the Reputation of 3rd Party Emailers

Whether you use 3rd parties as inbox providers, bulk emailers, CRMs, marketing automation, order management, support ticketing, calendaring or any other task, they are more than likely an integral part of your day-to-day business.  But, are you managing their reputation?  Is their email reputation harming yours?

Your email reputation is highly dependent on who is sending email on your behalf so it needs to be managed.  Think about it – if a 3rd party emails one of your customers and they are blacklisted or mis-configured then how does that reflect on you?  Not only is there a risk that the email might not make it to your intended recipient, it might get lodged in their junk email.  Regardless, your reputation, and email delivery, is tied up with that of your 3rd party providers.

So, how do you manage the reputation of a 3rd party?

The minimum step to managing 3rd party reputation is to setup Blacklist Monitoring of all the outbound IP addresses they use for your email.  With monitoring, when your email providers get blacklisted, you get alerted to the issue.  Under normal operations, there is a general risk of blacklisting, especially for bulk email providers.  However, the more frequently a provider is blacklisted and the larger the proportion of their network is blacklisted, the bigger the risk for your business.

The best method for managing 3rd party emailers involves adopting DMARC, DKIM and SPF technologies.  These technologies allow you to take control over who is sending on behalf of your domain and receive feedback on how emails sent by you and your 3rd parties are being received and handled.  DMARC, DKIM and SPF have become business requirements for anyone sending email at more than small volumes.

Using DMARC to manage 3rd parties

When you begin receiving DMARC digests, you will have feedback on how all email purporting to come from your domain is passing SPF, DKIM and DMARC tests at recipient email boxes.   You can look up the IP addresses and domains of your email providers in these reports to determine if they are passing.  Any legitimate senders not passing SPF will need to be added to your SPF records.  Any legitimate senders not passing DKIM will need to be contacted so that DKIM can properly be configured for those providers.  You may potentially need to examine whether or not you want to continue your relationship with some providers if they cannot improve performance.

MxToolbox helps you manage your email providers

MxToolbox Delivery Center is the best way to manage 3rd party email providers.  Rather than forcing you to deal with raw XML digests, MxToolbox Delivery consolidates and report on all the IP addresses and domains sending on your behalf across all inbox providers.  You get clear reports, filtered by date, provider, IP address, SPF record and more of who is passing and failing SPF, DKIM and DMARC alignment, authentication, and compliance.

mdcpro_overview

With Delivery Center, you get something no other company provides – blacklist information on your providers.  We monitor the reputation of the senders in your SPF record and alert you when one of those senders is blacklisted.  You also receive full analysis of your SPF, DKIM and DMARC records for RFC compliance and best practice recommendations for configurations.  Learn more about MxToolbox Delivery Center.

Identifying Legitimate Emailers

Email management has become more complicated over the last few years.  It used to be that only IT could setup email services for a company.  Now, almost anyone can setup email services on behalf of an organization.  Increasingly often, Marketing, Sales and other organizations are subscribing to SaaS services like Marketing Automation, CRMs, Bulk Emailers, etc that often send email for these organizations to customers, vendors, partners and suppliers.  If not properly managed, you can lose control of your legitimate email and cause email delivery problems that impact your business.

How do you Identify Legitimate Emailers?

First, you need to adopt two important technologies: SPF and DMARC.  SPF allows you to designate IP addresses and domains that can send on behalf of your domain.  Add all your known providers to your SPF record to ensure email from those providers is properly received and processed by inbox providers.  You can find out more information about SPF and how to create SPF records on our site.  DMARC enables you elicit information from inbox providers on how email send on behalf of your domain is being received and processed.  This will contain data on both legitimate and illegitimate senders like fraud and phishing.  MxToolbox provides DMARC configuration and validation tools.

The second step to identifying missing legitimate providers is to start reading the digests inbox providers send to your DMARC response address.  To do this, you’ll either need some skill with reading XML and a lot of patience or a service that consolidates, processes and analyzes DMARC digests from inbox providers.  The larger your email volume, including illegitimate email, the harder it is for you to process these digest by hand.

Examine unknown

Delivery Center differentiates emailers in your SPF and those potentially illegitimate senders.

MxToolbox has developed a product to help businesses like yours analyze DMARC compliance and responses to improve your email configuration, email deliverability and your online brand reputation.  MxToolbox Delivery Center gives you instant access to statistics on email delivery and email reputation including all the IP addresses and domains sending on your behalf.  Tools like Delivery Center are the best way to find legitimate senders not in your SPF records.

The last step to identifying unknown legitimate emailers, once your SPF and DMARC records are setup and delivering digests to your choice of tool, is to examine who is sending on your behalf.  Tools like Delivery Center show statistics about SPF Authentication, SPF Alignment, and DMARC compliance.  Emails that pass these checks are more likely to reach your customers inboxes.  Emails that fail are more likely to be tossed into junk folders or bounce entirely.  Looking at sending IP addresses and domains can give you insight into potential legitimate senders that you may have missed in your SPF records and the potential for fraud and phishing emails from senders posing as you.

To identify Legitimate Senders:

  1. Review the largest volume senders that fail SPF, DKIM and DMARC
  2. Investigate the Domains and reverse DNS of the IP addresses – Do they look like legitimate email providers?  Legitimate providers own a number of IP addresses, have a website that shows off their products and pricing.  These could also be legitimate email forwarders, even if you are not specifically doing business with them.
  3. Investigate the Blacklist reputation of IP addresses and domains – Are they blacklisted?  Legitimate providers may have a small portion of their network blacklisted as part of their business but if a large portion of that network is blacklisted they may not be a good provider to use or may be shady.
  4. Investigate the location of the IP addresses or ASNs – Are they sending from a country that you don’t operate in?  Are they sending from a country with known hacking issues?
  5. Slice and dice the data – No single view will give you every angle.  Looking up DKIM domains or SPF domains, sender domains or Mail From headers can give you insight.  The trick is to have a tool that enables you to review your DMARC digests from all angles.
  6. Be patient and repeat often – You won’t solve your email delivery issues in a single day or a single pass.  This is something that you need to review on a regular basis, especially since you may be adding or changing legitimate senders frequently.
mdcpro_inbox

MxToolbox Delivery Center gives you access to compliance and authentication information with multiple views to give you the best insight into your email delivery.

 

DMARC is the key to improving Email Deliverability!

Email is the key to your customer communication strategy.  But, what is your email reputation?

Setting up and managing your DMARC configuration is the key to getting insight into your email delivery.  MxToolbox is the key to understanding DMARC.

MxToolbox Delivery Center gives you:

  • Who is sending phishing email purporting to be from your domain
  • What is the reputation of your domains and delegated IPs
  • Where other senders are and What their reputations are
  • How your SPF, DKIM and DMARC setup is performing

Learn More

DMARC Record Missing Alerts

Have you heard of DMARC?  It is the newest way to protect your email delivery and online reputation from delivery failures, misconfigurations and fraud and phishing attempts.  If you aren’t using DMARC, you are at risk from email delivery failures.  Learn more about DMARC, DMARC Compliance and Email Delivery.

Since DMARC is such a pivotal technology, we have decided that our customers need to be alerted when it is not configured.   Therefore all MX record lookups will show a critical warning when a DMARC record is not found (see below).  Paid users with MX monitors will receive critical alerts that a DMARC record is missing or misconfigured for their domain.

DMARC record missing.png

MxToolbox experts feel that DMARC is critical to your business success.  Our team is ready to help you with your DMARC configuration and transition to a focus on proactive email delivery management.  Our most recent products MxToolbox Delivery Center and MxToolbox Fraud Center leverage DMARC to improve your email delivery and protect your brand from email fraud.

Improving DMARC Compliance

In recent months, DMARC has become increasingly mentioned in the news as a way to reduce spam, improve email deliverability and reduce the potential for fraud and phishing.

  • In early 2017, UK National Health Service required DMARC as the default for email services.
  • In July, a US Senator Ron Wyden sent an open letter to the US Department of Homeland Security requesting the agency take steps to protect all Federal agencies with DMARC.
  • In August, the UK’s HMRevenues & Customs announced that it had stopped over 300k phishing emails using DMARC.
  • In October, the US Department of Homeland Security directed Federal agencies to adopt security technologies like DMARC.

With all this attention, businesses are starting to realize that adopting DMARC helps them in two ways:

  • Inbound – using DMARC to screen incoming emails for compliance can limit your company’s exposure to fraud and phishing emails, scams and malware.
  • Outbound – sending email that is DMARC compliant can improve email delivery to your customers and limit the potential negative impacts of 3rd parties that try to use your domain for fraud or phishing.

MxToolbox highly recommends that every company implement DMARC for both inbound email screening and outbound email delivery.  Inbound email screening is dependent on your particular email service.

How does DMARC work for outbound email?

DMARC works in conjunction with two other technologies: SPF and DKIM.  SPF allows you to designate 3rd parties as legitimate senders for your domain.  More on SPF here. DKIM allows you to take responsibility for your email by cryptographically signing your email.  SPF, DKIM and DMARC use DNS records to specify the IP addresses, domains and security keys for your particular configuration.

DMARC requires both SPF and DKIM to function properly.  Once you setup SPF and DKIM you can setup DMARC to get information on how your outbound emails are performing – whether or not emails coming “from” your domain are compliant with the definitions in your SPF and how many of your emails are compliant with DKIM.

With a DMARC record, you specify an email address for aggregate feedback about your SPF and DKIM compliance, an email address for specific forensic feedback related to failed emails and how email that fails compliance should be handled by the recipient – ignored, quarantined or rejected.

How do you improve your DMARC Compliance?

DMARC Compliance is based upon SPF and DKIM compliance rates.  In order to improve your outbound DMARC compliance and therefore your email delivery rates, you must:

Setup DMARC with both RUA and RUF

RUA and RUF designate email addresses where you can receive summaries of authentication and alignment pass/fail and detailed forensic information on failed emails.  As this is the only way to receive feedback, setting up these email addresses is extremely important.

Monitoring your DMARC Feedback

Inbox providers will respond to these RUA and RUF tags by sending summaries.  Unfortunately, the summary digests and forensic details are not quite human readable.  If your outbound email volume is over a few hundred emails a day, you need to consider some way to decode these digests.

MxToolbox provides a service, Delivery Center, that decodes these digests, summarizesthem and gives you granular reports on how your emails are performing.

dc_dashboardWith tools like Delivery Center, you can review the IP addresses and Domains sending on your behalf to determine how your legitimate senders are performing and who is using your brand/domain name to commit fraud and phishing.  It is important to investigate domains and IPs that fail SPF, DKIM and DMARC regularly so that determine if they are legitimate and need to have their configuration updated or illegitimate and need to be blocked. As your investigations progress and you improve your configurations, you will have more confidence when you decide to tell recipients to block failed email.

 

Act on DMARC Forensic Responses

DMARC forensic reports provide you with detailed information about the emails that have failed SPF, DKIM and DMARC checks.  You can use this information to investigate threats to your brand or problems with your 3rd party emailers.

Tools like MxToolbox Delivery Center give you immediate access to DMARC forensic reports that enable your detailed investigations.

Summary

The best way to improve email delivery is to adopt new technologies SPF, DKIM and DMARC and leverage a tool like MxToolbox Delivery Center that gives you insight into how your email is performing.  With the right tool, you can keep tabs on your email configuration, understand the threat to your brand, and improve email delivery.

Improving DKIM Compliance

Adopting DKIM can make a huge difference in how the email you send is perceived by recipients.  With DKIM you are taking ownership of an email by cryptographically signing each email.  Recipients then decode the signature to verify that you sent the email.  DKIM, in short, is like putting a wax seal on a letter that uniquely identifies you.

How can you improve DKIM compliance?

Get Informed

The first thing you need to improve DKIM compliance is a method to understand what your current compliance rate is.  To do this, you need:

  1. Adopt DMARC.
  2. Have a method to parse and report on DMARC digests coming from inbox providers.

DMARC responses from inbox providers are often not-quite human readable and the larger the volume of email you send, the more complex the responses.  To parse these, you need a product that summarizes them and provides reports that you can understand.

MxToolbox Delivery Center was designed to provide you with a complete understanding of who is sending email on your behalf and how your emails are performing with respect to SPF, DKIM and DMARC compliance and how likely your emails are to be rejected by inbox providers.

Get Control

Now that you have insight into what emailers are compliant, the second step to improving your DKIM compliance is to take control of the compliance of your internal emails and 3rd party emailers.

Investigate internal systems that might be sending email on your behalf and make sure that those systems are capable of signing outbound email with your DKIM signature.  These could be anything from marketing automation and sales systems to order entry, vendor management or customer support.  Regardless if they are home-grown or off-the-shelf, if the system is sending email, it needs to be DKIM compliant or the email may be rejected.

Similarly to internal systems, you must take a look at external, 3rd party providers to understand if they can be DKIM compliant.  Most external providers can sign email with a DKIM key, however, email forwarders are much less likely to be DKIM compliant than bulk emailers or other 3rd party service providers.  Talk with each of them to setup DKIM compliant email.

Repeat

Getting DKIM compliant is not a one-time project, but an on-going process.  To ensure high levels of compliance long-term, you will need to:

  • Regularly check compliance rates
  • On-board new internal and 3rd party systems to be compliant
  • mdcpro_inboxSetup processes to assess new applications and providers based on their DKIM support

MxToolbox Delivery Center gives you everything you need to analyze SPF, DKIM and DMARC compliance rates, identify problem internal services and external 3rd party providers and react to threats to your reputation where services are blacklisted or non-compliant.

Summary

DKIM Compliance is an on-going process that requires regularly investigation of DKIM compliance rates with tools that give you insight into the IP addresses and 3rd party tools and domains that are sending email on your behalf.

Improving SPF Compliance

SPF can be a huge benefit to your email delivery.  SPF, in short, lets you state who you trust to send your email.  The more email sent on your behalf that complies with your SPF rules, the more of your email will be accepted by email inbox providers and your intended recipients.

How does SPF work?

SPF is a DNS record type that gives you the option to declare all the IP addresses, domains and 3rd party providers that you use, and also limit the list of valid emailers to only what you list.  By setting these limits, you could shut down potential fraud, spoofing or phishing threats and improve your reputation with customers and vendors.  Spoofing and phishing scams are incredibly common place, even using credentials from legitimate small and medium sized businesses.  Email that is SPF compliant is more likely to get to a customer’s inbox.

How can you improve SPF Compliance?

First, you need to understand what your compliance rate is.   To get your compliance rate, you’ll need to elicit feedback from your recipients.  Fortunately, you can do this by setting up a DMARC record, something that MxToolbox can help you with.  DMARC records include an RUA declaration which defines who gets SPF and DKIM compliance information about your email.

Compliance digests can be cumbersome to read, process and understand, especially if you have more than a very small volume of outbound email.  Getting help processing these files, like with MxToolbox Delivery Center, is a necessity.  However, once decoded, you’ll get information about ALL the IP addresses and Domains that send email on your behalf and how much of that email volume complies with SPF or DKIM.  Now’s the time to consider how to improve compliance:

  1. Take note of IP addresses and domains that are low in compliance
  2. For each IP address and domain, investigate the origin
    • Is the domain an email partner that wasn’t included in your SPF record?  Commonly, CRMs, Email Marketing, Marketing Automation, Order Management and Customer Support/Ticketing Systems send email on your behalf.
    • Does the IP address belong to you, an existing partner or a new email partner?  It is common for partners to add a new IP range from time to time.
    • Does the IP address belong to a forwarder one your partners uses?  Forwarders are more difficult to track down but you may need to investigate or change your contract terms.
    • Can you trace the IP address to a place you don’t do business or a location of frequent scammers?  It is frequent
  3. For valid IP addresses and domains, add them to your SPF (or negotiate with the department that hired them to stop using that service)
  4. For invalid IP addresses, there are options you can take through DMARC to instruct your recipients to reject SPF-non-compliant email.

This is an iterative and continuous process.  New services will be added and IP addresses change all the time.   SPF Compliance requires regular review of your DMARC digests and statistics.  However, all this work will improve your email delivery and your online reputation.

MxToolbox Delivery Center is your solution for managing SPF and DKIM compliance and understanding the complexity of DMARC setup.  MxToolbox experts developed Delivery Center to help customers like you improve email deliverability, manage their online reputation and head off fraud and phishing issues.