Category Archives: Email Delivery

Apple to Support BIMI in Native Mail Applications

Apple Mail recently announced BIMI adoption within its email applications in iOS 16 and macOS Ventura. In September, Apple will become the most recent email client to support BIMI.

Why adopt BIMI?

BIMI gives email recipients more confidence in messages they receive and helps them avoid fraudulent emails by forcing senders to utilize new technologies to make email more secure.

BIMI gives marketers and businesses enhanced branding opportunities by attaching the company’s logo to verified messages in the inbox as a reward for adopting DMARC email security technologies. Your customers will trust your correspondence more and your brand will be enhanced.

What is BIMI?

BIMI, or Brand Indicators for Message Identification, is a DNS-based email technology that allows a company to specify a logo for inbox providers to display in an email client. Email providers, such as Gmail, Yahoo Mail, and now Apple Mail, can show this logo to their users in the subject line of certified messages from the sending company. If you receive a legitimate email from Yahoo!, for example, this logo will appear:

How do I get BIMI?

BIMI requires DMARC. Before you can get your logo displayed in Apple Mail’s inbox, you need to get your email fully DMARC compliant, then apply strict DMARC policies. Becoming DMARC compliant is a process, but it is very beneficial and strongly recommended. You need to know who is sending email on your behalf, ensure they are properly configured with both SPF and DKIM, and regularly monitor DMARC delivery reports to understand DMARC compliance.

Once your verified email sources are fully DMARC compliant, you can start enforcing stricter “Quarantine” or “Reject” policies with your DMARC configuration. Inbox Providers like Yahoo!, Google and now Apple Mail will only attach a BIMI logo to your email if the email is DMARC compliant and you have a “100% Reject policy”.

Need Help with BIMI and DMARC?

Checkout your BIMI configuration

Our free BIMI Lookup tool searches for a BIMI record for any submitted domain name. If a record is found, it is shown in detail after a series of diagnostic checks are performed against the record. For example, below are the results for chase.com.
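The prerequisite described above (DMARC enforcement before a logo is shown) and the diagnostic checks a lookup performs can be scripted. The following is an added example, not MxToolbox’s lookup tool: it parses constructed DMARC and BIMI TXT records (no live DNS query) and reports what would keep a logo from showing, assuming the page’s stated requirement of p=reject applied to 100% of mail and checking only the default BIMI selector.

```python
"""Check the BIMI prerequisite: DMARC at p=reject applied to 100% of mail,
plus a well-formed BIMI record. Added example, not MxToolbox's lookup tool;
the TXT records are constructed samples (no live DNS query is made)."""
from typing import Dict, List, Tuple

# Constructed sample TXT records, keyed by the DNS name they would be published at.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example.com":
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@example.com",
    "default._bimi.example.com":
        "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem",
    "_dmarc.weak.example":
        "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example":
        "v=BIMI1; l=http://weak.example/logo.png",
}


def parse_tag_value(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc_for_bimi(record: str) -> List[str]:
    """Return the reasons a DMARC record would keep a BIMI logo from showing."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (v=DMARC1 missing)"]
    problems: List[str] = []
    if tags.get("p") != "reject":
        problems.append(f"policy is p={tags.get('p', '<missing>')}, not p=reject")
    # pct defaults to 100 when the tag is absent (RFC 7489).
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) != 100:
        problems.append(f"pct={pct}: policy is not applied to 100% of mail")
    # An explicit sp=none would leave subdomains unenforced even with p=reject.
    if tags.get("sp") == "none":
        problems.append("sp=none leaves subdomains unprotected")
    return problems


def check_bimi_record(record: str) -> List[str]:
    """Return the reasons a BIMI record itself is unusable."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "BIMI1":
        return ["no valid BIMI record (v=BIMI1 missing)"]
    problems: List[str] = []
    logo = tags.get("l", "")
    if not logo:
        problems.append("l= tag is empty: no logo location published")
    elif not logo.lower().startswith("https://"):
        problems.append(f"logo URL must use https://, got {logo}")
    vmc = tags.get("a")
    if vmc and not vmc.lower().startswith("https://"):
        problems.append(f"certificate URL must use https://, got {vmc}")
    return problems


def bimi_ready(domain: str, dns: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Combine both checks for a domain using the default BIMI selector."""
    problems: List[str] = []
    dmarc = dns.get(f"_dmarc.{domain}")
    problems += check_dmarc_for_bimi(dmarc) if dmarc else ["no _dmarc TXT record"]
    bimi = dns.get(f"default._bimi.{domain}")
    problems += check_bimi_record(bimi) if bimi else ["no default._bimi TXT record"]
    return (not problems, problems)


if __name__ == "__main__":
    for name in ("example.com", "weak.example"):
        ok, why = bimi_ready(name, SAMPLE_DNS)
        print(name, "ready" if ok else "not ready", why)
```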

Get DMARC Compatible!

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system, such as MxToolbox Delivery Center. Our Delivery Center provides valuable insight into your email delivery status and the continual maintenance necessary to sustain peak performance, including:

  • Manage SPF, DKIM, DMARC, and BIMI to improve compliance and reduce the threat of fraudsters and phishing campaigns using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops (FBLs) to gain unique data on how your recipients view your emails and when they mark them as spam.
  • Gradually move your DMARC policy to “Reject” to enable better inbox placement opportunities and reduce the risk of phishing and fraud using your domain.
  • Manage the ongoing requirements of maintaining optimal levels of email deliverability and security.

Want more assistance? MxToolbox has a Managed Services offering to get you DMARC compliant and maintain the highest levels of email delivery.

Monitoring Complaints to Improve Email Reputation

As marketers, we all use some sort of marketing list for our email campaigns. These are typically opt-in prospects or existing customers. Sometimes we acquire lists from 3rd parties or put a case study or some other thought leadership behind a registration wall to obtain new marketing contacts. Regardless of where we acquire the email address, it has a certain value to us. But does the correspondence have value to the recipient? If not, it can affect your long-term sending reputation.

CAN SPAM

Before the CAN SPAM Act, end-users were inundated with junk email. This forced Inbox Providers like Google, Yahoo!, Hotmail and others to implement Junk and Spam filters to keep email at least somewhat relevant for their users. With the Act, marketers were now made responsible for policing their lists and removing anyone who opted out or unsubscribed. It’s an imperfect solution for several reasons:

  • Bad actors can completely ignore CAN SPAM.
  • Legitimate marketers can get email addresses from many sources, including the user, so the Inbox Provider cannot block unsolicited email.
  • Legitimate emailers can still “spam” a user with large amounts of irrelevant email unless that email user unsubscribes.
  • Unsubscribe methods may be complicated enough that users find it difficult and give up.

For these and many other reasons Inbox Providers have developed their own mechanisms to fight irrelevant email, spam and junk. These analyses can derail even well configured emailing domains.

Proprietary Junk and Spam Algorithms

Google, Yahoo!, Outlook.com/Office365.com, McAfee, Symantec and many other providers of inboxes or email gateway filtering software have come up with many ways to separate the valuable correspondence from the junk, spam and dangerous:

  • Blacklists – If the sending IP is on a blacklist, it’s probably spam. There are dozens of reasons for blacklisting, which include being flagged as spam somewhere.
  • SPF Authentication – If the sender’s servers aren’t listed in the SPF record for the sending domain, it might be spam.
  • DMARC – If the sending domain fails SPF checks or DKIM checks, then it might be spam. Our Delivery Center product started out as a DMARC compliance tool.
  • Attachments – Most inbox providers scan attachments for known malware and discard infected messages.
  • Subject Lines – There are certain subject lines typically used in spam and junk. These are easily filtered out.
  • Content – Content quality is an emerging issue for inbox providers. For example, dollar signs “$” or frequent use of FUD phrases might indicate spam. You can find more information about Content with our Inbox Placement tool.
  • User Feedback – Users provide direct and indirect feedback on the relevance of a sender.

User Complaint Metrics Affect Email Delivery

Aggregating User Complaints is a great method for Inbox Providers to understand sending domain relevance across all their inboxes and discover emerging threats to their users. For example, your domain sends a legitimate marketing campaign and the Inbox Provider sees the following:

  • ~20% of recipients open the email (based on global average open rates, yours may differ)
  • Some open the email and delete it without really reading it, indicating low engagement.
  • Some delete the email without opening, indicating apathy or disinterest.
  • Some mark it as spam or junk, and may even say why they think it’s junk or spam.
  • Some click on your unsubscribe link, which can be tracked.
  • Some unsubscribe through the provider UI.
  • Some go to disused or invalid email addresses.

Do you know what these numbers are for your domain? Inbox providers are rating the deliverability of emails from your domain taking these new factors into account.

What can Marketing Do?

The good news is that Inbox Providers are willing to share your deliverability information with you! Called Complaints or Feedback Loops, Inbox Providers enable legitimate domains to subscribe to the complaints they receive from their users. Complaint detail can be:

  • The number of complaints received.
  • Email subjects that resulted in Unsubscribes, Spam Complaints or were marked as Junk.
  • Email addresses that bounce or were invalid.
  • Email addresses that unsubscribed at the Inbox Provider level.
  • Email addresses that marked emails as Junk or Spam.

Marketing can then:

  • Review campaigns that have a high complaint volume to improve them and make subsequent campaigns better.
  • Remove bounced and invalid email addresses from email lists. They’re wasting money and hurting your sender reputation.
  • Unsubscribe customers from marketing lists if they complained or unsubscribed. These complaints hurt your domain’s sending reputation and impact how your customers view your brand.

MxToolbox Can Help!

Our Delivery Center suite of email delivery tools now includes Recipient Complaints: aggregation, analysis and actionable insight that integrates with the top Inbox Providers’ feedback and complaint loops. Getting each Complaint/Feedback Loop integration set up can be complicated, so MxToolbox Experts have created a simple, step-by-step guide for each integration: Yahoo!, Google, Validity, Mailgun, Microsoft and others. Get Started with Delivery Center and start improving your email reputation!

Google’s Recent SMTP Relay Exploit and DMARC Policies

In April, Google began to see an uptick in spoofing attacks that utilized their SMTP Relay system and compromised Google accounts. They had closed the loophole by May; however, at least 30,000 malicious emails were detected in a two-week period. While this is an extremely small chunk of Google’s email traffic, similar exploits can affect other outbound email providers, requiring patches and constant vigilance.

What is the SMTP Relay exploit?

Google has a great reputation as an outbound sender so email coming from their servers is generally accepted. Google allows their customers to leverage that reputation to send bulk or large quantities of email through the SMTP Relay connection. Before the fix, this enabled any Google customer to send email that looked like another Google customer by simply putting their domain in the “From:” field. For example, SmallCompany.com gets hacked by a scammer and begins to send email that looks like GreatBrand.com, a well respected company also hosted at Google.

  • Blacklists – Google rotates sending IP addresses to minimize the effects of blacklists, so a blacklist will not generally catch this issue.
  • SPF Authentication – Both SmallCompany.com and GreatBrand.com have Google’s servers in their SPF records, so the email passes SPF Authentication. This might be enough to make the inbox.
  • SPF Alignment – The “From:” address says GreatBrand.com. The Return-Path is SmallCompany.com, so it fails SPF Alignment.

So, unless the recipient’s servers are configured to check SPF Alignment, the spoofing email may make the inbox. Any brand could then be compromised by a hack of another company using the same outbound email provider.
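To show why the relayed message passes SPF authentication but fails SPF alignment, here is an added example (not code from the original post) that evaluates DMARC the way a receiving server does, run on the SmallCompany.com/GreatBrand.com scenario above. The organizational-domain step is simplified to the last two DNS labels; real receivers use the Public Suffix List.

```python
"""Evaluate DMARC for one message: SPF authentication (is the sending server
in the SPF record of the Return-Path domain?) is separate from SPF alignment
(does that domain match the From: domain?). DMARC passes only if SPF or DKIM
both authenticates *and* aligns. Added example, not code from the original
post; organizational domain is simplified to the last two labels."""
from dataclasses import dataclass
from typing import Any, Dict, Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real code uses the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """Relaxed alignment compares organizational domains; strict needs equality."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    """What the receiver knows after running SPF and DKIM on one message."""
    header_from: str                   # domain in the visible From: header
    return_path: str                   # domain SPF was checked against (MAIL FROM)
    spf_result: str                    # "pass", "fail", "softfail", "none", ...
    dkim_result: str = "none"
    dkim_domain: Optional[str] = None  # d= of the signature that validated


def dmarc_evaluate(msg: AuthResults, policy: str = "reject",
                   aspf: str = "r", adkim: str = "r") -> Dict[str, Any]:
    """Apply the DMARC pass rule: at least one *aligned* authenticated identifier."""
    spf_authenticated = msg.spf_result == "pass"
    spf_aligned = spf_authenticated and aligned(msg.return_path, msg.header_from, aspf == "s")
    dkim_authenticated = msg.dkim_result == "pass" and bool(msg.dkim_domain)
    dkim_aligned = dkim_authenticated and aligned(msg.dkim_domain, msg.header_from, adkim == "s")
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "spf_authenticated": spf_authenticated,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if dmarc_pass else "fail",
        # The published policy only applies to failures; p=none means monitor only.
        "disposition": "none" if dmarc_pass else policy,
    }


# Constructed scenario from the post: a compromised SmallCompany.com mailbox
# relays through the shared provider with GreatBrand.com in the From: header.
SPOOFED = AuthResults(header_from="greatbrand.com", return_path="smallcompany.com",
                      spf_result="pass", dkim_result="pass", dkim_domain="smallcompany.com")
# The same provider sending GreatBrand.com's own mail from a subdomain.
LEGITIMATE = AuthResults(header_from="news.greatbrand.com", return_path="bounce.greatbrand.com",
                         spf_result="pass", dkim_result="pass", dkim_domain="greatbrand.com")

if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, dmarc_evaluate(m))
```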

How do you protect your brand from spoofing?

First, you might think to bring all email in-house. This just compounds your risk. Google and other outbound email providers have more security experts and experience than even most large companies can ever hope to bring to bear. A small or medium business should leverage that experience to protect their brand and get their emails delivered.

Second, adopt SPF, DKIM, and DMARC. A properly configured SPF, DKIM and DMARC setup will help prevent spoofing of your brand and give you insight into potential spoofing issues.

Finally, adopt DMARC “Reject” policies. A DMARC “Reject” policy instructs recipient providers to highly scrutinize in-bound email and reject anything that fails SPF Alignment or Authentication. A “reject” policy would immediately fail email that arrived using the recent SMTP Relay exploit.

Why are few companies adopting “Reject” Policies?

If “reject” policies are great, why aren’t companies adopting them immediately? Unfortunately, there is a lot of fear and misunderstanding about “reject” policies. Our Experts receive push-back every day from our clients. Let’s look at a few examples:

“My legitimate email might be rejected”

While it is possible for legitimate email to be rejected, it is far more likely to be accepted if you have a “reject” policy in place. Inbox providers are looking for relevant content from senders with good reputations. By setting up DMARC with a “reject” policy, you are telling them that you value your reputation. In addition, the “reject” policy is telling them to throw out emails that might harm your reputation.

“I won’t know if a legitimate source comes online”

Maintaining good email delivery means ensuring that all your legitimate email sources are managed actively. Each source should be included in your SPF record to ensure SPF Authentication. While it is possible for a department to bring in a new 3rd party email source without telling you, these vendors will have detailed information about proper SPF configuration as part of their on-boarding process. If it still slips by, then is it really valid email? Could that rogue department be hurting your brand? Regardless, a comprehensive DMARC reporting tool, like MxToolbox Delivery Center, will alert you that a potential Verified Email Source is missing.

“I won’t know if a phishing attack occurs”

The beauty of DMARC is that by publishing a DMARC record with RUA and RUF tags, you are asking for information about the compliance of emails that come “from” your domain. Inbox providers will tell you through an XML email report. Regular reviews of these reports will give you insight into legitimate sources that fail as well as emerging email threats from phishing attacks using your brand. While you can manually parse these XML files, most companies rely on a reporting tool, like MxToolbox Delivery Center, to process and distill these files into actionable insights.
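As an added example, not MxToolbox’s tooling, the following parses a constructed aggregate (RUA) report in the RFC 7489 XML layout and separates failing sources into “authenticated but unaligned” (the shared-provider relay case) and “unauthenticated” (an unknown server, or a legitimate source missing from SPF and DKIM). The IP addresses, domains and counts are made up.

```python
"""Parse a DMARC aggregate (RUA) report and classify the sources that fail.
Added example, not MxToolbox code; the XML is a constructed sample in the
RFC 7489 Appendix C layout with made-up addresses and counts."""
import xml.etree.ElementTree as ET
from typing import Any, Dict

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>greatbrand.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>greatbrand.example</header_from></identifiers>
    <auth_results><dkim><domain>greatbrand.example</domain><result>pass</result></dkim>
      <spf><domain>greatbrand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>greatbrand.example</header_from></identifiers>
    <auth_results><dkim><domain>smallcompany.example</domain><result>pass</result></dkim>
      <spf><domain>smallcompany.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.44</source_ip><count>400</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>greatbrand.example</header_from></identifiers>
    <auth_results><spf><domain>greatbrand.example</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> Dict[str, Any]:
    """Aggregate per-source rows into totals and a list of failing sources."""
    root = ET.fromstring(xml_text)
    summary: Dict[str, Any] = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0,
        "passed": 0,
        "failing_sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count", "0"))
        summary["total"] += count
        # policy_evaluated holds the *aligned* results; auth_results holds raw authentication.
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        if dkim_aligned or spf_aligned:
            summary["passed"] += count
            continue
        raw_spf = rec.findtext("auth_results/spf/result")
        raw_dkim = rec.findtext("auth_results/dkim/result")
        # Authenticated by *some* domain but not aligned: typical of a shared provider
        # relaying mail for another customer. Nothing authenticated: an unknown server
        # or a legitimate source that is missing from SPF/DKIM.
        if raw_spf == "pass" or raw_dkim == "pass":
            kind = "authenticated-but-unaligned"
        else:
            kind = "unauthenticated"
        summary["failing_sources"].append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": count,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
            "kind": kind,
        })
    summary["failed"] = summary["total"] - summary["passed"]
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['passed']}/{s['total']} aligned")
    for src in s["failing_sources"]:
        print(f"  {src['source_ip']:<15} {src['count']:>5} {src['kind']} ({src['disposition']})")
```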

“It seems complicated…”

While it can take some time to verify your outbound email sources, ensure that SPF and DKIM configurations are correct and monitor DMARC reports to ensure that everything is properly tuned, moving to a “reject” policy is not very complicated. MxToolbox Delivery Center uses our experience with DMARC to make recommendations on when to move to a “quarantine” or “reject” policy and how much of your mail to send under that policy.

If you still find it complicated, you can leverage our Expert Managed Services to help you with your configuration.

What do MxToolbox Experts recommend?

Our team of Experts is always evaluating the newest email technologies – DMARC “reject” policies are a necessity to help improve your brand reputation by stopping phishing attacks using your brand. If more brands adopted DMARC “reject” policies, phishing attacks would be greatly reduced. It’s time for all companies to be DMARC compliant – Get Started Today!

Does your email make it to the Inbox?

Inbox Providers are constantly adapting their algorithms to detect and eliminate spam while simultaneously elevating wanted email. This arms race puts Email Marketing at a disadvantage – we typically only receive a few data points:

  • # of Sent Emails
  • # of Emails Opened
  • # of Click-Throughs

While these leading indicators of sales are very valuable, they miss out on two key details:

  • Was the email delivered at all?
  • Was the email delivered to the Inbox or Spam/Junk Folder?

If you can’t answer those questions, then you may be missing out on simple methods to improve sales! Every email that fails to make the inbox is a conversation that did not happen!

MxToolbox Inbox Placement

The newest feature of MxToolbox Delivery Center provides you with direct insight into the inbox placement of your newsletters and campaigns at major inbox providers like Google, Yahoo! and Outlook.com. In addition, MxToolbox will analyze each email for potential issues with content, format, sending configuration, etc., that will impact email delivery. Learn More

How does it work?

MxToolbox Inbox Placement works in two ways:

  • Send a Test Email to our list of email boxes when creating new campaigns to see how they might perform. Refine your campaign to get better performance.
  • Include our email list in your newsletter and campaign lists to gain insight into how they perform in real-time.

Our tool aggregates campaigns/newsletters by subject and sending date, analyzes the contents and provides a clear, concise report of placement (Inbox, Junk/Spam, Not Delivered) and potential reasons for lower placement. Learn More

How do you get Inbox Placement?

Simply subscribe to MxToolbox Delivery Center to begin analyzing your Inbox Placement!

The Flavors of Successfully Delivered Email

Email delivery is a complicated thing. There are multiple layers of technology protecting an inbox at modern inbox providers like Google, Yahoo! and Outlook.com. For example:

  • Blacklists are used to identify IP addresses that have spammed or otherwise should not be trusted
  • SPF identifies legitimate sending IP addresses for a domain
  • DKIM allows a domain to sign email to ensure the integrity of the email
  • DMARC enables a sending domain to get feedback from Inbox Providers on SPF and DKIM compliance
  • Inbox Providers maintain internal Unsubscribe Lists
  • Inbox Providers maintain internal Spam Lists
  • Inbox Providers run proprietary Spam Content Analyses
  • Inbox Providers monitor engagement with emails from a domain

Email Delivery Standards

Technically Delivered

In the email world, a message is considered successfully delivered when the recipient can access the email. The email could be delivered to any subfolder, for example:

  • Junk
  • Spam
  • Quarantine
  • Bulk
  • Promotions
  • Customer configured Filter or Subfolder

While this does not seem optimal to the recipient or sender, the email is accessible, just not in the main Inbox.

Undelivered email is completely inaccessible to the recipient. An email could be undelivered for multiple reasons, depending on how the Inbox Provider’s algorithms work:

  • The sending IP was blacklisted so the system declared the email Spam and rejected it.
  • The Sending IP was not listed in the Sending Domain’s SPF record. This is either a misconfiguration or a sign of a deliberate spoofing attempt.
  • The DKIM signature does not align with the Sender’s signature.
  • The recipient mailbox is full.
  • The recipient mailbox does not exist.

Marketing Delivery Success

Marketers only see email delivery as getting the email to the recipient’s Inbox. That makes sense as their mission is only accomplished when the email is Opened, Read and relevant links Clicked.

Obviously, there’s a bit of a disconnect between how IT sees delivery and how Marketing sees delivery. Both are correct for their purposes. They are simply not speaking the same language.

MxToolbox Helps you Reach the Inbox!

MxToolbox has long developed tools and services around Mailbox Delivery. Our early Delivery Center service focused on the primary technologies supporting email delivery: Blacklisting, SPF, DKIM and DMARC. Our newest features of Delivery Center change this focus to help the Marketer reach the Inbox.

Complaints

Inbox Providers often have a list of complaints leveraged by their users against Senders. Some even allow access to these complaints, which often include email reported as spam, dead email inboxes, full inboxes and even unsubscribes done only through the Inbox Provider. Delivery Center now includes a feature to integrate and aggregate complaints and make them visible and actionable for you to improve your sending reputation with Inbox Providers. Lowering your complaints goes a long way toward making your email deliverable to the Inbox. Learn more about Complaints.

Inbox Placement

Ultimately, Marketing looks at metrics like Open Rates, Click-through Rates and Purchases to judge an email campaign’s strength. However, these indicators lag something more important: Placement in the Inbox. Delivery Center now contains a tool that enables you to test the inbox placement of an email campaign both before sending it to your customers and simultaneously with the bulk emailing. Inbox Placement works across the large Inbox Providers like Google, Yahoo and Outlook.com. Learn more about Inbox Placement.

Roadrunner Emails are being targeted by Spammers

We have recently seen an uptick in complaints from Roadrunner Email users. It appears that many inbox users are receiving emails that appear to be from MxToolbox.com or use links back to mxtoolbox.com. The issue appears to be that spammers are using an Unsubscribe link that points to mxtoolbox.com. We are not sending these emails. We suspect that this is either a failure of DMARC email processing at Roadrunner or, more likely, an Inbox Provider Insider Scam.

How to recognize Spam, Fraud and Phishing attempts

We highly recommend everyone read our post on Recognizing Fraud and Phishing Emails, but here are a few key points:

Spam and Phishing Characteristics

  • There is a financial incentive or free product
  • There is an overwhelming sense of urgency
  • The origin is a company with which you have no connection
  • The subject line is strange or hyperbolic
  • You googled the company and that’s not the business they are in

If you think it’s spam or phishing:

  • Don’t open it unless you must
  • Don’t click on any links
  • Don’t unsubscribe
  • Mark it as Junk with your Email Provider

How DMARC affects email acceptance

DMARC policies instruct an Inbox Provider (think gmail.com, yahoo.com or rr.com) how to process email that fails to meet DMARC compliance tests. These tests include:

  • Determining if the sending IP address is designated by the “From” domain – SPF Compliance
  • Determining if the sender included a valid cryptographic signature in the email header – DKIM Compliance

If an email is DMARC compliant, then it may be from a legitimate sender. If not, then it could be considered spam. A “Reject” DMARC policy, like the one MxToolbox uses, instructs Inbox Providers to reject any email that fails DMARC compliance tests. If an Inbox Provider is passing email from a non-compliant source despite a reject policy, this is a problem for their users.

What Inbox Providers should do

Inbox Providers generally pay attention to the DMARC policies of email sent from external domains. They do this for two reasons:

  • Admitting non-DMARC compliant email increases the risk of spam email making it to their users. Blocking spam before it reaches the user is both a good security measure for users and a good selling point for the provider.
  • Admitting non-DMARC compliant email increases the cost of email storage. Each spam email is small, but taken as a whole, they make up more than 50% of email traffic. Doubling storage is expensive if you don’t have to.

However, some Inbox Providers may only be looking at external email, and not email sent from other Inboxes in their network. This is a mistake that we call an Inbox Provider Insider Scam.

What Roadrunner users should do

We encourage any user receiving spam that appears to be from us to let us know! Contact Us on our site and include examples so that we can track down the issue.

You can also report the spam to Roadrunner, with the actual spam email so your admins can block the messages. Demand better inbox protection from your Provider.

Google to Fully Support BIMI

This week, Google finally announced the roll-out of BIMI across all Gmail inboxes. This is great news for email delivery and email security. BIMI will give recipients more confidence in the email they receive and force senders to adopt new technologies to make email more secure.

What is BIMI?

BIMI, or Brand Indicators for Message Identification, is a DNS-based email technology that allows a company to post a logo for use by inbox providers. Inbox providers like Google, Yahoo! and Outlook/Office365.com can show this logo to their customers next to certified messages from that company. If the email is not compliant with DMARC, then the logo does not show. Since it’s certified by being DMARC-compliant, your customers will know that the message is really from you and you will get your logo out in front of more customers and prospects!

How do I get BIMI?

BIMI requires DMARC. Before you can get your logo to appear in Google’s inbox, you first need to get your email fully DMARC compliant and then move to strict DMARC policies. Becoming DMARC compliant isn’t easy: you need to understand who is sending email on your behalf, have them properly configured with both SPF and DKIM and regularly monitor DMARC delivery reports to understand your DMARC compliance.

Once you have your verified sources of email fully DMARC compliant, you can start moving toward stricter “Quarantine” or “Reject” policies with your DMARC configuration. Once you set DMARC policy to “100% Reject” for non-compliant email, BIMI-compliant inbox providers will start appending your logo to email from your domain.

MxToolbox is your Expert for DMARC and BIMI

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center. Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities and reduce the risk of Phishing and Fraud using your domain.
  • Manage the on-going requirements of maintaining high levels of email deliverability

Is Email Secure?

Yes and No. Email is a highly valuable tool that has evolved to be more secure, but there are still ways to exploit email for nefarious purposes. Email users should be careful with how they use email and the emails they respond to. Let’s look at email security in more detail.

A Little History

Electronic mail originated on the early experimental Arpanet, the precursor to the Internet. At that point, all the interconnected servers were within high-security facilities. Since the security was on the outside, researchers did not consider protocol security; everything was sent in clear text – HTTP for browsing documents, FTP for sharing data files, and SMTP for electronic communications. When the Arpanet opened up to universities and then to businesses and private users, those same protocols were still transmitting data and passwords in clear text. Unfortunately, clear text communications are susceptible to man-in-the-middle attacks – corrupted computers or routers between the two computers in communication.

The early Internet was not secure, so new technologies were developed to improve security:

  • HTTPS to secure online transactions involving credit cards
  • SFTP to secure file transfers (now replaced by HTTPS in many cases)
  • TLS to encrypt email communications between email servers

With the adoption of TLS, Transport Layer Security, email was secured from potential man-in-the-middle attacks. However, there are other ways to exploit email.

Alternate Technologies

There were other technologies that attempted to “secure” email communications; all had various degrees of success, but none of them has really gone mainstream.

  • PGP, or Pretty Good Privacy, used a Public-Private encryption key system to encrypt and decrypt email. Email was completely secure in transit, and from administrators, but unfortunately, PGP was bulky to use. TLS solved the problem of securing communication between servers without the user needing to do anything.
  • “Secure” Email Servers are web servers where communication could be secured behind a password protected web login. It was not really email but a way to communicate in an email-like fashion. You often see these secure communications websites with Legal and Medical professions, but they suffer from bulky interfaces and the inconvenience of going somewhere other than your normal email applications to view the communication.
  • Sender Verification Services respond to an unsolicited email with an email demanding the sender verify their identity. The goal here is to reduce the potential for spam and phishing attempts by creating a hurdle for senders to jump. The inbox provider then only passes on “verified” email to the user. This technique essentially removes any automated email, including newsletters, as marketing teams are unable to monitor the verification email. The downside is that a legitimate sender may not register so you miss important email.

The Threat of Spam and Phishing

Email is the #1 preferred method for perpetrating online scams. The marginal cost of sending an email is negligible and the rewards for a successful scam can be thousands or millions of dollars. According to Cisco, approximately 84% of all email is spam, much of which is phishing scams and much also escaping spam filters. By that measure, email is not “secure”.

“Securing” Email

Improving email security is not a single technology or vendor but involves changing business processes, adopting new standards and continuously adapting to the ever-evolving landscape of email scams. Some recommendations:

  • Stop hosting your own email – Inbox providers like Gmail, Office365, Yahoo!, etc. have dedicated teams to managing and blocking spam and phishing. Most businesses would benefit by leveraging these external experts and outsourcing email inbox services.
  • Turn on 2-factor authentication – Securing email communication, both sending and receiving, means securing access to email accounts. 2-Factor Authentication helps make email more secure.
  • Invest in Spam and Phishing Awareness Training – Email scams exploit human weakness through social engineering to gain access to your email, bank accounts and secure data. Training your team to recognize these scams will improve your email security.
  • Leverage DMARC and supporting technologies – SPF, DKIM, DMARC and BIMI work hand-in-hand to 1) declare who can send email on behalf of a domain, 2) digitally sign email from that domain, 3) report compliance to the sending domain, and 4) apply a corporate logo to compliant email. When a domain leverages these technologies, it is secured against being used in spam and phishing attempts and gives the recipients peace-of-mind that the email is genuine.

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center. Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

On-Premise Email Security Best Practices

If your company strategy requires on-premise email management, then there are some best practices you can adopt:

  • Use Inbound Email filtering gateways – Out-of-the-box inbound filtering, either software or hardware, will block most threats using threat detection algorithms. Basic gateways block blacklisted senders. More advanced options allow you to write your own acceptance policies.
  • Create Advanced Acceptance Policies – Your business is unique. Threats come in many forms. Maybe you want to filter all incoming image files or executables or maybe eliminate objectionable terms associated with risks. Sophisticated algorithms might help protect your business.
  • Accept only DMARC compliant email – One great idea that Google has pioneered is prioritizing DMARC compliant email. If you do the same, you dramatically reduce the potential for fraud and phishing emails making it to your users.
  • Set up Outbound Email filters – You do not want to become a source of spam, so setting up filters to control outbound email will reduce the risk of being blacklisted or of sending spam emails within your network.
  • Set up Advanced Outbound Policies – Advanced policies could include forcing the legal team to encrypt all outbound email or preventing the emailing of large files, executables, etc. Leveraging advanced policies will help make using email more secure.
  • Set up DMARC for all outbound email sources – Adopting DMARC for all your outbound email sources will help you protect your sending reputation and reduce the risk of your domain names being used in spam.
  • Invest in Spam and Phishing Awareness Training – As mentioned above, when employees are trained to recognize spam and phishing attempts, they are less likely to click on dubious links in spam and phishing attempts or click on and install malware.

While email was not initially designed with security in mind, new technologies are improving the security posture of email. Adopting these as they arise makes your business more secure and protects your users, clients and partners.

Inbox Provider Insider Junk Scams

Inbox Providers work hard to stop email fraud and phishing scams from outside. Google, Yahoo! and Office365.com all utilize a mix of algorithms that include Blacklists, SPF, DKIM and DMARC compliance, Spam scoring and Relevance scoring to make inbox placement decisions. However, scammers have found an interesting loophole: sending the spam from the Inbox Provider’s own servers.

How does an Insider Scam work?

The trick to sending spammy email from within an Inbox Provider’s network is first to compromise an existing email box on the provider’s servers. This can be surprisingly easy! Google, Yahoo! and Office365.com have millions of users. Compromise one email box and a spammer can easily send email to every user on every domain that uses the Inbox Provider’s network. For example:

  • An email from a corrupted Gmail account never leaves the Gmail network when sent to Gmail Inboxes, so the email may skip other Gmail spam safeguards like content scanning and Junk/Spam folder analysis.
  • An email sent from a Gmail account passes Blacklist, SPF, DKIM and DMARC for every domain using Gmail to send email, including emails sent outside the Gmail network, giving these emails a level of trust. A corrupted Gmail account therefore has the clout of Gmail behind it.
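The two points above, and the "Accept only DMARC compliant email" practice from the on-premise list, both come down to how a receiving gateway evaluates DMARC. The Python below is an added example, not code from the post or from any provider: it applies identifier alignment to the SPF and DKIM results of a message, then the sender's published disposition, with a local rule layered on top that only lets DMARC-compliant mail reach the inbox. The last constructed case shows the insider problem concretely: a message from a compromised mailbox at the hypothetical provider.example (used in place of a real provider) authenticates cleanly, because it really was sent by the provider's own servers. The organizational-domain helper is a two-label simplification rather than a Public Suffix List lookup; every domain and result here is constructed.

```python
"""Added example: DMARC alignment, disposition and a local accept-only rule."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthResults:
    """Authentication results a gateway has already computed for one message."""
    header_from: str               # domain of the visible RFC5322.From header
    spf_result: str                # SPF result for the envelope (RFC5321.MailFrom) domain
    spf_domain: str                # the domain SPF was checked against
    dkim: List[Tuple[str, str]]    # (d= domain, result) for each DKIM signature


@dataclass
class DmarcPolicy:
    """Tags from the sender's _dmarc TXT record that matter for evaluation."""
    p: str = "none"       # none / quarantine / reject
    adkim: str = "r"      # DKIM alignment: r = relaxed, s = strict
    aspf: str = "r"       # SPF alignment: r = relaxed, s = strict


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption/simplification: the last two labels.
    Real implementations consult the Public Suffix List (e.g. for .co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_evaluate(ar: AuthResults, policy: Optional[DmarcPolicy]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for a message.

    DMARC passes when SPF passes AND its domain aligns with From, or when at
    least one DKIM signature passes AND its d= domain aligns with From. A raw
    SPF/DKIM pass for some unrelated domain does not count.
    """
    if policy is None:
        return False, "accept (no DMARC record published; local rules apply)"
    spf_ok = ar.spf_result == "pass" and aligned(ar.spf_domain, ar.header_from, policy.aspf)
    dkim_ok = any(result == "pass" and aligned(d, ar.header_from, policy.adkim)
                  for d, result in ar.dkim)
    if spf_ok or dkim_ok:
        return True, "accept"
    if policy.p == "reject":
        return False, "reject"
    if policy.p == "quarantine":
        return False, "quarantine"
    return False, "accept (p=none: sender only asked for reports)"


def gateway_decision(ar: AuthResults, policy: Optional[DmarcPolicy]) -> str:
    """Local 'accept only DMARC-compliant email' rule on top of the sender's policy:
    mail that fails DMARC is quarantined even when the sender publishes p=none or
    no record at all (a strict local choice; adjust to your own risk appetite)."""
    passed, disposition = dmarc_evaluate(ar, policy)
    if passed:
        return "inbox"
    return "reject" if disposition == "reject" else "quarantine"


if __name__ == "__main__":
    cases = {
        "own server, aligned": AuthResults("example.com", "pass", "example.com", [("example.com", "pass")]),
        "spoof via bulk sender": AuthResults("example.com", "pass", "bulk-sender.example.net",
                                             [("bulk-sender.example.net", "pass")]),
        "compromised mailbox at provider": AuthResults("provider.example", "pass", "provider.example",
                                                        [("provider.example", "pass")]),
    }
    for name, ar in cases.items():
        print(f"{name}: {dmarc_evaluate(ar, DmarcPolicy(p='reject'))} -> {gateway_decision(ar, DmarcPolicy(p='reject'))}")
```

The compromised-mailbox case is the one to keep in mind: SPF, DKIM and DMARC answer "did the provider really send this for its domain?", not "did the account owner mean to send it", so a clean pass is where provider-side abuse detection and user awareness have to take over.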

Inbox Providers have traditionally looked at Spam and Phishing as an external threat. With the transition of email from on-premise to cloud-based solutions, internal threats with compromised accounts will force Inbox Providers to change and adopt Internal Spam and Phishing analysis algorithms.

What can you do to protect your users?

Your email users need to be aware that incoming email cannot be 100% trusted, even when it comes from a reputable Inbox Provider. Investing in Fraud and Phishing training for your staff will raise awareness and help break some of the apathy with regard to security. Read up on more ways to recognize and combat Fraud and Phishing in our previous blog entry.

What can you do to protect your outbound email?

If you are not monitoring the quality of your outbound email, you are at risk of accidentally sending Fraud and Phishing emails from your Inbox Provider and other email sources. Every business should be monitoring blacklisting and SPF, DKIM and DMARC compliance for all email sources. With DMARC reporting, you receive feedback on how much of your email is passing SPF, DKIM and DMARC, so you know how likely your email is to reach the Inbox of your recipients. MxToolbox Delivery Center provides all the information you need on email from your domain.
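DMARC reporting works because every participating Inbox Provider mails the domain owner an aggregate (rua) report listing each source IP, the message count, and whether aligned SPF and DKIM passed. The Python below is an added example, not MxToolbox code and not part of the original post: it parses a constructed report in the RFC 7489 XML layout (the IPs, counts and the hypothetical provider.example are all made up), computes the SPF, DKIM and DMARC compliance rates mentioned in the Delivery Center list above, and lists sources that used the domain without any aligned pass. The second record is the instructive one: the vendor's raw SPF passes for its own domain, so aligned SPF fails, and only aligned DKIM keeps that mail compliant.

```python
"""Added example: summarize SPF, DKIM and DMARC compliance from a DMARC aggregate report."""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Any, Dict, List

# Constructed aggregate (rua) report in the RFC 7489 XML layout; not a real
# report from any provider. Real reports arrive as gzip or zip attachments.
CONSTRUCTED_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>provider.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p><pct>100</pct>
  </policy_published>
  <record><!-- the company's own mail server: everything passes -->
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- bulk-mail vendor: raw SPF passes for its domain, aligned SPF fails, aligned DKIM passes -->
    <row><source_ip>203.0.113.25</source_ip><count>30</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bulk-sender.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record><!-- unknown source using the domain: rejected under p=reject -->
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def load_report(data: bytes) -> str:
    """Return the XML text from a raw attachment body (gzip, zip or plain XML)."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data).decode()
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return data.decode()


def summarize_report(xml_text: str) -> Dict[str, Any]:
    """Totals per report and per source IP, using the aligned (policy_evaluated) results."""
    root = ET.fromstring(xml_text)
    summary: Dict[str, Any] = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "spf_aligned": 0, "dkim_aligned": 0, "compliant": 0,
        "by_source": {},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        disposition = row.findtext("policy_evaluated/disposition")
        compliant = count if (spf_ok or dkim_ok) else 0   # DMARC passes on either aligned identifier
        src = summary["by_source"].setdefault(ip, {"messages": 0, "compliant": 0, "dispositions": {}})
        src["messages"] += count
        src["compliant"] += compliant
        src["dispositions"][disposition] = src["dispositions"].get(disposition, 0) + count
        summary["total"] += count
        summary["spf_aligned"] += count if spf_ok else 0
        summary["dkim_aligned"] += count if dkim_ok else 0
        summary["compliant"] += compliant
    summary["compliance_rate"] = (round(summary["compliant"] / summary["total"], 3)
                                  if summary["total"] else 0.0)
    return summary


def unauthorized_sources(summary: Dict[str, Any]) -> List[str]:
    """Source IPs that sent mail as the domain with no aligned SPF or DKIM pass."""
    return sorted(ip for ip, s in summary["by_source"].items() if s["compliant"] == 0)


if __name__ == "__main__":
    s = summarize_report(load_report(CONSTRUCTED_REPORT.encode()))
    print(f"{s['domain']} (p={s['policy']}): {s['total']} messages, "
          f"{s['compliance_rate']:.1%} DMARC compliant")
    print("sources with no aligned pass:", unauthorized_sources(s))
```

Run daily over every report that lands in the rua mailbox and the "unauthorized sources" list is exactly the "who is sending email on your behalf" question: a new IP there is either a vendor you forgot to configure with SPF and DKIM or someone using your domain without permission.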

However, DMARC reporting and Strict DMARC policies will not prevent an Inbox Provider Insider attack using your domain name. For that, you need to use another feature of MxToolbox Delivery Center, Feedback Loops. Feedback Loops provide direct feedback from email recipients at different Inbox Providers on how each recipient views the email they received from you – Did it look like Spam, Phishing or Unsolicited Email? Did they unsubscribe?

Soon, Inbox Providers will implement algorithms to protect their users, but scammers will find new ways to exploit your users and your domain for their own gain. In the meantime, beware the Inbox Provider Insider scams.

What’s in my Inbox? Recent Spam and Phishing attempts

Until social engineering fails as an exploit or it becomes unprofitable to scam companies and individuals via email, there will be Spam and Phishing. Spam and Phishing now account for more than 50% of global email traffic and have a diverse portfolio of subjects, origins, support websites and exploit software. Rather than getting overly technical, let’s discuss the Junk in our own Inbox.

What’s Junk in My Inbox?

My Spam

I get some really boring spam. Home Warranties, Insurance, Credit and Retirement planning offers are the majority of my trash, but I get some interesting consumer spam around Wild Seafood and Diet Chocolate. Why seafood and diet chocolate? I have no idea. I only moderately like seafood and hate low-end chocolate. The rest make tremendous sense – all of them have a significant financial impact.

Keys to Recognizing Spam and Phishing

  • There is a financial incentive
  • There is an overwhelming sense of urgency
  • There is a need to login or check on your account – immediately
  • The origin is a company with which you have no connection
  • The subject line is strange or hyperbolic
  • Something is offered free

If you think it’s spam or phishing…

  • Don’t open it – Legitimate emails track open rates, and so do spammers. Fraudsters know who is a decent mark if you open it.
  • Don’t click on any links – In addition to showing the spammer that you are game, they’ll now have the opportunity to try to get you to download malware, provide login details or give them your credit card.
  • Don’t unsubscribe – You just told them that your email address is valid. Spammers will use it in other attempts. They are constantly refining their pitch and you just told them one of them failed.

Things you can do…

  • If you suspect this is a legitimate communication from a website you actually use – You can go directly to the website. Don’t click the email link, instead, Google the domain or go directly to the .com.
  • If you think it is a scam – Google the subject line or the sender. If it’s a scam other people may have questions about it and many security companies keep lists of spam subject lines.
  • If you must open it – You can Google some of the content or URLs in the content. That will give you information on the potential for scam. You can also use MxToolbox’s Spam Analyzer as a gauge to test the spamminess of the email.
  • Mark it as Junk – Every Inbox Provider has a method to mark an email as Junk or Spam. This feeds into their algorithms to detect new Junk and Spam. Marking it gives your Inbox Provider additional information in their pursuit of a Spam-free inbox.