Category Archives: Fraud and Phishing

Why do you need DMARC?

At MxToolbox, we keep saying “DMARC adoption is imperative for successful delivery of your business email“. Without implementing DMARC, your messages are vulnerable to poor inbox placement, and fraud, phishing and spoofing campaigns. The DMARC standard gives you visibility into who is sending email “from” your domain, including bad actors. And, big Inbox Providers are prioritizing DMARC-compliant email for inbox placement. If you don’t adopt DMARC, you will behind your competitors.

Inbox Provider DMARC Adoption is Increasing

The major Inbox Providers like Google and Yahoo! have supported DMARC for several years. About 80% of the world’s inboxes run DMARC checks on inbound messages, and enforce the domain owner’s DMARC policies. This includes essentially all U.S.-based email providers (Gmail, Yahoo!, Outlook).

In addition, a recent study found the number of email domains that have implemented DMARC has now exceeded the one million mark.1 This is an increase of over 48% from the previous year, and nearly 2.5 times the number of DMARC records from two years ago. It is now likely that your competitors are adopting DMARC to get better inbox placement and protect their domains against fraud and phishing. It’s time you joined them.

MxToolbox Helps You Adopt DMARC

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

1 https://www.valimail.com/resources/email-fraud-landscape-summer-2020/

Phishing Risk – Domain Registrars

Email Fraud and Phishing is a huge risk for both consumers and businesses.  In 2019, the FBI estimated that people lost over $57M to email fraud and phishing attacks.  Fortunately, there are ways to protect yourself and your business.

Inbox Protection

For consumers and businesses, being vigilant in recognizing the potential for fraud and phishing via email is important.  The FTC has created good guidelines to help you recognize inbound email phishing and you can read more about recognizing phishing on MxToolbox’s Blog.  Unfortunately, people are pretty bad at recognizing phishing emails, so depending on your users to protect your business from phishing scams is not enough, you need technological assistance.

Inbox Provider Protection

Your email inbox provider is trying to protect you from fraud and phishing emails by using DMARC as a decision criteria for inbox placement.  DMARC does three important things for email senders:

  1. Obtain feedback on how much of your email is passing SPF, DKIM and DMARC checks
  2. Obtain forensic examples of failed emails
  3. Set a policy for how Inbox Providers handle email that fails DMARC checks

A sender using DMARC is therefore more likely to manage email delivery and less likely to be a source of spam, malware, fraud or phishing.   Senders can even instruct Inbox Providers to Reject email that fails DMARC compliance checks.  Inbox providers then protect their users from fraud and phishing by prioritizing DMARC compliant email.

Vendor Sender Protection

A Vendor that sets up and maintains DMARC and sends DMARC compliant email will protect its own brand from being used in fraud and phishing emails and protect the recipients of their email.  Therefore, it is important to check the DMARC status of any potential vendors.  

In this on-going series, MxToolbox will report upon the DMARC status of key service areas.  Today:

Domain Registrars – Do they protect their customers from fraud and phishing?

TLDR:  Some, not all. 

DMARC adoption by the top 30 domain registrars is currently ahead of the Alexa 1000 and the Fortune 500, but not complete.  With 30% of Domain Registrars not adopting DMARC yet, there is a lot of room for improvement.  In addition, only 21% of Domain Registrars have adopted strict Reject DMARC policies to protect their customers from fraud and phishing attempts using the registrars domain. 

The Risk

If a Domain Registrar has not adopted DMARC and more secure DMARC Reject policies, the risk of their domain being used in fraud and phishing emails is particularly high.  If a single email slips through your mental filter, a fraudster could gain your legitimate credentials to your domain registrar and make potentially fatal changes to your domain setup.  For example:

  • Redirecting traffic from your website to theirs
  • Setting up a phishing website in a subdomain of your own domain to gain your customers information
  • Changing your SPF record to include their IP addresses to further the email phishing scam
  • All of the above.

Domain Registrars are a critical component of e-commerce.  If they are not protecting themselves from being used in fraud and phishing attacks, they put their customer businesses at risk.

The Solution

There are a few simple ways to protect your business from fraud and phishing by vendors:

  • Check any vendor you do business with for a DMARC record.  
  • Prioritize vendors with DMARC policies set to Reject.
  • If you are tied to a vendor who has not adopted DMARC, it’s time to pressure them to do so.
  • Adopt DMARC for your own email communications.

How can you adopt DMARC?

Adopting DMARC is a multi-step process requires on-going management.

  1. Setup SPF record to include all your known senders
  2. Setup DKIM signatures at all your known senders
  3. Create a DMARC record to get feedback on your email
  4. Identify new legitimate sources of email from the DMARC reports and add them to your SPF and DKIM setups
  5. Identify fraud and phishing from DMARC reports and warn your users and email recipients.
  6. Gradually adopt restrictive policies once you have identified all legitimate sources of email using your domain name

Repeat steps 4 and 5 regularly as you may add and remove systems and vendors that send email on behalf of your domain.  In addition, DMARC reports can be difficult to read, particularly when you have a large volume of email.  Investing in a partner to help you on your DMARC journey is important. 

MxToolbox Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

The State of Government Email Delivery

Recently the CDC found itself in the awkward position of advising the public on email fraud and phishing.  The reason: COVID contact tracing efforts have been thwarted by fraudulent email from professional phishing groups.  Email phishing and email delivery are a systemic problem for governments and businesses alike.

As more federal, state and local agencies move online they generate more email to their constituents and users. Whether you are receiving confirmation on your recent driver’s license renewal or setting up a meeting about property taxes, ensuring the email reaches your inbox is a major concern.  Unfortunately, the majority of American governmental agencies are poorly positioned to deliver email.

Blacklisting

Inbox providers use blacklists to filter incoming email.  Email from IP addresses of a blacklist or containing Domain names on blacklists will be blocked or thrown into the Spam or Junk folders.  

Unfortunately, on average 3.3% of government domains are blacklisted, meaning that their email is in jeopardy of being blocked.  

AgencyBlacklist %
City3.8%
County3.8%
Federal Agency – Executive1.1%
Federal Agency – Judicial0.0%
Federal Agency – Legislative4.4%
State3.3%

City, County and State governments represent the majority of government domains and the highest percentage of blacklisted agencies, excluding the Legislative branch of the Federal government.  This puts email correspondence with these smaller agencies in jeopardy.

SPF

SPF is a technology that allows a domain to designate a list of IP addresses or domains as legitimate senders on behalf of that domain.  For example, your company could use MailChimps or SalesForce to send email to marketing and sales customers.  SPF allows you to designate those two companies as valid senders and only these domains.  Anyone else trying to send email using your domain would fail the SPF checks that inbox providers run on incoming email.  A failed SPF check means that the email may be blocked or dumped to the Spam or Junk folders.

Agency Type% SPF
City72.7%
County70.1%
Federal Agency – Executive93.9%
Federal Agency – Judicial73.9%
Federal Agency – Legislative22.8%
State40.1%

MxToolbox’s survey clearly shows that State and Legislative Agencies are failing to adequately use SPF to protect their email delivery.  While City and County agencies fare slightly better, SPF adoption is required to get email to the inbox.  Without SPF, anyone can attempt to send email that appears to come from a government agency, creating the potential for fraud and phishing using that agency’s domain name.  

The lone bright spot in our survey is the Executive Branch of Federal government.  The nearly 94% adoption of SPF reflects the Department of Homeland Security’s requirement to fully adopt DMARC by October of 2018 (SPF is a key component of DMARC).  While some departments are behind, the DHS directive has definitely been successful. All US agencies need to make adopting SPF, and DMARC a priority to improve email delivery and protect their recipients from fraud and phishing using government domains. 

DMARC

DMARC is a standard that allows a domain owner to do several things:

  • Assign email addresses to be used for feedback from inbox providers regarding SPF, DKIM and DMARC compliance.
  • Assign email addresses to be used for forensic samples of emails that fail SPF, DKIM or DMARC compliance.
  • Set a Policy for how Inbox Providers should handle email from the domain that fails SPF, DKIM or DMARC compliance.  Policy options are:
    • None – Do nothing
    • Quarantine – Set the email aside in a Quarantine type folder.  Sometimes this is a Spam or Junk folder, sometimes this gets placed in a Quarantine spot the administrator can examine.
    • Reject – Dump the email to trash. A reject policy is required by the Department of Homeland Security and to use the BIMI image standard.
  • Specify a % of email to obey the Policy.  The rest will be treated as in a None policy.
Policy as a % of DMARC % ofDomains
Agency Type% DMARCNoneQuarantineRejectReject
City13.1%56.6%24.5%13.8%1.8%
County20.7%52.8%25.8%19.7%4.1%
Federal Agency – Executive90.4%2.8%1.4%93.6%84.6%
Federal Agency – Judicial17.4%50.0%25.0%25.0%4.3%
Federal Agency – Legislative13.2%40.0%13.3%46.7%6.1%
State12.0%57.4%14.0%24.0%2.9%

The Executive Branch with 90% DMARC adoption is well out in the lead, again owing to Department of Homeland Security requirements.  Unfortunately, all other agencies are dangerously behind, risking their email deliverability.  In our recent case studies, we found that improving DMARC compliance can dramatically improve email open rates and click through rates.  If government agencies want to connect with constituents, they need to adopt DMARC as soon as possible.

Fraud and Phishing Protection

Ultimately, to protect your recipients from Fraud and Phishing using your domain, you need to adopt a strict Reject DMARC policy.  A Reject policy tells the inbox provider to completely reject email that does not pass SPF, DKIM and DMARC checks.  Unless they gain access to your servers or the servers of your legitimate senders, fraudsters’ emails will be blocked by a DMARC Reject policy.  While getting to a DMARC Reject policy requires careful management and attention to prevent legitimate email from being blocked, the benefit of protecting your email, your brand and your customers outweighs the complexity and cost.   

Taken as a whole, Government agencies are woefully inadequate in their support for DMARC reject policies and guarding their email from fraud and phishing.  Particularly troubling are the state, county and city governments with low single digit support.  Government agencies need to be a trusted source of information.  Unfortunately, with their current DMARC configurations, the domains of government agencies are at tremendous risk of being used in fraud and phishing attacks.

How can you or governments adopt DMARC?

Any domain owner must adopt SPF and DMARC immediately.  When adopting DMARC, it pays to invest in an email delivery management platform that can help you analyze your email senders, manage the quality of your senders and help you obtain a DMARC Reject policy that does not limit legitimate email. Without analyzing the SPF, DKIM and DMARC compliance of your email, both legitimate and fraudulent, you will not be able to protect your email deliverability.  

MxToolbox Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.
  • Manage the on-going requirements of maintaining high levels of email deliverability

Blacklisted? Get DMARC

Blacklisting is the oldest form of spam protection.  Inbox Providers keep a list of IP addresses and domains that recently sent spam and block them from the inbox.   Blacklisting eventually evolved to include 3rd parties maintaining and selling blacklists derived from spam traps, honey pots, and lists gathered from multiple inbox providers.  As an email sender, being blacklisted is a sign that you are not adequately managing your email delivery posture.  But, blacklisting is not the only way Inbox Providers protect their users from spam.  Increasingly, Inbox Providers are using technologies like SPF, DKIM and DMARC to make inbox delivery decisions.

DMARC Helps Prevent Blacklisting

Your IP addresses and Domain can be blacklisted for many reasons:

  • Spam appears to be coming from your IP addresses or Domain
  • Sending too much email from a single IP address
  • Sending email from an IP address that also sends spam
  • Email recipients marking too much email from your Domain as spam
  • Improper Forwarding
  • Domain included in Fraud and Phishing emails
  • Using spammy wording in your email content

With the right DMARC setup, you can almost completely block spammers from spoofing your domain, or using it in spam, fraud and phishing emails.  Adopting DMARC would then eliminate three reasons why your Domain could be blacklisted, dramatically improving your email delivery posture and helping you get your business message to your intended audience.

DMARC Might be More Important than Blacklisting

Blacklisting was once the first line of defense.  Now, Inbox Providers are increasingly using more complex algorithms to determine the quality of the email they deliver to inboxes.  These algorithms weigh content, blacklisting, DMARC and other factors to determine placement in the Inbox, Junk/Bulk/Spam Folder or simply dump the email entirely.  In the new algorithms, DMARC configuration might weigh more heavily than Blacklisting.  

Since DMARC depends upon two other technologies, SPF and DKIM, DMARC setup requires more time and attention to setup.  This means your team cares about email delivery management and is more active in the management process.  Inbox providers like Gmail, Yahoo! and Outlook.com have begun to prioritize DMARC compliant email.

Blacklists are simple and fallible.  A legitimate email can put a company on a blacklist if it falls into a honey pot or gets reported as spam by enough email recipients.   In addition, many companies use 3rd party emailers with large IP address blocks.  These mass emailers rotate through the IP addresses when sending email for all their clients.  Not only could your email be sent from the same IP address as many other businesses, but that IP address could be blacklisted because of the other companies’ content.   Inbox Providers know the limitations to blacklisting and the benefits of DMARC and their proprietary algorithms reflect this, making DMARC adoption a business requirement.  Even if you are blacklisted, DMARC can help you reach the inbox.

How does DMARC work?

Adopting DMARC gives you the ability to do three important things:

  1. Get feedback on how much of your email is passing SPF, DKIM and DMARC checks
  2. Get forensic examples of failed emails
  3. Set a policy for how Inbox Providers handle email that fails DMARC checks

Feedback on email allows you to identify SPF and DKIM configuration issues with legitimate senders, improve these configurations and identify illegitimate senders which may be fraud or phishing threats.  Once you have corrected your configuration issues for legitimate email senders, you can change your DMARC policy to instruct Inbox Providers to Reject email that fails SPF, DKIM and DMARC checks.  DMARC Reject policies give Inbox Providers comfort that you are actively managing your outbound email.

MxToolbox Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the ongoing maintenance necessary to maintain peak performance:

  • Manage SPF, DKIM, and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.
  • Gradually move your DMARC policy to Reject to enable better inbox placement opportunities.

Email Deliverability in the Travel Industry

Traveling is one of the most enjoyable experiences a person can have and is a widely popular leisure activity.  Travel is also a risky endeavor, requiring careful planning and sometimes last minute itinerary changes especially in business travel.  Lodging and airfare are typically the most expensive pieces of the budget, so you want partners you can depend upon to inform you of confirmations and itinerary changes in a timely manner.  But, can you trust the emails that come from these airline partners?

DMARC Creates Trusted Senders

DMARC is a requirement for trusted email communication.  An email from a sender with DMARC properly configured to a strict “Reject” policy can be trusted.  Without a “reject” policy, a sending company could easily be spoofed by a fraudster and have that email accepted by inbox providers.  Adopting DMARC protects the email recipient and the corporate brand.

DMARC Adoption in the Airline Industry

Trusting email correspondence from your airline is an important part of enjoying your travel experience.  If an airline domain can be easily compromised by fraudsters, your travel plans are at risk.  Unfortunately, email hygiene and DMARC adoption rates are low among airlines.

MxToolbox’s September 2020 study uncovered the following concerns about airlines ability to deliver emails to their travellers:

  • 8% of airlines sending IP addresses are blacklisted, meaning that email from these domains could be blocked from your email entirely.  Good luck getting that flight update.
  • Only 40% of airline domains have adopted DMARC.  Email delivery from the other 60% of airline domains is at high risk for fraud and phishing and may be more likely to end up in the Junk folder than the Inbox.
  • Only 14% of airlines are using Strict DMARC policies (7% Reject, 7% Quarantine).  The remaining companies are at high risk of being used for fraud and phishing.
  • Only 1 Airline has deployed BIMI to display their logo in the recipients inbox. BIMI gives an extra level of assurance that the sender is legitimate and reinforces the corporate brand.

Protecting Your Brand with DMARC

To maintain the highest levels of email deliverability, businesses like yours (and these airlines) need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the on-going maintenance necessary to maintain peak performance:

  • Leverage our unique Adaptive Blacklist Monitoring to manage the email reputation of all your senders.
  • Manage SPF, DKIM and DMARC (and BIMI) to improve compliance and reduce the threat of fraud and phishing using your domain.
  • Review daily volume and SPF, DKIM and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops to gain unique information on how your recipients view your emails and when they mark you as spam.

Has your email been Spoofed?

Email spoofing can harm your corporate brand, decrease open rates for your legitimate email, cause legitimate email to be blocked, compromise website security and even create financial complications.  No company is totally immune from malicious email spoofing using their domain, but there are ways to protect yourself.  Spoofing comes in a few different forms:

  • Simple Domain Spoofing – a spammer sends email that looks like it is from your domain, but originates from a server that you do not control or not in your SPF record.
  • Hacked SPF Sender – A spammer hacks a legitimate sender, one listed in your SPF records, and sends email that appears to be from you.  
  • Hacked Internal Account – A hacker compromises an internal email box and sends email via legitimate sources.  
  • Similar Domain Spoofing – A spammer sets up a complete domain that has a similar name to yours.  For example, “example.com” versus “exarnple.com” or “exampIe.com”.

Recently some fraudsters were brazen enough to attempt to spoof email from MxToolbox.com.  This illustrates how our experts (and MxToolbox Delivery Center Product) protect us from fraud and phishing and how we can protect your company too.  

DNS Configuration

Good email delivery and protection from fraud and phishing attempts requires expert management of your DNS.  Four DNS protocols are particularly important:

  • SPF allows you to delegate outbound email to 3rd parties.
  • DKIM allows you to crytographically sign email to take ownership of the email you send.
  • DMARC provides two very useful features:
    • Allows you to designate email addresses to receive feedback on your email delivery.
    • Allows you to set an email delivery policy for how inbox providers handle email that isn’t DMARC compliant with either SPF or DKIM.
  • BIMI allows you to provide an icon that inbox providers may display if your email passes DMARC with a strict DMARC policy

Our spoofer used IP addresses outside of our SPF so failed SPF checks and DMARC compliance.  Additionally, our DMARC policy is set to reject, so inbox providers knew to discard these failed emails immediately.  Our expertly configured DNS helped us reduce the impact of this attack on our email delivery, our customers and the non-customers targeted.

You might think that DNS configuration is all you need to protect your email delivery, but there is more.

Visibility

SPF, DKIM and DMARC Passing Rates

While DNS configuration is the most important first step in email deliverability, you need constant visibility into your email delivery status in order to protect your brand.  MxToolbox Delivery Center provides important insight into your email delivery posture with real-time statistics on SPF, DKIM and DMARC pass and fail rates across all your email senders, legitimate and fraudulent.  

In this case, MxToolbox Experts quickly noticed a spike in email from illegitimate sources.  Delivery Center reported this spike by analyzing DMARC reports approximately 24-48 hours before we began to receive bounceback notices from targeted inbox providers.  With strict ‘Reject’ DMARC policies in effect, our Expert team could rely on most inbox providers dumping these emails without delivery, however, we needed to analyze the potential risk.

Bounce Analysis

MxToolbox Delivery Center integrates a Bounceback analysis tool that allows us to analyze bounceback email messages from dozens of inbox providers to determine the reason an email failed to make it to the intended recipient.

bouncebacktool.JPG

Bounceback messages can help you understand recent attacks and prevent new ones.  For example, a bounceback due to Reverse DNS failure, as above, is an indicator that your spammer was using a server outside of your network and not listed in your SPF as was our recent spammer.  Bounceback messages can also provide insight into other reasons for delivery failure, including blacklisting, malware/spam content and more.

Feedback Loops

The newest visibility feature of MxToolbox Delivery Center incorporates Feedback Loops.  Feedback Loops allow Inbox Providers to return information from inbox owners to the original senders, including much of the original message header.  Analyzing message content and headers returned via feedback loops gives you unique insight into how your email is being perceived by recipients.  Did the recipient report you as spam?  Was the email actually fraudulent?  Was the content yours but appeared spammy?  Feedback loops are very powerful and a necessary part of maintaining high quality email delivery.  

Get ahead with Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the on-going maintenance necessary to maintain peak performance:

  • Who is sending email purporting to be from your domain
  • What is the reputation of your senders’ IPs
  • Geolocation of your senders and What their blacklist reputations are
  • How your SPF, DKIM and DMARC setup is performing
  • What senders are failing DKIM
  • What senders are failing SPF verification
  • When to setup more restrictive policies for DMARC
  • What on-going maintenance you need to maintain and improve your email deliverability

 

A Case of Fraud and Phishing

Companies large and small are potential victims of fraud and phishing using their brands and domains.  If you leave your business unprotected, it is simple for hackers and fraudsters to leverage your domain and brand to email your customers scams.  Companies in banking, financial services and investment advice are at particular risk due to the potential for immediate financial loss.

MxToolbox Experts are here to help you prevent damage to your brand and improve your email deliverability.  Leveraging new email technologies, such as DKIM, DMARC, BIMI and others, our Managed Services team helps businesses worldwide with email deliverability and protect against fraud and phishing.

A recent Investment Advisory case study shows how MxToolbox can help:

  • Leveraging DMARC best practices to aid email deliverability
  • Improving SPF, DKIM and DMARC compliance rates
  • Implementing strict DMARC policies to prevent Fraud and Phishing
  • Dramatically Improving Email Open Rates

Read the Case Study

BIMI Monitoring has arrived

MxToolbox is happy to announce additional support for BIMI in the form of BIMI record monitoring.  Now, you can be confident that all your important email deliverability records are properly configured and constantly monitored by our experts.

What is BIMI?

BIMI is an email delivery standard that works with other standards (SPF, DKIM and DMARC) to publish an image or logo on an end-user’s email box when an email comes from you. BIMI helps your email recipients feel confident that an email is legitimately from you and helps to protect your brand from use in fraud and phishing.

How does BIMI work?

First, you need to have SPF, DKIM and DMARC properly setup.  Next, you publish a BIMI DNS record that defines your preferred logo image.  Then, when you send email to a user on a BIMI-Supported inbox provider, like Yahoo! and, in Summer 2020, Google, the inbox provider you have a chance of displaying your logo.

Inbox providers will check for DMARC compliance on every email.  If the email passes DMARC tests, then this inbox provider will check for a BIMI record.  If a valid BIMI record is found, then the inbox provider will display your logo next to the email.  As these checks happen on each email, you need to be sure that your email is both passing DMARC and that your BIMI record is accessible every time you send email.  With a BIMI logo next to every email you send, your customers will be reassured that each email is a legitimate communication from you and have your brand top of mind.

MxToolbox BIMI Monitoring

MxToolbox is expanding our support for BIMI by announcing the inclusion of BIMI record configuration monitoring as part of MxToolbox Delivery Center.  You can already test your BIMI record with our Supertool, but now we offer integrated alerts when BIMI is non-accessible or misconfigured.

Since BIMI is dependent on SPF, DKIM and DMARC, MxToolbox highly recommends that you adopt tools, like Delivery Center, to help you setup and maintain these technologies while also monitoring your your day-to-day DMARC compliance.  MxToolbox Delivery Center leverages our email expertise to improve your email deliverability and allows you to focus on running your business.  Adding BIMI to a tool like Delivery Center will help improve your email delivery and improve the visibility of your brand.

ARC Protocol – Getting your email delivered

Recently, RFC 8617 established the Authenticated Received Chain (ARC) Protocol, a new and powerful email authentication and security standard that allows legitimate forwarded emails to be delivered without any issues.   ARC has been in testing for several years with Google and another inbox provider to transform the theoretical solution into a full-fledged standard.

What is ARC?

ARC allows mail handlers (email servers) to preserve a “chain of custody” that shows where the respective message originated and all subsequent handling entities via authentication data when forwarding emails. To get more specifics about the ARC protocol, click here.

Before ARC, a forwarded email would no longer pass DKIM alignment because there was no standard for preserving the original and subsequent DKIM signatures.  An unaligned message might then fail DMARC and be rejected by the final inbox provider and never reach your customer’s inbox.

The ARC protocol establishes a standard for preserving DKIM alignment when a message is forwarded.  This helps these messages look less suspicious to the receiving inbox providers by ensuring emails that are forwarded pass authentication and avoid being labeled as spoofed messages. 

Why is ARC important?

ARC becoming a standard applied to all inbox providers is highly important for your email deliverability. With ARC, if your business forwards email and has implemented DKIM, your email chain of custody will no longer break, resulting in higher delivery rates.  While SPF alignment breaks under most message forwarding instances, DKIM breaks when emails pass through forwarding services that modify content involving a DKIM signature. Even if the email fails SPF and DKIM validations, the inbox provider can choose to validate the ARC standard.

It is imperative that your business email implement DKIM as soon as possible to improve email deliverability and leverage the benefits of ARC.

ARC Enables more DMARC Adoption

The creation of the ARC standard shows continued support for the DKIM, SPF and DMARC standards that are the basics for email deliverability.  ARC allows messages that have been forwarded via mailing lists, list servers, and email gateways to pass DKIM authentication and not break during delivery.  DKIM is integral to achieving DMARC compliance, so the ARC standard also allows more senders to pass strict DMARC policies.  Strict DMARC block non-DMARC compliant email to improve your company’s overall email deliverability by reducing the threat of fraud and phishing using your domain.

What do I need to do to take advantage of ARC?

The first steps to leveraging ARC involve the adoption of basic email deliverability standards – SPF, DKIM and DMARC.  If you have not already read it, MxToolbox has a great guide to setting up these protocols.  Once you have SPF, DKIM and DMARC setup, inbox providers that have adopted ARC will automatically process your email appropriately.

MxToolbox Delivery Center provides everything you need to manage the on-going maintenance of email delivery.  Learn more about Delivery Center and how we can help you with email deliverability!

First Verified Mark Certificate Issued

Recently, JPMorgan Chase became the first company to adopt the VMC standard, and companies gained another tool to prevent email fraud. 

What is VMC?

Verified Mark Certificate (VMC) is a method to watermark outbound messages to declare the email comes from an official, legitimate source.  With a certificate like this, senders get better email deliverability because email recipients will see a valid VMC as a certificate of trust emails.

Entrust Datacard, a U.S.-based provider of trusted identity and secure issuance technology solutions, recently issued the first VMC certificate to JP Morgan Chase. Entrust developed the new vendor-neutral VMC solution in collaboration with the AuthIndicators Working Group, a committee of companies responsible for creating the Brand Indicators for Message Identification (BIMI) standard.  While the VMC and BIMI standards still in the early stages of definition and adoption, this announcement indicates a big push to get BIMI into inboxes.

What is BIMI?

The BIMI protocol helps to improve email authentication and brand assurance by allowing a sender to publish a logo icon through DNS.  Inbox providers then use this logo to highlight DMARC compliant emails from the sender, thereby providing a reassurance to users that this email is free from phishing and spoofing attacks.  The logos themselves will also make it easier for customers to recognize their preferred companies in inboxes and increase brand awareness by prominently displaying trusted logos. 

How do VMC and BIMI work together?

The goal of VMC is to prove a BIMI image is authentic, not a scammer utilizing a fake image of a trusted source like the sender, Microsoft, Amazon, or JP Morgan, for example.  Validating that a BIMI-displayed logo is legitimate will make phishing and spoofing practices more difficult to accomplish. While BIMI allows companies to display logos in supported inboxes, VMC authenticates the logos are valid and owned by the actual sender of the email.

The recent exciting news that JPMorgan Chase was granted the first VMC is a promising sign that BIMI should be standardized soon. BIMI, which leverages DMARC, continues the technological trend of making it difficult for online fraudsters and phishing attacks to trick unsuspecting victims.

How MxToolbox Helps

To achieve the BIMI standard, Domain-based Message Authentication, Reporting, and Conformance (DMARC), along with SPF and DKIM, must first be implemented. MxToolbox’s team of email delivery experts and tools can help you implement and understand DMARC to help your business attain email deliverability.

First, MxToolbox provides a free DMARC lookup tool to analyze your DMARC record and make recommendations for getting your email DMARC compliant.

In addition, MxToolbox’s BIMI Lookup tool is a free diagnostic tool that will look for a BIMI record for the supplied domain name and run a series of diagnostic checks against the record to ensure compliance with standards and accessibility of the BIMI icon to inbox providers.  As the VMC standard is defined, MxToolbox will extend our tools to checking and validating VMC certificates.

Finally, MxToolbox is here to guide your company through the DMARC process and help optimize your email deliverability.  We offer several solutions to help you get your email DMARC compliant and monitor the on-going DMARC compliance of your email:

  • Delivery Center is our base package that allows you to monitor the SPF, DKIM and DMARC compliance of your email while giving you insight into emerging email threats.
  • Delivery Center Plus gives you all the great reporting of Delivery Center combined with deeper reporting on Phishing and Fraud using your domain.
  • Delivery Center Managed Services gives you access to our Email Experts who manage your DMARC compliance and free you to focus on your business.