Category Archives: MX News

General news about our company, products and future releases.

Validity goes behind a Paywall

Validity recently announced that their Universal Feedback Loop ARF reports are no longer a free service and will become a paid subscription. They are replacing their individual ARF reports with a free aggregate report today.

What are Validity ARF Reports?

Abuse Reporting Format (ARF) is a standard that allows Inbox Providers to provide Feedback or Recipient Complaint information to legitimate email senders. The data contained in an ARF report can be as limited as the subject of the email and number of complaints or may be highly detailed information, like:

  • Date and Time of the Complaint
  • Date and Time of the Email Sent
  • Subject of the email
  • Email Addresses Unsubscribing
  • Email Addresses Complaining
  • Email Addresses Failing
  • Type of Failure or Complaint

However, Validity ARF reports only contain minimally actionable information: Subject, Date and Type of Complaint and email header with obfuscated recipient data.

Who does the change affect?

MxToolbox Delivery Center customers with a Validity Feedback Loop/Complaint integration will lose access to new Validity data on September 22, 2023. MxToolbox is investigating the value of integrating with their free aggregate version of the Universal Feedback Loop systems or terminating the integration with Validity.

Our product team is constantly evaluating the potential for new integrations to ensure that our Recipient Complaints feature provides detailed, actionable insight to our customers. While Validity ARF reports contained some actionable insight when free, the impact when compared to DMARC data and other sources of Feedback Loops will be minor to most customers.

MxToolbox’s Stance

MxToolbox has always been an advocate for improving email delivery and an early adopter of DMARC and Feedback Loop aggregation technology. Feedback Loops were intended to be used to improve the quality of email and reduce the quantity of unwanted email, so, placing Feedback Loop and Complaint information behind a paywall seems like the wrong direction. The additional costs will be especially rough for small-to-medium businesses to bear.

MxToolbox Free Email Delivery Tools

MxToolbox has always been a provider of Free Email Delivery Tools. From our early days Blacklist Lookups and Monitors have been free to use. We continue to expand our suite of free tools to help businesses improve email delivery.

Why are my SPF Pass Rates so low?

SPF is an important technology for email delivery. If your email is not SPF compliant, then it is highly unlikely that an Inbox Provider will deliver the email to the recipient’s inbox. Inbox Placement is key to getting your message heard and SPF compliance is key to making the Inbox. MxToolbox Delivery Center provides a comprehensive resource for understanding and managing SPF, DKIM and DMARC compliance, but there are a few things you need to know about SPF regardless of the tools you choose.

SPF Compliance

To be SPF Compliant, an email must be SPF Authenticated and SPF Aligned. The standard provides a strict compliance that also allows a domain to designate 3rd parties as valid senders.

SPF Authentication

An email is considered SPF Authenticated when the email originates from an SMTP server on an IP address that is contained in the sending domain’s SPF records.  This enables a business to designate a 3rd party emailer as a valid sender of email.  

SPF Alignment

SPF uses the header of the email to determine Alignment.  An email is considered SPF Aligned when the domain in the “From:” address of the email is the same as the domain in the Return-Path field of the header or with a domain that is Authenticated with the valid list of senders in the SPF record.

MxToolbox SPF Pass Rates

MxToolbox has two metrics useful for understanding SPF Compliance: SPF Authentication Rates for Aligned Domains and SPF Pass Rates for Verified Sources.  These metrics enable you to report upon and analyze your email providers for areas to improve upon.

SPF Authentication Rates for Aligned Domains

As part of our SPF management processes, MxToolbox Delivery Center gathers a list of valid return path domains and subdomains and analyzes the amount of email from these SPF Aligned domains that is properly SPF Authenticated.   Email that is Aligned but not properly Authenticated indicates that one or more email senders are missing from your SPF records, or that your SPF records are too large and violate SPF include rules.  You will need to add the missing senders to your SPF record or use an SPF Flattening tool.
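One way to reproduce this kind of analysis offline, as an added example that is not Delivery Center's own logic: it checks a sending IP against an SPF record, enforces the 10-lookup limit from RFC 7208, and computes the share of Aligned messages that are also Authenticated. The zone data, messages and function names are constructed; only pass-qualified `ip4`, `ip6` and `include` terms are evaluated, and Alignment is taken as an exact match of the From and Return-Path domains, as this post describes it.

```python
import ipaddress

# Constructed SPF TXT records keyed by domain; a stand-in for live DNS so this runs offline.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 -all",
}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per check
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


class TooManyLookups(Exception):
    """Raised when a record needs more DNS lookups than receivers will perform."""


def spf_authenticated(ip, domain, zone=ZONE, counter=None):
    """True if `ip` is authorised by the SPF record of `domain`.

    Simplified: only pass-qualified ip4, ip6 and include terms are evaluated;
    other DNS-querying terms are counted toward the limit but not resolved.
    """
    counter = [0] if counter is None else counter
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_TERMS:
            counter[0] += 1
            if counter[0] > LOOKUP_LIMIT:
                raise TooManyLookups(domain)
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return True
        elif term.startswith("include:"):
            if spf_authenticated(ip, term[len("include:"):], zone, counter):
                return True
    return False


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def classify(msg, zone=ZONE):
    """Label one message as Aligned, Authenticated and Compliant (both)."""
    rp_domain = domain_of(msg["return_path"])
    aligned = domain_of(msg["from"]) == rp_domain
    try:
        authenticated = spf_authenticated(msg["ip"], rp_domain, zone)
    except TooManyLookups:
        authenticated = False  # an oversized record fails for every sender
    return {"aligned": aligned, "authenticated": authenticated,
            "compliant": aligned and authenticated}


def auth_rate_for_aligned(messages, zone=ZONE):
    """Fraction of Aligned messages that are also Authenticated."""
    aligned = [c for c in (classify(m, zone) for m in messages) if c["aligned"]]
    return sum(c["authenticated"] for c in aligned) / len(aligned) if aligned else None


def chained_zone(depth):
    """Constructed zone whose record s0.example needs `depth` nested includes."""
    zone = {f"s{i}.example": f"v=spf1 include:s{i + 1}.example -all" for i in range(depth)}
    zone[f"s{depth}.example"] = "v=spf1 ip4:203.0.113.0/24 -all"
    return zone


MESSAGES = [  # constructed sample traffic
    {"ip": "192.0.2.10", "from": "news@example.com", "return_path": "bounce@example.com"},
    {"ip": "198.51.100.20", "from": "crm@example.com", "return_path": "crm@example.com"},
    {"ip": "203.0.113.5", "from": "shop@example.com", "return_path": "shop@example.com"},
    {"ip": "2001:db8::25", "from": "it@example.com", "return_path": "it@example.com"},
    {"ip": "192.0.2.10", "from": "news@example.com", "return_path": "fwd@lists.forwarder.example"},
]

if __name__ == "__main__":
    print(auth_rate_for_aligned(MESSAGES))
```

The third sample message is the "missing sender" case: Aligned, but sent from an address the record does not list.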

SPF Pass Rates for Verified Sources

As part of MxToolbox Delivery Center, we automatically detect the sources that are sending email on behalf of your domain. These include your own servers, your corporate Inbox Provider, 3rd party marketing tools, CRMs, etc.  Verified Sources should be in your SPF records, meaning they should be Authenticated. 

Our second analysis looks at the SPF Alignment rates for each of these Authenticated senders – the SPF Pass Rate.  A low SPF Pass Rate for a sender indicates that the sender’s “From” and “Return-Path” domains are not the same or not contained in your SPF record.  Unknown sources that arise from this analysis could be threats to your brand or rogue senders that need to be added to your SPF records.

There are potentially several reasons for low SPF Pass Rates for Verified Sources:

  • Spoofing – A malicious actor is trying to use your domain to legitimize their spam or malware.
  • Forwarding – Many people use inbox forwarding or mailing lists to manage email distribution or aggregate email. Forwarded email will change the return-path, breaking SPF Alignment.
  • Missing Senders – Someone may have legitimately contracted with a 3rd party emailer and failed to add the full or correct entry to the SPF record. The sender could be SPF Aligned, but not Authenticated.

To fully understand why your SPF Pass Rate for a Verified Source is low, you need to investigate the largest sources of misaligned email, SPF Unaligned Domains. Typically, you will see benign domains like gmail.com, googlemail.com, and other subdomains of legitimate senders. Occasionally, you’ll see large volumes from other sources, which could be benign or fraud. Investigating these can improve your email delivery.

Does DMARC and email deliverability seem too complicated?

MxToolbox Experts are here with a Managed Services approach to your email configuration issues.

It’s time to adopt MTA-STS

Inbox Providers like Google, Yahoo! and Outlook.com are in a constant arms race trying to protect their users from spammers, spoofers and irrelevant content. Since the late 90’s dozens of new technologies have been proposed and adopted, including: Blacklists, TLS Encryption, SPF, DKIM, DMARC, BIMI and, now, MTA-STS. With the continued progression of MTA-STS, it is now time for all domains to adopt the technology to secure inbound email and reduce the threat of spam.

What is MTA-STS?

MTA-STS is an update to TLS Encryption that allows an Inbox Provider to specify a list of secure servers to receive email and mandates a secure TLS connection to these servers. Insecure connections will not be accepted. This corrects a few of the short-comings of TLS alone: Expired TLS Security Certificates, Man-in-the-Middle Attacks and attacks that downgrade to no encryption.

How does MTA-STS Work?

When a sender wants to connect to an inbox provider or domain’s email servers to deliver email, they first query the MTA-STS DNS entry which contains the location of a policy file. The policy file is accessed via HTTPS and contains information about the correct servers to use, which must match the MX records exactly, the TLS encryption requirements, the MTA-STS policy mode and the maximum length of time to cache this information. Senders then encrypt communication with the servers and transmit the email.

Since the sender is required to verify the connection and it is encrypted to known servers, the sender has a slightly higher level of trust. Any sender that fails this mini test can be considered a threat.
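The lookup sequence described above, as an added example that is not MxToolbox code: it parses the `_mta-sts` TXT record and the policy file using the field names from RFC 8461 and reports which of a domain's MX hosts fall outside the policy. The domain names, record values and function names are constructed, and the DNS and HTTPS fetches are replaced by inline sample strings.

```python
# Constructed sample data throughout; no network access is performed.
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds


def parse_sts_txt(txt):
    """Parse the TXT record published at _mta-sts.<domain>; return the policy id."""
    if not txt.strip().startswith("v=STSv1"):
        raise ValueError("not an MTA-STS record")
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    policy_id = fields.get("id", "")
    if not (policy_id.isascii() and policy_id.isalnum() and len(policy_id) <= 32):
        raise ValueError("missing or malformed id")
    return policy_id


def parse_policy(text):
    """Parse the file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    max_age = policy.get("max_age", "")
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        raise ValueError("invalid max_age")
    policy["max_age"] = int(max_age)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx hosts")
    return policy


def mx_allowed(mx_host, patterns):
    """True if an MX hostname matches one of the policy's mx patterns.

    A leading "*." wildcard matches exactly one left-most label.
    """
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            _, _, parent = host.partition(".")
            if parent and parent == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False


def audit(domain_mx, txt, policy_text):
    """Return (policy id, mode, MX hosts that the policy does not cover)."""
    policy_id = parse_sts_txt(txt)
    policy = parse_policy(policy_text)
    uncovered = [mx for mx in domain_mx if not mx_allowed(mx, policy["mx"])]
    return policy_id, policy["mode"], uncovered


SAMPLE_TXT = "v=STSv1; id=20230901T000000;"
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.example.com\r\n"
    "mx: *.mail.example.net\r\n"
    "max_age: 604800\r\n"
)
SAMPLE_MX = ["mx1.example.com.", "in.mail.example.net", "backup.example.org"]

if __name__ == "__main__":
    print(audit(SAMPLE_MX, SAMPLE_TXT, SAMPLE_POLICY))
```

An MX host reported as uncovered is one that a sender honoring an `enforce` policy will not deliver to, so the list should be empty before moving from `testing` to `enforce`.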

What does MxToolbox recommend?

MxToolbox recommends that all companies set up MTA-STS for their receiving domains to inform senders that their email servers and providers accept secure message delivery using SMTP over TLS and also require that email should not be delivered using an insecure SMTP connection. When MTA-STS is enabled for your receiving domain, it requests external servers to send messages to your domain only when the SMTP connection is authenticated with a valid public certificate AND encrypted with TLS 1.2 or higher. This is a higher level of security for incoming email and should reduce spam to your domain.

In addition, you should ensure that all your domain’s email senders support MTA-STS. This includes your email server software, email marketing, and any other potential email senders: CRM, Order Management, Support, etc. Once you select a provider’s MTA-STS policy, messages sent from your domain to external servers will also comply with the standard and improve delivery.

Test Your MTA-STS setup with MxToolbox

To help all our users get a head start with MTA-STS, we’ve created a free lookup tool as part of our SuperTool. Check your MTA-STS policy setup as well as any email sender!

The Flavors of Successfully Delivered Email

Email delivery is a complicated thing. There are multiple layers of technology protecting an inbox at modern inbox providers like Google, Yahoo! and Outlook.com. For example:

  • Blacklists are used to identify IP addresses that have spammed or otherwise should not be trusted
  • SPF identifies legitimate sending IP addresses for a domain
  • DKIM allows a domain to sign email to ensure the integrity of the email
  • DMARC enables a sending domain to get feedback from Inbox Providers on SPF and DKIM compliance
  • Inbox Providers maintain internal Unsubscribe Lists
  • Inbox Providers maintain internal Spam Lists
  • Inbox Providers run proprietary Spam Content Analyses
  • Inbox Providers monitor engagement with emails from a domain

Email Delivery Standards

Technically Delivered

In the email world, a message is considered successfully delivered when the recipient can access the email. The email could be delivered to any subfolder for example:

  • Junk
  • Spam
  • Quarantine
  • Bulk
  • Promotions
  • Customer configured Filter or Subfolder

While this does not seem optimal to the recipient or sender, the email is accessible, just not in the main Inbox.

Undelivered email is completely inaccessible to the recipient. An email could be undelivered for multiple reasons, depending on how the Inbox Provider’s algorithms work:

  • The sending IP was blacklisted so the system declared the email Spam and rejected it.
  • The Sending IP was not listed in the Sending Domain’s SPF record. This is either a misconfiguration or a sign of a deliberate spoofing attempt.
  • The DKIM signature does not align with the Sender’s signature.
  • The recipient mailbox is full
  • The recipient mailbox does not exist

Marketing Delivery Success

Marketers only see email delivery as getting the email to the recipient’s Inbox. That makes sense as their mission is only accomplished when the email is Opened, Read and relevant links Clicked.

Obviously, there’s a bit of a disconnect between how IT sees delivery and how Marketing sees delivery. Both are correct for their purposes. They are simply not speaking the same language.

MxToolbox Helps you Reach the Inbox!

MxToolbox has long developed tools and services around Mailbox Delivery. Our early Delivery Center service focused on the primary technologies supporting email delivery: Blacklisting, SPF, DKIM and DMARC. Our newest features of Delivery Center change this focus to help the Marketer reach the Inbox.

Complaints

Inbox Providers often have a list of complaints lodged by their users against Senders. Some even allow access to these complaints, which often include email reported as spam, dead email inboxes, full inboxes and even unsubscribes done only through the Inbox Provider. Delivery Center now includes a feature to integrate and aggregate complaints and make them visible and actionable for you to improve your sending reputation with Inbox Providers. Lowering your complaints goes a long way toward making your email deliverable to the Inbox. Learn more about Complaints.

Inbox Placement

Ultimately, Marketing looks at metrics like Open Rates, Click-through Rates and Purchases to judge an email campaign’s strength. However, these indicators lag something more important: Placement in the Inbox. Delivery Center now contains a tool that enables you to test the inbox placement of an email campaign both before sending it to your customers and simultaneously with the bulk emailing. Inbox Placement works across the large Inbox Providers like Google, Yahoo and Outlook.com. Learn more about Inbox Placement.

Two-Factor Authentication and Security

Security is important for any system you use, but doubly important for communications systems like email. Think about what you store in your inbox:

  • A history of all communications with important clients, friends and family
  • Irreplaceable documents
  • User ID for other accounts
  • Purchase histories at online retailers

There are probably many more things in there that you don’t want anyone else to access. It is therefore important that your email provider take precautions to safeguard your email.

Good Password Technique

Protecting valuable, private data requires good password discipline. MxToolbox has a few suggestions for passwords to improve security:

  • Do not make the password a “word” or derived from a word – The more random characters, the harder it will be for a password dictionary to crack it through guesswork
  • Do not reuse passwords – Unfortunately, site breaches and bad password file controls have exposed millions of passwords. If you reuse a password that was exposed, you are just asking for a hacker to gain access to your account.
  • Use a Random Password Generator – The more random a password, the harder it is to crack. MxToolbox has offered a free, untracked random password generator for several years.
  • Use a Password Vault – A password vault stores all of your passwords in an encrypted state that only requires a single password to access. It’s easier to remember a single, long password so a password vault takes the load of all those lengthy, random passwords for you.
  • Use Two-Factor Authentication where available

What is Two-Factor Authentication (2FA)?

Passwords are simply insufficient to protect important information. A simple password can be guessed, a password file could leak, etc. Many online companies are implementing Two-Factor Authentication to provide an additional layer of protection to sensitive information. Two-Factor Authentication, or 2FA, requires a password and a code or token sent to a trusted device.

Two-Factor Authentication is common for Apple, Google and many other major website users. For example, an Apple user would see a warning on their iPhone about a sign-in to their iCloud account on an iPad or Apple computer and require using that code on the account. Google uses a similar approach through a Google Authenticator app on your phone or device. Other websites will send a text message with an authentication code that you input into the site to verify your login attempt. Regardless of the implementation, 2FA helps to ensure that the login attempt is valid by requiring access to a trusted device meaning that a hacker would have to have both the login and the device to gain access to the account.

MxToolbox Offers 2FA

MxToolbox has implemented Two-Factor Authentication across all our services. Email is the life blood of many organizations and we feel that it is important to protect our customers from potential breaches that might expose sensitive information. We highly recommend that every customer turn on 2FA for their account.

How to configure 2FA at MxToolbox

  1. Log in to your account.
  2. Click “username@mxtoolbox.com” in top right corner for dropdown menu.
  3. Click “Settings” option directly below username.
  4. Click “2 Step Verification” tab (fourth tab in header).
  5. After reading the explanation, choose either Software Token (recommended), Test Message, or Disabled and follow the instructions specific to your preference.
  6. If you see Status: Enabled to the far right of the Two-Factor Authentication (2FA) heading, you have completed MxToolbox’s 2FA process.

By utilizing 2FA, a potential compromise of just one of the two factors will not unlock your MxToolbox account. So, even if your password is stolen or your phone is lost, it is highly unlikely that someone else will also have your second-factor information. If you utilize 2FA correctly, websites and apps can be more confident of your identity and allow you secure access to accounts.

MxToolbox Updates: New Mobile/Tablet-Optimized SuperTool in Beta

MxToolbox will soon beta test a new and updated version of our SuperTool (Beta8). Some SuperTool users will receive access to this beta version, while others will continue to use the existing SuperTool.  Be on the lookout for the upcoming changes.

The SuperTool streamlines all of your MX record, DNS, blacklist, and SMTP diagnostics into one integrated tool. Everything you need to assess your business domain’s status is found with this free tool.

Our Beta8 rollout centers on increasing multi-device usage and ensuring a better, more enjoyable experience across all devices. Upgrades will be especially noticeable for users on both mobile and tablet options. From phone, tablet or laptop, the new and improved SuperTool will help retrieve all the information you seek with the aim of a better user experience than the current SuperTool.

If you receive the Beta8 version, congrats! Any feedback you could provide our team will be greatly appreciated. Please send your thoughts, concerns, and recommendations to: feedback@mxtoolbox.com.

 

SPF Tool and IPv6 Updates


To continue our support of Email Delivery and Deliverability, MxToolbox is adding IPv6 support (Internet Protocol Version 6) to our SPF Tool, with more tools to come online later. When a user runs an SPF lookup, this update changes the lookup behavior for MX and A records that are specified within an SPF record (as tags).  Now,  SPF lookups will also check for AAAA DNS records and their resulting IPv6 addresses. Previously, the SPF tool only looked for IPv4 addresses when MX and A tags were present in an SPF record.  

Background

IPv6 is the most recent version of the Internet Protocol—the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Web. It was ratified as an Internet Standard in 2017 and allows for larger addressing space. Every computer, smartphone, and any other device connected to the Internet needs a numerical IP address in order to communicate with other devices. Compared to its predecessor, IPv6 can handle packets more efficiently, improve performance, and increase security.

While IPv6 has been around for decades, IPv6 addresses are now being actively used in email delivery. MxToolbox is here to help with the transition to IPv6. MxToolbox’s research of the current outbound email space shows that adoption has largely been among the free webmail providers such as Gmail and Outlook.com. Additionally, 25% of the Alexa Top 1000 websites are currently reachable over IPv6 networks.

1 https://www.worldipv6launch.org/measurements/

 

Threat Investigation in Delivery Center

Email delivery is under assault by spammers and hackers world-wide.  Your brand and domain name can be leveraged to send spoofing emails, malware and spam to your customers, your suppliers and even to random strangers.  Unfortunately, the potential for abuse is no longer restricted to larger companies as hackers and spammers attack smaller, less protected companies.  Regardless of the size of your business, you need to protect yourself.  Several small businesses using MxToolbox Delivery Center have recently discovered that as much as 90% of the email volume reportedly coming “From” their domain is spoofed, leading to blanket denial of their email delivery.  Any company can have their business completely crippled by this type of spoofing.  How do you investigate and prevent email spoofing to improve email deliverability and protect your business?

Introducing, MxToolbox Threat Investigator!


Investigate threats to your email delivery in a consolidated interface.

Continuously striving to increase our customers’ email delivery rates, MxToolbox is excited to unveil a new product feature that will help your business achieve ideal deliverability.   With Threat Investigator, our customers get in-depth details on potential email delivery threats, including threatening IP addresses, geo-location, related domain information, reverse domain name system (DNS), autonomous system name/number (ASN), threat volume, and online reputation (MxReputation).  Threat Investigator provides everything you need to analyze current and potential email threats to email delivery and take steps to prevent these threats from impacting your business.


Leverage ASN, Geo-location and Reverse DNS to categorize threats.

Because online communication is essential for your business, MxDelivery Center with the new Threat Investigator feature examines issues associated with outbound email, focusing on any encountered delivery difficulties. Moreover, this product identifies ongoing phishing and spoofing campaigns that threaten your brand and email reputation. Being able to recognize these threats early preserves your company name and helps overall message deliverability.

In addition, this innovative feature also provides phishing and legitimate email failure samples as references for investigation purposes. All of this is at your disposal for comparison exercises and to further enhance your familiarity with threats as they emerge.


Threat Investigator integrates MxToolbox blacklist reputation to give you more insight.

MxToolbox’s Threat Investigator gives you unmatched awareness of threats to your company’s email practices. Your messages deserve safeguarding, and MxToolbox provides the tools necessary to protect and deliver your business email. Rely on our team of experts to help your emails get delivered by using the new Threat Investigator feature to reinforce your brand.

Existing customers: As a valued MxToolbox customer, you will have access to the Threat Investigator tool (depending on your current product subscription level). If you do not have access and would like to use this new feature, be sure to upgrade your plan to take advantage of MxToolbox’s Threat Investigator item.  Your business and your customers will greatly benefit from its addition.

DMARC Record Missing Alerts

Have you heard of DMARC?  It is the newest way to protect your email delivery and online reputation from delivery failures, misconfigurations and fraud and phishing attempts.  If you aren’t using DMARC, you are at risk from email delivery failures.  Learn more about DMARC, DMARC Compliance and Email Delivery.

Since DMARC is such a pivotal technology, we have decided that our customers need to be alerted when it is not configured.   Therefore all MX record lookups will show a critical warning when a DMARC record is not found (see below).  Paid users with MX monitors will receive critical alerts that a DMARC record is missing or misconfigured for their domain.


MxToolbox experts feel that DMARC is critical to your business success.  Our team is ready to help you with your DMARC configuration and transition to a focus on proactive email delivery management.  Our most recent products MxToolbox Delivery Center and MxToolbox Fraud Center leverage DMARC to improve your email delivery and protect your brand from email fraud.

Announcing MxDelivery Center

The only constant in the email world is change…

In the Dot.Boom era, most people discovered email for the first time. Quickly thereafter malicious individuals discovered how to exploit the new technology for profit with unwanted email: SPAM. So, businesses created blacklists, lists of IP addresses implicated in the distribution of SPAM, to stop them. At the same time, a need arose for legitimate businesses to know if they were flagged as SPAM and blacklisted, and MxToolbox has been informing businesses of their online blacklist reputation ever since.

Over the last decade and a half, legitimate businesses started to employ email filtering and 3rd party mass email companies to keep their email servers off of blacklists and improve inbox delivery.  In addition, new techniques and standards were created to help businesses manage these relationships: SPF, DKIM, DMARC, etc.

What do these standards do?

SPF tells the world what IP addresses and Domains can send email on your behalf.

DKIM electronically signs emails you send to prove that they were actually sent by you.

DMARC provides a framework for how a receiver of your email should process any discrepancies they see with SPF and DKIM and how they should tell you about them so that you can improve your email deliverability.

These technologies fit together nicely, but understanding them and reporting on them is complex. So, we thought we’d help…

Announcing MxDelivery Center

MxDelivery Center provides everything you need to manage a complex email setup that includes everything from your own servers, to mail hosting services (like Gmail or Outlook.com) and 3rd party emailers while reducing the risk to your brand from phishing and spoofing attacks.


MxDelivery Center combines:

  • RFC compliance checking and recommendations for SPF and DKIM configurations
  • In-depth processing of DMARC reports from your email recipients
  • Graphical representation of your DMARC compliance, SPF Verification and DKIM Verification
  • Insight into spoofing and phishing attacks carried out with your brand
  • Reputation of providers and emailers sending on your behalf


Learn more about MxDelivery Center on the product page.


Or, try our Free DMARC Report before you buy MxDelivery Center!