
Improving DKIM Compliance

Adopting DKIM can make a huge difference in how the email you send is perceived by recipients.  With DKIM you are taking ownership of an email by cryptographically signing each email.  Recipients then decode the signature to verify that you sent the email.  DKIM, in short, is like putting a wax seal on a letter that uniquely identifies you.

How can you improve DKIM compliance?

Get Informed

The first thing you need to improve DKIM compliance is a method to understand what your current compliance rate is.  To do this, you need to:

  1. Adopt DMARC.
  2. Have a method to parse and report on DMARC digests coming from inbox providers.

DMARC responses from inbox providers are often not-quite human readable and the larger the volume of email you send, the more complex the responses.  To parse these, you need a product that summarizes them and provides reports that you can understand.

MxToolbox Delivery Center was designed to provide you with a complete understanding of who is sending email on your behalf and how your emails are performing with respect to SPF, DKIM and DMARC compliance and how likely your emails are to be rejected by inbox providers.

Get Control

Now that you have insight into which emailers are compliant, the second step to improving your DKIM compliance is to take control of the compliance of your internal emails and 3rd party emailers.

Investigate internal systems that might be sending email on your behalf and make sure that those systems are capable of signing outbound email with your DKIM signature.  These could be anything from marketing automation and sales systems to order entry, vendor management or customer support.  Regardless of whether they are home-grown or off-the-shelf, if the system is sending email, it needs to be DKIM compliant or the email may be rejected.

As with internal systems, you must take a look at external, 3rd party providers to understand if they can be DKIM compliant.  Most external providers can sign email with a DKIM key; however, email forwarders are much less likely to be DKIM compliant than bulk emailers or other 3rd party service providers.  Talk with each of them to set up DKIM compliant email.

Repeat

Getting DKIM compliant is not a one-time project, but an on-going process.  To ensure high levels of compliance long-term, you will need to:

  • Regularly check compliance rates
  • On-board new internal and 3rd party systems to be compliant
  • Set up processes to assess new applications and providers based on their DKIM support

MxToolbox Delivery Center gives you everything you need to analyze SPF, DKIM and DMARC compliance rates, identify problem internal services and external 3rd party providers and react to threats to your reputation where services are blacklisted or non-compliant.

Summary

DKIM Compliance is an on-going process that requires regular investigation of DKIM compliance rates with tools that give you insight into the IP addresses and 3rd party tools and domains that are sending email on your behalf.

Improving SPF Compliance

SPF can be a huge benefit to your email delivery.  SPF, in short, lets you state who you trust to send your email.  The more email sent on your behalf that complies with your SPF rules, the more of your email will be accepted by email inbox providers and your intended recipients.

How does SPF work?

SPF is a DNS record type that gives you the option to declare all the IP addresses, domains and 3rd party providers that you use, and also limit the list of valid emailers to only what you list.  By setting these limits, you could shut down potential fraud, spoofing or phishing threats and improve your reputation with customers and vendors.  Spoofing and phishing scams are incredibly commonplace, even using credentials from legitimate small and medium-sized businesses.  Email that is SPF compliant is more likely to get to a customer’s inbox.

How can you improve SPF Compliance?

First, you need to understand what your compliance rate is.   To get your compliance rate, you’ll need to elicit feedback from your recipients.  Fortunately, you can do this by setting up a DMARC record, something that MxToolbox can help you with.  DMARC records include an RUA declaration which defines who gets SPF and DKIM compliance information about your email.

Compliance digests can be cumbersome to read, process and understand, especially if you have more than a very small volume of outbound email.  Getting help processing these files, like with MxToolbox Delivery Center, is a necessity.  However, once decoded, you’ll get information about ALL the IP addresses and Domains that send email on your behalf and how much of that email volume complies with SPF or DKIM.  Now’s the time to consider how to improve compliance:

  1. Take note of IP addresses and domains that are low in compliance
  2. For each IP address and domain, investigate the origin
    • Is the domain an email partner that wasn’t included in your SPF record?  Commonly, CRMs, Email Marketing, Marketing Automation, Order Management and Customer Support/Ticketing Systems send email on your behalf.
    • Does the IP address belong to you, an existing partner or a new email partner?  It is common for partners to add a new IP range from time to time.
    • Does the IP address belong to a forwarder one of your partners uses?  Forwarders are more difficult to track down but you may need to investigate or change your contract terms.
    • Can you trace the IP address to a place you don’t do business or a location of frequent scammers?  It is frequent
  3. For valid IP addresses and domains, add them to your SPF (or negotiate with the department that hired them to stop using that service)
  4. For invalid IP addresses, there are options you can take through DMARC to instruct your recipients to reject SPF-non-compliant email.
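The review loop above, and the "Get Informed" step in the DKIM post, both start from the per-source numbers in a DMARC aggregate (RUA) report. The sketch below is an added example, not MxToolbox code: the sample report is constructed, the function names and the 0.9 threshold are assumptions, and it assumes the report XML carries no namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (documentation IP ranges, made-up counts).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>120</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.55</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize(report_xml):
    """Return {source_ip: {"count", "spf_pass", "dkim_pass"}} in messages."""
    # Reports are sent by third parties, so treat them as untrusted input:
    # aggregate reports never need a DTD, so refuse one outright.
    if "<!DOCTYPE" in report_xml:
        raise ValueError("DTD not allowed in a DMARC report")
    root = ET.fromstring(report_xml)
    totals = defaultdict(lambda: {"count": 0, "spf_pass": 0, "dkim_pass": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        entry = totals[ip]
        entry["count"] += count
        # policy_evaluated holds the DMARC (aligned) SPF and DKIM results.
        if row.findtext("policy_evaluated/spf") == "pass":
            entry["spf_pass"] += count
        if row.findtext("policy_evaluated/dkim") == "pass":
            entry["dkim_pass"] += count
    return dict(totals)


def low_compliance(totals, threshold=0.9):
    """List (ip, spf_rate, dkim_rate, count) under threshold, largest first.

    The 0.9 default is an assumption for this example, not a standard value.
    """
    flagged = []
    for ip, entry in totals.items():
        if entry["count"] == 0:
            continue
        spf = entry["spf_pass"] / entry["count"]
        dkim = entry["dkim_pass"] / entry["count"]
        if min(spf, dkim) < threshold:
            flagged.append((ip, round(spf, 2), round(dkim, 2), entry["count"]))
    return sorted(flagged, key=lambda item: -item[3])


if __name__ == "__main__":
    for ip, spf, dkim, count in low_compliance(summarize(SAMPLE_REPORT)):
        print(f"{ip}: {count} messages, SPF {spf:.0%}, DKIM {dkim:.0%}")
```

In the sample, 198.51.100.7 passes SPF but mostly fails DKIM, the pattern of a known sender that is not signing, while 203.0.113.55 fails both and is the kind of source to investigate in step 2.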

This is an iterative and continuous process.  New services will be added and IP addresses change all the time.   SPF Compliance requires regular review of your DMARC digests and statistics.  However, all this work will improve your email delivery and your online reputation.

MxToolbox Delivery Center is your solution for managing SPF and DKIM compliance and understanding the complexity of DMARC setup.  MxToolbox experts developed Delivery Center to help customers like you improve email deliverability, manage their online reputation and head off fraud and phishing issues.

Understanding Email Delivery

Email delivery is more than simply having an email service or configuring an email server.  Today, with outsourced email providers, 3rd party emailers, bulk emailers and spoofers, email delivery requires a multi-faceted approach that might seem daunting to many.  MxToolbox, your expert on email delivery, helps companies like yours navigate the complexity.

  1. Managing Blacklist Reputation
  2. Managing 3rd Party Emailers
  3. Taking Ownership of your Email
  4. Requesting Feedback on your Email
  5. Iterative Management of your Feedback

Managing Blacklist Reputation

The first line of defense against bad emailers is the blacklist.  An IP address or Domain on a blacklist typically means that the IP address has sent spam or the Domain on the list has been included in the body of spam email messages.  A receiver will reject email from that IP or any message that includes that Domain.  Because your email may be rejected outright, monitoring the IP addresses of your outgoing mail servers for blacklisting is a necessity.  (Monitoring your domain for blacklisting is somewhat less valuable as domain blacklists only report if a domain is in the body of controversial email, rather than being the sender of the email.)

MxToolbox has email delivery plans that include blacklist monitoring to get you started on the path to managing your email deliverability.

Managing 3rd Party Emailers

As your company grows, you will probably move more of your outbound email to email services from a third party provider in some form or fashion:

  • Bulk Emailers – Marketing will outsource the delivery of newsletters, advertisements or signup emails.
  • CRMs and Marketing Automation – Sales/Marketing adds a CRM system or Marketing Automation system, either online or locally, that sends important email to customers.
  • Order Entry/Fulfillment – Online businesses especially rely on 3rd parties for order entry or fulfillment which may send email on behalf of the original seller.

Regardless of the application, tool or service, there are multiple IP addresses or Domains that could be legitimately sending email on your behalf.  Declaring this relationship publicly through SPF makes it more likely that your 3rd party email will get through to your customers, partners and vendors.

MxToolbox can help you set up your SPF records and check your existing SPF records for compliance.  Once SPF is set up, you will need to maintain the list of IP addresses or domains of 3rd party emailers and regularly check your record for compliance.

Taking Ownership of your Email

Anyone can say that they are sending email on your behalf, but how do you ensure that recipients trust that the email is from you?  If it were a letter, you’d sign it, right? SPF allows you to designate who can send on your behalf but that’s only one part of it.  DKIM allows you to actually sign an email and take responsibility for the email’s content just like a signature on a letter.  As such, implementing DKIM gives your recipients a level of confidence that you take responsibility for the content of emails coming from your domain, including spam, viruses and malware.

MxToolbox experts can help you with your DKIM setup.  Our team has a deep understanding of the problems businesses face implementing new technologies and experience helping small, medium and large businesses with DKIM.

Requesting Feedback on your Email

Wouldn’t it be nice to know what a recipient organization thought of your email?

Wouldn’t it be nice to know if they classified it as spam or passed it through to their inboxes?

Wouldn’t it be nice to know who (IP addresses and Domains) are using your good name to spoof email?

Wouldn’t it be nice to know if your 3rd party emailers are passing SPF and DKIM checks and being delivered?

DMARC is a standard that uses DNS to set how a sender obtains feedback from recipient organizations on email purportedly sent from the sender’s domain.  Any recipient can bundle up statistics on emails received from your domain and send them back in a digest format.  They can also send forensic data that includes individual troublesome email.  DMARC, in short, gives you insight into your email deliverability across your own servers, 3rd party emails, and potential fraud and phishing schemes.

Setting up a DMARC record and analyzing the feedback is the next step you must take to manage your email deliverability.  MxToolbox experts know DMARC and our newest product, Delivery Center, makes it easy to process the feedback you are receiving via DMARC, get insight into issues with 3rd party senders and make early detection of potential fraud and phishing schemes.

Iterative Management of your Feedback

Once you start receiving DMARC digests and forensic reports, you will begin to see patterns in email sent on your behalf:

  • Legitimate Senders not in your SPF
  • Legitimate Senders/Forwarders without proper DKIM signatures
  • Legitimate Senders that you may not have known about
  • Illegitimate Senders looking to leverage your brand

All of this feedback gives you the opportunity to manage how recipients process your email. By updating the policy on your DMARC record and the level of filtering recommended, you can tell your recipients to quarantine or outright reject email that doesn’t pass SPF and DKIM checks.  This should be an iterative process, one that requires slowly increasing restrictions on how email is processed.  Never go straight to reject; you are likely to have legitimate email rejected.
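A staged tightening of the DMARC record can be checked before it is published. The sketch below is an added example, not MxToolbox code: it parses DMARC TXT values and flags a plan that skips from no enforcement straight to reject or that drops the rua reporting address. The records, the example.com addresses and the function names are constructed for illustration.

```python
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Parse a DMARC TXT value into a tag dict; raise ValueError if invalid."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and be exactly DMARC1.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in POLICY_RANK:
        raise ValueError("p must be none, quarantine or reject")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags


def check_rollout(records):
    """Return a list of problems in a planned sequence of DMARC records."""
    problems = []
    previous = "none"  # a domain with no record yet enforces nothing
    for number, txt in enumerate(records, start=1):
        tags = parse_dmarc(txt)
        if "rua" not in tags:
            problems.append(f"step {number}: no rua tag, so no reports to review")
        if POLICY_RANK[tags["p"]] - POLICY_RANK[previous] > 1:
            problems.append(
                f"step {number}: jumps from {previous} straight to {tags['p']}"
            )
        previous = tags["p"]
    return problems


# Constructed plans: one gradual, one that goes straight to reject.
GRADUAL_PLAN = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]
ABRUPT_PLAN = [
    "v=DMARC1; p=none",
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
]

if __name__ == "__main__":
    for name, plan in (("gradual", GRADUAL_PLAN), ("abrupt", ABRUPT_PLAN)):
        print(name, check_rollout(plan) or "ok")
```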

Why would you want to set more restrictive policies?  Third parties with bad sending reputations can affect your email reputation, potentially even causing your legitimate email to be dumped to the spam folder or rejected entirely.  The more you manage the reputation of your senders, the better your reputation and the more likely your email is to be accepted.

MxToolbox is the expert in email delivery, SPF, DKIM and DMARC.  Our team will help you improve your email delivery, give you insight into your legitimate and illegitimate senders, help you set DMARC to improve your email reputation and help you get your message delivered.  Our Delivery Center product gives you everything you need, including access to our expert support team.

DNSSEC Root Zone Key Signing Key (KSK) Rollover

What is it?

The KSK is a public-private key pair that allows the DNSSEC protocol to secure your DNS information. The public part of the key is the starting point for DNSSEC queries, similar to how the root servers are the starting point for DNS queries. The private part of the key is used by Verisign to sign the Zone Signing Keys when the root zone is DNSSEC-signed.

What does that mean?

If you’re not using DNSSEC then you don’t have anything to worry about. DNSSEC is an additional security measure that can be taken to secure your DNS information and verify that your domain is actually yours. If you’re not sure that you’re using DNSSEC then you likely are not using it. You could ask whoever is responsible for your DNS to find out for sure.

If you are using DNSSEC then you will need to create a new key pair and retire your current key pair so that DNSSEC will keep functioning. This will be done automatically for you if you are supporting RFC5011 (https://tools.ietf.org/html/rfc5011). Otherwise, you will need to manually update the trust anchor at http://data.iana.org/root-anchors/ and you can find information about testing your configuration at https://www.icann.org/en/system/files/files/ksk-rollover-external-test-plan-22jul16-en.pdf

MxToolbox Resources


MxToolbox has all the DNS and DNSSEC tools you need to help you through this transition.  We have everything from basic DNS lookups, to DNSKEY, NSEC and IPSECKEY lookups to comprehensive domain research tools, like Investigator.  You can even validate your DNS Cert or HTTPS Certificate.  All of these tools are easily accessible from our Network Tools page (see image).

Additional Resources:

https://www.icann.org/news/blog/dnssec-rolling-the-root-zone-key-signing-key

https://www.icann.org/resources/pages/ksk-rollover

The Status of SpamCannibal

We have temporarily removed SpamCannibal from the list of the over 100 blacklists we check when you use our service.  This means that it will temporarily not appear during searches.

Why?

For approximately the last week, SpamCannibal has failed to resolve in DNS and failed to respond to other queries.  For the moment we are treating it like a temporary outage and simply suspending use of it while we wait for more information.

Typically, when a blacklist goes down permanently, they let everyone know by blacklisting the entire world.  This has not happened.  Instead, we simply stopped receiving status from queries and DNS now times out for the site.  No public announcement has been made, so we are assuming that the outage is temporary until we get more information.

What’s the Status of my Monitors?

We maintain the last status of your IP address or domain associated with the monitor for each blacklist.  If you were on SpamCannibal’s list before the outage, you are still considered to be blacklisted until we find out what has happened to their list.  If you were not on the blacklist at the time of the outage, your status will not change.

What does this mean for email delivery?

Being on a blacklist means that if any company uses that blacklist for email delivery or rejection purposes, your email could be rejected.  Anyone who was using a copy of the SpamCannibal blacklist at the time of the outage may still be using that copy for decision making purposes.

Can an IP or domain be delisted?

Not at this time.  Since the site is inaccessible, there is no method for delisting available. If there is more information or the site remains down for an extended period of time, we may decide to flush all monitors that are currently listed as blacklisted by SpamCannibal.

We will continue to monitor SpamCannibal and return them to our pool of blacklists if the site should recover.

Why Blacklisting isn’t really the problem..

If you are on a blacklist, then you’re feeling the urgency and pain of getting off the blacklist and restoring your ability to send email to customers, prospects and vendors – you’re ready to get back to business.  But, wait a second, what caused you to be blacklisted in the first place?

Causes of Blacklisting

  • Malware or Virus infection
  • Errant bulk email campaign
  • Random mail to spam traps or honeypots

You can control these issues with software that filters inbound and outbound email, but really, these are just symptoms of a greater problem – poor Email Delivery Management, meaning methodically developing best practices to ensure email gets to the inbox.

What is going on with email delivery?

Long gone are the days when you could fire off an email and assume it went directly into your customers’ inboxes.  Between spam filters, anti-virus programs, and blacklist-based email filters your email delivery is controlled by several layers of security.  But, do you know anything about how that security works?  Do you know if your email is getting through?  Do you get any feedback from users?  Blacklists are just part of the equation.  By the time you know you are on a blacklist, it’s already too late, your email is already being denied.

In addition, you are probably using several 3rd party companies to email for you.  These could include a bulk email service, marketing automation, forwarders or even rogue email systems sitting in your network.  Do you know if you or partners emailing on your behalf have good reputations with your customers, their inbox providers and those security tools I mentioned?  Do you get any feedback until you’re blacklisted?

In recent years, Google and Outlook.com have been rapidly gaining market share as inbox providers.  They and many other companies are prioritizing email that has passed SPF verification and is signed by a valid DKIM signature.  Are you ready for SPF and DKIM?  Do you know if all your 3rd party emailers are covered in your SPF record?

Finally, email spoofing is becoming one of the biggest methods for exploiting a company’s brand to obtain private information and user credentials.  Do you know who is leveraging your brand to spoof your customers?

How do you manage email delivery?

The short answer is to adopt three important technologies:

  • SPF – Enables you to tell the world who is legitimately allowed to send email on your behalf
  • DKIM – Enables you to sign email and take ownership of the quality of the email you send
  • DMARC – Enables you to publish an email address where you can receive feedback from inbox providers about the quality of the email coming from your domain and control how a provider processes email that fails SPF or DKIM.

With all three technologies, you take ownership for the email you send, designate additional senders for your domain and get feedback on email sent by you, your senders and potentially malicious senders.  This is the start of email delivery management.

Our Experts

MxToolbox is the expert in email delivery.  Our team of highly skilled specialists can help you set up SPF, DKIM and DMARC and begin to manage your email delivery.

After talking with dozens of clients, we realized that our customers needed help decoding DMARC reports and understanding:

  • Who is sending email purporting to be from your domain
  • What is the reputation of your domains and delegated IPs
  • Where other senders are and What their reputations are
  • How your SPF, DKIM and DMARC setup is performing
  • What senders are failing DKIM
  • What senders are failing SPF verification
  • When to set up more restrictive policies for DMARC

Check out MxDelivery Center and how our experts can help you better reach your customers.

Investigate by URL

With recent upgrades to the Investigator tool, we’re bringing you even more value and information!  In addition to Related IPs and Related Domains, we recently added the capability to look up based upon a URL.

Now, you can submit a URL to Investigator and we will pull up all the information on the Domain and take a screenshot of the URL you submit.

Use the Investigator to see if a suspect URL looks like it might contain harmful content while you check out the rest of the domain!

MxToolbox Investigator is a premium tool included with our MxWatch Monitoring plans.  You can also try a free version of Investigator.