Are Your Emails Getting Blocked? Here’s How to Guarantee Delivery!

Speaker 1:

Hi. I'm Max Clark. We're gonna take a couple minutes. We're gonna talk about email authentication. Why it's important, why you care, what you should do.

Speaker 1:

I don't know. Use whatever language you want. Okay. In the good old days of email, there was no authentication, and it was the Wild West. And we saw massive issues with spam.

Speaker 1:

You know, there's a bunch of different approaches that went out. The first ones were DNS-based block lists, which was, hey. Your mail server could do a lookup against a DNS list and say, this is the IP address of the system that is trying to connect to me. Is it in your blacklist? And if it's in a blacklist, we can do something with the email.

Speaker 1:

We went from DNS-based blacklisting to more advanced filtering, and this is when, like, Bayesian filtering really kicked in. At that point we were looking for patterns within the message that would then designate whether or not it had a higher or lower likelihood of being spam. And there's a lot of systems in the market that still use a Bayesian filter. If you look at the message header, you can see what the actual score is. And there might be hundreds of filters that go through and test things, and then you get an aggregate score that goes up or down.

Speaker 1:

And then you can say, you know, above this threshold, it's spam. Above this other threshold, it's quarantined. Above this other threshold, just outright rejected. There was a system, a message delivery agent, TMDA, I think, that ran on top of qmail. TMDA was really fun because every inbound email went into quarantine, and then you as the receiver could look at your quarantine list and say, yes, I wanna receive email from this source, or no, I don't. TMDA also had the ability to immediately reply back to the sender and actually force the sender to take action and say, hey.

Speaker 1:

Are you really a person? Click this link if you are, and something else will happen. 37signals' HEY email product has a screener. The screener is a modern version of a TMDA-kind-of agent, where mail from unknown senders goes into the screener, and then you as the user get to decide if you're gonna receive or reject mail. What I like about their screener approach is that as part of that accept-or-reject process, they also have you set up a filtering rule as well.

Speaker 1:

Did you want this going to your inbox? Do you want it to go to your feed? Do you want it to go to updates, you know, where you're just seeing receipts? You know, so you get forced filtering against it, which is also very nice. It's not super granular because it's based on sender, but it works fantastically for most applications.

Speaker 1:

Okay. Fast forward, you know, however many years, and we end up with SPF. And SPF, Sender Permitted From, is a text record that gets added to DNS. Again, we're using DNS as a signal. What SPF enabled was for the sender to designate what their sources were for email.

Speaker 1:

So as a sender domain, you would go through and, actually, today it's still the same thing. You configure your SPF record to say, I'm a Google Workspace user or, you know, company. Right? So include Google Workspace's SPF record and accept email from Google Workspace. Maybe you're using HubSpot or Salesforce.

Speaker 1:

You would include their SPF record. You'd have a mailing list, you're using Mailchimp or you're using ConvertKit or you're using Beehiiv or whatever it actually is. Again, maybe you're using HubSpot. You would add the SPF record for that. Now at the end of the SPF record, you get another flag that you get to set: what to do if it doesn't match.

Speaker 1:

Right? And you get to send a signal of what behavior you want the receiving mail system to take. Right? So you could say, this is absolutely all of my senders, and if it doesn't match this list, then reject. You could say, do a soft fail.

Speaker 1:

So if a sender tries to connect to you and it's not in this list, it might be good. It might not be good, but, you know, don't necessarily reject it. Maybe put it into your quarantine. Do something else with it that's a little more gentle. Now the problem with SPF is that it's a DNS-based lookup, and it is limited as a text record in how many entries can be in the text record.

Speaker 1:

And then you could include other text records, but you can only go through so many lookups before SPF fails. And SPF flattening isn't a great technique for you either, because then you're actually having to go through and constantly query the different included SPF records and try to build out an include list that makes sense for you and do things with it. So SPF was a good but imperfect system that came out. And, also, by the way, it didn't give you a lot of granularity of how to treat things. So then we get DKIM, and DKIM enables a mail server to... so, again, it uses DNS.

Speaker 1:

When you enable DKIM, what you're doing is you're creating a public and private key for your mail server to use to send and authenticate itself when it connects out. Usually, a DKIM setup has 2 keys associated with it, whichever mail server you're using, mail system you're using. If you're using Office 365, if you're using Google Workspace, if you're using something else, it'll walk you through the DKIM process to set this thing up. So you have to click the enable button. You have to add the records to your DNS, to your zone file, and then you have to go back to the mail server.

Speaker 1:

By the way, this is the key point here. You have to go back to the mail server, and you have to say, okay. It's active. Start authenticating with it. Because if the mail server starts trying to actually sign your email with its DKIM key before it's published in DNS or available, things are just gonna get rejected and bounced back to you.

Speaker 1:

DKIM is great because if you're using any of these systems or you're doing mail forwarding, now that platform has the ability to authenticate, to use DKIM to authenticate, and to have a really strong signal of, yes, I really am this thing. And even if a message header doesn't match or my host name doesn't match, you know, my HELO or one of these other things, I still have this signed DKIM header. I have this DKIM signature on the message that enables it to validate that this is a good message. The last piece of all this stuff is called DMARC, and DMARC now allows you to set policy and additional control. And DMARC has basic, intermediate, or advanced mode when you configure a DMARC record.

Speaker 1:

And DMARC has policies, so you could set policies for, let's call it, the root level. Normally, you put DMARC at, like, you know, itbroker.com. So _dmarc.itbroker.com is the record. And you can have DMARC then exist at different subdomains. So if we had, like, info sending email out, info.itbroker.com, we could have a DMARC record underneath info.

Speaker 1:

Or in the DMARC record itself, you can say this policy, you know, subdomain policy equals blank. Right? And your policies are accept, quarantine, reject. When you set policies, you can set thresholds and percentages. So if you're turning on DMARC for the first time and you haven't used this before, generally, the advice is to start with a relatively low percentage.

Speaker 1:

Give an instruction to quarantine and start at, like, 10% or 20% or 50%, and then work your way up before you get to a reject. Work your way up to 100% quarantine and then flip to a reject. And DMARC also allows you to signal to the receiving mail server what you wanna do around alignment, and alignment is important both for SPF and DKIM. So if something is trying to send and it has an SPF record but doesn't have DKIM, what do you want it to do? Do you want it to accept, reject, quarantine?

Speaker 1:

If it doesn't have either, what do you do? If it has both, you know, what do you do? And you also get to create records in DMARC to send you reporting, and you'll usually see this as an RUA record. By the way, this is just a string. Well, you know, it looks like gobbledygook until you know what it actually does, or you can go and read the RFC for DMARC and go through it.

Speaker 1:

It's not that complicated. There's 5, 6 records or something, record types, and just how you apply it. The RUA record, you're gonna wanna not send this to yourself. Don't put your own email at this thing. Run it through a tool, and DMARC Digest has a free option.

Speaker 1:

It won't give you a ton of data, but, like, it'll give you enough data. For $10 a domain, you can get, like, a really good amount of data out of it. Cloudflare has a DMARC parser. If you have your domain registered with Cloudflare, you can send it to that. Still very much a work in progress.

Speaker 1:

It isn't gonna give you as much or as nice data as DMARC Digest would. If you're running Mimecast or... all the tools have some sort of ability to process DMARC. And what the report for DMARC is gonna tell you is, it's gonna show you what's trying to send email out as you and whether that email was accepted or rejected. When you turn DMARC on for the first time, you're probably gonna wanna pay attention to this really closely for a while and make sure that you don't have a system that you weren't aware of trying to send email out that wasn't authenticated and that was being rejected. After a while, you're probably gonna start ignoring your DMARC reports.

Speaker 1:

Maybe you just wanna turn it on, look at it monthly, and it's just something you do as part of your monthly process of saying, hey. Let's just skim through and see what's going on here, and is anything trying to, like, freak out? We run our SPF as strict. You know? So it has a fail instruction.

Speaker 1:

Our DMARC as well, strict policies with a hard reject. You know? Really, I think the majority of the time, what happens is somebody somewhere inside the company is trying to set up and send out email under the domain and doesn't bother to communicate with anybody else at the company, like, hey. We're gonna start to do mailing campaigns, and we haven't bothered to communicate with anybody, and why isn't our email getting out anywhere? Right?

Speaker 1:

So if you're running any sort of tool to actually parse and give you DMARC messages, you'll see this all of a sudden, because you'll have a spike of email on the graph, like, hey, this sender is trying to send out a ton of email for you. Maybe you care. Maybe you don't. You know?

Speaker 1:

Maybe this is one of those things you just set up for reject, and when somebody wants to do something, they have to come back and actually go through the process of configuring DKIM and SPF and getting it listed properly into DMARC, which is all the same things, by the way. Every mail server is gonna do this. Why is this relevant right now? This was just good. By the way, SPF, DKIM, and DMARC do not reduce the amount of spam that you receive.

Speaker 1:

They don't do anything for inbound email. They do, but not directly. Right? It indirectly helps inbound email because if somebody's trying to send email from a domain that lacks SPF, DKIM, or DMARC, your receiving mail server can now block it or reject it or quarantine it or use it as a signal to say this email is probably not great. But, you know, if somebody's out there sending spam, all they have to do is add DNS entries for DMARC, DKIM, and SPF.

Speaker 1:

You know, and it'll pass all the signals that this stuff authenticates. So it's not a direct reduction of inbound spam. What it will do for you, absolutely, is it'll prevent people from using your domain to send spam out. So people can't masquerade as you. They can't spoof your domain.

Speaker 1:

They can't run scams and different things and try to con people, and then have that come back to you and use your brand. Right? So these are all really good tools to limit potential brand damage, and also you don't want somebody spamming under your domain name because then, of course, you get blocked, and you can't email with your domain either, which is a horrible experience if that ever happens to you. So this is relevant because it's good behavior, and this is just a good thing to run. But it's also relevant because the major email hosts, so Yahoo and Gmail, have changed their rules recently on how they handle bulk email senders.

Speaker 1:

So if you send over a certain amount of messages to one of these platforms per day, you have to have a lot of things in place in order for them to accept email from you. So the baseline for it now is that you have to have SPF, DKIM, and DMARC configured, or they're just gonna reject or quarantine you. Flat out, like, you're in the penalty box. If you're sending over a quantity of messages, you need to have low spam thresholds. You need to have a reporting mechanism. You need to have unsubscribe.

Speaker 1:

You need to have all the rest of the things that you should have. By the way, when I say that you should have, chances are that you don't have to worry about any of these things, because the platform that you're using to actually send out the email is going to have these things. So any of the mailing list software that you're using to actually send out bulk messaging is going to have this. If you're sending transactional emails from your application, this is a really good point to maybe not send them directly and use a service like SES or Postmark or SendGrid, because then you can send out your transactional emails through these systems. And these systems can process and deal with all the other stuff that comes in and deal with unsubscribes and deal with these things for you and not have it be application developer overhead for you.

Speaker 1:

Email is effectively a free thing to send. It doesn't cost you anything when you look at it from a volume standpoint. And this is why email spam will never go away. It is an incredibly efficient delivery mechanism in cost per message to send out. And there's always going to be a game of whack-a-mole going on with the email hosts trying to identify and make a decision and accept what should be a good message and reject what's a bad message.

Speaker 1:

And your goal as a responsible Internet citizen sending or receiving email is to configure the baselines just so that you have the highest potential of actually getting your email out from your users to where it needs to go. And so today, that means if you haven't already done it, go through and add your SPF, DKIM, and DMARC records. By the way, you don't have to figure out how to do this. Log in to the admin interface of whatever email system you're using. If you're on Google Workspace or if you're on Office 365, for instance, I'm gonna assume you're on one of those 2 platforms.

Speaker 1:

That's gonna cover probably 99% of people watching this. Just do an Internet search and say, you know, Google Workspace DKIM, and it's gonna take you to the help docs. The help docs are gonna link you into the admin interface to actually generate this stuff and give you the records that you need to copy and put into your DNS. Same thing with Office 365. So all you really have to do is figure out what your DNS host is and where you need to send it. I'm Max Clark.

Speaker 1:

A little history on email. Hope this helps. If you have any questions, comment below, and we'll get back to you.
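The SPF lookup limit, the DMARC tags (p=, sp=, pct=, rua=, adkim=, aspf=) and the alignment rules mentioned in the talk, worked through as an added example; this is not Max Clark's code or any product's, just a small offline model of what a receiving mail server does with those records. DNS is replaced by the in-memory dictionary `FAKE_DNS`, every domain and record in it is constructed for illustration, and `org_domain` approximates the organizational domain with the last two labels (a real receiver uses the Public Suffix List).

```python
"""Added example (not from Max Clark's talk): an offline model of what a receiving
mail server does with SPF and DMARC records. It counts the DNS lookups an SPF record
triggers (RFC 7208 caps them at 10), parses a DMARC TXT record, and evaluates DMARC
alignment for SPF and DKIM. DNS is an in-memory dict, so everything below is a
constructed, hypothetical example; no real domain is queried."""

# Constructed TXT records standing in for real DNS answers (hypothetical domains).
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com include:mailer.example.net mx -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:4860:4000::/36 ~all",
    "mailer.example.net": "v=spf1 a mx include:bulk.example.net ~all",
    "bulk.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    # Nests other records until it blows the 10-lookup budget.
    "bloated.example.com": "v=spf1 include:example.com include:_spf.google.com a mx ptr -all",
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; sp=reject; pct=20; "
                           "rua=mailto:dmarc@example.com; adkim=r; aspf=s"),
}

# SPF terms that cost a DNS query; ip4/ip6/all and the exp= modifier are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10


def spf_lookup_count(domain, dns=FAKE_DNS, _path=()):
    """DNS lookups needed to evaluate domain's SPF record. include:/redirect= recurse,
    and every occurrence counts: the receiver queries a repeated include again."""
    if domain in _path:                      # guard against include loops
        return 0
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")           # drop the qualifier
        # modifiers look like redirect=dom, mechanisms like include:dom or a/24
        name, _, arg = term.partition("=") if "=" in term else term.partition(":")
        name = name.split("/")[0]            # strip a CIDR suffix on a/mx
        if name in LOOKUP_TERMS:
            count += 1
            if name in ("include", "redirect"):
                count += spf_lookup_count(arg, dns, _path + (domain,))
    return count


def parse_dmarc(record):
    """Tag=value pairs of a DMARC record with RFC 7489 defaults (relaxed alignment,
    pct=100, sp= falling back to p=)."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels; a real receiver
    consults the Public Suffix List so that co.uk-style suffixes work."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, dns=FAKE_DNS):
    """from_domain is the RFC5322.From domain the user sees, spf_domain the envelope
    MAIL FROM domain SPF checked, dkim_domain the d= of a signature that verified.
    One aligned pass (SPF or DKIM) is enough; otherwise p= or sp= applies."""
    record, use_sp = dns.get("_dmarc." + from_domain.lower()), False
    if record is None:                       # no record on the exact domain: use the org's sp=
        record, use_sp = dns.get("_dmarc." + org_domain(from_domain)), True
    if record is None:
        return {"result": "none", "policy": "none", "pct": 100}
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "policy": "none", "pct": int(tags["pct"])}
    return {"result": "fail", "policy": tags["sp"] if use_sp else tags["p"],
            "pct": int(tags["pct"])}


if __name__ == "__main__":
    for d in ("example.com", "bloated.example.com"):
        n = spf_lookup_count(d)
        print(d, n, "lookups", "ok" if n <= SPF_MAX_LOOKUPS else "PERMERROR: too many lookups")
    # ESP sends as us: SPF passes only for its own bounce domain, DKIM is signed with d=example.com.
    print(dmarc_verdict("example.com", "mailer.example.net", True, "example.com", True))
    # Same ESP without a DKIM key for our domain: the unaligned SPF pass does not count.
    print(dmarc_verdict("example.com", "mailer.example.net", True, None, False))
    # Spoofed subdomain with nothing aligned: the sp=reject policy applies.
    print(dmarc_verdict("info.example.com", "attacker.example.org", True, None, False))
```

Two things the model makes visible that the talk only gestures at: `bloated.example.com` reaches 15 lookups, which is why a record that merely chains a few providers' includes fails with PERMERROR, and a third-party sender whose SPF passes on its own envelope domain only survives `aspf=s` when it also signs DKIM with `d=` your domain, which is exactly the case DMARC reports surface when someone inside the company starts a new mailing platform unannounced.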
