Think of a customer email box as a mailbox. A mailbox with stickers that say "no junk mail", "addressed mail only", "no circulars". A mailbox that is also guarded by a sometimes over-zealous automated gatekeeper that sorts the mail before it even gets read.
You have an important message that you want to deliver. You want to do everything you can to ensure your customer has the best experience. You don't want that follow-up call - "I never received that!"
There is so much spam and unwarranted email in the world these days that most mail services jump through hoops to keep their customers' Inboxes clean, streamlined and free of junk.
Nobody wants to be part of the problem.
Email was designed over 40 years ago, and the Internet was a far safer and more trusting place. If one server sent a message to another it was usually accepted and delivered to the recipient no questions asked.
However, today's Internet is not the same, and email goes through a series of stringent checks before appearing in a user's Inbox. Here are a few basic principles that you can follow to give your message the best possible chance of getting through.
Most of the time, failing any one of these checks doesn't mean your message won't get through. It just all adds up as an overall score on the message.
In approximate order of simplicity and invention:
rDNS
Reverse DNS. This was a very early check implemented in mail servers. The most basic check is that when one server connects to another, its IP address is checked against the rDNS (PTR) lookup on that IP, and the two should match. The reasoning is that if a spammer is sending email, it is not likely to be coming from a fully configured server on the Internet. This one can get quite tricky when people use virtual machines in AWS/Azure or at hosting providers, because while forward DNS lookups are under the control of the domain holder, reverse IP lookups are under the control of the IP address owner.
Tip 1: Ensure the forward and reverse DNS match.
SPF
Sender Policy Framework. In simple terms, this is a DNS TXT record (independent of the mail server) that other mail servers can use to see whether the connecting IP address is allowed to send mail on behalf of that domain.
If the SPF record matches, the receiving mail server can be reasonably confident that the email is really from a service that is supposed to be sending email for that domain. If the SPF record doesn't match, or is missing, then the level of doubt is raised.
Tip 2: Set up SPF for your domain, and ensure the records are correct and kept up to date.
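The two checks above are simple enough to show end to end. The script below is an added example written for this page (not code from the author or any mail product): it performs a forward-confirmed reverse DNS check and evaluates an SPF record for a connecting IP, including the include: mechanism that most hosted mail vendors rely on. All DNS data is a constructed in-memory table (FAKE_DNS) with documentation-range addresses; the lookup() function is the only thing to swap for a real resolver. Hostnames, IPs and records in it are illustrative, not real.

```python
import ipaddress

# Constructed DNS data standing in for real lookups; none of these are real records.
FAKE_DNS = {
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("shop.example.net", "A"): ["198.51.100.7"],
    # A cloud VM whose PTR still points at the hosting provider's generic name
    ("7.100.51.198.in-addr.arpa", "PTR"): ["vps-7.hosting.example"],
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all"],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip6:2001:db8:5::/48 ~all"],
}


def lookup(name, rtype):
    """Stand-in for a DNS resolver; replace with dnspython or socket calls for real use."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def forward_confirmed_rdns(ip):
    """Forward-confirmed reverse DNS (the rDNS check): the PTR name for the IP
    must have an A/AAAA record that resolves back to the same IP.
    Returns the confirmed hostname, or None when forward and reverse disagree."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer
    for host in lookup(ptr_name, "PTR"):
        if ip in lookup(host, "A") + lookup(host, "AAAA"):
            return host
    return None


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate the domain's SPF record against a connecting IP.
    Implements ip4, ip6, a, include and all; mx/exists/ptr are out of scope here.
    Returns an SPF result: pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # more than one SPF record is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # ip_network.__contains__ returns False on an IPv4/IPv6 version mismatch
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "a":
            host = arg or domain
            if str(addr) in lookup(host, "A") + lookup(host, "AAAA"):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include: only a "pass" from the referenced domain counts as a match
            if check_spf(arg, ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif "=" in term:
            continue  # modifiers such as redirect= and exp= are ignored in this example
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # record with no 'all' term: RFC 7208 default result


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, "rDNS:", forward_confirmed_rdns(ip), "SPF:", check_spf("example.com", ip))
```

Note how the cloud VM case from the rDNS section shows up: 198.51.100.7 has a PTR record, but it names the hosting provider, so the forward lookup never confirms it, and the same IP is also absent from the SPF record, so a receiver sees two independent reasons for doubt.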
DKIM
DomainKeys Identified Mail. This came along in about 2011, and uses public-key cryptography to digitally sign an email. When it first came out the overhead was considered quite high, meaning spammers were not likely to invest in signing millions of emails; the CPU requirements would be too high. In other words, a legitimate email source is going to some effort to show they are doing the right thing.
DKIM works by publishing the sender's public key in DNS (like the SPF record above), and a receiving mail server can use this, plus the DKIM-Signature header in the email, to validate the email. This means not only that the email came from where it says it did, but also that the signed headers and body haven't been altered along the way.
Tip 3: Use DKIM to digitally sign your email.
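To make the "hasn't been altered along the way" part concrete, here is an added example (written for this page, not the author's code or any DKIM library) of the body-hash half of DKIM verification as described in RFC 6376: the sender canonicalizes the body, hashes it and puts the result in the bh= tag, and the receiver recomputes it. The b= tag in the constructed message is a placeholder, because the real value is an RSA signature over the canonicalized headers, which needs a cryptography library outside the standard library; signing_input() shows exactly what that signature would cover. The headers, domain and selector are constructed sample values.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines dropped, exactly one CRLF at the end (even for an empty body)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def canonicalize_body_relaxed(body):
    """RFC 6376 'relaxed' body canonicalization: trailing whitespace per line
    removed, runs of spaces/tabs collapsed to one space, then the 'simple' rule.
    A body that is empty after this yields an empty string."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.replace("\r\n", "\n").split("\n")]
    canon = canonicalize_body_simple("\r\n".join(lines))
    return "" if canon == "\r\n" else canon


def body_hash(body, canon="relaxed"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    fn = canonicalize_body_relaxed if canon == "relaxed" else canonicalize_body_simple
    return base64.b64encode(hashlib.sha256(fn(body).encode("utf-8")).digest()).decode("ascii")


def canonicalize_header_relaxed(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase field name, value
    unfolded, whitespace collapsed and trimmed, no space around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"


def parse_tags(value):
    """Parse a tag=value list such as 'v=1; a=rsa-sha256; bh=...' into a dict."""
    tags = {}
    for item in value.split(";"):
        k, _, v = item.partition("=")
        if k.strip():
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def build_message(headers, body, domain="example.com", selector="s1"):
    """Constructed message whose DKIM-Signature carries a correct bh= tag.
    b= is a placeholder: the real value is an RSA signature over signing_input()."""
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h=from:to:subject; bh={body_hash(body, 'relaxed')}; b=PLACEHOLDER")
    lines = ["DKIM-Signature: " + sig] + [f"{n}: {v}" for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def signing_input(headers, sig_value):
    """Data the RSA signature covers: the h= headers in relaxed form, in h= order
    (last instance of each), then the DKIM-Signature header itself with an empty
    b= value and no trailing CRLF."""
    out = ""
    for name in parse_tags(sig_value)["h"].split(":"):
        for n, v in reversed(headers):  # DKIM selects the last instance of a field
            if n.lower() == name:
                out += canonicalize_header_relaxed(n, v)
                break
    stripped = re.sub(r"b=[^;]*", "b=", sig_value)
    return out + canonicalize_header_relaxed("DKIM-Signature", stripped).rstrip("\r\n")


def verify_body_hash(raw_message):
    """Recompute bh= from the received body and compare it with the signature's
    tag. This is the part of DKIM verification that detects body tampering."""
    head, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    sig = None
    for field in re.split(r"\n(?![ \t])", head):  # split only at unfolded boundaries
        name, _, value = field.partition(":")
        if name.strip().lower() == "dkim-signature":
            sig = parse_tags(value)
    if sig is None or "bh" not in sig:
        return "no signature"
    canon = sig.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    ok = hmac.compare_digest(body_hash(body, body_canon), sig["bh"])
    return "body hash matches" if ok else "body hash mismatch"
```

Relaxed canonicalization is what keeps signatures valid through mail relays that reflow whitespace or add a trailing blank line, while any change to the actual content still produces a different hash.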
DMARC
Domain-based Message Authentication, Reporting and Conformance came along about 2015 and builds on SPF and DKIM above by letting the domain owner publish a policy that tells receivers what to do with mail that fails those checks. As an email sender, once you are sure you are doing everything right, you are essentially telling the world to ignore emails from your domain that come from any other source. This vastly reduces the possibility that your good name can be exploited by scammers spoofing your email addresses.
Tip 4: Once you have SPF and DKIM set up, enforce them with DMARC.
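The following is an added example (written for this page, not the author's code or any DMARC product) of how a receiver combines the SPF and DKIM outcomes under a published DMARC policy, following RFC 7489: a message passes if either SPF or DKIM passes with an identifier aligned to the From: domain, and otherwise the p= (or sp= for subdomains) action applies. The DMARC record string and domains are constructed sample values, and org_domain() is deliberately simplified to the last two labels where a real implementation would consult the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a _dmarc.<domain> TXT record into a tag dict with RFC 7489 defaults.
    Raises ValueError if it is not a usable DMARC record."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for item in record.split(";"):
        k, _, v = item.partition("=")
        if k.strip():
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain used for relaxed alignment. Simplification for this
    example: the last two labels. Real implementations consult the Public Suffix
    List so that, for instance, shop.example.co.uk maps to example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM results the way a DMARC-aware receiver does.
    spf_domain is the MAIL FROM (envelope) domain; dkim_domain is the d= of a
    signature that verified. Returns (dmarc_result, requested_disposition).
    pct= sampling and aggregate/forensic reporting are ignored here."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # The record is assumed to have been found at the organizational domain;
    # sp= then governs mail whose From: is a subdomain of it.
    action = policy["p"]
    if policy["sp"] and from_domain.lower() != org_domain(from_domain):
        action = policy["sp"]
    return "fail", action


if __name__ == "__main__":
    # Constructed policy: reject at the apex, quarantine for subdomains, strict DKIM alignment
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
    print(dmarc_evaluate(rec, "example.com", "pass", "bounce.example.com", "none", None))
    print(dmarc_evaluate(rec, "example.com", "pass", "mailvendor.example", "pass", "mail.example.com"))
```

The second call in the usage block is the case the DMARC section warns about: a third-party platform sends with its own envelope domain and signs with a subdomain, so neither identifier aligns under the chosen modes and the mail is rejected even though SPF and DKIM both "passed" on their own.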
Most of the time these steps happen without you even knowing. If you use a provider like Microsoft Office 365 or Gmail, they will be in place. But if you add, for example, an ecommerce web server that sends order confirmations via email, then that platform needs to play the game too.
Of course, on top of this there are many other technologies and tools that aim to filter out unwanted messages. None of them are foolproof.
As a sender you want to give your message the best chance of being read. Play by the rules and your important message has a higher chance of getting through.
Phil Snowdon
May 2023