
Email Deliverability: Avoiding the Spam folder


Sending email used to be a simple mechanism, but as it became more and more abused, and harder to tell legitimate mail from spam, different countermeasures were introduced.

Sender verification technologies

All currently existing countermeasures rest on the assumption that you control the DNS for the domain name you send from.

SPF (Sender Policy Framework)

Not having an SPF record will almost certainly land your emails straight in the recipient’s junk folder, if they are delivered at all. In many cases the receiving server will simply drop them.

SPF is a DNS record stating which servers are allowed to send email using addresses at a given domain name. This is a good start, but it has a few obvious pitfalls.

  1. Often services like Sendgrid, Mailchimp (Mandrill) or similar are used to send email. Because an SPF record is published in DNS, it’s easy to find out which service is allowed to send for a specific domain name, sign up to the same service, and start sending email from that domain name.
  2. There’s nothing in the SPF record that tells the receiving server what to do when an email fails the check, so failures can be treated differently by different receivers.

DKIM (DomainKeys Identified Mail)

DKIM addresses some of SPF’s shortcomings, and together they get closer to the goal of eliminating spam.

DKIM consists of a key pair, with the public key published in DNS. The private key is kept secret and used to digitally sign all outgoing messages, so that the receiving server can verify their authenticity with the public key.

This eliminates the risk of someone impersonating a sender by using the same emailing service, since they don’t have access to the private key.

However, just as with SPF, nothing instructs the receiving server how to act once an email fails authentication.
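The following is an added example, not code from the post or from any DKIM library, showing the part of DKIM verification that needs no key material: parsing the DKIM-Signature header and checking its bh= tag against the body hash computed with the simple or relaxed canonicalization of RFC 6376. The signer-side helper, the domain example.com and the selector sel1 are constructed for the example; the b= signature over the headers is left empty and unverified, since checking it needs the public key from the selector._domainkey record in DNS and an RSA or Ed25519 implementation.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace inside values (normal in long b= and bh= tags) is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4: 'simple' only trims
    trailing empty lines; 'relaxed' also strips trailing whitespace on every
    line and collapses runs of spaces/tabs to a single space."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: " + mode)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:  # empty body: CRLF in simple mode, nothing in relaxed mode
        return "\r\n" if mode == "simple" else ""
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, mode="relaxed", algorithm="rsa-sha256"):
    """Compute the bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    canonical = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(digest(canonical).digest()).decode("ascii")


def verify_body_hash(dkim_signature_value, body):
    """First step of verification: does bh= match the body that arrived?
    The b= signature over the canonicalized headers must still be checked
    with the public key from <s>._domainkey.<d>; that is not done here."""
    tags = parse_dkim_signature(dkim_signature_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/", 1)[1] if "/" in canon else "simple"
    return body_hash(body, body_mode, tags.get("a", "rsa-sha256")) == tags.get("bh")


def signature_header_for(body, domain, selector, body_mode="relaxed"):
    """Constructed signer side (assumption: not real signer code): the tags a
    DKIM signer emits for this body. b= is left empty because producing it
    needs the domain's private key, which this example does not have."""
    return ("v=1; a=rsa-sha256; c=relaxed/{}; d={}; s={}; "
            "h=from:to:subject:date; bh={}; b=").format(
        body_mode, domain, selector, body_hash(body, body_mode))


if __name__ == "__main__":
    original = "Quarterly report attached.\r\n"
    header = signature_header_for(original, "example.com", "sel1")
    print(header)
    print("untouched body:", verify_body_hash(header, original))
    print("body rewritten:", verify_body_hash(header, "Quarterly report attached. See link.\r\n"))
```

A message whose body was altered in transit, for instance by a relay injecting a link, fails already at this step; a mismatch in bh= means there is no point fetching the key and checking b=. Relaxed canonicalization is what keeps harmless whitespace changes by intermediate mail servers from breaking the signature.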

DMARC (Domain-based Message Authentication, Reporting and Conformance)

Despite its complicated name, this addresses the missing directives on how to act when SPF or DKIM fails authentication; i.e. it defines what the receiving server should do with messages that, for whatever reason, fail either of the aforementioned checks.

When all systems are working as expected this is set to reject all failing messages, which in theory eliminates all spam attempting to impersonate messages from a specific domain.

While it is being set up it is advised to run it in monitoring mode while verifying that the email delivery system works correctly. That avoids the risk of emails getting lost because of a misconfiguration.

DMARC is normally used in combination with some sort of reporting service, e.g. https://dmarcdigests.com/, which gives insight into which messages pass or fail the SPF and DKIM checks, and where they are sent from.
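As an added example (not code from the post or from any DMARC implementation), here is the receiver-side decision DMARC adds on top of SPF and DKIM: parse the policy record, check that the passing identifier is aligned with the From: header domain, and turn a failure into the disposition the domain owner asked for. It shows why a monitoring-mode record (p=none) never loses mail, and why an SPF pass obtained through a shared provider’s domain does not help an impersonator once DMARC is in place. The records and domains are constructed, and the organizational-domain computation is a deliberate simplification (last two labels instead of the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into tag values, filling in RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification (assumption): the last two labels;
    a real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the MAIL FROM (envelope) domain SPF was evaluated against;
    dkim_domain is the d= of a DKIM signature that verified, or None."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Failed: the domain owner's policy decides. p=none is monitoring mode:
    # the message is still delivered and only shows up in the aggregate reports.
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]  # separate policy for subdomains, when given
    # pct= is not applied here; below 100 it samples only a fraction of failing mail.
    return "fail", policy


if __name__ == "__main__":
    reject = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    monitor = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    # Legitimate bounce subdomain, relaxed alignment: passes.
    print(evaluate_dmarc(reject, "example.com", "pass", "bounce.example.com", "none", None))
    # SPF pass via a shared provider's own domain: not aligned, rejected.
    print(evaluate_dmarc(reject, "example.com", "pass", "mailer.example", "none", None))
    # Same message under a monitoring-mode record: still delivered, only reported.
    print(evaluate_dmarc(monitor, "example.com", "pass", "mailer.example", "none", None))
```

The rua= address in the record is where receivers send the aggregate reports that a service such as the one linked above turns into a digest; running with p=none first and reading those reports is how you find legitimate senders that are not yet aligned before switching to quarantine or reject.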

BIMI (Brand Indicators for Message Identification)

While the techniques above are good for making sure that only legitimate emails using your domain name reach the destination, there are unfortunately other scenarios where they don’t help.

It’s unfortunately common that emails are sent in the name of a team member or a CEO using a completely different email address. Due to the way email clients work it’s often not at all obvious that the email isn’t legitimate, so a well-written email can often convince the recipient that the sender is who it claims to be. The only way to verify that it isn’t is to look at the email address, and in some cases even that can be hard, if the attacker has registered a domain name that is very similar to the real one.

This is where BIMI comes in. Adding a BIMI record to your domain not only provides a logo to show alongside the email in the recipient’s email client, but also certifies that said logo is a registered trademark. I.e. it is not just a matter of adding the same logo to a different domain, because the logo and the trademark are manually verified before the certificate is issued.

Once the certificate has been issued and the record added to DNS, most major email clients will show the logo next to legitimate emails from that domain.

This effort is backed by many bigger names in the tech industry, such as Google, Mailchimp, Validity and Sendgrid, and more are adopting it: https://bimigroup.org/

While the BIMI standard does allow adding a logo without an accompanying certificate, most services don’t show the logo in that case, since it can’t be authenticated. Therefore it’s important to have an existing registered trademark when adding BIMI.

We can help!

While this may sound complicated, we have long experience with setting it up correctly, getting certified with BIMI and resolving issues related to the different technologies.

If you are facing similar challenges, reach out to us. We specialize in unlocking your infrastructure’s potential, ensuring you can keep pace with the future.
