An email I received this morning got me thinking about how your domain name is one of the main ways you identify yourself if you’re sending email.
We talk about domain reputation quite a lot – DKIM and SPF let a sender volunteer a domain name as a unique identifier for recipients to use to track reputation, DMARC allows them to tie that domain to the domain visible to the user in the From: field. And most ISPs use the domains in links in the body of the message to track reputation, either internally or through third-party reputation providers.
But there’s also a human side. We expect people and companies to be honest in how they identify themselves – and we’re suspicious when they aren’t. We’ve been trained to be wary of messages that claim to be from a company we know but which, for whatever reason, don’t look quite right. Rightly so – a lot of phishing and credential theft is based on bad people using branding and domains that look like legitimate ones.
Here are some header snippets from this morning’s (legitimate) email:
Return-Path: <bounces@adobe-info.com>
Received-SPF: client-ip=192.243.232.156;
helo=r156.info.adobesystems.com;
DKIM-Signature: s=neolane; d=adobe-info.com
From: "Adobe" <demand@adobe-info.com>
Reply-To: "Adobe" <demand@adobe.com>
The links in the body all went to t.info.adobesystems.com, while most of the images were hosted on landing.adobe.com.
Everything lines up technically; the SPF passes for adobe-info.com, the DKIM signature is valid. Both the DKIM d= and the return-path align with the domain in the From: field. adobe-info.com does have a DMARC record – an aggressive one publishing p=reject.
But none of these domains are ones I’d recognize as having anything to do with the company Adobe, the one with the brand in the email:
Well, except for the address in the Reply-To: field, anyway. And that’s undermined by the body of the message where it says “Please do not reply to this message.” and points recipients at a t.info.adobesystems.com link instead.
What would I want to see instead?
I’ll mostly give them a pass on the hostnames and HELOs – the adobesystems.com names there are probably because the mail was sent through an ESP that’s owned by Adobe (“Adobe Campaign”, née “Neolane”) and it’s good for an ESP to be honest in naming it’s infrastructure.
But I’d really like to see the real company domain – adobe.com – in the From: header, and a hostname in the adobe.com domain in the Return-Path. There’s no technical reason that the d= used in the DKIM signature could not be “d=adobe.com”, with a dkimcore-style two element selector, but I could live with a hostname in the adobe.com domain. And the click-tracking links in the body? Ideally they’d be a hostname in the adobe.com domain too.
Something like this would make me happier:
Return-Path: <bounces@b.ac.adobe.com>
Received-SPF: client-ip=192.243.232.156;
helo=r156.info.adobesystems.com;
DKIM-Signature: s=adobe.neolane; d=adobe.com
From: "Adobe" <demand@adobe.com>
(No need for a Reply-To when you have an honest From header)
There’s no technical reason that the headers couldn’t look something like that. It would make other technically savvy recipients happier, and likely make spam filters, phishing detectors and reputation trackers more comfortable too.
Spam filters and recipients will both judge you based on a shallow first look. Try not to behave like spammers and phishers; do try to behave like other legitimate senders.
RSS - Posts
Apart from the issues of ease of domain set up which sometimes drive the decision to use a related domain instead of a subdomain of the main company, I’ve also encountered situations where companies have wanted to avoid having a subdomain of the main domain in the email in case that resulted in their corporate email being affected by something like a SpamHaus listing. Is that ever a risk?
I agree, disagree, and this you don’t go far enough.
I mostly agree, but there can be some good uses for a reply-to, ie. the e-mail can be fed into an mailbox to handle bounces to deal with unsubscribes, and even automated. Or, from the old days, the e-mail is from BigBosss@company.com, but you should reply to lowly@secretaryforBigBoss@company.com.
However you don’t go far enough. Having clear and accurate information in the Whois record is also very important. If I get an e-mail from Macy’s but it is registered using a Whois proxy or fake whois information. What legitimate company would hide its identity.
There may be reasons to use different domain names in the reply-to.
It’s a risk, but generally not a huge risk.
Thing is, if it gets to the level of a Spamhaus listing of all their subdomains or of their root domain, there are much bigger problems. ISPs are much quicker to filter mail than Spamhaus. By the time legitimate companies get to a Spamhaus listing, they are hitting bulk more than inbox for the majority of their mailings. Spamhaus listings are splashy and drive internal change. But I’ve seen a lot of really bad delivery totally unrelated to a Spamhaus listing.