Domain Assurance by Return Path

As often happens during MAAWG, email companies are announcing new products. One of the interesting ones is the new Domain Assurance product from Return Path.

Domain Assurance […] first audit[s] a company’s email streams to be sure authentication has been properly implemented. Then, the company’s domains are added to a registry. Participating ISPs can check the registry and block any unauthenticated emails coming from the domains found there. Return Path provides on-going checks for authentication accuracy and alerts participating companies any time their brand is phished or spoofed.

While this type of authentication won’t solve phishing, it is a tool to help protect end users from malicious mail.

Related Posts

MAAWG SF

Blogging will probably be light next week. Steve and I are both headed to MAAWG SF. Steve will be presenting training on Monday and at one of the later sessions, too. I managed to get out of having to work this conference, so no presenting for me.
We’re both looking forward to seeing everyone. Drop by and say hi.

Read More

Delivery resources

I’m working on a few projects designed to help provide mentoring for other delivery people and to bridge the communication gap between the various groups active in email. One of those projects is collecting, linking to, and publishing more delivery resources. Some will be linked to directly from the blog, others will be linked to from the wiki. While I’m reasonably familiar with what’s out there, it is impossible for me to know about all the useful resources available. So I ask you readers:

Read More

Who can you trust?

I’ve been recently dealing with a client who is looking at implementing authentication on their domains. He’s done a lot of background research into the schemes and has a relatively firm grasp on the issue. At this point we’re working out what policies he wants to set and how to correctly implement those policies.
His questions were well informed for the most part. A few of them were completely out of left field, so I asked him for some of his references. One of those references was the EEC Email Authentication Whitepaper.
My client was doing the best he could to inform himself and relies on industry groups like the EEC to provide him with accurate information. In this case, their information was incomplete and incorrect.
We all have our perspectives and biases (yes, even me!) but there are objective facts that can be independently verified. For instance, the EEC Authentication whitepaper claimed that Yahoo requires DKIM signing for access to their whitelist program. This is incorrect, a sender does not have to sign with DKIM in order to apply for the Yahoo whitelist program. A bulk sender does have to sign with DKIM for a Y! FBL, but ISPs are given access to an IP based FBL by Yahoo. I am shocked that none of the experts that contributed to the document caught that error.
Independent verification is one reason I publish the Delivery Wiki. It’s a resource for everyone and a way to share my knowledge and thought processes. But other experts can “check my work” as it were and provide corrections if my information is outdated or faulty. All too often, senders end up blaming delivery problems on evil spirits, or using “dear” in the subject line or using too much pink in the design.
Delivery isn’t that esoteric or difficult if you have a clear understanding of the policy and technical decisions at a range of ESPs and ISPs, the history and reasoning behind those decisions, and enough experience to predict the implications when they collide.
Many senders do face delivery challenges and there is considerable demand for delivery experts to provide delivery facts. That niche has been filled by a mix of people, of all levels of experience, expertise and technical knowledge, leading to the difficult task of working out which of those “experts” are experts, and which of those “facts” are facts.

Read More