Phishing protection

Last week Return Path announced a new service: Domain Assurance. This service allows companies who send only authenticated email to protect their brand from phishing attacks. Participating ISPs will reject unauthenticated email from domains participating in this program.

Once the sender has ensured that all their email is being authenticated, they can add their domains and sub-domains to the Domain Assurance Registry list for ISPs to automatically reject all mail coming from these registered domains that fail authentication. Email senders using Domain Assurance have access to rich data reports about their email, get alerted when fraudulent emails using their domains are observed, and are provided with email intelligence on attackers and phishing URLs so they can initiate the take down of fraudulent websites.

Related Posts

DKIM implementation survey: prelim results

First off, I want to thank everyone who participated in the DKIM implementation survey. This week has been pretty hectic so far, so I haven’t had a chance to actually dig down into the data from the survey, but I thought I’d post some preliminary results.
The ESP survey had 45 respondents. 30% of those sent more than 15 million emails a month.
Of all the respondents: 40% are signing with Domain Keys, 51.1% are signing with DKIM.
Of all respondents: 79.5% are signing with Domain Keys and 78.8% are signing with DKIM to access services (whitelists or FBLs) provided by the ISPs.
50% of those not signing with Domain Keys are not doing so because customers have not requested it.  61% of those not signing with DKIM are not doing it because of technical difficulties with deployment.
The ISP survey had 16 respondents, with 37.5% handling less than 500,000 mailboxes and 18.8% handling more than 15 million mailboxes. 75% of respondents said they are not checking Domain Keys on inbound mail. 56% said they are not currently checking DKIM on inbound mail.
Only 10 ISPs answered the question if they plan to check either Domain Keys or DKIM.

Read More

Goodmail alternatives

A number of Goodmail customers are scrambling to identify alternatives now that Goodmail is shutting down. There are two companies in the field offering similar services.
Return Path offers Return Path Certified. A number of large ISPs accept Return Path certification, including Yahoo, Hotmail and Comcast. IP addresses that are certified are not guaranteed to reach the inbox, but there are some delivery benefits to being certified. For instance, Hotmail lifts hourly delivery limits for certified IPs. Return Path closely monitors certified IPs and will remove certification from IP addresses that do not meet their standards. They are offering an expedited application process and managed transition to former Goodmail customers.
SuretyMail offers accreditation to senders. SpamAssassin does use SuretyMail as a factor in their scores. Mail from accredited IPs receives lower SpamAssassin scores. I don’t have much direct experience with SuretyMail, so I can’t talk too knowledgeably about their processes. A former customer has written, however, about their experience with SuretyMail. They are offering a half off application fee for former Goodmail customers.
The other option for senders is to find a good delivery consultant. As I said yesterday, a large number of senders are not certified or accredited and experience 95+% inbox delivery rates. Many of my customers, for instance, see 100% inbox without certification. There are certain market segments where certification makes a difference. But for senders who are sending mail that users actually want to receive and are engaged with, certification isn’t always necessary.

Read More

ESPs, Non-portable Reputation and Vendor Lock-in

I’ve seen some mentions recently of ESPs suggesting that if you use your own domain in the From: of mail you send through an ESP then that ESP can’t “do email authentication” properly unless they require you to edit your domains DNS settings. That’s not really so, but there is a kernel of truth in there.
The real situation is, unsurprisingly, a bit more complicated.
What authentication features should you look for in an ESP?

Read More