Related Posts

Gmail shows authentication data to the recipient

Yesterday Gmail rolled out some changes to their interface. One of the changes is that they are now showing end users authentication results in the user screen.
It’s really the next step in email authentication, showing the results to the end user.
So how does Google do this? Google is checking both SPF and DKIM. If mail is authenticated and the authentication matches the from address then they display the email as:
mail from steve to me
If we click on “details” for that message, we find more specific information.
full details of message showing signing domain and spf domainIn this case the mail went through our outgoing mailserver to gmail.
Mailed-by indicates that the message passed SPF and that the IP address is a valid source of mail from wordtothewise.com.
Signed-by shows the domain in the DKIM d=. In this case, we signed with the subdomain dt.wordtothewise.com. That’s what happens when you sign using the domain in the From address (or a subdomain of it).
For a lot of bulk senders, though, their mail is signed using their ESP’s domain instead.  In that case Gmail shows who signed the mail as well as the from address.

And when we click on “details” for that message we see:
3rd party signature detailsThis is an email from a sender using Madmimi as an ESP. Madmimi is handling both the SPF authentication and the DKIM authentication.
As an aside, this particular  sender has a high enough reputation that Gmail is offering me an unsubscribe option in their interface.
Gmail is distinguishing between first party and third party signatures in authentication. If the mail is authenticated, but the authentication appears to be handled by a separate entity, then Gmail is alerting recipients to that fact.
What does this mean for bulk senders?
For senders that are signing with a domain that matches their From: domain, there is no change. Recipients will not see any mention of your ESP in the headers.
However, if you are using an ESP that is signing your mail with a domain they own, then your recipients will see that information displayed in the email interface. If you don’t want this to be displayed by Gmail, then you will need to move to first party signing. Talk to your ESP about this. If they’re unsure of how to manage it, you can point them to DKIM Core for an Email Service Provider.
Gmail blogpost about the changes
Gmail help page about authentication results

Read More

Phishing protection

Last week Return Path announced a new service: Domain Assurance. This service allows companies who send only authenticated email to protect their brand from phishing attacks. Participating ISPs will reject unauthenticated email from domains participating in this program.

Read More

Goodmail alternatives

A number of Goodmail customers are scrambling to identify alternatives now that Goodmail is shutting down. There are two companies in the field offering similar services.
Return Path offers Return Path Certified. A number of large ISPs accept Return Path certification, including Yahoo, Hotmail and Comcast. IP addresses that are certified are not guaranteed to reach the inbox, but there are some delivery benefits to being certified. For instance, Hotmail lifts hourly delivery limits for certified IPs. Return Path closely monitors certified IPs and will remove certification from IP addresses that do not meet their standards. They are offering an expedited application process and managed transition to former Goodmail customers.
SuretyMail offers accreditation to senders. SpamAssassin does use SuretyMail as a factor in their scores. Mail from accredited IPs receives lower SpamAssassin scores. I don’t have much direct experience with SuretyMail, so I can’t talk too knowledgeably about their processes. A former customer has written, however, about their experience with SuretyMail. They are offering a half off application fee for former Goodmail customers.
The other option for senders is to find a good delivery consultant. As I said yesterday, a large number of senders are not certified or accredited and experience 95+% inbox delivery rates. Many of my customers, for instance, see 100% inbox without certification. There are certain market segments where certification makes a difference. But for senders who are sending mail that users actually want to receive and are engaged with, certification isn’t always necessary.

Read More