Domain transparency

An email I received this morning got me thinking about how your domain name is one of the main ways you identify yourself if you’re sending email.
We talk about domain reputation quite a lot – DKIM and SPF let a sender volunteer a domain name as a unique identifier for recipients to use to track reputation, DMARC allows them to tie that domain to the domain visible to the user in the From: field. And most ISPs use the domains in links in the body of the message to track reputation, either internally or through third-party reputation providers.
But there’s also a human side. We expect people and companies to be honest in how they identify themselves – and we’re suspicious when they aren’t. We’ve been trained to be wary of messages that claim to be from a company we know but which, for whatever reason, don’t look quite right. Rightly so – a lot of phishing and credential theft is based on bad people using branding and domains that look like legitimate ones.
Here are some header snippets from this morning’s (legitimate) email:

Return-Path: <bounces@adobe-info.com>
Received-SPF: client-ip=192.243.232.156;
        helo=r156.info.adobesystems.com;
DKIM-Signature: s=neolane; d=adobe-info.com
From: "Adobe" <demand@adobe-info.com>
Reply-To: "Adobe" <demand@adobe.com>

The links in the body all went to t.info.adobesystems.com, while most of the images were hosted on landing.adobe.com.
Everything lines up technically; the SPF passes for adobe-info.com, the DKIM signature is valid. Both the DKIM d= and the return-path align with the domain in the From: field. adobe-info.com does have a DMARC record – an aggressive one publishing p=reject.
But none of these domains are ones I’d recognize as having anything to do with the company Adobe, the one with the brand in the email:
Well, except for the address in the Reply-To: field, anyway. And that’s undermined by the body of the message where it says “Please do not reply to this message.” and points recipients at a t.info.adobesystems.com link instead.
What would I want to see instead?
I’ll mostly give them a pass on the hostnames and HELOs – the adobesystems.com names there are probably because the mail was sent through an ESP that’s owned by Adobe (“Adobe Campaign”, née “Neolane”) and it’s good for an ESP to be honest in naming its infrastructure.
But I’d really like to see the real company domain – adobe.com – in the From: header, and a hostname in the adobe.com domain in the Return-Path. There’s no technical reason that the d= used in the DKIM signature could not be “d=adobe.com”, with a dkimcore-style two element selector, but I could live with a hostname in the adobe.com domain. And the click-tracking links in the body? Ideally they’d be a hostname in the adobe.com domain too.
Something like this would make me happier:

Return-Path: <bounces@b.ac.adobe.com>
Received-SPF: client-ip=192.243.232.156;
        helo=r156.info.adobesystems.com;
DKIM-Signature: s=adobe.neolane; d=adobe.com
From: "Adobe" <demand@adobe.com>

(No need for a Reply-To when you have an honest From header)
There’s no technical reason that the headers couldn’t look something like that. It would make other technically savvy recipients happier, and likely make spam filters, phishing detectors and reputation trackers more comfortable too.
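As an added illustration (not code from the original post), here is a small checker that reads the two header snippets above, tests DMARC-style relaxed alignment of the Return-Path and DKIM d= against the From: domain, and separately tests whether each of those domains is the brand's own domain. It assumes a simplified two-label organizational-domain rule rather than the public suffix list, and the brand domain adobe.com is taken from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample input: the two header snippets quoted in the post.
ORIGINAL_HEADERS = """\
Return-Path: <bounces@adobe-info.com>
Received-SPF: client-ip=192.243.232.156;
        helo=r156.info.adobesystems.com;
DKIM-Signature: s=neolane; d=adobe-info.com
From: "Adobe" <demand@adobe-info.com>
Reply-To: "Adobe" <demand@adobe.com>

"""

PREFERRED_HEADERS = """\
Return-Path: <bounces@b.ac.adobe.com>
Received-SPF: client-ip=192.243.232.156;
        helo=r156.info.adobesystems.com;
DKIM-Signature: s=adobe.neolane; d=adobe.com
From: "Adobe" <demand@adobe.com>

"""

def org_domain(domain):
    # Assumption: organizational domain is the last two labels
    # (a real implementation would consult the public suffix list).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(header_value):
    # Domain part of the first address in a header like From: or Return-Path:
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def check_headers(raw_headers, brand_domain):
    msg = message_from_string(raw_headers)
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    m = re.search(r"\bd=([^;\s]+)", msg["DKIM-Signature"] or "")
    dkim_dom = m.group(1).lower() if m else ""
    brand = org_domain(brand_domain)
    return {
        # DMARC relaxed alignment: organizational domains must match From:
        "spf_aligned": org_domain(rp_dom) == org_domain(from_dom),
        "dkim_aligned": org_domain(dkim_dom) == org_domain(from_dom),
        # Transparency: do the identifiers actually name the brand's domain?
        "from_is_brand": org_domain(from_dom) == brand,
        "return_path_is_brand": org_domain(rp_dom) == brand,
        "dkim_is_brand": org_domain(dkim_dom) == brand,
    }
```

Both snippets pass alignment; only the preferred one also passes the brand checks, which is exactly the gap the post describes.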
Spam filters and recipients will both judge you based on a shallow first look. Try not to behave like spammers and phishers; do try to behave like other legitimate senders.

Related Posts

Reputation is about behavior

Reputation is calculated based on actions. Send mail people want and like and interact with and get a good reputation. Send mail people don’t want and don’t like and don’t interact with and get a bad reputation.
Reputation is not
… about who the sender is.
… about legitimacy.
… about speech.
… about message.
Reputation is
… about sender behavior.
… about recipient behavior.
… about how wanted a particular mail is forecast to be.
… based on facts.
Reputation isn’t really that complicated, but there are a lot of different beliefs about reputation that seem to make it complicated.
The reputation of a sender can be different at different receivers.
Senders sometimes target domains differently. That means one receiver may see acceptable behavior but another receiver may see a completely different behavior.  
Receivers sometimes have different standards. These include standards for what bad behavior is and how it is measured. They may also have different thresholds for things like complaints and bounces.
What this means is that delivery at one receiver has no impact on delivery at another. Just because ISP A delivers a particular mail to the inbox doesn’t mean that ISP B will accept the same mail. Each receiver has their own standards and sometimes senders need to tune mail for a specific receiver. One of my clients, for instance, tunes engagement filters based on the webmail domain in the email address. Webmail domain A needs a different level of engagement than webmail domain B.
Public reputation measures are based on data feeds.
There are multiple public sources where senders can check their reputation. Most of these sources depend on data feeds from receiver partners. Sometimes they curate and maintain their own data sources, often in the form of spamtrap feeds. But these public sources are only as good as their data analysis. Sometimes, they can show a good reputation where there isn’t one, or a bad reputation where there isn’t one.
Email reputation is composed of lots of different reputations. 
Email reputation determines delivery. Getting to the inbox isn’t just a matter of sending from an IP with a good reputation. IP reputation is combined with domain reputation and content reputation to get the email reputation. IP reputation is often treated as the only valuable reputation because of the prevalence of IP based blocking. But there are SMTP level blocks against domains as well, often for phishing or virus links. Good IP reputation is necessary but not sufficient for good email delivery.
Reputation is about what a sender does, not about who a sender is.
Just because a company is a household name doesn’t mean their practices are good enough to make it to the inbox. Email is a meritocracy. Send mail that merits the inbox and it will get to recipients. Send email that doesn’t, and suffer the repercussions.


Changes at Yahoo

Deliverability.com has a blog post from Naeem Kayani at Adknowledge about the recent Yahoo changes. They point to the reputation of the From: address as a factor. I’m not sure anyone knows what exactly Yahoo is doing, but the suggestions from Naeem are good ones.
