An email I received this morning got me thinking about how your domain name is one of the main ways you identify yourself if you’re sending email.
We talk about domain reputation quite a lot – DKIM and SPF let a sender volunteer a domain name as a unique identifier for recipients to use to track reputation, DMARC allows them to tie that domain to the domain visible to the user in the From: field. And most ISPs use the domains in links in the body of the message to track reputation, either internally or through third-party reputation providers.
But there’s also a human side. We expect people and companies to be honest in how they identify themselves – and we’re suspicious when they aren’t. We’ve been trained to be wary of messages that claim to be from a company we know but which, for whatever reason, don’t look quite right. Rightly so – a lot of phishing and credential theft is based on bad people using branding and domains that look like legitimate ones.
Here are some header snippets from this morning’s (legitimate) email:
Return-Path: <email@example.com> Received-SPF: client-ip=22.214.171.124; helo=r156.info.adobesystems.com; DKIM-Signature: s=neolane; d=adobe-info.com From: "Adobe" <firstname.lastname@example.org> Reply-To: "Adobe" <email@example.com>
The links in the body all went to t.info.adobesystems.com, while most of the images were hosted on landing.adobe.com.
Everything lines up technically; the SPF passes for adobe-info.com, the DKIM signature is valid. Both the DKIM d= and the return-path align with the domain in the From: field. adobe-info.com does have a DMARC record – an aggressive one publishing p=reject.
But none of these domains are ones I’d recognize as having anything to do with the company Adobe, the one with the brand in the email:
Well, except for the address in the Reply-To: field, anyway. And that’s undermined by the body of the message where it says “Please do not reply to this message.” and points recipients at a t.info.adobesystems.com link instead.
What would I want to see instead?
I’ll mostly give them a pass on the hostnames and HELOs – the adobesystems.com names there are probably because the mail was sent through an ESP that’s owned by Adobe (“Adobe Campaign”, née “Neolane”) and it’s good for an ESP to be honest in naming it’s infrastructure.
But I’d really like to see the real company domain – adobe.com – in the From: header, and a hostname in the adobe.com domain in the Return-Path. There’s no technical reason that the d= used in the DKIM signature could not be “d=adobe.com”, with a dkimcore-style two element selector, but I could live with a hostname in the adobe.com domain. And the click-tracking links in the body? Ideally they’d be a hostname in the adobe.com domain too.
Something like this would make me happier:
Return-Path: <firstname.lastname@example.org> Received-SPF: client-ip=126.96.36.199; helo=r156.info.adobesystems.com; DKIM-Signature: s=adobe.neolane; d=adobe.com From: "Adobe" <email@example.com>
(No need for a Reply-To when you have an honest From header)
There’s no technical reason that the headers couldn’t look something like that. It would make other technically savvy recipients happier, and likely make spam filters, phishing detectors and reputation trackers more comfortable too.
Spam filters and recipients will both judge you based on a shallow first look. Try not to behave like spammers and phishers; do try to behave like other legitimate senders.