TagAuthentication

Microsoft and SPF

Many deliverability folks stopped recommending publishing SPF records for the 5322.from address to get delivery to Microsoft. I even remember Microsoft saying they were stopping doing SenderID style checking. A discussion on the emailgeeks slack channel has me rethinking that. It started out with one participant asking if other folks were seeing delivery improvement at MS if they added a SPF...

Why is DMARC failing?

Multiple times over the last few weeks folks have posted a screenshot of Google Postmaster tools showing some percentage of mail failing DMARC. They then ask why DMARC is failing. Thanks to how DMARC was designed, they don’t need to ask anyone this, they have all the data they need to work this out themselves. The DMARC protocol contains a way to request reports when DMARC authentication...

Should you publish a DMARC policy statement?

DMARC is a protocol that makes it very, very simple to shoot yourself in the foot. Setup is tricky and if you don’t get it exactly right you risk creating deliverability problems. The vast majority of companies SHOULD NOT publish a DMARC policy with p=reject or p=quarantine for their existing domains. DMARC policy statements are, essentially, a way for a company to assert the following...

Null sender address

A question came up on the email geeks slack channel about empty from addresses. I asked if they meant the 5321 or 5322 from address which prompted a question about if you could even have a null 5321 from. Yes, you can and it’s commonly used for some types of email. 5321.from is the bounce address, and the domain used in SPF authentication. Null addresses, literally <>, are used for email...

DMARC doesn’t fix phishing

Over the last few weeks I’ve had a lot of discussions with folks about DMARC and the very slow adoption. A big upsurge and multiple Facebook discussions were triggered by the ZDNet article DMARCs abysmal adoption explains why email spoofing is still a thing. There are a lot of reasons DMARC’s adoption has been slow, and I’m working on a more comprehensive discussion. But one of...

d= for data

A few ISPs use the d= value in the DKIM signature as a way to provide FBL and reputation data to senders. This has some good bits, in that senders can get FBLs and other information regardless of the IP address they’re using and whether or not they have sole access to it. There are also some challenges with using the d= as a data identifier. One of them is that ESPs may not be able to get a...

Delivery is not dependent on authentication

All too often folks come to me with delivery problems and lead off with all of the things they’ve done to send mail right. They assure me they’re using SPF and DKIM and DMARC and they can’t understand why things are bad. There is this pervasive belief that if you do all the technical things right then you will reach the inbox. Getting the technical bits right is an important...

Phishing and authentication

This morning I got a rather suspicious message from a colleague on LinkedIn. I asked around and it seems other folks got the same message and were equally confused. I didn’t click the link because that seemed risky. A few hours later one of the folks I had talked to mentioned that the person’s entire profile was gone. Likewise, the above message disappeared from my messages tab...

SenderID is dead

A question came up on the email geeks slack channel (Join Here) about SenderID. They recently had a customer ask for SenderID authentication. We’ve written about it a few times: (Hotmail moves to SPF Authentication and Until it stops moving) but we’ve not actually stated the reasons why in a post. SenderID was basically SPF version 2. It tried to use the same mechanism as SPF to...

Recent Posts

Archives

Follow Us