Right at the end of January, Microsoft appears to have made couple of changes to how they’re handling authentication. The interesting piece of this is that, in both cases, Microsoft is taking authentication protocols and using them in ways that are slightly outside the spec, but are logical extensions of the spec. The first is an extension of DMARC. They’re rolling out inbox flags for...
At the end of last year, Steve wrote a post about the different types of authentication. I thought I’d build on that and write about the costs associated with each type. While I know a lot of my readers are actually on the sending side, I’m also going to talk about the costs associated with the receiving side and a little bit about the costs for intermediaries such as CRM systems or...
Some notes on some of the different protocols used for authentication and authentication-adjacent things in email. Some of this is oral history, and some of it may be contradicted by later or more public historical revision. SPF Associates an email with a domain that takes responsibility for it. Originally Sender Permitted From, now Sender Policy Framework. It allows a domain owner to announce...
Multiple times over the last few weeks folks have posted a screenshot of Google Postmaster tools showing some percentage of mail failing DMARC. They then ask why DMARC is failing. Thanks to how DMARC was designed, they don’t need to ask anyone this, they have all the data they need to work this out themselves. The DMARC protocol contains a way to request reports when DMARC authentication...
DMARC is a protocol that makes it very, very simple to shoot yourself in the foot. Setup is tricky and if you don’t get it exactly right you risk creating deliverability problems. The vast majority of companies SHOULD NOT publish a DMARC policy with p=reject or p=quarantine for their existing domains. DMARC policy statements are, essentially, a way for a company to assert the following...
Over the last few weeks I’ve had a lot of discussions with folks about DMARC and the very slow adoption. A big upsurge and multiple Facebook discussions were triggered by the ZDNet article DMARCs abysmal adoption explains why email spoofing is still a thing. There are a lot of reasons DMARC’s adoption has been slow, and I’m working on a more comprehensive discussion. But one of...
Over on twitter Alwin de Bruin corrected me on an aspect of DMARC soft rollout I’d entirely forgotten about. It’s useful, so I thought I’d write a quick post about it. If you have a large mail stream and you want to avoid the Scary Red Flag Day when you turn on DMARC p=reject enforcement and wait for people to complain you can use the DMARC policy “pct=” tag to roll...
I’m thinking I may need to deploy DMARC report automation sooner rather than later.
… and so on, and on, and on for a lot further down the mailbox.
The intent of DMARC is to cause emails to silently vanish. Ideally deploying DMARC would cause all malicious email that uses your domain in the From address, but which has absolutely nothing to with you to vanish, while still allowing all email you send, including mail that was sent through third parties or forwarded, to be delivered. For some organizations you can get really close to that ideal...
A number of companies in the email industry have been working on a way to better identify authenticated emails to users. One proposal is Brand Indicators for Message Identification (BIMI). A couple weeks ago, Agari announced a pilot program with some brands and a number of major consumer mail providers. These logos should be available in the Yahoo interface now and will be rolling out at other...
RSS - Posts