Authentication and alignment
ISPs are changing the way that messages are displayed in the inbox. Gmail, for example, introduced the ‘priority inbox’ in 2012, the ‘tabbed inbox’ in 2013 and recently started to indicate if a message has been transferred on a TLS encrypted connection or not. Gmail also intends to start display a question mark next to any messages in the inbox that cannot be authenticated as using SPF and DKIM.
Other ISPs are also changing the way messages will be displayed, mainly to indicate if they can be authenticated or not. Yahoo intends to show corporate logos next to authenticated messages, and Hotmail/outlook.com and Office 365 already places a ‘trusted sender icon’ next to the mail, so that their customers can quickly and easily differentiate between wanted and unwanted e-mail, without having to open the message. Hotmail/outlook.com and Office 365 also already place a red safety bar to flag any messages that are suspicious. This red safety bar makes use of failed SPF and DKIM checks.
Authentication
In addition to senders using explicit and double opt-in requests, the big ISPs expect to see certain additional technical requirements fulfilled. Using consistent PTR for all IPs and formatting addresses according to RFC5322 are some of the most widely known and adapted requirements, however ISPs are now also strongly motivating senders to use the appropriate authentication for all their messages. Most people will probably already have heard of SPF and DKIM by now, but here’s a little refresher:
SPF confirms with a recipient ISP that the owner of the envelope-from domain actually is allowed to send mail via the IP on behalf of the domain (using a DNS TXT record). SPF records should be kept as short as possible and not include any unnecessary IPs; as a maximum, no IP ranges larger than /16 (65.534 IPs) should be used.
DKIM helps determine whether the administrator of the MTA (Mail Transfer Agent) behind the sending IP allows this sender domain to send from the IP in question (using private and public key matching). Due to a vulnerability in DKIM that was discovered in 2012, the use of any keys shorter than 1024 bit is considered insecure and may therefore not be accepted. It is also strongly recommended to regularly renew DKIM keys, at least once a year.
At the 36th M3AAWG summit in San Francisco in 2016, the stats indicate that these days less than 10% of worldwide E-mail traffic is sent without any form of authentication!
DMARC – The other Side
In terms of additional technologies, we also have DMARC, which allows a sender to specify what should happen in case a message cannot be authenticated with SPF and / or DKIM. DMARC allows ISPS to reject unauthenticated E-mail that claims to be from a certain domain as an effective way of preventing phishing attempts. Such attempts can harm a company’s good reputation and therefore have a negative impact on Deliverability. When an ISP is sure of the identity behind a domain, it can then assign a domain reputation (complimentary to IP reputation) which is often shared with other senders. In order to ensure maximum protection against phishing attempts using your brand, and also ensuring optimal deliverability results, your DMARC should be configured to reject any unauthenticated E-mail. (Read more about DMARC )
Domain alignment
During the summit, it was clarified that once a sender uses DMARC, domain alignment is mandatory. According to some ISPs, unaligned messages are considered unauthenticated messages!
Domain alignment is the next level where all the domain details which SPF and DKIM use are matched up, and can be either ‘strict’ or ‘relaxed’ which can be summarized as follows:
In SPF, Strict SPF alignment is where the sender / DKIM identifier and returnpath use exactly the same domain. Relaxed SPF alignment is where the sender / DKIM identifier and returnpath use different subdomains within the same main domain.
SPF records ending with “-all” are configured to allow strict SPF alignment only. “~all” stands for relaxed alignment and “+ all” means the alignment is to be ignored. The use of “+ all” should be avoided at all times!
In DKIM, the domain used for signing (shown in the “d”-field in the DKIM mail header) should be related to the domain in the FROM: header. Strict DKIM alignment is where both those domains are exactly the same domain. Relaxed alignment is where those two domains are subdomains within the same main domain.
It is sufficient to have one of the SPF or DKIM mechanisms aligned, but there is definitely no harm in using full, strict alignment for both SPF and DKIM.
How important is all of this?
Apart from the upcoming UI changes to the various inboxes for the end-users, senders who don’t authenticate their mail will be much more likely to have their content rejected or quarantined (sent to SPAM).
Authentication alone cannot provide a reliable method to make sure the content goes to where it needs to, which is why the domain reputation that DMARC helps build is so important. Otherwise ISPs are reduced to using IP reputation and content analysis… However, if you already authenticate your mail and use DMARC to protect your brand from phishing attacks, it does not automatically mean your message will be delivered to the inbox.
Meeting all the technical requirements means that more focus will be on the reputation of a sender as a key factor for deliverability. A sender that authenticates mail, but is suspected of sending unwanted messages, will still carry high risk of having their mail rejected or quarantined.
The only sure way to reach the inbox is to make the recipients happy!
To sum up: A proper technically-verified setup plus authentication and encryption configurations are a must for any sender that wants their content to get to the inbox. However, these will not guarantee that the content will arrive if the sender reputation is poor, so senders will continuously have to work on building and maintaining their reputation with quality, reliable content.
Read more on E-Mail authentication and alignment in our wiki.