MONSOON MAILER: ALL KINDS OF COOL TOOLS TO HELP YOU

Overview

Today, sending email is not as simple as just blasting out a message. Recipient systems, where your customers' mailboxes reside, use all kinds of security measures to check whether a message is legitimate. If it's not, it could be spam (email that you don't want) or phishing, malware, or a trojan horse trying to compromise your computer or hand-held device and steal your information or take control of it.

Various Security Technologies

These security measures are complex and they are designed by people trying to maintain backward compatibility with all of the email technologies since electronic mail was invented.

Before we go too far, understand that all of these technologies are guided by an Internet Standards Body under what is called a "Request for Comments" or "RFC".  Here is the Home of ALL the RFC documentation guiding every standard on the Internet:  RFC HOME

  • IP Address - every device on the Internet has a "public" IP address and it can be used to determine things like
    • what country are you from
    • what is your parent network
    • are you claiming to be sending an email from "somecompany.com" when your IP is associated with "government-sponsored-hacking-group.cn" from China... probably not "somecompany.com", right?
    • are you on a blocklist and mail servers are being advised to ignore email connections from your IP
  • From Address Matching -- does your From address match your IP and, if we look up the IP in a REVERSE DNS lookup, does the result match the name your sending computer claims to be
  • MX Server Authority - does your mail server have the authority to send email on your behalf
  • SPF: Sender Policy Framework is a fairly recent technology used to identify which IP addresses or which IP-address-networks are allowed to send email that matches the "FROM" address
  • Domainkeys and DKIM are a way of providing an encryption key that contains an encrypted version of various parts of the hidden email header and can be used to determine if the message was tampered with in transit
    • A "domainkey" is a public/private-key used to encrypt selected parts of the email header (to/from/subject/content-type, etc.) and is used for all the messages from your server, unless you have DKIM applied
    • A "DKIM" or "domain-key-individualized-message" is a domainkey applied to a message for security, but every single message sent by the sender has a different key combination so it is a "tighter" version of security
      • Some well-known recipient systems such as GMAIL and YAHOO/AOL have arbitrarily determined that if you are not signing your messages with Domainkeys or DKIM by February 2025, they will reject your emails.  This is problematic because the security of Domainkey/DKIM signing is negligible for this very reason:
        • RFC 6376, which defines Domainkey/DKIM implementation states.
        • Prior to 2025, Microsoft Exchange (Outlook365) often did not have Domainkey signing, or correct Domainkey signing, and when we talked to Microsoft's helpdesk about it they claimed the RFC said "if the domainkey cannot be verified" the message should be treated as though there is no domainkey signing.
          • The RFC does not state this; it says it should be treated as an "unverified" email.
      • We recommend you use it
  • DMARC:  Domain-based Message Authentication, Reporting and Conformance is a technology used to prevent phishing and malware, and it allows the owner of a domain to determine if their domain is being used inappropriately.
    • We had a case the other day where a customer was receiving bounces on emails they had not sent (a bounce attack). We identified that they were not using DMARC, helped them implement it, and the bounce attack stopped within minutes.
  • Heuristic Analysis -- anti-spam software such as SpamAssassin looks at email messages and uses heuristic algorithms to determine if a message "looks" spammy by evaluating things like how much text there is, what phrases are being used, how many graphics there are, etc.
  • Mail Box Age:  If you have subscribers on your email list and they don't respond for 6 months, you're supposed to stop sending email to them.  If you continue to do so, places like Spamhaus may list you.
  • Domain Age:  How long have you had the domain... is it a new domain... if it is less than 90 days old recipients may block email based on that factor alone.
  • Sender Rights:  You have a right to send an email to anyone ONCE.  That email should either be your solicitation or your request for them to confirm they want to continue receiving your information.  If you send them more than that, without their permission, you might be considered a spammer or bulk-unsolicited-email-sender.
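
The SPF check from the list above (is the connecting IP inside one of the addresses or networks the domain has published?), as an added example that is not Monsoon Mailer code. The record, the domain `_spf.mailer.example` and the IP addresses are constructed; mechanisms that need live DNS (include, a, mx, exists, ptr) are reported as skipped rather than resolved, so a result that comes with skipped terms is provisional.

```python
import ipaddress

# SPF qualifier prefixes (RFC 7208) and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record, as it would appear in the domain's TXT record.
RECORD = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 "
          "include:_spf.mailer.example ~all")


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not mechanisms
            continue
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = body.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms


def check_spf(record, sender_ip):
    """Evaluate terms left to right; return (result, skipped_mechanisms)."""
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for qualifier, name, value in parse_spf(record):
        if name == "all":  # matches every sender, so evaluation ends here
            return QUALIFIERS[qualifier], skipped
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(name)  # needs a DNS lookup this offline example omits
    return "neutral", skipped  # nothing matched and no "all" term was present


if __name__ == "__main__":
    for addr in ("192.0.2.77", "2001:db8::1", "203.0.113.9"):
        print(addr, check_spf(RECORD, addr))
```
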

Tools

We do not endorse these tools in any way, but we have found them to be helpful from other customer input:

 

Blacklists

Spammers and hackers are clever and have figured out how to trick or bypass many of the above security measures, so there are independently owned "blacklisting" services that collect "spam" and analyze it.  From that analysis they have come up with "recommendations", and many, many systems follow them.  These recommendations tell a receiving mail server to reject messages for one or more of the following reasons:

  • IP address has been associated with spam, malware, phishing, snowshoeing, etc.
  • domain has been associated with spam, malware, phishing, snowshoeing, etc.
  • various other reasons

Blacklisting Services

You may need to contact one or more of these services to get de-listed if you somehow get listed: