Email Reputation · The data returned from the query includes the domain’s public key used to...

Email Reputation

Tim MartinSenior System Administrator University of Northern Colorado

First time presenter & attendee at CHECO

Email Windows Linux Apple MDM

EmailReputation and Best Practices

Who is migrating faculty and staff email

to Office 365 or another cloud provider?



What email are you left with?

Transactional List

Marketing

10,000 Recipients per day per sending

email address

Current Email Flow

Current Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter

Current Email Flow

Exchange

Listserv

RelayLOB,

WUG, BRM, Recruiter

Barracudas

Current Email Flow

Exchange

Listserv

RelayLOB,

WUG, BRM, Recruiter

Barracudas

Internet

Best Practices

Best Practices• Utilize Sender Policy Framework (SPF)

• Sign email with Domain Keys Identified Mail (DKIM)

• Publish a DMARC policy

• Opt-In

• Send email from a consistent address

• Segregate IP addresses for each category of email

• Easy Unsubscribe

• Remove invalid recipients from lists

• Follow SPAM complaints with Feedback Loops

• Branding

Sender Policy FrameworkA simple validation system used to prevent email spoofing

by checking that emails originate from an authorized domain



Inbound Email



The sender address is

transmitted at the beginning of the

SMTP dialog

The recipients and body of the message is accepted

The Return-Path field is inserted in

the message header with the

sender’s address

The Return-Path variable is

checked against the sender’s

published SPF and is qualified

Inbound Email





SMTP dialog




sender’s address




Inbound Email

Outbound Email



Publish an SPF record in DNS of

addresses allowed to send as your domain



SMTP dialog




sender’s address




Inbound Email

Outbound Email

UNC’s Current SPF Record v=spf1 ip4:138.86.63.8/29 include:spf.protection.outlook.com include:emailcampaigns.net

include:blackboard.com include:_spf.qualtrics.com include:sendgrid.net -all



Header Name Header Value

X-Barracuda-Envelope-From [email protected]

X-Barracuda-Apparent-Source-IP 138.86.62.124

From "Martin, Timothy" <[email protected]>

To "[email protected]" <[email protected]>

Subject SPF Test

Date Mon, 2 Mar 2015 05:06:24 +0000

Message-ID <[email protected]>

user-agent Microsoft-MacOutlook/15.6.0.150113

x-originating-ip [138.86.97.229]

X-Barracuda-Connect exchange.unco.edu[138.86.62.124]

Return-Path [email protected]

Received-SPF Pass (protection.outlook.com: domain of unco.edu designates 138.86.63.11 as permitted sender) receiver=protection.outlook.com; client-ip=138.86.63.11; helo=barracuda.unco.edu;

Authentication-Results spf=pass (sender IP is 138.86.63.11) [email protected]; bears.unco.edu; dkim=none (message not signed) header.d=none;



DomainKeys Identified MailAn email validation system designed to detect email spoofing by allowing receiving mail

exchangers to check that incoming mail from a domain is authorized and that the email has not been modified during transport. A digital signature included with the message can be

validated by the recipient using the signer's public key published in the DNS.




Inbound Email - Verifying




The receiving SMTP server

reads the DKIM-Signature header

tags

The SMTP server uses Domain

Name and Selector tags to perform a DNS

lookup

The data returned from the query includes the

domain’s public key used to

decrypt the hash

The decrypted hash is compared to a recalculated

hash for the message. A

match proves the message is legit







tags



lookup



decrypt the hash





Outbound Email - Signing






tags



lookup



decrypt the hash





Publish a DKIM record in DNS of

the public key that you will use

Outbound Email - Signing

The sending SMTP server uses the private key to sign the relevant

parts of the message

The signature is then placed in the

DKIM-Message header field and is

sent

Header Name Header Value

X-Apparently-To [email protected]; Mon, 02 Mar 2015 18:20:43 +0000

Return-Path [email protected]

Received-SPF pass (domain of gmail.com designates 209.85.213.51 as permitted sender) AzACA3RleHQvaHRtbAMDMQ--

X-Originating-IP [209.85.213.51]

Authentication-Results mta1487.mail.bf1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)

DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=syXG1Fso5vnRpQpZFg+4ncg0qoj/hZFYHR8cjwLFlcI=;

b=vI0ykyMa0AusIfeKaOOrPhh0LAcpyM2TMyA3p4CS992y3ECL9Z7Ls0TY2orWBioOaV X-Received by 10.236.41.132 with SMTP id h4mr26925486yhb.140.1425320443191; Mon, 02 Mar 2015 10:20:43 -0800 (PST)

From Tim Martin <[email protected]>

Date Mon, 2 Mar 2015 11:20:23 -0700

Message-ID <CAD+ROtAM+ySTu8DKtVyc9syFt+SfDMyh8zK-xVWmuTBTsBs7aA@mail.gmail.com>

Subject DKIM Test

To "[email protected]" <[email protected]>




mailto:[email protected]

Domain-based Message Authentication Reporting and Compliance

Allows a sender to indicate that their emails are protected by SPF and DKIM, and tells a receiver what to do if neither of those authentication

methods passes - such as to junk or reject the message




Enable on Spam Appliance

Inbound Email





Inbound Email

Outbound Email





Inbound Email

Publish a DMARC policy in DNS

Outbound Email

The receiving SMTP server will

evaluate the published SPF and DKIM records and give them a pass

or fail grade

The receiving SMTP server will then accept or

reject the message based on the published DMARC policy


sends abuse and forensic reports

SPF, DKIM, or DMARC

Opt-In• Ensure that we are only sending mail to users who specifically

requested it. It is not advisable to purchase mailing lists or subscribe users by having an opt-in checkbox automatically checked on your website.

• It is preferable to have a double/confirmed opt-in process. When users subscribe to our mailing lists, send them an email asking them to click to confirm their opt-in. This will reduce the number of people who sign up from fake email addresses.

• When users subscribe for your mailing list, tell them what mail to expect, how often to expect it, and what it will look like. Set recipient expectations clearly.

Easy UnsubscribeProvide an obvious unsubscribe link in our mail

Make it easy to unsubscribe from our mailing lists

Ensure the unsubscribe process is easy to use

No logging into a website in order to unsubscribe

Process unsubscribes immediately

Address BookSend our email from a consistent email address and advise our users to add that address to their address books.

Mail sent to users with our address in their address book will be delivered to the inbox with images and links enabled.

Opt-In, Unsubscribe, or Address Book

Invalid recipients

Invalid recipientsA high number of invalid recipients will harm our

reputation. We can reduce the number of invalid recipients on our lists by using double/

confirmed opt-in. We will always have some invalids

due to people changing email addresses, but the lower the

number, the better our reputation.

SPAM ComplaintsWhen users click "report spam", we can get a copy of the spam complaint through the

receiver’s Feedback Loop (FBL) systems. Ensure we are processing the complaints quickly. Treat spam complaints as an unsubscribe and remove the name from our mailing lists.

SPAM ComplaintsWhen users click "report spam", we can get a copy of the spam complaint through the

receiver’s Feedback Loop (FBL) systems. Ensure we are processing the complaints quickly. Treat spam complaints as an unsubscribe and remove the name from our mailing lists.

User clicks on “Report as Spam”

The FBL responds that our email is

being marked as spam

We remove the user from

that list

Invalid Recipients or Spam Complaints

Segregate IPsDon't send marketing email from the same IPs we use to send user mail, transactional

mail, or list mail. Each IP we send from has a reputation. By segregating our IPs according to function, we help ensure that our mail receives the best delivery possible.

Segregate IPsDon't send marketing email from the same IPs we use to send user mail, transactional

mail, or list mail. Each IP we send from has a reputation. By segregating our IPs according to function, we help ensure that our mail receives the best delivery possible.

User 138.86.63.10

Transactional 138.86.63.11

List 138.86.63.12

Marketing 138.86.63.13

Categories of Email at UNC

Category Kind Systems Domain Current Outbound

Future Outbound

User User to user email Exchange @unco.edu Barracuda EOP

TransactionalScan PDF to email,

WUG Alerts, Automatically

generated email

Scanners, WUG, The

Source, [email protected] Barracuda,

Follet 138.86.63.12

List Announcements Listserv @listserv.unco.edu Barracuda 138.86.63.13

MarketingBRM, Recruiter,

Alumni Relations

Databases @m.unco.eduBarracuda, ExactTarget,

Sendgrid138.86.63.14



What email are you left with?

Transactional List

Marketing

10,000 Recipients per day per sending

email address

How can we move to Office 365 and it’s recipient limit while

implementing these best practices?

Current Email Flow

Exchange

Listserv

RelayLOB,

WUG, BRM, Recruiter

Barracudas

Internet

Future Email Flow

Exchange

Listserv

RelayLOB,

WUG, BRM, Recruiter

Barracudas

Internet

Relay

Future Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter

Barracudas

Internet

BarracudasRelay DNS is pointed here

Future Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter Internet

Future Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter Internet


Future Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter Internet


Outbound MTA

DKIM Signing

Segregate IP based on mail category

Future Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter Internet


Outbound MTA

DKIM Signing

Segregate IP based on mail category

Email Hygiene

Transactional IP

Future Email Flow

Exchange

Listserv

LOB, WUG, BRM,

Recruiter Internet


Outbound MTA

DKIM Signing

Segregate IP based on mail category List IP

Marketing IP

Email Hygiene

In House Solution

• Windows Server 2012 R2 • IIS SMTP Virtual Servers • hMailServer

Commercial Features

ThrottlingLimiting the number of connections and emails being

sent to a specific domain

Mes

sage

s Pe

r Min

ute

0

25

50

75

100

Gmail Outlook.com AOL Yahoo!

Reputation MonitoringNotification alert when a sending IP address gets

blacklisted

IP Address Warm UpSend small amounts of email at first and slowly increases

volume over time

Mes

sage

s Pe

r Day

0

3000

6000

9000

12000

Week 1 Week 2 Week 3 Week 4 Week 5 Week 6

Bounce ProcessingParses incoming bounce messages and assigns

meaning to the code

Click and Open DataTransparently modify email messages to know if users

are engaging with the message

0%

10%

20%

30%

40%

Email 1 Email 2 Email 3 Email 4

6%7%3%4%

28%32%

9%

18%

Open Rate Click Rate

Deliverability DataSee exactly what ISPs are filtering or bulking your email

Feedback Loop ProcessingParses incoming feedback loop notifications from ISPs and determines the source address and email campaign that generated the complaint

In House SolutionFeatures In House

Windows

VirtualMTAs

IP Segmentation

DKIM Signing

Free

Commercial SolutionsFeatures In House PowerMTA Green Arrow Zrinity Hurricane MTA

Windows

Linux

VirtualMTAs

IP Segmentation

DKIM Signing

Throttling

Reputation Monitoring

IP Address Warm Up

Bounce Processing

Click & Open Data

Deliverability Data

FBL Processing

Database Integration

Questions

Email Reputation · The data returned from the query includes the domain’s public key used to...

Documents

Transcript of Email Reputation · The data returned from the query includes the domain’s public key used to...