Email Reputation
Tim Martin, Senior System Administrator, University of Northern Colorado
First time presenter & attendee at CHECO
Email Windows Linux Apple MDM
Email Reputation and Best Practices
Who is migrating faculty and staff email
to Office 365 or another cloud provider?
What email are you left with?
• Transactional
• List
• Marketing
10,000 recipients per day per sending email address
Current Email Flow
[Diagram labels: Exchange; Listserv; Relay; LOB, WUG, BRM, Recruiter; Barracudas; Internet]
Best Practices
• Utilize Sender Policy Framework (SPF)
• Sign email with DomainKeys Identified Mail (DKIM)
• Publish a DMARC policy
• Opt-In
• Send email from a consistent address
• Segregate IP addresses for each category of email
• Easy Unsubscribe
• Remove invalid recipients from lists
• Follow SPAM complaints with Feedback Loops
• Branding
Sender Policy Framework
A simple validation system used to prevent email spoofing by checking that emails originate from an authorized domain
Outbound Email
• Publish an SPF record in DNS listing the addresses allowed to send as your domain
Inbound Email
• The sender address is transmitted at the beginning of the SMTP dialog
• The recipients and body of the message are accepted
• The Return-Path field is inserted in the message header with the sender’s address
• The Return-Path value is checked against the sender’s published SPF record and is qualified
UNC’s Current SPF Record
v=spf1 ip4:138.86.63.8/29 include:spf.protection.outlook.com include:emailcampaigns.net include:blackboard.com include:_spf.qualtrics.com include:sendgrid.net -all
Header Name: Header Value
X-Barracuda-Envelope-From: [email protected]
X-Barracuda-Apparent-Source-IP: 138.86.62.124
From: "Martin, Timothy" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: SPF Test
Date: Mon, 2 Mar 2015 05:06:24 +0000
Message-ID: <[email protected]>
user-agent: Microsoft-MacOutlook/15.6.0.150113
x-originating-ip: [138.86.97.229]
X-Barracuda-Connect: exchange.unco.edu[138.86.62.124]
Return-Path: [email protected]
Received-SPF: Pass (protection.outlook.com: domain of unco.edu designates 138.86.63.11 as permitted sender) receiver=protection.outlook.com; client-ip=138.86.63.11; helo=barracuda.unco.edu;
Authentication-Results: spf=pass (sender IP is 138.86.63.11) [email protected]; bears.unco.edu; dkim=none (message not signed) header.d=none;
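How a receiver applies UNC's record to the connecting address seen in the Received-SPF header above, as an added example that is not part of the original slides. It evaluates the ip4/ip6 and all terms offline and lists the include: terms a real check would resolve through DNS; the function names are illustrative.

```python
import ipaddress
import re

# UNC's SPF record as shown on the slide above.
UNC_SPF = ("v=spf1 ip4:138.86.63.8/29 include:spf.protection.outlook.com "
           "include:emailcampaigns.net include:blackboard.com "
           "include:_spf.qualtrics.com include:sendgrid.net -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)([:=/].*)?$")


def parse_spf(record):
    """Return the record's terms as (qualifier, name, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        match = TERM_RE.match(term)
        if match is None:
            raise ValueError(f"malformed term: {term!r}")
        value = (match.group(2) or "").lstrip(":=")
        terms.append((qualifier, match.group(1).lower(), value))
    return terms


def evaluate_offline(record, client_ip):
    """Walk the terms left to right without doing any DNS.

    Returns (result, pending). If pending is empty the result is final;
    otherwise it is what the receiver reaches only when none of the
    pending lookup terms authorizes the address.
    """
    ip = ipaddress.ip_address(client_ip)
    pending = []
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier], pending
        elif name == "all":
            return QUALIFIERS[qualifier], pending
        elif name in LOOKUP_TERMS:
            pending.append(f"{name}:{value}")
    return "neutral", pending                # no term matched


def dns_lookup_terms(record):
    """Top-level terms that count toward the 10-lookup limit."""
    return [f"{n}:{v}" for _, n, v in parse_spf(record) if n in LOOKUP_TERMS]
```

The Barracuda address 138.86.63.11 passes on the ip4 term alone, while the Exchange address 138.86.62.124 falls through to -all unless one of the includes authorizes it. The record already spends five of the ten permitted DNS lookups at the top level, and lookups inside each included record count as well.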
DomainKeys Identified Mail
An email validation system designed to detect email spoofing by allowing receiving mail exchangers to check that incoming mail from a domain is authorized and that the email has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.
Inbound Email - Verifying
• The receiving SMTP server reads the DKIM-Signature header tags
• The SMTP server uses the Domain Name and Selector tags to perform a DNS lookup
• The data returned from the query includes the domain’s public key used to decrypt the hash
• The decrypted hash is compared to a recalculated hash for the message. A match proves the message is legit
Outbound Email - Signing
• Publish a DKIM record in DNS of the public key that you will use
• The sending SMTP server uses the private key to sign the relevant parts of the message
• The signature is then placed in the DKIM-Signature header field and is sent
Header Name: Header Value
X-Apparently-To: [email protected]; Mon, 02 Mar 2015 18:20:43 +0000
Return-Path: [email protected]
Received-SPF: pass (domain of gmail.com designates 209.85.213.51 as permitted sender) AzACA3RleHQvaHRtbAMDMQ--
X-Originating-IP: [209.85.213.51]
Authentication-Results: mta1487.mail.bf1.yahoo.com from=gmail.com; domainkeys=neutral (no sig); from=gmail.com; dkim=pass (ok)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=syXG1Fso5vnRpQpZFg+4ncg0qoj/hZFYHR8cjwLFlcI=; b=vI0ykyMa0AusIfeKaOOrPhh0LAcpyM2TMyA3p4CS992y3ECL9Z7Ls0TY2orWBioOaV
X-Received: by 10.236.41.132 with SMTP id h4mr26925486yhb.140.1425320443191; Mon, 02 Mar 2015 10:20:43 -0800 (PST)
From: Tim Martin <[email protected]>
Date: Mon, 2 Mar 2015 11:20:23 -0700
Message-ID: <CAD+ROtAM+ySTu8DKtVyc9syFt+SfDMyh8zK-xVWmuTBTsBs7aA@mail.gmail.com>
Subject: DKIM Test
To: "[email protected]" <[email protected]>
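The first verification steps applied to the DKIM-Signature header above, as an added example that is not part of the original slides: read the tags, build the DNS name from the Domain Name and Selector tags, and recompute the body hash that is compared with bh=. Checking the b= signature itself needs the public key from DNS and is not shown; the sample bodies are constructed and the function names are illustrative.

```python
import base64
import hashlib
import re

# DKIM-Signature value from the header table above (b= is cut short on the page).
PAGE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; "
            "h=mime-version:from:date:message-id:subject:to:content-type; "
            "bh=syXG1Fso5vnRpQpZFg+4ncg0qoj/hZFYHR8cjwLFlcI=; "
            "b=vI0ykyMa0AusIfeKaOOrPhh0LAcpyM2TMyA3p4CS992y3ECL9Z7Ls0TY2orWBioOaV")


def parse_dkim_signature(value):
    """Split the tag=value list; base64 tags (b, bh) may be folded with whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        key, val = item.split("=", 1)
        key = key.strip()
        tags[key] = "".join(val.split()) if key in ("b", "bh") else val.strip()
    return tags


def key_query_name(tags):
    """DNS name whose TXT record holds the signer's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signs_from_header(tags):
    """A signature that does not cover From says nothing about the visible sender."""
    return "from" in [h.strip().lower() for h in tags["h"].split(":")]


def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")  # assumption: tolerate bare LF
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":                  # drop trailing empty lines
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body):
    """Base64 SHA-256 of the canonicalized body, the form carried in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_matches(tags, body):
    """Verifier step: recompute the body hash and compare it with bh=."""
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if tags["a"] != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("this example handles rsa-sha256 with a relaxed body only")
    return body_hash(body) == tags["bh"]


# Constructed body, "signed" here by filling in bh= the way a sender would.
SENT_BODY = b"Hello  from\tUNC \r\nSecond line\r\n\r\n"
SIGNED = dict(parse_dkim_signature(PAGE_SIG), bh=body_hash(SENT_BODY))
```

Whitespace changes made in transit still match under relaxed canonicalization, while any change to the words produces a different hash and the check fails.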
Domain-based Message Authentication Reporting and Compliance
Allows a sender to indicate that their emails are protected by SPF and DKIM, and tells a receiver what to do if neither of those authentication
methods passes - such as to junk or reject the message
Inbound Email
• Enable on Spam Appliance
Outbound Email
• Publish a DMARC policy in DNS
• The receiving SMTP server will evaluate the published SPF and DKIM records and give them a pass or fail grade
• The receiving SMTP server will then accept or reject the message based on the published DMARC policy
• The receiving SMTP server sends abuse and forensic reports
SPF, DKIM, or DMARC
Opt-In
• Ensure that we are only sending mail to users who specifically requested it. It is not advisable to purchase mailing lists or subscribe users by having an opt-in checkbox automatically checked on your website.
• It is preferable to have a double/confirmed opt-in process. When users subscribe to our mailing lists, send them an email asking them to click to confirm their opt-in. This will reduce the number of people who sign up from fake email addresses.
• When users subscribe to your mailing list, tell them what mail to expect, how often to expect it, and what it will look like. Set recipient expectations clearly.
Easy Unsubscribe
• Provide an obvious unsubscribe link in our mail
• Make it easy to unsubscribe from our mailing lists
• Ensure the unsubscribe process is easy to use
• No logging into a website in order to unsubscribe
• Process unsubscribes immediately
Address Book
Send our email from a consistent email address and advise our users to add that address to their address books.
Mail sent to users with our address in their address book will be delivered to the inbox with images and links enabled.
Opt-In, Unsubscribe, or Address Book
Invalid recipients
A high number of invalid recipients will harm our reputation. We can reduce the number of invalid recipients on our lists by using double/confirmed opt-in. We will always have some invalids due to people changing email addresses, but the lower the number, the better our reputation.
SPAM Complaints
When users click "report spam", we can get a copy of the spam complaint through the receiver’s Feedback Loop (FBL) systems. Ensure we are processing the complaints quickly. Treat spam complaints as an unsubscribe and remove the name from our mailing lists.
• User clicks on “Report as Spam”
• The FBL responds that our email is being marked as spam
• We remove the user from that list
Invalid Recipients or Spam Complaints
Segregate IPs
Don't send marketing email from the same IPs we use to send user mail, transactional mail, or list mail. Each IP we send from has a reputation. By segregating our IPs according to function, we help ensure that our mail receives the best delivery possible.
• User: 138.86.63.10
• Transactional: 138.86.63.11
• List: 138.86.63.12
• Marketing: 138.86.63.13
Categories of Email at UNC
Category Kind Systems Domain Current Outbound Future Outbound
User User to user email Exchange @unco.edu Barracuda EOP
Transactional Scan PDF to email,
WUG Alerts, Automatically
generated email
Scanners, WUG, The
Source, [email protected] Barracuda,
Follet 138.86.63.12
List Announcements Listserv @listserv.unco.edu Barracuda 138.86.63.13
Marketing BRM, Recruiter,
Alumni Relations
Databases @m.unco.edu Barracuda, ExactTarget,
Sendgrid 138.86.63.14
How can we move to Office 365 and its recipient limit while implementing these best practices?
Future Email Flow
[Diagram labels: Exchange; Listserv; LOB, WUG, BRM, Recruiter; Internet; Barracudas; Relay DNS is pointed here; Outbound MTA; DKIM Signing; Segregate IP based on mail category; Transactional IP; List IP; Marketing IP; Email Hygiene]
In House Solution
• Windows Server 2012 R2
• IIS SMTP Virtual Servers
• hMailServer
Commercial Features
Throttling
Limiting the number of connections and emails being sent to a specific domain
[Chart: Messages Per Minute (0 to 100) for Gmail, Outlook.com, AOL, Yahoo!]
Reputation Monitoring
Notification alert when a sending IP address gets blacklisted
IP Address Warm Up
Send small amounts of email at first and slowly increase volume over time
[Chart: Messages Per Day (0 to 12000), Week 1 through Week 6]
Bounce Processing
Parses incoming bounce messages and assigns meaning to the code
Click and Open Data
Transparently modify email messages to know if users are engaging with the message
[Chart: Open Rate and Click Rate (0% to 40%) for Email 1 through Email 4]
Deliverability Data
See exactly what ISPs are filtering or bulking your email
Feedback Loop Processing
Parses incoming feedback loop notifications from ISPs and determines the source address and email campaign that generated the complaint
In House Solution
Features In House
Windows
VirtualMTAs
IP Segmentation
DKIM Signing
Free
Commercial Solutions
Features In House PowerMTA Green Arrow Zrinity Hurricane MTA
Windows
Linux
VirtualMTAs
IP Segmentation
DKIM Signing
Throttling
Reputation Monitoring
IP Address Warm Up
Bounce Processing
Click & Open Data
Deliverability Data
FBL Processing
Database Integration
Questions