Product managers and engineers from some of the world’s largest mailbox providers recently got together to explain coming changes in email authentication at an industry conference. While we can’t share all that was said, we did get permission to share their combined best practice recommendations, which will work as well for a small business as they will for a company sending millions of messages an hour on behalf of their clients.
General Practices
Any IP address you send email from should have a PTR record. This works a bit like a reverse phone directory: it lets a receiver take a numeric IP address and look up a hostname. Addresses assigned to residential Internet connections or public access points frequently have no PTR record, so the absence of one is commonly treated as a negative signal when an incoming connection is evaluated. Many receivers go a step further and check that the hostname returned resolves forward to the same address (forward-confirmed reverse DNS), so make sure yours does.
Use email authentication, ideally all three of SPF, DKIM, and DMARC. Authentication won't guarantee that your messages reach the inbox, especially if their content looks like spam, but it does keep you from starting out in the highly suspicious column. That's because authenticated mail makes it easier to build and track a sender's reputation: good senders who authenticate can be recognized more easily, while those who don't will increasingly start at a disadvantage.
SPF Practices
SPF has a lot of complex and powerful mechanisms, but don't take that as a challenge to find ways to use them. Keep your SPF records as simple as possible, and don't list any more hosts than you have to. This applies to the include: mechanism as well: use as few as possible, avoid nested includes whenever you can, and never use so many that you exceed the limit of 10 DNS-querying terms (include, a, mx, ptr, exists and redirect, counted across every record the evaluation visits). Going over the limit makes the record evaluate as a permanent error rather than a pass.
If you specify blocks of addresses using CIDR notation in your SPF records, only use prefix lengths between /30 and /16 inclusive (for example 10.10.10.0/24); the higher the number after the slash, the smaller the block, and the better. Avoid anything from /1 to /15, because some receivers discount such blocks or ignore them completely. And never, ever use or include a record with "+all" in it: that lets any host on the Internet pass SPF for your domain. The only productive ways to use "all" are "~all" (softfail) and "-all" (fail).
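The checks above (lookup count across includes, nested includes, over-broad CIDR blocks, and "+all") are mechanical enough to lint before you publish. The following is an added example written for this post, not code from the panel or from DMARC.org. It walks a record the way an SPF evaluator would, following include: and redirect= into the records they name. To run offline it reads from a constructed ZONE dictionary standing in for DNS TXT lookups; the domains and addresses in it are documentation-reserved placeholders, not real senders.

```python
import re

# Constructed stand-in for DNS TXT lookups so the linter runs offline.
# Domains and addresses are documentation-reserved values, not real senders.
ZONE = {
    "example.com": ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/8 a mx "
                    "include:_spf.esp.example include:_spf.crm.example "
                    "include:_spf.support.example ~all"),
    "_spf.esp.example": "v=spf1 include:_spf1.esp.example include:_spf2.esp.example -all",
    "_spf1.esp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf2.esp.example": "v=spf1 ip4:203.0.113.64/26 exists:%{i}.spf.esp.example -all",
    "_spf.crm.example": "v=spf1 a mx ptr +all",
    "_spf.support.example": "v=spf1 mx -all",
}

LOOKUP_LIMIT = 10
# Terms that cost a DNS query under RFC 7208 section 4.6.4 (plus the redirect= modifier).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}
# qualifier, mechanism/modifier name, separator (":" value, "=" modifier, "/" bare CIDR), value
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.I)


def lint_spf(domain, zone, depth=0, path=()):
    """Return (total_dns_lookups, findings) for domain's record and everything it includes."""
    findings, lookups = [], 0
    if domain in path:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(path)}"]
    path = path + (domain,)
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record (an include of it produces permerror)"]
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            findings.append(f"{domain}: unparseable term {term!r}")
            continue
        qual = m.group(1) or "+"          # no qualifier means "+"
        name, sep, value = m.group(2).lower(), m.group(3), m.group(4)
        if name in LOOKUP_MECHS or (name == "redirect" and sep == "="):
            lookups += 1
        if name == "ptr":
            findings.append(f"{domain}: ptr mechanism is slow and discouraged (RFC 7208 section 5.5)")
        if name == "all" and qual not in ("-", "~"):
            findings.append(f"{domain}: '{qual}all' lets any host pass; use ~all or -all")
        if name == "ip4" and value and "/" in value:
            prefix = int(value.rsplit("/", 1)[1])
            if prefix < 16:
                findings.append(f"{domain}: {value} is broader than /16 and may be ignored by receivers")
        if name in ("include", "redirect") and value and sep in (":", "="):
            if name == "include" and depth > 0:
                findings.append(f"{domain}: nested include:{value} (depth {depth + 1})")
            sub_lookups, sub_findings = lint_spf(value.lower(), zone, depth + 1, path)
            lookups += sub_lookups
            findings.extend(sub_findings)
    if depth == 0 and lookups > LOOKUP_LIMIT:
        findings.insert(0, f"{domain}: {lookups} DNS lookups, over the limit of {LOOKUP_LIMIT} (permerror)")
    return lookups, findings


if __name__ == "__main__":
    total, problems = lint_spf("example.com", ZONE)
    print(f"example.com uses {total} DNS lookups")
    for p in problems:
        print(" -", p)
```

In the constructed zone, example.com looks harmless on its own (three includes, a and mx), but the includes it pulls in add up to 12 lookups, two of them nested, one with a ptr mechanism and a "+all" that would authorize the entire Internet. To use this against a real domain, replace the ZONE lookup with a TXT query (for example via dnspython) and keep everything else the same.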
DKIM Practices
Rule number one for DKIM is to make sure your keys are at least 1,024 bits long. Signatures made with shorter keys are often ignored completely, and this will become more widespread as more senders switch to 2,048-bit or longer keys.
DKIM is built on cryptographic digital signatures, and cryptography has developed its own best practices over time. One of these is to change keys regularly, so that an attacker doesn't have years and years to work on recovering a key, and so that a key that leaks has a bounded useful life. Unfortunately, many senders are still using DKIM keys that were created five years ago, and sometimes longer! Instead you should switch to a new DKIM key, or "rotate" your keys, at least once a year. Because DKIM publishes each key under a selector, rotation is painless: publish the new key under a new selector, start signing with it, and remove the old selector's record once messages signed with it have stopped circulating. If you send millions of messages each month, or if your messages are particularly sensitive, you should really consider rotating more often than that.
Another mistake too many ESPs make is to use a single DKIM key for all their customers. Each customer should instead have its own DKIM key that is only ever used for that customer's messages, so that one customer's reputation, or a compromise of one customer's key, doesn't spill over onto the others.
And finally, if you generate bounce messages for any reason, sign them with DKIM too.
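Both the key-length rule and the yearly rotation rule can be audited from what you already publish in DNS. The following is an added example written for this post (not code from the panel or from DMARC.org) that serves both points: it decodes the p= value of a DKIM TXT record, which is a base64 DER SubjectPublicKeyInfo, far enough to read the RSA modulus size, and then walks a per-customer selector inventory to flag keys under 1,024 bits and keys older than a year. The selector inventory and the moduli are constructed placeholders (integers of the right size, not real RSA keys); an ESP would build the inventory from its own key store, with one selector per customer as recommended above. Only k=rsa records are handled.

```python
import base64
from datetime import date

# OID 1.2.840.113549.1.1.1 (rsaEncryption) as a DER OBJECT IDENTIFIER TLV.
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:                      # keep the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def spki_from_rsa(n, e=65537):
    """DER SubjectPublicKeyInfo for an RSA public key (n, e): the encoding DKIM publishes in p=."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")            # AlgorithmIdentifier {rsaEncryption, NULL}
    pub = _der(0x30, _der_int(n) + _der_int(e))         # RSAPublicKey {modulus, publicExponent}
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))  # BIT STRING, 0 unused bits


def dkim_txt_record(n, e=65537):
    """Build the TXT record for <selector>._domainkey.<domain> from a public key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_from_rsa(n, e)).decode()


def _tlv(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def rsa_modulus_bits(txt):
    """Modulus size in bits of the RSA key in a DKIM TXT record (k=rsa only)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # p= is often split across TXT strings
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key: k=" + tags["k"])
    _, spki, _ = _tlv(base64.b64decode(tags["p"]))
    _, alg, pos = _tlv(spki)
    if not alg.startswith(RSA_OID):
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")
    _, bitstring, _ = _tlv(spki, pos)
    _, rsa_pub, _ = _tlv(bitstring[1:])  # skip the unused-bits byte
    _, modulus, _ = _tlv(rsa_pub)        # first INTEGER of RSAPublicKey is n
    return int.from_bytes(modulus, "big").bit_length()


# Constructed inventory: placeholder moduli of the right size, not real keys.
AUDIT_DATE = date(2024, 1, 15)
SELECTORS = [
    {"selector": "s2014", "domain": "customer-a.example", "created": date(2014, 6, 1),
     "txt": dkim_txt_record((1 << 511) | 1)},    # 512-bit key, will be ignored
    {"selector": "s2022", "domain": "customer-b.example", "created": date(2022, 3, 1),
     "txt": dkim_txt_record((1 << 2047) | 1)},   # 2048-bit but never rotated
    {"selector": "s2023q4", "domain": "customer-c.example", "created": date(2023, 10, 1),
     "txt": dkim_txt_record((1 << 2047) | 1)},   # fine
]


def audit_dkim_keys(selectors, today, min_bits=1024, max_age_days=365):
    """Return (selector, domain, problem) for keys that are too short or overdue for rotation."""
    findings = []
    for s in selectors:
        where = (s["selector"], s["domain"])
        bits = rsa_modulus_bits(s["txt"])
        if bits < min_bits:
            findings.append(where + (f"{bits}-bit key; verifiers ignore keys under {min_bits} bits",))
        age = (today - s["created"]).days
        if age > max_age_days:
            findings.append(where + (f"key is {age} days old; rotate at least yearly",))
    return findings


if __name__ == "__main__":
    for sel, dom, problem in audit_dkim_keys(SELECTORS, AUDIT_DATE):
        print(f"{sel}._domainkey.{dom}: {problem}")
```

The DER walk deliberately reads only the fields it needs rather than pulling in a crypto library, so it can run on a bare host; for a real audit, fetch each selector's TXT record and use the creation dates from your key store.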
DMARC Practices
First, if you aren't already using DMARC, start. You'll benefit from the reporting it provides, and it lets you signal to mailbox providers (with a policy of p=reject) that they should block messages using your domain that don't pass authentication. This means fraudulent messages using your domain can be identified and blocked, which protects your customers while improving your domain's reputation.
If you use DMARC you have to make sure your messages have what's called "identifier alignment": the domain in the visible From: header must match either the domain DKIM signed for (the d= tag) or the domain SPF authenticated (the MAIL FROM, or Return-Path, domain), exactly in strict mode or at the organizational-domain level in relaxed mode. A message passes DMARC only if at least one of those authenticated identifiers aligns, so publishing DMARC without alignment could send your messages straight to the "suspicious" queue, or to rejection if your policy is p=reject.
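To make the alignment rule concrete, here is an added example written for this post (not code from the panel or from DMARC.org) that evaluates the DMARC verdict for a message given the From: domain, the d= domains of any DKIM signatures that verified, and the domain SPF passed for, under the adkim/aspf modes of a DMARC record. The DMARC record and the message identifiers are constructed. One simplification is labelled in the code: the organizational domain is taken to be the last two labels, whereas a real evaluator consults the Public Suffix List so that names like example.co.uk are handled correctly.

```python
# Constructed DMARC policy for the From: domain used below (not a real record).
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=r; aspf=s"


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain. Assumption: last two labels. A production evaluator
    must use the Public Suffix List instead (example.co.uk would break here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares organizational domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record, dkim_pass_domains=(), spf_pass_domain=None):
    """dkim_pass_domains: d= values of signatures that verified.
    spf_pass_domain: the MAIL FROM domain if SPF returned pass, else None."""
    tags = parse_dmarc(record)
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_pass_domains)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    return {
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "result": "pass" if (dkim_ok or spf_ok) else "fail",
        "policy": tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Constructed messages sent through an ESP on behalf of example.com.
    cases = {
        "signed with customer key": dict(dkim_pass_domains=["mail.example.com"],
                                          spf_pass_domain="bounce.esp.example"),
        "signed with ESP key only": dict(dkim_pass_domains=["esp.example"],
                                          spf_pass_domain="bounce.esp.example"),
        "SPF only, strict aspf":    dict(spf_pass_domain="bounce.example.com"),
    }
    for label, ids in cases.items():
        print(label, "->", evaluate_dmarc("example.com", DMARC_RECORD, **ids))
```

The second case is the one that bites ESP customers: SPF passes, DKIM verifies, and the message still fails DMARC because neither identifier is the customer's domain. The third shows why the aspf/adkim modes matter; the same MAIL FROM domain passes under relaxed alignment and fails under strict.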
Summary
Every mailbox provider reserves the right to filter out legitimate but unwanted messages, so there’s no way to guarantee 100% of your messages will always be accepted. But the recommendations shared here are intended to help you build a good reputation for yourself, and if applicable your clients, and they come straight from the very people doing the filtering. So if there are things suggested here that you aren’t doing, you may want to give some thought to what it would take to implement them.
Many thanks to the folks at ValiMail for organizing the original panel and supplying the summary of best practices that this post is based on. (ValiMail is a supporter of DMARC.org.)