Building an Email Asset Inventory to Improve Email Deliverability & Security — Who Are Your Authorized Senders?
Radicati estimates that 361.6+ billion emails are sent every day in 2024. But how do you know who is actually permitted to send email as you?
Editor’s Note: This is a guest blog contribution from Jacob Duane, CEO of Stellastra. Duane shares his insights on how email authentication and security measures help to improve email deliverability and mitigate unauthorized email sender-related issues.
We’ve all encountered situations where emails end up in spam folders or show warnings about an unverified sender in services like Gmail or Outlook. These issues, often marked by a red question mark or a notification indicating the sender cannot be authenticated, might also affect your outbound emails without your knowledge. Such incidents can severely impact your organization’s email deliverability, reputation, and even relationships with customers, thereby affecting revenue opportunities.
If such email is unauthorized, what counts as authorized? The standard way to say so is to publish, through a key set of DNS-based protocols and standards, an email asset inventory that declares who may send as your domain. We’ll explore what this inventory is and what yours should include to help prevent unauthorized senders from using your good name.
Let’s hash it out.
Breaking Down the Basics: What Is an Email Asset Inventory?
An email asset inventory is a resource you can use to wrap your arms around your organization’s email-related assets. Maintaining an up-to-date list helps you have a more complete picture of what’s included in your email environment — think servers, authorized domains and senders, and other pertinent assets — so you can manage everything more effectively (and, ideally, prevent email spoofing and business email compromise attacks).
An email asset inventory can be as detailed as you need it to be. For example, you can keep track of your S/MIME certificates, email server jurisdiction, and data sovereignty, but in this article, we will focus on keeping track of authorized senders to help improve email deliverability.
Each time a new email sending service is added (whether it be a mailbox service such as Google or Microsoft, or a marketing service such as SendGrid or Mailchimp), it must be explicitly authorized by the admin responsible for maintaining your DNS records.
Email Deliverability: How DNS Policies Help Emails Get Where They Need to Go
DNS, or the Domain Name System, for the uninitiated, is a lookup service that converts domain names such as thesslstore.com into machine-readable Internet Protocol (IP) addresses (e.g., 104.22.2.46) so that traffic can be routed across the internet. A domain’s DNS zone holds far more than that, including
- website address (A/AAAA records for IPv4 and IPv6, respectively),
- email inbox (Mail Exchange/MX records),
- Name Servers and Start of Authority (NS/SOA) records
… and several others that we won’t detail here.
The MX records are simple; they point to the mail server that receives the domain’s email. Perform an MX lookup of a handful of domains, and you’ll likely see some pointing to Microsoft Office 365/Outlook, Google/Gmail, or a spam filtering service such as Proofpoint or Mimecast.
The recipient’s mail server sees an incoming message, but how does it know whether the sender is authorized? The Simple Mail Transfer Protocol (SMTP) was first specified in 1981 (RFC 788), roughly a decade before HTTP, the protocol behind every website request you make over the internet.
As was common at the time, usability was prioritized over security, leaving SMTP vulnerable to nefarious individuals. In fact, new vulnerabilities, such as SMTP smuggling, are still being found.
To deal with this, internet standards slowly emerged to let a domain owner state who is (and who is not) allowed to send email on its behalf, and to let receivers verify that a message really came from an authorized sender. These email authentication standards are
- Sender Policy Framework (SPF),
- DomainKeys Identified Mail (DKIM), and
- Domain-based Message Authentication, Reporting, and Conformance (DMARC).
An organization explicitly authorizing and authenticating senders improves security and email deliverability, as it makes it harder (though not impossible) for scammers to spoof your organization. SPF, DKIM, and DMARC quickly get technical, but we can use them to map our email asset inventory.
Related Resource: 10 Email Server Security Best Practices to Secure Your Email Server
The Importance of Creating & Maintaining an Email Asset Inventory
With the bulk-sender requirements Google and Yahoo introduced in 2024, which include publishing a DMARC policy, building strong SPF and DKIM records will not only tell you who is sending on your domain but will also improve your email deliverability to leads, prospects, clients, and stakeholders.
DMARC is further necessary for emerging brand authentication standards, such as brand indicators for message identification (BIMI), which (when combined with a verified mark certificate) allows you to incorporate your company’s logo into your outbound emails. (BIMI and VMCs are supported by major inboxes, including Apple and Google.)
For an additional layer of email security, you can also have your employees digitally sign their emails using S/MIME certificates. These digital files add validated digital identity to your outbound messages, providing recipients with another way to verify whether your domain’s emails are authentic and unaltered.
Note that SPF, DKIM, and DMARC only help when every legitimate sender authenticates its mail correctly. Any organization can publish a restrictive SPF record, but SPF on its own checks only the envelope sender (the SMTP MAIL FROM), so stopping spoofing of the visible From address, the kind used in BEC, also requires a DMARC policy that checks alignment. Organizations also differ widely in their needs and capabilities: they range from those with strong authorization policies to those with no authentication at all, and everything in between. The reasons include budgets, resource constraints, perceived complexity, lack of awareness, and incomplete handovers when old IT staff leave.
SPF, DKIM, and DMARC Records Don’t Exist By Default
New startups buying a domain often benefit from some sort of automatic integration when setting up their email with a major provider. Therefore, they may not be aware that they even have such records. In large organizations, departments don’t always talk with one another, creating “Shadow IT” — that is, IT infrastructure used by the organization that is unknown to the IT team.
Implementing SPF, DKIM, and DMARC requires strong technical know-how, and misconfigurations are easy. For example, a small number of the email marketing services we analyzed advise users to create a more permissive SPF record in an effort to make their solutions seem easier to use.
It’s sometimes the case that no one maintains the DNS records for an organization, or admins may outsource those responsibilities to an MSP. If you know yours, skip the next section to jump right to building an email asset inventory. Otherwise, read on to learn how to access your DNS.
How to Check Your Existing DNS Records
Using an “NS” or “SOA” lookup (available through free online services, or from a local terminal with a tool such as dig or nslookup), you can determine who manages your DNS records. Often, these names are not exactly the same as the company you contract with, so search for the names that appear and see if you recognize any of them.
For example, an SOA lookup on stellastra.com points to Netlify. The SOA record names the zone’s primary name server and, in its RNAME field, the email address of the party responsible for the zone, written with the “@” replaced by a dot. For most organizations that do not run their own DNS, both belong to the DNS provider’s domain rather than your own, which is why ours at Stellastra lists Netlify. If the SOA isn’t obvious, check the NS records for your domain instead. Doing so for stellastra.com returns “dns1.p01.nsone.net.”, and a quick search shows that Netlify uses these name servers.
If it still isn’t clear, perform a WHOIS lookup of your domain to find your domain registrar. Even if you’ve delegated control of your domain elsewhere, your domain registrar should be able to assist you in recovering access to your DNS zone.
3 Steps for Building a DNS-Based Inventory to Improve Email Deliverability
Once logged in to your DNS zone, look for two major types of records (SPF and DKIM).
Start By Assessing Your SPF Records
You should have exactly one SPF record. An erroneous setup with several is possible and causes receivers to treat the policy as a permanent error, which can land your emails in recipients’ spam folders. SPF records are published as “TXT” records (you may still encounter the dedicated “SPF” record type, but RFC 7208 discontinued it, so publish only the TXT form). A record starts with “v=spf1” and normally ends with one of “-all”, “~all”, “?all”, or “+all”, the last of which authorizes the entire internet; less commonly, it ends with a “redirect=” modifier pointing to another domain’s record. Keep in mind that “include:”, “a”, “mx”, “ptr”, “exists”, and “redirect=” each cost a DNS lookup, and RFC 7208 caps a record at ten in total, so long include chains are another way to break SPF.
Once you’ve found your record, you’ll see the authorized senders. A record that authorizes no senders at all looks like this: “v=spf1 -all”. It is common to have multiple authorized senders inside the single SPF record.
Some entries might be immediately obvious; others, you might need to look up. For example, the SPF record of stellastra.com contains the entry “include:spf.protection.outlook.com”. A quick search shows that this belongs to Microsoft, which means Stellastra has authorized Microsoft to send emails on its behalf. Quite simply, the SPF record allows certain IP addresses to send emails using Stellastra’s domain: resolving that include yields a collection of IP address ranges, including, for example, ip4:40.92.0.0/15, ip4:40.107.0.0/16, and ip4:52.100.0.0/14.
Sometimes an entry won’t be a domain name in an “include:” or “a:” mechanism but a bare address range in an “ip4:” or “ip6:” mechanism. This is where a reverse DNS (PTR) lookup or a WHOIS lookup of the address can greatly aid you in identifying the owner of the IP range and, consequently, the sender you’ve authorized.
(Image: the current SPF record for stellastra.com, which shows that Microsoft is authorized to send email on behalf of the domain.)
If you find senders in your SPF record that you don’t recognize or no longer use, it is good practice to remove them. But before you do, employ DMARC monitoring, as discussed below, to ensure you don’t accidentally remove a legitimate sender. Another department, for example, may be using that mailing service as shadow IT, unknown to the IT department.
NOTE: Every domain you own should have an SPF record, even domains that never send email. Simply not sending from the domain is not enough; a receiving server needs an explicit policy saying that no email is authorized from it. Following the SPF standard (RFC 7208), publish a TXT record containing exactly “v=spf1 -all” and nothing else. For such parked domains, pair it with a DMARC record whose policy is “p=reject”, so that receivers also reject messages that merely put the domain in their From header, and consider a null MX record (RFC 7505) to declare that the domain accepts no mail either.
Check Whether You Have DKIM Set Up
Next, you’ll want to look for DKIM records. They live at “selector._domainkey.yourdomain.com”, where the selector is a name chosen by the sending service (it also appears in the “s=” tag of the DKIM-Signature header on each signed message). These are typically “CNAME” records that point to whichever sending service(s) you’re using, although they may be of type TXT if you’re hosting the public key directly rather than delegating it via a CNAME record. Because selectors can’t be listed from DNS, take them from the service’s setup guide or from your DMARC reports.
(Image: the DKIM records for stellastra.com, showing Microsoft and SendGrid DKIM keys.) DNS records make all of this information publicly available.
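As an added example (not code from the original article), the following Python script walks a domain’s SPF record the way a receiver would, resolving “include:” chains, counting DNS-querying terms against RFC 7208’s limit of ten, flagging “+all”, multiple records and missing includes, and then checks a list of DKIM selectors under _domainkey. The DNS data is a constructed fixture (the example.com zone, its include chain and the selector names are all assumptions), so it runs offline; swap in a real resolver to audit your own domain.

```python
# Added example: build the DNS side of an email asset inventory from SPF and
# DKIM records. DNS answers come from the constructed ZONE fixture so this runs
# offline; to audit a live domain, replace lookup_txt() with a real resolver
# such as dnspython's dns.resolver.resolve(name, "TXT").
import re

# Constructed fixture (DNS name -> TXT strings). The include chain and address
# ranges imitate the shape of real provider records; they are not live data.
ZONE = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com include:sendgrid.net ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 -all"],
    "sendgrid.net": ["v=spf1 ip4:167.89.0.0/17 ip4:168.245.0.0/17 ~all"],
    "parked.example": ["v=spf1 -all"],                                        # non-sending domain, done right
    "broken.example": ["v=spf1 include:missing.example -all", "v=spf1 +all"],  # two records -> permerror
    "deep.example": ["v=spf1 " + " ".join(["include:sendgrid.net"] * 11) + " -all"],  # 11 lookups
    # DKIM keys live at <selector>._domainkey.<domain>. A CNAME-delegated key
    # resolves to the provider's TXT record; the fixture stores that final answer.
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB"],
    "old._domainkey.example.com": ["v=DKIM1; k=rsa; p="],                     # empty p= revokes the key
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query; RFC 7208 allows 10
TERM = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)([:=/].*)?")            # mechanism/modifier name + argument


def lookup_txt(name):
    return ZONE.get(name.lower(), [])


def spf_records(domain):
    """Every TXT string at `domain` that is an SPF record (first token v=spf1)."""
    return [r for r in lookup_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]


def audit_spf(domain):
    """Flatten a domain's SPF policy into the senders it authorizes, plus any issues found."""
    inv = {"domain": domain, "all": None, "ip4": [], "ip6": [], "hosts": [],
           "includes": [], "lookups": 0, "issues": []}
    records = spf_records(domain)
    if not records:
        inv["issues"].append("no SPF record (publish 'v=spf1 -all' if the domain never sends mail)")
        return inv
    if len(records) > 1:
        inv["issues"].append(f"{len(records)} SPF records published; receivers return permerror")
    _walk(records[0], domain, inv, chain=(domain.lower(),), top=True)
    if inv["lookups"] > 10:
        inv["issues"].append(f"{inv['lookups']} DNS-querying terms exceed the limit of 10 (permerror)")
    if inv["all"] in ("+all", "?all"):
        inv["issues"].append(f"'{inv['all']}' lets any host on the internet pass SPF")
    return inv


def _walk(record, domain, inv, chain, top):
    for term in record.split()[1:]:                        # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = TERM.fullmatch(term.lstrip("+-~?"))
        if not m:
            inv["issues"].append(f"unparseable term '{term}' in {domain}")
            continue
        name, value = m.group(1).lower(), m.group(2) or ""  # value keeps its leading ':' '=' or '/'
        if name in LOOKUP_TERMS:
            inv["lookups"] += 1
        if name == "all":
            if top:                                        # an 'all' inside an include never matches outward
                inv["all"] = qualifier + "all"
        elif name in ("ip4", "ip6"):
            inv[name].append(value[1:])
        elif name in ("a", "mx"):                           # bare 'a' / 'mx' refer to the record's own domain
            inv["hosts"].append(f"{name}:{value[1:] if value.startswith(':') else domain + value}")
        elif name in ("include", "redirect"):
            target = value[1:].lower()
            inv["includes"].append(target)
            if target in chain:
                inv["issues"].append(f"include loop through {target}")
                continue
            sub = spf_records(target)
            if not sub:
                inv["issues"].append(f"{name}:{target} has no SPF record (permerror)")
                continue
            # only redirect= hands the top-level 'all' decision to the target record
            _walk(sub[0], target, inv, chain + (target,), top=top and name == "redirect")


def audit_dkim(domain, selectors):
    """Which of the given selectors publish a DKIM key under `domain`, and in what state.
    Selectors are an input because DNS cannot enumerate them (see the text above)."""
    keys = {}
    for sel in selectors:
        for rec in lookup_txt(f"{sel}._domainkey.{domain}"):
            tags = {}
            for tag in rec.split(";"):                     # 'tag=value; tag=value' list (RFC 6376)
                k, _, v = tag.partition("=")
                if k.strip():
                    tags[k.strip()] = v.strip()
            keys[sel] = "revoked (empty p=)" if not tags.get("p") else f"active {tags.get('k', 'rsa')} key"
    return keys


if __name__ == "__main__":
    import json
    print(json.dumps(audit_spf("example.com"), indent=2))
    print(audit_dkim("example.com", ["selector1", "s1", "old", "google"]))
    for d in ("parked.example", "broken.example", "deep.example", "nothing.example"):
        print(d, audit_spf(d)["issues"])
```

The flattened “ip4” list is the raw form of your inventory: every range in it is a host you have agreed may send as you. Each entry in “includes” that you cannot name is a sender to investigate (and to confirm against DMARC reports before removing), while a missing selector in the DKIM result means that service is either not yet set up or has been decommissioned.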
So far, we’ve looked at sending services you’ve authorized. However, it is fairly common to erroneously send via unauthorized services. That is, the mailing server has never been explicitly authorized, but the sending service is configured to send email regardless. In such an instance, you’ll want to look at DMARC reports.
Check DMARC to See What Else Is Sending on Your Behalf
DMARC aggregate reports are sent by participating mailbox providers, usually once a day as compressed XML, to the address listed in the “rua=” tag of your DMARC record. You can parse these reports yourself if you have the technical know-how, but many companies specialize in processing the data for you. Either way, the reports are an excellent snapshot of who is sending emails on your behalf.
These reports break down sending sources by IP address alongside their SPF, DKIM, and DMARC results (and, in some report processors, Authenticated Received Chain (ARC) results), allowing you to diagnose many common email deliverability errors. This is the most quantitative way to determine who is sending messages on behalf of your company. The data will also reveal authorized senders that no longer send emails on your behalf; identifying such services and disabling them reduces your attack surface.
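As an added example (not from the original article or from any report-processing vendor), the following Python script parses a constructed DMARC aggregate report in the RFC 7489 XML format and sorts each sending source into authorized, DKIM-only (an SPF gap worth fixing), and unauthorized, while collecting the DKIM selectors that signed passing mail. Every address, count and name in the report is invented for illustration.

```python
# Added example: summarize a DMARC aggregate (rua) report to see who actually
# sends as your domain. REPORT is a constructed report in the RFC 7489 XML
# format; real ones arrive gzip- or zip-compressed at the mailto: address in
# your DMARC record's rua= tag. Addresses, counts and names are invented.
import xml.etree.ElementTree as ET

REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name><report_id>0001</report_id></report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>  <!-- mailbox provider listed in SPF and signing with DKIM: fully authorized -->
    <row><source_ip>40.92.1.2</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- marketing service: DKIM aligned, but its envelope sender is the vendor's domain -->
    <row><source_ip>167.89.10.20</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounces.vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>  <!-- unknown host failing both checks: a spoof, or a service nobody authorized -->
    <row><source_ip>198.51.100.77</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_dmarc_record(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=mailto:...') into its tags."""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip()] = v.strip()
    return tags


def summarize_report(xml_text):
    """One row per sending source, with the alignment results the receiver evaluated."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    sources = []
    for rec in root.iter("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        # policy_evaluated holds the *aligned* results; a raw auth_results entry may
        # pass for another domain (e.g. a vendor's bounce domain) and still fail DMARC.
        dkim_aligned, spf_aligned = pe.findtext("dkim") == "pass", pe.findtext("spf") == "pass"
        sources.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned,  # RFC 7489: either aligned identifier suffices
            "dkim_selectors": [d.findtext("selector") for d in rec.findall("auth_results/dkim")
                               if d.findtext("result") == "pass"],
        })
    return {"domain": policy.findtext("domain"), "p": policy.findtext("p"), "sources": sources}


def classify(summary):
    """Bucket sources for the inventory. 'spf_gap' lists sources that pass DMARC on DKIM
    alone: legitimate services whose envelope sender is not aligned with your domain."""
    buckets = {"authorized": [], "spf_gap": [], "unauthorized": []}
    for s in summary["sources"]:
        if not s["dmarc_pass"]:
            buckets["unauthorized"].append(s["source_ip"])
            continue
        buckets["authorized"].append(s["source_ip"])
        if not s["spf_aligned"]:
            buckets["spf_gap"].append(s["source_ip"])
    return buckets


def selectors_in_use(summary):
    """DKIM selectors that actually signed passing mail: the list to check in DNS."""
    return sorted({sel for s in summary["sources"] for sel in s["dkim_selectors"] if sel})


def failing_volume(summary):
    """Messages in the report that failed DMARC, i.e. what p=quarantine/reject would act on."""
    return sum(s["count"] for s in summary["sources"] if not s["dmarc_pass"])


if __name__ == "__main__":
    summary = summarize_report(REPORT)
    print(f"{summary['domain']} policy p={summary['p']}:", classify(summary))
    print("DKIM selectors seen:", selectors_in_use(summary), "| failing messages:", failing_volume(summary))
    if summary["p"] == "none":
        print("p=none only monitors; move to quarantine/reject once every legitimate source passes")
```

The “spf_gap” bucket is the one that most often surprises teams: a service that was set up with DKIM but never added to SPF, or that uses its own bounce domain, passes DMARC today but will break the moment DKIM signing is misconfigured, so it belongs in the inventory as an explicitly authorized sender. The “unauthorized” bucket is where spoofing and shadow IT show up; check the source IPs with reverse DNS or WHOIS before deciding which they are.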
Taking such actions goes a long way toward building your cyber resilience against Business Email Compromise (BEC) and spoofing scams; the FBI’s Internet Crime Complaint Center (IC3) received complaints reporting $2.9 billion in BEC losses in 2023 alone.
Combining a review of your DNS records with DMARC report monitoring tells us both who is authorized to send email on behalf of our company and who is actually doing so. That is the email asset inventory, and it keeps us fully in control of our domain names.
Final Thoughts on Improving Email Deliverability & Preventing Unauthorized Senders
Building an email asset inventory is a proactive step to safeguard your domains from unauthorized email senders. This inventory, which tracks authorized domains, servers, and senders through protocols such as SPF, DKIM, and DMARC, helps ensure that only legitimate sources can send emails on your behalf.
By taking this step, you not only enhance your email deliverability and maintain a good reputation but also protect against cybersecurity threats such as BEC scams and spoofing, protecting your company from financial and reputational losses.