Author: Anthony Mitchell

  • What is BIMI and How It Works: An Introduction for Email Marketers

    As an email marketer, your primary objective is to get your message across to your target audience. However, despite creating compelling email campaigns, if your emails end up in the spam folder, all your efforts would have been in vain.

    That’s where email deliverability comes in. Email deliverability refers to the ability of your emails to land in your subscribers’ inboxes. Previously we have discussed the more established methods of authentication, but one of the latest technologies that can enhance email deliverability is BIMI (Brand Indicators for Message Identification). In this article, we’ll explore what it is and how it works.

    What is BIMI?

    BIMI is an email authentication protocol that uses brand logos to signal the sender’s authenticated identity. It builds upon the DMARC (Domain-based Message Authentication, Reporting, and Conformance) standard, which enables email clients to authenticate the sender’s domain name.

    It allows email marketers to display their brand logo alongside email messages in the recipient’s inbox, subject to the email passing DMARC authentication, adding an additional level of protection.

    Bimigroup.org has a great set of resources, including an implementation guide along with supporting documents, that they keep up to date.

    How does it work?

    First you must establish DMARC authentication for your domain name, with the policy set at least to ‘quarantine’.

    And remember! DMARC requires that SPF or DKIM has been implemented correctly, so that’s two layers of protection that are required before you can proceed.

    After setting up DMARC, you can generate a BIMI record that specifies the location of your brand’s logo. This record is then publicly available in your domain’s DNS (Domain Name System).

    The recipient’s email client verifies the sender’s DMARC record whenever an email is received. If the email passes, the email client then searches for a BIMI record in the sender’s DNS and, if one is found, displays the sender’s logo alongside the email message.

    Why use BIMI?

    First and foremost, it enhances email deliverability by improving the sender’s reputation and trustworthiness, aided by the fact that it requires SPF or DKIM and DMARC to succeed.

    Also, you increase brand recognition and recall by displaying your brand logo in the recipient’s inbox, and this can in turn help improve your email open and click-through rates.

    The resulting improvement in engagement can also lead to better deliverability providing other best practices are also maintained.

    Lastly it can also help prevent email phishing attacks as it provides an extra method for verifying the sender’s identity.

    BIMI and the SPF Vulnerability

    What sounds like a bad children’s book is actually a serious case for making sure that you have authentication implemented correctly.

    In June 2023, a security architect named Chris Plummer was able to send an email that appeared to come from UPS, tricking Gmail into including the UPS logo and blue check.

    The official statement clarifies that the issue stems from a vulnerability that can occur if SPF is not implemented or has been implemented incorrectly. Gmail made some changes as a result, and DKIM is now a necessary requirement as part of your DMARC alignment, where previously SPF was also acceptable.

    Conclusion

    BIMI is a cutting-edge technology that can significantly enhance email deliverability. You can boost brand recognition and recall by showcasing your brand logo in the recipient’s inbox, heighten email open rates and click-through rates, and thwart email phishing attacks. As an email marketer, it’s prudent to implement it to stay at the forefront and enhance the efficacy of your email campaigns.

    Nobody wants to be scammed. We all want to improve subscriber engagement and deliverability that is the best it can be. Get in touch with InboxWizards today, and we can help you set up authentication correctly, troubleshoot any existing problems you might have and monitor your deliverability, ensuring that any future issues are dealt with quickly and effectively.

  • The Power of DMARC: How It Can Keep Your Business Safe

    Ensuring successful email delivery is critical for any email marketing campaign. However, many marketers may face challenges when comprehending the technical components of email deliverability. DMARC, which stands for “Domain-based Message Authentication, Reporting, and Conformance,” is one aspect that marketers need to be familiar with. In this piece we delve into what it is, its significance and impact on email deliverability.

    What is DMARC?

    DMARC is an email authentication protocol used to prevent fraudulent emails from being delivered to the recipient’s inbox. It builds upon SPF and DKIM, requiring that at least one of them is implemented as a prerequisite.

    SPF allows email senders to specify which IP addresses are authorised to send emails on behalf of their domain.

    DKIM is the email authentication method that uses a digital signature to authenticate emails. The signature lets the receiver know that a message was sent and authorised by the owner of a domain, offering yet another level of security.

    If you need more information regarding how DKIM works, our article can help you get started.

    DMARC is the next layer of protection, adding further parameters that ESPs can check in order to confirm that the email is authentic. In order for an email to be considered authentic, it requires that SPF alignment passes as a minimum, and it can be set up to check for DKIM alignment as well.

    It should be pointed out that Google recently made changes to their requirements choosing DKIM as a prerequisite after an issue arose with SPF, which we cover in our article under the risks of an incorrect setup.

    For a full list of resources linked to the implementation of DMARC visit the official DMARC.org website.

    Why does DMARC matter?

    It is crucial in ensuring email deliverability and protecting your brand’s reputation and it’s worth mentioning that German ESPs have recently placed greater importance on having it implemented.

    First of all, it enables email service providers (ESPs) to determine which emails are legitimate and which are not. This allows ESPs to make better decisions about which emails to deliver to the inbox and which to send to the spam folder, and what emails to block and reject completely.

    As a result, one of the primary benefits is its ability to prevent spoofing and phishing attacks, whereby hackers or cybercriminals send an email using your brand’s domain in order to, essentially, trick people into handing over their money.

    It goes without saying that would be detrimental to your business’s reputation.

    Also, as your customers’ personal information is protected against such attacks, it is important for compliance with regulations such as GDPR, which requires that you take steps to protect their data.

    Note, however, that when operating in the EU, RUF reports are not GDPR compliant, as they can contain PII (Personally Identifiable Information).

    To set it up for your domain, you must create a record in your DNS settings.

    What does a DMARC record look like?

    Like SPF, it requires a TXT record to be added to a domain’s DNS (Domain Name System) settings. It contains various tags that define the policy and reporting options for the domain. A typical record looks like this:

    _dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:rua@example.com; ruf=mailto:ruf@example.com; fo=1"

    Here’s a breakdown of the components in the example DMARC record:

    1. _dmarc.example.com.: This is the record’s location in the DNS, which is created as a subdomain under the primary domain (in this case, example.com).
    2. 3600: This is the Time to Live (TTL) value in seconds, which determines how long the record should be cached by DNS resolvers.
    3. IN TXT: This indicates that the record is an Internet (IN) class TXT (text) record.
    4. v=DMARC1;: The v tag specifies the version; the opening double quote marks the start of the TXT record’s value.
    5. p=none;: The p tag defines the policy for handling emails that fail DMARC checks. In this case, none means no specific action should be taken. Other options are quarantine (to mark the message as spam or suspicious) and reject (to reject the message entirely).
    6. rua=mailto:rua@example.com;: The rua tag specifies the email address to which aggregate reports (RUA reports) should be sent.
    7. ruf=mailto:ruf@example.com;: The ruf tag specifies the email address to which forensic reports (RUF reports) should be sent.
    8. fo=1: The fo tag defines the conditions for generating forensic reports. In this case, 1 means to generate a report if either SPF or DKIM fails.

    There are additional, optional tags that can be included in a record, such as adkim, aspf, pct, and sp, to further customise the policy and reporting options. The tags should be separated by semicolons and enclosed in the double quotes within the TXT record.
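    The following is an added example, not code from the article or from InboxWizards: it parses a DMARC TXT record into the tags broken down above and then applies the prerequisite the BIMI article states (DMARC enforcing at quarantine or reject before a BIMI record is considered). The records are constructed samples and no DNS lookups are made.

```python
# Added example (not from the article): parse a DMARC TXT record into its tags
# and check the DMARC prerequisites that BIMI depends on. The records are
# constructed samples; no DNS lookups are performed.
from typing import Optional

def parse_tags(txt: str) -> dict:
    """Split a 'tag=value; tag=value' string into a dict (DMARC and BIMI share this syntax)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_bimi_readiness(dmarc_txt: Optional[str], bimi_txt: Optional[str]) -> list:
    """Return a list of problems; an empty list means a mailbox provider could show the logo."""
    problems = []
    dmarc = parse_tags(dmarc_txt or "")
    if dmarc.get("v") != "DMARC1":
        return ["DMARC record missing or without v=DMARC1"]
    # BIMI needs an enforcing policy; p=none only monitors
    if dmarc.get("p") not in ("quarantine", "reject"):
        problems.append(f"p={dmarc.get('p')}: BIMI requires quarantine or reject")
    # pct below 100 applies the policy to only part of the failing mail
    if dmarc.get("pct", "100") != "100":
        problems.append(f"pct={dmarc['pct']}: the policy must apply to 100% of mail")
    # an explicit subdomain policy must enforce too
    if "sp" in dmarc and dmarc["sp"] not in ("quarantine", "reject"):
        problems.append(f"sp={dmarc['sp']}: subdomain policy must also enforce")
    if not bimi_txt:
        problems.append("no BIMI record published at default._bimi.<domain>")
        return problems
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("BIMI record missing v=BIMI1")
    logo = bimi.get("l", "")
    # the logo must be an SVG fetched over HTTPS
    if not (logo.startswith("https://") and logo.lower().endswith(".svg")):
        problems.append("l= must be an https URL pointing to an SVG logo")
    return problems
```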

    Report Types

    There are two types of reports, known as RUF (Report Using Forensic) and RUA (Report Using Aggregate). They contain data about email authentication results, including information about emails that failed SPF, DKIM, and DMARC checks. These reports help domain owners monitor their email traffic and detect potential issues or malicious activities.

    Conclusion

    DMARC is an essential aspect of email deliverability that helps to prevent spoofing and phishing attacks, improve email deliverability, and ensure compliance with regulations. It helps you protect your brand’s reputation and improve the effectiveness of your email marketing campaigns.

    We offer a full range of deliverability services, including DMARC monitoring packages to ensure that your domain is fully protected and optimised, contact InboxWizards to discuss your requirements with an expert.

  • Why SPF Matters: Protect Your Business Against Email Spoofing Attacks

    Sender Policy Framework (SPF) is an email authentication mechanism that protects businesses against spoofing attacks and unauthorised senders. As a business owner, it’s essential to know how it works and understand the benefits of implementing it.

    How Does SPF Work?

    SPF enables the receiving email server to check that an email claiming to come from a specific domain comes from an IP address authorised by that domain’s administrator. An SPF record is published in the DNS as a TXT resource type, specifying allowed-sender hosts for the selected fields.

    When an email arrives at its destination, the receiving server looks up the corresponding record and checks if the source IP address of that message matches any of those listed in the SPF record. If not, this is suspicious, as the domain’s administrator did not authorise this source.

    What are the Benefits?

    There are many benefits to your email marketing. Firstly, it prevents spoofing attacks that can be used to steal data or commit fraud, which could be disastrous for your business’s reputation and success.

    Secondly, it ensures only legitimate senders can use your domain name when sending emails on behalf of your company.

    Thirdly, it helps ensure all emails contain accurate information about their origin so that spam filters do not block legitimate emails from your company’s address.

    This means more customers are likely to receive important messages related to sales or customer service inquiries instead of getting blocked or marked as spam.

    Ultimately, you are protecting yourself and your customers by verifying and authenticating where emails are coming from and ensuring that only authorised users can send emails on behalf of your business. This process increases customer trust, improves security, and appears in full headers to show you have taken precautions to protect data.

    Risks of an incorrect setup

    Recently, a security architect named Chris Plummer was able to take advantage of an SPF vulnerability that occurs when SPF is not implemented or is implemented incorrectly.

    Using the vulnerability, he was able to bypass Google’s authentication checks with a spoofed email claiming to be sent from UPS, even managing to get it to display the logo and blue check.

    BIMI released a statement explaining that the check works as expected and that the problem is purely the result of a vulnerability that predates the existence of BIMI and DMARC.

    How To Create An SPF Record

    In order to create an SPF record you need to specify the version of SPF that you are using, the list of IP addresses that have permission to send email on behalf of the domain, any third-party domains that also have permission and, lastly, the ‘all’ tag defining the policy applied if an unauthorised server sends on your behalf.

    An example with a ‘fail’ policy looks like this (note that there is no space after include:):
    v=spf1 ip4:xxx.xxx.xxx.xxx include:domain.com -all

    Once prepared it is possible to use a record checker tool that will compare it with a set of criteria confirming whether it has been set up correctly.

    SPF Checker Criteria

    To ensure a secure and protected email system, a record checker tool applies stringent checks that help identify spoofed emails. These include making sure there are fallback mechanisms and that any SPF macros are valid.

    Another important factor the checker tool will test for is the number of DNS lookups; it’s important that this does not exceed the maximum of ten. If it does, you may need to re-evaluate and simplify the configuration.

    Once you have gone through this process and passed the criteria set forth by the checker tool, you can add the record to your DNS as a TXT resource type.

    With all criteria met you can have confidence in your email reputation, knowing that only authorised senders will be able to deliver mail on behalf of your domain.

    Overall, this distinction between authenticated and non-authenticated emails provides an extra layer of trust for online users relying on messages and communication via emails.
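    The following is an added example, not code from the article or from any checker tool it refers to: a small SPF record linter that performs the checks described above (term syntax, the closing ‘all’ policy, and the ten-DNS-lookup limit counted through nested includes). DNS is a constructed in-memory dict and the domain names are placeholders.

```python
# Added example (not from the article): lint an SPF record the way the
# "checker tool" step describes: validate term syntax, check the closing
# 'all' policy, and count lookup mechanisms (include, a, mx, ptr, exists,
# redirect) through nested includes against the limit of ten. No DNS is queried.
import re

FAKE_DNS = {  # constructed sample zone: domain -> SPF TXT record
    "example.com": "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 a mx include:relay.mailer.example ~all",
    "relay.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")
TERM_RE = re.compile(
    r"^[+\-~?]?(all|ip4:[\d./]+|ip6:[0-9a-fA-F:./]+|(?:a|mx)(?::[\w.-]+)?(?:/\d+)?"
    r"|ptr(?::[\w.-]+)?|include:[\w.-]+|exists:[\w.%{}-]+|redirect=[\w.-]+)$"
)

def count_lookups(domain, dns, seen=None):
    """Count lookup-causing terms recursively; 'seen' guards against include loops."""
    seen = seen if seen is not None else set()
    if domain in seen or domain not in dns:
        return 0
    seen.add(domain)
    total = 0
    for term in dns[domain].split()[1:]:
        parts = re.split("[:=]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0]
        if name in LOOKUP_MECHS:
            total += 1
        if name in ("include", "redirect") and len(parts) == 2:
            total += count_lookups(parts[1], dns, seen)  # follow the referenced record
    return total

def lint_spf(domain, dns):
    """Return findings for the domain's SPF record; an empty list passes."""
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return ["no SPF record starting with v=spf1"]
    findings = []
    terms = record.split()[1:]
    for term in terms:
        if not TERM_RE.match(term):
            findings.append(f"syntax error in term '{term}'")  # e.g. 'include:' then a space
    if not terms or terms[-1].lstrip("+-~?") != "all":
        findings.append("record should end with an 'all' term defining the default policy")
    elif terms[-1] in ("all", "+all"):
        findings.append("+all authorises every host; use -all (fail) or ~all (softfail)")
    lookups = count_lookups(domain, dns)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of ten; simplify the record")
    return findings
```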

    Conclusion

    Implementing a Sender Policy Framework correctly is essential for protecting your business, stakeholders and customers.

    While creating the TXT records and using the checker tools to verify a correct setup are relatively straightforward, troubleshooting isn’t always so easy.

    If you want to avoid all the trouble of setting up an SPF record, having a professional inbox-focused company supporting your email marketing campaigns helps you make the process easier and more efficient.

    This way, you’ll be able to ensure your business is adequately protected against malicious threats and provide a secure online environment for customers to communicate with you effectively – without having to lift a finger!

    At InboxWizards, we offer clients a comprehensive suite of email services to help keep their businesses safe and secure. Contact us today for more information!

  • Protect Your Business from Malicious Attacks By Setting Up DKIM

    Have you ever received an email from a business or service only to be suspicious of its authenticity? Has someone ever sent you an email that seemed too good to be true?

    DomainKeys Identified Mail (DKIM) helps ensure the process of sending emails is protected from bad actors. In this post we will explain what it is, why it’s important and some of the issues that may arise.

    What Is DKIM?

    DKIM uses encryption and decryption of additional signatures in email headers, which requires both public and private keys.

    This practice helps protect your brand’s reputation by ensuring that emails are sent with integrity. By publishing the public key as a TXT record in your domain’s DNS, you make it possible to verify that all emails sent out by your team are legitimate and not coming from malicious sources.

    Different domain hosts have different methods for setting it up. For example, Google Apps users must manually turn it on in their Admin console, while other hosts, such as Microsoft, Zoho, or NameCheap, require different steps.

    Why Should You Use Both SPF and DKIM?

    SPF is a mechanism that allows you to specify which IPs are authorised to send emails from your domain. An SPF Check is a simple validation that the email is sent from an IP you allow, but this alone can’t guarantee the authenticity of a message.

    They both offer an important layer of protection individually, and they both have their limitations. Implementing the two of them together therefore reduces the potential risk of your business being the victim of cybercrime.

    It is important that SPF is set up correctly to avoid the risk of a vulnerability being taken advantage of.

    Recently, Google reportedly made DKIM a mandatory requirement for DMARC after such an event. Our article on SPF will give you some pointers for getting started.

    It is also worth mentioning that DMARC is necessary for BIMI, which provides you with even more protection.

    Every effort you make to protect your business and your customer information improves your odds of reaching the inbox and improving engagement.

    How DKIM Could Fail

    DKIM authentication can fail for a variety of reasons, such as misalignment between the signature domain and the sender domain, an incorrect or non-existent public key, an issue with the DNS zone lookup for the sender’s domain, or a signing key that is too short.

    It is especially difficult to avoid failure during checks if auto-forwarding appends footers that change the message body. To address this challenge, major Email Service Providers (ESPs) now use the Authenticated Received Chain (ARC) protocol, which identifies the mail servers that handled a message before it arrived and records their authentication results at each step in handling.
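    The following is an added example, not code from the article or from InboxWizards: it takes a DKIM-Signature header and reports the failure causes listed above (d= not aligning with the From domain, a missing or revoked public key, and a key that is too short). The key records are constructed placeholders in an in-memory dict, and the key-length check is a heuristic on the DER size of the p= value rather than a real key parse.

```python
# Added example (not from the article): diagnose the DKIM failure causes listed
# above (d=/From misalignment, missing or revoked public key, short signing key)
# from a DKIM-Signature header and a constructed DNS dict. The key-length check
# is a heuristic on the DER size of the p= blob, not a real key parse.
import base64
from typing import List

# Constructed key records at <selector>._domainkey.<domain>; the p= blobs are
# placeholder bytes of realistic DER length (1024-bit ~162 B, 2048-bit ~294 B).
FAKE_DNS = {
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode(),
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 162).decode(),
    "gone._domainkey.example.com": "v=DKIM1; k=rsa; p=",  # empty p= means the key was revoked
}

def parse_tags(txt: str) -> dict:
    """DKIM-Signature headers and key records share 'tag=value; ...' syntax."""
    tags = {}
    for part in txt.replace("\r\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace in b=/p=
    return tags

def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels); real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def diagnose_dkim(from_addr: str, dkim_signature: str, dns: dict, strict: bool = False) -> List[str]:
    """Return the reasons a verifier would fail this signature; empty means it looks fine."""
    sig = parse_tags(dkim_signature)
    d, s = sig.get("d", "").lower(), sig.get("s", "")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    problems = []
    # alignment: strict needs an exact match, relaxed accepts the same organisational domain
    aligned = from_domain == d if strict else org_domain(from_domain) == org_domain(d)
    if not aligned:
        problems.append(f"d={d} does not align with From domain {from_domain}")
    record = dns.get(f"{s}._domainkey.{d}")
    if record is None:
        problems.append(f"no key record at {s}._domainkey.{d} (wrong selector or DNS issue)")
        return problems
    key = parse_tags(record)
    if not key.get("p"):
        problems.append("public key p= is empty: the key was revoked")
        return problems
    der_len = len(base64.b64decode(key["p"]))
    if der_len < 250:  # below the ~294 bytes of a 2048-bit RSA SubjectPublicKeyInfo
        problems.append(f"key DER is {der_len} bytes, likely under 2048 bits; rotate to a longer key")
    return problems
```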

    Conclusion

    Business owners and entrepreneurs need to understand the importance of DKIM to protect themselves from malicious spoofing attempts. At the same time, while many understand its value, few take the time to set it up properly.

    That is where we can help!

    At InboxWizards, we offer solutions for all aspects of email authentication settings within your email accounts, and with our Domain Check-up feature you can always be sure that things are running smoothly.

    We will make sure that all emails sent are authenticated and secure, increasing email deliverability and protecting your business from malicious attacks.

    With more than a decade of experience in the field we understand how important it is for you to protect your domain. Let us show you the power of authentication today.