Impersonators aren’t a new thing, right? They’ve been around since... well... at least since Elvis.
Why is my email not going through?
Or: Why am I not getting email from this person?
There is a lot that can go wrong when sending an email. Don’t let a shortcut get your email blocked.
Every so often, we will get a client asking why they aren’t getting email from someone. I see this most in the escrow industry where they need emails from lots of people that they might not often email.
The most common answer, which they don’t tend to love, is that the sender told us their message should not be trusted, or at least they didn’t tell us it SHOULD be trusted.
What do I mean?
Years ago, anyone could send email as anyone else. Well, technically, you still can, although it might take a little effort. The big problem today is that many services will let you set up a sending address different from the one you’re using. For example, in Gmail, I can configure alternate sender addresses. I might be using me@gmail.com while sending as me@professional.com.
This can create a problem when sending if it is not set up properly. The problem is that you look like someone trying to impersonate yourself. The person you’re emailing can’t tell if you are really you or if you are an imposter.
Enter SPF, DKIM and DMARC.
The first attempt at resolving the impersonation issue was called Sender Policy Framework (SPF). This identified IP addresses that were allowed to send on your behalf. It was a good first step, but there are lots of situations where it doesn’t work as well as it could.
DKIM adds a digital signature to messages when they are sent. That signature can be verified with a public key that is tied to your domain name to figure out if the message is valid or not.
DMARC is the policy that enforces SPF and DKIM. You (or the owner of your domain) set a policy that says either we trust that all our mail is properly configured or we don’t.
So, if professional.com says that all messages must have a valid DKIM signature from that domain, but you sent a message through gmail and it doesn’t have that signature, it should be treated as junk or rejected outright. (The policy can be set to reject or quarantine.)
Here’s the real gotcha. If your domain doesn’t have a DMARC policy, or it hasn't been configured properly, you’re telling the world that YOU don’t trust your own email. If you don’t trust it, why in the world should I trust it when I receive it?
A few years ago, Microsoft started treating messages that aren’t passing SPF and DKIM, even if you don’t have it configured, as suspicious, lowering your chances of getting delivered.
You can’t ignore this stuff.
How to check if you’re set up properly?
First, to see if you have a DMARC and SPF policy configured, use one of the following sites which have free testers.
This will tell you if you have a policy configured properly, but doesn't test an actual email.
Second, send a test email. This will tell you if that email is compliant with the policy.
You can also send an email to a service like mailgenius.com that will check if your message is properly signed. (Note: This service will indicate other potential issues with your email, but I've seen many times where it indicates blacklists that don't seem to be actually correct.)
Another easy way is to send an email to a Gmail account. When looking at the email, click the three dots in the top right corner and then choose "Show original". It will show you a summary at the top with the SPF, DKIM and DMARC test results.
Now, repeat this test for any other services that you might use to send email. That includes things like marketing platforms (HubSpot, MailChimp, Constant Contact), transactional emails from your web store or website and anything else that sends emails (scanners, phone systems).
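The same verdicts are recorded in the Authentication-Results header that the receiving server adds to the raw message. As an added example (not from the original article), this Python reads that header from constructed message headers matching the me@gmail.com / me@professional.com case above and reports whether the passing SPF and DKIM results actually belong to the From: domain. The server name mx.receiver.example, the sample headers and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers: mail sent through Gmail with a professional.com From:,
# stamped by a hypothetical receiver. The second header imitates a sender-added one.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@gmail.com header.s=20230601;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=me@gmail.com;
 dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=professional.com
Authentication-Results: forged.invalid; spf=pass; dkim=pass; dmarc=pass
From: Me <me@professional.com>
"""

def auth_results(raw, trusted_id):
    """Return {method: (result, properties)} from the trusted receiver's header only."""
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)        # drop parenthesised comments
        authserv_id, _, rest = value.partition(";")
        if authserv_id.strip().lower() != trusted_id:
            continue                                   # anyone can add this header
        out = {}
        for clause in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)(.*)", clause, re.S | re.I)
            if m:  # with several DKIM signatures, the last dkim= clause wins here
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                out[m.group(1).lower()] = (m.group(2).lower(), props)
        return out
    return {}

def aligned(domain, from_domain):
    # Simplified alignment: equal or a subdomain (no organizational-domain lookup).
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def diagnose(raw, trusted_id):
    """Explain a DMARC verdict: which checks passed, and for which domain."""
    res = auth_results(raw, trusted_id)
    from_dom = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()
    spf, spf_p = res.get("spf", ("none", {}))
    dkim, dkim_p = res.get("dkim", ("none", {}))
    spf_dom = spf_p.get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_dom = (dkim_p.get("header.d") or dkim_p.get("header.i", "")).rpartition("@")[2].lower()
    return {"from": from_dom, "dmarc": res.get("dmarc", ("none", {}))[0],
            "spf_aligned": spf == "pass" and aligned(spf_dom, from_dom),
            "dkim_aligned": dkim == "pass" and aligned(dkim_dom, from_dom)}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "mx.receiver.example"))
```

In the sample, SPF and DKIM both pass, but for gmail.com rather than professional.com, which is why DMARC still fails.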
If you utilize DMARC reporting and have a system that analyzes the reports, you can see what is sending mail and find any sources that may need to be addressed. You’ll also be able to see any messages that are being sent by others trying to impersonate you.
Properly configured, DMARC should stop these messages from being delivered, or at least send them to junk/quarantine. This will help protect your legitimate emails and your sender reputation.
Finally, there are other reasons that your email may not be going through. If your email looks like junk, has malicious content or you have been sending spam (or didn’t have your policies configured properly and others were sending spam from your address), your email may still not make it to the inbox.
If any of this doesn’t make sense to you, or your policy isn’t set to reject, talk with your IT department or service provider. If you still need help, contact us and we can help.