You can no longer trust email delivery

Posted on October 21, 2020 by · Posted in Uncategorized

This particular newsletter has little to do with Web+Center, but a slow but crucial change in our Internet ethos that we have come to depend upon.  It also impacts Web+Center and any Email delivered document (Web+Center notifications, newsletters, emails, security alarm alerts, etc) that are incredible important to the continued functioning of our businesses and organizations.  It’s also another very concerning change in our world when we can no longer “trust” a system or information delivery.  Losing trust is not what we need in our society now.

As a software company, we have been focusing on application development, software updates and compatibility with various changing systems.  Over the past 1-2 years, I had a hunch that emails delivered to my clients, my friends, my family, my volunteer organizations were slowly not getting delivered to an increasing number of them, even many users that for years would always get my emails delivered.  I couldn’t really find or determine a very specific pattern of complete failure on my sending systems or email clients or a particular receiver email system.

During the course of 2020 year, several friends and long time organizational volunteers I work with began seeing emails with my emails replies in the middle that they didn’t received.  Several other times I would send out an individual or small group email and I wondered why so few replied or responded.  Were my emails that low of a priority or so poorly written I didn’t deserve a reply?  Something else was going on..

So I started to research why emails, especially emails sent to Google Gmail based systems, would always place my emails now into SPAM folders without the user ever marking emails from me as SPAM.  Here is what I discovered.

To my surprise, the lack of notification to all users, business and organization users, and anybody who uses Email must now adhere to email authentication standards that most businesses either know nothing or little about or can’t even configure with their current email system architectures is very discouraging.

SPF, DKIM and DMARC records and systems – why your emails are marked as spam or not delivered at all!

Many email systems on the receiving end  now use a combination of email authentication to prevent SPAM and mark much of your mail as SPAM unless some or all of these authentication systems are in place when and how you send your message.

  • SPF helps servers verify that messages appearing to come from a particular domain are sent from servers authorized by the domain owner.
  • DKIM adds a digital signature to every message. This lets receiving servers verify that messages aren’t forged, and weren’t changed during transit.
  • DMARC enforces SPF and DKIM authentication, and lets admins get reports about message authentication and delivery.

If you’re tech savvy, or lucky enough to have a company with an IT team, updating your SPF and DKIM records can help ensure that emails are landing in the correct inbox. An SPF, or sender policy framework record, is essentially a list of email accounts that are allowed to send messages from a specific domain. This means that only certain email addresses are allowed to send from the theoretical domain, angela dot com. DKIM, or DomainKeys Identified Mail, is a process in which emails are each sent with a key that identifies them as legitimate. Updating these records can make a big difference in your deliverability if you’re using your own domain, though if you have a Gmail account, you’re out of luck in this regard.

Unfortunately, there’s no clear, easy answer for how anyone with this issue can make sure their emails aren’t being flagged as spam. It’s simply too opaque a system for anyone, even professionals, to say for sure how to fix this problem when it arises.

Older mail systems or purchased email services at small businesses will continue be marked as SPAM without changing entire systems

I reviewed my own inet-sciences.com domain Email services that GoDaddy was hosting for years for me turned out to be completely outdated.    The mail systems software doesn’t even began to support the email authentication requirements that many of my recipients email systems were requiring.   I was never contacted by GoDaddy and told that I needed to switch email services to one of the bigger tech company services (Microsoft or Google) as they are writing their own rules and changing them daily about what THEY individually require to make an email from you authenticated.

No set standards or requirements vary for email authentication
To make matters worse, the email system authentication requirements of your recipient varies greatly from one vendor to another.  Google may require a SPAM test threshold of some combination of SPF record checking, DKIM and maybe some context checking too (like using too many !!!s).  Meanwhile,  AT&T SBC global accounts may use a different combination of email authentication, and Yahoo a different set.   Office 365 and Microsoft and set  their own standards which change. Then the recipient vendor lowers the bar each month or change things so emails delivered one month might fail the next or vice-versa.  This new email authentication, unannounced standard by which Emails are delivered also applies to those newsletters (mailchimp, constant contact, etc) or those Web+Center notification emails, etc.  Even your important server UPS notification email may now be blocked or marked into SPAM. Each of those will probably also need carefully crafted SPF records in your domain so that delivery of those email will happen now and into the future.  Depending upon which gateway you use to send those emails, delivery results can vary.

In a strange set of events, I suspect many of the older email system users may actually have a higher delivery rate (delivered into the Inbox and not SPAM) sending and receiving emails than those users  on newer Office 365 or Google based systems that do all of the authentications.  In this case, having older receiving systems might be better but worse for sending.

SPAM filters and other spam products often go on top of this layer of email authentication once the email is delivered making emails adding yet another level of whether emails are delivered.  Folks adjust spam filter levels even outside of these tests.

Configuring SPF records and DKIM systems
Configuring these SPF records and DKIM or DMARC system is not for the average business owner, domain name holder or anybody except someone very familiar with how to manage complicated EMAIL systems.

SPF
SPF record syntax is tricky, and the room for errors is easy.

how spf records works

DMARC – When I asked my GoDaddy support team about this authentication option for my domain after shifting to Outlook and Office 365 email services, I assumed it was maybe already done for me which it was not.  Even switching to one of the few large tech company Email services (Outlook MS or Google Services) does not fix your email delivery problems.

Here is an article about DMARC that might shed some light on the complexity of this yet another email authentication standard that some vendors may or may adopt.

Analogy to the U.S. Postal System
Email systems originally were termed with similar delivery and distribution words.  Email users have the same concerns we have with any mail/message delivery system of security, privacy, and correct user delivery.  Once we put a letter into our postal “system” with proper postage, we assume delivery of the mail to the recipient.  The only gate keeping factor or mail rejection in regular mail delivery is just the postal system which has, we hope, uniform policies across all delivery branches and workers.  Your mail may be rejected because of lack of proper postage or invalid address, but generally delivery is performed and we know the rules by which delivery may not happen like insufficient postage.

The world of  Email systems today now have many USPS like organizations each writing their own delivery rules whether to deliver (e)-mail or not.  We don’t even know what the rules are for most organizations and they change continually.

Conclusions:

Chances are GOOD you didn’t get this email newsletter!  If you did, consider yourself lucky!  Its not like these companies are selectively doing evil things, they are just writing their own rules without telling us they have changed them.   I don’t see this mixture of standards and SPF, DMIK, DMARC tests getting understood by the general Internet users anytime soon.  Basically, we can’t trust email delivery like we did 5+ years ago.  Going forward, when you send an important email, send a back up TEXT to confirm they got it!

Sincerely,
Scott Vanderlip
President Internet Software Sciences