[Note: If you use Microsoft Office/Outlook 365 then some of the following won’t apply – your rules are defined elsewhere]
Something we get asked a lot is “I sent an email but it wasn’t delivered”. Or the the other way around – “someone sent me an email but it didn’t arrive”. The reality is that email exchanges have increased in complexity over the years, due almost entirely to the efforts of spammers, who are constantly looking to circumvent the filters that email providers put in place.
The problem of spam is increasing. According to SpamLaws, Spam accounts for some 14.5 billion messages globally per day. In other words, spam makes up 45% of all emails. Some research companies estimate that spam email makes up an even greater portion of global emails, possibly as high as 73%. The cost to individuals in time spent deleting them, tweaking their white-lists and black-lists etc is harder to calculate, but not insignificant.
An extreme example of a spam counter-measure is the “Spambox” feature which we have available but don’t use. Spambox works by placing all incoming email in a queue, notifying the sender that the email has been received, but asking them to click a link to verify that they are a genuine or trusted sender. Of course, we are all far too busy to do that, so Spambox is very unpopular. Don’t place the burden of your spam rules on me !
Moving right down the scale, there are filters that work in the background and attempt to block spam without any user intervention. We use SpamAssassin, an excellent tool and highly configurable, but on a good day will only filter about 80% of incoming spam. It will occasionally identify a legitimate incoming email as spam and at best, the email will end up in your junk folder, or at worst, be discarded.
What else can we do in the face of this spam tsunami ? The industry is fighting back. Some years ago, it began with the Sender Policy Framework (SPF). We adopted SPF not long after it was introduced in 2014 but sadly, it has become less effective over time to the point that it is now pretty much useless, as the spammers have learned to fake the SPF records.
About the same time, we implemented DKIM (Domain Keys Identified Mail). The combination of DKIM, SPF and SpamAssassin definitely had an effect and lowered the amount of spam that got into folk’s inboxes, but recently we’ve seen a trend toward increasing numbers making it through.
To tackle this, we’re introducing two new counter-measures.
DMARC is an enhancement to SPF and DKIM that strengthens the ability of receivers to validate the source of the email. In other words, it makes it more likely that email you send will be delivered, rather than being tagged incorrectly as spam. Of course, our clients never send spam 😉 Unfortunately, DMARC requires a bit of configuration, there is no one-click “default” record that we can put in place, but we can add a DMARC record to your account as part of a service-level agreement.
Secondly, we have begun using Greylisting. When an incoming email is received, it is “temporarily rejected”. If the sender is legitimate, it should (after some delay) try again, at which point the email is accepted. Early indications are that greylisting is having a positive effect. It does mean that all your incoming email will be delayed, by at least by 5 minutes, but sometimes longer, depending on how often the sending system re-tries. If you’re finding that delay unacceptable, you can easily turn greylisting off in your control panel.
Our aim is to get as close to 100% of spam emails filtered out as we can, but getting up to 90% is probably more realistic, given that a lot of spam comes from compromised accounts and will pass every test applied to it.
If you’d like to know more about options for spam counter-measures, feel free to get in touch with us.
Have a good week.