Cyber Anxiety

The Holy Trinity of Email Delivery

May 10, 2023 Inbay

In this episode, the team discuss Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF): the holy trinity of email delivery.

The podcast breaks down what DMARC, DKIM and SPF each are, why MSPs need to be aware of them, and why they must be implemented correctly.

Simon has written a blog to accompany this episode which can be found below:

http://blog.sembee.co.uk/post/podcast-holy-trinity-for-email-delivery-dmarc-dkim-and-spf

Luke Betteridge from Inbay hosts the Cyber Anxiety Podcast, with regular speakers including Daniel Welling from Welling MSP and Simon Butler from Sembee. We created this podcast to help support MSPs through the ever-evolving field of the digital world. The goal is to give tangible tips and strategies that MSPs and others in the tech industry can use while releasing the built-up anxiety around the sector. 

Transcript

00:00:02:23 - 00:00:23:11
Luke B
Hello, everyone. My name's Luke Betteridge and welcome back to the Inbay podcast and another episode in our Cyber Anxiety series. I'm joined by my series Regulars and very good friends, Daniel Welling and Simon Butler. Thank you for joining me, guys. Before we get started on this week's topic, let's just have a quick around the room of what everyone's been up to in the last month I know we’ve just had Easter.

00:00:23:23 - 00:00:33:12
Luke B
Has there been anything interesting or any interesting stories out of the last couple of weeks that you guys want to share with us in terms of the I.T. world or something going on at home?

00:00:34:08 - 00:01:09:05
Daniel W
Well, I can speak for Simon and I, because we both attended the much heralded British Touring Car Championship MSP meetup event a couple of weeks ago. The weather wasn't very kind to us at Donington. It was rainy and cold. But it's the second event that we've organised and it went really well; the operation of it far improved. We had some great interaction from the audience and yeah, really looking forward to Brands Hatch on the 6th of October.

00:01:09:15 - 00:01:15:13
Daniel W
Shameless plug: one of our partners will be Inbay, so look forward to having you along to Brands Hatch.

00:01:15:13 - 00:01:41:08
Luke B
Brilliant, looking forward to that one already. Sounds good. So today's topic is email delivery and what we like to refer to as the Holy Trinity. So I'm going to hold my hands up now and say that I don't know a huge deal about this, but I know Simon, you are our resident expert on the subject. So what I'll do is probably hand over to you, Simon. I know you gave a great analogy to us before we had this call, so I think it'd be good to maybe start on that.

00:01:41:09 - 00:01:50:13
Luke B
The analogy around what email delivery is and maybe if you can give a bit of an overview of the kind of the three types of email delivery.

00:01:50:13 - 00:02:18:15
Simon B
Okay. So the analogy that he's referring to is driving around with your car headlights on during dusk: it doesn't help you, but it helps everyone else. And what we're talking about here today is what we call the holy trinity of DMARC, DKIM and SPF. So, starting with SPF, because that's the oldest one of the three, and that stands for Sender Policy Framework. It sort of started to come out in the early 2000s.

00:02:18:15 - 00:02:45:01
Simon B
So it's quite an old technology, if you like. It uses exclusively DNS records. It does not require the email server to support anything for sending email anyway. Basically what you do with that is you list what servers are allowed to send email for your domain. So that would include things like your primary email platform. Office 365, for example, plus any marketing or other services that could send email as your domain.

00:02:46:20 - 00:03:06:03
Simon B
Obviously there are drawbacks with that because it's only IP addresses or DNS names. So if you've got everything behind the same IP address, that could still allow a compromised machine inside your network to send email as your domain. So then we move on to the next one, which sort of at the time was sort of seen as a competitor to SPF.

00:03:06:03 - 00:03:41:13
Simon B
But when it came out, it works very well alongside, which is DKIM, which stands for DomainKeys Identified Mail. And what that one does is it actually signs the email message. So again, you put the public key into your DNS and when the email is sent out the key is used to sign the message, which means in the combination of the two, you can say this IP address or DNS name is allowed to send email and the server that's actually sent the email is allowed to send email.

00:03:42:09 - 00:04:14:21
Simon B
So obviously we have these two things; they’ve both been around for ten, twelve years at the point that the third one came out, which is called DMARC, which stands for Domain-based Message Authentication Report & Conformance. Lovely long acronym there, and this one came out about 2012, something about that. And what that does is to tell recipients of the email what to do if the message fails a test on SPF and/or DMARC.

00:04:16:10 - 00:04:43:28
Simon B
There are two, well, three parts to it. One is basically do nothing. Second one is quarantine, and the third one is reject. And then the other part that it can do is report, which literally sounds exactly what it is, which is where the receiving server can send, to a predefined email address also stored in DNS, a report of what it did with the messages.

00:04:45:00 - 00:05:11:25
Simon B
These are designed to go into a computer, if you like, to be read by a machine rather than read by a human because they’re an XML file and these messages can then be created into a report that the email admin can see and allow them to identify whether a server is behaving itself, whether someone is trying to spoof, whether there is a concerted campaign going on to spoof.

00:05:12:03 - 00:05:47:04
Simon B
But it can also, which is where it helps MSPs, help identify where there is shadow IT going on, where a marketing team have, for example, set up some marketing service to use the domain, not told the IT team, and they appear in the DMARC records. So that's basically what the three elements do. We use all three elements to improve the deliverability of a client's email so that we have the emails being delivered in a reliable way, but also so that we have knowledge and insight as to how well the deliverability is taking place.

00:05:48:11 - 00:06:02:03
Luke B
So if you're an MSP who hasn't really delved into email delivery before, kind of any of these kind of features, what would be your advice of the best way to kind of get started in terms of setting up the kind of three types of email delivery?

00:06:02:03 - 00:06:19:13
Simon B
Okay, so the first thing I always do these days now, obviously, is I set up DMARC reporting. Even if you’ve got nothing else, you just set up the reporting DNS record. It can take, you know, like a week before you start to get anything meaningful, so it’s one of these things you can just sort of set it up and then forget about it for a week.

00:06:20:13 - 00:06:44:05
Simon B
And the easiest one I use right at the beginning is the one from Postmark, which is a free weekly report, and they create a DNS record for you. You put it into your DNS and then you can see what you get back. That's really risk free. It won't do anything to impact your email deliverability because it's literally just the report element of the DMARC record.

00:06:45:04 - 00:07:07:29
Simon B
You can then start to think about doing some more, more of the advanced stuff. For example, if you're using Office 365 and you're sending all your email out through Office 365, you can enable DKIM and Microsoft will give you the DNS record to put into your DNS, and that will allow the messages to start to pass that.

00:07:07:29 - 00:07:42:23
Simon B
That's quite straightforward. Again, pretty much risk free. If you are using any third party services, you can also ask them if they support DKIM. Most of the big boys do, like SendGrid, Salesforce, etc. They'll have instructions on their website on how to set up DKIM. DKIM will be an additional DNS record; you have a DNS record for each key pair for each service. And then you can start to look at SPF, and that's a little more involved because you've obviously got to collect all of the email services up together, because you can only have one SPF record per domain.

00:07:43:02 - 00:08:19:13
Simon B
So you've got to collect them up. But starting with DMARC, you know, it's literally, you know, four or five minutes probably per network. You know, once it's done, you can, you know, you can forget about it. You know, you can have all the reports coming to the same email address and all that sort of stuff, so you can consolidate it. On the associated blog post for this podcast, I've got some strategies that I've used for deployment to make it so that it's very easy for an MSP with multiple domains, multiple tenants, to actually set it up in a way that's easy for them to manage.

00:08:20:05 - 00:08:36:01
Simon B
Ultimately, further on down the line, you can start to use third party services that are multi-tenanted that are designed for MSPs. You can take all of these reports and generate, you know, something nice that you can show to the client and sort of say, you know, this is what is happening to your email.

00:08:36:15 - 00:08:44:26
Luke B
So I guess a good question for me is have there been any kind of common misconceptions or maybe common mistakes you've seen with MSPs or IT companies implementing this?

00:08:45:13 - 00:09:21:17
Simon B
Well, obviously, the major point we had at the beginning, and one of the sort of barriers, if you like, to the uptake of SPF and DKIM in particular, was the fact that a lot of email admins weren't really interested in it because it had no impact on their inbound spam. They were only interested in things that would reduce the amount of spam that their users were receiving, because that's obviously where the most pressure was, which is why the analogy I used at the beginning about car headlights comes into play, because a lot of this stuff is not really helping you for your inbound email.

00:09:21:25 - 00:09:52:19
Simon B
It's helping everyone else to see you, to see your email. The next common one is where we get, particularly where the company doesn't necessarily have an internal IT person, where they just put in the DNS record that's been issued by maybe a bulk email provider. So they've started to use SendGrid, for example, or one of the online CRM tools, who say you need to put this DNS record into your DNS to allow emails from our platform to work properly.

00:09:54:00 - 00:10:17:17
Simon B
What these providers have in common is they'll provide you with the complete record, which pretty much includes just their servers. So I saw a service, sorry, a server from a client a couple of weeks ago which was set up in such a way that they were basically telling the rest of the internet that the only email servers that were allowed to send email for their domain were those belonging to, I think it was SendGrid at that time.

00:10:17:17 - 00:10:41:21
Simon B
So they had not got their Office 365 tenant listed anywhere. So what I tend to say there is that, you know, start off with your primary email service. So if you're using Office 365, Microsoft give you the records to put in as part of their onboarding process. Follow that and then build on top of those records to put on the advanced records.

00:10:41:26 - 00:11:01:23
Simon B
You know, it's all documented, what you need to do. So you get lots and lots of these services. You know, you can start to have problems with the length of the DNS record, but there are ways around that. But you need to get started somewhere. And Microsoft do a very good job on getting those initial DNS records in place for their tenants.

00:11:03:02 - 00:11:20:05
Luke B
Brilliant, sounds spot on. Daniel, I was going to ask you from your side, from maybe kind of the financial side, is there any way that you can kind of, you know, implement this that's going to have any sort of, you know, financial implication or assistance with the MSP world?

00:11:21:26 - 00:11:44:12
Daniel W
Yeah, great. Great question, Luke. To focus back on the commercials, if there's anyone listening that's on the non-technical side of the business, they may have started to tune out. So yeah, I mean I think this is a great opportunity commercially, both from a new business perspective as well as an account management and account perspective as well.

00:11:44:12 - 00:12:25:11
Daniel W
So to put my new business hat on for a moment, if I was talking to a prospective customer, DNS records are absolutely one of the things that I'm going to look at before I have a conversation with them. Because from those DNS records, I can tell whether they use Microsoft 365 for their email. I can see whether or not they have DKIM records and DMARC records, and immediately I can demonstrate if they are not following best practice, and that casts doubt on whatever they're doing at the moment or their incumbent.

00:12:25:21 - 00:12:54:07
Daniel W
And it's an opportunity to move the conversation on, the commercial opportunity. If you have an existing customer, this is something that needs to be done. So there is a time charge; there's a benefit for them doing it. There's a time charge to be made. And it's not a particularly big or onerous activity.

00:12:54:07 - 00:13:30:21
Daniel W
So it's the kind of thing that can fall through a budget hole quite easily. And so yeah, I would say any MSP should be doing both of those, because if you're doing it from an account management perspective, you're going to be thwarting any potential new business suitors from your competition. So you know there's a double reason for doing it from an MSP's perspective, both in terms of winning new business revenue generation and also defending against attrition.

00:13:30:21 - 00:13:43:09
Daniel W
Well, and of course the fourth thing: it's good for your customer, because it probably means that they're going to get their email delivered to their customers, prospects, suspects far better than if they didn't have it.

00:13:44:25 - 00:14:02:13
Luke B
That's spot on. And like you said, that's exactly what this is all about, is making sure that your email is being delivered successfully. That's kind of the key to what this is, is making sure that your email is delivered successfully and it's received and it isn't put into your customer's spam or anything like that. So it sounds simple.

00:14:02:13 - 00:14:23:12
Luke B
Obviously, it's much more complex when you get into the nitty gritty of it, but that's simply what we're trying to achieve here. And ultimately, I think we were speaking about this earlier as well. It's a case where actually, if it's implemented incorrectly, that can be more detrimental than not having it at all. I'm not sure if I've got that right.

00:14:23:12 - 00:15:09:10
Daniel W
Implementing it incorrectly is worse than not implementing it at all. So you either do it right, you don't do it at all, or you do it wrong. So wrong, doing it wrong, is the worst version. But again, from a commercial perspective, most MSPs are selling to non-technical buyers, and therefore to be able to package this up in a story, in a scenario, in a case study, and to explain exactly that, you know, there are these records that you should have, it helps you deliver email, but beware, you can do it wrong.

00:15:09:26 - 00:15:23:02
Daniel W
And again that then reinforces the concept that end users should be going to a reputable professional provider to help them with their IT.

00:15:24:12 - 00:15:48:22
Luke B
Yeah, definitely. And just to let everyone know, there will be a blog post that comes out alongside this podcast, which Simon’s put together with a bit more detail about, as we said, the holy trinity of email delivery, and put together some best practices and a bit of advice on how you can implement it yourself. So before we round off, Simon, do you have any kind of final thoughts or any last words of wisdom for the audience around this?

00:15:48:22 - 00:16:09:14
Simon B
I don't think so. I think Daniel sort of summed it up. When I look at a new email platform, the first thing I always look at, particularly if the client has reported email deliverability issues, is the DNS records to see whether they are set up properly. And you know, so often it is easy to make mistakes.

00:16:09:14 - 00:16:28:18
Simon B
This is because, you know, we're using so many different email services, so many different vendors now. It's not like the old days where you just threw everything through your Exchange server and were done with it. You know, there's so many cloud services, you know, various marketing things, you'll see around your payroll, your accountants, you know, you could be sending your invoices out through one thing.

00:16:28:18 - 00:16:48:02
Simon B
You could be sending out your payroll through something else. And they all want to send out as your domain so that, you know, you get, you know, an email that appears to be coming from the business. And so, you know, it's just keeping on top of it. But obviously, that's where the MSP comes in. You know, it's keeping on top of all these things.

00:16:48:02 - 00:17:08:29
Simon B
And the MSP having a good communication with the customer that, you know, when they implement a new payroll system, the MSP goes and says, right, you want to send emails as your domain, we need these DNS records. And then, you know, updating, you know, that client's DNS records to take it into account, so that the DMARC reports are coming back and showing that the emails are being delivered exactly as they want.

00:17:08:29 - 00:17:28:28
Simon B
You know, all companies want to be able to have their invoices delivered, for example. They want to have their other important correspondence actually delivered. And implementing these correctly significantly improves that ability for them to arrive where they need to.

00:17:29:21 - 00:17:46:14
Luke B
Exactly. Simon, Daniel, thank you very much for your time today. I really appreciate it. And for anyone listening, if you have any further questions around this topic, then please feel free to reach out to any of us and we'll get back to you as soon as we can. Thank you very much. Appreciate your time again. Thank you. Bye.