Verbosity 2.0 ~ Talking about life on Drupal

I work with a lot of individuals who run their own businesses and I am often surprised by the variety of email addresses from these clients and service providers. Nearly all of them have their own websites, but yet only some of them actually use their website address as their email provider as well.

Back in the early days of the Internet I think this practice was less common. If you had a domain, you used it. It is a good promotion strategy for your website if people can find your product information, right?

So what happened?

You probably won't be surprised to learn that SPAM was likely the main cause of this mess. People keep getting more and more SPAM so some big companies with interests online decided to try and authenticate
email. The idea is that you send a message to someone, then the recipient will "look you up" to see if you are who you say you are. If the email is not from you, it gets rejected. That means less spam for everyone because spoof emails get cut out of the picture.

This is an improvement on the "as-is" system of processing mail where most everything goes to junk mail unless it comes from someone (or some organization) that you regularly correspond with. That isn't good if you're trying to follow up with a contact who has never received an email from you before.

Of course, big companies never get along so there are many ways of authenticating users. Here are a few:

• Sender Policy Framework, or SPF, which is an open standard
• 
  Sender ID, a Microsoft variant that tries to do what SPF does, even going as far as copying the syntax and calling itself "SPF2"(sigh)
• Domain Keys Identified Mail,
  or DKIM, a variant pushed by Yahoo which requires each message to
  be modified before it goes out, and lastly:
• DomainKeys,
  the original Yahoo creation that spawned DKIM

Whew. That's a lot of stuff to configure.

If you go through the process though you will get less "false positives" going into your recipients junk mail folder so it is worth the effort. If you are sending out newsletters, these technologies might be a vital step to increase your open rates.

Who is using email authentication?

I know almost all webmail service providers use at least one form of email authentication to verify incoming mail. I know of some offices with off the shelf firewalls that also check this information as it comes in. What is surprising though, is that many email marketing companies, the ones who send things out, such as Constant Contact and Cvent, do not provide a means of authenticating email. This is probably why they are so cheap compared to providers like Responsys which publish their email authentication records so their client messages get through to all of their subscribers.

You can test your configuration by following the verification steps on this page or by sending an email to a test server which is also
discussed in this article about SPF records. For a server without any of these services you should always get "neutral" as a response for each test. If you have these services configured, you should see "passed" for each method you setup.

Currently I have implemented Sender Policy Framework and Sender ID for all of my hosting clients. These two are the most widely deployed and also the most easy to implement. If you could only do one I would recommend Sender Policy Framework as many services should respect those settings as they are similar to Sender ID. If you absolutely must get into Hotmail inboxes I will always
recommend both.

I am not certain that DKIM & DomainKeys will last due to the complexity of the setup. If they do last awhile longer I will probably add these methods to the server too, but for now I am taking a wait-and-see approach.