Mail relays - Part 1 | Authenticate your outgoing mail!

Why does this matter?

In the past year, several big receivers have started a push towards “no auth, no entry”, meaning that bulk mail should be properly authenticated before being accepted. While this is primarily targeted at bulk senders, and currently does not impact small senders, eventually it will trickle down to them. An example of a small sender would be a lone web shop sending out the occasional confirmation mail to a visitor. The corner store rather than the supermarket.

That does not mean that smaller senders can just sit still and ignore progress. It is here that operators of mail relay services can play a vital role in helping their customers comply with the latest standards. At the same time, these mail relays can also protect their customers by ensuring only legitimate mails are being sent.

Reputation is everything.

The cleaner your mail is, the better.

For every incoming email, the reputation of the sender plays a major role in determining the fate of the mail; whether it is summarily rejected, placed in the inbox, or banished to a spam folder. When a mail relay doesn’t provide any authentication information, the only reliable way to determine who the sender is, is with the sending IP address. This means that if one of your clients gets compromised and starts sending phishing mail, then it will affect all the mail from your IP address. If the issue is not caught quickly enough, Spamhaus may place your IP address on a blocklist. Some big receivers also have similar low reputation lists, and not all of them will be transparent about it.

A solution is to make sure the mails that are sent are properly authenticated: each client should use their own domain to authenticate their mails. That way, when one client is compromised, only that specific sender can be blocked on a per-domain basis.

How can we do that?

Not every small sender is capable of implementing email authentication by themselves. This is where mail relays can play a pivotal role. Things like Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) take some skill to get right.

However, not everything can be done by the mail relay. That “send a friend” or "contact us" form on a website should not try to send mail impersonating the visitor of the website - these features are trivially abused by spammers and they break existing email authentication that mailbox providers are implementing.

Clients should understand that every email sent is sent from their own domain, or from a specialised subdomain dedicated to the website. If you must include the visitor's email, put it in the mail body or in the reply-to header, and resist the temptation to send a copy to them too. That can and does make forms trivial to abuse.

Mail relays can then start to enforce this, and provide authentication at the same time. Ensuring that for each outgoing mail, the envelope sender and the email in the "From" header match the domain of the client. Once that is achieved, it is relatively easy to ensure that SPF is correct for that domain, and it should also be quite feasible to add a DKIM signature to the message, using the same domain.

As an added bonus, you could add rate limits for each client, to prevent them from sending a volume of mails that is incompatible with their normal behaviour, which usually means something suspicious is happening.

Authenticated mail, improved deliverability

Once all of these features are in place, you will have effectively given your clients better email deliverability, and at the same time you protect your resources against abuse. Receivers will notice the consistent presence of email authentication from your platform, and you are much less likely to be blocked based on your IP address.

In Part 2, discover how forwarding mail can be more trouble than it’s worth - especially when it’s done without checks, validation, or spam filtering.