If you send emails, never forget that your outbound is someone else's inbound, and if you do forget, not only could your email end up in a spam mailbox, but your IP reputation or domain reputation may be impacted, or worse yet, either could be blocklisted.
Therefore, always remember that email protection exists both on the inbound and outbound.
- Enterprises are responsible for blocking malicious outbound spam emails from compromised users.
- Mailbox Providers and Hosting Providers are responsible for blocking malicious outbound spam emails from compromised users, over-aggressive marketers, and fake accounts.
- Outbound Marketing Email Service Providers like Constant Contact and MailChimp are responsible for blocking spam emails from overly aggressive marketers and bad actors that leverage their platform to send their email campaigns.
The challenge protecting your outbound mail
While every email environment has unique challenges with outbound mail spam protection, they also have several common, standard best practices.
These best practices for outbound mail are:
- During user authentication, block senders from compromised systems.
- Always authenticate the sender's domain SPF and DKIM records.
- Always verify that content does not contain malicious domains and that URLs and attachments don't contain malware.
- Watch the bounce rates by user.
- Manage your feedback loop (FBL).
Rule #1: During user authentication, block senders from compromised systems.
Your outbound email server needs to use real-time blocklists when sending email. However, the blocklists used for outbound emails differ from those used for inbound emails.
For enterprises and mail operators, determining whether the user originates from a compromised system is one of the first and most crucial steps for sending email. Identifying at-risk users and forcing a password reset reduces the likelihood of outbound spam and phishing attacks from your email server.
This is a common problem at ISPs, Hosting Providers, Mailbox Providers, and Enterprises.
The Abusix AuthBL real-time blocklist that comes with the Abusix Mail Intelligence suite solves the problem by blocking IP addresses of senders attempting to authenticate with your outbound mail servers from compromised systems.
Rule #2: Always authenticate the sender's SPF and DKIM records.
Your outbound email server must authenticate the sender's SPF and DKIM records when sending an email.
If you are a Mailbox Provider, Hosting Provider, or Marketing Email Service Provider, authenticate your senders at the start of the outbound content session before their mail leaves your servers.
Authentication checks should include the following:
- While you already checked the authenticating user, now check the entire received header for any compromised IP addresses that match the AuthBL used in any hops to send email.
- Next, perform SPF/DMARC checks on the outbound email to ensure the email won't fail at the receiver. This is especially important if your company is a Hosting, Mailbox Provider, or Email Service Provider.
- Additionally, "Mutating," "Display Names," and "Reply To Addresses" should concern any postmaster because this is an easy way to identify compromised accounts on the outbound.
Remember, your reputation is at stake; block the bad before it impacts everyone sending from your platform.
Rule #3: Check content for known malicious payloads so your reputation isn't impacted.
Your outbound email server must ensure that it isn't sending malicious payloads.
Suppose you are an ISP, Hosting, Mailbox, or Marketing Email Service Provider. Before email leaves your environment, you must check for known malicious payloads such as spam domains, URLs, and attachments.
Content checks of the header and body text should include the following:
- Check for blocked email domains on a well-designed real-time domain blocklist like the Abusix Domain Blocklist. Don't let your user content damage your reputation.
- Ensure no outbound mail headers or body domains have recently been associated with spam.
- Email domains that have never been used previously in email are often used for phishing attacks. A well-designed passive DNS list like the Abusix NOD (Newly Observed Domain) List is ideal for detecting domains that have first appeared in an email for the first time within the last 25 hours. While being new doesn't mean the domain is bad, handling the message cautiously is prudent since it has zero known reputation. Ensure none of the outbound mail headers or body domains have zero reputation.
- Your content filter should check short URLs and document storage URLs (like Google Docs, OneDrive, Dropbox, Box, and others) against lists like the Abusix Short Hash (Short URL List) Blocklist and Abusix Disk Hash (Drive Storage URL List) Blocklist. Ensure none of the outbound mail body URLs hit any of these lists, as these URLs have already been hitting spam traps. If you get a hit, invariably, you are blocking an email from a hacked account.
- Lastly, employ an anti-virus (A/V) scan to check attachments. AV scans are critical to protecting against zero-day attacks from Senders with no history or those with a low Sender reputation.
Rule #4: Watch the bounce rates by user.
Watch the bounce rates by user, as they are often used to determine your email-sending reputation. Too many hard bounces will trigger the placement of all your emails in the spam filter.
Standards do not dictate what specific actions you must take with future mail to that address. Therefore, email senders must decide what to do with future mail based on the responses. A hard bounce typically describes mail that could not be delivered due to a non-existent address. A soft bounce describes mail that could not be delivered, but the address is valid, and future mail may be attempted. A spam bounce often describes mail that could not be delivered due to a policy decision.
- 5xy is a permanent failure or a hard bounce, which means I won't take this mail ever.
Repeatedly sending to addresses that do not exist hurts the sender's reputation at most receivers, so don't do it, and remove hard-bounce email addresses from all future sends.
A new user with many hard bounces indicates stale address lists and potential risk. Rate limiting of new users until a reputation is fully established is always recommended.
- 4xy is a temporary failure of a soft bounce, which means ****I can't take this mail now; come back in a little bit.
Mail administrators must actively monitor soft bounces. Many soft bounces (temporary failures) can indicate a reputation problem, as many mailbox providers (ISPs, Hosting Providers, MailBox Providers, and enterprises) use temporary failures to slow down low-reputation mail.
Soft, bounced, undelivered emails may be attempted without hurting the overall reputation. However, the Mail Administrator should always be wary of this user and consider rate limiting their mail until soft bouncing is eliminated or reduced. 3. While spam bounces are not a category defined in the standards, they may occur due to specific reputation or content problems. Usually, the problem is explained in the bounce message. Don't ignore spam bounces; understand them and act appropriately.
Be aware that occasionally, bounces occur after the receiving server accepts the message. These asynchronous bounces are typically sent to the return path address. Most modern MTAs handle these types of bounces.
Rule #5: Manage your feedback loop (FBL).
Lastly, "Feedback Loops (aka FBLs or "This is Spam" Complaints) are messages that are returned from users clicking on the Spam Button in their UI.
The FBL mechanism allows senders to receive emails from Mail Platforms (ISPs, Hosting Providers, Mail Box Providers) when a user clicks the "This is Spam" button. When they take this action, an email is returned to the sender to indicate the message was considered spam.
It is essential for sending administrators to know whether
- their users are sending campaigns from their platform, even if they are an ISP or Hosting Provider, which may or may not violate their AUP.
- also, if the same campaign comes from more than one user account, it often indicates several compromised users or a spam gang infiltration.
- if campaigns are allowed, it is essential to track (a) the speed of reports returned and (b) the ratio of [FBL reports/Messages sent] per campaign by active FBL receivers to have an indication of an emerging problem as well as how well the message was received.
In summary
Responsible senders use real-time blocklists designed to enhance outbound filtering and spam filtering. They authenticate user domains and also actively monitor traffic on their servers.
They also regularly read up on email standards, best practices, and laws. Staying in the know will help ensure you and your users are safer.
Lastly, if you want to read more about spam protection, you can watch our video on YouTube on "How to Stay Off Email Blocklists" or read our article about inbound spam filtering: "The more filters, the better."