Trusted Sender Score Metrics
What metrics are in the Trusted Sender Score algorithm? The Trusted Sender Score Metrics are various inputs based on email configuration, Domain Name System (DNS) records
and other security elements such as SSL / TLS. Certain assumptions are made:
1.) The DNS entries are under the control, or set up at the instruction, of the domain owner.
2.) M3AAWG email sending best practices continue to be used as a benchmark by webmail and email service providers.
3.) DMARC compliance, based on RFC 7489 as defined by the algorithm published on GitHub by Zulu Labs founder David Barnes (and applied by other applications such as MX Toolbox), is accepted by users of the Trusted Sender Score.
4.) Until proven otherwise, a DMARC-authenticated domain can still be spoofed, whereas double check authentication is safe.
You can view the timeline that went into the research and production of Trusted Sender Score here. Essentially, when a significant change to email authentication started to be mandated by Gmail, Yahoo, AOL and Hotmail for email service providers, it triggered a series of events that has led us to a score that represents the trustworthiness of a domain with respect to email.
The Trusted Sender Score algorithm is made up of 14 condition-based metrics. These metrics are based on what webmail providers have been including in their feedback loops for many years, with some key modifications.
The metrics include:
- DMARC compliance (there are two key variables; the first is a reject or quarantine policy, checked by the free algorithm we built, which can be found here).
- The second variable is whether the domain uses only double check DMARC implementations, which means the domain cannot be spoofed. We spoofed single check DMARC ourselves, and our CEO published this blog on SourceForge. The first check and part of the second can be done using DNS lookups; from there we check certain entries against known email platforms that do not allow double check, in which case the result is zero.
- Other checks use Whois record lookups, which are important for verifying the domain owner's physical address; DNSSEC is also important.
- Publishing an Anti-SPOOF policy is vital, as it helps any email user verify which domains are being used and how. We have a sample in the footer of this page.
- On top of all of that, we also look for email subscriber forms that are not email-only but ask for some relevant information, for SSL, and finally for user feedback.
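As an added example (not Zulu Labs' scoring code), the following Python parses a DMARC TXT record as the first DMARC check above would retrieve it by DNS lookup, classifies the p= policy (reject, quarantine or none) and flags the weak settings a defender would want to see; the sample records and the weakness criteria are constructed assumptions.

```python
import re

# Constructed sample records standing in for DNS TXT lookups of
# _dmarc.<domain>, so the example runs offline (assumption, not real data).
SAMPLE_DMARC_TXT = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:agg@monitor.example",
    "broken.example": "p=reject; v=DMARC1",  # "v" must be the first tag
    "missing.example": None,                 # no _dmarc TXT record at all
}

POLICIES = ("none", "quarantine", "reject")  # weakest to strongest enforcement


def parse_dmarc(txt):
    """Parse RFC 7489 tag=value syntax; return a dict, or None if invalid."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.I):
        return None  # record must start with v=DMARC1
    tags = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p", "").lower() not in POLICIES:
        return None  # "p" is required and must be a known policy
    return tags


def assess_dmarc(txt):
    """Return (policy, findings): 'absent' or the p= value, plus assumed weaknesses."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "absent", ["no valid DMARC record"]
    policy = tags["p"].lower()
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct} leaves {100 - int(pct)}% of failures unenforced")
    sp = tags.get("sp", policy).lower()  # subdomain policy defaults to p
    if sp in POLICIES and POLICIES.index(sp) < POLICIES.index(policy):
        findings.append(f"sp={sp} is weaker than p={policy}; subdomains exposed")
    if "rua" not in tags:
        findings.append("no rua address, so aggregate reports are never received")
    return policy, findings
```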
That is all combined, sometimes with a weighting applied depending on the results, to give email users, domain owners and anyone else with an interest a simple score that is highly complex in its engineering.
We have even provided domain owners with their own tools to manage this process, mostly free of charge, so there is no excuse not to protect us all from email scams.
We most certainly are.
Absolutely; in 2020 HSTS is being phased in, and as we improve our service the algorithm is likely to change.
You have our guarantee that all changes will be applied across every domain evenly.
No. To handle the sheer volume of domains and the resource-intensive lookups we complete, we run a series of services to compile the data.
For domains not yet in the database we provide an indicative score, which is pretty accurate; however, the final score will be published within hours and sometimes up to 3 days after the initial search.