Trusted Sender Score Metrics

What metrics are in the Trusted Sender Score algorithm? The Trusted Sender Score Metrics are various inputs based on email configuration, domain name server (DNS) records and other security elements such as SSL / TLS. Certain assumptions are made:

1.) The DNS entries are under the control or instruction of the domain owner.
2.) M3AAWG email sending best practices continue to be used as a benchmark by webmail and email service providers.
3.) DMARC compliance based on RFC 7489, as defined by the algorithm published on GitHub by Zulu Labs founder David Barnes and applied by other applications such as MX Toolbox, is accepted by users of the Trusted Sender Score.
4.) Until proven otherwise, spoofing DMARC authenticated domains can only be done however double check authentication is safe.

You can view the timeline that went into the research and production of Trusted Sender Score here. Essentially, when a significant change to email authentication started to be mandated by Gmail, Yahoo, AOL and Hotmail for email service providers, it triggered a series of events that has led us to a score that represents the trustworthiness of a domain with respect to email.

Given more than 90% of email users are protected by Anti-SPOOF authentication, there is no reason for anyone to suffer from an email scam, an email hoax or any crime that uses email in a fraudulent manner. If domain owners just implemented the free steps to secure their domain, we would have next to no SPAM and negligible email attacks.

The Trusted Sender Score algorithm is made up of 14 condition-based metrics. These metrics are the basis of what webmail providers have been including in their feedback loops for many years, with some key modifications.

The metrics include:

  • DMARC compliance. There are two key variables. The first is a reject or quarantine policy, using the free algorithm we built (can be found here).
  • The second component of the equation is based on the domain only using double check DMARC implementations. That means it is impossible to SPOOF the domain. We SPOOFed single check DMARC and our CEO published this blog on SourceForge. The first check and part of the second check can be done using DNS lookups; from there we check certain entries against known email platforms that do not allow for double check, in which case the result is zero.
  • Other checks use Whois record lookups, which are important for verifying the domain owner's physical address. DNSSEC is also important.
  • Publishing an Anti-SPOOF policy is vital, as this helps any email user verify which domains are being used and how. We have a sample in the footer of this page.
  • On top of all of that, we also look for email subscriber forms that are not email only and ask for some relevant information, SSL, and finally user feedback.
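
The first DMARC variable in the list above (a reject or quarantine policy) can be read from the TXT records published at `_dmarc.<domain>`. The following is an added example, not the Trusted Sender Score algorithm or the GitHub code the page mentions: the function names and sample records are constructed, and the record handling follows RFC 7489 sections 6.3 and 6.6.3.

```python
# Added example: classify the DMARC policy found in the TXT answers for
# _dmarc.<domain>. How the result feeds a score is not shown (unknown here).

ENFORCING = {"quarantine", "reject"}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into an ordered list of pairs."""
    pairs = []
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def dmarc_policy(txt_answers):
    """Return 'none', 'quarantine' or 'reject', or None when no single
    valid DMARC record is published."""
    records = []
    for txt in txt_answers:
        pairs = parse_tags(txt)
        # v=DMARC1 must be the first tag; unrelated TXT records are skipped.
        if pairs and pairs[0] == ("v", "DMARC1"):
            records.append(dict(pairs))
    if len(records) != 1:  # zero or several records: no policy applies
        return None
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy in ENFORCING or policy == "none":
        return policy
    # A missing or invalid p= falls back to p=none only when a report
    # address is present (simplified here to a mailto: prefix check).
    return "none" if rec.get("rua", "").startswith("mailto:") else None

def has_enforcing_policy(txt_answers):
    """True when the published policy is quarantine or reject."""
    return dmarc_policy(txt_answers) in ENFORCING

# Constructed TXT answers, as a DNS lookup of _dmarc.<domain> might return.
SAMPLES = {
    "enforced.example": ["v=spf1 -all", "v=DMARC1; p=reject; rua=mailto:d@enforced.example"],
    "monitor.example": ["v=DMARC1; p=none"],
    "typo.example": ["v=DMARC1; p=rejct; rua=mailto:d@typo.example"],
    "double.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "wrongorder.example": ["p=reject; v=DMARC1"],
}

if __name__ == "__main__":
    for domain, answers in SAMPLES.items():
        print(domain, dmarc_policy(answers), has_enforcing_policy(answers))
```

The `typo.example` and `double.example` cases show how a record that looks enforcing at a glance can still leave the domain without an enforced policy.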

All of that is combined, sometimes with a weighting applied depending on the results, to give email users, domain owners and anyone else with an interest a simple score that is highly complex in its engineering.

We have even provided domain owners with their own tools to manage this process, mostly free of charge, so there is no excuse not to protect us from email scams etc.

We most certainly are.

Absolutely, in 2020 HSTS is being phased in and as we improve our service the algorithm is likely to change.

You have our guarantee that all changes will be applied across every domain evenly.

No. To handle the sheer volume of domains and the resource-intensive lookups we complete, we run a series of services to compile the data.

For domains not yet in the database we provide an indicative score, which is pretty accurate; however, the final score will be published within hours and sometimes up to 3 days after the initial search.


About Trusted Sender Score

Trusted Sender Score is an easy-to-understand email domain trust rating that helps email users know if a website URL (domain) can be trusted.


Check it first

Help promote cyber safety and a better email planet by posting your Trusted Sender Score results with #tdd and #checkitfirst. Simply screenshot the score and share it on your favourite social media app.


Terms of Use

Please use this application as a guide only; you have the final decision as to whether you trust an email or domain. Zulu Labs Pty Ltd and associated companies cannot be held liable for any decisions made by using this application. For further terms of use please click here.