https://mapp.com/blog/what-are-aligned-domains/


What Is Domain Alignment, and Why Does It Matter?

Florian Vierke,
Senior Manager Deliverability Services @ Mapp

Trust is crucial in the online world. After all, customers are only communicating with technology, trusting it with confidential information or even financial transactions. But how does one establish trust in a brand digitally?  

Phishing attacks are constantly happening everywhere and are threatening your domain’s reputation. Sometimes it’s just little dips; other times it’s larger attacks. Either way, it can affect the credibility of your domain and your reputation in the real world. The earlier you protect your domains, the better.

One option is a BIMI mark for emails. Just like a verification badge or blue checkmark on social platforms, it creates trust in your brand while directly communicating with customers. BIMI shows your logo in inboxes, reassuring recipients that your brand is really behind the communication. It also makes your messages stand out among less colorful email previews.

The requirement for BIMI, and deliverability in general, is domain alignment. We see more and more demand for domain alignment, and I predict this to be a trending topic in the coming years. In this blog post, I’ll dive deeper into the definition and the benefits of aligning domains and the need for DMARC authentication in our recent use case.

Generally, deliverability is a matter of trust and reputation. Email providers want to deliver messages from trusted sources that recipients actually want to see. In order to prove to the services that you are a “trusted source”, you need to do the equivalent of showing your ID: unveil your identity by authenticating yourself.

Historically, emails didn’t contain any mechanisms for authentication. A few years later, marketers had the option to add a DKIM signature to prevent the first phishing attacks. This digital signature has a function similar to a letter envelope, confirming that the email has not been compromised on its way into the recipient’s inbox.

Aligned domains likewise aim to create trust in the validity of the sender.

What does this look like on a technical level?

Let’s imagine the following situation: the SMTP protocol asks for a “FROM” address (5321.FROM). To stay with the letter analogy, this is the “Envelope FROM”. The email header, meanwhile, contains another FROM field, which is called 5322.FROM (or “DISPLAY FROM”). That alone would already confuse a regular mailman. Additionally, we see the added DKIM-signature-From. And why keep it simple when all three can technically look different?

If you compare that to an old-fashioned snail mail letter, it looks like this:

  • Envelope FROM is the equivalent of the 5321.FROM
  • Display FROM is the equivalent of the 5322.FROM
  • And we sign the letter with our signature, which is again different (“best regards, DKIM”).

 


Mapp: Non-Aligned Domains Example

The “alignment” requirement is probably clear at this point: the goal is to use the same domain in all these fields – or let’s say in as many as possible. While the “envelope from” can be different from the message content, we can all agree that the author of a message should also sign it themselves. This alignment of 5322.FROM and DKIM-From is seen as the minimum requirement to ensure your domain is the main source of trust for your email sender reputation.
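The alignment check described above, as an added example (not code from the original post or from Mapp): it reads the three domains from a constructed message and compares them. The sample domains and the two-label organizational-domain shortcut are assumptions, and the code checks alignment only, not whether the DKIM signature is valid.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a third party signs on behalf of the author domain.
NON_ALIGNED = """\
Return-Path: <bounce@mail.esp-example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=esp-example.net; s=sel1;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Shop" <news@shop.example.com>
Subject: Spring offers

Hello
"""
# Same message, but signed with the author's own domain.
ALIGNED = NON_ALIGNED.replace("d=esp-example.net", "d=example.com")

def org_domain(domain):
    # Assumption/simplification: last two labels. Real receivers use the
    # Public Suffix List, so "example.co.uk" would be mishandled here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_aligned(author, other, strict=False):
    if not author or not other:
        return False
    if strict:                                   # exact domain match
        return author.lower() == other.lower()
    return org_domain(author) == org_domain(other)   # relaxed match

def domain_of(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def alignment_report(raw, strict=False):
    msg = message_from_string(raw)
    author = domain_of(msg["From"])              # 5322.FROM (display FROM)
    envelope = domain_of(msg["Return-Path"])     # 5321.FROM (envelope FROM)
    dkim = []                                    # d= of each DKIM signature
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            dkim.append(m.group(1).lower())
    return {
        "from": author, "envelope": envelope, "dkim": dkim,
        "dkim_aligned": any(is_aligned(author, d, strict) for d in dkim),
        "envelope_aligned": is_aligned(author, envelope, strict),
    }
```

Run against `ALIGNED`, the relaxed check accepts `example.com` signing for `shop.example.com`, while `strict=True` does not.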

And if you don’t...?

Well, the answer is: it depends. Some ISPs will still accept the message, others won’t. If you let someone else sign your letter, the trust in it is obviously lower than if you sign it yourself. The Certified Senders Alliance (CSA) expects that starting March 2023, all certified emails will need to be DKIM-signed and aligned. As a CSA member, Mapp is currently working on aligning all existing customer setups.

What needs to be done?

Already a Mapp customer? The default settings on Mapp Engage as well as Mapp Empower ensure that the FROM and DKIM domains are already aligned. This is great news, as it positively affects your reputation, and no action needs to be taken. If you use an alternative FROM address on Mapp Engage, please get in touch with our Deliverability Team. We’re happy to double-check your individual setup and advise you on potential improvements.

Double up with DMARC to combat phishing & drive deliverability rates 

Domain alignment is a mandatory precondition for implementing DMARC. Once this has been implemented, you can ensure you’re “phishing-proof” through DMARC authentication. The general benefits of this are:

  • Precise email traffic analysis
  • See the exact percentage of how many emails are actually arriving in subscribers’ inboxes
  • Phishing attacks become less threatening because they can be identified quickly as non-authorized emails

Below is a seven-day real traffic overview for clients with a DMARC visualization tool, showcasing the % of Threat/Unknown VS DMARC pass:

Mapp-DMARC

While the majority of sent emails is already DMARC-compliant (authenticated correctly), we still see around 0.1% unauthorized traffic.

The phishing attacks we see come in chunks across multiple clients and originate from all over the world:

Mapp-DMARC-2

Here’s what phishing attacks can look like for a single customer:

Mapp-DMARC-3

Setting up DMARC as quickly as possible helps secure deliverability for your emails. If a phishing attack is happening against your domains, the reject policy can prevent messages from being delivered. Without that policy, it’s up to the mailbox providers how these messages are handled – and why hand over something you can control? You may end up doing more harm than good to your reputation and risk that your emails end up in the junk folder.

DMARC enables you to set a policy of “none”, “quarantine”, or “reject”. This defines how recipients treat emails that fail authentication. Once the domain is ready to be set to reject (the sender’s explicit wish that recipients reject mails from their domain that fail authentication) as the ultimate layer of phishing protection, our team is there to support you with regular consulting.
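How the three policies play out for a message that fails authentication, as an added example (not from the original post): it parses a DMARC TXT record and returns the disposition the domain owner requested. The records are constructed, the function names are hypothetical, and the example goes slightly beyond the text by also handling the `sp` tag for subdomains; treating a record without a valid `p` as "no policy" is a simplification.

```python
# Constructed records for the assumed domain example.com
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCE = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable."""
    parts = txt.split(";")
    if parts[0].replace(" ", "") != "v=DMARC1":   # v= must come first
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def disposition(record, from_domain, policy_domain, dkim_ok, spf_ok):
    """dkim_ok / spf_ok mean: the check passed AND its domain is aligned."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"        # receiver decides on its own
    if dkim_ok or spf_ok:         # one aligned pass is sufficient
        return "pass"
    policy = tags["p"].lower()
    if from_domain.lower() != policy_domain.lower():
        # Mail from a subdomain: sp overrides p when present and valid
        sp = tags.get("sp", "").lower()
        if sp in POLICIES:
            policy = sp
    return policy
```

With `MONITOR`, a spoofed message is only reported; with `ENFORCE`, the same message is requested to be rejected, or quarantined when it claims a subdomain.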

Stay on top of your email deliverability rate 

Our Deliverability Team offers a service to set up and monitor your domains. Once set up, the domains are protected against future phishing attempts and we distribute a weekly report to the client, while our experts monitor and review your activity.

If you’re not yet a Mapp customer, but curious to learn more about the benefits of aligned domains and DMARC authentication, get in touch with us to discuss how we can assist you!





