The "Internet of Things" to Increase Reliance on Domain Based Reputation

Just like “Big Data”, the “Internet of Things” is quickly becoming the most recent buzz-worthy term in the business and internet world. It essentially describes how a large number of devices become interconnected and communicate via the internet. While it is not a new concept, it’s becoming more of a reality and getting a lot of attention from companies like Google and Cisco.  Several sources forecast an additional ten billion devices could be brought online by 2018.

Device Forecast

With billions more devices connecting via the internet and communicating with each other or with other people over the next decade, there is a huge opportunity for abuse. An example of this kind of abuse was referenced in a recent Engadget article which reported that thousands of smart gadgets were hacked to send spam and phishing emails. Now imagine what it will be like when billions of other devices are connected to the Internet – it is a little overwhelming to think of the possible implications. On the one hand it could provide your business with a whole new way to serve and communicate with your customers; on the other, it could also give spammers and phishers more opportunities to harm your brand and your subscribers.

Why will the "Internet of Things" lead to increased reliance on domain reputation?

Many of you are already familiar with the concept of an IP address, which is needed to connect computers and devices to the internet. For years, the business and computing world has used a specific version of an IP address (IPv4) without much concern about running out of numbers (there are a total of 4.3 billion IPv4 IP addresses available). However, with the increase in the number of computers and computing devices, the number of IPv4 addresses will run out eventually. In 1998, the Internet Engineering Taskforce (IETF) created a new IP standard called IPv6 to address this issue. The total number of IPv6 addresses that are available is unimaginably large, but basically it is in the hundreds of trillions – we won’t run out anytime soon.

Since sending reputation is primarily based on your IP address, over time it will essentially be impossible to calculate a sending reputation based on the IP address alone using the new IPv6 version. Using an IPv6 IP address, spammers could send one message from one IP address and never use it again. It would be nearly impossible to stop. As a result, the domain(s) that you use will become more of a focal point when calculating your sending reputation.

According to George Bilbrey, Co-founder and President at Return Path: "Domain reputation is becoming more important over time.  It has been the case and continues to be the case that *both* IP and domain reputation will be considered in making inbox placement decisions.  IP reputation checks are inexpensive to make.  Domain reputation checks, particularly those that are tied to authenticating the domain via DKIM, are a little more expensive to make (they require more computational resources)."

He adds: "There are a few things that are making domain reputation more important from a mailbox provider view:

  1. DMARC makes checking DKIM more interesting for more mailbox providers.  Since they are already checking DKIM, domain reputation now makes more sense.
  2. Mailbox providers need to accept mail over IPv6.  IPv4 blacklists (and reputation services) are very effective.  IPv6 gives too much “room to hide”  to create an effective blacklist.  Domain reputations can work well in an IPv6 world (as would IPv6 or domain whitelists)."

What should I do now?

First of all, don’t panic. IPv6 is being adopted slowly and connecting an “Internet of Things” is no small task. You’ll be able to use your current IP addresses for some time. Mailbox providers will continue to use a combination of IP and domain reputation in the foreseeable future since domains can be easily spoofed and until more effective domain reputation protocols can be developed and adopted. In the meantime, here are some tips for maintaining a high reputation:

  1. Keep tracking your IP reputation using Return Path’s Sender Score, Inbox Monitor and any internal methods but start paying attention to your domain(s). If you are tracking complaint rates, unknown user rates and other metrics by IP address, start to track them by domain. High volume and bad performing IP addresses can hurt the domain reputation, so ensure that all IPs and email streams that share common domains are performing at a high level.
  2. Ensure you are authenticating with SPF and DKIM. If you aren’t, get started right away. Read Dale Langley's blogs on creating an SPF record and DKIM record.
  3. Consider using DMARC and start to receive the summary reports by setting “p=none” in the DMARC record.  Also, check out Return Path’s Email Brand Monitor, Domain Secure and Domain Protect products for additional help and information on protecting your domains and your brand.
  4. Keep the number of domains (mail-from, DKIM, sender-from, content URLs) to as minimal a number as possible, depending on the needs of your email program. A higher number of domains will make it easier for spammers and phishers to exploit them and make it more difficult to track and monitor.
  5. If you include 3rd party domains in your email, keep a close eye on the performance of those email campaigns or email streams. You may be unknowingly identifying yourself as a potential spammer if those domains are on domain blacklists or are associated with spam.
  6. Regularly monitor domain blacklists such as SURBL, URIBL and Spamhaus DBL to ensure your domains are not listed. If your domain is listed, be sure to investigate and fix the root cause to avoid future listings.
  7. Be careful when using affiliate marketing and be sure you fully understand the affiliate’s sending practices. It is preferred that you don’t use affiliates, but if you do, perform your due diligence and understand the risks. An affiliate that is blasting out your domain can place your domain on blacklists as well as harm your sending reputation and inbox placement at mailbox providers such as Gmail.

While the actual adoption of a purely domain based reputation system is unlikely anytime in the near future, don’t be caught off guard. Mailbox providers are relying on your domain reputation for filtering decisions and this reliance will only increase as more computing devices are connected to the "Internet of Things". And, as domain reputation becomes more ingrained in the spam filter algorithms at the major mailbox providers, Return Path will be ready to assist you.