Overview: to ensure outbound email has the best possible reputation score "out of the box", without using expensive "Email Reputation Consultants", follow this tested guide.
- Step 1: Register a new domain (or recycle existing) that will exclusively be used only to send email, not for website access
- It is vital that no custom DNS records be added, not even a WWW record for a web server
- Add to Microsoft 365, and configure Microsoft to host the DNS zone (not a 3rd-party ISP)
- IMPORTANT:
- Do NOT add any custom DNS records (apart from DKIM/DMARC & BIMI below)
- Organizations with a trademarked logo should add a BIMI record and VMC certificate; contact us for assistance (average certificate cost $1000 to $1500 per year, depending upon CA provider)
- Do NOT edit the SPF record, MX record or any other records
- Do NOT add a WWW record or any other website record
- If you want to know why, expect a consultancy fee; after-all this valuable article is being provided to you for free!
- ..."but what about the website?" Please go back to Step 1
- Enable DKIM in Exchange Online and Microsoft DNS
- See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal
- Add DKIM CNAME records
- Step i: copy the generated DKIM records (CNAMEs) from https://security.microsoft.com/dkimv2
- Step ii: add the CNAMEs to Microsoft DNS
- Record type: CNAME
- Record hostname 1: selector1._domainkey
- Record hostname 2: selector2._domainkey
- Values ("points to"): (as copied in step i)
- Step iii (After allowing 15 mins. for DNS propagation): Enable DKIM signing (same URL as in step i)
- Add DMARC record to domain, using the strict ("reject") format:
- Record type: TXT
- Record name: _dmarc.my-domain-name.com (note the leading underscore "_" character)
- Record value: v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc@my-domain-name.com;ruf=mailto:dmarc@my-domain-name.com;ri=86400;aspf=s;adkim=s;fo=1
- Ensure that aliases/mailboxes exist for dmarc@
- Check domain using external tools such as https://testconnectivity.microsoft.com/
- More info at https://learn.microsoft.com/en-us/defender-office-365/email-authentication-dmarc-configure
- Add List-Unsubscribe rule to Exchange Online mail flow
- Exchange Admin Centre > Mail flow > Rules > Add > Add Rule: Modify Messages
- Name: List-Unsubscribe
- Apply rule if: The sender | domain is my-domain-name.com
- Do the following: Modify the message properties | set a message header
- Set the message header: List-Unsubscribe
- ...to the value: <mailto:unsubscribe@my-domain-name.com?subject=unsubscribe>
- Rule mode: Enforce
- [Finish], then set Status: Enabled
- Make sure that the unsubscribe@ email address is added as an alias to a real user mailbox, so that you can act on any unsubscribe requests.
- Add BIMI brand logo
- Important if emailing Apple/Gmail/Yahoo email recipients
- Must be square dimensions (ideally 200x200px), SVG "baseProfile" attribute set to "tiny-ps", version 1.2
- Conversion tool at: https://bimigroup.org/svg-conversion-tools-released/
- Upload the logo to a web server on the same domain as the email domain; example: https://my-domain-name.com/bimi-logo.svg
- Add TXT record
- Name: default._bimi.my-domain-name.com
- Value: v=BIMI1; l=https://my-domain-name.com/bimi-logo.svg;
- The DMARC record's policy option (p) must be set to quarantine or reject, and the percentage option (pct) must be set to 100
- Verify at https://bimigroup.org/bimi-generator/
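The DMARC tags above and the BIMI dependency on them can be checked mechanically before the records go live. This is an added example, not from this article: it parses constructed copies of the record templates above (in use, fetch the real ones with a TXT lookup of `_dmarc.<domain>` and `default._bimi.<domain>`), reports any deviation from the strict policy, and says whether the BIMI prerequisites are met.

```python
"""Check a DMARC record against the strict policy above and the BIMI prerequisites.
Added example, not from the article; the records are constructed copies of its templates.
In use you would fetch them by a TXT lookup of _dmarc.<domain> and default._bimi.<domain>."""

# Constructed sample records (the stray spaces before ';' are legal per RFC 7489).
DMARC_RECORD = ("v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc@my-domain-name.com ;"
                "ruf=mailto:dmarc@my-domain-name.com ;ri=86400;aspf=s;adkim=s;fo=1")
BIMI_RECORD = "v=BIMI1; l=https://my-domain-name.com/bimi-logo.svg;"


def parse_tags(record: str) -> dict:
    """Split a 'tag=value;' record into a dict; whitespace around ';' and '=' is ignored."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return deviations from the article's policy; an empty list means it matches."""
    t = parse_tags(record)
    problems = []
    if t.get("v") != "DMARC1":
        problems.append("missing or wrong version tag (v=DMARC1)")
    # Reject for the domain and its subdomains, strict SPF and DKIM alignment.
    for tag, want in {"p": "reject", "sp": "reject", "aspf": "s", "adkim": "s"}.items():
        have = t.get(tag, t.get("p") if tag == "sp" else None)   # sp defaults to p
        if have != want:
            problems.append(f"{tag}={have or '<absent>'} (expected {want})")
    if int(t.get("pct", "100")) != 100:                            # pct defaults to 100
        problems.append(f"pct={t['pct']} (expected 100)")
    if not t.get("rua", "").startswith("mailto:"):
        problems.append("rua must be a mailto: address so aggregate reports are delivered")
    return problems


def bimi_allowed(dmarc_record: str, bimi_record: str) -> bool:
    """BIMI needs DMARC p=quarantine|reject with pct=100 and an HTTPS logo URL."""
    d, b = parse_tags(dmarc_record), parse_tags(bimi_record)
    policy_ok = d.get("p") in ("quarantine", "reject") and int(d.get("pct", "100")) == 100
    logo_ok = b.get("v") == "BIMI1" and b.get("l", "").startswith("https://")
    return policy_ok and logo_ok


if __name__ == "__main__":
    print("DMARC deviations:", check_dmarc(DMARC_RECORD) or "none")
    print("BIMI prerequisites met:", bimi_allowed(DMARC_RECORD, BIMI_RECORD))
```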
- Disable IMAP, POP and authenticated SMTP for all users whose primary domain is this dedicated email domain; users must ONLY send using Outlook Desktop (MAPI), Exchange ActiveSync, Exchange Web Services (EWS) or Outlook on the web (OWA), so that their office or broadband IP address does not appear in the message headers.
- Enforce MFA on all users, such as Microsoft Authenticator app & SMS
- Instruct iPhone and Android users to send using the Microsoft Outlook app rather than built-in mail apps
- Tighten M365 inbound Anti-Spam/phishing policies
- Important: if some of your mailboxes are not hosted on Microsoft (a "hybrid" deployment), then implement changes on the alternate mail server to handle the "junk" email headers; see https://learn.microsoft.com/en-us/exchange/standalone-eop/configure-eop-spam-protection-hybrid
- Navigate to https://security.microsoft.com > Email & Collaboration > Policies & rules > Threat policies > Anti-spam > Inbound: [Edit spam threshold and properties]
- Empty message: On
- JavaScript or VBScript in HTML: On
- Frame or iFrame in HTML: On
- Web bugs in HTML: On
- Object tags in HTML: On
- Sensitive words: On
- SPF record hard fail: On
- Sender ID filtering hard fail: On
- Backscatter: On
- From these countries: [Add any countries to block; begin typing the name and choose from the list]
- [Save], then edit Description: "Customized" [Save]
- Edit Actions
- Retain spam in quarantine for this many days: 30
- As above, edit the anti-phishing policy, enabling:
- User protection
- Domain protection ("Include domains I own")
- Mailbox intelligence
- Actions: Move to junk (or quarantine)
- [Save]
- REQUIREMENT: An admin will need to check monthly (or weekly) whether any "false positives" need to be released from quarantine; navigate to https://security.microsoft.com > Email & Collaboration > Review > Quarantine
- Recommended: Enable native external sender callouts
- Optional: Append threat check statements to all emails
- Navigate to https://admin.exchange.microsoft.com/#/transportrules
- Create new rule > Rule name: Checked for INBOUND spam
- Apply rule if: The Sender: External/Internal > OUTSIDE organization
- Text: (Copy & paste the following line)
✉✅ INBOUND: Checked for threats (spam, phishing, malware/virus) by Microsoft™ 365 Exchange Online
- Fallback action: Wrap
- Next > "Enforce" > Next > Finish
- IMPORTANT: Set rule status: Enabled
- Create new rule > Rule name: Checked for OUTBOUND spam
- Apply rule if: The Sender: External/Internal > INSIDE organization
- Do the following: Apply a disclaimer to the message (Append)
- Text: (Copy & paste the following line)
✉✅ OUTBOUND: This email was checked for threats (spam, phishing, malware/virus) by Microsoft™ 365
- Fallback action: Wrap
- Next > "Enforce" > Next > Finish
- IMPORTANT: Set rule status: Enabled
- CONTENT (phone numbers): Ensure any "tel://" links or plain telephone numbers are registered
- Many responsible providers are using 3rd-party verification of telephone numbers, and if your numbers are not registered they may be scored negatively, affecting the overall "unsolicited" score of your emails
- Some verification providers have allowed businesses to register their numbers for free, such as Hiya - see https://www.hiya.com/products/registration
- CONTENT (general): Ensure email signatures and email content adhere to "good practice" for email, such as:
- Subject line: maximum of 255 characters (160 is safer limit)
- Test special UTF-8 characters on Gmail / Outlook / iPhone (see https://symbl.cc/en/)
- Recipients: maximum number of recipients generally 300 (50 is safer limit)
- Other limits:
- No more than 30 emails per minute, and no more than 10,000 per day
- 25 MB maximum attachment size (10 MB is safer)
- Check recipient server if unsure (some only allow plain text, or restrict attachment size)
- Text limit 5,000 characters (about 1,000 words); this spans around 2 average pages and takes around 3 minutes to read. Anything more should be in an attachment.
- All links (inc. external images) via HTTPS (SSL/TLS)
- Images/videos/audio:
- Include an ALT attribute for all images, specify the exact image size, and add the "nosend" attributes (nosend="1" border="0")
- Size no larger than 600 px
- Non-static media: No GIFs, no video, no audio; feel free to link to external media
- PNG or JPG, no other formats
- Allow for "dark mode"; don't assume the recipient's background is white in their email client
- Tables: use HTML tables instead of DIVs
- HREFs: force clean style (style="text-decoration:none;")
- CSS: do not use stylesheets (<style> blocks or external CSS files); if styling is required, put it in an inline "style" attribute on each element
- Fonts: only use web-safe fonts: Arial, Verdana, Tahoma, Trebuchet MS, Times New Roman, Georgia, Garamond, Courier New, Brush Script MT, Cursive Sans, Helvetica, Oswald
- Do not use bullets, check-marks or numbering
- Minify all HTML; ensure "full" HTML (stand-alone document)
- Plain text version supported, max. 5,000 characters
- Attachments:
- ZIP files to increase chance of passing filtering
- Only attach unzipped if file format can be easily viewed online (PDF, Word, Excel)
- Generally accepted maximum size of an entire email is 25 MB, inc. attachments
- Test all email signatures on variety of mobile devices
- If sending using a mobile, edit the signature (“Sent from my iPhone" is an automatic negative score!)
- Give thought to avoiding phrases that recipient mail servers may flag as spam, such as "Flash sale!"
- Familiarize all senders with local country regulation and legislation about sending emails
- Do not send repeat unsolicited emails, if indeed any at all...
- Do not use offensive or inappropriate language, innuendo or slang
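A pre-send check for the content rules in this list and for the List-Unsubscribe header set by the mail flow rule above. This is an added example, not the article's own code: the subject limit and image size are the "safer" values given above, the HTML checks cover HTTPS links, ALT text, explicit image size, PNG/JPG only and no stylesheets, and the sample message is constructed.

```python
"""Pre-send lint of an outbound message against the content checklist above and the
List-Unsubscribe rule. Added example, not from the article; limits are the article's
'safer' values and the sample message is constructed."""
from email.message import EmailMessage
from html.parser import HTMLParser

SAFE_SUBJECT, MAX_IMG_PX = 160, 600


class _HtmlAudit(HTMLParser):
    """Collects the image, link and CSS findings the checklist names."""
    def reset(self):
        super().reset()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = (a.get("src") if tag == "img" else a.get("href")) or ""
        if tag in ("style", "link"):
            self.findings.append("stylesheet found; use inline style attributes only")
        if url and not url.lower().startswith("https://"):
            self.findings.append(f"non-HTTPS link: {url}")
        if tag == "img":
            w, h = a.get("width"), a.get("height")
            if not a.get("alt"):
                self.findings.append(f"image without alt text: {url}")
            if not (w and h) or max(int(w), int(h)) > MAX_IMG_PX:
                self.findings.append(f"image without explicit size, or over {MAX_IMG_PX}px: {url}")
            if url.lower().split("?")[0].rsplit(".", 1)[-1] not in ("png", "jpg", "jpeg"):
                self.findings.append(f"image is not PNG/JPG: {url}")


def lint_message(msg: EmailMessage) -> list:
    """Return checklist violations; an empty list means the message passes."""
    findings = []
    if len(msg["Subject"] or "") > SAFE_SUBJECT:
        findings.append(f"subject longer than {SAFE_SUBJECT} characters")
    if not (msg["List-Unsubscribe"] or "").strip().startswith("<mailto:"):
        findings.append("List-Unsubscribe header missing or not a <mailto:...> URI")
    html = msg.get_body(("html",))
    if html is not None:
        audit = _HtmlAudit()
        audit.feed(html.get_content())
        findings += audit.findings
    return findings


def sample_message() -> EmailMessage:
    msg = EmailMessage()   # constructed sample, with the header the Exchange rule above adds
    msg["Subject"], msg["From"], msg["To"] = "Quarterly update", "news@my-domain-name.com", "a@example.com"
    msg["List-Unsubscribe"] = "<mailto:unsubscribe@my-domain-name.com?subject=unsubscribe>"
    msg.set_content("Hello, this is the plain-text version.")
    msg.add_alternative('<html><body><img src="https://my-domain-name.com/banner.png" alt="Banner" width="600" '
                        'height="200"><img src="http://cdn.example.com/spin.gif"></body></html>', subtype="html")
    return msg
```

Running `lint_message(sample_message())` reports only the second image: it is fetched over plain HTTP, has no ALT text, no explicit size, and is a GIF.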
- Additional steps: feel free to contact us to discuss additional steps that your organization can implement to retain and improve your email reputation scores. Other 3rd-party tools which may be of use include:
- https://unspam.email/ - send an email and have it analyzed
- https://glockapps.com/inbox-email-tester/ - send an email and have it analyzed