Overview: to ensure outbound email has the best possible reputation score "out-of-the box", without using expensive "Email Reputation Consultants", follow this tested guide.
- Step 1: Register a new domain (or recycle existing) that will exclusively be used only to send email, not for website access
- It is vital that no custom DNS records be added, not even a WWW web server
- Add to Microsoft 365, and configure Microsoft to host the DNS zone (not a 3rd-party ISP)
- IMPORTANT:
- Do NOT add any custom DNS records (apart from DKIM & DMARC below)
- Organizations with a trademarked logo should add a BIMI record and VMC certificate; contact us for assistance (average certificate cost $1000 to $1500 per year, depending upon CA provider)
- Do NOT edit the SPF record, MX record or any other records
- Do NOT add a WWW record or any other website record
- If you want to know why, expect a consultancy fee; after-all this valuable article is being provided to you for free!
- ..."but what about the website?" Please go back to Step 1
- Do NOT add any custom DNS records (apart from DKIM & DMARC below)
- IMPORTANT:
- Enable DKIM in Exchange Online and Microsoft DNS
- See https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide#steps-to-create-enable-and-disable-dkim-from-microsoft-365-defender-portal
- Add DKIM CNAME records
- Step i: copy the generated DKIM records (CNAMEs) here https://security.microsoft.com/dkimv2
- Step ii: add the CNAMEs to Microsoft DNS
- Record type: CNAME
- Record hostname 1: selector1._domainkey
- Record hostname 2: selector2._domainkey
- Values ("points to"): (as copied in step i)
- Step iii (After allowing 15 mins. for DNS propogation): Enable DKIM signing (same URL as in step i)
- Add DMARC record to domain, using the strict ("reject") format:
- Record type: TXT
- Record name: _dmarc.my-domain-name.com (note the leading underscore "_" character)
- Record value: v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc@my-domain-name.com ;ruf=mailto:dmarc@my-domain-name.com ;ri=86400;aspf=s;adkim=s;fo=1
- Ensure that aliases/mailboxes exist for dmarc@
- Check domain using external tools such as https://testconnectivity.microsoft.com/
- Disable IMAP/POP/SMTP for all users whose primary domain is this dedicated email domain; users must ONLY send using Outlook Desktop (MAPI), Exchange ActiveSync, Exchange Web Services (EWS) protocols, or Outlook online (OWA) thus removing their office or broadband IP from the email header.
- Enforce MFA on all users, such as Microsoft Authenticator app & SMS
- Instruct iPhone and Android users to send using the Microsoft Outlook app rather than built-in mail apps
- CONTENT: Ensure email signatures and email content adheres to "good practice" for emails, such as:
- Subject line: maximum of 255 characters (160 is safer limit)
- Recipients: maximum number of recipients generally 300 (50 is safer limit)
- Other limits:
- No more than 30 emails per minute, and no more than 10,000 per day
- 25 MB maximum attachment size (10 MB is safer)
- Check recipient server if unsure (some only allow plain text, or restrict attachment size)
- Text limit 5,000 characters (about 1,000 words); would span around 2 average pages and take around 3 minutes to read....anything more should be in an attachment.
- All links (inc. external images) via SSL
- Images/videos/audio:
- Include ALT tag for all images, specify exact image size, "-nosend-" tags (nosend="1" border="0")
- Size no larger than 600 px
- Non-static media: No GIFs, no video, no audio; feel free to link to external media
- PNG or JPG, no other formats
- Allow foo "dark mode"; don't assume the recipient's background is white in their email client
- Tables: use HTML tables instead of DIVs
- HREFs: force clean style (style="text-decoration:none;")
- CSS: do not use CSS; each element must have "style" tag (if styling required)
- Fonts:
- Only use web-safe fonts (Arial, Arial Black, Gadget, Comic Sans MS, Impact, Charcoal, Lucida Sans Unicode, Lucida Grande, Tahoma, Geneva, Trebuchet MS, Verdana, Courier New, Lucida Console, and Times New Roman)
- Do not use bullets, check-marks or numbering
- Minify all HTML; ensure "full" HTML (stand-alone document)
- Plain text version supported, max. 5,000 characters
- Attachments:
- ZIP files to increase chance of passing filtering
- Only attach unzipped if file format can be easily viewed online (PDF, Word, Excel)
- Generally accepted maximum size of an entire email is 25 MB, inc. attachments
- Test all email signatures on variety of mobile devices
- If sending using a mobile, edit the signature (“Sent from my iPhone" is an automatic negative score!)
- Give thought to avoiding phrases that recipient mail servers may flag as spam, such as "Flash sale!"
- Familiarize all senders with local country regulation and legislation about sending emails
- Do not send repeat unsolicited emails, if indeed any at all...
- Do not use offensive or inappropriate language, innuendo or slang
- Additional steps: feel free to contact us to discuss additional steps that your organization can implement to retain and improve your email reputation scores. Other 3rd-party tools which may be of use include:
- https://unspam.email/ - send an email and have it analyzed
- https://glockapps.com/inbox-email-tester/ - send an email and have it analyzed
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article