First, some background.
For reasons I will not go into here, it is technically very straightforward to ‘spoof’ an email address. I could within the space of ten minutes set up an email account, send you an email, and pretend it is from any email address in the world. This is why when you get an email from bill@microsoft.com or elonmusk@tesla.com you can be pretty sure it is junk.
This does NOT mean their systems have been compromised and used to send that email, the actual email will not originate from or go anywhere near their systems. It’s like me phoning you up and pretending to be either of these people. It’s simply a lie.
Over the years various systems have been developed to help email systems spot these “spoofed” emails. In the early days, emails would be marked as junk based on content or design, attachment types and so on. These filters usually worked but were not foolproof and caused ‘false positives’ so genuine email is marked as junk (as as we used to call it, spam). Over the years I have seen genuine emails get discarded simply because they had links to various social media sites (e.g. a link to twitter) listed on the email footer or were pictures of text as opposed to pictures and text. Some email filters still employ these kinds of techniques as a line of defence, but for some time now there have been some extra and better tools in the toolbox to prevent junk mail as we shall see below.
There are now three well established tools we can use to help ensure genuine email that you send gets delivered and try and stop spoofers pretending to be you. They are called SPF, DKIM and DMARC. If you would like to read detailed, technical information about these tools (I wouldn’t) start here:
If (after reading these articles), your brain hurts, or you have wisely skipped those links, lets call these tools Fred, Wilma and Bam-Bam and let me give you an easier explanation:
SPF, DKIM and DMARC for Dummies
The SPF Record (Fred)
Fred is pretty clever. He knows which servers are allowed to send email from your domain. When emails from your domain are received by an email server it will check to see if they are on Fred’s list. If they aren’t on his list there is something dodgy about those emails.
The DKIM record (Wilma)
Wilma is also pretty clever, and she has a magical key. All emails you send have an equally magical lock hidden inside them that can only be unlocked by Wilma’s magical key. When emails from your domain are received by an email server, they’ll call up Wilma and see if she thinks the emails are genuine. If Wilma can’t unlock the magical lock with her magical key then there is something a bit dodgy about those emails.
DMARC (Bam-Bam)
Bam-Bam is not so smart but she is pretty loud and will do what you tell her to. If Fred or Wilma spot there’s something dodgy going on Bam-Bam will hold up a sign that says “that email is junk” or “that email is genuine”. Not only that but BamBam can give out her email address and ask servers across the whole world to let her know how things are going with the whole good email versus evil email situation.
A final note…
There are lots of reasons why emails you send might go into the recipients spam, but unless you have your SPF, DKIM and DMARC properly set up, we can probably identify the root cause, but might not be able to stop it.