Trusted Sender Score - Metrics & Methodology
What metrics are in the Trusted Sender Score algorithm?
The Trusted Sender Score metrics are various inputs based on email configuration, Domain Name System (DNS) records and other security elements such as SSL / TLS. Certain assumptions are made:
1.) The DNS entries are in the control of, or under the instruction of, the domain owner.
2.) M3AAWG email sending best practices continue to be used as a benchmark by webmail and email service providers.
3.) DMARC compliance based on RFC 7489, as defined by the algorithm published on GitHub by Zulu Labs founder David Barnes and applied by other applications such as MX Toolbox, is accepted by users of the Trusted Sender Score.
4.) Until proven otherwise, DMARC-authenticated domains can still be spoofed; double-check authentication, however, is safe.
You can view the timeline of the research and production that went into Trusted Sender Score here. Essentially, when Gmail, Yahoo, AOL and Hotmail began mandating a significant change to email authentication for email service providers, it triggered a series of events that has led us to a score that represents the trustworthiness of a domain with respect to email.
The Trusted Sender Score algorithm is made up of 14 condition-based metrics. These metrics are the basis of what webmail providers have been including in their feedback loops for many years, with some key modifications.
The metrics include:
- DMARC compliance (there are two key variables; the first is a reject or quarantine policy, checked using the free algorithm we built, which can be found here).
- The second component of the equation is based on the domain using only double-check DMARC implementations, which means it is impossible to spoof the domain. We spoofed single-check DMARC and our CEO published this blog on SourceForge. The first check and part of the second check can be done using DNS lookups; from there we check certain entries against known email platforms that do not allow for double check, in which case the result is zero.
- Other checks use Whois record lookups, which are important to verify the domain owner's physical address; DNSSEC is also important.
- Publishing an anti-spoof policy is vital, as it helps any email user to verify which domains are being used and how. We have a sample in the footer of this page.
- On top of all of that we also look for email subscriber forms that are not email-only and ask for some relevant information, SSL and finally user feedback.
All of that is combined, sometimes with a weighting applied depending on the results, to give email users, domain owners and anyone else with an interest a simple score that is highly complex in its engineering.
We have even provided domain owners with their own tools to manage this process, mostly free of charge, so there is no excuse not to protect us from email scams.
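As an added example (not Zulu Labs' published algorithm), the DMARC policy component described above can be modelled by parsing a `_dmarc` TXT record per RFC 7489 and mapping its policy to a score. The weights, function names and sample records are assumptions constructed here, and the code runs offline on the embedded records rather than performing the DNS lookup.

```python
# Added example, not Zulu Labs' code: score the DMARC policy component
# from a record's RFC 7489 tag-value syntax. Weights are assumptions.
POLICY_WEIGHT = {"reject": 1.0, "quarantine": 0.5, "none": 0.0}  # assumed

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a valid
    DMARC record (RFC 7489: 'v=DMARC1' must come first, 'p' is required)."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None  # e.g. an SPF record or an unrelated TXT at _dmarc
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag, treat as no usable record
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in POLICY_WEIGHT:
        return None  # missing or unknown policy value
    return tags

def dmarc_policy_metric(txt):
    """Map a DMARC record to a policy-strength score in [0, 1].
    Invalid or absent records score 0, like a domain with no DMARC."""
    tags = parse_dmarc(txt)
    if tags is None:
        return 0.0
    score = POLICY_WEIGHT[tags["p"].lower()]
    # pct= below 100 applies the policy to only a sample of mail; the rest
    # is effectively p=none, so scale the score down accordingly.
    pct = tags.get("pct", "100")
    if pct.isdigit():
        score *= max(0, min(100, int(pct))) / 100
    # A weaker subdomain policy (sp=) leaves subdomains spoofable, so the
    # domain is only as strong as its weakest published policy.
    sp = tags.get("sp", "").lower()
    if sp in POLICY_WEIGHT:
        score = min(score, POLICY_WEIGHT[sp])
    return round(score, 3)

# Constructed sample records (in practice fetched as TXT at _dmarc.<domain>)
SAMPLES = {
    "reject":          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "quarantine-half": "v=DMARC1; p=quarantine; pct=50",
    "reject-weak-sp":  "v=DMARC1; p=reject; sp=none",
    "not-dmarc":       "v=spf1 -all",
}
if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:16} -> {dmarc_policy_metric(rec)}")
```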
Are we open to feedback and suggestions?
We most certainly are. Please feel free to send in your feedback or make suggestions relating to any aspect of the app. In particular, we are always seeking suggestions as to where and how you would like to use the domain scoring and how we could make your lives easier and safer online, and off in some cases.
Is it likely that the Trusted Sender Score metrics or algorithm will change?
Absolutely. As standards develop or improve we will need to adjust the weighting of current metrics, as well as introduce or even remove metrics as the internet and email develop. For example, in 2020 HSTS is being phased in and we see that as a need to monitor and enhance the algorithm.
We pledge that all changes will be applied across every domain evenly.
Are Trusted Sender Scores viewed in real-time or are they cached?
Trusted Sender Scores are not compiled in real time. To handle the sheer volume of domains and the resource-intensive services we run, we compile the necessary metrics and perform some pre-calculations once a day. We try to update scores twice monthly, which is more than enough considering project times for most established domains take more than 4 weeks.
For domains not yet in the database we provide an indicative score, which is fairly accurate; however, the final score will be published within hours and sometimes up to 3 days after the initial search.