Trusted Sender Score - Metrics & Methodology

What metrics are in the Trusted Sender Score algorithm?

The Trusted Sender Score metrics are various inputs based on email configuration, Domain Name System (DNS) records and other security elements such as SSL / TLS. Certain assumptions are made:

1.) The DNS entries are in the control, or under the instruction, of the domain owner.
2.) M3AAWG email sending best practices continue to be used as a benchmark by webmail and email service providers.
3.) DMARC compliance based on RFC 7489, as defined by the algorithm published on GitHub by Zulu Labs founder David Barnes and applied by other applications such as MX Toolbox, is accepted by users of the Trusted Sender Score.
4.) Until proven otherwise, DMARC-authenticated domains can still be spoofed, but double check authentication is safe.

You can view the timeline that went into the research and production of Trusted Sender Score here. Essentially, when a significant change to email authentication started to be mandated by Gmail, Yahoo, AOL and Hotmail for email service providers, it triggered a series of events that has led us to a score that represents the trustworthiness of a domain with respect to email.

Given that more than 90% of email users are protected by Anti-SPOOF authentication, there is no reason for anyone to suffer from an email scam, an email hoax or any crime that uses email in a fraudulent manner. If domain owners just implemented the free steps to secure their domain, we would have next to no SPAM and negligible email attacks.

The Trusted Sender Score algorithm is made up of 14 condition-based metrics. These metrics are the basis of what webmail providers have been including in their feedback loops for many years, with some key modifications.

The metrics include:

  • DMARC compliance (there are two key variables: a reject or quarantine policy, and the free algorithm we built, which can be found here).
  • The second component to the equation is based on the domain only using double check DMARC implementations. That means it is impossible to SPOOF the domain. We spoofed single check DMARC and our CEO published this blog on SourceForge. The first check and part of the second check can be done using DNS lookups; from there we check certain entries against known email platforms that do not allow for double check, and in that case the result is zero.
  • Other checks use WHOIS record lookups, which are important for verifying the domain owner's physical address; DNSSEC is also important.
  • Publishing an Anti-SPOOF policy is vital, as this helps any email user to verify which domains are being used and how. We have a sample in the footer of this page.
  • On top of all of that, we also look for email subscriber forms that ask for some relevant information rather than just an email address, SSL, and finally user feedback.

That is all combined, sometimes with a weighting applied depending on the results, to give email users, domain owners and anyone else with an interest a simple score that is highly complex in its engineering.
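The DMARC part of the first metric is the one piece of the methodology that is fully specified by a public standard, so as an added illustration (this is not Zulu Labs' published algorithm, and the point values are my own assumption for demonstration) here is how the reject / quarantine distinction is read from a domain's `_dmarc` TXT record under RFC 7489. The DNS lookup itself is left to the caller; the records below are constructed samples of what such a lookup would return, including the edge cases the RFC says to handle: a record with no `p=` tag, and a domain that publishes two DMARC records.

```python
"""Classify a domain's DMARC policy from its _dmarc TXT record(s).

Added example, not the Trusted Sender Score project's own code. Assumes the
caller has already fetched the TXT answers for _dmarc.<domain>; the samples
below are constructed for illustration only.
"""
from typing import Optional

# Constructed sample TXT answers, keyed by the _dmarc hostname that would be queried.
SAMPLE_TXT = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s"],
    "_dmarc.soft.example": ["v=DMARC1; p=quarantine; pct=50; sp=none"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"],
    "_dmarc.broken.example": ["v=DMARC1; rua=mailto:x@broken.example"],   # no p= tag
    "_dmarc.dup.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],      # two records
    "_dmarc.mixed.example": ["google-site-verification=abc123", "v=DMARC1; p=reject"],
    "_dmarc.missing.example": [],                                          # nothing published
}

# Assumed (constructed) point values: only reject/quarantine count as compliant.
POLICY_POINTS = {"reject": 2, "quarantine": 1, "none": 0, "absent": 0}


def parse_dmarc(record: str) -> Optional[dict]:
    """Return a DMARC record's tag=value pairs, or None if it is not a DMARC record.

    RFC 7489 section 6.3: tags are separated by ';' and the first tag MUST be
    v=DMARC1 (exact value); anything else is not a DMARC record and is ignored.
    """
    parts = [p.strip() for p in record.split(";")]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            return None  # malformed tag: treat the whole record as unusable
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(txt_records: list) -> str:
    """Classify the policy from the TXT answers at _dmarc.<domain>.

    Returns 'reject', 'quarantine', 'none' or 'absent'. Per RFC 7489
    section 6.6.3: non-DMARC TXT records are discarded first; if zero or more
    than one DMARC record remains, no policy applies. A record whose p= tag is
    missing or invalid is treated as p=none when it carries a mailto: rua tag,
    and is otherwise ignored.
    """
    valid = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if len(valid) != 1:
        return "absent"
    tags = valid[0]
    policy = tags.get("p", "").lower()
    if policy in ("reject", "quarantine", "none"):
        return policy
    if tags.get("rua", "").lower().startswith("mailto:"):
        return "none"
    return "absent"


def dmarc_points(txt_records: list) -> int:
    """Score the DMARC policy component using the assumed POLICY_POINTS table."""
    return POLICY_POINTS[effective_policy(txt_records)]


if __name__ == "__main__":
    for host, answers in SAMPLE_TXT.items():
        print(f"{host:28s} policy={effective_policy(answers):10s} points={dmarc_points(answers)}")
```

Two of the constructed cases show why reading the `p=` tag alone is not enough: `broken.example` has no `p=` tag but still reports to a `rua` address, so the RFC says to treat it as `p=none`, while `dup.example` publishes both a reject and a none record and therefore gets no policy at all, scoring the same as a domain with nothing published.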

We have even provided domain owners with their own tools to manage this process, mostly free of charge, so there is no excuse not to protect us from email scams.