<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Email Delivery, End to End | Antoine Weill--Duflos</title>
    <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/</link>
      <atom:link href="https://antoine.weill-duflos.fr/en/courses/email-delivery/index.xml" rel="self" type="application/rss+xml" />
    <description>Email Delivery, End to End</description>
    <generator>Hugo Blox Builder (https://hugoblox.com)</generator><language>en-us</language><lastBuildDate>Mon, 29 Jun 2026 00:00:00 +0000</lastBuildDate>
    <image>
      <url>https://antoine.weill-duflos.fr/media/icon_hu_d686267daab28486.png</url>
      <title>Email Delivery, End to End</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/</link>
    </image>
    
    <item>
      <title>SMTP Basics</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/01-smtp-basics/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0100</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/courses/email-delivery/01-smtp-basics/</guid>
      <description>&lt;h2 id=&#34;what-smtp-is&#34;&gt;What SMTP is&lt;/h2&gt;
&lt;p&gt;The Simple Mail Transfer Protocol (SMTP) is the backbone of email. It is the standard that lets mail move between different servers and networks. Think of it as the postal service of the internet: when you send a message, your client hands it to an SMTP server, that server figures out how to route it, the message travels across the internet to the recipient&amp;rsquo;s mail server, and that server drops it into the inbox.&lt;/p&gt;
&lt;p&gt;Just as postal workers follow set procedures to sort and deliver physical mail, SMTP servers follow standardized commands and responses.&lt;/p&gt;
&lt;h2 id=&#34;the-pieces-involved&#34;&gt;The pieces involved&lt;/h2&gt;
&lt;p&gt;A message passes through several agents on its journey:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;MUA (Mail User Agent)&lt;/strong&gt;: your email client, such as Gmail&amp;rsquo;s web app or Outlook.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MSA (Mail Submission Agent)&lt;/strong&gt;: receives mail from clients and verifies the addresses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MTA (Mail Transfer Agent)&lt;/strong&gt;: processes and transfers mail between servers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;MDA (Mail Delivery Agent)&lt;/strong&gt;: delivers the message into the recipient&amp;rsquo;s mailbox.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;SMTP itself comes in a few flavors depending on the role a server plays: &lt;strong&gt;originating&lt;/strong&gt; (introducing mail to the internet), &lt;strong&gt;delivery&lt;/strong&gt; (receiving mail for a local mailbox), &lt;strong&gt;relay&lt;/strong&gt; (passing mail along unchanged), and &lt;strong&gt;gateway&lt;/strong&gt; (passing mail and possibly transforming it).&lt;/p&gt;
&lt;h2 id=&#34;the-extensions-worth-knowing&#34;&gt;The extensions worth knowing&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;ESMTP (Extended SMTP)&lt;/strong&gt; adds features to the original protocol. It opens a session with &lt;code&gt;EHLO&lt;/code&gt; instead of &lt;code&gt;HELO&lt;/code&gt; and supports extra parameters.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SMTPS&lt;/strong&gt; secures the connection with TLS or SSL, encrypting the message during transmission.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SMTP-AUTH&lt;/strong&gt; requires a client to log in with a username and password before sending, which stops strangers from using your server as an open relay.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;smtp-is-a-conversation&#34;&gt;SMTP is a conversation&lt;/h2&gt;
&lt;p&gt;Under the hood, SMTP is a back-and-forth of commands and numeric responses, almost like dialogue:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: HELO example.com
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Server: 250 Hello example.com, pleased to meet you
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: MAIL FROM: &amp;lt;sender@example.com&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Server: 250 OK
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: RCPT TO: &amp;lt;recipient@example.org&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Server: 250 OK
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: DATA
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Server: 354 Start mail input; end with &amp;lt;CRLF&amp;gt;.&amp;lt;CRLF&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: [Email content...]
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: .
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Server: 250 OK
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Client: QUIT
&lt;/span&gt;&lt;/span&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;Server: 221 Bye
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Each step has a clear role: &lt;code&gt;HELO&lt;/code&gt;/&lt;code&gt;EHLO&lt;/code&gt; introduces the sending server, &lt;code&gt;MAIL FROM&lt;/code&gt; names the sender, &lt;code&gt;RCPT TO&lt;/code&gt; names the recipient, &lt;code&gt;DATA&lt;/code&gt; carries the message body, and &lt;code&gt;QUIT&lt;/code&gt; ends the session. This rigid structure is what makes delivery reliable across wildly different systems.&lt;/p&gt;
&lt;p&gt;The important thing to notice for later chapters: nothing in this conversation proves the sender is who they claim to be. &lt;code&gt;MAIL FROM&lt;/code&gt; is whatever the client types. That gap is what authentication, the next chapter, exists to close.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Authentication with Alice and Bob</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/02-authentication/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0100</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/courses/email-delivery/02-authentication/</guid>
      <description>&lt;h2 id=&#34;the-spoofing-problem&#34;&gt;The spoofing problem&lt;/h2&gt;
&lt;p&gt;When Alice mails a paper letter to Bob, trust is built into the envelope: a return address, recognizable handwriting, and a postal service that knows which mailbox the letter came from. Email keeps none of these. As the previous chapter showed, the &lt;code&gt;MAIL FROM&lt;/code&gt; and the visible &amp;ldquo;From&amp;rdquo; line are just text the sender fills in. Anyone can write &lt;code&gt;From: alice@example.com&lt;/code&gt; without being Alice. This is &lt;strong&gt;email spoofing&lt;/strong&gt;, and it is the foundation of most phishing.&lt;/p&gt;
&lt;p&gt;Authentication rebuilds the missing trust signals in a form machines can verify. Three protocols each recreate one physical signal:&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;Physical world&lt;/th&gt;
          &lt;th&gt;Email equivalent&lt;/th&gt;
          &lt;th&gt;What it answers&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;Approved mailboxes&lt;/td&gt;
          &lt;td&gt;&lt;strong&gt;SPF&lt;/strong&gt;&lt;/td&gt;
          &lt;td&gt;Did this come from a server Alice authorized?&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;A unique wax seal&lt;/td&gt;
          &lt;td&gt;&lt;strong&gt;DKIM&lt;/strong&gt;&lt;/td&gt;
          &lt;td&gt;Was the message tampered with in transit?&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Handling instructions&lt;/td&gt;
          &lt;td&gt;&lt;strong&gt;DMARC&lt;/strong&gt;&lt;/td&gt;
          &lt;td&gt;What should Bob do if a check fails?&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;h2 id=&#34;spf-which-mailboxes-may-send-for-me&#34;&gt;SPF: which mailboxes may send for me&lt;/h2&gt;
&lt;p&gt;SPF (Sender Policy Framework) is Alice telling the post office to only accept letters that come from specific mailboxes. The domain owner publishes a list of authorized mail servers in DNS, and the receiver checks the connecting server against it.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;example.com.  3600  IN  TXT  &amp;#34;v=spf1 include:_spf.google.com ~all&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;v=spf1&lt;/code&gt; declares an SPF record.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;include:_spf.google.com&lt;/code&gt; authorizes Google Workspace&amp;rsquo;s servers. Add more &lt;code&gt;include&lt;/code&gt; mechanisms for more providers.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;~all&lt;/code&gt; is a soft fail for everything else. The stricter &lt;code&gt;-all&lt;/code&gt; rejects outright.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;SPF is easy to set up and stops mail sent through unauthorized servers. Its weaknesses: it checks only the connecting server, never the content, and it breaks on forwarding, because a forwarded message arrives from the forwarder&amp;rsquo;s server rather than an authorized one.&lt;/p&gt;
&lt;h2 id=&#34;dkim-a-seal-only-alice-can-make&#34;&gt;DKIM: a seal only Alice can make&lt;/h2&gt;
&lt;p&gt;DKIM (DomainKeys Identified Mail) is a wax seal only Alice can produce. Her server signs each message with a &lt;strong&gt;private key&lt;/strong&gt; and publishes the matching &lt;strong&gt;public key&lt;/strong&gt; in DNS. The receiver verifies the signature.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;selector1._domainkey.example.com.  IN  TXT  &amp;#34;v=DKIM1; k=rsa; p=MIGfMA0GCSq...IDAQAB&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;If the signature verifies, two things are proven: the message came from a holder of the private key, and the signed content was not altered. Because the signature travels inside the message, DKIM survives forwarding where SPF does not. What it does not do alone is decide what happens when a message is unsigned or fails. That needs a policy.&lt;/p&gt;
&lt;h2 id=&#34;dmarc-instructions-and-reporting&#34;&gt;DMARC: instructions and reporting&lt;/h2&gt;
&lt;p&gt;DMARC (Domain-based Message Authentication, Reporting and Conformance) is the note Alice hands Bob in advance. It tells receivers what to do when SPF or DKIM fails, and it sends reports back to the domain owner.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;_dmarc.example.com.  IN  TXT  &amp;#34;v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;p=&lt;/code&gt; is the policy on failure: &lt;code&gt;none&lt;/code&gt; (monitor), &lt;code&gt;quarantine&lt;/code&gt; (send to spam), or &lt;code&gt;reject&lt;/code&gt; (refuse).&lt;/li&gt;
&lt;li&gt;&lt;code&gt;rua=&lt;/code&gt; is where aggregate reports go.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;DMARC&amp;rsquo;s quietly crucial job is &lt;strong&gt;alignment&lt;/strong&gt;: the domain that passes SPF or DKIM must match the domain shown in the visible &amp;ldquo;From&amp;rdquo; address. This closes the hole SPF alone leaves open, where an attacker passes SPF for their own infrastructure while still displaying your domain to the reader.&lt;/p&gt;
&lt;p&gt;A safe rollout is to start at &lt;code&gt;p=none&lt;/code&gt;, watch the reports until you are sure your real mail aligns and passes, then tighten to &lt;code&gt;quarantine&lt;/code&gt; and finally &lt;code&gt;reject&lt;/code&gt;.&lt;/p&gt;
&lt;h2 id=&#34;why-all-three&#34;&gt;Why all three&lt;/h2&gt;
&lt;p&gt;Each protocol covers a gap the others leave:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SPF&lt;/strong&gt; confirms an authorized server but ignores content and breaks on forwarding.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DKIM&lt;/strong&gt; confirms integrity and survives forwarding but does not dictate failure handling.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DMARC&lt;/strong&gt; ties the first two to the visible sender, decides the outcome, and reports back.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Deploy only SPF and an attacker can still forge a convincing message showing your domain in the &amp;ldquo;From&amp;rdquo; line. Used together, the three form a layered system far stronger than any one alone. As the next chapter shows, having them configured is also one of the inputs to your domain&amp;rsquo;s reputation.&lt;/p&gt;
</description>
    </item>
    
    <item>
      <title>Reputation</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/03-reputation/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0100</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/courses/email-delivery/03-reputation/</guid>
      <description>&lt;h2 id=&#34;the-credit-score-of-email&#34;&gt;The credit score of email&lt;/h2&gt;
&lt;p&gt;Authentication proves &lt;em&gt;who&lt;/em&gt; sent a message. It says nothing about whether that sender is &lt;em&gt;trustworthy&lt;/em&gt;. That second question is reputation, and it is what decides whether a mailbox provider hands your mail to its users.&lt;/p&gt;
&lt;p&gt;Think of email reputation like a credit score. Banks use a credit score to decide whether to lend to you; providers like Gmail, Outlook, and Yahoo use a reputation score to decide whether to trust you with inbox space. Like a credit score, it is built slowly, damaged quickly, and follows you around.&lt;/p&gt;
&lt;p&gt;There are two reputations, tracked separately.&lt;/p&gt;
&lt;h2 id=&#34;ip-reputation&#34;&gt;IP reputation&lt;/h2&gt;
&lt;p&gt;The trustworthiness of the specific IP address your mail leaves from. Key factors:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sending volume and consistency.&lt;/strong&gt; Steady flow looks legitimate; sudden spikes look like a compromised account.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Complaint rate.&lt;/strong&gt; How often recipients hit &amp;ldquo;mark as spam.&amp;rdquo; The tolerance is very low.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bounce rate.&lt;/strong&gt; Both hard bounces (address does not exist) and soft bounces (temporary failures).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Spam trap hits.&lt;/strong&gt; Mail sent to addresses that exist only to catch senders with dirty lists.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Recipient engagement.&lt;/strong&gt; Opens, replies, and retention.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Historical sending patterns.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;domain-reputation&#34;&gt;Domain reputation&lt;/h2&gt;
&lt;p&gt;The trustworthiness of your sending domain regardless of which IP it goes out on. As providers move toward domain-based filtering, this matters more every year. Its factors overlap with IP reputation and add:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Whether &lt;strong&gt;authentication&lt;/strong&gt; (SPF, DKIM, DMARC) is configured at all.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Content quality&lt;/strong&gt; and relevance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Engagement&lt;/strong&gt; metrics.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Domain age&lt;/strong&gt; and sending history.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Blacklist appearances.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This is the direct link back to the authentication chapter: setting up SPF, DKIM, and DMARC is not only about stopping spoofing, it is also an input to whether providers trust your domain.&lt;/p&gt;
&lt;h2 id=&#34;shared-versus-dedicated-ip&#34;&gt;Shared versus dedicated IP&lt;/h2&gt;
&lt;p&gt;One early decision shapes your IP reputation: send from an IP shared with others, or one that is yours alone?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Shared IP&lt;/strong&gt; pools many senders on one address. It suits low volume (roughly under 100,000 emails a month), inconsistent sending, and tight budgets. The catch is that your reputation is partly hostage to your neighbors on that IP.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Dedicated IP&lt;/strong&gt; is used only by your organization. It suits high volume (over 100,000 a month), corporate needs requiring whitelisting, and well-maintained lists. The trade-off is that a brand new dedicated IP has &lt;em&gt;no&lt;/em&gt; reputation and must be &lt;strong&gt;warmed up&lt;/strong&gt;: volume raised gradually so providers learn to trust it, rather than dumped all at once.&lt;/p&gt;
&lt;h2 id=&#34;monitoring-and-improving&#34;&gt;Monitoring and improving&lt;/h2&gt;
&lt;p&gt;You cannot manage what you cannot see. Useful tools:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Google Postmaster Tools&lt;/strong&gt;: spam rates, authentication, and delivery errors for Gmail.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Talos Intelligence&lt;/strong&gt;: IP and domain reputation data.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sender Score&lt;/strong&gt;: rates an IP from 0 to 100.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Blacklist monitoring services&lt;/strong&gt;: alert you if you land on a blocklist.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The improvement playbook is unglamorous and effective:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Implement proper authentication (SPF, DKIM, DMARC).&lt;/li&gt;
&lt;li&gt;Use double opt-in so recipients actually want your mail.&lt;/li&gt;
&lt;li&gt;Maintain consistent sending volumes.&lt;/li&gt;
&lt;li&gt;Clean your lists regularly and reduce bounces.&lt;/li&gt;
&lt;li&gt;Work with a reputable email service provider.&lt;/li&gt;
&lt;li&gt;Create relevant, engaging content.&lt;/li&gt;
&lt;li&gt;Warm up new IP addresses properly.&lt;/li&gt;
&lt;/ol&gt;
</description>
    </item>
    
    <item>
      <title>Deliverability</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/04-deliverability/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0100</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/courses/email-delivery/04-deliverability/</guid>
      <description>&lt;h2 id=&#34;the-sum-of-everything&#34;&gt;The sum of everything&lt;/h2&gt;
&lt;p&gt;Deliverability is the bottom line: consistently landing in the inbox rather than the spam folder or a rejection. It is not a single setting. It is the culmination of every factor in this course working together:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Technical&lt;/strong&gt;: authentication, infrastructure, and correct configuration.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reputation&lt;/strong&gt;: sender history, IP and domain reputation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Content&lt;/strong&gt;: message quality, relevance, and engagement.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;List hygiene&lt;/strong&gt;: clean recipient lists and proper bounce handling.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Providers constantly improve their spam filters, which is a challenge even for legitimate senders. A few mechanics deserve their own attention.&lt;/p&gt;
&lt;h2 id=&#34;bounces&#34;&gt;Bounces&lt;/h2&gt;
&lt;p&gt;A &lt;strong&gt;hard bounce&lt;/strong&gt; is a permanent failure: an invalid address or a domain that does not exist. Remove these from your list immediately. Continuing to send to them signals a sender who never cleans house.&lt;/p&gt;
&lt;p&gt;A &lt;strong&gt;soft bounce&lt;/strong&gt; is temporary: a full mailbox or a server briefly down. Retry, but drop the address after several consecutive failures.&lt;/p&gt;
&lt;p&gt;Keep &lt;strong&gt;hard bounce rates below 2 percent&lt;/strong&gt; and &lt;strong&gt;total bounce rates below 5 percent&lt;/strong&gt; to maintain good deliverability.&lt;/p&gt;
&lt;h2 id=&#34;feedback-loops&#34;&gt;Feedback loops&lt;/h2&gt;
&lt;p&gt;Most large providers (Gmail, Yahoo, Microsoft, AOL, and others) offer &lt;strong&gt;feedback loops (FBLs)&lt;/strong&gt;. When a recipient marks your message as spam, the provider notifies you so you can remove that person from your list. Register for them.&lt;/p&gt;
&lt;p&gt;Keep your &lt;strong&gt;complaint rate below 0.1 percent&lt;/strong&gt;, which is one complaint per thousand emails. It sounds tiny because it is; complaints are expensive.&lt;/p&gt;
&lt;h2 id=&#34;throttling-and-rate-limiting&#34;&gt;Throttling and rate limiting&lt;/h2&gt;
&lt;p&gt;Sending too much too fast trips rate limits at receiving servers, causing temporary blocks or deferrals. Throttling, deliberately pacing your sends, matters because it:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Avoids overwhelming receiving servers.&lt;/li&gt;
&lt;li&gt;Reduces the risk of being flagged as a spammer.&lt;/li&gt;
&lt;li&gt;Produces cleaner delivery data to monitor.&lt;/li&gt;
&lt;li&gt;Keeps sending patterns consistent.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In practice: implement rate limiting in your infrastructure, adjust to each domain&amp;rsquo;s limits, retry temporary failures sensibly, and raise volume gradually when warming up an IP.&lt;/p&gt;
&lt;h2 id=&#34;best-practice-checklist&#34;&gt;Best-practice checklist&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;Technical setup&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Implement SPF, DKIM, and DMARC.&lt;/li&gt;
&lt;li&gt;Set up reverse DNS (PTR) records.&lt;/li&gt;
&lt;li&gt;Use consistent sending infrastructure.&lt;/li&gt;
&lt;li&gt;Monitor blacklists and address listings promptly.&lt;/li&gt;
&lt;li&gt;Use TLS for transmission.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;List management&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use double opt-in for new subscribers.&lt;/li&gt;
&lt;li&gt;Clean lists regularly and remove inactive subscribers after re-engagement attempts.&lt;/li&gt;
&lt;li&gt;Process unsubscribes immediately.&lt;/li&gt;
&lt;li&gt;Segment lists for better targeting.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Sending practices&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Maintain consistent volumes and frequencies.&lt;/li&gt;
&lt;li&gt;Warm up new IPs properly.&lt;/li&gt;
&lt;li&gt;Test before sending to large audiences.&lt;/li&gt;
&lt;li&gt;Use a recognizable sender name and reply-to address.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Content&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Create relevant, valuable content.&lt;/li&gt;
&lt;li&gt;Avoid spam trigger words and excessive punctuation.&lt;/li&gt;
&lt;li&gt;Keep a good text-to-image ratio and mobile-friendly design.&lt;/li&gt;
&lt;li&gt;Include a clear unsubscribe option.&lt;/li&gt;
&lt;/ul&gt;
</description>
    </item>
    
    <item>
      <title>Security and Encryption</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/05-security/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0100</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/courses/email-delivery/05-security/</guid>
      <description>&lt;h2 id=&#34;authentication-is-not-privacy&#34;&gt;Authentication is not privacy&lt;/h2&gt;
&lt;p&gt;Everything so far has been about &lt;em&gt;trust and delivery&lt;/em&gt;. None of it makes a message &lt;em&gt;secret&lt;/em&gt;. An email can pass SPF, DKIM, and DMARC and still be read by anyone who intercepts it. Left unprotected, email faces real threats:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Tampering&lt;/strong&gt; by anyone with administrator access to a mail server.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Repudiation&lt;/strong&gt;: a sender denying they sent a message, since mail is easy to fake.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Eavesdropping&lt;/strong&gt; on unsecured connections.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Privacy invasion&lt;/strong&gt;: transmission can reveal details like IP addresses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Unprotected backups&lt;/strong&gt;: plaintext copies sitting on servers and in backups.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Identity theft&lt;/strong&gt;: credentials captured if servers are accessed insecurely.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Three layers of protection address these, increasing in both strength and effort.&lt;/p&gt;
&lt;h2 id=&#34;tls-the-encrypted-tunnel&#34;&gt;TLS: the encrypted tunnel&lt;/h2&gt;
&lt;p&gt;Transport Layer Security wraps the connection between mail servers in an encrypted tunnel, protecting the message &lt;strong&gt;in transit&lt;/strong&gt;. It is the baseline: simple to set up, the recipient needs no special configuration, and it is widely supported. Its limit is that it protects the pipe, not the stored message; once delivered, the mail sits in plaintext on the server.&lt;/p&gt;
&lt;h2 id=&#34;smime-and-pgp-end-to-end-encryption&#34;&gt;S/MIME and PGP: end-to-end encryption&lt;/h2&gt;
&lt;p&gt;When the content itself must be protected end to end, you need message-level encryption.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;S/MIME&lt;/strong&gt; (Secure/Multipurpose Internet Mail Extensions) uses certificates issued by a certificate authority. It is built into many mail clients, provides both encryption and digital signatures, and is popular in corporate environments. Both sender and recipient need certificates set up.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PGP&lt;/strong&gt; (Pretty Good Privacy) uses public and private key pairs without a central authority. It offers very strong security, has a long track record, and has good open-source options. It also requires both parties to manage keys, which keeps it niche outside technical circles.&lt;/p&gt;
&lt;h2 id=&#34;how-the-encryption-works&#34;&gt;How the encryption works&lt;/h2&gt;
&lt;p&gt;Email encryption transforms readable text into ciphertext that only the right key can decode. Two types are used:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Symmetric encryption&lt;/strong&gt; uses the same key to encrypt and decrypt. It is fast but requires a secure way to share the key.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Asymmetric encryption&lt;/strong&gt; uses a &lt;strong&gt;public key&lt;/strong&gt; to encrypt and a &lt;strong&gt;private key&lt;/strong&gt; to decrypt, removing the need to share a secret.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Most systems combine them: asymmetric encryption to exchange a symmetric key securely, then fast symmetric encryption for the message body.&lt;/p&gt;
&lt;h2 id=&#34;comparing-the-methods&#34;&gt;Comparing the methods&lt;/h2&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;Feature&lt;/th&gt;
          &lt;th&gt;TLS&lt;/th&gt;
          &lt;th&gt;S/MIME&lt;/th&gt;
          &lt;th&gt;PGP&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;Ease of use&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;Medium&lt;/td&gt;
          &lt;td&gt;Low&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Security level&lt;/td&gt;
          &lt;td&gt;Medium&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Recipient setup&lt;/td&gt;
          &lt;td&gt;Not required&lt;/td&gt;
          &lt;td&gt;Required&lt;/td&gt;
          &lt;td&gt;Required&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Corporate adoption&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;Low&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Protects stored message&lt;/td&gt;
          &lt;td&gt;No&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;h2 id=&#34;best-practices&#34;&gt;Best practices&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Use TLS for all transmissions as a baseline.&lt;/li&gt;
&lt;li&gt;Add S/MIME or PGP for sensitive communications needing end-to-end encryption.&lt;/li&gt;
&lt;li&gt;Verify digital signatures to confirm authenticity.&lt;/li&gt;
&lt;li&gt;Keep private keys secure and never share them.&lt;/li&gt;
&lt;li&gt;Use strong passwords and enable two-factor authentication.&lt;/li&gt;
&lt;li&gt;Keep clients and security software up to date.&lt;/li&gt;
&lt;li&gt;Train users on why encryption matters.&lt;/li&gt;
&lt;/ul&gt;
</description>
    </item>
    
    <item>
      <title>Implementation</title>
      <link>https://antoine.weill-duflos.fr/en/courses/email-delivery/06-implementation/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0100</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/courses/email-delivery/06-implementation/</guid>
      <description>&lt;h2 id=&#34;from-theory-to-dns-records&#34;&gt;From theory to DNS records&lt;/h2&gt;
&lt;p&gt;This chapter turns the previous ones into a practical setup. The goal is the same for any domain owner: configure SPF, DKIM, and DMARC correctly, protect your primary domain&amp;rsquo;s reputation, and verify everything works before tightening the rules.&lt;/p&gt;
&lt;h2 id=&#34;a-multi-domain-strategy&#34;&gt;A multi-domain strategy&lt;/h2&gt;
&lt;p&gt;Organizations often run several domains and more than one email provider, for example a business-mail provider like Google Workspace alongside a bulk-sending service like Mailjet or SendGrid. A sensible split:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Primary domain&lt;/strong&gt; (for example &lt;code&gt;example.co&lt;/code&gt;): business communications and transactional mail through your main provider.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Dedicated sending domain&lt;/strong&gt; (for example &lt;code&gt;example.com&lt;/code&gt; or a subdomain): mass sending (notifications, marketing) through the bulk service.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Spare domains&lt;/strong&gt;: keep as a backup or redirect to the main domain.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Separating mass sending from your primary domain protects the primary domain&amp;rsquo;s reputation if a bulk campaign runs into trouble. Each domain needs its own properly configured SPF, DKIM, and DMARC records, even when they point at the same services.&lt;/p&gt;
&lt;h2 id=&#34;spf-in-practice&#34;&gt;SPF in practice&lt;/h2&gt;
&lt;p&gt;To authorize two providers on one domain, combine their includes:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;example.com  TXT  &amp;#34;v=spf1 include:_spf.google.com include:spf.mailjet.com -all&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;include:_spf.google.com&lt;/code&gt; authorizes Google Workspace.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;include:spf.mailjet.com&lt;/code&gt; authorizes Mailjet.&lt;/li&gt;
&lt;li&gt;&lt;code&gt;-all&lt;/code&gt; is a strict policy that rejects unauthorized senders.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If a domain only sends through the bulk service, simplify it to &lt;code&gt;v=spf1 include:spf.mailjet.com -all&lt;/code&gt;. Verify each record with &lt;code&gt;dig TXT example.com&lt;/code&gt; or an online SPF validator.&lt;/p&gt;
&lt;h2 id=&#34;dkim-in-practice&#34;&gt;DKIM in practice&lt;/h2&gt;
&lt;p&gt;DKIM keys are generated per provider, each with its own selector so the public keys do not collide:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;selector._domainkey.example.com  TXT  &amp;#34;v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;Typical flow with common providers:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Google Workspace&lt;/strong&gt;: in the Admin console, go to Apps &amp;gt; Google Workspace &amp;gt; Gmail &amp;gt; Authenticate email, generate the record, add it to DNS, then start authentication.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Mailjet&lt;/strong&gt;: in Account Settings &amp;gt; SPF &amp;amp; DKIM, select the domain, copy the record (often using a &lt;code&gt;mailjet&lt;/code&gt; selector, so the record name is &lt;code&gt;mailjet._domainkey.yourdomain.com&lt;/code&gt;), add it to DNS, and verify.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;dmarc-in-practice&#34;&gt;DMARC in practice&lt;/h2&gt;
&lt;p&gt;Start in monitoring mode so you can see what is happening without affecting delivery:&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;_dmarc.example.com  TXT  &amp;#34;v=DMARC1; p=none; rua=mailto:dmarc-reports@example.co; pct=100;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This monitors authentication, sends aggregate reports to your address, and applies to all traffic. For a multi-domain setup:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Put identical monitoring records on all domains first.&lt;/li&gt;
&lt;li&gt;Analyze reports for two to four weeks to identify every legitimate sender.&lt;/li&gt;
&lt;li&gt;Tighten the main business domain toward &lt;code&gt;quarantine&lt;/code&gt; then &lt;code&gt;reject&lt;/code&gt; gradually.&lt;/li&gt;
&lt;li&gt;Move bulk-sending domains to stricter policies faster if all their sending is controlled through one service.&lt;/li&gt;
&lt;li&gt;Consider a DMARC report analysis tool to make the reports readable.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;After editing DNS, allow time for propagation (up to 48 hours) before expecting changes to take effect.&lt;/p&gt;
&lt;h2 id=&#34;application-and-crm-senders&#34;&gt;Application and CRM senders&lt;/h2&gt;
&lt;p&gt;Systems that send mail on your behalf (an ERP like Odoo, a CRM, ticketing tools) need the same care:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Route them through an authenticated provider.&lt;/li&gt;
&lt;li&gt;Set the &amp;ldquo;From&amp;rdquo; address to match an authenticated domain, and configure Reply-To correctly.&lt;/li&gt;
&lt;li&gt;Consider a subdomain or separate domain for automated system mail.&lt;/li&gt;
&lt;li&gt;Test deliverability of generated mail and watch bounce and complaint rates.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;troubleshooting-common-issues&#34;&gt;Troubleshooting common issues&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;SPF &amp;ldquo;too many DNS lookups.&amp;rdquo;&lt;/strong&gt; SPF allows at most 10 DNS lookups. Stacking many includes can exceed it. Flatten the record by replacing nested includes with their IP addresses.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DKIM verification failures.&lt;/strong&gt; Check that the correct selector is used and that the DNS record has no stray line breaks or spaces.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;DMARC alignment issues.&lt;/strong&gt; Ensure the &amp;ldquo;From&amp;rdquo; domain matches the domain used for DKIM signing or SPF authentication, which is especially important when sending through third parties.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Third-party senders that cannot authenticate against your root domain.&lt;/strong&gt; Use subdomain delegation or a dedicated sending domain.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id=&#34;the-rollout-checklist&#34;&gt;The rollout checklist&lt;/h2&gt;
&lt;p&gt;For each domain you send from:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Publish an &lt;strong&gt;SPF&lt;/strong&gt; record listing every legitimate sending source.&lt;/li&gt;
&lt;li&gt;Enable &lt;strong&gt;DKIM&lt;/strong&gt; signing on each source and publish the matching keys.&lt;/li&gt;
&lt;li&gt;Publish a &lt;strong&gt;DMARC&lt;/strong&gt; record at &lt;code&gt;p=none&lt;/code&gt; with a reporting address.&lt;/li&gt;
&lt;li&gt;Read the reports and confirm your real mail aligns and passes.&lt;/li&gt;
&lt;li&gt;Tighten DMARC to &lt;code&gt;quarantine&lt;/code&gt;, then &lt;code&gt;reject&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Layer in TLS everywhere, and S/MIME or PGP where secrecy is required.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Treat this as ongoing maintenance, not a one-time task. Sending sources change, providers come and go, and the DMARC reports are what keep you honest.&lt;/p&gt;
</description>
    </item>
    
  </channel>
</rss>
