<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Reputation | Antoine Weill--Duflos</title>
    <link>https://antoine.weill-duflos.fr/en/tag/reputation/</link>
      <atom:link href="https://antoine.weill-duflos.fr/en/tag/reputation/index.xml" rel="self" type="application/rss+xml" />
    <description>Reputation</description>
    <generator>Hugo Blox Builder (https://hugoblox.com)</generator><language>en-us</language><lastBuildDate>Mon, 29 Jun 2026 00:00:00 +0000</lastBuildDate>
    <image>
      <url>https://antoine.weill-duflos.fr/media/icon_hu_d686267daab28486.png</url>
      <title>Reputation</title>
      <link>https://antoine.weill-duflos.fr/en/tag/reputation/</link>
    </image>
    
    <item>
      <title>Email Delivery, Volume 2: Reputation, Deliverability, and Encryption</title>
      <link>https://antoine.weill-duflos.fr/en/post/email-delivery-vol2/</link>
      <pubDate>Mon, 29 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://antoine.weill-duflos.fr/en/post/email-delivery-vol2/</guid>
      <description>&lt;p&gt;A while back I wrote &lt;a href=&#34;https://antoine.weill-duflos.fr/en/post/emails/&#34;&gt;a guide to email delivery&lt;/a&gt;: SMTP, the DNS plumbing, the different kinds of email, and a first look at authentication. That post answered &amp;ldquo;how does a message physically get from me to you, and how do I prove it is really me.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;This is Volume 2, and it picks up where that left off. Proving who you are (authentication) is necessary but not sufficient. A perfectly authenticated email can still land in spam, still bounce, still be read by the wrong people in transit. So this post covers the parts that decide what happens after authentication passes: &lt;strong&gt;reputation&lt;/strong&gt;, &lt;strong&gt;deliverability&lt;/strong&gt;, and &lt;strong&gt;encryption&lt;/strong&gt;. I will start with a tighter retelling of authentication, because it is the foundation everything else rests on, and then move into the new ground.&lt;/p&gt;
&lt;h2 id=&#34;part-1-authentication-retold-with-alice-and-bob&#34;&gt;Part 1: Authentication, retold with Alice and Bob&lt;/h2&gt;
&lt;p&gt;When Alice mails a paper letter to Bob, trust is baked into the envelope: a return address, recognizable handwriting, a postal service that knows which mailbox it came from. Email keeps none of that. The &amp;ldquo;From&amp;rdquo; line is just text, and anyone can type &lt;code&gt;From: alice@example.com&lt;/code&gt; without being Alice. That is spoofing, and three protocols exist to rebuild the missing trust signals.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;SPF (Sender Policy Framework)&lt;/strong&gt; is Alice telling the post office which mailboxes are allowed to send on her behalf. She publishes a list of authorized mail servers in DNS, and Bob&amp;rsquo;s server checks that the message arrived from one of them.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;example.com.  3600  IN  TXT  &amp;#34;v=spf1 include:_spf.google.com ~all&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;&lt;strong&gt;DKIM (DomainKeys Identified Mail)&lt;/strong&gt; is a wax seal only Alice can make. Her server signs each message with a private key, publishes the matching public key in DNS, and Bob&amp;rsquo;s server verifies the signature. If it holds, the message was not tampered with, and unlike SPF the proof survives forwarding.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DMARC&lt;/strong&gt; is the note Alice hands Bob in advance: what to do if the mailbox check or the seal fails (deliver, quarantine, or reject), and please send reports. Its quietly crucial job is &lt;strong&gt;alignment&lt;/strong&gt;, requiring that the domain passing SPF or DKIM matches the domain shown in the &amp;ldquo;From&amp;rdquo; line. That is what closes the gap SPF alone leaves open.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; class=&#34;chroma&#34;&gt;&lt;code class=&#34;language-fallback&#34; data-lang=&#34;fallback&#34;&gt;&lt;span class=&#34;line&#34;&gt;&lt;span class=&#34;cl&#34;&gt;_dmarc.example.com.  IN  TXT  &amp;#34;v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;You need all three because each covers the others&amp;rsquo; blind spots. If you want the long version, I turned the whole topic into a structured &lt;a href=&#34;https://antoine.weill-duflos.fr/courses/email-delivery/&#34;&gt;course on email delivery&lt;/a&gt;, with a full chapter on the Alice and Bob authentication walkthrough. The rest of this post assumes authentication is handled and asks: now what?&lt;/p&gt;
&lt;h2 id=&#34;part-2-reputation-the-credit-score-of-email&#34;&gt;Part 2: Reputation, the credit score of email&lt;/h2&gt;
&lt;p&gt;Here is the uncomfortable truth that authentication does not solve on its own. You can pass SPF, DKIM, and DMARC perfectly and still have your mail filed under spam. Authentication proves &lt;em&gt;who&lt;/em&gt; sent the message. It says nothing about whether that sender is &lt;em&gt;trustworthy&lt;/em&gt;. That second question is reputation.&lt;/p&gt;
&lt;p&gt;Think of email reputation as a credit score. Banks use a credit score to decide whether to lend to you. Mailbox providers like Gmail, Outlook, and Yahoo use a reputation score to decide whether to trust you with their users&amp;rsquo; inboxes. And just like a credit score, it is built slowly, damaged quickly, and follows you around.&lt;/p&gt;
&lt;p&gt;There are two reputations in play, and they are tracked separately.&lt;/p&gt;
&lt;h3 id=&#34;ip-reputation&#34;&gt;IP reputation&lt;/h3&gt;
&lt;p&gt;This is the trustworthiness of the specific IP address your mail leaves from. The main factors:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Sending volume and consistency.&lt;/strong&gt; A steady, predictable flow looks human. A sudden spike looks like a compromised account or a spam run.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Complaint rate.&lt;/strong&gt; How often recipients hit &amp;ldquo;mark as spam.&amp;rdquo; This one is brutal; the threshold for trouble is low.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Bounce rate.&lt;/strong&gt; Both hard bounces (the address does not exist) and soft bounces (temporary failures).&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Spam trap hits.&lt;/strong&gt; Sending to addresses that exist only to catch senders with dirty lists.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Recipient engagement.&lt;/strong&gt; Whether people open, reply, and keep your mail.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id=&#34;domain-reputation&#34;&gt;Domain reputation&lt;/h3&gt;
&lt;p&gt;This is the trustworthiness of your sending domain regardless of which IP it goes out on. As providers increasingly filter by domain, this matters more every year. Its factors overlap with IP reputation but add:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Whether you have &lt;strong&gt;authentication&lt;/strong&gt; (SPF, DKIM, DMARC) configured at all.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Content quality&lt;/strong&gt; and relevance.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Domain age&lt;/strong&gt; and sending history.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Blacklist appearances.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Notice that authentication is a &lt;em&gt;factor&lt;/em&gt; in domain reputation. This is the link back to Part 1: setting up SPF, DKIM, and DMARC does not just stop spoofing, it is also one of the inputs to whether providers trust your domain in the first place.&lt;/p&gt;
&lt;h3 id=&#34;shared-versus-dedicated-ip&#34;&gt;Shared versus dedicated IP&lt;/h3&gt;
&lt;p&gt;One practical decision shapes your IP reputation from day one: do you send from an IP shared with other senders, or one that is yours alone?&lt;/p&gt;
&lt;p&gt;A &lt;strong&gt;shared IP&lt;/strong&gt; pools many senders onto one address. It suits low volume (roughly under 100,000 emails a month), inconsistent sending, and tight budgets. The catch is that your reputation is partly hostage to the other senders on that IP. A neighbor sending garbage can drag you down.&lt;/p&gt;
&lt;p&gt;A &lt;strong&gt;dedicated IP&lt;/strong&gt; is used only by your organization. It suits high volume, corporate needs that require whitelisting, and well-maintained lists. The trade-off is that you own the reputation entirely, which means a new dedicated IP starts with &lt;em&gt;no&lt;/em&gt; reputation and must be &lt;strong&gt;warmed up&lt;/strong&gt;: volume increased gradually over days or weeks so providers learn to trust it, rather than dumped all at once.&lt;/p&gt;
&lt;h3 id=&#34;monitoring-it&#34;&gt;Monitoring it&lt;/h3&gt;
&lt;p&gt;You cannot manage what you cannot see. A few tools make reputation visible:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Google Postmaster Tools&lt;/strong&gt; reports spam rates, authentication results, and delivery errors for mail sent to Gmail.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Talos Intelligence&lt;/strong&gt; gives IP and domain reputation data.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Sender Score&lt;/strong&gt; rates an IP from 0 to 100.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Blacklist monitoring services&lt;/strong&gt; tell you if you have landed on a blocklist.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The improvement playbook is unglamorous and effective: authenticate properly, use double opt-in so people actually want your mail, keep sending volumes consistent, clean your lists regularly, watch your bounce rate, and write content people engage with.&lt;/p&gt;
&lt;h2 id=&#34;part-3-deliverability-the-sum-of-everything&#34;&gt;Part 3: Deliverability, the sum of everything&lt;/h2&gt;
&lt;p&gt;Deliverability is the bottom line: the ability to consistently land in the inbox rather than the spam folder or a rejection. It is not a single setting you flip. It is the culmination of the technical setup, the reputation, the content, and the hygiene of your recipient list. A few mechanics deserve their own attention.&lt;/p&gt;
&lt;h3 id=&#34;bounces-and-why-you-must-handle-them&#34;&gt;Bounces, and why you must handle them&lt;/h3&gt;
&lt;p&gt;A &lt;strong&gt;hard bounce&lt;/strong&gt; is a permanent failure: the address is invalid or the domain does not exist. Remove these from your list immediately. Continuing to send to them is a fast way to look like a spammer who never cleans house.&lt;/p&gt;
&lt;p&gt;A &lt;strong&gt;soft bounce&lt;/strong&gt; is temporary: a full mailbox, a server briefly down. Retry, but if it keeps failing across several attempts, drop it too.&lt;/p&gt;
&lt;p&gt;The rough thresholds to stay under: hard bounces below 2 percent, total bounces below 5 percent. Cross those and providers start treating you with suspicion.&lt;/p&gt;
&lt;h3 id=&#34;feedback-loops&#34;&gt;Feedback loops&lt;/h3&gt;
&lt;p&gt;Most large providers (Gmail, Yahoo, Microsoft, AOL, and others) offer &lt;strong&gt;feedback loops&lt;/strong&gt;. When a recipient marks your message as spam, the provider notifies you, so you can remove that person from your list. Register for them. The target to stay under is a complaint rate of 0.1 percent, which is one complaint per thousand emails. It sounds tiny because it is; complaints are expensive.&lt;/p&gt;
&lt;h3 id=&#34;throttling&#34;&gt;Throttling&lt;/h3&gt;
&lt;p&gt;Sending too much too fast trips rate limits at receiving servers, causing temporary blocks or deferrals. Throttling, deliberately pacing your sends, avoids overwhelming the far end, reduces the chance of being flagged, and gives you cleaner delivery data to monitor. It is also exactly how you warm up a new IP: start slow, raise volume gradually, and adjust to each provider&amp;rsquo;s limits.&lt;/p&gt;
&lt;h2 id=&#34;part-4-encryption-because-authentication-is-not-privacy&#34;&gt;Part 4: Encryption, because authentication is not privacy&lt;/h2&gt;
&lt;p&gt;This is the part the first guide did not cover at all, and it is worth being clear about: authentication and reputation are about &lt;em&gt;trust and delivery&lt;/em&gt;, not &lt;em&gt;secrecy&lt;/em&gt;. A message can be perfectly authenticated and still be readable by anyone who intercepts it. Email, left alone, faces real threats: tampering by anyone with access to a mail server, eavesdropping on unsecured connections, and plaintext copies sitting in backups.&lt;/p&gt;
&lt;p&gt;There are three layers of protection, increasing in strength and in effort.&lt;/p&gt;
&lt;h3 id=&#34;tls-the-encrypted-tunnel&#34;&gt;TLS: the encrypted tunnel&lt;/h3&gt;
&lt;p&gt;Transport Layer Security wraps the connection between mail servers in an encrypted tunnel, so the message is protected &lt;em&gt;in transit&lt;/em&gt;. It is the baseline. It is simple to set up, the recipient needs no special configuration, and it is widely supported. Its limit is that it protects the pipe, not the stored message; once the mail lands, it sits in plaintext on the server.&lt;/p&gt;
&lt;h3 id=&#34;smime-and-pgp-end-to-end-encryption&#34;&gt;S/MIME and PGP: end-to-end encryption&lt;/h3&gt;
&lt;p&gt;When the content itself must be protected, end to end, you need message-level encryption.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;S/MIME&lt;/strong&gt; uses certificates issued by a certificate authority. It is built into many mail clients, provides both encryption and digital signatures, and is popular in corporate environments. The cost is that both sender and recipient need certificates set up.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;PGP&lt;/strong&gt; (Pretty Good Privacy) uses public and private key pairs without a central authority. It offers very strong security, has a long track record, and has good open-source options. It also requires both parties to set up keys, which is why it stays niche outside technical circles.&lt;/p&gt;
&lt;p&gt;Both rely on the same underlying idea: a &lt;strong&gt;public key&lt;/strong&gt; anyone can use to encrypt a message to you, and a &lt;strong&gt;private key&lt;/strong&gt; only you hold to decrypt it. In practice, systems combine asymmetric encryption (to exchange a key securely) with faster symmetric encryption (for the actual message body).&lt;/p&gt;
&lt;table&gt;
  &lt;thead&gt;
      &lt;tr&gt;
          &lt;th&gt;Feature&lt;/th&gt;
          &lt;th&gt;TLS&lt;/th&gt;
          &lt;th&gt;S/MIME&lt;/th&gt;
          &lt;th&gt;PGP&lt;/th&gt;
      &lt;/tr&gt;
  &lt;/thead&gt;
  &lt;tbody&gt;
      &lt;tr&gt;
          &lt;td&gt;Ease of use&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;Medium&lt;/td&gt;
          &lt;td&gt;Low&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Security level&lt;/td&gt;
          &lt;td&gt;Medium&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
          &lt;td&gt;High&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Recipient setup&lt;/td&gt;
          &lt;td&gt;Not required&lt;/td&gt;
          &lt;td&gt;Required&lt;/td&gt;
          &lt;td&gt;Required&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
          &lt;td&gt;Protects stored message&lt;/td&gt;
          &lt;td&gt;No&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
          &lt;td&gt;Yes&lt;/td&gt;
      &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The sensible default: use TLS everywhere as a baseline, and add S/MIME or PGP for the communications that genuinely need end-to-end secrecy. Pair that with the unglamorous basics: strong passwords, two-factor authentication, up-to-date clients, and users who know why this matters.&lt;/p&gt;
&lt;h2 id=&#34;the-whole-picture&#34;&gt;The whole picture&lt;/h2&gt;
&lt;p&gt;If Volume 1 was &amp;ldquo;how email works and how to prove it is you,&amp;rdquo; Volume 2 is &amp;ldquo;how to make sure it arrives, and arrives safely.&amp;rdquo; The pieces stack:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Authentication&lt;/strong&gt; (SPF, DKIM, DMARC) proves who you are and feeds your domain reputation.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Reputation&lt;/strong&gt; decides whether providers trust you enough to deliver.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Deliverability&lt;/strong&gt; practices (clean lists, bounce handling, feedback loops, throttling) protect that reputation over time.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Encryption&lt;/strong&gt; (TLS, S/MIME, PGP) keeps the contents private along the way.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;None of these is a one-time setup. Reputation drifts, lists rot, keys expire, and providers keep changing the rules. But understood together, they turn email from something you hope arrives into something you can actually reason about.&lt;/p&gt;
&lt;h2 id=&#34;further-reading&#34;&gt;Further reading&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://datatracker.ietf.org/doc/html/rfc7208&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;SPF (RFC 7208)&lt;/a&gt;, &lt;a href=&#34;https://datatracker.ietf.org/doc/html/rfc6376&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;DKIM (RFC 6376)&lt;/a&gt;, &lt;a href=&#34;https://datatracker.ietf.org/doc/html/rfc7489&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;DMARC (RFC 7489)&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://postmaster.google.com/&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;Google Postmaster Tools&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://senderscore.org/&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;Sender Score&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://dmarc.org/overview/&#34; target=&#34;_blank&#34; rel=&#34;noopener&#34;&gt;DMARC.org overview&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
    </item>
    
  </channel>
</rss>
