Emails and Spam - what you need to know

Why do emails go into 'Spam' instead of an inbox?

One of the big reasons why it is getting harder to avoid emails going to spam is that spam filtering has become more rigorous. Webmail providers are simply cracking down harder on spam. However, the filters aren’t 100% accurate, so sometimes legitimate emails go to spam too.

Most spam filters work by assigning your emails a score according to a list of factors that indicate spammy email practices. Having messages marked as spam hurts your sender reputation, which impacts all of the emails you send from then forward.

What are 'Spam Filters' and how do they work?

A spam filter is a software program that scans emails as they flow by. It’s programmed with a specific set of criteria for what spam looks like, and pulls email that meet enough of those criteria out of the flow. Any decent internet mail server is equipped with a spam filter, and they can also be installed on network servers and individual pcs.

Typically, each identified quality of the email that is spam-like earns that email points. When a certain threshold or point value is reached during the scan, the email is identified as spam and flagged, deleted, or quarantined.

Precisely how these values are calculated are highly proprietary and depend on the individual filter. There are general features in common, however. Each spam filter is going to be scanning the same basic components of an email.

•             Subject Line: looking for common words and phrases associated with spam.

•             Content: looking for suspicious links, low text to image ratios, and other spammy hallmarks.

•             Metadata: looking at the To/From/CC fields, the sender’s domain, and embedded code.

•             IP address: looking for IPs that has been flagged frequently as spam by both filters and recipients in the past.

Every time an email you send is marked as spam by a recipient, more scrutiny is placed on your future emails by filters.

While we don’t really think about it, there’s a whole world of journeying in store for an email after we hit click the send button. It’s easy to lose sight of that because we don’t have an active role in anything that happens to the email after we click send. What we do with the email before we click send can make all the difference in it reaching its destination though.

There are some things you can do to help improve the odds of successful delivery.

What can be done?

Domain Name Masking

TalentLink supports domain masking, which helps prevent TalentLink emails sent between colleagues from being treated as spam or junk mail. Senders who have a configured corporate email address held in TalentLink may be blocked by spam filters when sending emails to colleagues behind a security firewall. The treatment of externally created TalentLink emails means that they are often considered an internal security risk.

As TalentLink often uses a spoofed domain (dependent on configuration) to send emails, some recipients do this DNS check which detects that the domain listed in the email address differs from the domain that the email has been sent from and rejects the email. The email will not make it to the end user.

In these cases, it's possible to add the recipient's/sender's domain into the Talentlink secured domain section. An alternate domain is included which is basically an authentic domain which will pass reverse DNS lookup checks and is used for any recipient who has an email address matching any of the domains within the secured domain section.

This has already been defined in TalentLink and all domain names have been masked to westmidlands.recruitmail.com

ACTION:

If in doubt about which domains have already been added to TalentLink, please raise a service centre ticket listing all domains which you allow to be used by TalentLink. Generally these will be the top domain such as “@wmemployers.org.uk”.

Authentic Emails

Email authentication can be tricky, but it’s easiest to remember that authenticating your email verifies that you are who you say you are and that you’re sending legitimate email. Inbox providers, like Google and Yahoo, trust authenticated email more and are more likely to deliver mail from authenticated email into the inbox. 

Wherever possible use “real” email addresses as the sender email in TalentLink, rather than fictitious emails such as “noreply@wme.gov.uk”

ACTION:

Check each standard email used in your selection process in Talentlink.  Ensure the “From” sender address is a real email address.

The following methods authenticate your email and prove to the inbox providers that your email is worthy of the inbox and not the spam folder.

DKIM – “Domain Keys Identified Mail”

Proper configuration of the mailing system (DKIM) will switch on encryption of messages being transferred between different elements of the infrastructure adding an additional protection of personal data being transferred in the form of emails.

Both DMARC and SPF use DKIM results as methods for receivers to check email.

ACTION:

• Check with your ICT team if DKIM is used in your organisation.
• If so, this protocol can be set up in Talentlink.  Raise a service centre ticket specifying your domain name e.g. “Sandwell.gov.uk” and include the contact details of an ICT colleague who can work with Lumesse to set this up.

DMARC - Domain-based Message Authentication, Reporting & Conformance

DMARC is an email authentication, policy and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

SPF - Sender Policy Framework

Enables the owner of a domain to specify their email sending policy, for example which mail servers they use to send emails from their domain. The technology requires two sides to work together: the domain owner publishes this information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, the receiving server checks whether the message complies with the domain's stated policy. Organisations (owners of the domain) should add the TalentLink mail server IP address to their SPF record in the DNS zone file. TalentLink can then send emails using the customer’s domain to SPF protected mail servers.

ACTION:

• Ask your ICT colleagues to add the IP address 18.196.215.67 / “recruitmail.com” to your SPF Record in the DNS zone.

Emails to Candidates

In your initial email that you send to candidates (auto reply) you are able to add text about whitelisting your emails or add the sender email address to their contacts or address book. If they have them as a contact, most email services should know that they want to receive messages from them, and won’t mark them as spam.

You could also include the same or similar in the footer of each of the emails you send to candidates.

If possible, do not send HTML-only messages (send plain-text messages instead, or multi-part MIME messages with a text/plain component).

ACTION:

• Edit your auto reply email (the email sent by TalentLink automatically when a candidate submits an application to your job) asking them to whitelist your emails or add the sender email address to their contacts or address book.
• Consider adding a similar message to other emails sent to candidates during a selection process.

You can edit your 'Auto-reply' email, by accessing Communication Templates where your template will sit under the Document Type 'Email used in Candidate Communication';