Message hygiene

The department has multiple layers of message hygiene in place to protect staff from receiving SPAM, phishing, and malicious emails including system emails as well as user configured filters and rules.

Email scoring

All incoming mail is reviewed and given a Spam Confidence Level (SCL) score that helps determine how mail is actioned. Mail that is scored poorly can result in email being delivered to the Junk Mail folder, caught in quarantine, or blocked.

To help improve the SCL score and reduce the likelihood of your emails not being delivered to the inbox, here are things you can do:

• Ensure your mail service has SPF and DKIM configured
• DMARC is strongly recommended and preferred to have enabled. If enabled your DMARC policy should be set to either reject or quarantine
  • Having DMARC configured protects your domain from bad actors spoofing your domain and sending unauthorised emails on your behalf
  • DMARC checks your SPF and DKIM records to confirm who can send emails from your domain(s) and mail services will action based on your policy
• Format your emails correctly
  • ensure good spelling/grammar
  • make sure it is mobile friendly
  • avoid all images, spam trigger words, inappropriate or harassing words, all capitals, lots of emojis etc
  • avoid links to bad websites or files
  • avoid attachments where possible and link to them instead
• Use a reputable mail provider
  • avoid services where you share IP addresses with others as their emails may pull the reputation of those IP addresses down. These services can also result in only partial, intermittent, or failed delivery
  • Having a dedicated IP address(es) is strongly recommended where possible. These are available from major reputable bulk email service providers.
• For large numbers of emails, spread your email delivery out over a longer period of time

Checking my domain

If you are not sure if you have SPF, DKIM or DMARC enabled, you can check by going to https://mxtoolbox.com/ and entering your domain name and clicking MX Lookup. Once you get your reply, use the drop down to select the component you want to check and click the button.

Note that when doing a DKIM lookup you will need to add a selector to your search at the end of your domain name. Typically this is S1 but you it could have been set to anything eg mycompany.com.au:s1

What can I get recipients to do?

If you mail is not arriving in the recipient’s inbox, get them to:

1. Check if focused inbox is enabled. If this is enabled your email may be in the ‘other’ view. They can select the Other view to see non-focused email or they can disable the focused inbox so that all email is displayed
2. Check if the email is in their Junk Mail folder. If it is, ask them to check their mailbox rules and blocked sender lists in case they accidently configured your mail to go to Junk Mail.

Can I get my domain whitelisted?

The department does not whitelist domains by default as this poses a large security risk as it will allow emails from a whitelisted domains to bypass multiple message hygiene checks. If a whitelisted domain is compromised emails would be delivered to staff without a full set of checks being undertaken.

If a domain is approved for whitelisting, it must be configured for DMARC and have a policy set to either reject or quarantine and is only enabled for a short defined period and not a permanent bypass.