How does DNS server reputation affect email deliverability?

Key findings

• Indirect impact: DNS servers do not directly send emails, but their reputation can indirectly affect a domain's deliverability, as seen with how DNS records align with email infrastructure.
• Associated risk: If a DNS server or the associated registrar is linked to many domains engaged in shady activities, legitimate domains using those services may also experience a reputation hit.
• Hijacked domains: Criminals sometimes hijack domains and change their name servers, leading to the affected domains being listed on blocklists like the DBL (Domain Blocklist).
• Spam association: DNS servers can be a mechanically recognizable common factor for snowshoe spammers, making them a data source for anti-spam systems.
• Provider vetting: Larger DNS providers, despite hosting many domains, typically don't vet clients for email sending practices, potentially leading to issues if a bad actor uses their services.

Key considerations

• Choosing a DNS provider: Opting for reputable and widely used DNS providers can offer a degree of protection, as the sheer volume of legitimate domains they host dilutes the impact of any bad actors. However, it is always important to understand the impact of changing nameservers.
• Self-hosting DNS: While feasible, setting up an in-house DNS server requires significant expertise to maintain a good reputation and avoid issues like inadvertent blocklisting, which might be easier to manage with a specialized provider.
• Monitoring for abuse: Businesses should actively monitor their DNS records and domain reputation to detect any signs of compromise or unexpected blocklisting that could stem from DNS server issues. Learn more about understanding your email domain reputation
• Contextual blocking: Reputation providers often use crude IP-based blocklists and try to avoid false positives, meaning a shared platform might not be impacted as severely as a dedicated IP or in-house server for equally bad mail due to the potential for collateral damage.

Key opinions

• Scale advantage: Many marketers believe that using large DNS providers such as Cloudflare or AWS Route53 offers an advantage, as these services host vast numbers of domains, diluting the impact of any single shady domain on overall reputation.
• In-house challenges: There is a strong sentiment that setting up and maintaining in-house DNS and email servers can be exceptionally difficult for organizations, particularly startups, even when they are not sending spam. Learn more about email deliverability issues.
• Perceived unfairness: Some feel that blocklists and reputation providers do not apply their technical logic consistently, appearing more lenient to large providers (like Gmail/Outlook) even when their IPs are listed, compared to the punitive approach taken against private IPs or in-house servers.
• ASN blocklisting: Marketers sometimes experience entire Autonomous System Numbers (ASNs) being blocklisted, which can severely impact deliverability without immediate knowledge or clear cause.

Key considerations

• Due diligence for DNS providers: When choosing a DNS provider, consider their reputation and historical association with malicious activity, as even seemingly reputable providers might inadvertently host problematic domains. It is critical to grasp how DNS impacts email deliverability.
• Balancing in-house vs. external: Organizations should realistically assess their internal expertise and resources before committing to an entirely in-house email and DNS infrastructure, recognizing the complexities of deliverability management.
• Monitoring blocklists: Implement robust monitoring for domain and IP blacklists to quickly identify and address any listings, regardless of the DNS or email hosting setup.

Key opinions

• Criminal association: Experts have observed cases where domains are hijacked, including their name servers being changed, leading to the domains being listed in Domain Blocklists (DBLs) because they are under criminal control.
• Registrar reputation: If a registrar operates with spammers, it's assumed any domain registered there is a spamming domain, especially if served by the registrar's DNS server.
• Hallmarks of suspicion: Immediate blocking of a new DNS server indicates suspicious hallmarks, suggesting it's likely under the control of someone sending mail eligible for blocklisting (e.g., on Spamhaus).
• Snowshoe spam detection: DNS servers can be a common and easily recognizable factor for identifying snowshoe spammers, providing useful data for anti-spam systems.
• No inherent blocklisting for in-house DNS: There is no evidence that legitimate companies using their own DNS servers are automatically blocklisted; issues arise from actual bad mail or behavior.
• Blocklist objectives: Reputation providers prioritize their customers (email recipients) by curating inboxes, not senders. The focus should be on sending desired mail, which resolves many filtering issues.

Key considerations

• Shared vs. dedicated IP impact: Bad mail on large, shared platforms (like Gmail) might avoid immediate blocklisting due to collateral damage concerns, but moving that same mail to a dedicated, in-house IP will likely result in blocks because it's clearly spam.
• ASN-level blocks: While some providers (e.g., UCEProtect, Microsoft) block entire ASNs, this is distinct from domain or IP-specific blocklists like Spamhaus. This relates to the broader discussion on what a DNSBL is and its deliverability impact.
• Consultant's role: Consultants cannot give unqualified 'yes' or 'no' answers to in-house setup questions. Their role is to provide comprehensive information for informed decisions, considering client business models and resources.
• Hosting provider reputation: Providers like Linode, OVH, and Digital Ocean are widely blocklisted due to their historical association with spammers, making it advisable to avoid sending mail from those networks.
• Fixing blocklists: Legitimate blocklistings can often be fixed. It's crucial to address the root cause of the listing rather than assuming it's a false positive, especially if mail is consistently blocked from a dedicated setup. You might be interested in how email blacklists actually work.
• Permission-based sending: Gaining genuine consent from recipients is key to successful email delivery. Senders who avoid sending to blocklist maintainers (often spam traps or direct lists) do so by strictly adhering to permission-based practices.

Key findings

• Association-based reputation: Documentation from organizations like Spamhaus indicates that domain reputation can be affected by the DNS server used, as well as the hosting service, the IP, or a combination of these factors.
• DNSBL criteria: Domain-based blacklists (DNSBLs) often list domains based on problematic DNS configurations or associations, such as domains hosted on name servers known for facilitating spam or malware.
• Abuse patterns: Security research highlights that certain DNS infrastructure components, including specific name servers or registrar networks, are frequently exploited by spammers and phishers, making them targets for reputation systems.
• Shared infrastructure risk: While large DNS providers are generally robust, the documentation sometimes implicitly warns that if abuse is concentrated on a specific subnet or cluster within a large provider, it can still lead to localized reputation issues affecting domains using that specific part of the infrastructure.

Key considerations

• DNS configuration for authentication: Proper DNS configuration, especially for records like SPF, DKIM, and DMARC, is critical. Misconfigurations can severely impact deliverability regardless of the DNS server's reputation.
• Monitoring DNS health: Regularly checking DNS records for unauthorized changes or issues, such as those that might occur during a domain hijack, is essential to prevent reputation damage. This relates to the importance of domain reputation.
• Understanding reputation components: Recognize that DNS server reputation is one component of a broader sender reputation, alongside IP and domain reputation. All these elements contribute to how ISPs perceive your email.