Suped
Should I authenticate my primary domain if it's only used for internal communications?
Summary
Experts, marketers, and documentation sources overwhelmingly recommend authenticating primary domains, even when used solely for internal communications. Implementing SPF, DKIM, and DMARC prevents internal phishing, spoofing, and unauthorized domain usage. Authentication not only secures internal communications but also protects domain reputation, and may reveal unauthorized email practices. While not strictly mandatory, especially with lenient DMARC policies, proper implementation is crucial to avoid inadvertently blocking legitimate emails.

Key findings

  • Phishing Prevention: Authentication significantly reduces internal phishing attacks and spoofing attempts.
  • Enhanced Security: SPF, DKIM, and DMARC improve internal email security.
  • Domain Protection: Authentication helps protect the domain and its subdomains from unauthorized use.
  • Reputation Management: Preventing internal emails from being flagged as spam helps to maintain a positive domain reputation.
  • Policy Applicability: DMARC principles apply universally, regardless of whether the communication is internal or external.

Key considerations

  • DMARC Implementation: Properly configure DMARC, particularly when using 'p=reject', to avoid blocking legitimate internal emails.
  • SPF/DKIM: Ensure SPF and DKIM records are correctly configured for all sending sources.
  • Regular Audits: Audit internal email practices to identify and address unauthorized or poorly configured email sources.
  • Cost vs. Benefit: While there are costs, such as setup and maintenance, the benefits of increased security and deliverability should outweigh the investment.
  • Internal Vulnerability: Recognize that internal emails can be vulnerable to spoofing and unauthorized access, similar to external emails.
What email marketers say
12 marketer opinions
Authenticating a primary domain, even if solely used for internal communications, is highly recommended. It fortifies security by preventing internal phishing attacks, spoofing, and unauthorized domain usage by malicious actors. Implementing DMARC, SPF, and DKIM helps protect not only external email traffic but also internal communications, ensuring a secure environment within the organization. Furthermore, authenticating internal emails safeguards domain reputation, prevents internal emails from being flagged as spam, and enables the discovery of unauthorized email practices.

Key opinions

  • Enhanced Security: Authentication prevents internal phishing attacks and spoofing, securing internal email communication.
  • Domain Protection: Applying DMARC policies on the root domain protects all subdomains and prevents unauthorized usage.
  • Reputation Management: Authenticating internal domains helps prevent emails from being flagged as spam, preserving domain reputation.
  • Issue Resolution: Proper authentication of Google Workspace can fix internal email issues.
  • Risk Mitigation: Authentication methods significantly reduce the risk of internal phishing attacks and spoofing attempts.

Key considerations

  • DMARC Implementation: Implementing DMARC is crucial for protecting the entire organization, including internal communications.
  • SPF and DKIM: Utilize SPF and DKIM records to authenticate email and prevent spoofing.
  • Regular Audits: Perform regular audits to discover any unauthorized or poorly considered email practices.
  • Proactive Security: Authentication secures domains against exploitation by spammers and malicious actors.
  • Deliverability: Authentication improves email deliverability, ensuring important internal communications reach their intended recipients.
Marketer view
Email marketer from EmailonAcid explains that authentication is crucial for protecting your entire organization, including internal communications. It minimizes the risks of unauthorized use and internal phishing.
25 Oct 2021 - EmailonAcid
Marketer view
Email marketer from SuperOffice explains that DMARC is also important for internal email security. Internal phishing attacks can be devastating to your organization. Even if a domain is primarily used for internal communications, it is essential to implement DMARC.
12 Dec 2021 - SuperOffice
What the experts say
6 expert opinions
Experts recommend authenticating your primary domain, even if only used for internal communications, to prevent internal phishing, spoofing, and unauthorized use. While not strictly mandatory, authentication improves security, helps discover poorly considered email practices, and ensures internal emails are less vulnerable to spoofing. Proper implementation, especially with DMARC, is crucial to avoid blocking legitimate emails.

Key opinions

  • Phishing Prevention: Authentication helps prevent internal phishing attacks and spoofing.
  • Improved Security: Authentication improves overall security even for internal communications.
  • Unauthorized Discovery: Authentication can help discover unauthorized or poorly considered email practices.
  • Domain Protection: Protects the domain from spoofing and unauthorized use.
  • Recommendation: Experts generally recommend domain authentication even for internal emails.

Key considerations

  • DMARC Setup: Proper DMARC implementation is crucial; incorrect setup can block legitimate emails.
  • SPF, DKIM, DMARC: Implement SPF, DKIM, and DMARC (at least p=none) to protect email traffic.
  • Not Mandatory: While beneficial, authentication is not strictly mandatory.
  • Internal Filters: Authentication helps avoid accidental blocking by internal filters.
  • Vulnerability: Internal mail can be just as vulnerable to spoofing as external mail.
Expert view
Expert from Email Geeks shares the importance of implementing SPF, DKIM, and DMARC p=none to protect traffic.
5 Dec 2022 - Email Geeks
Expert view
Expert from Email Geeks warns that DMARC can cause problems if implemented incorrectly, such as using p=reject without valid SPF/DKIM, potentially blocking legitimate emails.
17 Jun 2023 - Email Geeks
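
The warning above about p=reject without valid SPF/DKIM can be checked before a policy is tightened. The following is an added example, not code from this page or the quoted experts: it audits a domain's published TXT records, supplied inline as constructed sample data for the hypothetical domain corp.example. It checks record presence and syntax only, not identifier alignment.

```python
# Added example. All record values are constructed samples for corp.example.
def parse_tags(record):
    """Split a 'k=v; k=v' TXT record (DMARC or DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # keep '=' padding in base64 keys
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, zone):
    """zone maps DNS name -> list of TXT strings. Returns (policy, findings)."""
    findings = []
    spf = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    terms = spf[0].lower().split() if spf else []
    spf_ok = len(spf) == 1 and not {"all", "+all"} & set(terms)
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (evaluates to permerror)")
    elif not spf_ok:
        findings.append("SPF '+all' authorizes every sender")
    suffix = "._domainkey." + domain
    keys = [parse_tags(r) for name, recs in zone.items()
            if name.endswith(suffix) for r in recs]
    dkim_ok = any(k.get("p") for k in keys)  # an empty p= is a revoked key
    if not dkim_ok:
        findings.append("no usable DKIM public key")
    dmarc = [r for r in zone.get("_dmarc." + domain, [])
             if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("no single DMARC record; receivers apply no policy")
        return None, findings
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC record has no valid p= tag")
        return None, findings
    if policy != "none" and not (spf_ok or dkim_ok):
        findings.append("p=%s with neither SPF nor DKIM: legitimate mail fails DMARC" % policy)
    return policy, findings

# The misconfiguration the expert warns about: enforcement with nothing behind it.
RISKY = {"_dmarc.corp.example": ["v=DMARC1; p=reject"]}
# The staged rollout: SPF and DKIM published, DMARC in monitoring mode.
STAGED = {
    "corp.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "s1._domainkey.corp.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_dmarc.corp.example": ["v=DMARC1; p=none; rua=mailto:dmarc@corp.example"],
}
```

`audit("corp.example", RISKY)` returns the `reject` policy with three findings, while the staged zone returns `none` with an empty list.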
What the documentation says
5 technical articles
Documentation from Google Workspace Admin Help, Microsoft Learn, DMARC.org, RFC Editor, and AuthSMTP consistently recommends authenticating domains, even those used solely for internal communications. Implementing SPF, DKIM, and DMARC is crucial to prevent internal phishing, spoofing, and unauthorized domain usage. These mechanisms ensure that only authorized sources send emails using the domain, thereby strengthening internal security.

Key findings

  • Phishing Prevention: Authentication prevents internal phishing and spoofing attacks.
  • Enhanced Security: Configuration of SPF, DKIM, and DMARC enhances overall security for internal domains.
  • Unauthorized Usage: DMARC ensures only authorized sources can send email using the domain.
  • Universal Applicability: DMARC principles apply to all emails claiming to be from a domain, internal or external.
  • Secure Internal Traffic: Authentication ensures secure internal email traffic.

Key considerations

  • SPF, DKIM, DMARC: Implementing SPF, DKIM, and DMARC is essential for authentication.
  • Exchange Online Protection: Exchange Online Protection (EOP) relies on SPF, DKIM, and DMARC for authentication.
  • Internal Security Posture: Authentication strengthens internal security against spoofing and phishing.
  • Authorized Sources: Ensure that only authorized sources can send email using the domain through DMARC policies.
  • Domain Protection: Protect your domain from unauthorized use with DMARC.
Technical article
Documentation from Google Workspace Admin Help explains that even if a domain is primarily used for internal communications, authenticating it with SPF, DKIM, and DMARC helps prevent internal phishing and spoofing, ensuring secure internal email traffic.
27 May 2023 - Google Workspace Admin Help
Technical article
Documentation from Microsoft Learn explains that Exchange Online Protection (EOP) relies on SPF, DKIM, and DMARC to authenticate incoming email. Configuring these records for internal domains enhances security and prevents spoofing attacks.
26 Aug 2023 - Microsoft Learn