Are my BI Helper reports being delivered to my recipients? Or are they often ending up as spam?
Read on to learn about email authentication in BI Helper, and how to set it up to ensure that your reports are delivered to end-users.
What happens if I don't authenticate your sender email ID?
If you don't authenticate your sender email ID, you risk your PDF and Power Point reports being marked as spam and not being delivered to the recipients. Leading email providers like AWS SES, Gmail, Yahoo and Outlook are increasingly enforcing email authentication to ensure the identity of email senders and distinguish legitimate emails from spam and phishing emails. For companies sending over 5,000 emails in a day, email authentication for DMARC compliance is mandatory to ensure delivery to the recipients.
What is DMARC? Will DMARC compliance ensure that my reports don't end up as spam?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that helps domain owners prevent email spoofing and phishing by specifying how receiving servers should handle unauthenticated messages. By doing this, DMARC compliance makes it easy for email providers to ensure that genuine emails don't end up as spam.
Email is one of the most prominent channels for cyberattacks in organizations because it is the most popular method for corporate communication. Unauthenticated domains are highly vulnerable to phishing and other malicious activities. According to research by Verizon in 2024, 90% of all malware is delivered by email, making it critical for organizations to differentiate between real and fake emails.
Email authentication is an effective process to confirm the identity of email senders. It plays a critical role to minimize the risk of cyberattacks in any email-based business by helping users distinguish legitimate emails from spam and phishing emails.
The foundational protocols in email authentication that collectively enhance trust and email deliverability are:
1. Domain-based Message Authentication, Reporting and Conformance (DMARC) - Helps domain owners ensure that emails are sent from their domains, and control how they want unauthorized messages to be treated.
2. Sender Policy Framework (SPF) - Authenticates emails by helping organizations publish an authorized list of senders.
3. DomainKeys Identified Mail (DKIM) - Uses digital signatures to sign emails and ensure that they remain unaltered through the delivery process.
For organizations that send over 5,000 emails daily, DMARC compliance is mandatory for inbox placement with leading email providers like Gmail, Yahoo and Outlook. DMARC validation ensures that:
1. Emails are genuinely sent from the user’s domain using SPF and/or DKIM checks. It does this by matching the SPF record and DKIM key with the sender's root (primary) domain.
2. Spoofing and phishing are prevented by giving inbox providers clear instructions on how to handle unauthenticated messages.
3. Reporting is enabled so that domain owners can monitor authentication results and spot any abuse.
For smaller volume email senders, these leading email providers have started flagging DMARC non-compliant emails. Instead of being delivered to the recipient’s Inbox, non-compliant mails often end up in the Junk/Spam folder, in the Other tab (in Outlook) or get archived or redirected by rules set up by the user.
BI Helper uses the Amazon Simple Email Service (AWS SES) to send PDF/ PPTX reports from Power BI or Tableau to end-users. Every email sent from AWS SES has two parts:
DMARC requires that the domain in Header From aligns with the domain in Envelope From.
This addresses a major vulnerability where a malicious actor can send an email that passes the individual SPF and DKIM checks and looks genuine. The recipient has no reason to be suspicious of it, but the email is a complete fraud.
Identifier alignment: In order to be DMARC compliant, you need to connect a branded email sending subdomain to your account that matches the root domain in your ‘from email ' address.
For example, if your root domain is mycompany.com and you send emails from sales@mycompany.com, then you can use reports.mycompany.com as a branded sending subdomain.
IMPORTANT:
1. Please work with your DNS admin / Azure admin to set up DMARC compliance for your sender email IDs in BI Helper.
2. The specifics of the implementation depend on your DNS or hosting provider. Please review their documentation before you start.
1. Go to Settings > DMARC Compliance in BI Helper and click on the ‘+ Add Subdomain’ button. The requirements for the subdomain are given in the page.
2. Pick a subdomain, enter it and click on ‘Save’. BI Helper will generate 3 CNAME records, 2 TXT records and one MX record for SPF and DKIM in the same page.
3. Copy and publish them to your DNS provider. Click on ‘Continue’ to complete the DMARC setup.
4. Allow up to 72 hours for your DNS provider to propagate them.
5. Once your domain is verified, please ensure that your ‘from email’ address is aligned with your ‘mail from’ subdomain. This satisfies DMARC's alignment requirement for SPF.
1. To check the DMARC status of your ‘From email', go to the Send Email tab in BI Helper, enter your Sender Email and click on Check DMARC.
2. When you see the green 'DMARC Compliant' box, it means that the process is complete and your emails from BI Helper will now have the highest deliverability levels.
Complying with DMARC authentication protocol in Amazon SES - Amazon Simple Email Service
Using a custom MAIL FROM domain - Amazon Simple Email Service
