EVERY STANDARD.
EVERY PROTOCOL.
VERIFIED.
Deliverability is not a feature you toggle on. It's the result of implementing authentication protocols correctly, maintaining infrastructure discipline, and monitoring reputation continuously. This page documents the specific standards we comply with and the practices that back them.
SPF
DNS TXT records declare which IP addresses are authorized to send on behalf of a domain. Receiving servers check inbound mail against this published list. Messages from unauthorized IPs fail validation.
Every sending IP in our Azure infrastructure is declared in SPF records. No broad "include" chains that dilute authorization scope.
DKIM
Cryptographic signatures attached to message headers let receiving servers verify the message was not altered in transit and originated from the claimed domain.
2048-bit RSA key pairs generated per sending domain. Signatures applied to every outbound message. Public keys published in DNS for receiver verification.
DMARC
Policy layer tying SPF and DKIM together. Tells receiving servers what to do when authentication fails and sends reports back to the domain owner.
Strict alignment enforcement. Aggregate and forensic reports monitored. Policy set to reject, not quarantine. Failed messages get blocked, not filed.
ARC
Preserves email authentication results across forwarding hops. When messages pass through mailing lists or forwarding services, ARC seals maintain the original authentication chain.
ARC headers applied to outbound messages traversing indirect paths. Authentication integrity preserved even through multi-hop delivery.
MTA-STS
Forces SMTP connections to use TLS encryption. Prevents downgrade attacks where a man-in-the-middle strips encryption from the transport layer.
MTA-STS policies published for all sending domains. TLS 1.2+ enforced on every SMTP connection. Opportunistic encryption is not good enough.
BIMI
Displays verified brand logos in supporting email clients. Requires DMARC enforcement at reject level and a Verified Mark Certificate from a qualifying authority.
Infrastructure supports BIMI-ready configurations. DMARC enforcement at reject level is a prerequisite we already meet by default.
DEDICATED IP ALLOCATION
No shared IP pools. Each client sends from dedicated IPs with isolated reputation. One bad actor on a shared pool cannot drag down your deliverability.
IP WARMING SCHEDULES
New IPs follow industry-standard volume ramp protocols. Gradual increases over weeks, not days. ISPs see consistent, predictable sending patterns that build trust.
DISTRIBUTED AZURE REGIONS
Sending infrastructure spans multiple Azure regions. Geographic distribution prevents single-point reputation damage and provides routing redundancy.
REVERSE DNS VERIFICATION
Every sending IP has correctly configured PTR records matching the HELO/EHLO identity. Forward-confirmed reverse DNS verified. ISPs that check -- and most do -- see clean infrastructure.
GOOGLE POSTMASTER TOOLS
Domain and IP reputation tracked through Google's own reporting. Spam rate, authentication success, encryption status, and delivery errors -- measured, not guessed.
MICROSOFT SNDS
Smart Network Data Services provides direct visibility into how Microsoft's mail infrastructure views sending IPs. Complaint rates, trap hits, and filter verdicts from the source.
FEEDBACK LOOP ENROLLMENT
Registered with major ISP complaint feedback loops. When a recipient marks a message as spam, the signal reaches us within hours. Reputation issues caught before they cascade.
BOUNCE CLASSIFICATION
Hard bounces and soft bounces handled differently. Invalid addresses purged immediately. Transient failures retried with backoff. Repeated soft bounces escalated to suppression.