Email Blogs
I thought it would be fun to take a moment and look back at a prior webinar. This presentation that Tonya Gordon and I put together for Klaviyo users in early 2023 was one of the most popular webinars I put together for my then-employer. Klaviyo users seem to hunger to learn more about deliverability and best practices, and I think the guidance here is still accurate and will help put folks on a solid deliverability footing. In the webinar, Tonya and I break down the difference between delivery and deliverability, how to put your best deliverability foot forward (it starts with your authenticated domain name), how to measure and monitor for deliverability issues, and much much more! Google and Yahoo’s new sender requirements had yet to be announced when we presented this webinar; thus we did not touch on them. Klaviyo has put together a Yahoo/Google compliance guide here; and
Just recently discovered in my own inbox: a notice from Google indicating that they’re going to require OAuth access for third party applications connecting to “Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.” Most modern apps support OAuth already, but there are a number of legacy tools out there that do not — anything where you might have configured an app password to link that third party functionality to your Google (Workspace) account. Starting June 15, 2024, Google will remove the allow “less secure access” app password settings from Google Workspace admin. Currently configured apps and passwords should continue to work until September 30, 2024, at which time support for that functionality will be disabled for Google Workspace users. Read more details here. Does this affect you? Impact here likely isn’t broad, and certainly I’m a fan of better security. But I also do
It’s time to decode another deliverability acronym. Today, we’re going to tackle DMARC, which stands for “Domain-based Message Authentication, Reporting and Conformance.” It’s a bit of a mouthful, but it’s actually a relatively simple and good thing. This domain-level setting allows a domain owner to: Tell receiving internet service providers (ISPs) and mailbox providers (MBPs) (think Gmail, Yahoo, Outlook.com and others), what to do with email messages sent to email users on their platforms, purporting to be from your domain, but failing authentication checks. Protect your domain name by locking it down, setting a policy that says that mailbox providers should not trust mail from my domain unless it authenticates properly. Instruct mailbox providers where to send reports to help summarize and monitor for email authentication compliance. DMARC is implemented via a DNS text record. Learn more about that here. DMARC effectively requires correctly configured SPF (Sender Policy Framework) and/or
As part of their continuing efforts to lock down unrestricted public access to their reputation data, Spamhaus has announced that as of February 14, 2024, they’ll be blocking DNSBL queries made via Digital Ocean’s Cloud Server infrastructure. Read more about it here. This isn’t really a bad thing; those who want can still sign up for the free tier of “DQS” access from Spamhaus for small volume or hobbyist usage. Requiring registration for this (and using their unique subdomain-based process) reminds me a bit of email authentication — the goal is so that Spamhaus can see you as you, not as just some random bits of data in the blob of all the requests coming from public servers. I’ve blogged about this before. So if you’re wondering how to safely query Spamhaus reputation data, read this and be informed. Email admins asleep at the wheel tend to wake up weeks
It all starts with a list of top domains. Top ten million, in this case. Of those top, around 12% of them have published a DMARC record. Of those, which ones have a BIMI record in place? That’s what this data shows. That means that it’s a percentage of a percentage of an arbitrary measure of “top domains.” But hey, we can still have fun with this — sort of questionable data set, so let’s do that! BIMI logo adoption is growing in this data set. Perhaps not exploding like gangbusters, but it is still good to see it growing, from 1.26% of top domains up to 1.38%. Today, that’s nearly 17,000 domains (of that top 10 million) that have published a BIMI record. From June through December 2023, the rate at which BIMI-publishing domain owners also implemented a Verified Mark Certificate (VMC) rose from around 10% to around 14%.
Google’s Gmail might be the preeminent mailbox provider. Launched in 2004, Gmail has grown from the “new kid on the block” into one of the biggest hosts of individual email mailboxes in the world. Depending on what data you look at, you might even see Gmail as the #1 mailbox provider, at least here in the US. Gmail’s spam filtering systems incorporate user feedback and engagement. And they know what they’re doing. If you are not sending wanted mail to people who requested that mail and who read that mail at high enough percentages, you’re going to struggle. You won’t reliably get your mail to the inbox. Their systems are too good — their magic spam fighting robots look at metrics very closely — and their view of certain metrics can even change over time! What got you to the inbox in 2019 might not be good enough to get
The worst thing about the yahoogle requirements has been their use of the term “one-click unsubscribe”. It’s an overloaded term that’s being used here to mean RFC 8058 in-app unsubscription. That’s a completely different thing to what one-click unsubscription has been used to mean for decades, often in the context of complying with legal requirements around unsubscription. It’s confusing. So here’s the simple explanation. To comply with everyone’s unsubscription requirements you need to do two things. First thing You need to have a clear link visible in the body of your message that allows users to unsubscribe. It’s the link you already have in the footer of your message: When the user clicks on it they should go to a web page. That web page must have a clear, conspicuous button that the user can click to unsubscribe. It cannot require them to provide any other information. That page can
Brand Indicators for Message Identification (BIMI) is an email spec that allows email senders to display a brand or company logo alongside email messages when displayed in different email applications and webmail platforms. It helps to promote trust and security by requiring proper underpinnings of email authentication and a Yahoo study indicated that the logo display can increase chances that recipients will interact with your email messages. The BIMI specification is overseen by a collaborative email industry group known as the AuthIndicators Working Group, comprised of email senders, email receivers, email security and deliverability experts. Which mailbox providers and webmail platforms will display BIMI logos? As of January 2024: Supports BIMI: Apple (iOS and MacOS email clients), Cloudmark, Fastmail, Gmail, La Poste, Onet Poczta, Yahoo Mail and Zone. (This also includes Pobox, AOL/Netscape, and Google for Business/Gsuite mailboxes). Considering BIMI Support: atmail, BT, Comcast, Qualitia, Seznam.cz, GMX/Web.de, Yahoo Japan. Does not support BIMI: Microsoft. Implementation Considerations:
Salesforce Pardot (aka “Marketing Cloud Account Engagement”) is a B2B-focused marketing automation tool meant to help companies nurture leads and build engaged email relationships with their subscribers. If you’re a Pardot user and wondering how do I set myself up for deliverability success? And how do I know ongoing if I’m having deliverability challenges or not? Then this content is perfect for you. In this fifteen minute recorded webinar, I’ll walk you through the deliverability basics when it comes to the Salesforce Pardot platform. Find the recording on YouTube or embedded below, and thanks for watching! For ease of navigation, below I have included all of the different links I referenced in the recorded webinar. Happy surfing! Configure DKIM authentication in Pardot. “Warm up” your IP and domain in Pardot. More on 2024 Yahoo and Gmail sender requirements. Opt-in performs better. Should I use a purchased email list? Pardot Reporting
Reporting is an important part of DMARC. It provides valuable feedback from mailbox providers to help you identify any problems with authentication of your legitimate emails, and allows you to monitor for fraudulent email misuse of your domain name. But lots of people set up DMARC without understanding the reporting component — I myself have been guilty of simply routing DMARC reports (which tend to comprise a low volume of emails containing XML-formatted data attachments) to a folder or mailbox to review them “someday.” And if that day ever comes, I figure it would be good to understand what I’m looking at as far as the two different types of DMARC reporting — and why, ultimately, RUA (aggregate) reporting is all I (and you) should rely on. When creating a “reporting address” for your DMARC record, you might notice that there are two different “reporting” fields in the DMARC record