Over the last few years, Validity has purchased and merged several companies relating to email deliverability, primarily BriteVerify, Return Path, and 250ok. Return Path and 250ok were the top competitors in deliverability tools, specifically for inbox placement, so it’s been a very uncertain time. On August 18, Validity put to rest some of the questions we had about what tools we would have available with the announcement of their new email success platform, Everest.
According to their press release, Everest integrates the best of BriteVerify, RP, and 250ok and adds some tools and features that weren’t yet available to the industry.
Everest offers marketers a fully integrated solution to build, test, measure, and optimize email campaigns
• Platform includes best of 250ok, Return Path, and BriteVerify, plus all-new capabilities designed to maximize email marketing ROI
• Features and pricing editions make Everest attractive for businesses of all sizes that rely on email to engage customers
Al Iverson of Spamresource has made it his mission to test every possible deliverability tool, suite, or service, so make sure to keep your eyes out for the results of his testing.
Deliverability is a function of engagement over time, so something has been going amiss for at least a couple of weeks by the time you notice a drop in inbox rates. It’s imperative to react quickly to minimize any additional reputation damage while you dig into the root of the problem. One of the tactics I recommend is to maintain a list of subscribers that are your most active subscribers. This is easy to do before you run into problems and should be refreshed monthly.
To create this list of core subscribers, you’ll want to run a report showing which subscribers have engaged with your email multiple times. Limit your search to the last three months. Focus on recent opens and clicks, and prioritize subscribers who regularly open and/or click your messages. These subscribers drive up your engagement metrics dramatically.
As soon as you start to see a drop in deliverability, open, or click rates, you’ll want to change your list to your core subscribers plus about 20% more less engaged subscribers for the next few sends. For example, if you have 10,000 core subscribers your total send volume will be 12,000 for the next two to three sends. Slowly add in subscribers who haven’t engaged recently, so your next send might be 14,000 subscribers and include subscribers who haven’t opened or clicked in four to five months.
There will come a point when you’ll see a dramatic drop in your open and click rates for your sends. Once that happens, remove the last batch you added and create a re-engagement campaign for any addresses of that age and older, or suppress all older addresses from all subsequent sends.
While this won’t get you to the root of the issue, it will allow you to continue marketing while you work on finding the root cause and creating a plan to address it. If you need some help with setting up processes for immediate remediation tactics or with getting to the root cause, you can contact me through the Contact form or email me at firstname.lastname@example.org.
Sender authentication is a cornerstone of good deliverability. Sender auth is an advanced topic, but even beginners need to know enough about it to have a conversation about it because it is foundational to your deliverability. There are a few different forms of sender auth and what you need to know is the basics of how they work. Sender authentication methods are used to track your reputation, increase your company’s security, customer confidence, and reduce phishing and fraud.
When you send email, there is a lot of work happening behind the scenes and a lot of information recorded that you don’t usually see. I’ll share full headers and explain them in a future post, but what you need to know for now is those are the “envelope” for your email. Sender authentication methods validate different parts of the envelope to boost confidence that the email your recipient gets is the same content you sent and is really from you.
It’s about to get confusing, but we’ll have future posts that get more in-depth on each form of sender authentication. I’ve linked to the RFCs (Requests for Comments, or the rules that the internet operates by) that relate to each type of sender authentication for intermediate and advanced learning. If you’re just getting into email and deliverability, skip those for now. They’re very technical and can be confusing even for experts.
DNS usage in Sender Authentication
First, you need to understand some basics about DNS, or Domain Name Service. DNS has multiple different types of records that allows computers to “talk” to each other. While there are many more types of records, these are the ones you need to know for conversations about sender authentication to make sense:
TXT (text) records provide basic information about your domain.
A (address) records translate your IP (internet protocol) address. (which is made of all numbers) into words like www.directdeliverability.com.
MX (Mail eXchange) records say where to deliver email to you.
CNAME (canonical name) records let you set an alias. This may not apply to you unless your ESP handles your DNS records for you. We won’t be talking about them in detail here, but I’m including them in case they come up in conversation.
SPF, or Sender Policy Framework
SPF stands for Sender Policy Framework and is defined in RFC7208. SPF authenticates your sending IP address using a TXT (or text) record, which is comparable to your street address on a physical envelope. SPF checks your “envelope from” not your friendly from. Your envelope from goes by many names but the most common are Return-path or bounce address. We’ll get into the technical terms for these different from addresses in more advanced posts. Your envelope from is not usually displayed to your recipients. Your friendly from is the address you set up in your email client or ESP’s UI to display to your customers.
You may have a shared IP address, meaning other senders also use the same IP, a single dedicated IP, multiple dedicated IPs, or multiple vendors. All of these IPs need to be included in your SPF record and may be labeled as A, MX, ip4, ip6, or includes based on how they are formatted and grouped together. (There are additional types, but we’ll get into those when we look at SPF more in-depth.) If your SPF record is improperly formatted or does not include all of your originating IPs, SPF will fail which will cause your email to be placed in the spam folder or rejected.
DKIM, or DomainKeys Identified Mail
DKIM stands for DomainKeys Identified Mail and is defined in several RFCs, which can be found linked in the Documents section on the DKIM website. The DomainKeys Identified Mail (DKIM) Services Overview (RFC5585) establishes the protocol and gives an overview of the service. DKIM is comparable to the envelope you put physical mail in. It creates an encrypted “wrapper” around your content and headers like your subject line and From address.
In the full email headers, your mail server will include some information about which headers are included, the hash for the encryption, a selector (indicates different parts of your mailstream), and the domain or subdomain that is authenticating the message. In the image showing the from addresses, you can see which headers are being included by looking at the list after h=. (Text-only version available here.)
It is possible and somewhat common to have multiple different DKIM signatures on the same email. This just means that each signer is authenticating what they’re sending on is what they received from you. The signer may be very different from the original sender.
DKIM requires that the signers have a TXT record in your DNS entries that includes the type of cryptography used and a public encryption key. The recipient mail server makes a query to the signers’ DNS server(s) to ask for the public encryption key and compares its results to the information in your headers. If the results don’t match, DKIM fails. Your email will be marked as failing and placed in the spam folder or rejected.
Note: DomainKeys, as opposed to DKIM, is deprecated.
DMARC, or Domain-based Message Authentication, Reporting, and Conformance
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance and is defined in RFC7489. DMARC relies on DKIM or SPF in a few different ways. While neither SPF nor DKIM require that they align with your friendly from, DMARC requires that at least one does. Remember, SPF has to align with your Return-path or envelope from while DKIM relies on the signer’s domain value in the full headers? That’s a bit confusing, so why is the DMARC requirement different? DMARC is intended to combat online phishing and fraud, so it makes sense that the requirement of the email address you see is the one that has to be aligned to pass authentication.
DMARC requires a TXT record that recommends to a provider how they should place your email if DKIM and SPF do not align with the friendly from or both fail to pass and what percentage of email to apply the policy to. Policy options are none (deliver as normal, used for initial setup and troubleshooting), quarantine, or reject. Many providers will choose to quarantine rather than reject email regardless of the policy set.
BIMI, or Brand Indicators for Message Identification
BIMI stands for Brand Indicators for Message Identification and is the newest protocol. BIMI is still in draft and has not yet reached the point of having an RFC. The draft is available at https://tools.ietf.org/id/draft-blank-ietf-bimi-00.html. Because it is still in draft, implementation is limited, however there are a number of providers who have implemented BIMI as of late July 2020.
BIMI allows DMARC-compliant mail with an enforcement policy (quarantine or reject at 100%) to display a company logo in your subscriber’s mail interface. In order to display your logo, you must produce a Scaled Vector Graphic Tiny PS version of your logo and make it available via a URL. Once that is available, you publish a DNS TXT record that indicates where your logo is.
BIMI is not available at all mailbox service providers or for all senders yet, but it’s an exciting advancement and we’ll keep you updated as its use becomes more common.
All forms of sender authentication use DNS TXT records. To implement sender auth, you may need to pull in your IT team or DNS provider.
Sender auth is used by reputation systems. Not having sender authentication implemented, or having them implemented wrong can decrease your inbox delivery.
SPF conirms your envelope from (or return-path) domain matches an IP you have authorized to send mail on your behalf.
DKIM confirms the content of the email sent is the content your recipient received and uses the domain listed in the DKIM header for authentication.
DMARC requires either DKIM or SPF to pass and also to align with the friendly from address. DMARC lets you tell mailbox providers how you want mail that doesn’t pass authentication to be treated.
BIMI uses your DMARC policy to add a logo next to your email in some web interfaces for email providers. It is the newest protocol and likely to be adopted at a much wider scale in the coming years.
Sender authentication can be very complicated to get right. If you’re looking for additional help, you can contact me via the Contact form or via email at email@example.com.
Last week, I had a small electrical fire. Fortunately, I know enough to turn off the breaker and unplug the appliances. Beyond that, I know you have to Do Things(tm) with measurement tools to check for and fix other damage.
What’s that have to do with deliverability, though? I work with a lot of clients who know they have a small fire and have taken some steps to put it out, but they’re not sure what to do after that to check for and fix reputation damage. They’re stressed because they’re behind on their goals and uncertain how to get back into the inbox. One of the first questions I get when we talk is “What does this process look like?”
First, take stock, or create an inventory.
You are likely sending out more email from more sources than you realize. It’s important to identify all your mail streams so we can investigate each component, much as you would want an electrician to make sure all of your appliances are still working right.
Second, create a timeline of changes.
Reputation is a function of engagement over time. While most reputation systems only go back 4-6 weeks, I like to look at all the changes from the last three months. Mapping out a timeline helps to visually see what effect specific changes have had on engagement metrics.
Third, check for damage and identify the main negative reputation factors affecting your deliverability.
Use the timeline and the inventory to identify high-risk practices, infrastructure weaknesses, and mailing habits. So much goes into reputation and deliverability that it is impossible to work on everything at once. Without first assessing the damage and identifying what caused the damage, you don’t know what needs to be fixed or what you’ll have to replace. Figuring out where the most severe damage is being done allows you to prioritize where you put your resources.
Fourth, create an action plan.
Now that you’ve identified the highest risk and highest priority issues negatively affecting your reputation, it’s time to create an action plan. Much like the electrician gave me an estimate for additional work, I give my clients all this information in an audit report that outlines the key take-aways from the proceeding steps, lays out the path forward, and allows them to determine how much of their company resources will need to be spent on fixing the damage.
Fifth, implement the plan.
This is the most time-intensive step. Oftentimes, there are steps for multiple departments and some are dependent on each other. Approaching this step as a managed project helps make it go more smoothly. Some steps, like DNS updates, may need to be done first. Others, like creating trend reporting, can be handled independently of all other tasks. Each action should have clear substeps, if needed, and a defined end goal.
Sixth, maintain best practices.
Now that you’ve put in the work to improve your reputation, created reporting to help you see emerging problems before they become major problems, and have some training on how to handle different types of problems, keep up with best practices. If you were purchasing addresses before, don’t add that practice back. If your DNS entries were messy, create a maintenance plan to keep them clean. If you had a lot of older addresses, develop and use list hygiene practices that regularly remove inactive subscribers.
Good deliverability requires regular maintenance and attention to changing trends. It’s easy to forget, when things are going right, that each component needs regular review and maintenance. Without it, you risk having a fire break out before you realize there’s a problem and you need an expert.
When you’re looking for an expert, ask them what their process is for improving your deliverability. It may not look exactly like mine, but it should have steps for discovery, identification, resolution, and possibly training. (Many consultants provide the relevant training during each step rather than include it as a separate step.) If you’re in the middle of your fire, it helps to work on the discovery (inventory and timeline) while you’re looking for an expert to help you.
If you’re already familiar with BIMI, you’re probably excited about it. If you aren’t familiar with it, you’re probably shaking your head at there being yet another acronym in email. BIMI stands for Brand Indicators for Message Identification and it allows senders to add a branded logo within supporting email clients. What this means in simple terms is that your email subscribers will now see your logo beside your email, before they even open their mail.
It’s worth working towards implementing BIMI because BIMI relies you having set a DMARC policy that instructs mailbox providers to quarantine or reject email that claims to be from you but isn’t helps protect your customers from fraud. Displaying your logo, and the increased brand recognition that comes with it, is an added bonus for increased security!
If you do implement BIMI, which of your subscribers will see your logo before even opening your email? Because it relies on DMARC being set to a quarantine or reject policy, it’s non-trivial to implement so it’s important to know how much reach BIMI has. As an emerging technology, who has implemented BIMI is subject to change quickly but there’s already quite a reach.
What is the status for mailbox providers supporting BIMI currently?
Gmail announced the launch of it’s BIMI pilot this week.
Verizon Media Group has offered BIMI for some time.
Microsoft is not currently offering BIMI support and has not announced any intent to do so. Hopefully, we’ll see them add BIMI support soon.
Throughout internet history, there has been confusion about what is freedom of speech, protected by federal law, and what is permissible speech at internet, hosting, email, and content providers. US internet-based providers tend to stick closely to federal law as a matter of philosophy. However, each provider has specific contract rules outlined under their Acceptable Use Policy (AUP) or Terms of Service (ToS) that are more stringent than federal law. Violations of the AUP and ToS are breaches of contract and enforceable under the terms of the contract.
During the best of times, these contract limits are hotly contested and frequently debated within the industry. During times of civil unrest and overwhelming federal response, these debates increase in intensity. Legal challenges to your policies are increased during time of civil unrest, so ensure your Legal team is involved as early as possible.
While my recent focus is on deliverability, most of my career has included both Compliance and deliverability. I’ve taken part in several conversations recently where experienced Compliance employees – who are deeply familiar with federal law, their employers’ contracts, and their employers’ lawyers’ decisions – have made statements regarding the acceptability rhetoric as part of their AUPs. Because these conversations are focused on rhetoric only, they have a chilling effect on less-experienced employees and can prevent them from acting when rhetoric turns into a call to action, or CTA.
There are a few questions to answer with your Legal teams and your Compliance teams in order to adequately address the potential misuse of your service during times of civil unrest.
What is the difference between rhetoric and a call to action? Rhetoric is speech designed to have persuasive influence on your audience, but is often understood to have little substance or meaningful content.
A call to action, by contrast, is a request to take an action with the intent of achieving a goal.
Rhetorical speech normally contains a call to action and sometimes it can be difficult to tell when speech is rhetorical. The rhetoric stirs up the emotion that motivates people to respond to the call to action, but some language can be rhetoric in one situation and a call to action in another, based on the external situation, speaker, and audience.
When should Compliance initiate conversation with their Legal teams about how to enforce their AUP and ToS during times of civil unrest? What, if any, additional training do Abuse and Compliance employees need to recognize rhetoric and calls-to-action? Optimally, you should have these conversations during times of peace and implement training and testing to allow less-experienced employees to grow their confidence and ensure your Legal team agrees. If you haven’t done this, set up a meeting with the teams, take examples, and set clear internal standards – including the standard of what should be brought to Legal immediately.
New employees should be taught past examples and taught the outcome of those cases. Training should include examples where the customer became abusive towards the employee and what their next steps should be when, not if, that happens to them.
Legal and Compliance teams should meet on at least an annual basis, and after any major legislative changes, to ensure alignment and legal compliance. Training should be reviewed immediately after those meetings to ensure they are in alignment with any changes and updated with recent examples.
Should companies change how enforcement of calls-to-action, such as those inciting violence, during times of civil unrest?
No. Your company may decide that different specific situations are rhetoric or CTA, but how those are enforced should be consistent over time. If a customer is inciting violence, that customer should have the same repercussions regardless of external circumstances. Your company may want to publish a statement about the repercussions of violent calls to action, but your enforcement policy should remain the same.
An exception to this is if a current case load and severity of cases lead your Legal team to determine that past compliance standards are insufficient and your company is committed to maintaining the new standard in the future.
The line between rhetoric and a call to action isn’t always clear, due to how languages blend persuasion and direct orders. Make sure you’ve taken steps to align with your legal team and that anyone who is involved in enforcing policy is trained and confident about enforcing your policies.