Believe it or not, if a spam filtering system deems your email as spam or if your intended recipients mark your email as spam, your reputation score will go down. In this post you’ll learn five email deliverability best practices for achieving a good sender reputation with Yahoo! Mail. Yahoo Mail determines a sender’s overall reputation by considering many factors including, but not limited to:
- IP address reputation
- URL reputation
- Domain reputation
- Sender reputation
- Autonomous System Number (ASN) reputation
- DomainKeys Identified Mail (DKIM) signatures
- Domain-based Message Authentication Reporting and Conformance (DMARC) authentication
Below are the top 5 best practices that can help maintain delivery with Yahoo.
- Remove subscribers that won’t engage. If an email address hard bounces (no longer exists) or returned in the complaint feedback loop (marks your message as spam) remove them immediately from future mailings. SparkPost suppresses both hard bounces and complaint feedback loop subscribers.
- Authenticate. Make sure your messages are DKIM signed.
- Send consistently. If you send emails at a certain rate and suddenly have a spike of activity, you could get flagged as a compromised sender. Honor the intended frequency of a list. Don’t send daily to a list that was intended to be sent to monthly. When ramping up volume, never send more than double your previous average send.
- Content matters. The subject line should not appear to be generic nor should the content. Sending email to subscribers who do not find your content relevant therefore not reading the message or marking it as “spam” will hurt your overall reputation.
- Reconfirm the unengaged. Consider sending a reconfirmation email to inactive subscribers periodically.
Curious about best practices for Gmail? Read this blog post.
Yahoo has just announced that they will be dropping Return Path from managing their Complaint Feedback Loop (CFL). On June 29, 2015 Yahoo will transition the Yahoo CFL administration to their own Yahoo Customer Care. Yahoo does plan to port over all configurations as-is, stating no actions should be required and they will continue sending spam reports during the transition. However, senders should save existing CFL information as it will not be available after the transition.
As a customer of SparkPost Elite or SparkPost.com, no further action will be necessary. The Deliverability Services team will manage all SparkPost Elite CFL snapshots. SparkPost.com is double-signing DKIM for their customers so that only a snapshot of the SparkPost domain is needed and therefore managed by the Compliance team.
As a Message Systems On-Prem Customer that manages your own FBLs, you will want to visit the Yahoo site to take a snapshot of your current CFL configuration prior to June 29, 2015 as it will not be available once the transition is complete.
To save the existing CFL information:
- Go to http://feedbackloop.yahoo.net
- Sign-in with the email address you used for registration
- Go to ‘Manage Existing CFLs’ section (3rd tab at the top)
- Select all the information for existing domains
- Copy and paste the information to a file for future reference
Another major mailbox provider has moved to the DMARC policy reject mode due to recent spoofing attacks on its members. Yesterday, AOL announced that it was following in Yahoo’s footsteps with p=reject.
Over the past few days, “You’ve Got Mail” users have complained about hackers gaining access to their AOL accounts and sending many emails with malicious links to their friend lists. The link in the email leads to malware, phishing attacks and viruses. If you have an AOL account, it is highly recommended that you check your sent folder to see if your account is affected. If you see a suspicious email in your sent folder, you need to delete the email and change your account password immediately.
Although the number of affected users is unknown, this attack has received a lot of attention on Twitter with the trending hashtag #AOLHacked. The AOL anti-spam team regard this as a serious attack, and has taken firm action to defend their users (full disclosure: I’m a former AOL employee). In order to stop hackers and cyber criminals, as well as restore trust in their brand, they announced publicly yesterday that their DMARC policy has been changed from (p=none) to reject (p=reject). With this DMARC policy change, AOL will now only allow traffic from AOL.com users through their mail servers. Other providers who honor DMARC policies such as Gmail, Yahoo and outlook.com are now been instructed to reject mail sent on behalf of AOL Mail users via non-AOL servers.
This big step and revolutionary DMARC reject policy was recently initiated by Yahoo following the earlier lead of Twitter, Facebook & Linkedin, and is now followed by AOL. Hopefully, other major mailbox providers will soon follow suit. The Message Systems’ team fully supports Yahoo’s and AOL’s decision to put stricter DMARC policies in place to battle spam and phishing attacks. Our core messaging engine, Momentum, fully supports all authentication methods such as DKIM and DMARC out of the box, and our support and technical teams are available to address any questions and concerns customers might have with regards to complying with these new email authentication polices.
Want to learn more about DMARC? Read the How DMARC Is Saving Email E-Book today!
Much thanks to Franck Martin at LinkedIn and Josh Aberant at Twitter for providing technical guidance on this post.
Most countries require visitors to have a passport and valid visa at the point of entry – whether at the border or airport. These requirements, however, do not always prevent people from entering illegally. Malicious individuals may impersonate someone by stealing their passport and claiming their identity in order to gain access at checkpoints and deceive the border police. As a result, immigration officers now implement more advanced security and background checks to secure the borders.
Unfortunately, the Internet and the global email system have a lot in common with immigration and border security. While the main purpose of inventing the Internet in 1960s was open communication between universities, colleges and government agencies, cybercriminals have undermined that openness for the rest of us. Just like identity thieves, they subverted the system by using techniques like email spoofing and phishing, and as a result, the major Internet services providers (ISPs) have had to establish anti-abuse departments.
From botnets to malware, phishers to 419 scammers, malicious mail accounted for 85% of Internet traffic by 2012. In order to protect their members from these cybercriminals, major ISPs began to require stricter email security measures such as SPF and DKIM. Finally, DMARC was conceived in 2012.
DMARC or Domain-based Message Authentication, Reporting and Conformance is a security technique that fights cybercrime, including domain spoofing, phishing and spear phishing, that relies on SPF and DKIM authentication in order to guarantee message integrity. It’s a mutual reporting protocol whereby domain owners – email senders – can indicate to ISPs that their emails are protected by SPF and/or DKIM, and tell the receiver (the ISP) what to do if neither of those authentication methods passes. Through their DMARC policy, senders can request ISPs to reject non-compliant email outright, or to quarantine it for further review. In fact, there are three “report modes” for DMARC: report mode (p=none), reject (p=reject), and quarantine (p=quarantine) – more on this below.
DMARC is specifically designed to combat one of the most common types of phishing attacks, where the “from address” in an email is forged. We see this when cybercriminals create emails that appear to be from prominent Internet brands or financial services companies, and usually contain links to malicious websites. We also see this in spear phishing attacks where criminals impersonate close contacts of their intended victims. Email recipients who fall for these kinds of scams can inadvertently download and install malware, or hand over sensitive account login information or passwords, or become a victim of identity theft. Of course, the damage is most severe for the individual, but service providers and brands suffer as well.
DMARC is a powerful tool to combat this kind of activity, and the major ISPs have been steadily implementing it over the past two years. It should be pointed out that DMARC does two things, really, both a) protecting mailboxes from receiving phish and forgeries, and b) stopping criminals from using your domains. Because 85% of mailboxes in the USA are now protected by DMARC (60% worldwide), applying a DMARC policy on your domain is a very effective way to project your brand and make the email a more difficult channel for criminals to exploit.
Earlier this month, Yahoo took the bold step of changing their DMARC policy from report mode (p=none) to reject (p=reject). Yahoo’s SVP of Communications Products Jeff Bonforte explained the change in a Tumblr post:
“On Friday afternoon last week, Yahoo made a simple change to its DMARC policy from “report” to “reject”. In other words, we requested that all other mail services reject emails claiming to come from a Yahoo user, but not signed by Yahoo.
Yahoo is the first major email provider in the world to adopt this aggressive level of DMARC policy on behalf of our users.
And overnight, the bad guys who have used email spoofing to forge emails and launch phishing attempts pretending to come from a Yahoo Mail account were nearly stopped in their tracks.”
This policy now rejects and blocks traffic coming from yahoo.com email users who are on other networks, and not on Yahoo servers. The change will only affect traffic coming from Yahoo.com (not Yahoo hosted domains, it is up to each customer to decide whether or not to apply a DMARC policy on their hosted domain) based on the “From Address” that is not signed by Yahoo. This new policy has stopped millions of phishers already. This was a necessary move and no doubt there will be some education needed in the field to encourage small businesses to register and use their own domain if they haven’t already. But at the end of the day, these little challenges are a necessity, because email phishing has become one of the major channels for initiating cybercrime. After all, this was the reason DMARC was created, to give senders and receivers the power to define policies and protect the Internet from the criminals.
No doubt, Yahoo’s new policy is a disruption for small business owners and mailing list owners who send email on behalf of individuals. Yet DMARC has been embraced by many of the major Internet brands, and the effort to create a more secure messaging environment is likely to keep progressing. This is good for everyone who enjoys email and surfing the web. We encourage our ESP clients to only allow traffic from the domains they control to leave their network. We at Message Systems fully support Yahoo’s new DMARC policy and any effort to make the Internet a better and safer place. Our in-house expertise is available to assist any of our clients who use our core engine, Momentum, which provides for email authentication and is fully equipped to face any challenges in complying with Yahoo DMARC acceptance policies.
Find out more about DMARC email authentication in the The Benefits of Adopting DMARC Email Authentication in the joint webinar by Return Path, Groupon and Message Systems.
Weekly Email Marketing News Digest
Great start to 2013… and the second post of the year for our email marketing news series! From tactics, predictions and new technological email features, there’s a little bit of something for all email marketers.
Good email marketers know that email marketing is great for lead nurturing and stretching your customer lifetime value. Incredible email marketers know the cool tactics that will drive customer engagement and clickthrough. Here’s how:
- The Reward Delivery – Everyone loves a freebie. Using email marketing to increase customer loyalty through member rewards and promotions is a great way to get that buy-in.
- The Double Opt-In – Confirmation opts in. Do you really want to risk annoying customers with this? Yes, you do. And a lot of the time, the customer is actually looking for this. For brand loyalists, it gives them peace of mind. It’s also a good way to ensure that you have accurate email addresses to ensure email deliverability. Yahoo.com may seem easy to spell, but Jack Hogan, CTO, LifeScript, found there are more than 500 ways to get that spelling wrong.
- The Welcome Series – The Welcome Series is a great way to give the customer an overview of what to expect from the newsletter or mailing list they opted into. If your potential customers are opting in, it means they are looking for news about you – and that means higher clicks.
- The Amazing Email Marketing Integration – Marketing in silos? Not so hot anymore. Integrating your email marketing efforts with social and across other channels brings about a much higher clickthrough rate. It’s all about cross-channel these days – that’s how the conversation’s taking place.
Here’s a list of what the movers and shakers in the online world are saying about integrated marketing. We’re particularly interested in this comment:
“In 2013 we will see social media teams working much closer with e-commerce teams, and ‘integrated digital marketing’ will take shape. The laggards will be email marketers who will still feel comfortable in their established metrics and existing silo’d processes.”
Since this blog is all about email marketing, you’d think we’d take issue with this comment. But we’re going to go out on a limb and agree – email marketers will lag… IF they continue marketing in silo. We’ve been advocating cross-channel marketing for a while and we still stand behind that. Email still drives the highest ROI, – it’s not even an issue for debate anymore. Adding social and mobile tools to your arsenal will only increase the chances of customer conversion.
We’ve often featured articles that talk about improving deliverability from a content perspective – this one differs in that it takes a slightly more technical view and lists 7 areas you should look at when it comes to improving the chances of email getting into your customer’s inbox.
- Data source and collection practice
- Poor bounce management
- Poor complaint feedback loop management
- Content issues
- Poor data management
- Infrequent emailing
- Lack of authentication (SPF, DKIM)
Also have a look at the Top 5 Reasons Your Newsletter Will Go To Spam where the issues of cold IPS, unusual bursting, content, improperly setup infrastructure and incomplete list maintenance is covered in greater detail.
Yet another company finds itself in hot water for text spam. The Telephone Consumer Protection Act states that companies cannot use automated dialing systems without the consent of the consumers. Violations result in a $500 fine. Despite the heavy focus on mobile marketing due to its explosive growth, it is an area where companies can easily cross the legal line, despite recent updates to the Act. The answer to avoiding all this legal trouble then, lies again in .
Google’s constantly tweaking Gmail for improved usability. The new Compose Now view gives you the ability to add labels and stars to your email as you are writing it, saving time spent looking for the email and starring or labeling it only after it has been sent.
Learn more about improving your email deliverability and feedback loops in the Proven Tips for High Volume Sending webinar!
There has been a great deal of talk in the email marketing industry recently about tuning for delivery and effective IP reputation management, but much of it seems to be misguided or misinformed in my opinion. Many of the articles I have read in past months focus on the concept of “getting around” ISP spam filters, or “bypassing” the bulk folder. (more…)