Email Authentication

Every sales team doing outbound needs to know this about email deliverability in 2024: No EXCEPTIONS. Email deliverability is a “death by a thousands paper cuts” type of situation. Stop stacking paper cuts. ✅ Set up secondary domains. If you are still cold emailing off your primary email domain you may be in big trouble. The last thing you want (especially if you aren’t a reputable company) is to burn your primary domain. This doesn’t just affect your sales team. It affects everybody at your company. ✅ Set up your DNS (DMARC, SPF & DKIM) records for ALL of your secondary domains. ✅ Secondary domains should link to your primary. You want to make sure your prospects are being directed to your actual company domain if they are curious and click. ✅ Instantly.ai recommends limiting yourself to 3 email addresses per domain. ✅. Email Warmup - Domains should be “warmed up” for 14 days before cold emailing. Send at least 20-40 warm up emails per day per email account, with a 40% reply rate. This builds your domain reputation. NEVER switch off email warm-up. ✅ Email Volume - do NOT send more than 30 emails per day per email account. ✅ Keep your email signature plain text. No Links. AT ALL. Add your address in your signature and make sure you put a picture in your Outlook or Gmail profile. ✅ Vary your cold email copy. Sending the same template to every prospect signals that you are a spammer. Take the time to personalize emails. For emails further in your sequence, use Spintax. Use alternate phrases “Hi, Hey, Hello”. ✅ Understand that your domain gets TORCHED when people mark your email as spam. Good and relevant copy matter. Also, don’t run 7+ email step sequences. It’s okay to have sequences that are 15 steps. But make them multi-channel (Calls, LinkedIn, Email). ✅ Constantly monitor your email deliverability. Highly recommend using Instantly.ai to make this all easier. Maintaining good deliverability over time is key in the success of outbound. Curious - what else should I have mentioned here?

Important Email Update! New requirements from Gmail and Yahoo Mail effective February 2024. 𝐄𝐦𝐚𝐢𝐥 𝐬𝐞𝐧𝐝𝐢𝐧𝐠 𝐛𝐞𝐬𝐭 𝐩𝐫𝐚𝐜𝐭𝐢𝐜𝐞𝐬: As part of their ongoing commitment to enhance email security and protect user inboxes, Gmail and Yahoo Mail have announced a set of new requirements for email senders, effective February 2024. The new requirements include long-standing best practices that all email senders should follow in order to achieve good deliverability with mailbox providers. What's new is that Gmail, Yahoo Mail, and other mailbox providers will require alignment with these best practices for those who send bulk messages over 5000 per day or if a significant number of recipients indicate the mail as spam. 𝐑𝐞𝐪𝐮𝐢𝐫𝐞𝐦𝐞𝐧𝐭𝐬: - SPF (Sender Policy Framework) is a domain-based way to determine what IPs are allowed to send email on somebody's behalf. - DKIM (Domain Keys Identified Mail) is a message-based signature that uses asymmetric cryptography to sign email and verify that a message was not altered in transit. - DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on top of SPF and DKIM and instructs receivers to approve, quarantine, or reject email messages. 𝐖𝐡𝐲 𝐢𝐭 𝐦𝐚𝐭𝐭𝐞𝐫𝐬: For senders of bulk messages, meeting these requirements is crucial to maintaining good deliverability and ensuring that your emails reach the intended recipients' inboxes. Failure to comply may result in emails being marked as spam or rejected by mailbox providers. 𝐖𝐡𝐚𝐭 𝐲𝐨𝐮 𝐬𝐡𝐨𝐮𝐥𝐝 𝐝𝐨: Review your current email sending practices to ensure alignment with SPF, DKIM, and DMARC. If necessary, update your SPF, DKIM, and DMARC configurations to comply with the new requirements. Check the diagram showing how SPF and DKIM work together with your DMARC policy. #EmailSecurity #GmailUpdate #YahooMail #SPF #DKIM #DMARC #Authentication #CyberSecurity #EmailBestPractices

If you don't understand DKIM, SPF, or DMARC, email will get a lot harder. New email requirements from Google and Yahoo, kicking off next month, are not just updates but will significantly impact your email programs. Outbound or Inbound. As a HubSpot customer, you'll get an email in the next few days that recap this news. 𝗛𝗲𝗿𝗲'𝘀 𝘄𝗵𝗮𝘁 𝘆𝗼𝘂 𝗻𝗲𝗲𝗱 𝘁𝗼 𝗸𝗻𝗼𝘄: 𝗘𝗺𝗮𝗶𝗹 𝗔𝘂𝘁𝗵𝗲𝗻𝘁𝗶𝗰𝗮𝘁𝗶𝗼𝗻 𝗚𝗲𝘁𝘀 𝗦𝘁𝗿𝗶𝗰𝘁𝗲𝗿 • DKIM, SPF, and DMARC: These aren't just fancy acronyms; they're your new best friends in email marketing. They will become mandatory to combat spam and ensure your emails don't bounce back.    𝗢𝗻𝗲-𝗖𝗹𝗶𝗰𝗸 𝗨𝗻𝘀𝘂𝗯𝘀𝗰𝗿𝗶𝗽𝘁𝗶𝗼𝗻 • The power shifts to the receiver. Ensuring your recipients can opt out easily is more than a courtesy; it's a requirement. 𝗙𝗼𝗰𝘂𝘀 𝗼𝗻 𝗪𝗮𝗻𝘁𝗲𝗱 𝗘𝗺𝗮𝗶𝗹𝘀 • Keeping your spam rate below 0.1% isn't just good practice; it's essential. High spam rates can lead to severe email deliverability issues.    𝗪𝗵𝘆 𝗦𝗵𝗼𝘂𝗹𝗱 𝗬𝗼𝘂 𝗖𝗮𝗿𝗲? These changes aren't just about following rules; they're about enhancing email deliverability and building trust with your audience. It's about sending emails that your audience wants and values, not just what you want to send. How Does This Affect You? If you think, "I'll deal with it later," think again! These changes call for a proactive approach. They require a deep dive into your current email strategies and a significant overhaul to align with these new requirements. 𝗪𝗵𝗮𝘁 𝗖𝗮𝗻 𝗬𝗼𝘂 𝗗𝗼? 1. Start by reviewing your email authentication methods and technical setup. 2. Make sure your unsubscribe process is thought out. 3. Proactively monitor your email engagement and spam rates 4. Run re-engagement campaigns to confirm opt-in 5. Use email verification 6. Monitor sequence sender scores if you're running your Outbound through HubSpot.     I've included a cheat sheet below that explains these technical terms in-depth and provides suggestions for addressing them. Reach out with questions! #hubspot #email #marketing #spam  

Key Email Authentication Methods: SPF, DKIM, and DMARC To protect against email spoofing, phishing, and other malicious activities, three primary email authentication methods are used: SPF, DKIM, and DMARC. SPF (Sender Policy Framework) : 📧 Verifies the sending server’s authorization How it works : • The domain owner publishes a list of allowed mail servers in a DNS record. • When an email is received, the recipient’s mail server checks the sender's IP address against the SPF record. • If the sender's IP is in the list, the email passes SPF; otherwise, it fails. SPF Record : nslookup -type=txt shodan.io | grep -i spf nslookup -type=txt _spf.google.com | grep -i spf dig example.com TXT | grep -i spf DKIM (DomainKeys Identified Mail) : 🔒 Confirms the email's authenticity How it works : • The sender's domain signs the email with a private cryptographic key. • The recipient’s mail server uses the public key to verify the signature. • If the signature matches, the email passes DKIM; if not, it fails. DKIM Record : v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1LfA... This record specifies the public key used to verify the DKIM signature. DMARC (Domain-based Message Authentication, Reporting & Conformance) : 🛡️Combines SPF and DKIM and enforces authentication and provides reporting How it works : • DMARC requires that either SPF or DKIM (or both) pass and align with the domain in the “From” header. • The domain owner sets a DMARC policy in their DNS record that tells the receiving server what action to take if authentication fails: none (monitor), quarantine (mark as spam), or reject. DMARC Record : v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com This DMARC policy specifies that emails failing SPF/DKIM should be rejected, and reports should be sent to dmarc-reports@yourdomain.com. How They Work Together : • SPF checks whether the server sending the email is authorized to do so. • DKIM ensures that the email content has not been tampered with during transit. • DMARC enforces alignment between the domain in the “From” field and the domains used for SPF and DKIM, and it instructs receiving mail servers on what to do if SPF or DKIM checks fail. https://lnkd.in/eiQ2kYFn https://lnkd.in/eCZRqGGf https://lnkd.in/eKjEgggP #EmailSecurity #SPF #DKIM #DMARC #PhishingProtection #EmailAuthentication #InfoSec

There’s a story that unfolded in my DMs after my last #coldoutbound post. Brave sales and growth teams, battling an unknown frontier of email deliverability, stuck with legacy platforms built for 2019, not 2023. And that’s largely why I joined rift: we work with teams to get them to a place of best-in-class email deliverability & strong engagement on cold outbound email. But I know that a lot of you aren’t decision makers. You’re trying to get to goal using whatever stack you’ve already got. So after countless DMs, I put together a quick guide tailored for individual contributors. Here’s what you can do to get more emails in inboxes WITHOUT spending a dime on new tools: 1. Go to learndmarc.com and check that the domain you’re sending from has DMARC, DKIM, and SPF set up correctly. Seeing some errors? Get in touch with IT. (Seriously — do not just bring it to your manager or RevOps or ask in #sales, just go straight to IT.) 2. Keep it as plain-text as possible. Adding images can slow down email loading times and attachments often trigger spam filters. A link back to your website should be fine, so long as you… 3. Turn off click tracking! Click tracking can hurt your deliverability because the embedded tracking links and pixels can be flagged by spam filters as suspicious, potentially causing your emails to be categorized as spam or blocked entirely. 4. Do not send to unverified email addresses. I know it’s tempting to guess emails when they all have similar structures, but a bounce is the biggest way to shout to email service providers from the top of your lungs that you’re sending to people you don’t know. (ZeroBounce is best for this but use whatever you already have, even Apollo/ZoomInfo is better than nothing) 5. Send consistent volumes, Monday to Friday. This is probably one of the hardest things to do, but suddenly going from 15 emails a day to 75 is also a super obvious red flag that you are doing cold outbound. Try to stay as “flat” as possible unless you’re scaling up or down volumes due to performance (more on that next) 6. Become an engineer of your email performance. If you send 30 emails a day and get good open rates, reply rates, and low bounce rates, you can slowly (over time!) ramp up to ~50 emails a day, all the way up to ~100 if your performance is stellar. If your open and reply rates are decreasing, you need to ramp your volume DOWN. Yes. You need to SEND LESS. Tracking closely is the only way to do this. Continuing the same volumes with decreasing performance can lead to you burning your sender reputation all together. (If you’re a decision maker, you may be thinking “I’m supposed to rely on every one of my AEs and BDRs to do this manually?” – well…yeah. Or come chat with us at rift.)

Your emails are going to spam because of your DNS records, even with SPF, DKIM, and DMARC configured You did everything right. — SPF? ✅ Passed. — DKIM? ✅ Passed. — DMARC? ✅ Configured. Yet, your emails are still landing in spam. What’s going on? 🔎 Alignment Google (and other providers) don’t just check if SPF and DKIM pass They check if they’re aligned with your “From” address If they’re not? Your email looks spoofed Even if it’s 100% legit 📌 Look at the screenshot. — SPF ✅ — DKIM ✅ — Alignment ❌ → Google throws a warning. DMARC is only fully effective when SPF or DKIM aligns with the “From” domain. If they don’t match? Spam. This is why so many emails fail silently—they pass authentication but still get filtered. How to Fix It? — Make sure your sending domain is consistent across SPF, DKIM, and “From.” — Use strict alignment in your DMARC (aspf=s; adkim=s) if you want real protection. — Check your email headers. Gmail → “Show Original” → Look for domain mismatches. Most people think just setting up SPF, DKIM, and DMARC is enough Or worse, they *think* they're aligned. It’s not. Alignment is the missing piece Fix it. Get out of spam because of technicalities If you need help figuring out if your DNS records are aligned, drop me a comment and I'll do a quick audit for you :D

If you’re still sending email from an onmicrosoft.com address, Microsoft is tightening the rules. This matters because your messages could start getting throttled or blocked, which means invoices, password resets, and customer updates might never arrive. Microsoft’s goal is to stop spammers who spin up fresh tenants and abuse the shared onmicrosoft.com domain. But the side effect is real organizations will see lower deliverability and limits on bulk or automated sends until they move to a proper, verified domain. What’s changing? Microsoft is putting sending limits and stricter checks on any email that leaves an onmicrosoft.com address. Because it’s a shared domain used by millions, one bad actor can hurt the reputation for everyone. The fix is simple but urgent: switch to your own branded domain and set up modern email authentication (SPF, DKIM, and DMARC). That tells receiving mail systems, “Yes, this is really us,” and helps keep your mail out of spam and off block lists. What should you do now? Audit where onmicrosoft.com shows up—service accounts, no-reply inboxes, ticketing tools, scanners, CRM alerts, and scripts. Register or connect your custom domain, add the DNS records, and rotate apps and automations over to the new addresses. Test mail flow, watch for bounce backs, and update address books, forms, and templates. Train your team so they know which sender addresses are approved going forward. A little cleanup today will save a lot of missed messages tomorrow. #Microsoft365 #EmailSecurity #ITAdmin #ChangeYourPassword Follow me for regular updates on Microsoft 365 changes, security tips, and clean-up checklists that keep your org’s email flowing.

Email marketers, it's time to mark your calendars. On February 1st, 2024, Google and Yahoo will require bulk senders to authenticate their emails, make unsubscribing easy, and stay under a spam rate limit. Let's walk through the new standards: ✅ Email Authentication: Senders need DMARC, SPF, and DKIM verification. 🚫 Easy Unsubscription: One-click unsubscribe with a two-day honor period. 🙅 Low User-Reported Spam: Under 0.3% spam rate threshold. These new requirements are a good thing! Less spam in inboxes means your legitimate emails are more likely to be seen. Authenticated emails are also essential for security reasons, making phishing attempts easier to squash. Emails also look more reputable and on-brand from your organization's domain than your technology provider's. (The same guidance applies to URLs.) For nonprofits, these rules take effect after the EOY fundraising season. That said, February 1st will be here before you know it. Here are some steps to take: EMAIL AUTHENTICATION There are two ways to verify if you have DMARC, SPF, and DKIM records in place. 1. Find an email from your organization sent to your personal Gmail address. Click the three dots and select "Show Original." Each record should be marked as "PASS." 2. Use a web tool such as EasyDMARC's domain scanner. Enter each domain you use to send bulk emails, and it will show you whether DMARC, SPF, and DKIM records are in place. If you don't have all three in place, check with your tech provider for a how-to guide. EASY UNSUBSCRIPTION To meet the new "one-click" unsubscribe requirements, emails must include a List-Unsubscribe header. Email services use this to add unsubscribe links directly to their interfaces, so readers don't need to dig through the fine print to find the link. Look for an underlined "Unsubscribe" link in Gmail next to the email sender. In Yahoo's interface, click the three dots next to the spam button and look for an "Unsubscribe" option. Most modern email platforms have this covered, but contact yours if it is not in place. Honoring unsubscribes within two days means ensuring you have your email tool(s) set up correctly to exempt opt-outs. This should be instant, but watch out if you send from multiple platforms. When someone asks to unsubscribe from one tool, make sure their choice is respected in all the others. This is all the more reason to integrate your tech stack and have a centralized system for collecting consent, sending emails, and managing opt-outs. LOW USER-REPORTED SPAM With the right tools, the 0.3% threshold is easy to manage. First off, enable Google's Postmaster Tools to see where you stand. Secondly, make sure you only send to engaged contacts. This will reduce your spam rate and increase your engagement rates. Email deliverability doesn't need to be a mysterious process! Familiarize yourself with the terminology, get your house in order, and commit to better email practices.

Emails going to Spam? Here’s how to fix it If your email open rates are below 25%, your emails are consistently getting filtered into spam and email providers don’t trust you. But here’s the good news: you can fix it. *The 4-Step Framework to Diagnose & Fix Email Deliverability Issues* → Step 1: Check your Sender Reputation Your sender reputation is like your credit score. It determines how trustworthy your emails appear to inbox providers like Gmail and Outlook. ▸ Use tools like Google Postmaster Tools or SenderScore to check your email reputation. ▸ If your reputation is low, it’s often due to high bounce rates, low engagement, or spam complaints. How to Fix it: Clean your email list regularly. Remove inactive subscribers who haven’t engaged in 90+ days and AVOID sending to purchased lists. → Step 2: Authenticate Your Emails Email providers block or filter out emails that seem suspicious. Authentication proves your emails are legitimate. ▸ SPF: Confirms your email is coming from an authorized sender (also blocks UV rays). ▸ DKIM: Ensures the email hasn’t been altered after being sent. ▸ DMARC: Prevents phishing attacks using your domain. How to Fix it: Ask your email provider or IT team to set up SPF, DKIM, and DMARC records. Without them, your emails will always be at risk. → Step 3: Optimize your Email Content to avoid Spam Triggers Spam filters scan for certain words, formats, and practices that make emails look untrustworthy. ▸ Avoid excessive capitalization and punctuation (🔥 LIMITED TIME OFFER!!!). ▸ Use a branded sender name instead of a generic one (“Ryan from [Dispensary Name]” instead of “info@[dispensary].com”). How to Fix it: Keep your emails natural, balanced, and engaging. If an email looks or feels spammy, it probably is. → Step 4: Improve Engagement Metrics Email providers prioritize senders who get high engagement (opens and clicks) and penalize those who get ignored. ▸ Start with engaged customers. Send emails to your most active list segment first before emailing everyone else. ▸ Monitor your open rates. If it’s consistently under 25%, your emails are likely being flagged. How to Fix it: Segment your audience, remove unengaged contacts, and write subject lines that actually make people want to open. → Test It: Want to see if you have a problem? Send a test email to multiple inbox types (Gmail, Outlook, Yahoo, etc.) and check where it lands. It can take 3-4 weeks to go from a low reputation to medium in Google Postmaster, so be patient. If more people get your emails in their main inbox it will lead to 💵 💵 💵 If you’re seeing issues, or just want to guarantee your emails reach more customers—we can help. Tact Firm specializes in cannabis email marketing that actually gets delivered. Let’s fix this together.

In the past 8 months, I've helped over 100 clients fix their email authentication, preventing costly deliverability issues. Here are the 5 most common (and avoidable) mistakes Back in 2023, I wouldn’t have called myself an email deliverability expert. But I’ve always been tech-savvy and known for tackling complex challenges. When Google and Yahoo announced new email authentication protocols, something unexpected happened -  past clients started reaching out, asking for help navigating these changes. They had email lists. But didn't understand the new protocols. They trusted me to find solutions. So, I dove in— ✔ researching everything I could, ✔ consulting with industry experts, ✔ reviewing the implications, and ✔ testing out tools. As I worked with client after client, I began to notice patterns. The same mistakes showed up repeatedly, blocking emails from landing in inboxes. Fast forward to today: - I’ve helped over 100 clients authenticate their emails. - I’ve identified the top issues that impact deliverability. - And now, I get to help businesses prevent these costly errors. But I keep seeing the same mistakes... Over and over again. Here are the 5 biggest mistakes I saw when working with clients on email authentication: 1. Jumping into authentication without preparing the list - Skipping list preparation leads to deliverability problems - Unclean, unsegmented lists trigger spam filters - Damaged sender reputation is hard to repair 2. Not understanding SPF, DKIM, and DMARC - Many set up authentication without knowing the details - Misconfigured SPF or DKIM causes failed authentication - Leads to poor deliverability and email failures 3. Only setting up DMARC without reporting - DMARC is powerful but needs reporting to be effective - Without reports, you’re in the dark about email performance - Reports help identify issues and guide adjustments 4. Starting with a strict DMARC policy - Jumping straight to “reject”  is risky - The best practice? Start with the lowest level and monitor results - Gradually increase enforcement as your setup stabilizes 5. Failing to monitor email list data. - Authentication isn’t set-it-and-forget-it - Regular monitoring prevents unnoticed failures - Catching shifts in performance is crucial for inbox placement TAKEAWAY If your emails aren't landing in inboxes, your time and money are going to waste. The truth? You can start your email list with 1 subscriber. You can start with one email. But you shouldn’t start without understanding deliverability. --------- Questions about your email list? DM me to chat.