If you’re using any bulk email service such as Mailchimp, Constant Contact or something similar then you may have noticed recently that your emails are showing as ‘unverified’ in the recipient’s inbox, particularly if they are using Outlook.
This is because of changes that Microsoft has made to the way in which it verifies that emails are actually from who they appear to be from. Google and Yahoo have announced that they will be making similar changes in February but with more of a zero tolerance policy for ambiguity, so where an email may just show as unverified in Outlook, Google and Yahoo will simply not deliver it.
The objective here is to protect consumers (the people who receive your emails) from phishing attempts, spoofing (where an email appears to come from you but in fact comes from a dishonest third party) and spam. All major email providers (Outlook, Google, Yahoo etc) are making these changes and the effect will be potentially catastrophic for anyone who sends out bulk emails as part of their marketing efforts. If you do nothing to address this then the likelihood is that many of the emails you send will simply stop being delivered from February onwards, with potentially disastrous effects on your marketing and customer communication.
How can I ensure my emails are still delivered after February?
You need to explicitly demonstrate to Google, Microsoft, Yahoo and so on that emails that are sent from your domain are definitely from you. Additionally you need to show that you have robust antispam measures in place. The things you need to do fall into three categories:-
- Bulk emails must have a one click unsubscribe link
- Spam rates must fall below a certain threshold
- Technical changes at your emailing platform and your domain
We will deal with each of these in turn.
Bulk emails must have a one click unsubscribe link
This means that recipients of your emails must be able to click a link in the email you have sent them which immediately unsubscribes them from your mailing list. You cannot require them to take any further action so, for example, clicking on the unsubscribe link and then taking people through to a web page where they have to confirm their email address is not compliant. Similarly, requiring people to reply to the email with ‘unsubscribe’ in the subject line is not compliant.
This is something that you should already be doing anyway as it’s a requirement of GDPR which states that it cannot be more work for someone to unsubscribe from your list than it was for them to subscribe. If I can subscribe to your list effectively in one click by entering my email address and pressing ‘subscribe’ then I must be able to unsubscribe just as easily.
If you are using Mailchimp, Constant Contact or any other similar emailing platform then you will almost certain be compliant with this requirement already as all these platforms have one click unsubscribe built into them.
Spam rates must fall below a certain threshold
Google, Yahoo and so on are looking for evidence that your emails are legitimate and not spam so if you have a high rate of emails being flagged by recipients as spam then this is going to seriously damage the deliverability of any future emails that you send.
Whilst this is not something you can control directly, you certainly can take steps to minimise the chances of someone flagging your email as spam. If you stick to email best practice and only email people who have either explicitly stated that they are happy to hear from you (given their consent) or who are highly likely to be interested in the thing that you are emailing them about then you’re more likely to keep your spam complaint rate low.
You can also take steps to make your emails look less ‘spammy’ through the words you use in your subject line and in the email itself.
Technical changes to prove that emails you’re sending really do come from you
This is the slightly trickier thing to address and the fact that people have not made these changes is the main reason why we’re seeing so many emails flagged as unverified now. Essentially Microsoft, Google and so on require you to prove that your emails are legitimate, that emails that appear to come from you really do come from you. This requires you to make technical changes to your SPF, DMARC and DKIM records at your email sending platform and at your domain.
What is the SPF record and what do I need to do to ensure my emails are still delivered?
SPF stands for sender policy framework. It is a record in your DNS (domain name system – the system that converts human readable domains such as awesometechtraining.com into IP addresses that tell browsers where to find your website).
The SPF enables you to specify which servers are allowed to send emails from your domain. For example, if you use Mailchimp to send all your bulk emails then your SPF specifies that to be the case. If you also use Salesforce or any other systems to send bulk emails then they also need to be added into your SPF.
Doing this does two things. Firstly, it protects you from any malicious third party that might be trying to spoof your emails and pretend to be you. If you have Mailchimp only specified in your SPF and someone else tries to send emails appearing to be from you but from another system, those emails will not be delivered. Secondly, it protects the recipients of your emails and means they can be confident that emails appearing to be from you really are from you.
What are DKIM and DMARC and what do you need to do to ensure your emails get delivered?
DKIM is a “key” which signs your emails. In your DNS you should have a DKIM record. This forms the key. When Mailchimp (or whoever you use) sends your emails it “signs” them with that key. When your email is received, the recipient’s email client can see that the email has been signed with that key so knows that the email is legitimately from you. You need to set up a key for each of the different ways that you send emails, so if you’re using Mailchimp and Salesforce to send bulk emails then you would need a separate DKIM record for each.
DMARC is a set of rules that you publish to tell servers that receive your emails what to do with any emails that don’t pass these tests (e.g. they don’t have an SPF or DKIM correctly defined or if the email is incorrectly signed or does not appear to be from you for any other reason). You can tell servers just to reject any emails that look like they haven’t come from you, or to quarantine them, or some other more technical options. You can also set up a dedicated mailbox to which any such rejected emails can be forwarded, enabling you to see which of your emails have not been delivered and start to diagnose why not.
What is happening in February 2024 that will affect the deliverability of your emails?
Google and Yahoo have announced that from February 2024 onwards they will be blocking any bulk email senders who do not have their email configured correctly. This is to protect their users from unsolicited emails and spam and will affect around a third of all email accounts in the world.
This means that if you do not have your SPF, DKIM and DMARC correctly configured then there is a good chance your emails will no longer be delivered to any Google or Yahoo email address. Microsoft is likely to follow suit which would then mean over half of the email addresses in the world will be affected. If you rely on email for any part of your marketing, or have a newsletter that you use to communicate with your customers then it is extremely important that you take action now to prevent your emails from potentially being blocked.
I’ve changed my SPF, DKIM and DMARC and my emails are still showing as unverified – what’s going on?
Configuring your SPF, DKIM and DMARC is essential. If you don’t do this then your emails will almost certainly run into significant trouble come February. However, configuring your SPF, DKIM and DMARC in this way is not a guarantee that your emails definitely will be delivered.
Microsoft uses both explicit and implicit authentication. Explicit authentication includes things like the changes to the SPF, DKIM and DMARC that we’ve spoken about in this blog whereby you as the sender are explicitly telling Microsoft that your email is not spam. Without this, your emails will show as unverified and you may well run into problems with deliverability. Implicit authentication is Microsoft’s own algorithmically driven assessment of how likely an email is to be spam. This considers factors such as sender reputation, sender history, recipient history and behavioural analysis.
We can’t say for sure what is included here as Microsoft keeps that information secret, but it’s likely to be things such as whether people have responded to your previous emails, bounce rates, open rates, the nature of the email content itself and so on. This changes all the time as Microsoft refines the techniques it uses to identify spam. The only way to protect yourself from failing the implicit authentication tests is, as already discussed, to adhere to email marketing best practice in terms of sending emails that have real value to people who really want to receive them.
How we can help you
If you would like us to check your SPF, DKIM and DMARC configuration for you and make any changes that are needed then please do get in touch. We can quickly and easily check to tell you whether you do need any changes and then, if you do, we can make those changes for you. Our checking service is free so drop us an email at info@awesometechtraining.com if that’s something you’d like us to do for you. If you do then need any changes we offer a fixed price service at £300 to get everything correctly set up for you.
