Spam is a big problem. Like really big. According to Symantec, “Spam represents as much as 75 percent of all email sent across the internet,” and a 2012 report estimates that it could have a negative impact on the economy of over $20 billion per year. Ouch.
So, in the fight against email fraud, identity theft, and clogged inboxes, a group of large mailbox providers and senders created DMARC (Domain-based Message Authentication, Reporting & Conformance), first published in 2012 and later documented as RFC 7489. It is a standardized approach to email authentication intended to cut down on the volume of spoofed and spam email that users experience.
While we can all be grateful that we have champions fighting spam on our behalf, there’s a downside for certain email marketers who send legit emails to big groups.
If you send email marketing messages (or plan to do so) for your small business and you aren’t using your business’ unique domain name—i.e. right now you send from a personal account like Gmail or Yahoo—DMARC could have a major impact on your business: there’s a very high probability that very few, if any, of your emails will get delivered to your list’s inboxes.
All this email talk can get technical, so I’ll keep it as high level as possible. Nonetheless, you should understand the basics so you can take action.
What you should know about DMARC
Spammers use a bait-and-switch tactic called “spoofing” to dupe humans into clicking through their emails. A spoofed email appears to come from one email domain (that’s the “gmail.com” in [email protected], for example), but was actually sent from a server that has nothing to do with that domain. If a spoofed email lands in an inbox, the recipient has no way to tell where it really came from. DMARC is an email policy that sets out to stop spoofers.
The only way for the recipient’s mail server (the system that accepts the message before your email client shows it to you) to know whether it’s OK for some other server to send on behalf of, in this case, Gmail, is to ask Gmail. It does that by looking up records the domain owner publishes in DNS; that lookup is the authentication step. If the message doesn’t authenticate, the receiving server can assume with high probability that it’s spam, and it will dump the message into the spam folder or reject it altogether.
Most major mailbox providers, including Gmail, AOL, Yahoo!, and Microsoft’s consumer email services, now check incoming mail against the sender domain’s published DMARC policy. Some of the biggest consumer domains also publish a “reject” policy for their own domain (Yahoo! and AOL did so in 2014), which tells every other receiver to refuse mail that claims to come from that domain but doesn’t authenticate. In effect, no other entity can send email on behalf of those domains. This should cut down on spam, because it makes it much harder for spoofers to use those domains to commit fraud.
Unfortunately, if you send marketing emails, you can probably see where this is headed.
Many legitimate, non-spam marketing messages are sent in a way that looks very similar to spoofing. ESPs like Infusionsoft or MailChimp send marketing emails on behalf of the marketer, from the ESP’s own servers. If the marketer puts a Gmail.com address in the From field and sends a mass message to their list through an ESP, the receiving servers see a message claiming to be from gmail.com that did not come from Gmail, and they apply Gmail’s DMARC policy to it. Wherever that policy calls for it, all of those legitimate marketing emails get treated like spam. Not good.
SPF: the DNS record that keeps your inbox safe from spoofers
The Sender Policy Framework (SPF) cuts down on spoofed emails by adding a check to the authentication process. A domain owner publishes an SPF record in DNS: a list of the servers (by IP address, or by pointing at another domain’s SPF record with an include) that are allowed to send email on that domain’s behalf. When a receiving server gets an email, it looks up the SPF record for the domain in the message’s bounce address (the Return-Path, which should be your domain when you send through a correctly configured ESP) and checks whether the server that delivered the message is on the list. If it isn’t, the receiving server treats the email like spam. DMARC also accepts a valid DKIM signature from your domain as proof that a message is authorized, but SPF is the part covered here.
For example, if your domain is yourbusiness.com and you use Infusionsoft to send marketing messages on your behalf, you need to be sure that Infusionsoft’s sending servers are included in your SPF record. When you send out your marketing message, each recipient’s server looks up the SPF record for yourbusiness.com. If Infusionsoft is on the list, that server says, in effect, “OK. We’ll accept this email.” If you hadn’t added Infusionsoft to the list, the message would be rejected or filed as spam.
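To make the two checks above concrete, here is an added example (not code from the original post, and not Infusionsoft’s own code) of what a DMARC-enforcing receiver does with one message: it evaluates SPF against a small, constructed set of DNS records, then applies the From domain’s DMARC policy. Every name, address and record in it (yourbusiness.com, spf.esp.example, bounce.esp.example, bigmail.example, the 203.0.113.0/24 and 2001:db8::/32 ranges, and the policies) is a hypothetical stand-in for a real DNS lookup. It goes slightly beyond the text in two ways a practitioner needs to know: SPF is checked against the bounce-address (Return-Path) domain, and DMARC only counts it if that domain aligns with the From domain; and a DKIM signature from the From domain is an alternative proof, modelled here as the domain the signature verified for.

```python
import ipaddress

# Constructed stand-in for DNS. Every name here is hypothetical; a real
# receiver would issue TXT queries against the public DNS instead.
DNS_TXT = {
    # Your own domain includes the ESP's SPF record, as the post recommends.
    "yourbusiness.com": ["v=spf1 include:spf.esp.example -all"],
    # Hypothetical ESP: its outbound servers, published for customers to include.
    "spf.esp.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    # The ESP's own bounce domain, used as Return-Path when a customer's domain cannot be.
    "bounce.esp.example": ["v=spf1 include:spf.esp.example -all"],
    # DMARC policies: your domain asks for quarantine; a hypothetical consumer
    # mailbox provider asks for outright rejection.
    "_dmarc.yourbusiness.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@yourbusiness.com"],
    "_dmarc.bigmail.example": ["v=DMARC1; p=reject"],
}

# SPF result for a matching mechanism, keyed by the mechanism's qualifier.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for a message delivered from `ip`.

    Handles ip4, ip6, include and all, which is enough for the scenario in the
    post; a, mx, exists and macros are omitted. Returns an SPF result string.
    """
    if depth > 10:                      # RFC 7208 caps the number of DNS-querying terms
        return "permerror"
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"                   # domain publishes no SPF record
    if len(records) > 1:
        return "permerror"              # ambiguous: more than one SPF record
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            # membership is False across address families, so an ip4 term
            # never matches an IPv6 sender and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include" and spf_check(arg, ip, depth + 1) == "pass":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # ran off the end without a match


def dmarc_policy(from_domain):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    for r in DNS_TXT.get("_dmarc." + from_domain, []):
        if r.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in r.split(";") if "=" in t)
            return tags.get("p", "none")
    return None


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment, approximated as same domain or parent/child."""
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def dmarc_evaluate(from_domain, return_path_domain, sending_ip, dkim_domain=None):
    """Decide what a DMARC-enforcing receiver does with one message.

    SPF is evaluated for the Return-Path (bounce) domain, not the From header,
    so it only helps DMARC when that domain aligns with the From domain. A DKIM
    signature is modelled as the domain it verified for (or None).
    Returns (disposition, reason).
    """
    spf_result = spf_check(return_path_domain, sending_ip)
    spf_aligned = spf_result == "pass" and aligned(return_path_domain, from_domain)
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain)
    policy = dmarc_policy(from_domain)
    if spf_aligned or dkim_aligned:
        return "deliver", "DMARC pass (aligned SPF or DKIM)"
    if policy is None or policy == "none":
        return "deliver", "DMARC fail, but the From domain publishes no enforcing policy"
    if policy == "quarantine":
        return "quarantine", "DMARC fail, p=quarantine: file in the spam folder"
    return "reject", "DMARC fail, p=reject: bounce the message"


if __name__ == "__main__":
    cases = [  # (label, From domain, Return-Path domain, delivering server IP)
        ("own domain, ESP in SPF", "yourbusiness.com", "yourbusiness.com", "203.0.113.10"),
        ("own domain, sender not in SPF", "yourbusiness.com", "yourbusiness.com", "198.51.100.7"),
        ("consumer-mailbox From via ESP", "bigmail.example", "bounce.esp.example", "203.0.113.10"),
    ]
    for label, frm, rp, ip in cases:
        print(f"{label}: {dmarc_evaluate(frm, rp, ip)}")
```

The third case is the situation the post warns about: the ESP’s server is perfectly authorized for its own bounce domain, so SPF passes, but nothing ties that pass to the consumer domain in the From field, and that domain’s reject policy wins. Note also what happens if your ESP uses its own bounce domain while you send from yourbusiness.com: SPF passes but does not align, so you would need an aligned DKIM signature (or an ESP that uses your domain as Return-Path) to pass DMARC.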
How do I know if this affects me?
Simple answer: If you use your business’ own unique domain for the email (i.e. [email protected]), and you’ve updated your SPF record to include all the ESPs that send emails on your behalf, you’ll be fine. Your domain will authorize the ESP’s servers, your messages will pass the checks as normal, and you won’t experience anything from DMARC except the benefit of fewer spam emails in your inbox.
If, however, you use any of the following email domains as the From address for your business’ emails, your messages won’t authenticate, and you’ll be in big trouble:
Second, if you haven’t updated your SPF record to include every ESP that sends your marketing messages, those messages won’t authenticate either.
Any mailbox provider that enforces DMARC will reject these emails or file them as spam, and your recipients will never see them.
Uh oh. I’m in trouble! How can I fix this?
The best practice is to send emails from a custom business domain (i.e. [email protected]). If you don’t have your own business domain, we recommend that you immediately obtain one, set up an email address on it, and update the “From” field for any email sent from your Infusionsoft account.
Be sure to update your SPF record. You can use tools like mxtoolbox.com to check your current entries (it looks up the TXT records published for your domain), or you can work with your web host or DNS provider. If you’re an Infusionsoft customer, we have more detail on updating SPF for Infusionsoft.
Keep in mind, too, that this is not an Infusionsoft issue. It is happening because the major mailbox providers have updated their spam policies, so every email service provider is affected. That goes for Mailchimp, Constant Contact, and everyone else.
How does DMARC affect deliverability?
This only negatively affects deliverability for unauthenticated emails. If you use your own custom business domain as the sender for your marketing message, you’ll have the same deliverability concerns as normal. Authentication doesn’t guarantee deliverability, it just helps you pass a very big spam check.
Where a domain publishes a reject policy, DMARC results in a hard rejection of emails that don’t comply, but as a policy it gives no special priority to emails that do. In other words, receivers do no special favors to increase your deliverability when you are in compliance; they just penalize you if you aren’t.
Essentially this means that you have to comply if you want your email to reach DMARC-enforcing inboxes (which most are), and your reward for complying is that your email gets treated normally. If you choose not to comply, you’ll be penalized with a full rejection: a 0 percent chance your recipients will ever see your email.
Fortunately, it isn’t too difficult to get compliant. It’s relatively easy and worth the small investment of setting up your own custom business web domain and email. If you are affected or are considering launching a new business, don’t put DMARC compliance on the back burner. It’s not worth the risk.