Email is pretty complicated, but having some basic email knowledge will put you on the right path to better secure your brand, help you hit inboxes more reliably and actually know what is going on with your brand. As a domain name/brand owner, you actually control what happens.
Are you saying, “Duh,” right now? Well, let’s go one step further.
So you write an email and send it out to your customers, or they get a purchase receipt, newsletter, etc. But are you helping mailbox providers prove this email actually came from you? Did you know you can control what happens with emails bad guys are trying to send (impersonating you) and where those emails go?
These spam, spoofing and phishing attacks can ruin your brand, hurt your deliverability, and even put customers and your business at risk!
This is serious stuff, and you likely have no clue what is happening “behind the scenes.” But you can and should know. You can help control what email service providers actually do and do not deliver from both you and the villains pretending to be you.
If what I just said doesn’t get your attention, read it again!
If I do have your attention, here is what I recommend you do and why you need to do it. These three things simply go into the DNS of your domain name as TXT records.
SPF (Sender Policy Framework)
The SPF record says, “Hey, email from my domain name should be coming from these specific mail servers, and if it’s not, it’s not me!” Mailbox providers check your SPF record as part of the checks and balances process of delivering an email, and the record tells them whether the message came from you and your mail server. A mismatch is the first red flag, whether they are delivering your mail or an email from somebody acting (spoofing/phishing/spamming) as your brand.
DKIM (DomainKeys Identified Mail)
The DKIM record says, “Yes, I own this domain name, and the contents of this message have not been modified between my systems and the recipient systems. Here’s my signature on the dotted line to prove it.” Having a DKIM record proves you own the domain name from which the email originated, and that the content was not modified in transit.
When a mailbox provider decides whether to send an email to an inbox, spam folder or simply not deliver it, DKIM is another vital record checked in the decision process. No DKIM match? Red flag number two! Remember, it’s equally important to verify your mail and detect the bad guys trying to act like you. Having SPF and DKIM records for your domain helps mailbox providers decide if they should or should not deliver your messages.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is the newest kid in town, and it is here to help! DMARC is a reporter and defender all controlled by you, the domain name owner.
As Email Service Providers and mailbox providers send and receive emails on the back end, DMARC provides you with that behind-the-scenes roadmap of activity related to your domain name via daily reports. This data is from both your email messages (good guy) and from others abusing your domain (bad guys).
Having your SPF and DKIM records configured correctly is an important step in this process. Working together, these authentication tools validate your email server and your signature by confirming these emails are from you on your domain name. DMARC then reports the good and the bad.
“But my brand isn’t very big, people aren’t trying to act like me.”
That’s what I thought!
Simply not having SPF and DKIM records in your DNS makes you and your domain/brand a target. Without DMARC, they know you can’t see the things happening in the background, so you are still a target.
Why do the bad guys do this? That’s a great question, and it’s one that’s hard to truly answer. Nevertheless, they do it, and they do it a lot!
But you’re in control and it’s time you do something about it. Not next week: Now!
Since I thought DotWeekly wasn’t really a big enough brand to need to worry about it, I didn’t do anything. Then I started questioning the deliverability of my email, and thinking I should take my email more seriously. So, I started to learn (also known as all the above information I’ve shared).
Since I wasn’t even doing the basic stuff needed to help mailbox providers in really any way, I felt I was letting my brand down and opening the doors for bad things to happen.
Now, I am taking charge and doing what should be done.
Since I use Google’s G Suite as my mailbox provider, they already had an SPF record for me to “include” in my domain configuration when I set it up on my domain with them. I also set up my domain’s DKIM via the G Suite key generator. For DMARC, I use 250ok.com, which helps me verify I have my SPF and DKIM records set up correctly, and I get my DMARC record and reporting from them. Since DMARC is a “baby-steps process,” you can tweak your DMARC record over time. Once you learn what’s going on, you can tighten the rule of your DMARC policy. I’d highly suggest using a professional service like 250ok.com for this, as it can be quite complicated. They are email geeks; you and I are likely not. 250ok offers a suite of email products and services for maximizing email performance, so you can choose what you think you need. I’d start with an Authentication, Privacy & Compliance audit to verify what you actually need.
The proof
Sure enough, bad guys are trying to act like DotWeekly! After about one week of using 250ok DMARC, it reported 59 mail sources. What? I only use one: Google. That means 58 other mail servers are sending mail from bad guys acting like my brand, DotWeekly.com. Wow! That’s more than 180 emails sent by bad guys that didn’t match my SPF record. After just 1 month, these numbers continued to grow! 96 mail sources, 437 emails sent by bad guys that didn’t match my SPF record! Ouch!
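The counts above come from DMARC aggregate reports, which receivers send as XML. The following added Python example (not part of the original article or of any 250ok tooling) tallies mail sources and failing messages from one such report; the report contents are constructed, using example.com and documentation IP ranges.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (RFC 7489 layout, documentation IP ranges).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <!-- SPF fails but the DKIM signature still verifies, e.g. forwarded mail -->
  <record><row><source_ip>192.0.2.77</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Count mail sources and messages per authentication outcome."""
    # Reports come from third parties: in production parse them with a
    # hardened XML parser (for example defusedxml) instead of trusting input.
    root = ET.fromstring(report_xml)
    spf_fail, dmarc_fail, sources = Counter(), Counter(), set()
    for row in root.iter("row"):
        ip = row.findtext("source_ip", "").strip()
        count = int(row.findtext("count", "0"))
        spf = row.findtext("policy_evaluated/spf", "fail")
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        sources.add(ip)
        if spf != "pass":
            spf_fail[ip] += count
        if spf != "pass" and dkim != "pass":   # neither aligned check passed
            dmarc_fail[ip] += count
    return {
        "mail_sources": len(sources),
        "spf_fail_messages": sum(spf_fail.values()),
        "dmarc_fail_messages": sum(dmarc_fail.values()),
        "failing_sources": sorted(dmarc_fail),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Sources that fail both checks are the ones a quarantine or reject policy would act on, so review that list for legitimate senders you forgot to authorize before tightening the policy.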
Now I know what is going on “behind the scenes” thanks to DMARC reporting and 250ok: bad guys are trying to act like my brand, and I can take action. Since DMARC is a baby-steps process, I’m still in the “Observation” stage, but working towards upgrading to a “Quarantine” policy. In quarantine and reject modes, you start telling receiving mailbox providers what to do with emails with compliance issues that do not match your SPF and DKIM records. To note, you should be sending, at a very minimum, 10,000 or more emails a month for a service like 250ok to make sense. The more transactional emails, customer communication, newsletters, etc. that you send, the more you need the services of 250ok! DotWeekly is a very low volume sender.
I hope this article helps you understand the importance of taking control of your brand and email. It’s up to you to protect your brand and your customers, and every little bit helps. Email is important, so processes are in place; you just have to use them. Using SPF, DKIM and DMARC on your domain name will greatly assist you and I’d suggest doing it right now.
Full disclosure: Jamie Zoch is the director of industry relations for MailboxPark, which is a 250ok.com owned company. If I didn’t believe in the above article, I wouldn’t write it! I was not specifically paid for this article or requested to write it. After further educating myself on email basics, I see the vast amount of brands not doing the basics, and I’m trying to help with that by providing my experiences.