Make Your Email Take Off By Following Best Practices!

Steve Jones from LinkedIn and Carmen Piciorus from La Poste cautioned the CSA Summit delegates that before boarding a flight to destination Inboxland, it is necessary to get your baggage in order. They explored best practices for sending marketing emails from both the perspective of the sender (Jones) and the receiver (Piciorus).

Be compliant 

Carmen Piciorus encourages clean mailboxes, with no messages to be tagged as spam. The fewer customer complaints the better for ISPs. Steve Jones explains that they want to make sure that every message sent to someone is a message they want to receive. He recommends requiring Double Opt-In (DOI) and confirming addresses. It is also important to make sure that receivers expect to receive messages – and not to surprise them. Senders should provide opt-out for all email contact, and offer the users a way to access their settings. Piciorus added that an unsubscribe link is very important. She explained that users are not techies, so processes like unsubscribe need to be made easy.

Be clean

Piciorus explained that a lot of mailboxes that have been archived because of no login in the past four months become a trap for unwary senders. Senders should read bounce codes coming back from these, or from addresses that are blocked, or from full mail boxes and stop sending messages to those addresses. It is very important not to spend time, money, etc. re-sending those messages. 

Steve pointed out that anything that makes the end user unhappy makes the receiver unhappy, which in turn slows down deliverability. He emphasized that senders should pay attention to feedback loops and bounces. These addresses can be flagged to reconfirm the address the next time they use the app or visit the website, for example. In addition to the bounces, Jones thinks it is good to track how interactive the user is, in order to gauge the relevance of messages being sent to each address. 

Piciorus explained that they pay a lot of attention to the feedback loop. They have a limit rate, and when the limit is reached, IP reputation sinks, at least temporarily.

Be clear

Carmen Piciorus advised sender to always be clear, meaning using a different IP address for different functions. Steve agreed, recommending ideally the use of one single domain. Such consistency maximizes clarity. If it is necessary to use different domains, subdomains are the best option.

Furthermore, IP sending patterns should not lead to sudden peaks. Traffic control is important – that means functions to allow traffic to be smoothed out, so that there are not too many emails going out per day. When using an outside sender, warm up the IP by increasing volume slowly. It is good to start out with transactional emails, because they are less likely to get flagged by the receiver as spam, which helps to establish a good reputation for the new IP.

Jones also pointed out that different receivers have different tolerances, and it is important to respond as quickly as possible when a sender has exceeded the limit. 

Be confirmed

Steve Jones advised that when it comes to confirmation, it’s all about making it as easy as possible for the receivers to identify you, to tie your identity to the messages you send, and make sure that the receiver can see that you are clearly a responsible sender following best practices. That means senders should use as many methods of authentication as possible, both IP-based, like SPF, or signature-based, like DKIM, or a protocol that brings all of these together, like DMARC – which in turn provides you with a reporting tool to improve practices. 

Jones went on to say that, apart from it being important to keep the records clean and delete old addresses, DKIM keys need to be large enough (greater than 1K) and should be rotated at least once a year, and the sender needs to have somebody capable of analyzing DMARC reports and responding to what’s going on.

One issue in authentication is forwarding, because a forwarded message may fail the authentication regimes. Piciorus mentioned the problems ISPs have with the forwarding of an email that is part of a mailing list: In this situation, SPF can fail and the DKIM signature can break. This creates the situation where users complain that emails are not getting through. In her experience, implementing DMARC resolved 80% of these cases, and she is hoping to solve the remaining 20% with ARC.

Be prepared

Jones pointed out that receivers are dealing with enormous volumes of messages, and they need simple ways of determining good from bad. Authentication gives them that, and allows them to make a faster evaluation – leading to the famous Google Gmail statement “no authentication, no entry”. Therefore, using authentication will allow you to be treated well by the receivers, and to get your messages delivered fast and reliably. Without authentication, the receivers need to spend more time evaluating, and deliverability will be slowed down.

However, he explained that the issue with forwarding emails meant that the Google “no authentication, no entry” had to be put on hold. The ARC protocol for forwarding is currently going through the IETF, and Steve hopes it is quite close to a last call. 

Jones forecasts that the need for authentication is only going to get stronger as receivers get stricter, whether they use the “no authentication, no entry” slogan or not.

Piciorus described elements of the La Poste enforcement policy: If SPF authentication fails multiple times, then the IP will be tagged “suspect” and then will be temporarily blocked. If the message fails the DKIM control, it goes to spam. Messages should also be signed with the sending domain. The next step for La Poste is that they are considering implementing ARC.

Be transparent

Carmen Piciorus continued to say that La Poste monitors incoming traffic to check if the domain returns an IP and that it has an A or an MX entry. Steve Jones highlighted the importance of implementing DNSSEC. Authentication raises the bar that the bad actors need to get over in order to get their messages through. As well as this, TLS should not only be implemented, but also tracked – TLS 1.3 is on the horizon.