Recent Yahoo DMARC Reporting Issues

Over the weekend, Yahoo! experienced issues with DMARC reporting to email senders.  DMARC processing reports appeared garbled which rendered the reports unusable.  

What is a DMARC Report?

DMARC reports are critical to understanding email delivery.  They contain XML descriptions of email delivery results sent by Inbox Providers to email senders and DMARC reporting tools.  A DMARC report details email volume, SPF, DKIM and DMARC compliance information for a domain sending to that Inbox Provider. It is important for emailers to act upon the information in a DMARC report to improve their email delivery and protect their brand.

How does this affect Email Senders?

MxToolbox Delivery Center customers and others that sent email to Yahoo! over the weekend will not have accurate information on their DMARC reports back from Yahoo! This will appear as lower than normal email volume, but this should not affect compliance rates.

It is possible that Yahoo! will resend the information now that the issue has been corrected, but it is unlikely.  It is also possible that the data is no longer available or was corrupted at the source, so users can expect a hole in the data for the weekend.

Does this make DMARC less reliable?  How does this affect DMARC reporting?

This appears to be a one-time issue with Yahoo!   The issue appears to be DMARC reporting, and not DMARC compliance processing, so this does not affect email security or the value of DMARC as an email delivery technology nor does it seem to affect inbound email.  DMARC compliant email will always be prioritized over non-compliant email by large Inbox Providers like Google, Outlook.com and Yahoo!  The main issue is a short-term lack of information from one Inbox Provider, not an issue with DMARC itself.

MxToolbox Helps You Process DMARC Reports

If you have a single, small DMARC report to check out, MxToolbox provides a free DMARC Report Analyzer.  This will give you good insight into how compliant your email was to a single Inbox Provider over a short period of time.

Getting DMARC compliant will improve your email delivery.  To achieve DMARC compliance, you need a DMARC Reporting tool like MxToolbox Delivery Center.  Delivery Center processes, aggregates and analyzes all your DMARC reports across all Inbox Providers.  You get a single interface to understand your SPF, DKIM and DMARC compliance across all your senders.

Why are my SPF Pass Rates so low?

SPF is an important technology for email delivery.  If your email is not SPF compliant, then it is highly unlikely that an Inbox Provider will deliver the email to the recipient’s inbox.  Inbox Placement is key to getting your message heard and SPF compliance is key to making the Inbox.  MxToolbox Delivery Center provides a comprehensive resource for understanding and managing SPF, DKIM and DMARC compliance, but there are a few things you need to know about SPF regardless of the tools you choose.

SPF Compliance

To be SPF Compliant, an email must be SPF Authenticated and SPF Aligned.  The standard provides a strict compliance that also allows a domain to designate 3rd parties as valid senders.

SPF Authentication

An email is considered SPF Authenticated when the email originates from an SMTP server on an IP address that is contained in the sending domain’s SPF records.  This enables a business to designate a 3rd party emailer as a valid sender of email.  

SPF Alignment

SPF uses the header of the email to determine Alignment.  An email is considered SPF Aligned when the domain in the “From:” address of the email is the same as the domain in the Return-Path field of the header or with a domain that is Authenticated with the valid list of senders in the SPF record.

MxToolbox SPF Pass Rates

MxToolbox has two metrics useful for understanding SPF Compliance: SPF Authentication Rates for Aligned Domains and SPF Pass Rates for Verified Sources.  These metrics enable you to report upon and analyze your email providers for areas to improve upon.

SPF Authentication Rates for Aligned Domains

As part of our SPF management processes, MxToolbox Delivery Center gathers a list of valid return path domains and subdomains and analyzes the amount of email from these SPF Aligned domains that is properly SPF Authenticated.   Email that is Aligned but not properly Authenticated indicates that one or more email senders are missing from your SPF records, or that your SPF records are too large and violate SPF include rules.  You will need to add the missing senders to your SPF record or use an SPF Flattening tool.
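The "SPF include rules" mentioned above refer to the cap of 10 DNS-querying terms per SPF evaluation (RFC 7208, section 4.6.4). The following Python is an added example, not MxToolbox code, that counts those terms across nested includes; the ZONE dictionary is a constructed stand-in for DNS TXT lookups and every domain in it is hypothetical.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF check

# Constructed TXT records standing in for DNS, so the example runs offline.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.esp.example include:_spf.crm.example "
                   "include:_spf.helpdesk.example -all",
    "_spf.esp.example": "v=spf1 include:a.esp.example include:b.esp.example "
                        "include:c.esp.example ~all",
    "a.esp.example": "v=spf1 ip4:198.51.100.0/26 ~all",
    "b.esp.example": "v=spf1 ip4:198.51.100.64/26 ~all",
    "c.esp.example": "v=spf1 ip4:198.51.100.128/26 ~all",
    "_spf.crm.example": "v=spf1 a mx exists:%{i}.allow.crm.example ~all",
    "_spf.helpdesk.example": "v=spf1 include:relay.helpdesk.example ~all",
    "relay.helpdesk.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    # The same senders after flattening: includes replaced by their IP ranges.
    "flat.example.com": "v=spf1 mx ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
}


def count_lookups(domain, zone, path=()):
    """Count DNS-querying SPF terms reachable from `domain`, following include/redirect."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        if term.startswith("redirect="):
            target = term[len("redirect="):]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, target = term.partition(":")
        if name == "include":
            # The include itself costs one lookup, plus whatever it pulls in.
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name.split("/")[0] in ("a", "mx", "ptr", "exists"):
            total += 1  # ip4, ip6 and all need no DNS query
    return total


def spf_report(domain, zone):
    """Summarise whether a domain's SPF record stays within the lookup limit."""
    lookups = count_lookups(domain, zone)
    return {"domain": domain, "lookups": lookups, "within_limit": lookups <= LOOKUP_LIMIT}


if __name__ == "__main__":
    for name in ("example.com", "flat.example.com"):
        print(spf_report(name, ZONE))
```
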

SPF Pass Rates for Verified Sources

As part of MxToolbox Delivery Center, we automatically detect the sources that are sending email on behalf of your domain. These include your own servers, your corporate Inbox Provider, 3rd party marketing tools, CRMs, etc.  Verified Sources should be in your SPF records, meaning they should be Authenticated. 

Our second analysis looks at the SPF Alignment rates for each of these Authenticated senders – the SPF Pass Rate.  A low SPF Pass Rate for a sender indicates that the sender’s “From” and “Return-Path” domains are not the same or not contained in your SPF record.  Unknown sources that arise from this analysis could be threats to your brand or rogue senders that need to be added to your SPF records.

There are potentially several reasons for low SPF Pass Rates for Verified Sources:

  • Spoofing – A malicious actor is trying to use your domain to legitimize their spam or malware.
  • Forwarding – Many people use inbox forwarding or mailing lists to manage email distribution or aggregate email. Forwarded email will change the return-path, breaking SPF Alignment.
  • Missing Senders – Someone may have legitimately contracted with a 3rd party emailer and failed to add the full or correct entry to the SPF record. The sender could be SPF Aligned, but not Authenticated.

To fully understand why your SPF Pass Rate for a Verified Source is low, you need to investigate the largest sources of misaligned email, SPF Unaligned Domains. Typically, you will see benign domains like gmail.com, googlemail.com, and other subdomains of legitimate senders. Occasionally, you’ll see large volumes from other sources, which could be benign or fraud. Investigating these can improve your email delivery.
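The two SPF metrics and the unaligned-domain list described above can be computed directly from DMARC aggregate reports. The following Python is an added example, not MxToolbox code: the metric formulas are an interpretation of the descriptions above, the report data is constructed, and relaxed alignment is approximated by subdomain matching instead of a Public Suffix List lookup. A truncated report, like the garbled ones from the Yahoo! incident, is counted and skipped.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict


def make_record(ip, count, header_from, spf_domain, spf_result):
    """Build one constructed <record> in the RFC 7489 aggregate-report layout."""
    return (
        f"<record><row><source_ip>{ip}</source_ip><count>{count}</count></row>"
        f"<identifiers><header_from>{header_from}</header_from></identifiers>"
        f"<auth_results><spf><domain>{spf_domain}</domain>"
        f"<result>{spf_result}</result></spf></auth_results></record>"
    )


# Constructed sample data (documentation IP ranges and example domains).
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain></policy_published>"
    + make_record("192.0.2.10", 90, "example.com", "example.com", "pass")            # own server
    + make_record("198.51.100.7", 40, "example.com", "mail.example.com", "fail")     # sender missing from SPF
    + make_record("203.0.113.5", 25, "example.com", "forwarder.example.net", "pass")  # forwarded mail
    + make_record("203.0.113.99", 60, "example.com", "bulk.example.org", "pass")      # unknown source
    + "</feedback>"
)
GARBLED_REPORT = "<feedback><record><row><source_ip>192.0.2.10</sou"  # truncated in transit


def aligned(header_from, spf_domain):
    """Approximate relaxed alignment: same domain, or one is a subdomain of the other."""
    a, b = header_from.lower().rstrip("."), spf_domain.lower().rstrip(".")
    return a == b or ("." in b and a.endswith("." + b)) or ("." in a and b.endswith("." + a))


def parse_report(xml_text):
    """Return a list of row dicts, or None when the report cannot be used."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return None  # reports arrive by email from outside: refuse DTDs and entities
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    rows = []
    for rec in root.iter("record"):
        try:
            rows.append({
                "ip": rec.findtext("row/source_ip").strip(),
                "count": int(rec.findtext("row/count")),
                "from": rec.findtext("identifiers/header_from").strip(),
                "spf_domain": rec.findtext("auth_results/spf/domain").strip(),
                "spf_pass": rec.findtext("auth_results/spf/result").strip() == "pass",
            })
        except (AttributeError, TypeError, ValueError):
            continue  # skip a record with missing or non-numeric fields
    return rows


def summarise(reports):
    """Aggregate SPF authentication and alignment figures over several reports."""
    aligned_total = aligned_auth = skipped = 0
    per_source = defaultdict(lambda: [0, 0])  # ip -> [authenticated, authenticated and aligned]
    unaligned = Counter()                     # envelope domain -> message count
    for text in reports:
        rows = parse_report(text)
        if rows is None:
            skipped += 1
            continue
        for r in rows:
            is_aligned = aligned(r["from"], r["spf_domain"])
            if is_aligned:
                aligned_total += r["count"]
                aligned_auth += r["count"] if r["spf_pass"] else 0
            else:
                unaligned[r["spf_domain"]] += r["count"]
            if r["spf_pass"]:
                per_source[r["ip"]][0] += r["count"]
                per_source[r["ip"]][1] += r["count"] if is_aligned else 0
    return {
        "skipped_reports": skipped,
        "auth_rate_aligned": aligned_auth / aligned_total if aligned_total else None,
        "pass_rate_by_source": {ip: ok / auth for ip, (auth, ok) in per_source.items()},
        "unaligned_domains": unaligned.most_common(),
    }


if __name__ == "__main__":
    for key, value in summarise([SAMPLE_REPORT, GARBLED_REPORT]).items():
        print(f"{key}: {value}")
```

In the constructed data, the aligned-but-unauthenticated mail from 198.51.100.7 is the "missing sender" case, while the two sources with a zero pass rate are the ones to investigate as forwarding or spoofing.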

Does DMARC and email deliverability seem too complicated?

MxToolbox Experts are here with a Managed Services approach to your email configuration issues.

Do you know what you don’t know about your email?

As a marketer, I typically know if a prospect opens my email, clicks on a link or buys a product.  All 3rd party email marketing tools provide this information.  But, what happened before the Open?  

Did the email make it to the Inbox?  

Did it get delivered to the Spam or Junk folder?

Does my language, text, grammar or content seem spammy?

Did my email configuration affect my open rates?  

Are my 3rd party senders blacklisted or otherwise hurting me?

Are my prospects complaining about me to their Inbox Providers?

There are many layers protecting inboxes from spam and undesired email. Your business needs a strategy to ensure that your email passes through each layer to reach the recipient.   Your open rates will thank you. 

What can you measure?

Actually, with the right tools, you can get answers to all these questions.  Inbox Providers like Google, Yahoo!, and Office365 want their inboxes to show relevant email so they provide data via DMARC Reports and Feedback Loops to help legitimate businesses.  Neglecting these key resources is equivalent to driving in traffic without a GPS: you don’t know what traffic incidents or twists and turns are waiting for you.

How does MxToolbox Help?

Inbox Placement

Will your email make the Inbox, Junk folder, Spam folder or fail to get delivered?

Inbox Placement allows you to test prospective campaigns with the most common Inbox Providers – Google, Yahoo! and Office365.com.  We’ll tell you if the email is delivered and to what folder.  We’ll even analyze the contents of your email to give you MxTips(™) to improve your inbox placement.  Some simple tweaks to verbiage or construction can often improve Inbox Placement tremendously.  

DMARC Reporting

Is your email configuration affecting your email delivery?  Are all your emails SPF, DKIM and DMARC compliant?  

To optimize your email delivery, and get your message heard, you need to constantly analyze and manage your email configuration.  Inbox Providers will send out DMARC digests giving you data on your SPF, DKIM and DMARC pass rates.  With this data, you can determine if you have senders missing from your SPF records, DKIM issues, or potential risks from fraud and spoofing.  MxToolbox Delivery Center gives you all the tools you need to take DMARC data and turn it into actionable email delivery insight.

Feedback Loops

Did a recipient complain about receiving your email to their Inbox Provider?  Did the recipient mark it as unsubscribed with the Inbox Provider?  Was the email address invalid or shut down?

Many Inbox Providers offer feedback loops or complaint mechanisms to validated emailers.  Once configured, you can get information on email addresses and campaigns and how recipients view your emails.  Analyze your recipient complaints, remove complainers, unsubscribers, and closed email boxes to massively improve your email delivery. MxToolbox Delivery Center allows you to configure and aggregate complaints across Inbox Providers to get insight into how your campaigns are perceived by recipients.

Adaptive Blacklist Monitoring

Are your 3rd party ESPs blacklisted and harming your email delivery?

Due to the nature of their business, 3rd party emailers will always have a few IP addresses blacklisted and it is probable that some portion of your email will be sent from a blacklisted IP address.  This only becomes an issue when a significant amount of your email from that provider is sent from blacklisted IP addresses.  MxToolbox Delivery Center included Adaptive Blacklist monitoring to detect, via DMARC, the IP addresses being used to send your email and analyze the blacklist status of the IP when the email was sent.  You’ll know if your 3rd party ESP is helping or harming your email delivery.  

Are Blacklists still relevant?

Blacklists were developed as a way to mark IP addresses used to send spam, IP addresses at risk of sending spam due to poor configuration or domains used in spam emails.  Blacklists would be consulted by an inbox owner when making email delivery decisions and should not be used to modify web traffic.  

The Arms Race

Early on spammers could set up an email server on any network and send unsolicited email to whatever email addresses they could scrape off the Internet.  Inbox Providers and other Companies then set up lists of IP addresses that were sending spam and shared them with each other – the first blocklist/blacklists came from these casually developed lists.  Eventually, blacklist providers emerged as a profitable business model and even developed traps to harvest the IP addresses of spammers without impacting actual users.  Blacklists became highly useful to block malicious email from a single email-sending IP address or small network.

Spammers could see the inevitable downturn in their scams and quickly changed IP addresses to resume sending spam.  Blacklists detected the new spam IP address, listed it and Inbox Providers blocked email from it.  This cycle continued.  Some Blacklists started listing entire networks and Internet Service Providers to stop them facilitating spam.  The downside is that legitimate senders can get caught in this cycle, but often have trouble changing IP addresses.  Delisting is available but sometimes time-consuming which delays or degrades regular business operations.  

Legitimate Email Marketing Can Be Blocked

Email marketing became a necessity to get a business growing on the Internet.  Setting up a mail server, maintaining it and keeping it off of a blacklist with any sort of email volume was difficult for smaller businesses.  Large companies could easily afford a big pool of IP addresses and several mail servers to shift load around. Entrepreneurs stepped in and created email marketing/email blasting companies to fill the gap. Email marketing firms took on the risk of blacklisting and the responsibility of moving the load around, as well as getting the IP addresses delisted in a timely manner.  But, which emailers were legitimate and which were spammers?   SPF, Sender Policy Framework, allowed businesses to designate an email marketing company as a legitimate partner.

New Technologies Emerge

Inbox Providers then changed the game, scanning for SPF to ensure legitimate outsourcing.  Most companies will not process an email if it does not pass SPF Authentication or SPF Alignment.  The next step was checking digital signatures using DKIM and tying it all together with DMARC.  This created a big bar to jump for many spammers, but also businesses.  An email needs to pass SPF or DKIM checks to be DMARC compliant and a sender needs to actively manage email configurations to get an email delivered.  A comprehensive email delivery tool like MxToolbox Delivery Center has become a necessity for understanding DMARC reports, managing configurations and maintaining good email delivery.

Spammers are beginning to adapt by hacking legitimate business email accounts or adopting SPF, DKIM and DMARC for their look-alike spam domains.  Unfortunately, small businesses are still lagging behind and their email delivery is suffering. SPF, DKIM and DMARC have become the minimum for good email delivery.

So, are Blacklists Still Relevant?

Blacklists are less important than they were in the past.  You should think of email security as layers on an onion:

  • Blacklists
  • SPF
  • DKIM
  • DMARC
  • Internal Filters
  • Relevance Filters

If being on a blacklist is affecting your business, your email isn’t even making the first layer of security and you’ve failed to take advantage of all the tools you have available to manage your email deliverability.  Being blacklisted is like a heart attack: it’s a sign that you need to rethink everything, change your email practices and adapt to the new technology landscape.

Ultimately, blacklists may only be useful for on-premise email hosts and will lose some relevance, especially for Inbox Providers like Google, Yahoo! and Office365. Blacklists are brute-force and can eliminate legitimate, relevant email when blocking spam. There are many more layers to jump through before you get to the Inbox that are easier for Inbox Providers to maintain and more effective at blocking undesired email and passing legitimate useful communications.  All businesses need to adopt the current email best practices: 3rd party email senders, setting up SPF, DKIM, DMARC, leveraging DMARC Reporting, etc.  

How can MxToolbox help?

Get started with Inbox Placement!  Your goal is to get to the Inbox, so start there.  We’ll analyze your email configuration and content to give you clear reasons why your campaigns aren’t making it and make recommendations to help you get there. MxToolbox Delivery Center also provides deep insight into DMARC, SPF and DKIM configurations and allows you to obtain feedback on recipient complaints, DMARC reports and emerging email threats.  Get comprehensive insight into your email delivery with Delivery Center.

DKIM is no longer optional

DKIM has been around for more than a decade but was not widely used until the DMARC standard added DKIM alignment and authentication as one of its passing criteria. Even now, many of our customers are telling us that DKIM is difficult to implement and they view it as less important than a proper SPF configuration. However, a new trend is making DKIM an absolute email delivery requirement.

What is DKIM?

DKIM is a technology that allows email senders to cryptographically sign their outbound email. This signature can then be verified by the recipient as proof that the email was legitimately from the domain signing it and that the message was not altered during transit to the recipient system. You can learn more about DKIM on our blog.

How does DKIM work with DMARC?

For an email to be DMARC compliant (and therefore more likely to be accepted and make it to the Inbox), an email must either pass SPF checks or DKIM alignment and authentication checks. This allowed for some edge cases, for example: an email could fail SPF because the sending IP address was new or because Marketing adopted a new 3rd party email sender that was not in the SPF record, but if DKIM was properly implemented, it would still be DMARC compliant. Similarly, if DKIM was missing or if a forwarder had broken the DKIM signatures, then the email could be DMARC compliant if it passed SPF checks. When DMARC was still in the adoption phase, these allowances for edge cases made sense and are still part of the standard.

How did DKIM become necessary?

While the DMARC standard specifies a minimum threshold for compliance, Inbox Providers and businesses can set higher thresholds to protect their users. Our Experts are now seeing Inbox Providers and many large businesses require DKIM compliance as part of their inbound email vetting processes. Basically, if your email does not pass both SPF and DKIM compliance checks, you may not make the inbox.

Get DKIM compliant as soon as possible! The only downside is the cost of initial setup but the long-term (and potentially immediate) benefit of DKIM compliance means that you are more likely to get delivered and make the inbox.

How can MxToolbox help?

Our Experts are here to get you SPF, DKIM and DMARC compliant and help you manage the on-going maintenance that keeps your email delivery in peak form. MxToolbox Delivery Center has tools to get you DMARC compliant, test Inbox Placement and react to Recipient Complaints. Or leverage our expert team with Managed Email Services.

The Days of Unsolicited Email are Over

What is Unsolicited Email?

Sending email to any email address with which your company does not have a direct relationship is considered Unsolicited. Unsolicited email has also been called “spam” but we prefer to reserve that term for email that has a malicious component. Legitimate businesses may send an unsolicited email without it being nefarious. To get an email address legitimately, your company, domain, marketing team must have direct contact with the owner of the address.

Who is still sending Unsolicited Email?

Amazingly, many legitimate businesses are still sending unsolicited emails and some of them are quite dependent on it. While marketing best practice is to only use email addresses that have been double opted into receiving email, it is still very easy to purchase lists from events, 3rd parties, list scrapers and “related businesses”. One favored tactic is to bury the right to give the “company or its partners” the right to use an email address in the Terms and Conditions of the website or application. Most of the time, this is a legal way of ensuring that it is acceptable to send email using an email marketing service on behalf of the domain, but it can also be legal padding for reselling the email address.

It is very tempting for small or startup businesses to purchase “seed lists” to get started on their email. This is now highly risky for your brand.

What is killing it?

Inbox Providers, like Google, Yahoo and Outlook/Office365 are in a constant battle to not only eliminate malicious emails like spam, phishing attempts and malware from the inbox, but also improve email relevance.

Email is relevant when:

  1. The recipient opted to receive email from the sending domain.
  2. The user does not mark the email as spam or move it to the spam folder.
  3. The user opens the email (typically because the subject line or sending domain is interesting).
  4. The user clicks on a link in the email (typically because the content of the email is interesting).
  5. The user moves the email from the Spam Folder to the Inbox.

Inbox Providers are now aggregating statistics for email sending domains across all their hosted inboxes. This means behavior in one inbox affects your email delivery to other inboxes at the same Inbox Provider. Inbox Providers cannot measure #1, but they can, and do, measure the other parameters. High rates of being marked as spam, low open rates and low click-through rates are huge indicators that the email is unsolicited. Over time, domains that send large amounts of irrelevant, unsolicited email will be dumped in the spam folder. This type of Domain Burnout can be fatal for a domain.

How can MxToolbox help?

If you have burned out your sending domain, we can help you set up a new domain, but realize that unless you change your email practices, this will happen again. DMARC, and a DMARC management tool like MxToolbox Delivery Center, will help your sending domain achieve the best possible email delivery. In addition, our Inbox Placement feature will tell you if your campaigns are being dumped into the spam folder or making it to the Inbox and which Inbox Provider you are having trouble sending to.

Getting to the Inbox

The Inbox is The Target for email marketers. If the email doesn’t make the Inbox, then no one can open it or click on all our wonderful pitches. Getting dumped in the Spam or Junk folder can be a death sentence for your email marketing. There is a taint of suspicion to legitimate email that ends up in Junk or Spam folders. Is the email real or an exceptionally good phishing attempt? Is the sender spammy and not to be trusted? It leaves unanswered questions to your recipients.

Best Practices for making the Inbox

To achieve Inbox Placement, you need to develop an email marketing strategy based upon relevance, supplemented by good technology. The days of scatter shot email are gone. Emails must be tailored…

  • Target your Marketing to a Specific Persona – Know who you are communicating with. Too often email is used to attempt engaging a broad audience and fails miserably.
  • Have a Clear Objective – What is your goal? Engagement, a sale, a return to the shopping cart, the store, the site, a whitepaper, etc.?
  • Use Engaging Subject Lines – Do not be generic. Avoid “we have a sale” unless you are targeting bargain shoppers.
  • Make the Content Relevant and Interesting – How many emails do you receive every day that are completely irrelevant to your business or your interests? Those go in the trash right? (We call that Stealth Unsubscribing) Write content that resonates with the interests of your target persona.
  • Be Brief – Rather than have a laundry list of things to discuss, make it simple, direct and brief. Add too much and it reduces engagement.
  • Make Clear Calls to Action – Clearly ask for the click, the sale, the download, etc. Whatever your metric, make it clear.
  • Limit Your Linking – A few links are good to drive traffic to your website. Add too many links and you become confusing. Which is the most important? If there is really ONE objective, why do you have 20 links? This is just another scattershot approach.
  • Be DMARC Compliant – DMARC compliance allows you to demonstrate clear ownership of your emails and provides a level of trust for recipients. Inbox Providers are increasingly wary of non-compliant email and favoring compliance. To have the best chance to make the Inbox, your email must be DMARC compliant.

Why do “soft” factors matter as much as technology?

Relevance keeps the recipient from ignoring your email, marking you as spam, deleting your email without reading it or unsubscribing. Inbox Providers are now factoring in behavior across their inboxes for future email delivery decisions. A boring, irrelevant email might just be the last one that makes the inbox.

How can MxToolbox Help?

We provide free and paid tools to help you with email delivery. Most people start with our free Blacklist lookup tool to see if their sending domain or IP addresses are on a blacklist. While Blacklisting can prevent your email from making it to the inbox, it is no longer the most important factor. Two other tools have become important to Inbox Placement.

DMARC Compliance

To make the inbox, not only do your marketing campaigns need to be DMARC compliant, but all your email must be DMARC compliant regardless of source or volume. To achieve DMARC compliance for your email domain, you need a solid DMARC Reporting tool, like MxToolbox Delivery Center, and regular monitoring and management of your DMARC compliance.

Inbox Placement Analysis

Our Inbox Placement feature allows you to send a test email or campaign to us. We determine if the email will make the inbox at major Inbox Providers like Google, Yahoo! and Outlook.com/Office365. We also analyze important technology and soft factors like:

  • DMARC Compliance
  • Broken or copious links
  • Wordiness
  • Broken or too many images
  • Spammy verbiage
  • Other indicators of spam

Fortunately, Inbox Placement is a feature of all Delivery Center plans, so you can test your marketing emails and improve your DMARC compliance all in one place.

The Myth of Free Email Marketing

For the last 20 years, email marketing has been considered “free” marketing. The monetary costs to send an individual email have been negligible: once an email address is legally obtained, your marketing team can send all sorts of emails to that address with the only costs being the creative assets, the pitch and the price of the email marketing tool. With the main expense being the cost of getting the email address legitimately, you could try every pitch in your playbook until something sticks, right?

Unfortunately, recipients and inbox providers are looking for relevant, engaging content. Hammering away at any random pitch is now jokingly referred to as “spamming”. Let’s look at some of the costs and issues MxToolbox Experts see on a daily basis with our customers.

Note: DMARC compliance has ZERO influence on any of these issues. Being DMARC compliant and using a DMARC reporting service like MxToolbox Delivery Center is a minimum for email delivery. This article is about best (and worst) practices in email marketing.

Email Fatigue

Simply put – sending too many irrelevant emails to the same people until they are bored and tired of it. Eventually, they will unsubscribe or mark you as spam. At that point, you are done with that recipient.

For example: We worked with a company where every Product team wanted to target the CEO as a key decision maker. The customer sent weekly campaigns for each of their five products, so essentially a daily drip to the most important client. How long was it before the targets unsubscribed? (By the way, don’t expect C-level people to read non-targeted, non-customized email.)

The cost of email fatigue is an unsubscribe, a lost ear/eye for your products that could be relevant to the recipient. If you think you have something relevant to say, shouldn’t you say it first? Don’t use a shotgun approach, try a single, targeted shot.

Brand Erosion

Similar to email fatigue, recipients get tired of seeing emails that do not reflect their interaction with the brand. Typically, these are poorly targeted emails, emails off brand or offensive. Over time they stop doing business with your brand entirely.

Every week, I receive at least five emails from a major US retailer. Most of the email is “we have a sale!!!”, but it is completely generic and requires me to click on one of thirty links to do a search on their site to see if there is anything that interests me. I don’t. Why don’t they use their extensive history of my purchases to highlight at least one sale item I might buy? Why don’t they use my age and location to suggest purchases? It’s lazy and poor marketing and makes me concerned for the long-term of that company.

The cost of brand erosion is complete turn-off to the brand. This can lead past casual boycott to negative promotion to others.

Stealth Unsubscribers

When a recipient unsubscribes, it’s a clear signal that they no longer want marketing emails from you. However, users often unsubscribe by stealth – basically ignoring your messages by deleting them or marking them as read. This is a sign of email fatigue or brand erosion, but it’s subtle and you have lost connection to a potential buyer. They don’t hate you enough to unsubscribe, but, no longer pay attention to you.

By looking at open rates for individuals, you can see those that have tuned you out. Pull them from your lists for a while or revisit your campaign settings to find relevant content to reengage them.

Domain Burnout

Recently, MxToolbox has seen a spike in customers complaining that all their email is marked as spam. This is a symptom of Domain Burnout and can be for one or multiple inbox providers. Unfortunately, this domain is now tainted and may become permanently banned, unless corrected quickly.

In an attempt to make email relevant to their users, Inbox Providers developed algorithms that look at email volume by sending domain and the volume of email marked as spam. At a certain ratio, an entire email campaign is considered spam. Over time, if this continues, the entire domain will be considered a source of spam and dumped in the spam folder.

We typically see this with domains that send large volumes of unsolicited email. However, as Inbox Providers clamp down on spam, we feel this is a significant risk for all small and medium sized businesses. Whether you are buying lists to get your business started or using old lists, care must be taken to limit the amount of email sent to suspect lists. Sending large amounts of unsolicited, or semi-consensual email will impact your domain’s reputation.

MxToolbox Expert Take

Email is not a free commodity. Every email address you receive has value and should be treated with respect. Mistreatment of an email address leads to poor email delivery and negative consequences for your brand. Take care to target your marketing, be careful with the volume, make your copy relevant and be mindful of the age of your email addresses. Remember for B2B contacts, people change jobs every 3-5 years.

Your email configuration should always be carefully configured and controlled. SPF, DKIM and DMARC are minimum requirements for email delivery. Use a DMARC reporting service like MxToolbox Delivery Center to ensure peak email deliverability. And, read our Blog to keep up to date with email trends.

Is BIMI Dead?

When Google, Yahoo and Apple announced their email applications would support BIMI, it appeared that BIMI was ready to become an important standard in email marketing. Think about it: Your precious logo directly attached to every email you send, right there in the subject line. You get instant brand recognition and, thanks to the DMARC requirement, trust.

But, BIMI adoption is hitting some serious speed bumps…

What’s going wrong?

BIMI has two major technical issues and one misconception contributing to slow adoption by businesses. Let’s start with the misconception.

BIMI Requires Strict DMARC policies

In order for an email to even be considered for BIMI, the sending domain must have implemented DMARC, must send DMARC compliant email and must configure their DMARC policy to 100% Reject or Quarantine. The major misconception we hear from our customers is: “Strict policies might stop some legitimate email from getting to the recipient”.

There is some truth to this, so, let’s break it down:

  • Email that is not DMARC compliant is inherently assumed to be suspect by the Inbox Provider.
  • Email that is DMARC compliant has a higher trust level.
  • Strict DMARC Policies instruct the Inbox Provider to stop non-compliant email.
  • Inbox Providers may choose to ignore or accept DMARC policies, but most incorporate them into their inbox placement algorithms.

Regardless of your DMARC policy, non-compliant email will be suspect. With a stricter policy, however, ALL your compliant email will have a higher trust level. Going to a strict DMARC policy is better for your email delivery. You can fix a temporary compliance issue; earning trust is hard.

MxToolbox Delivery Center was designed to help keep all of your legitimate email DMARC compliant and quickly alert you to areas of non-compliance to keep your email deliverability at the highest level.

Getting a BIMI-Compliant Logo can be Difficult

The BIMI standard requires a square logo that reflects the brand of the domain, formatted in SVG, that meets very specific requirements and often requires “a few manual tweaks”. For most of our clients attempting to adopt BIMI, MxToolbox has found getting a BIMI-compliant logo to be time-consuming and difficult. Until this process is simpler, companies will struggle to adopt BIMI.

Most BIMI Inbox Providers Require a Certificate

The BIMI Group originally made BIMI completely open on the assumption that achieving DMARC-compliance with strict policies was sufficiently difficult to prevent spoofing. However, spammers and fraudsters are quite savvy and capable of adapting quickly. For example, grab a BIMI logo from a legitimate company like Bank of America, set up a fake domain like BanofAmerica.net with SPF, DKIM, DMARC and BIMI and start spamming. It looks legitimate enough to fool the average spamming target and leverages a known brand’s legitimate logo.

To combat this potential loophole, BIMI Inbox Providers are requiring an evidence document called a Verified Mark Certificate (VMC) issued by a 3rd-party authority like DigiCert or Entrust Datacard. These authorities investigate your domain and issue a certificate, specific to your domain, that certifies your DMARC and BIMI setup. This is similar to having a Secure Certificate for SSL/HTTPS.

The speed bump for BIMI adoption is that there are only two VMC issuers at present and the cost is $1100-$1500 per year, per domain. While this is negligible for big, well-known brands, smaller companies or companies with multiple domains may be priced out of the market further reducing the potential of BIMI.

The MxToolbox Expert Take

BIMI has become a bit of a moving target that makes it difficult to recommend at present. While our team of experts stands by to help you adopt SPF, DKIM, DMARC and BIMI, we no longer see BIMI as being essential or urgent until the standard stabilizes and/or the costs decrease.

Adopting DMARC and getting DMARC to a strict policy is imperative for good email delivery and adopting BIMI. Get started today with MxToolbox Delivery Center.

Apple to Support BIMI in Native Mail Applications

Apple Mail recently announced BIMI adoption within its email applications in iOS 16 and MacOS Ventura. In September, Apple will become the most recent email client to support BIMI.

Why adopt BIMI?

BIMI gives email recipients more confidence in messages they receive and helps them avoid fraudulent emails by forcing senders to utilize new technologies to make email more secure.

BIMI gives marketers and businesses enhanced branding opportunities by attaching the company’s logo to verified messages in the inbox as a reward for adopting DMARC email security technologies. Your customers will trust your correspondence more and your brand will be enhanced.

What is BIMI?

BIMI, or Brand Indicators for Message Identification, is a DNS-based email technology that allows a company to specify a logo for inbox providers to display in an email client. Email providers, such as Gmail, Yahoo Mail, and now Apple Mail, can show this logo to their users in the subject line of certified messages from the sending company. If you receive a legitimate email from Yahoo!, for example, this logo will appear:

How do I get BIMI?

BIMI requires DMARC. Before you can get your logo displayed in Apple Mail’s inbox, you need to get your email fully DMARC compliant, then apply strict DMARC policies. Becoming DMARC compliant is a process, but it is very beneficial and strongly recommended. You need to know who is sending email on your behalf, ensure they are properly configured with both SPF and DKIM, and regularly monitor DMARC delivery reports to understand DMARC compliance.

Once your verified email sources are fully DMARC compliant, you can start enforcing stricter “Quarantine” or “Reject” policies with your DMARC configuration. Inbox Providers like Yahoo!, Google and now Apple Mail will only attach a BIMI logo to your email if the email is DMARC compliant and you have a “100% Reject policy”.
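The prerequisites described above (a DMARC policy of Quarantine or Reject applied to 100% of mail, a BIMI DNS record pointing at an SVG logo, and a certificate for providers that require a VMC) can be checked from the record text alone. The following is an added example, not MxToolbox code: the function names are hypothetical, the records are constructed for the placeholder domain example.com, and it inspects only the TXT strings without fetching the logo or validating the certificate.

```python
def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_is_strict(dmarc_txt):
    """True when the policy is quarantine or reject and applies to 100% of mail."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return False
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return False
    return tags.get("p", "").lower() in ("quarantine", "reject") and pct == 100

def bimi_findings(dmarc_txt, bimi_txt):
    """Return a list of problems; an empty list means the records look ready."""
    problems = []
    if not dmarc_is_strict(dmarc_txt):
        problems.append("DMARC policy is not quarantine/reject at 100%")
    bimi = parse_tags(bimi_txt)
    if bimi.get("v") != "BIMI1":
        problems.append("no valid BIMI record (v=BIMI1 missing)")
        return problems
    logo = bimi.get("l", "").lower()
    if not logo.startswith("https://"):
        problems.append("logo location (l=) must be an HTTPS URL")
    elif not logo.split("?")[0].endswith(".svg"):  # heuristic: file name only
        problems.append("logo (l=) does not point to an SVG file")
    if not bimi.get("a", "").lower().startswith("https://"):
        problems.append("no certificate evidence (a=); VMC-requiring providers will not show the logo")
    return problems

# Constructed sample records for the placeholder domain example.com.
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_PARTIAL = "v=DMARC1; p=quarantine; pct=50"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
BIMI_NO_VMC = "v=BIMI1; l=https://example.com/logo.svg"
BIMI_FULL = "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"

if __name__ == "__main__":
    for d, b in [(DMARC_MONITOR, BIMI_FULL), (DMARC_PARTIAL, BIMI_FULL),
                 (DMARC_STRICT, BIMI_NO_VMC), (DMARC_STRICT, BIMI_FULL)]:
        print(bimi_findings(d, b) or "ready")
```

A monitoring-only policy (`p=none`) or a partial rollout (`pct=50`) fails the first check even when the BIMI record itself is complete, which is the most common reason a published logo never appears.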

Need Help with BIMI and DMARC?

Check out your BIMI configuration

Our free BIMI Lookup tool searches for a BIMI record for any submitted domain name. If a record is found, it is shown in detail after a series of diagnostic checks are performed against the record. For example, below are the results for chase.com.

Get DMARC Compatible!

To maintain the highest levels of email deliverability using DMARC, businesses like yours need a proven Email Delivery management system, such as MxToolbox Delivery Center. Our Delivery Center provides valuable insight into your email delivery status and the continual maintenance necessary to sustain peak performance, including:

  • Manage SPF, DKIM, DMARC, and BIMI to improve compliance and reduce the threat of fraudsters and phishing campaigns using your domain.
  • Review daily volume and SPF, DKIM, and DMARC compliance rates to ensure the best email deliverability.
  • Implement Feedback Loops (FBLs) to gain unique data on how your recipients view your emails and when they mark them as spam.
  • Gradually move your DMARC policy to “Reject” to enable better inbox placement opportunities and reduce the risk of phishing and fraud using your domain.
  • Manage the ongoing requirements of maintaining optimal levels of email deliverability and security.

Want more assistance? MxToolbox has a Managed Services offering to get you DMARC compliant and maintain the highest levels of email delivery.