Email Authentication

Starting from February 1st, Gmail and Yahoo are making some big changes to their policy. But the no.1 requirement is one too technical for most marketers: “Authenticate outgoing emails setting up SPF, DKIM, and DMARC” Here’s what all those terms means, and what you need to do to make sure your emails continue to reach your users: What email clients want is for a way to check the “authenticity” of your emails. So they ask you to set up these authentication techniques: 1. SPF allows a domain to specify which IP addresses can send that mail. It’s like specifying which ‘postman’ is allowed to deliver the mail. 2. DKIM is like a digital signature. Imagine a seal on the envelope telling you its contents were not altered. 3. DMARC is a policy that decides what to do with the mail if both SPF and DKIM fail. *** How can you check if your email is authenticated as a sender?  1. Open an email in your desktop  2. Click the three dots on top right  3. Click “Show original”  4. Should show PASS for SPF/DKIM/DMARC *** Besides having these in place, here are some other recommendations in the recent updates by Gmail & Yahoo: 1. DMARC policy of p=none is enough for now. DMARC policies can be of different types. In ‘p=none’, you don’t take any action against emails that have failing SPF/DKIM. But you receive reports to keep an eye. But if your brand has already seen phishing emails being sent in your name, it’s better to switch to p=reject/quarantine.  2. Separate email types by IP or DKIM domain I.e., don’t send marketing emails and transactional emails from the same source. It ensures that any negative response to a marketing campaign doesn’t also lead to your important transactional emails to land in spam. *** None of these requirements are new. They were just more often called ‘best practices.’ If you need any other questions about these changes, ask away in the comments below

It’s official: email best practices are no longer best — they’re required. Here’s why... Microsoft recently announced new bulk sender requirements that mirror the ones Google and Yahoo rolled out last year. And they aren’t just doing this for fun, promise. They’re doing it because too many senders ignored best practices when they were optional. So, now they’re mandatory. ¯\_(ツ)_/¯ Starting May 5th, if you’re sending more than 5,000 emails a day and not following the rules, Microsoft’s going to start rejecting your mail. Not junking it. Rejecting it. And I wanna be clear here: this isn’t coming out of nowhere. The writing’s been on the wall for a while... and mail has been silently filtered away from the inbox all this time. Now it's just that the rules aren't written in invisible ink! So, what are these rules I speak of? 💌 Authentication (SPF, DKIM, DMARC) Yes, we’re still talkin’ about this… get used to it. Microsoft wants the same setup Google and Yahoo asked for. If your domains aren’t properly authenticated and aligned, your deliverability will suffer. 💌 Valid “From” and “Reply-To” Addresses Microsoft wants to make sure that when someone replies to your message, there’s someone on the other end. No more sending from a “noreply@brand.com” black hole. 💌 One-Click Unsubscribe (RFC 8058) They’re cracking down on bad unsubscribe flows. Make it easy. No weird hoops or loops or “oops, we need 10 days to process your request.” Just a simple unsubscribe option that actually works. If you’re already sending it right (ahem, compliant with Google and Yahoo’s requirements), this is mostly a “cool, cool, carry on” moment. But you’ll need a whole lotta margaritas and tacos to overcome your sorrow if you’ve been dragging your feet. May 5th (ahem, cinco de mayo!) is not the day to find out Microsoft doesn’t play. What happens if you’re not ready? If you need help figuring out where you stand, here are a few fast checks: ✅ SPF, DKIM, and DMARC passing in headers? ✅ “Reply-To” address monitored and functioning? ✅ One-click unsubscribe live and working? ✅ Lists clean and bounce/spam complaint rates under control? If not, now’s the time to fix it. Not next week. Not next quarter. Now. TLDR: if you’re not sending responsibly, you’re not sending at all. Because come Monday — yes, THIS Monday — non-compliant mail will be rejected at the door. No inbox. No spam folder. Just blocked. So, get it together, you (not so) filthy animals! LinkedIn says I’m outta characters, but if you need tool recommendations or a second set of eyes on your setup, I'm happy to help. Reach out, email scout. 💌

We send 800k+ emails a month, and I have spent the last 2 years understanding every reason for emails landing in spam. Today, I am sharing all the good resources I found during this journey! Most emails don’t get blocked because you’re a spammer. They get blocked because you missed one tiny config buried in a 20-year-old spec. Email delivery feels a little like a black box! Old docs, conflicting advice, and invisible rules. So sharing the list I wish I had when we started. 1. LearnDMARC (learndmarc.com) - An interactive visualizer that makes SPF, DKIM, and DMARC simple and easy to understand. 2. Postmark’s “Why Emails Go to Spam.” - The clearest explanation of sender reputation, content filters, and engagement signals. 3. MXToolbox - Debug SPF/DKIM/DNS issues 4. Mail-tester.com - Send a test email, get a deliverability score. My go-to before every big template change. 5. Google Postmaster Tools - Gmail’s own dashboard for domain reputation. No more guessing. 6. RFC 5321 (SMTP spec) - Yes, this feels intimidating. But even skimming it gave me massive clarity on how email really works. 7. Spamhaus blog: Word to the Wise - Insights on sender reputation straight from the people who run the biggest blocklists. This is one of the best blogs I have found on the internet! Email isn't glamorous. But it’s critical infrastructure. And most of the knowledge is scattered across forums and old blog posts. If you’re building anything that sends email, save this! It’ll save you a loooot of time debugging!

I thought great copy was the secret to cold email. Then I realized 80% of my emails were landing in spam. Here’s what we found: 1️⃣ Domain protection is the #1 lever for deliverability → Most teams burn their main domain without realising it. Once a domain is flagged, everything gets filtered (even normal emails). We run 100+ secondary domains to protect our brand and reduce risk. Tool stack: Google Workspace, Namecheap, Warmup tools Next step: Move every outbound sequence off your primary domain. 2️⃣ Safe volume beats high volume → Sending 500 emails/day from one domain is the fastest path to spam. Deliverability collapses instantly. We spread volume across hundreds of mailboxes and stay under 40/day for each. Impact: Fewer red flags, higher trust, better inbox placement. Next step: Audit how many sends each domain is doing right now. 3️⃣ Authentication is non-negotiable → SPF, DKIM, and DMARC are the foundation ESPs check before letting anything through. Without proper authentication, you look suspicious by default. Tools: dmarcian, Google Admin, Cloudflare Next step: Run a deliverability test and fix whatever shows up in red. 4️⃣ Warm-up → Most domains get burned because people start sending too early. ESPs need time to trust you. We warm each domain for two full weeks before sending anything. Why it works: Slow ramp-up = better deliverability. If you just bought a domain, don’t touch it for 14 days. 5️⃣ Natural variation reduces spam triggers → Sending the same message repeatedly creates patterns that ESPs flag. You need micro-variation to look human. We use subtle spintax + a few message versions per campaign. Tools: Instantly.ai, Smartlead Next step: Add small variations to your first lines and CTAs. 6️⃣ Clean tracking protects your domain reputation → Tracking links are an instant red flag. Most agencies don’t realize this. We use custom tracking domains or disable tracking entirely for key campaigns. Next step: Replace all generic tracking links. The results: → 500,000+ emails/month reaching real decision-makers → Higher inbox placement across every ESP → Predictable revenue for ColdIQ clients → Stable domain health across all mailboxes Deliverability isn’t the flashy part of outbound, but it’s the part everything else depends on. If you want our 7-day GTM deliverability setup (domains, warm-up, templates, monitoring tools)... drop me a message, happy to help.

Your emails are going to spam because of your DNS records, even with SPF, DKIM, and DMARC configured You did everything right. — SPF? ✅ Passed. — DKIM? ✅ Passed. — DMARC? ✅ Configured. Yet, your emails are still landing in spam. What’s going on? 🔎 Alignment Google (and other providers) don’t just check if SPF and DKIM pass They check if they’re aligned with your “From” address If they’re not? Your email looks spoofed Even if it’s 100% legit 📌 Look at the screenshot. — SPF ✅ — DKIM ✅ — Alignment ❌ → Google throws a warning. DMARC is only fully effective when SPF or DKIM aligns with the “From” domain. If they don’t match? Spam. This is why so many emails fail silently—they pass authentication but still get filtered. How to Fix It? — Make sure your sending domain is consistent across SPF, DKIM, and “From.” — Use strict alignment in your DMARC (aspf=s; adkim=s) if you want real protection. — Check your email headers. Gmail → “Show Original” → Look for domain mismatches. Most people think just setting up SPF, DKIM, and DMARC is enough Or worse, they *think* they're aligned. It’s not. Alignment is the missing piece Fix it. Get out of spam because of technicalities If you need help figuring out if your DNS records are aligned, drop me a comment and I'll do a quick audit for you :D

If you’re still sending email from an onmicrosoft.com address, Microsoft is tightening the rules. This matters because your messages could start getting throttled or blocked, which means invoices, password resets, and customer updates might never arrive. Microsoft’s goal is to stop spammers who spin up fresh tenants and abuse the shared onmicrosoft.com domain. But the side effect is real organizations will see lower deliverability and limits on bulk or automated sends until they move to a proper, verified domain. What’s changing? Microsoft is putting sending limits and stricter checks on any email that leaves an onmicrosoft.com address. Because it’s a shared domain used by millions, one bad actor can hurt the reputation for everyone. The fix is simple but urgent: switch to your own branded domain and set up modern email authentication (SPF, DKIM, and DMARC). That tells receiving mail systems, “Yes, this is really us,” and helps keep your mail out of spam and off block lists. What should you do now? Audit where onmicrosoft.com shows up—service accounts, no-reply inboxes, ticketing tools, scanners, CRM alerts, and scripts. Register or connect your custom domain, add the DNS records, and rotate apps and automations over to the new addresses. Test mail flow, watch for bounce backs, and update address books, forms, and templates. Train your team so they know which sender addresses are approved going forward. A little cleanup today will save a lot of missed messages tomorrow. #Microsoft365 #EmailSecurity #ITAdmin #ChangeYourPassword Follow me for regular updates on Microsoft 365 changes, security tips, and clean-up checklists that keep your org’s email flowing.

🚨 Salesforce is requiring all outbound email domains to be verified or your emails will be silently dropped. No bounce. No error. Just gone. Deadlines: 📅 Sandboxes: March 30 📅 Production: April 27 What to do: ✅ Audit your sending domains in Setup ✅ Set up DKIM keys (recommended, also improves deliverability) ✅ Or use Authorized Email Domains as a fallback ✅ Get DNS records published ASAP, propagation alone can take 72 hours This affects Apex email, Flow-triggered emails, Workflow alerts, and Process automations, not just manual sends. Don't let broken customer communications sneak up on you. Verify your domains now. https://lnkd.in/e3cqP34r #Salesforce

Using HubSpot for marketing emails? When's the last time you verified your domain authentication on HubSpot? I can't tell you how many times I've seen this overlooked. I consistently find it not authenticated in accounts. Here's what happens when your domain isn't properly authenticated: • Your deliverability tanks • Emails hit spam folders instead of inboxes • Your sender reputation takes a hit • You're burning budget on emails nobody sees The fix takes minutes. Go to Settings → Content → Domains & URLs Check for these three things: 1. SPF record (green checkmark) 2. DKIM record (green checkmark) 3. DMARC policy (configured) If you see red X's or warnings, fix them today. Your IT team can help if you're not sure how to update DNS records. HubSpot's documentation walks through it step by step. Don't let a simple technical oversight kill your email performance. Check it now. Your campaigns will thank you.

New Outlook rules take effect today & Microsoft will begin rejecting / bouncing emails from domains that lack proper authentication. If your domain isn’t set up with SPF, DKIM, and DMARC, your emails may not reach any Outlook, Hotmail, or Live users. This is especially critical for anyone sending emails to more than 5,000 recipients at once. Initially, Microsoft announced that unauthenticated emails would be filtered into spam. However, last week they changed course and decided to enforce rejections right from the start. As a result, many companies will likely see more rejected / bounced emails, flagged with the 550 5.7.515 error code. Whatever system you use for mail distribution, make sure your domain is properly authenticated with their infrastructure. Even if you think it is, it's worth double-checking the authentication settings and analyzing your #DMARC reports from the past month to ensure all existing mail streams are properly configured. #Microsoft #EmailDeliverability

Stop using your company's primary domain for cold outreach. Here's why that's killing your deliverability (and your brand): Your main domain is your reputation. It's where your team communicates. Where customers email you. Where partners reach out. One bad cold email campaign can torch that reputation. Forever. When you cold email from your main domain: → Every bounce damages sender reputation. → Every spam complaint hurts your primary domain. → Every risky campaign puts your whole company email at risk. Then one day, your CEO's emails start landing in spam. Your support team's responses get filtered. Your invoices disappear. All because you tried to save $12/year on a separate domain. The better approach is to buy a secondary domain for cold outreach. Similar to your main domain, but slightly different. • Main: company.com → Cold: getcompany.com • Main: acme.com → Cold: acmeteam.com • Main: brand.com → Cold: trybrand.com Keep them related but separate. → Your main domain stays clean. If something goes wrong with cold email, your primary communications are protected. → You can test aggressively. Try new campaigns. Scale quickly. Without risking your core business operations. If a cold domain gets flagged, you can switch to a new one without touching your main brand. "But people won't trust emails from a domain they don't recognize!" If your cold email is good, they won't care. They care about the value you're offering, not whether you're using .com or .io. And if they do care that much, they weren't going to respond anyway. The setup: 1️⃣ Buy a secondary domain ($12-15/year) 2️⃣ Set up proper DNS records (SPF, DKIM, DMARC) 3️⃣ Warm it up for 2-3 weeks before sending 4️⃣ Keep your sending volume conservative 5️⃣ Monitor deliverability separately from your main domain The cost of not doing this: One bad campaign. One blacklist. One spam complaint spiral. Your entire company's email reputation destroyed. Is that worth saving $12/year? Separate your domains. Protect your brand. Are you using a separate domain for cold outreach? Or risking your main domain?