Episode 1:
Demystifying Email Deliverability with LB Blair from Email Industries

February 29, 2024

Email deliverability is a complicated beast. LB Blair knows email deliverability. Having worked in construction, culinary, data analytics, even ATF compliance, it’s fair to say LB has seen it all. So when we wanted to get to the bottom of the very deep and complex domain that is email deliverability, LB was our first call.

In this episode, LB joins our hosts, Scott Cohen and Garin Hobbs, to help us demystify what happens when you press “Send” on an email campaign.

The discussion dives into why ISPs care about protecting their users from scams and attacks, the big changes at Gmail and Yahoo with regard to DMARC authentication and spam complaint thresholds, and what we really mean when we say “sender reputation.”

This is a fun, in-depth, very informative session that had the hosts writing notes, too! Enjoy!

What you will learn

  • 00:00 - Introduction to Email Deliverability
  • 01:29 - The Email Ecosystem and Sending Process
  • 06:14 - The Importance of Email Deliverability
  • 07:07 - Why ISPs Care About Email Deliverability
  • 08:04 - Protecting Users from Scams and Attacks
  • 09:03 - Spam Filtering and Risk Management
  • 10:00 - The Impact of Bad Email Experience
  • 11:55 - Authentication: SPF, DKIM, and DMARC
  • 15:14 - Explanation of SPF, DKIM, and DMARC
  • 25:08 - Setting Up Authentication with ESP and IT Team
  • 27:33 - Implementing IT Change Management
  • 28:25 - Understanding Sender Reputation
  • 31:20 - Remediation Strategies for Sender Reputation
  • 34:17 - The Challenges of Gaming the System
  • 35:16 - Enforcement of DMARC Alignment
  • 38:44 - Minimizing Unsubscribes and Spam Complaints
  • 43:26 - Future Trends in Email Deliverability
Transcript

Scott Cohen: Hello, all. Welcome to the Inbox Army podcast. I’m your host, Scott Cohen, VP of marketing and strategy here. And with me as always is Garin Hobbs. Welcome, Garin.

Garin Hobbs: Thank you, Scott.

Scott Cohen: And today, we’re gonna be talking about a crucial topic in email marketing that, let’s face it, nobody really wants to think about unless it’s necessary. But it is necessary, of course, we’re talking about email deliverability. It is a complicated beast. So we’re here to try to demystify this as much as possible. And frankly, rather than me trying to pretend I know what I’m doing, we went out and got one of the foremost experts on the topic.

Joining us today is LB Blair, head of deliverability and managing partner, Email Industries. Welcome to the show, LB.

LB Blair: Awesome. Thank you so much for having me, Scott. And, you’re you’re really too kind with your introduction. I I honestly I just kind of you know, as you were saying, nobody wants to think about deliverability. The reason I got into it is I worked the overnight shift, at IBM for their marketing cloud, and it was the thing nobody really wanted to deal with.

And, like, we didn’t have, you know, deliverability people all, you know, all night. Sometimes we had a huge presence in Australia. So I honestly just started reading on it because it was the stuff, like, everybody’s like, ah, that’s delivered. Somebody else will have to deal with it. And I was like, well, maybe I’ll just crawl in this rabbit hole a little bit.

And, yeah, now, like, almost 10 years later, here I am.

Scott Cohen: It’s like, you know, similar story to me. Once email gets their hooks in you, you just never it it just never leaves. It never leaves. Well, to paraphrase The Princess Bride, let’s go back to the beginning. There is a technical you call your you’re here.

Email ecosystem expert. Let’s talk about that ecosystem.

LB Blair: So it it canonical deliverability answer is it depends, but it depends a bit on how your your email provider is built. But in general, you’re interacting with the user interface of the application. So when you press send, that triggers, you know, the application to put together whatever element. So if we’re talking about, like, a bulk send or something, you’re doing Klaviyo, Salesforce Marketing Cloud, It’s gonna go at the application level, it’s going to communicate with its databases, pull any relevant personalization data, and it’s gonna, you know, pair and prepare the HTML file and all the mail packets. And it will or it’s gonna prepare the send and then it’s gonna pass it to the MTA, which is the message transfer agent.

And that’s really what I like to call the send engine. That’s what does the business of pushing the mail out the door. So then once you’ve you know, the send engine queues those up and make sure to respect all the different connection rates that the various different mailbox providers expect, you know, because Gmail is not the same as Comcast, is not the same as Hotmail, is not the same as Yahoo. They all have, you know, some, like, different connection rates and different ways they approach this, and MTA really manages all of that. Well, the MTA and MTA engineers that work on them manage all of that and keep it tuned so that things are being submitted.

And then, basically, it’s, you know, either you’re gonna get a 250 okay success response. That’s the SMTP success response. And that means your message for that subscriber has been accepted, or you’re gonna get some kind of bounce back like a 400 something, 500 something saying, hey. You know, either that’s not a good email address or their mailbox is full or you’ve been blocked due to policy, whatever reasons. Though there are obviously exceptions.

Sometimes you can get a bounce that comes back after you’ve gotten a delivery. But, really, once the packet you know, once the MTA does that handshake with the mailbox provider and passes them the mail packet, it’s really in their hands. So from there, we don’t know as much about what happens. That’s why we have open tracking pixels. That’s why we have click tracking servers and links to make sure we get any visibility into what happens to the mail once it’s been passed to the mailbox provider.

Because, really, we don’t know. They don’t tell us. They don’t you know, Gmail doesn’t tell you this much of your mail landed in spam, this much landed in the inbox, none of that. So we really have to kind of proxy or intuit any of that based on different other data sources.

Scott Cohen: Interesting. And you mentioned mail packets. I mean, is that just a fancy name for the emails going through, or is there something more technical to that?

LB Blair: Yeah. There’s something a little more technical, just insofar as there is, there you know, I mean, it’s SMTP connection. But actually, you’re not just passing the HTML, you’re passing an MIME message body, which supports numerous different types. So, you know, you’ve probably heard numerous, deliverability professionals tell you, hey. It’s a best practice to have a text body and an HTML body.

Those are separate within those are both delivered within the MIME message packet. And you can even do an AMP message body now. You could have 3 different message bodies so that providers that support accelerated mobile pages like Google because I think they developed it. You know, they basically, you know, you can send those different type of bodies and it the mail client, once it’s if it’s accepts the mail, will display the one that either the user has the preference for or that they decide is gonna result in the best experience.

Garin Hobbs: Got it. I’m really happy we’re having this conversation. Demystification is certainly the right term. I think at this point, we’ve probably already dropped at least a half a dozen acronyms. Right?

The Office of TPMI, MTA. Remember when people used to call MTAs mail cannons? I don’t know. Maybe that’s just me, and I’ve been in this industry too long. But

LB Blair: I call them that or send engine, you know, but, basically, you know, I think of it almost as, like, the the MTA is, like, what pushes the little baby birds out of the nest. Like, your mail provider, you know, helps you you, you know, you and the mail provider make the eggs, hatch the eggs, make sure they’re ready to leave the nest. And then the MTA is what kind of pushes them out out of the nest into the wild.

Garin Hobbs: You know, deliverability kinda strikes me as being similar to high finance and the fact that a lot of people view it as something very scary, unknown, it’s arcane, it’s full of all these things that I couldn’t possibly know, so I’m just gonna decide not to. It’s a great inspiration for ostrich syndrome. Right? Bury your head in the sand, pretend it’s not there until you absolutely can’t ignore it any longer. So for these folks, I’d like to take a big step back and really kind of explore the why of deliverability.

Right? So let’s let’s let’s I’d love to ask you, LB. Why do ISPs care about what lands in your inbox? Like, what is their vested interest?

I mean, Google, Yahoo, Microsoft, these, they’re great, but these aren’t exactly organizations driven by altruism. So what is the stake in game for them?

LB Blair: Oh, absolutely. So, you know, they I mean, I would I will say I would quibble a little bit. While the organization, you know, and their business goal obviously is to produce value for the shareholders. There are, you know, a lot of people that work in anti spam are in it for altruistic reasons. Like, either they had a bad experience or they had a friend or family member, especially elderly family members, or are especially targeted by phishing scams, virus scams, things like that.

You think about it, you’ve got a significant elderly population, you know, in the US and around the world. And in a lot of cases, they have a lot, you know, they’ve got their retirement nest egg. And then, of course, you’ve got people that are trying to separate them from that. And email, you know, like, 80% or more of all hacking attempts, originate via email, honestly. Like, 80% or more of all hacking scam malicious actor, you know, attack attacks originate with email.

Whether it’s an infected document trying to put, you know, a Trojan horse on your computer, or, you know, malware that’s, you know, something that’s gonna mine Bitcoin for them, whatever, or just email everyone in your contact list to propagate itself, or scam people out of it. So, I mean, honestly, they’re trying to protect their users against having a bad experience because they know that’s crucial to maintaining the eyeballs. Because let’s make no mistake. Google is a marketing services company, by and large. They are a marketing software and services company, and they really have you know, I feel like they took a very different approach to spam filtering than has previously been taken because, you know, really and I think this is still pretty true.

Microsoft and and Yahoo, in many ways, they look at the IP address because that’s the first thing you see connecting in. Like, what IP address is this thing coming from? What do I think of its reputation? Etcetera. So if you make the decision there to, like, not accept the mail, that’s the cheapest possible way to filter spam because you’re just like, I I spent as minimal processing on this.

Because you gotta think, email I mean, Gmail receives, I think, you know, 1,000,000,000 perhaps messages a day, I would assume. And because there’s everything we see that actually reaches the inbox or the spam folder, that’s just the tip of the iceberg. There’s a bunch of other mail that they block. So they’re receiving all this mail, and what they’re really trying to do is honestly just curate and protect the user experience so that the users stay with the mail, stay using their products. Because otherwise, you know, if I’m on Gmail and I get hacked left, right, and center, or I get a gazillion phishing span phishing emails, you know, if I have a bad experience, I’m really likely to jump ship as a user.

I I think, you know, with a product like that, with consumer products, it’s almost you know, like, somebody goes to a fast food restaurant, they have a bad time, and they never go back. Right? Yeah. It could be like that. Your customers might just leave or your users might just leave, and then that diminishes Google’s value to their advertising customers.

So I I think that’s a big part of it. And and, I mean, also, the more if they just let viruses come into their system, malicious mail come into their system, there’s a chance they get infected, which would be very costly. I mean, the other thing I would say too is, you know, when you’re receiving billions of messages a day perhaps, you gotta think about it. When you put something in the inbox versus the spam folder or versus rejecting it, you’re storing that message for that user indefinitely pretty much. That adds up over time.

That adds up when you have millions of users. I think Google has over 300,000,000, you know, monthly active accounts. So when you have millions of users receiving millions of emails, you multiply those together, and it’s a lot of storage space. So I think part of it is, also just expense management. But I I I really think more than anything, spam filters are are risk management systems.

I think they take they’re managing the risk that the user has a bad experience in their email client.

Scott Cohen: Yeah. I heard this morning literally somebody said 99% of email gets blocked these days.

LB Blair: Oh, yeah.

Scott Cohen: So the 1% that gets through and you think about how much gets through, you go, that’s just 1%. Dear god, that’s a lot of email. So it’s well I mean let’s talk about the you know the the various filters and pieces and forms and functions that all these providers been putting in place authentication is kind of, you know, it’s one of the topics du jour. Right? I mean, with the February 1st changes, a lot of acronyms there too, but it’s much better in trying

LB Blair: to

Scott Cohen: talk them out. But walk us through if you can. I mean, people are gonna go, oh my god. I need to get SPF, DKIM, and DMARC set up, and they just don’t know what those are. So, you know, I’d love to just almost like a primer.

What what are these, and what are the differences, and what do people need to do?

LB Blair: Yeah. No. Totally. And I will I will try in the spirit of demystifying. I will try to make this a bit less technical just because, like, I’ve I’ve seen too much.

I’ve delved, like like, the, you know, the dwarves that delve deep into the mines of Moria, just to make sure, you know, people know that they’re dealing with a nerd here. I’ll drop that reference. It I’ve seen too much. But, really, I I’ve got a simple way to kinda explain each of these. SPF is sender policy framework.

It’s really simple. It is just the list of servers, and there’s a few different ways you can reference them, but it’s a way of authorizing servers to send on behalf of your domain. It’s basically the the foundational thing and the reason that there’s a big focus on authentication is if you can adjust the DNS records for a domain, functionally, you own it. Like, that is the test of ownership, and we know this based on the fact that Google and Klaviyo and several other platforms require you to publish just a simple text record that won’t interfere with anything to set up things like Google Analytics or Google Postmaster Tools or, you know, even authenticating your domain with, you know, a mailbox provider, or with an email platform, they’re gonna ask you to put a text record because that proves you own the domain. So if we take that, if you own the domain and you can adjust the DNS records, you can publish an SPF record which says, hey.

These services, which ultimately boil down to the IP addresses of the servers involved, but there’s a variety of different ways of referencing them. But, honestly, SPF can be one of the most difficult to get right. Like, it it can be very complicated, especially one thing I’ve seen that’s really changed since I got in the game early on, to now is you can have, like, a small to medium sized sender, you know, somebody just in the low tens of thousands, hundreds of thousands of messages that have, you know, 5, 6, or more services that need to authenticate and send on behalf of their dome of their domain. And then you gotta cram all that into 1 SPF record, which is why I think, like, subdomain strategy is so important. Like, splitting out your mail streams and making it easier.

So that’s SPF is very simply I call it the guest list, the allow list. It’s the these folks are authorized to represent my sending domain in the email channel. DKIM is a bit more complicated in that it uses, essentially, secures your messages against, man in the middle attacks. You know, I remember early on in the days of ecommerce, one of the big worries people would have is like, oh, no. What if I, you know, click a link and it turns out it’s to a spoof site or, you know, somebody injected a malicious link and then I put my payment in on that, then I’ve been scammed.

Right? DKIM helps protect against that. It makes sure the mail has not been tampered in transit, and it uses public private key encryption. So the private key at the server zips it up, signs it with and and now the requirement is to sign it with, you know, a custom domain that is aligned with your sending domain. So if you’re sending from domain you know, if you’re sending from inboxarmy.com, your DKIM signature needs to either be on you know, your DKIM signing domain that is stamped in the message by the MTA needs to either be, a subdomain of inboxarmy.com or inboxarmy.com proper.

And it honestly doesn’t generally matter, unless you’ve configured the next one, DMARC, differently. So DMARC is a bit a bit different than because it’s a little less about securing, and it’s more about well, it protects your domain against spoofing. It allows you to publish a policy and give instructions to mailbox providers. So I’ve always been a big fan of DMARC since it really started catching you know, since it really started coming on several years ago because I think it gets senders a really precious source of information, which is data directly from the mailbox providers. And there are precious few of those sources.

Like, I mean, Google, we’ve got Google Postmaster Tools, but it doesn’t tell you the volumes. So I really like DMARC for tracking the volumes. But, basically, DMARC just lets you specify, say, hey. If you put a DMARC policy on your domain, which Google now requires if you are a bulk sender, that, you know, it says, hey. If I don’t have my if if the send’s coming out, they need to be they need to pass either SPF or DKIM, and they also need to be aligned, Which means, you know, in the technical headers of the mail, that DKIM signature that DKIM signing domain needs to align with whatever domain you’re sending from is the big thing.

And that’s what jumping ahead to, DMARC, that’s what DMARC does. And you publish reporting addresses, for the love of everything, please route it into a reasonable reporting tool that is gonna give you, the ability to parse through the data because it it’s not it’s not really possible to just, like, go through it by hand. Trust me. I’ve tried. It it’s not you know, it’s it’s more valuable when it’s aggregated and collated versus all

Scott Cohen: It’s just it’s just XML files. Right? And it’s a whole bunch of, I mean yeah. It’s it’s like feedback loops on steroids. It’s it’s yeah.

LB Blair: Yeah. And it it’s, I mean, and I’ve seen I was just looking at something today. So for, like, one sender, I mean, they were only sending, like, a few tens of thousands per day. And, I mean, they they had over 5,000 reports for, like, less than 30 days worth of sends. So you get a lot.

Because you’re gonna get one you know, if you send on the 1st March and you send to Google and Yahoo and Hotmail, and Comcast, you’re gonna get reports back from each of them. You’re gonna get at least one report back from each of them, if not more.

Scott Cohen: Wow. Well and and so there’s levels of DMARC too. Right? Because I think the minimum requirement right now is to set it to none, which is like the base level. And then there’s quarantine and there’s reject.

What’s that all about? What are the differences?

LB Blair: Totally. So DMARC, you know, was designed by a working group, that that is involved with, I believe, the Internet engineering task force. They’re the fine folks that have given us I mean, that have codified basically all of the pro the protocols by which, like, the modern Internet works. And they will publish, you know, documents that are like, hey. Here’s how this thing works.

They’re often called RFCs or request for comments. But, yeah, they’re the ones that publish, hey. This is how SPF works. This is how you technically implement it. This is how DKIM works, you know, etcetera.

So, you know, the different policy they designed this to work for senders of all sizes. Because if you’re a really large sender, you don’t just wanna put your DMARC policy to reject. What the different policies are is none, quarantine oh, where’s my hand? There we go. 1, none, quarantine, and reject.

And they are you’re designed to kind of step through them, but I’ll say in the majority of cases, that’s not necessary. It really depends. I think quarantine is only situationally very useful. Whereas none is saying, hey, mailbox provider. If my message fails DMARC, I don’t want you to do anything different about it.

I still just want you to send me the reports. Recently on a webinar, we’re both, you know, Marcel from Yahoo and also the product lead for anti abuse at Google, showed up and said, you know, really that, that basically, you know, none policy is what we call reporting mode. So, you know, he did say if you have your policy set to none, that’s telling them you’re focusing on the r in DMARC, which stands for reporting. So you need to have an RUA, an aggregate, you know, reporting address configured in there and highly recommend it routing into, an account or into a platform that is going to, like, make that make that information human readable versus just machine readable for you. And then the quarantine mode is basically saying, hey.

If I send you a mess if you receive a message from my domain and it fails, what I want you to do is put it in the quarantine folder, which could be you know, at Google, that could be more like they’re gonna put it in spam. The the spam and quarantine folder might be synonymous. But with business mailbox providers, they they actually have quarantine folders that, like, kind of only the IT team has access to. And it’s before it even gets to the user’s individual mailbox. This is the reason I don’t like quarantine mode.

This is my soapbox, because I feel like it gets you no information. Because your mail provider, your your, you know, your email platform will tell you, yep. That mail successfully delivered. It was accepted. But then the user might be like, well, I never got it in my the recipient will be like, I never got it in my mailbox.

That’s because it’s chilling in the quarantine folder that only the IT team has access to, only the spam filter admin. And I could tell you as someone who started on the IT side internal IT side of the house, we never check those things pretty much. So the the the likelihood any message that lands in quarantine is ever released is pretty low. And then reject is telling the mailbox providers, hey. If a message is not authenticated properly, it does not have the necessary alignment to pass DMARC.

I want you to bounce it back. And I’m a big fan of this. What I like to typically do for DMARC deployments, we do a lot of them, and I’ve been doing lots of them for years, is start in the none mode. Just focus on getting the reporting. And this and the reporting, when you have it routed into a platform and you’re able to analyze it, you can identify mail streams that are possibly, you know, out of alignment.

It’s like maybe they’re passing. It is a platform that you use. I’ll say, send her, you know, ecommerce. Like, I’ve we both have done a lot of work there. I know.

I mean, I I’ve seen small businesses that on top of Shopify using Klaviyo, but also with a bunch of kind of add ons, like to manage other things like shipping and, you know, customer support and, get you know, generating you user generated content reviews, things like that. You know, sometimes maybe those don’t those miss getting set up for authenticate you know, for custom DKIM signing to be DMARC compliant, and then DMARC reporting will let you identify those and then go identify the platform and be like, okay. Let me contact this platform and correct my authentication. And then once you’re properly hardened, you’ve got everything down, you’ve got a process, and everybody knows, hey. If you wanna onboard a new email sending platform, anything that might send email on behalf of our domain, you gotta go to IT because they have DNS access.

They functionally own the domain, and you gotta get them to set up the DNS records to do custom DKIM signing or SPF or both.

Garin Hobbs: Excellent. So it sounds like there are sort of varied levels of complexity from one level of authentication to the next. But most importantly, what I’m hearing from you is that the most critical factors to make sure when setting up, you’re doing it absolutely correctly and, sort of, you know, no typos, no mistakes. Everything is exactly as it should be. So I guess, you know, for the curious out there, where do folks go to set this up?

What is actually managed by their ESP, their email service provider, and what is managed by their IT team? What’s the division of labor and task ownership there?

LB Blair: Gotcha. Totally. So as we were talking earlier about what happens when I press send, so what you know, your email service provider, they will provide if they want to be able to send on behalf of your domain and represent you and be DMARC compliant, they’re going to need to hand you some DNS records. Typically, these are text records. They can also be CNAME records.

Both ways of doing this are valid, and have their advantages and disadvantages. Though I I see the CNAME method of ESP authentication really picking up. I think that’s been very heavily pushed, or very heavily, like, pioneered kind of by SendGrid, or at least that’s where I’ve seen kind of the most of it. And that that gives the that allows the service provider to manage things more seamlessly for you. So if anything changes on their end, you don’t have to make changes on yours.

They can just update the reference. But, typically, your, you know, as a your email team your IT team is gonna be the one to deploy the DNS records. Now there are there are exceptions to this, but typically if you wanna authorize a platform to send mail on your behalf, definitely gonna have to have your IT team deploy some DNS records. And it’s just you know, honestly, it’s generally really pretty quick. I like, I like you I like just copy pasting.

Because like you said, it’s super important to not make any typos or mistakes or anything. So big fan of copy paste. Like, don’t don’t try to hand type anything because some of this stuff can get really, like there’s, oh, man. There’s this, like, 2 care 2 letters and, like, 4 random numbers and, like, don’t don’t stress yourself out. But also always check your work.

It’s really easy, to check your work. I mean, what I always do, the the easiest way to check it is I will send myself to my Google mail Gmail box, and then Gmail has on desktop only, doesn’t work on mobile. But on desktop, you can go into the 3 dots menu and go down to the option that says show original, and they have a nice little grid that will show SPF passed with this IP address, DKIM passed with this domain, DMARC passed or failed. It and it’ll give you the readout, like, right there. It’s, like, super easy, and then you can just be like, boom.

It it’s it’s done. So while it’s important not to make mistakes, it it doesn’t have to be catastrophic, as long as you’re properly implementing, like, IT change management because it is you know, there are, you know, changing the DNS. If you aren’t certain what you’re doing, or if it’s improperly managed, can can there are some risks to that. You know? There are definitely some risks, but they’re easily managed.

Scott Cohen: Another reason to copy paste. Another reason to copy paste. So you go, I IT goes, what do you need? Oh, it’s this. You just copy and paste it over.

Right? You don’t.

Garin Hobbs: Yep.

Scott Cohen: Yeah. It’s

Garin Hobbs: Yeah.

Scott Cohen: I’ll just I’ll just say it to you, and they’ll be like, no. Don’t you just just just type it.

LB Blair: Just type it.

Garin Hobbs: No. No. No.

Scott Cohen: Copy paste. Yeah.

LB Blair: Yeah. And we’re we’re seeing some cool solutions in the marketplace pop up too that are are streamlining this even further. That honestly something that I I I’ve been working with recently, but I don’t I don’t wanna well, let’s save that for, like, the update podcast because I haven’t

Garin Hobbs: got it.

LB Blair: I haven’t got all my, code done yet. So

Scott Cohen: Well, I’ll definitely have to come back to that for sure. Alright. So we talked about technical stuff. Let’s talk about the term that I’ve heard for I mean, I’ve had to do email 1 on ones where I had tried to explain this to people that had no clue about it. Sender reputation.

What is sender reputation and what goes into it?

LB Blair: So I I mean, frankly, sender reputation is I I would say it’s really the best way I can describe it is with an analogy, which is it’s very similar to, like, consumer credit scoring. Right? So with your you have what’s very I mean, all of us pretty much have a credit score here in the US, and that is a rating of our creditworthiness, essentially. How likely how risky is it to, how risky is it to lend money to this individual? The the the way this works in email with sender reputation is how risky is it to accept mail from this sender, from this IP address, from this domain, to accept this particular piece of content, and and serve it up to the user.

It’s basically, again, risk. It’s it’s a you know, if you’re sending from IPs that have a really low sender score, that indicates that, you know, the mailbox providers, involved with that data partnership think that those IPs are risky to accept mail from. So they’ve started probably rejecting a lot of it. And the same if Google and Google Postmaster Tools, if you look and you have a bad domain reputation, that’s an indication Google thinks it’s risky to accept any mail from your domain. And the difficult part, I think it was when it comes to credit limit or how much mail you can inbox.

Because there’s definitely this is why we have to do warm ups is essentially to expand your credit limit at Google, how at Yahoo, at Hotmail. How much mail do they think you’re good to inbox per day? And that’s basically a function of your historical send volume and behaviors. You know? Do you generate a lot of spam complaints?

That makes you look risky. Do you bounce a lot of mail? Do you, you know, try a lot of addresses that are that just frankly don’t exist, or does it look like you’re guessing someone’s address? Right? All all of these things bake in to essentially deliver an invisible, in most cases, assessment of your sendworthiness, rather than creditworthiness, into various different receiving mail systems.

Garin Hobbs: If someone has garnered a negative or disfavorable sender reputation, you know, obviously, remediation, that’s we could do an entirely different or entirely separate podcast on that one alone. But what I what I often see or sometimes see with clients is their immediate sort of method of remediation is to leave their current ISP and spin up new IP addresses with a new, ESP. What are what what’s what’s the typical result there that that that you see most often, LB, when people are sort of taking those types of shortcuts?

LB Blair: So, I mean, typically, what I’ve seen recently is those shortcuts are just not working anymore. Because the thing you have to understand, really, the spam filters are most concerned with screening out the worst of the worst. Right? Like, the the really actively malicious content. So if you engage in any behaviors that senders trying to inbox malicious content have done, like snowshoeing, i.e., oh, well, these IPs stopped working, so I’m just gonna change them.

Or this domain stopped working, I’m just gonna change it. That inherently makes you look similar to malicious actors, and it will get you treated as such. So what I’ll see is either just an entire depending on how many times they’ve tried this trick, I’ll see just a complete failure to launch, or I’ll see, I’ll see, you know, like, it’ll it’ll work for a little minute, and then it’ll stop. Because if you don’t solve the root problem of whatever tanked the reputation in the first place, it’s just gonna keep cropping back up. And, you know, they’re especially with, I mean, how advanced machine learning is getting and how much data Google has.

I estimate they have approximately half more than half of probably all the web data in the world and email data in the world, because, I mean, with all the sites they index with Google search and all the mail they receive and even the mail they bounce, they got a lot of data points and a lot of intelligence baked into that. So what I’ve seen is you’ll just get identified more and more quickly. Google, this is this has been my thing. Google and the mailbox providers, the spam filters, they don’t have to make it impossible to game the system. They just have to make it unprofitable.

They just have to make it more trouble than it’s worth to try to go around the filter. But, I mean, I can almost guarantee anything that anybody, you know, any business person can kind of think of off the top of their dome to get around a spam filter has already been tried by hackers en masse. Like, it’s been hackers have probably already tried it and ruined it for everyone.

Scott Cohen: Oh, for sure. Yeah. Well, let’s so and you talk about just making it nonprofitable and just, you know, the goalposts keep moving. Right? And the the the thresholds get tighter, especially now with spam complaints.

Yeah. What what you know, the the complaints I’ve heard, you know, it was a 0.1% is kind of like, hey, watch out, and 0.3 is you’re in trouble. Now, obviously, if it happens once, they’re not gonna throw you in jail, but it’s about consistency. Right? Like, reputation is the same way.

It’s all about consistency. But what what are the Yeah. What are you seeing in terms of enforcement? I mean, it it’s still early. This is, you know, end of February or early March when we’re recording this, so it’s still early.

But what are you seeing in terms of enforcement?

LB Blair: So the interesting thing is, Google actually jumped the gun on enforcement, about a week prior to February. We actually started seeing bounce backs referring to DMARC alignment as early as January 25th that we’re seeing. And, really, it’s just a partial block. Right now, they’re blocking or they’re they’re soft bouncing, a temporary bouncing, a portion of your traffic that is unaligned. What I have also seen is a new bounce at Google that references spammy content.

That’s also a new error in Google Postmaster Tools that I had not seen before that says, you know, like, delivery error, spammy content. And I did unfortunately have a sender, an ESP client recently that I was assisting that they got a new sender, and, yeah, everything got blocked at Google. So, basically, if you build up a content fingerprint with, or or yeah. If you build up a content fingerprint with that is known for generating a high spam complaint rate, even if you switch platforms, Google’s gonna see it, and they’re gonna block it. They’re gonna be like, I I don’t wanna receive that.

Now in this particular case, the issue has been getting resolved. It turns out there was just an insecure link in the email. So I think that’s honestly, I I think kind of what’s going on at Google and Yahoo is really they’re cleaning noise out of the dataset. They basically said, yo, DMARC has been in the wild for several several years now. It’s a best practice.

It helps centralize control of the domain with IT so that, you know, changes all have to be duly authorized and go through change management to be put into place. And it’s so they’re basically I’ve seen Google in the past inbox mail that was failing every authentication parameter right in the primary tab because they knew they’re like, well, we just know this sender just hasn’t set the system up to authenticate properly, but these are actually their transactional mails. And we know LB really wants to get, you know, this password reset or this one time passcode or this, you know, discount code for the ecom site she’s shopping on currently. Right? So they would inbox that.

They’re not gonna do that anymore. So the first, they’re bringing down the hammer on authentication, and that cleans a lot of the noise out of the dataset so that they can focus on user behavior more. Like, for the mail they’re accepting, what is truly desired, what tab should it go in, and, like, what you know, whether or should we even accept it or not. And I I think that’s really the the actually, the really cool thing from the webinar with Google and Yahoo, what that Mailgun put on was, they said it’s actually not a change as far as the spam complaint rates. It’s actually them just being more transparent about what has kind of been the law of the land for a while now.

And the way I I the way I like to think about it, because I think I think 0.1%, 0.3%, I think those are so, like, academic. I think we say that, and we don’t even conceptualize it really. The way I like to look at it is 1 per 1,000. Think about that. If 1 per 1,000 people is marking your message as marking or marking your messages as spam, that’s kind of a lot if you think about it really, especially if you’re sending millions and millions of messages.

And and the same with point 3, that’s 3 per 1,000. I mean, you gotta think about it. If you had a 1% complaint rate, that’s 10 people per 1,000 that are like, yo. I hate this. Why did you send me this?

Like, it it so that’s that’s kind of you know, I think that’s the thing. And the big thing, you know, I should also point out, and I’ve seen this for years is, you know, what kind of spam rate at least Google will tolerate from your mail streams is dependent on a couple of things. A, the scale, because the bigger scale you’re at, the larger of a risk you are. You’re just because you’re inboxing, you’re shipping a lot more mail into their platform. You’re you’re a bigger risk. And the, the other thing they look at is the positive engagement you’re generating.

So I’ve because I’ve seen senders, like, who have really crazy good positive engagement. Maybe they’re getting primary tab placement. I see this with a lot of newsletters I’ve worked with. Also, sometimes, like, welcome emails from ecommerce just because the engagement is so fire. People want that discount, you know, that they got that that the attentive pop up told them they was gonna they were gonna get.

And those will hit the primary tab, but primary tab placement typically does come with higher complaint and unsubscribe rates for sure. So that’s really you know? But if you’re generating crazy good engagement, you got, like, a 50, 60 percent open rate, you got high click rates, Google might say, yeah. I’ll tolerate it. It just depends.

But, again, depends on your scale. You know? If you’re Yep. A if you’re in the millions or they you’re a super sender doing, like, a 1,000,000,000 plus a month, they’re they’re not gonna tolerate as much nonsense. And and typically, those senders that I’ve worked with, the real big dogs, they’re at, like, one complaint per 10,000, like, or less in most cases.

Garin Hobbs: LB, given the threshold for spam is so low, the 0.1%, academic or otherwise. Right? I think about an unfortunate yet prevalent fact about human behavior, and that’s that many of us are lazy. And, I’ve seen many, many instances, and I’ve been guilty of it myself in the past. Rather than go through what may be a multi, multi-click unsubscribe process, I might be tempted to just click the report as spam button. Right?

Apply a little Occam’s razor there. How can we encourage marketers to put in place any type of method or what tactics can they use to sort of negate that or at least, minimize the risk of folks sort of unsubscribing through spam complaints, if that makes sense.

LB Blair: Oh, abs I mean, honestly, make it easy to unsubscribe. This has been the best practice, like, forever. Scott, I think I swear, I think I saw one of your presentations once where you’re talking about this, like, years ago. You know, it make it easy to unsubscribe, make it intuitive. And this is also being mandated now by Google, a part of the and Yahoo.

Part of the changes are you have to have a one click unsubscribe, which is the list unsubscribe, List-Unsubscribe, header. And it needs to be HTTPS. Very important. That is a secure link. And also very important, it is a one click unsubscribe. And that is what gets utilized by Google to power their their unsubscribe button in the platform, Apple as well.

I believe Yahoo has it, as well. So it’s really that one click, on so really the the it has but it has to be one click is a requirement of the list header unsubscribe, and that’s not visible. Typically, you know, most people, that’s something your ESP is gonna manage for you. They’re they’re gonna construct that, and you should just ask them, you know, if you’re RFPing or if you have any questions, reach out to your ESP and ask them, hey. Is this something you’re putting in?

Is the one click, you know, unsubscribe button? Is the link secure, and, you know, functional, basically. But I I think that’s really it. That that’s a good way because, you know, I’ve heard people before say, oh, put the unsubscribe at the top, but I I think that of the mail body, I think that can be a little off putting in a lot of cases. And I think it’s not all way I I think it’s not always necessary, but also make it very clear at the bottom, you know, the footer of the email that’s kind of the standard.

Make sure you have the unsubscribe link also in the body of the email, but that one is not mandated to be a one click. But I think that’s also where you really have to go. Well, if I’m having a spam complaint problem and I don’t have a one click unsubscribe in the body of the email, maybe I should test that. That’s the best way to know anything in email is to test it.

Scott Cohen: Agreed.

Garin Hobbs: Absolutely.

Scott Cohen: Well, let’s talk about the future. The future, Conan? Sorry. Shows my shows my nerdom a little bit. Next 12 to 24.

Exactly.

Garin Hobbs: In the year 2000.

Scott Cohen: What’s coming in the next 12 to 24 months? You know what I mean, obviously the the Gmail and Yahoo stuff’s kind of the big thing, even though it’s really not a big thing. It’s just, again, it’s the the flashing light is over over deliverability at the moment. But what what is coming? What what do you see, you know, both good, bad, ugly, whatever it might be? What what is coming down the pipe for us?

LB Blair: Absolutely. I’ve kind of alluded to this a little. I I think, you know, the mailbox the major mailbox providers dropping the kind of authentication hammer on a larger swath of senders because singular large senders, you know, the Home Depots and Fords and Toyotas of the world and stuff like that, they’ve they’ve had this buttoned down for years. They’ve got it. They got big IT teams.

They’ve got this all buttoned down. Right? Their DMARC and their change management process and onboarding new sender, you know, sending platforms, things like that. But they don’t as, you know, as as pointed out on the the Google and Yahoo webinar, that’s only, like, 20% of all traffic or something like that. You know?

It so there’s still a lot of small, medium senders out there that this now applies to. So I think it is kind of a big thing. And it’s basically saying, no. You really need to have this if you want us to take you serious, like, from the jump. You need to start with your mail properly authenticated.

And I think that is allowing them to focus more on content filtering. I have absolutely seen a rise in content filtering, and I think it’s a response to what Garin said as far as, oh, what if a sender they’re they just change their IPs, they change their domain, you know, whatever. I think the content the increased focus on content filtering is due is due to that, to be able to identify where the same or similar content is being sent from numerous different platforms, domains, and IPs, and being able to identify that content and blocking it. Consequently, I I have significant concerns about AI being able to break that content fingerprinting. Because if you think about it with AI, you can generate novel content for every user in a 1,000,000 person list possibly.

You could you could have AI, you know, say, hey. Give me a a a 1,000,000 different ways to say this one thing. Or, you know, here are the data points I have on this subscriber. Make the most convincing email possible to ask, you know, to get them to buy whatever, you know, my new product offering is as a business. And with all those really novel contents flying around and and they’re very may possibly distinct from each other, I think that’s gonna make the content filtering more, more difficult in some ways.

Now there are other things that a lot of people don’t think about. For CAN-SPAM compliance, you have to put your physical business address in the footer. Well, that can be pattern matched with software. Like, that’s, you know, a regular pattern.

Heaven forbid I I invoke the the specter of regular expressions. I had to work I’ve had to work at regex a few times, and I’ve hated it every time. But, you know, there’s I mean, essentially, I think there are biases in the spam filters based on what they’re most easily able to identify and filter. URLs. URLs are huge for content filtering.

I probably bring this up every time I say content filtering, but, Vittis, has a really Vittis m, and I’m not gonna try to kill his last name, has a really good article on LinkedIn that was published years ago, but it’s still super relevant called Content Isn’t King, It’s the Vazir of Email. And it talks about but it goes really in-depth to, about how URLs matter so much in content filtering. And I’ve absolutely across, you know, tons of tests, inbox placement tests, and data points. I’ve seen this to be true. So, really, the reputation of whatever websites you you link into the body of the email, you could be just fine.

But if you put a bit.ly link in there, well, bit.ly has been used, you know, for a long time to hide viruses behind it because you don’t know what’s behind the link. It’s a public link shortener. So link shorteners inherently aren’t bad, but public ones are because anybody can use that domain and put anything behind it. So I think that’s I I but I think the other thing is we’re gonna see I’ve seen a real rise. You know, I’ve been helping with a lot a lot of ESPs with deliverability architecture, email architecture, and advisory lately, and I’ve seen lots of, niche ESPs that handle a particular mail stream or a particular, industry type of mail that are often powered by AI to take lift off of to take, you know, effort off of email marketing teams.

Because I don’t think I’ve ever met an email marketer who said they weren’t busy. Every email marketer I know is typically about you know, the clock is, like, 5 it’s 5 minutes to midnight. You know? They’ve got 80,000,000 things they’re trying to get done, in not nearly enough time. And I think you know, so we’re seeing a lot of these niche, ESPs pop up and leverage AI.

And I think that’s I think it’s a natural evolution, and I think these kind of almost expert systems, for sending mails, I would call them, are are going to help with contextualization and kind of personalization of the mail in a lot of ways. But I think it’s gonna be interesting to see how kind of the increased focus, the lens on content filtering interacts with these AI generated emails. I think it’s gonna be really that’s gonna be something we’re gonna have to see how that plays out.

Scott Cohen: Yeah. For sure. I mean, there’s, every whenever I get asked about AI, my concern is, at least right now, my concern is mediocrity. The curse of good enough. Like, you know, the 5 minutes to midnight, you just have to get something out the door.

So is it good enough to get out the door? And so there’s there’s always I think at least for now, there’s certainly gonna always gonna be a human element. There should be anyway. Oh. But we’re it’s like you you think about 99% of email doesn’t get delivered.

The 1% that does get delivered is a huge amount, so you’re competing against everything anyway. And it’s just it’s just hard. It’s just hard. Let’s just face

LB Blair: it. It’s hard. E email is hard because there’s there’s so much that has to there’s so much that has to go right. And kind of one of the things when I’m talking to, you know, ESPs that I’m helping them make decisions on how to use, like, the underlying MTAs or email platforms they’re relying on. It’s like, there’s unfortunately not a lot.

There’s, like, there’s not a right answer on how to do something. There’s like, well, it really depends based on what you’re trying to achieve, what your app functionality is, etcetera. There’s a lot of wrong answers. There’s a lot of ways to mess up an email and cause like I said, you could do everything right. You can have all your authentication, but maybe you put your links in.

The the links are HTTP instead of HTTPS. But I I think really what we’re seeing with Google and Yahoo and and the this big push for authentication is an increased focus on security, because email has just again, it just it as you said, 99% gets rejected. Still a lot of it’s very malicious traffic. There’s lots of infected documents, all kinds of scams and ways to try to, you know, get around that. I’ve seen people leverage Google Docs, emails to try to, you know, inbox malicious content, Google Calendar, notifications out of office bounce backs.

I mean, there’s, like, so many ways that malicious actors are trying to get these, you know, virus laden emails kinda in over the eaves.

Scott Cohen: So I I would say all this is all these changes are good. Right? Would you say all these changes are good? Like, you know, it’s I mean, obviously, we’ve had a little bit of an influx in turn like, we’ve seen it, and you guys have seen it too. I would imagine if, oh my god.

I gotta get DMARC set up, but it’s it’s all good. Right?

LB Blair: Oh, yeah. I I I think ultimately is great for the email ecosystem as a whole because that’s what maintains email’s relevance as a communication channel. If you think about it, if email as a whole was just super unreliable and you were really likely you know, you’re half as likely to get a virus versus a discount on any email that you open. Email would not be relied upon because look at what’s happening with SMS and telecom. Like, we get all these spam calls.

I don’t know anybody anymore that just picks up their phone. Everybody I know screens all their calls, and that’s that’s a spam filter. That’s like a spam filter, and it’s a very manual spam filter. And the same with SMS. Like, SMS doesn’t have tabs.

It just goes. It dings your phone. And, there’s not as much filtering, so it can be very noisy and intrusive. But I think really that the filtering is what it I think improved filtering and improved security protections especially because getting getting hacked is a real bad experience. And, like, that is something that’s gonna stick in someone’s mind forever.

So, you know, really protecting them against that is what maintains email’s relevance as a channel. And the great thing is it’s an order of magnitude cheaper than just about anything else, any other push communication medium you could, you know, engage in.

Scott Cohen: Well, I think that’s a great spot to stop because we could go for another hour or 2 hours.

Garin Hobbs: Oh, gotcha.

Scott Cohen: I mean, it’s you’re we’re we’re just we’re just touching the the nerdom, so we could we could totally go go deeper. But you know what? LB, where can people find out more about you and about email industries?

LB Blair: Yeah. Hit us up on LinkedIn. I’m on LinkedIn as LB Blair, email ecosystem expert, Email Industries. We’re on LinkedIn. Also, our website, you know, you can come through there.

I also hang out in the Email Geeks deliverability channel. So, you know, feel free to hit me up and be like, I summon you. I’m happy to answer questions and help out where I can. Going to Inbox Expo, I’ll be presenting there an update on what we’re seeing at a data level from Google and Yahoo. Also, the Deliverability Summit in Amsterdam, really looking forward to that.

And, actually just added to the slate, I will be teaching a master class on the email ecosystem, with the email roadshow in Atlanta, at likely my my university, Georgia State. So I’m super pleased, about being able to teach a class without having a math without without having gotten a master’s degree yet. So

Scott Cohen: Very nice. Well, thank you for joining us, LB, and thanks to you listeners and watchers for tuning in. If you’d like to learn more about us at Inbox Army, check us out at inboxarmy.com. Till next time, be safe and be well.

This Episode’s Featured Guest


LB Blair

Head of Deliverability and Managing Partner
Email Industries

LB Blair has a wealth of experience working with numerous Fortune 100 brands, some sending over one billion email messages monthly. Her expertise includes Gmail reputation remediation, IP/domain warming, data analysis, custom tool development, email authentication, security, and more. LB has a passion for elegantly solving the toughest problems the email industry can throw at her, and she isn’t close to being done yet!

Our Hosts

Chief Executive Officer

Winner of the ANA Email Experience Council’s 2021 Stefan Pollard Email Marketer of the Year Award, Scott is a proven email marketing veteran with 20 years of experience as a brand-side marketer and agency executive. He’s run the email programs at Purple, 1-800 Contacts, and more.

Experienced Martech Expert

With a career spanning across ESPs, agencies, and technology providers, Garin is recognized for growing email impact and revenue, launching new programs and products, and developing the strategies and thought leadership to support them.
