Important Email Update! New requirements from Gmail and Yahoo Mail effective February 2024.

Email sending best practices: As part of their ongoing commitment to enhance email security and protect user inboxes, Gmail and Yahoo Mail have announced a set of new requirements for email senders, effective February 2024. The new requirements include long-standing best practices that all email senders should follow in order to achieve good deliverability with mailbox providers. What's new is that Gmail, Yahoo Mail, and other mailbox providers will require alignment with these best practices for those who send bulk messages over 5000 per day or if a significant number of recipients indicate the mail as spam.

Requirements:
- SPF (Sender Policy Framework) is a domain-based way to determine what IPs are allowed to send email on somebody's behalf.
- DKIM (DomainKeys Identified Mail) is a message-based signature that uses asymmetric cryptography to sign email and verify that a message was not altered in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on top of SPF and DKIM and instructs receivers to approve, quarantine, or reject email messages.

Why it matters: For senders of bulk messages, meeting these requirements is crucial to maintaining good deliverability and ensuring that your emails reach the intended recipients' inboxes. Failure to comply may result in emails being marked as spam or rejected by mailbox providers.

What you should do: Review your current email sending practices to ensure alignment with SPF, DKIM, and DMARC. If necessary, update your SPF, DKIM, and DMARC configurations to comply with the new requirements. Check the diagram showing how SPF and DKIM work together with your DMARC policy.

#EmailSecurity #GmailUpdate #YahooMail #SPF #DKIM #DMARC #Authentication #CyberSecurity #EmailBestPractices
Email Authentication
-
It’s official: email best practices are no longer best — they’re required. Here’s why...

Microsoft recently announced new bulk sender requirements that mirror the ones Google and Yahoo rolled out last year. And they aren’t just doing this for fun, promise. They’re doing it because too many senders ignored best practices when they were optional. So, now they’re mandatory. ¯\_(ツ)_/¯

Starting May 5th, if you’re sending more than 5,000 emails a day and not following the rules, Microsoft’s going to start rejecting your mail. Not junking it. Rejecting it.

And I wanna be clear here: this isn’t coming out of nowhere. The writing’s been on the wall for a while... and mail has been silently filtered away from the inbox all this time. Now it's just that the rules aren't written in invisible ink!

So, what are these rules I speak of?

💌 Authentication (SPF, DKIM, DMARC)
Yes, we’re still talkin’ about this… get used to it. Microsoft wants the same setup Google and Yahoo asked for. If your domains aren’t properly authenticated and aligned, your deliverability will suffer.

💌 Valid “From” and “Reply-To” Addresses
Microsoft wants to make sure that when someone replies to your message, there’s someone on the other end. No more sending from a “noreply@brand.com” black hole.

💌 One-Click Unsubscribe (RFC 8058)
They’re cracking down on bad unsubscribe flows. Make it easy. No weird hoops or loops or “oops, we need 10 days to process your request.” Just a simple unsubscribe option that actually works.

If you’re already sending it right (ahem, compliant with Google and Yahoo’s requirements), this is mostly a “cool, cool, carry on” moment. But you’ll need a whole lotta margaritas and tacos to overcome your sorrow if you’ve been dragging your feet. May 5th (ahem, cinco de mayo!) is not the day to find out Microsoft doesn’t play.

What happens if you’re not ready?

If you need help figuring out where you stand, here are a few fast checks:
✅ SPF, DKIM, and DMARC passing in headers?
✅ “Reply-To” address monitored and functioning?
✅ One-click unsubscribe live and working?
✅ Lists clean and bounce/spam complaint rates under control?

If not, now’s the time to fix it. Not next week. Not next quarter. Now.

TLDR: if you’re not sending responsibly, you’re not sending at all. Because come Monday — yes, THIS Monday — non-compliant mail will be rejected at the door. No inbox. No spam folder. Just blocked. So, get it together, you (not so) filthy animals!

LinkedIn says I’m outta characters, but if you need tool recommendations or a second set of eyes on your setup, I'm happy to help. Reach out, email scout. 💌
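The three requirements listed in the post above (aligned SPF/DKIM/DMARC, a usable reply address, RFC 8058 one-click unsubscribe) can be checked on the headers of a received test message. This is an added example, not part of the original post; the sample message, its domains and the `mx.receiver.example` authserv-id are constructed, and the organizational-domain comparison is simplified to the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and the authserv-id are assumptions.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP permitted) smtp.mailfrom=bounce.brand.example;
 dkim=pass header.d=brand.example header.s=s1;
 dmarc=pass header.from=brand.example
From: Brand News <news@brand.example>
Reply-To: support@brand.example
List-Unsubscribe: <https://brand.example/u/abc123>, <mailto:unsub@brand.example>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Subject: April update

Hello.
"""

def org_domain(domain):
    # Simplification: last two labels. Real DMARC checks use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def audit(raw, authserv_id):
    """Check one received message against the three requirements in the post."""
    msg = message_from_string(raw)
    base = org_domain(domain_of(parseaddr(msg.get("From", ""))[1]))
    spf_ok = dkim_ok = False
    dmarc = "missing"
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in re.sub(r"\([^)]*\)", " ", hdr).split(";")]
        if not parts[0] or parts[0][0].lower() != authserv_id:
            continue  # only trust results stamped by our own receiving server
        for tokens in parts[1:]:
            kv = dict(t.lower().split("=", 1) for t in tokens if "=" in t)
            if kv.get("spf") == "pass":  # SPF aligns via the envelope sender
                spf_ok |= org_domain(domain_of(kv.get("smtp.mailfrom", ""))) == base
            if kv.get("dkim") == "pass":  # DKIM aligns via the signing domain
                dkim_ok |= org_domain(kv.get("header.d", "")) == base
            dmarc = kv.get("dmarc", dmarc)
    reply = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    local = reply.partition("@")[0].lower()
    post = re.sub(r"\s+", "", msg.get("List-Unsubscribe-Post", "")).lower()
    return {
        "dmarc": dmarc,
        "aligned": bool(base) and (spf_ok or dkim_ok),
        "reply_to_ok": bool(local)
            and not re.fullmatch(r"(do[-_.]?not|no)[-_.]?reply", local),
        "one_click": "<https://" in msg.get("List-Unsubscribe", "").lower()
            and post == "list-unsubscribe=one-click",
    }
```

Headers can only show that the reply address is not a no-reply pattern; whether the mailbox is monitored has to be tested by sending to it.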
-
I burned through $15K perfecting cold email copy. Here's what I learned when I focused on deliverability instead.

While I was obsessing over subject lines and CTAs, most of my emails were landing in spam folders. I had killer copy that nobody ever saw. But here's what happened when I fixed the infrastructure piece first… I went from ignored emails to 800,000+ monthly sends at ColdIQ. If your cold emails aren't working, deliverability beats copy every single time.

WHY DELIVERABILITY IS EVERYTHING:
1. Perfect copy means nothing in spam. You can have killer targeting, perfect messaging, incredible offers... but if your email lands in spam? Game over.
2. It compounds everything else. Once your domain reputation is down, even your transactional emails start getting flagged and won't get delivered anymore.

So how do you make your email land in the primary?
1. Protect your main domain. Never send cold emails from your primary domain. We use 70+ secondary domains to keep our brand safe and our main inbox clean.
2. Distribute volume across multiple mailboxes. Set up 140+ mailboxes across those domains. Keep it under 50 sends per day per domain. High volume too early = instant red flag.
3. Get your technical foundation bulletproof. Set up SPF, DKIM, and DMARC authentication. Without proper technical set-up, you're flagged as suspicious by default.
4. Warm up. Send nothing for 2 weeks. Use premium warm-up tools to build trust gradually with ESPs. Ramp slowly to avoid triggering their spam filters. Patience here pays dividends later.
5. Natural variation. Use Spintax or tools like Twain to introduce variations in your messaging. Even small variations help you avoid the repetition triggers that scream "mass email blast" to spam filters.

Remember, list quality plus message still matter most. Even with perfect infrastructure, if your list is off and your message is weak, you'll still land in spam. Deliverability gets you to the inbox, but the relevance keeps you there.

Monitor everything rigorously. Use tools to track your sender reputation across all ESPs. We check deliverability rates daily (it's that critical). Infrastructure gets you to the inbox, but your targeting plus messaging determines what happens next.

I've put together a 7-day GTM crash course that includes our exact setup, authentication templates, and the monitoring systems we use to protect the campaigns of our 70 clients. Reply with "SETUP" if you want access before your next campaign goes live.
-
We send 800k+ emails a month, and I have spent the last 2 years understanding every reason for emails landing in spam. Today, I am sharing all the good resources I found during this journey!

Most emails don’t get blocked because you’re a spammer. They get blocked because you missed one tiny config buried in a 20-year-old spec. Email delivery feels a little like a black box! Old docs, conflicting advice, and invisible rules. So sharing the list I wish I had when we started.

1. LearnDMARC (learndmarc.com) - An interactive visualizer that makes SPF, DKIM, and DMARC simple and easy to understand.
2. Postmark’s “Why Emails Go to Spam.” - The clearest explanation of sender reputation, content filters, and engagement signals.
3. MXToolbox - Debug SPF/DKIM/DNS issues
4. Mail-tester.com - Send a test email, get a deliverability score. My go-to before every big template change.
5. Google Postmaster Tools - Gmail’s own dashboard for domain reputation. No more guessing.
6. RFC 5321 (SMTP spec) - Yes, this feels intimidating. But even skimming it gave me massive clarity on how email really works.
7. Spamhaus blog: Word to the Wise - Insights on sender reputation straight from the people who run the biggest blocklists. This is one of the best blogs I have found on the internet!

Email isn't glamorous. But it’s critical infrastructure. And most of the knowledge is scattered across forums and old blog posts. If you’re building anything that sends email, save this! It’ll save you a loooot of time debugging!
-
Before copy, before offers, before personalization… your emails need to land in the inbox.

If you're doing [X] - sending emails straight from a fresh domain without setup
Switch to warming and proper infrastructure first, because inbox providers will flag you immediately.

1. Disable Tracking Links
Tracking pixels and link tracking often trigger spam filters.
- They add extra redirects → suspicious behavior
- They signal “mass outreach tool”
What works: Use plain links or no links at all in the first email. Focus on getting a reply, not a click.

2. Use Multiple Mailboxes per Domain
One inbox blasting emails = high risk.
Spread volume across 2–3 inboxes per domain
Example: john@ mike@
Why it matters: Lower activity per inbox = more natural sending pattern.

3. Mix Google and Outlook Accounts
Email providers watch patterns. If all your emails come from one ecosystem, it’s easier to detect.
Better approach:
- 50% Google Workspace
- 50% Outlook
This creates diversity and reduces risk signals.

4. Warm Up Your Domains (Minimum 2 Weeks)
New domains have zero trust.
If you're doing [X] sending emails immediately after setup - switch to warming first, because cold domains get flagged fast.
Simple process:
- Start with 5–10 emails/day
- Gradually increase
- Use real conversations or warm-up tools
Goal: build history that looks human.

5. Use Separate Domains for Outreach
Never send cold emails from your main domain.
Why:
- Protect your brand domain reputation
- Avoid affecting your core business emails
Example:
Main: yourcompany.com
Outreach: yourcompany.co / getyourcompany.com

6. Set Up SPF, DKIM, and DMARC Properly
Skip this and your emails won’t be trusted. These are your authentication signals:
- SPF → confirms sender
- DKIM → verifies message integrity
- DMARC → tells servers how to handle failures
No setup = low deliverability, even with great copy

7. Keep Volume Low (Max ~20 Emails/Day per Inbox)
More volume doesn’t mean more results. Among outbound campaigns, accounts sending lower daily volume tend to last longer and perform better.
What works:
- 10–20 emails per inbox per day
- Scale by adding inboxes, not volume

That's it!
-
If you’re still sending email from an onmicrosoft.com address, Microsoft is tightening the rules. This matters because your messages could start getting throttled or blocked, which means invoices, password resets, and customer updates might never arrive. Microsoft’s goal is to stop spammers who spin up fresh tenants and abuse the shared onmicrosoft.com domain. But the side effect is real organizations will see lower deliverability and limits on bulk or automated sends until they move to a proper, verified domain. What’s changing? Microsoft is putting sending limits and stricter checks on any email that leaves an onmicrosoft.com address. Because it’s a shared domain used by millions, one bad actor can hurt the reputation for everyone. The fix is simple but urgent: switch to your own branded domain and set up modern email authentication (SPF, DKIM, and DMARC). That tells receiving mail systems, “Yes, this is really us,” and helps keep your mail out of spam and off block lists. What should you do now? Audit where onmicrosoft.com shows up—service accounts, no-reply inboxes, ticketing tools, scanners, CRM alerts, and scripts. Register or connect your custom domain, add the DNS records, and rotate apps and automations over to the new addresses. Test mail flow, watch for bounce backs, and update address books, forms, and templates. Train your team so they know which sender addresses are approved going forward. A little cleanup today will save a lot of missed messages tomorrow. #Microsoft365 #EmailSecurity #ITAdmin #ChangeYourPassword Follow me for regular updates on Microsoft 365 changes, security tips, and clean-up checklists that keep your org’s email flowing.
-
🚨 BREAKING: Shopify just fixed one of Flow’s quietest trust issues. And yes, this one matters more than it sounds.

Until now, emails sent via Shopify Flow showed up as coming from: flow@shopify.com

Not your brand. Not your domain. Not you.

That’s changing. Shopify has updated the Send internal email action so emails now display your store’s sender email address in the From field.

At first glance, this looks cosmetic. It’s not. This change hits deliverability, trust, and operational clarity all at once. Here’s why it matters 👇

When emails come from a generic system address:
- They’re more likely to be flagged as spam
- They’re harder to recognize internally
- They break brand consistency
- And they quietly reduce response rates

With this update, Flow emails now behave like real operational emails, not system noise.

What’s new:
• New Flow configurations already use your sender email
• Existing workflows will be updated automatically
• Emails align with your store identity and domain

But there’s a catch ⚠️ You need to do one thing to avoid issues.
👉 Go to Settings → Notifications in your Shopify admin
👉 Make sure your sender email is properly configured
👉 If you’re using a custom domain, authenticate it

Otherwise:
- Emails may land in spam
- Internal teams may miss alerts
- Automated workflows lose their value

One more subtle impact: If your team had filters or forwarding rules for flow@shopify.com, they’ll need updating.

This update isn’t about features. It’s about infrastructure maturity. Automation only works when messages are trusted. And trust starts with identity.

Classic Shopify move: Less friction, more signal, better ops at scale.

#Shopify #Ecommerce #Automation #ShopifyFlow #EmailDeliverability #RetailOps #CX #OpsEngineering
-
Using HubSpot for marketing emails? When's the last time you verified your domain authentication on HubSpot?

I can't tell you how many times I've seen this overlooked. I consistently find it not authenticated in accounts.

Here's what happens when your domain isn't properly authenticated:
• Your deliverability tanks
• Emails hit spam folders instead of inboxes
• Your sender reputation takes a hit
• You're burning budget on emails nobody sees

The fix takes minutes. Go to Settings → Content → Domains & URLs

Check for these three things:
1. SPF record (green checkmark)
2. DKIM record (green checkmark)
3. DMARC policy (configured)

If you see red X's or warnings, fix them today. Your IT team can help if you're not sure how to update DNS records. HubSpot's documentation walks through it step by step.

Don't let a simple technical oversight kill your email performance. Check it now. Your campaigns will thank you.
-
Your domain can be used to scam people… and you might never know. Here’s how it actually happens 👇

That’s the scary part. No breach. No malware. No alerts. Just someone sending emails as you. If your setup is weak, it’s easy.

That’s where SPF, DKIM, and DMARC come in. Let’s break it down simply:

➤ SPF (Who can send)
Think of it like a guest list
It tells the internet: “These servers are allowed to send emails from us”
If a server is not on the list → something’s off

➤ DKIM (Was it changed?)
This is your digital signature
Every email gets “signed” before it leaves
If someone edits the message → signature breaks
So receivers know: “This email is real and untouched”

➤ DMARC (What to do next)
The rulebook
If checks fail → you decide:
- Ignore
- Send to spam
- Block it
Plus, you get reports on everything

Without them? Your domain becomes an easy target for spoofing and fraud.

If you take ONE thing from this: Email security isn’t about tools. It’s about trust. And trust starts with proper configuration.

Have you actually checked your DMARC policy… or just assumed it’s set?

----

Hi, I’m Harris D. Schwartz, Fractional CISO & Cybersecurity Leader. I help CEOs and executive teams strengthen their security posture and build resilient, compliant organizations. With deep expertise across NIST, ISO, PCI, and GDPR, I focus on making security a business enabler, not just a control function. If you’re planning how your security program should evolve in 2026, this is the right time to start the conversation.

#CyberSecurity #EmailSecurity #DMARC #SPF #DKIM #InfoSec #SecurityAwareness #DataSecurity #CyberRisk #TechLeadership #ITSecurity #DigitalTrust #InfosecCommunity
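One way to answer the post's closing question is to read the published `_dmarc` TXT record and see what it actually asks receivers to do on failure. This is an added example, not part of the original post; the records and the `brand.example` domain are constructed, and fetching the record from DNS is left out so the code runs offline.

```python
# Effect on failing mail for each DMARC policy value, in the post's wording.
EFFECT = {"none": "ignore", "quarantine": "send to spam", "reject": "block"}
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; raise ValueError if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the v tag must come first and be exactly DMARC1; p is required.
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        raise ValueError("not a DMARC record")
    if tags.get("p", "").lower() not in EFFECT:
        raise ValueError("missing or invalid p= tag")
    return tags

def review(txt):
    """Report what the record tells receivers to do and where it is weak."""
    tags = parse_dmarc(txt)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()      # subdomains inherit p by default
    pct = int(tags.get("pct", "100"))   # default: apply to all failing mail
    findings = []
    if p == "none":
        findings.append("p=none: failing mail is still delivered")
    if STRENGTH.get(sp, 0) < STRENGTH[p]:
        findings.append(f"sp={sp}: subdomains are less protected than the domain")
    if pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports are requested")
    return {
        "on_fail": EFFECT[p],
        "subdomain_on_fail": EFFECT.get(sp, "ignore"),
        "strict_dkim": tags.get("adkim", "r").lower() == "s",
        "strict_spf": tags.get("aspf", "r").lower() == "s",
        "findings": findings,
    }

# Constructed records (assumed domain brand.example).
WEAK = "v=DMARC1; p=none"
STRONG = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@brand.example"
```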
-
Stop using your company's primary domain for cold outreach. Here's why that's killing your deliverability (and your brand):

Your main domain is your reputation. It's where your team communicates. Where customers email you. Where partners reach out. One bad cold email campaign can torch that reputation. Forever.

When you cold email from your main domain:
→ Every bounce damages sender reputation.
→ Every spam complaint hurts your primary domain.
→ Every risky campaign puts your whole company email at risk.

Then one day, your CEO's emails start landing in spam. Your support team's responses get filtered. Your invoices disappear. All because you tried to save $12/year on a separate domain.

The better approach is to buy a secondary domain for cold outreach. Similar to your main domain, but slightly different.
• Main: company.com → Cold: getcompany.com
• Main: acme.com → Cold: acmeteam.com
• Main: brand.com → Cold: trybrand.com

Keep them related but separate.
→ Your main domain stays clean. If something goes wrong with cold email, your primary communications are protected.
→ You can test aggressively. Try new campaigns. Scale quickly. Without risking your core business operations. If a cold domain gets flagged, you can switch to a new one without touching your main brand.

"But people won't trust emails from a domain they don't recognize!" If your cold email is good, they won't care. They care about the value you're offering, not whether you're using .com or .io. And if they do care that much, they weren't going to respond anyway.

The setup:
1️⃣ Buy a secondary domain ($12-15/year)
2️⃣ Set up proper DNS records (SPF, DKIM, DMARC)
3️⃣ Warm it up for 2-3 weeks before sending
4️⃣ Keep your sending volume conservative
5️⃣ Monitor deliverability separately from your main domain

The cost of not doing this: One bad campaign. One blacklist. One spam complaint spiral. Your entire company's email reputation destroyed. Is that worth saving $12/year?

Separate your domains. Protect your brand.

Are you using a separate domain for cold outreach? Or risking your main domain?