Blogging with Lesli Peterson

Navigating the New Google & Yahoo Email Authentication Maze Before the Deadline!

Lesli Peterson

Send us a text

In this episode, we dive deep into the significant policy changes enforced by email giants Google and Yahoo. We explore how these changes will influence email deliverability and what steps individuals and businesses must take to avoid their emails being relegated to the spam folder.

Main Themes:

  1. Stricter Email Delivery Standards: Google and Yahoo are tightening the reins on email deliverability to combat spam. We discuss what this means for the future of email marketing and communication.
  2. The Role of SPF, DKIM, and DMARC: We break down these three crucial acronyms—SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance)—and explain how they contribute to a more secure email ecosystem.
  3. Implementation Challenges: Implementing these new security measures can be daunting. We offer insights into the complexities of setting up SPF, which requires a single DNS record, and DKIM, which is more intricate with its public and private keys.
  4. Impact on Email Marketing: The shift requires businesses to adapt by sending mass emails from their own domains rather than through third-party platforms. We examine the potential impact on services like Drip and MailChimp.
  5. Urgency Due to Deadlines: With a February 1st deadline looming, we discuss the urgency for compliance and what risks non-compliant senders face.
  6. Technical Troubles: Setting up multiple DNS records and managing long character strings can lead to issues. Our episode provides tips for navigating these technical waters.
  7. Complexity for Multiple Domains: For those with multiple domains or separate email marketing accounts, the changes are even more complex. We discuss strategies to manage these complexities effectively.
  8. Importance of Prompt Action: Taking swift action is essential to maintaining proper email delivery. We emphasize the importance of setting up DKIM in particular and what steps to take immediately.

We provide guidance, demystify the technical jargon, and offer actionable advice to ensure your emails continue to reach their intended inboxes.



Grab ALL the freebies I mention on the podcast PLUS so much more. All FREE! Grab it all here.


===== FOLLOW ME =====

FB: https://www.facebook.com/groups/leslipeterson

Podcast: https://podcast.leslipeterson.com/


** Sometimes I link to additional resources, and they may or may not include affiliate links. I'll never link you to anything I don't use myself!

Happy Monday, everybody. Today, we're going to talk about Google and Yahoo's new email delivery standards. A little break in our regular series here, and that's because the deadline for handling that is upon us. You've got to have this issue settled by February 1st. So that's why I want to talk to you today. And I've got a special guest here. It's a very handsome man. He's my husband, guys. Dan, while he does many, many things in all of our businesses, he is specifically the technical backbone to everything we do. So welcome, Dan. Hey, I know you. Yes, so I'm glad you're here to decipher some of this for us. So, you know, there is a lot of buzz going on about these new email standards. Can you tell us what it's all about? Yeah, sure. So first of all, it's important to keep in mind that these standards aren't just about email marketing. They really impact any email that you send from your domain. Oh, like even if I just email to my girlfriend? Yeah, you ever have an email you send to somebody they don't reply in a while, and then you find out it went to spam, or you look in your own spam folder and see stuff wind up in there. These policies we'll talk about should help improve that. Not saying it's gonna completely stop stuff from going to spam that you don't want to, but that's what it's really all about. Yahoo and Google are saying we're gonna really... and they've done some of this in the past. They're just getting more stringent about it. We're gonna look for these certain email policies, they're called, and we'll talk about what those are later. But we're gonna look for these three different policies, and we're gonna use that to a greater effect to decide whether something goes to spam or not. That's what it's really all about. So when you talk about an email marketing system, it gets even more complicated, because most people using email marketing systems like Drip or ActiveCampaign or something like that are using the the EMS's domain as a sender. So that email is really not coming from you when you send out these mass emails. It's coming from their domains, and that affects the policy as well. And that's what... I mean, it doesn't have to, right? If you're special, you can make it come from your own domain. Yeah. And we had an episode a while back where I was saying, like, we don't do that. Like, it's a really good idea to... Before February 1st, before this came about, it was kind of a good idea to just depend on your EMS's domain. Yeah, it was, because you can think about your domain email deliverability standards like a domain authority rating. So, yeah, so they would, you know, use that to say... So most people would go, I'm not really sure. It's not something you could look up, like domain authority. I'm not really sure what mine is. So we know that Drip is a really trusted sender, so we're just gonna use Drip's, you know, deliverability. MailChimp, not so sure about them either way, but yeah. But they're, like, the ones that most larger businesses use would have been okay, like Constant Contact or, you know. For sure, yeah. But what this new policy means, and then this was a bit confusing to me at first, and I had to talk to a couple different vendors to get a handle on it. There's a couple things happening with the policy. First of all, as we talked about, Google and Yahoo are looking for these three particular policies that we'll talk about in a second. But second of all, as it was explained to me by Drip, they're doing something else. They're saying, we're gonna check the email that comes out, and we're gonna say, who is the from address in that email? So, you know... Like, mine would be leslie at leslie peterson dot com. Exactly. They're gonna check that address, that domain, and compare it with the actual sending domain. So what they would do is check leslie at leslie peterson dot com against, if we were using Drip, Drip's sender domain, those don't match. There is a greater, much greater likelihood in that case of that going to spam. So this is a big change for some people, because they're gonna have to not only put these policies in place first, but they're gonna have to switch to their own sending domain. It's called a custom sending domain, using your own domain to send out emails, rather than Drip's or MailChimp's or whatever it is you may be using. Okay, so... Why the hell are they doing this? I think it's a... I mean, I think overall, the more I look at it, it is kind of a good policy. It's, you know, we've all dealt with tons of spam, and it's getting, you know, kind of flooded out there. And I think this will improve things. I don't like, as usual, the timing of this and the communication. I think some of these things, like what I just mentioned, using a custom sending domain, some of it's a bit of speculation right now on the part of the email marketing systems. We're saying with our business, with our email marketing business, we recommend you take these steps. Use a custom sending domain and put the policies in place. Gotcha. Okay, you keep alluding to these email policies. You said you're gonna talk to us about them. So tell us what they are, what they do, what's up with that? Yeah, I won't get too much into the weeds here, but there's three different policies that really, frankly, whether you're doing email marketing or not, you should have in place for your domain. So what we're talking about here is a domain like LesliePeterson.com where you are able to send somebody an email from that particular domain. People do this lots of different ways. We use Google Workspace for this. You could use GoDaddy. You could use CloudFlare. You could use, if you're on a hosting like WP Engine or Big Scoots, they would do this for you. But most people that have larger blogs are gonna have this custom sending domain already. What this is talking about is putting these policies in place on that domain. And again, the policies really are to prevent spoofing. So they're to prevent somebody from coming in and being able to send an email that looks like it's coming from your domain. Not just looks like, but really like it's impossible to fool. So they could really spoof people pretty badly if you don't have any of these policies in place. So that's what the policies do. The policies are about security. The standards that came out are Google and Yahoo wanting to enforce these policies and using the policies to determine if somebody is really a valid sending domain. Gotcha. So there's these rules in place that are good for us to follow. Those are the policies. Yeah, we may or may not follow them. It's probably a good idea to follow them. But now the Google Yahoo police are saying we're buckling down. Correct, right. So here's the different policies. I'll go through them pretty quickly. But the first is a lowest level of security. It's called SPF. It stands for Sender Policy Framework. Okay, write that down people. We're gonna give you some acronyms. It's gonna sound like alphabet soup. Write it down. The first one is SPF. We're not talking about sunscreen. And this is the lowest level of security. It's also the easiest to implement. It involves just adding a single DNS record to your domain. So, you know, wherever you're managing your DNS records, whether that be GoDaddy or somewhere else, you'd add this and then bam, it's in place. That's the first level of security. And again, I won't go into too much detail, but it's meant to prevent spoofing. So when we have to learn what it is we put in our DNS record for that, we have to go to our email. Who's ever hosting our email? Like for us, it was Google Workspace. That's where we find this information. Correct. You would find it there. Yes, but it's easier. There's no authentication involved. It's just adding that record. It is, again, the lowest level of security here. The next one is called DKIM, which stands for Domain Keys Identified Mail. And you could think of DKIM, it's a much higher level of security. You could think of DKIM like SSL for email marketing. So it is actually using keys, public and private keys, to do its thing. And it takes a little bit more setup because not only do you have to add some records to your DNS, which you would get from your email marketing supplier, but you don't have to validate that. So you simply put the record into the DNS, and then you click validate in whatever it may be. And it could take anywhere from 24 to like 72 hours to make this happen for them to go in and validate this. So this is the most complicated thing, I would say. People have issues with it because they cut and paste. It's a very long string of characters into their DNS. And sometimes there's a carriage return that gets stuck in there when you cut and paste. And so that's something to keep an eye out for that and make sure that it's, you know, you don't have any special characters or anything in when you cut and paste. But if you're able to add things to your DNS record, you can make this happen pretty quickly, you know, as well. And you would recommend this over the SPF, obviously. Yeah, well, yes. You want to have all three of these. Oh, okay. And you know, if The reason is that Google and Yahoo are looking for all three. Okay. I would say if it wasn't for the Google and Yahoo thing, you could get away with not having SPF and just DKIM. But it doesn't hurt to have all three. Okay. Okay. So we talked about SPF. That's the That's just the DNS record. We talked about DKIM. That's the DNS record that's validated. Yeah, and it's more of a shared key type of thing. So it's a certificate. It's like SSL, right? Yeah, and then the next one is the word we keep hearing everywhere, DMARC, right? Yeah, DMARC is, and that's a big one that these places are looking for. So, so first of all, you want to have the SPF and DKIM in place and working before you do DMARC. You want to have all that done. Oh, geez, it's a good thing we're talking about this now. So DMARC is pretty simple. So DMARC is, you guessed it, another DNS record that you have to add. But this record contains an email address or a list of email addresses. And what that's doing is saying, okay, the email marketing tool, whatever, has flagged something as being spam or flagged something that violated one of those SPF or DKIM policies. What administrator do I now email to say there's a problem? Okay, so you're basically putting your own email address in there. You put your own email address, but the other thing that happens a lot, like if you're using, like, let's say Cloudflare for your DNS, the tools like that have analytics. And so you could put their email address in as well, a special email address they give you, and that would, they would use that and take the logs coming in through email, basically, to compile analytics where you could look at on the screen without having to reading through logs or reading through emails. You could look at the screen and figure out what's going on. So that's called DMARC. And that's, again, they are, again, Google and Yahoo are looking for these policies to be in place to decide whether your email goes into somebody's spam or not. Okay, so forgive me for asking this. Three policies, SPF, DKIM, DMARC, D-M-A-R-C, we didn't say what it stands for, Domain Based Message Authentication, for all you nerds out there. But each one of those, you talked about a DNS record. Is it three DNS records, or is it one DNS record you're doing all this with? Yeah, it's actually more than three because SPF would probably have one record, DKIM would likely have more than one record, and DMARC, you know, would have one record. So it could be, could be more than three, is what I'm saying, depending on what they tell you to set up. Now, that's the policies. Remember, you started out talking about email marketing and using what's called a custom sending domain. So this is the big change for a lot of folks. Okay, so setting those up, setting those three things, policies up, is just step one. Just step one. You want to do that, again, whether you're using email marketing or not, you're going to want to set up those three policies. Okay. Now, if you're using an email marketing system like Drip that we use. You guys better be using an email marketing system. Yeah. They are requiring that you use a custom sending domain. That means. So this is step two now. Step two. Instead of using Drip as our sender, we would now be using LesliePeterson.com as the sender. So that involves, you guessed it, adding even more DNS records. This is where it could be two or three records. So, you know, whatever the system may be, they'll give you whatever those DNS records are. You put them into your DNS. And then in that tool, like we did it in Drip, in Drip, you'd think you'd click authenticate. Drip would go out and look for those DNS records, authenticate them. Bam. Now, you're able to use your own domain to send out the bulk emails. And that domain should have all three of those policies in place. Right. As you did that first. So you should be good to go. So I think it's a good change. I just don't like, as usual, the timing of all this. So we have a lot of clients. It can be complex. Takes a little bit of time. We have lots of people just really confused about it all. They don't even know where to start. And they could have, like, kind of given people some more warning, I think. Right. I mean, the policy effectively came out last October. It started gaining traction with the email marketing tools later. I think that's because they started to realize that custom sending domains are now necessary. Oh, they thought that because, because, for example, we use Drip. Drip has a DMARC record. So they thought, oh, OK, well, we're OK. Yeah. And that's where it gets a little hazy. But yeah, the feeling is that Google and Yahoo are also going to check to see that it's coming from your own custom sending domain and check for those three policies. So that's really the big change. OK. So one other question. When we send emails, we send emails, like I send the people on our podcast an email from lesliepeterson.com. You send emails from our Sunset Digital Marketing business. I have emails going out from 365 Atlanta Traveler and sometimes 365 Traveler. So we have four domains that we send emails from. So what the heck? Yeah, I mean, it depends. So for some of those, we have separate email marketing accounts. And that kind of, you know, keeps all those separate. But if you're sending, if you're sending emails from one email marketing system and you're using a couple of domains, you want to add those two domains as custom sending domains. So two different domains to send from. But furthermore, you're really going to want to make sure when you send out a bulk email that you're sending it where the custom sending domain matches the from email address that you're sending from, which should be the case anyway, you know, because you don't want to confuse people. But if you're if, for instance, if we had lesliepeterson.com and Sunset Digital Marketing on the same drip account, we would want to add both those custom sending domains and whatever email goes out, you're going to want to make sure that they match like the lesliepeterson emails match the lesliepeterson.com domain. Right, so make sure I'm changing the from address. Yeah, which you should be doing anyway. But but yeah, that's another key point there. Crazy. Okay, step one, set up the three policies. Step two. So instead of the three policies, you're going to have to talk to whomever manages your email stuff. Again, for us, that's Google Workspace. You said some other places that manage it would be like GoDaddy does it, WP Engine does it, Cloudflare do these things. Yeah. Okay. And I know there's some of you out there who have an email address like 365 Atlanta family at gmail.com, for example. So yeah, usually, usually the EMS system wouldn't have let you send from that Gmail account anyway. But you're if you want to do email marketing, and friend, you want to do email marketing, you need to to get an email where the domain matches your URL. For sure. Yeah, right. Okay, so then contact the company that you're doing that with. Get those three policies set up. And then so you might need their help to figure out what to do. So let me clarify some of that. It's really only the DKIM that you need their help on. Oh, really? Okay, that's because that's the one that's like SSL and it gets it has to be validated. So SPF and DMARC are simply adding DNS records to your account. Now, you could they'll tell you what those records should be, right? Okay, yeah. So that's that's an important part of it. And then you can go into your own EMS system and set up your custom sending domain when that's done. Correct. And then when February 1st rolls around, we just see. But there and again, the thing is nobody is 100% clear. Right. As usual. Yes. With Google. But we're, I would, what do you think Dan, 80% confident that this is that it will hurt you if you don't do this? Yeah. And again, forget about email marketing for a second. I mean, you don't want your messages going to spam wherever you send them from. So it's important to do these things. I think that I think the ambiguity lies again in are they going to make sure that you have to have a custom sending domain? And we're just saying, yeah, go ahead and have a custom sending domain now, because that all signs point in that direction. And if we're right, by means of all the experts that you've been talking with are right. Yeah. And the way they've interpreted this new thing, then after February 1st, the implication is that many, many more of your sends will be going into spam for people, right? Do you think they'll even be like, maybe not delivered? Or just go to spam? Do you think that's, yeah, I think there's balances that could happen as well because of that. Yep. They, there's, there's a couple of different options there. They could go to spam or they could just be undelivered completely. Interesting. Okay. Okay, friends. So get to work on that and we'll keep you posted if we learn anything else. But this is, you know, this is really important guys. And because of that, you know, 24 to 72 hour timeframe for getting validation, if you don't have the DKIM set up already, you're going to want to get started on this now so that you have time to get all that set up. Okay. Thanks, Dan. I'm so, I liked having you on the podcast. I'll have to have you on more often. Sure. Okay, everybody. Thanks again. Sorry for the interruption of the series, but I think this is really important and look forward to hearing about how it's going for you. Bye.

People on this episode