Email Authentication

Starting from February 1st, Gmail and Yahoo are making some big changes to their policy. But the no.1 requirement is one too technical for most marketers: “Authenticate outgoing emails setting up SPF, DKIM, and DMARC” Here’s what all those terms means, and what you need to do to make sure your emails continue to reach your users: What email clients want is for a way to check the “authenticity” of your emails. So they ask you to set up these authentication techniques: 1. SPF allows a domain to specify which IP addresses can send that mail. It’s like specifying which ‘postman’ is allowed to deliver the mail. 2. DKIM is like a digital signature. Imagine a seal on the envelope telling you its contents were not altered. 3. DMARC is a policy that decides what to do with the mail if both SPF and DKIM fail. *** How can you check if your email is authenticated as a sender?  1. Open an email in your desktop  2. Click the three dots on top right  3. Click “Show original”  4. Should show PASS for SPF/DKIM/DMARC *** Besides having these in place, here are some other recommendations in the recent updates by Gmail & Yahoo: 1. DMARC policy of p=none is enough for now. DMARC policies can be of different types. In ‘p=none’, you don’t take any action against emails that have failing SPF/DKIM. But you receive reports to keep an eye. But if your brand has already seen phishing emails being sent in your name, it’s better to switch to p=reject/quarantine.  2. Separate email types by IP or DKIM domain I.e., don’t send marketing emails and transactional emails from the same source. It ensures that any negative response to a marketing campaign doesn’t also lead to your important transactional emails to land in spam. *** None of these requirements are new. They were just more often called ‘best practices.’ If you need any other questions about these changes, ask away in the comments below

Your inbox warm-up is training providers to distrust you. (I'm talking about warming up new sending domains / inboxes for cold or outbound email — not newsletters.) Agency owners tell me this weekly: → "We warmed it up for 3 weeks" → "Open rates still tanked" → "Outlook keeps flagging us" Their warm-up did exactly what it was designed to do. The problem? It was designed without real deliverability infrastructure. This is where tools like Warmy.io - Email channel. Reliable. come in — not as a growth hack, but as the control layer between your domains and inbox providers. Reality #1: Volume ramp ≠ reputation engineering → Day 1: Send 10 → Day 7: Send 25 → Day 14: Send 50 → Day 21: Still flagged That's not warm-up. That's guessing with your domain. Reality #2: Generic warm-up creates generic signals Most inbox warm-up fails because it produces: → Shallow engagement patterns providers learn to discount → Repetitive behavior that looks automated at scale → No provider-specific logic (Gmail ≠ Outlook ≠ Yahoo) → No monitoring. No alerts. No guardrails. Inbox providers don't reward activity. They reward believable, consistent behavior over time. Reality #3: Authentication ≠ inbox placement I've audited sending domains with: → SPF / DKIM / DMARC valid ✓ → Domain health marked "high" ✓ → Inbox placement above 90% ✓ Still landing in spam. The difference between inboxes that recover and inboxes that burn? Controls. Monitoring. Observability. Not copy. Not timing. Not subject lines. What real inbox warm-up infrastructure looks like (how I use Warmy): → Provider-weighted logic (Gmail tolerance ≠ Outlook tolerance) → Continuous domain + inbox reputation monitoring (catches drift before damage) → Inbox placement testing by provider (not averages) → Dynamic warm-up control (auto slow-down when signals dip) → Real-time alerts (before domains get burned) → Seed lists designed for realistic engagement Cold email doesn't fail at send time. It fails weeks earlier — during warm-up. The fix isn't "write better emails." The fix is treating deliverability like infrastructure. 🔗 Try it yourself 👉 Explore Warmy here: https://lnkd.in/gGZzMhv6 Free 7-day trial — see inbox placement by provider before you scale outbound.

Attackers can send emails that look like they’re from your company without ever touching your systems. They spoof your domain, impersonate your executives, and target your customers. This can turn into real financial loss. Customers pay fake invoices. Vendors update payment details based on a fraudulent message. Employees get pulled into credential or payment scams that look legitimate. For a small business, that can mean lost revenue, recovery costs, and operational disruption. Email authentication helps reduce this risk. SPF and DKIM verify sending systems. DMARC ties it together and tells receiving servers how to handle messages that fail checks. When configured and enforced, many spoofed emails can be filtered or blocked before they reach inboxes. It also gives you visibility into who is trying to use your domain. It’s worth checking where you stand: Ask your MSP or IT team if SPF, DKIM, and DMARC are configured and actively monitored. Confirm your DMARC policy is enforced, not just set to monitor. Make sure you can review and act on DMARC reports. This is basic protection that’s easy to put in place, inexpensive to maintain, and can make a meaningful difference, especially given how much business communication and payments still rely on email. Learn more here: ➢ FTC: "How to Stop a Would-Be Business Impersonator" https://lnkd.in/gfjq6eEu ➢ FTC: "Email Authentication" https://lnkd.in/gmZuyxFj #Cybersecurity #EmailSecurity #EmailAuthentication #SmallBusiness #BusinessRisk

1. SPF (Sender Policy Framework) 🔹 Purpose: Prevents spammers from sending messages on behalf of your domain. 🔹 How it works: The domain owner publishes a list of IP addresses (in DNS) allowed to send emails from that domain. Receiving servers check if the email’s sending server is on the list. 🔹 Pass/Fail Decision: If it’s not on the list, SPF fails. ✅ Good for: Detecting forged sender addresses in the envelope. 2. DKIM (DomainKeys Identified Mail) 🔹 Purpose: Ensures that the content of the email hasn’t been altered. 🔹 How it works: The sender’s server adds a digital signature (private key) to email headers. The receiver verifies the signature using a public key stored in DNS. 🔹 Pass/Fail Decision: If the signature matches, the email is valid. ✅ Good for: Verifying message integrity and authenticity. 3. DMARC (Domain-based Message Authentication, Reporting, and Conformance) 🔹 Purpose: Combines SPF and DKIM to enforce domain policies. 🔹 How it works: Domain owners publish a policy in DNS (e.g., reject/quarantine unauthenticated emails). DMARC checks if the email passes SPF or DKIM and if the domain in the "From" address aligns. 🔹 Reports: Domain owners get reports on who is sending mail on their behalf. ✅ Good for: Domain protection and visibility into email spoofing attempts.

I thought great copy was the secret to cold email. Then I realized 80% of my emails were landing in spam. Here’s what we found: 1️⃣ Domain protection is the #1 lever for deliverability → Most teams burn their main domain without realising it. Once a domain is flagged, everything gets filtered (even normal emails). We run 100+ secondary domains to protect our brand and reduce risk. Tool stack: Google Workspace, Namecheap, Warmup tools Next step: Move every outbound sequence off your primary domain. 2️⃣ Safe volume beats high volume → Sending 500 emails/day from one domain is the fastest path to spam. Deliverability collapses instantly. We spread volume across hundreds of mailboxes and stay under 40/day for each. Impact: Fewer red flags, higher trust, better inbox placement. Next step: Audit how many sends each domain is doing right now. 3️⃣ Authentication is non-negotiable → SPF, DKIM, and DMARC are the foundation ESPs check before letting anything through. Without proper authentication, you look suspicious by default. Tools: dmarcian, Google Admin, Cloudflare Next step: Run a deliverability test and fix whatever shows up in red. 4️⃣ Warm-up → Most domains get burned because people start sending too early. ESPs need time to trust you. We warm each domain for two full weeks before sending anything. Why it works: Slow ramp-up = better deliverability. If you just bought a domain, don’t touch it for 14 days. 5️⃣ Natural variation reduces spam triggers → Sending the same message repeatedly creates patterns that ESPs flag. You need micro-variation to look human. We use subtle spintax + a few message versions per campaign. Tools: Instantly.ai, Smartlead Next step: Add small variations to your first lines and CTAs. 6️⃣ Clean tracking protects your domain reputation → Tracking links are an instant red flag. Most agencies don’t realize this. We use custom tracking domains or disable tracking entirely for key campaigns. Next step: Replace all generic tracking links. The results: → 500,000+ emails/month reaching real decision-makers → Higher inbox placement across every ESP → Predictable revenue for ColdIQ clients → Stable domain health across all mailboxes Deliverability isn’t the flashy part of outbound, but it’s the part everything else depends on. If you want our 7-day GTM deliverability setup (domains, warm-up, templates, monitoring tools)... drop me a message, happy to help.

It’s official: email best practices are no longer best — they’re required. Here’s why... Microsoft recently announced new bulk sender requirements that mirror the ones Google and Yahoo rolled out last year. And they aren’t just doing this for fun, promise. They’re doing it because too many senders ignored best practices when they were optional. So, now they’re mandatory. ¯\_(ツ)_/¯ Starting May 5th, if you’re sending more than 5,000 emails a day and not following the rules, Microsoft’s going to start rejecting your mail. Not junking it. Rejecting it. And I wanna be clear here: this isn’t coming out of nowhere. The writing’s been on the wall for a while... and mail has been silently filtered away from the inbox all this time. Now it's just that the rules aren't written in invisible ink! So, what are these rules I speak of? 💌 Authentication (SPF, DKIM, DMARC) Yes, we’re still talkin’ about this… get used to it. Microsoft wants the same setup Google and Yahoo asked for. If your domains aren’t properly authenticated and aligned, your deliverability will suffer. 💌 Valid “From” and “Reply-To” Addresses Microsoft wants to make sure that when someone replies to your message, there’s someone on the other end. No more sending from a “noreply@brand.com” black hole. 💌 One-Click Unsubscribe (RFC 8058) They’re cracking down on bad unsubscribe flows. Make it easy. No weird hoops or loops or “oops, we need 10 days to process your request.” Just a simple unsubscribe option that actually works. If you’re already sending it right (ahem, compliant with Google and Yahoo’s requirements), this is mostly a “cool, cool, carry on” moment. But you’ll need a whole lotta margaritas and tacos to overcome your sorrow if you’ve been dragging your feet. May 5th (ahem, cinco de mayo!) is not the day to find out Microsoft doesn’t play. What happens if you’re not ready? If you need help figuring out where you stand, here are a few fast checks: ✅ SPF, DKIM, and DMARC passing in headers? ✅ “Reply-To” address monitored and functioning? ✅ One-click unsubscribe live and working? ✅ Lists clean and bounce/spam complaint rates under control? If not, now’s the time to fix it. Not next week. Not next quarter. Now. TLDR: if you’re not sending responsibly, you’re not sending at all. Because come Monday — yes, THIS Monday — non-compliant mail will be rejected at the door. No inbox. No spam folder. Just blocked. So, get it together, you (not so) filthy animals! LinkedIn says I’m outta characters, but if you need tool recommendations or a second set of eyes on your setup, I'm happy to help. Reach out, email scout. 💌

We send 800k+ emails a month, and I have spent the last 2 years understanding every reason for emails landing in spam. Today, I am sharing all the good resources I found during this journey! Most emails don’t get blocked because you’re a spammer. They get blocked because you missed one tiny config buried in a 20-year-old spec. Email delivery feels a little like a black box! Old docs, conflicting advice, and invisible rules. So sharing the list I wish I had when we started. 1. LearnDMARC (learndmarc.com) - An interactive visualizer that makes SPF, DKIM, and DMARC simple and easy to understand. 2. Postmark’s “Why Emails Go to Spam.” - The clearest explanation of sender reputation, content filters, and engagement signals. 3. MXToolbox - Debug SPF/DKIM/DNS issues 4. Mail-tester.com - Send a test email, get a deliverability score. My go-to before every big template change. 5. Google Postmaster Tools - Gmail’s own dashboard for domain reputation. No more guessing. 6. RFC 5321 (SMTP spec) - Yes, this feels intimidating. But even skimming it gave me massive clarity on how email really works. 7. Spamhaus blog: Word to the Wise - Insights on sender reputation straight from the people who run the biggest blocklists. This is one of the best blogs I have found on the internet! Email isn't glamorous. But it’s critical infrastructure. And most of the knowledge is scattered across forums and old blog posts. If you’re building anything that sends email, save this! It’ll save you a loooot of time debugging!

Before copy, before offers, before personalization… your emails need to land in the inbox If you're doing [X] - sending emails straight from a fresh domain without setup Switch to warming and proper infrastructure first, because inbox providers will flag you immediately. 1. Disable Tracking Links Tracking pixels and link tracking often trigger spam filters. They add extra redirects → suspicious behavior They signal “mass outreach tool” What works: Use plain links or no links at all in the first email. Focus on getting a reply, not a click. 2. Use Multiple Mailboxes per Domain One inbox blasting emails = high risk. Spread volume across 2–3 inboxes per domain Example: john@ mike@ Why it matters: Lower activity per inbox = more natural sending pattern. 3. Mix Google and Outlook Accounts Email providers watch patterns. If all your emails come from one ecosystem, it’s easier to detect. Better approach: 50% Google Workspace 50% Outlook This creates diversity and reduces risk signals. 4. Warm Up Your Domains (Minimum 2 Weeks) New domains have zero trust. If you're doing [X] sending emails immediately after setup - switch to warming first, because cold domains get flagged fast. Simple process: Start with 5–10 emails/day Gradually increase Use real conversations or warm-up tools Goal: build history that looks human. 5. Use Separate Domains for Outreach Never send cold emails from your main domain. Why: Protect your brand domain reputation Avoid affecting your core business emails Example: Main: yourcompany.com Outreach: yourcompany.co / getyourcompany.com 6. Set Up SPF, DKIM, and DMARC Properly Skip this and your emails won’t be trusted. These are your authentication signals: SPF → confirms sender DKIM → verifies message integrity DMARC → tells servers how to handle failures No setup = low deliverability, even with great copy 7. Keep Volume Low (Max ~20 Emails/Day per Inbox) More volume doesn’t mean more results. Among outbound campaigns, accounts sending lower daily volume tend to last longer and perform better. What works: 10–20 emails per inbox per day Scale by adding inboxes, not volume That's it!

Your emails are going to spam because of your DNS records, even with SPF, DKIM, and DMARC configured You did everything right. — SPF? ✅ Passed. — DKIM? ✅ Passed. — DMARC? ✅ Configured. Yet, your emails are still landing in spam. What’s going on? 🔎 Alignment Google (and other providers) don’t just check if SPF and DKIM pass They check if they’re aligned with your “From” address If they’re not? Your email looks spoofed Even if it’s 100% legit 📌 Look at the screenshot. — SPF ✅ — DKIM ✅ — Alignment ❌ → Google throws a warning. DMARC is only fully effective when SPF or DKIM aligns with the “From” domain. If they don’t match? Spam. This is why so many emails fail silently—they pass authentication but still get filtered. How to Fix It? — Make sure your sending domain is consistent across SPF, DKIM, and “From.” — Use strict alignment in your DMARC (aspf=s; adkim=s) if you want real protection. — Check your email headers. Gmail → “Show Original” → Look for domain mismatches. Most people think just setting up SPF, DKIM, and DMARC is enough Or worse, they *think* they're aligned. It’s not. Alignment is the missing piece Fix it. Get out of spam because of technicalities If you need help figuring out if your DNS records are aligned, drop me a comment and I'll do a quick audit for you :D

If you’re still sending email from an onmicrosoft.com address, Microsoft is tightening the rules. This matters because your messages could start getting throttled or blocked, which means invoices, password resets, and customer updates might never arrive. Microsoft’s goal is to stop spammers who spin up fresh tenants and abuse the shared onmicrosoft.com domain. But the side effect is real organizations will see lower deliverability and limits on bulk or automated sends until they move to a proper, verified domain. What’s changing? Microsoft is putting sending limits and stricter checks on any email that leaves an onmicrosoft.com address. Because it’s a shared domain used by millions, one bad actor can hurt the reputation for everyone. The fix is simple but urgent: switch to your own branded domain and set up modern email authentication (SPF, DKIM, and DMARC). That tells receiving mail systems, “Yes, this is really us,” and helps keep your mail out of spam and off block lists. What should you do now? Audit where onmicrosoft.com shows up—service accounts, no-reply inboxes, ticketing tools, scanners, CRM alerts, and scripts. Register or connect your custom domain, add the DNS records, and rotate apps and automations over to the new addresses. Test mail flow, watch for bounce backs, and update address books, forms, and templates. Train your team so they know which sender addresses are approved going forward. A little cleanup today will save a lot of missed messages tomorrow. #Microsoft365 #EmailSecurity #ITAdmin #ChangeYourPassword Follow me for regular updates on Microsoft 365 changes, security tips, and clean-up checklists that keep your org’s email flowing.