Get pro WordPress tips or your money back!

SPF, DMARC, and DKIM Oh My! Our Top Tips to Keep Your Email Out of the Spam Folder

Today we’re going to show you how to keep your email out of the spam folder. A constant frustration that our customers deal with is building a solid email list, sending out a campaign, and getting crickets in return.

Eventually they find that a bunch of the people they’re sending to aren’t even receiving their emails. This isn’t a problem like not having their SMTP Settings configured correctly. Emails travel just fine, but they get filtered out by those dreaded spam filters.

It’s frustrating for sure, but it’s a winnable battle. Today I’m going to show you how to keep your email out of the spam folder for good. We’ll go through the reasons the spam filter is catching your emails, and what you can do to make sure it doesn’t happen again.

Why are your emails getting marked as spam?

screen shot of spam folder in an email client
I wish I only had this much spam

The first thing we need to dive into is why your beautifully written and well-designed emails land in the spam folder in the first place.

I don’t want to go into too much detail here, but we’ll do a quick crash course on how spam filters work. If you want to learn more about some of the specifics, this article from Mailchimp is a good breakdown.

How spam filters work

coffee filter on top of coffee pot
That’s the bad stuff. We don’t wanna drink that.

Think of your spam filter like you would a coffee filter. Believe it or not, coffee filters don’t only filter out things that would be unpleasant to drink, they filter out oils that can be harmful to your health too.

Spam filters do essentially the same thing. Anything that can potentially do damage to your computer, your eyeballs, or your soul is filtered into an isolated area that’s meant to never be seen again.

Spam filters use a variety of variables to give the emails that you’re sending a spam score. Then, based on that spam score, they either allow the email into the inbox, or filter it away into a separate folder.

Key indicators that will increase your spam score

Here are some of the key factors that a spam filter looks at when it’s receiving inbound messages:

  • Are you using their real name in the TO: field?
  • Is your email address in their contacts list?
  • Are your recipients opting in to your email correspondence? Or are you sending without their permission?
  • Is your server IP address trusted? Or is it questionable?
  • Are you sending to a private domain name, or something like @gmail.com or @outlook.com?
  • Are you sending from a “verified domain”? We’ll talk more about what that means in a minute.
  • Are you using shortened links in your email campaigns?
  • Is the code in your emails sloppy?

There are a number of other variables that come into play as well, but these tend to be the biggest factors. Being able to keep all of these items in check will almost always ensure your emails land where you want them to, in your customer’s inbox.

What happens if I don’t comply?

Because it’s important, I want to take just a minute and tell you what happens if you don’t keep tight control of your list, validate your domain, or verify your recipients actually want to be receiving your email.

Eventually you’ll end up on the internet’s version of the FBI most wanted list: a spam blacklist.

How spam blacklists work

Email slot on old door
Your email isn’t getting through here

A spam blacklist is an index of IP addresses that are known for spamming. Large ISPs use spam blacklists like SpamCop, Spamhaus, and URIBL. Spam filters check incoming mail against those lists, and if there are any matches, they flag the mail as spam and filter it away from the inbox.

You don’t have to be part of a Romanian hacker group to end up on these lists. Simply being careless with your email list can land you on the same blacklist, and getting removed isn’t a fun process. We’ve helped lots of clients who have great email lists get back into good graces with these blacklists. The clients weren’t doing anything malicious, they just got flagged one too many times and ended up in a situation where all their emails ended up as spam.

CAN-SPAM Act

Not this kind of can spam

Beyond all of the technical reasons your emails may get marked as spam, this seems like a really fitting place to mention the CAN-SPAM Act. If you’re in the United States, you must comply with FTC regulations when sending any kind of commercial email. You can read through the full regulation here, but the basic gist is to be a nice person and respectful of your email recipients. Not that hard, right?

Here are a few key points:

  • Don’t intentionally misidentify yourself
  • Don’t use deceptive subject lines
  • If the message is an ad, identify it as such. There are a lot of different ways to go about that, but it is a requirement.
  • Your message must include a valid physical address for where you’re located
  • Tell recipients how to opt out of receiving future emails
  • Honor those requests quickly – We all love seeing the “it may take 28 business days for you to be fully removed from our system.” Bleh.
  • If you outsource, keep tabs on the company mailing in your behalf

That’s pretty much it. It basically boils down to “don’t be a jerk.” The good news is that I know none of you are jerks, so we can move past this now.

P.S. You’re not off the hook if you’re in Canada or Europe. Both places have similar laws in effect.

Tips to Keep Your Email Out of the Spam Folder

OK, we’ve done all of our homework, and we know the problem we’re solving, so now we can get to fixing. As promised in the headline, here are our top tips to keep your email out of the spam folder.

Get to know the people you’re sending to

You don’t have to become BFFs with every person who subscribes to your email list, but the more information you can collect, the better.

At a bare minimum, knowing the first and last name of each person who subscribes to your email list will be a huge help in making sure your messages aren’t filtered into oblivion.

I remember reading a blog post from Brad Touesnard of Delicious Brains. In it, he talks about how when he was first starting out he’d manually gather the names of people he was sending to, and match them to their email addresses. I’m sure it was an incredible amount of work, but the end result is that I get a nice, personalized email from Brad every time they publish a new article.

screenshot of a nice email
Isn’t this a nice experience?

In his own words:

On April 16 we launched, and I very carefully crafted an email that I sent out to our subscribers. We had 400 subscribers. Which is not a lot, so you really have to value those. I went through every one that had a missing first name and I tried to discern what their first name was. So, I could say “Hi Joe” or whatever that is. I think it’s “Joao”.

Not only does knowing who you’re sending to create a better overall experience, it also verifies to spam filters that you have a connection with the recipient when you’re using their name in the TO: field.

Content Formatting Matters

Screenshot of visual editor
Image courtesy of mailchimp

Are you copying and pasting your email newsletters from a Word Document? If you are, please stop doing that. It jumbles up all of your code, and increases your email’s spam score. If you’re pasting content from Google Docs you should be ok.

I could get into a lot of the technical details, but generally speaking, create your emails using valid HTML, and if you don’t know how to code, be sure to use the visual editor provided by your email provider (Mailchimp, MadMimi, etc).

They build their editors in a way that generates beautiful templates that shouldn’t increase the risk of any of your email campaigns.

Get recipients to add you to their contacts

Unfortunately there isn’t a quick way to get recipients to add you to their contact list. It’s going to require some work on their end.

A few things that might help boost that conversion would be to link them to relevant resources. For example, here are a few videos showing people how to add contacts in some of the more popular email services and clients.

Or you could even create a cool gif that you can drop right into the emails you’re sending. I created the one below using RecordIt (it’s free).

And just for good measure, here are a few articles on the subject that you can send to your customers so they know how to easily get you into their contacts book.

Be sure to have recipients opt in to your email lists

Gif of Patrick Stewart saying "Go Away"
Patrick Stewart really hates spam

I’m sure most of you know this already, but don’t buy emails and spam blast unsuspecting recipients. There’s nothing people like less than being blindsided by a promotional email from a company they know absolutely nothing about.

Email recipients should opt in to your newsletter, not opt out once they’ve been thoroughly annoyed.

While the obvious reasons of annoyance should be enough to deter you from the spray & pray email sending approach, there are also business reasons. The more people you have marking your correspondence as spam, the quicker you’re going to end up on a spam blacklist.

It seems obvious, but we still see it a lot more than we should be in 2016.

Know who is sending email in your behalf

Screenshot of mxtoolbox.com blacklist tool
Everything is in the clear!

Most of us use trusted third parties to send our email for us. When I say trusted third party, I mean a service like MailChimp, SendGrid, Sparkpost, Amazon SES, etc. All of these services have entire teams working to verify that the servers that are sending out emails in our behalf aren’t blacklisted, or even gray listed.

We use MailChimp for our marketing campaigns, and Sparkpost for all of the transactional email on our website (delivering leads, responding to comment threads, etc). We’re really happy with both.

If you’re sending email from a server that you own, or using some other method, I’d strongly recommend moving to one of these other services. Not only because they simplify the entire sending process and are going to save you time, but also because they go out of their way to stay in good graces with spam black lists.

If you suspect your sending email servers may be blacklisted, you can check to see if your domain, or server (you’ll need the IP address) are found on any blacklists.

Use this tool from MXToolbox to see if any of your email servers are blacklisted. It checks against all of the biggest black lists and verifies your domain is in the clear with a green checkbox. Go figure.

Bulletproof your sending domain by getting verified

This is where we get into the nitty gritty. We’re going to go through and verify your domain using SPF, DKIM, and DMARC. Every one of these fancy acronyms adds another level of authentication to your domain, and does wonders for keeping your emails out of spam folders.

Each layer of authentication is another step closer to a very low spam score, and drastically reduces your risk of missing the inbox. If for whatever reason you can’t implement all of the different verification methods we’re going to cover, definitely implement the ones that you can. This isn’t an all or nothing game. You can implement two out of three and be much better off than when you started.

If you can implement all three you get a gold star, and my personal guarantee that you most likely, probably, won’t get any of your emails marked as spam. Now let’s get to work!

Implementing Sender Policy Framework

counterfeit passport being made
We don’t want people putting their faces on our domain

Sender Policy Framework, or SPF has been around for quite a while. It’s designed to protect senders against address forgery.

Forgery is exactly what it sounds like. Basically, a hacker or some kind of malicious bot can attempt to spoof your domain name to make recipients believe the email is coming from you, even when it isn’t. Large brands and government agencies are especially susceptible to this. People are going to be much more trusting of an email coming from healthcare.gov than they are from healthcareluv4u.ru.

SPF is a technical standard that allows you to specify which domains can, and which domains cannot send email in your behalf.

Setup and Configuration of SPF

For example, at WP Site Care we allow a few external services to send email in our behalf. Google Apps, Help Scout, SparkPost, and BidSketch are all approved senders, so we’ve added the following as a TXT record to our domain.

"v=spf1 include:_spf.google.com include:helpscoutemail.com include:_spf.bidsketch.com include:sparkpostmail.com ~all"

Essentially this says that any of those domains can send email in our behalf, and no one else can.

Generating SPF records when you have multiple approved senders can get a little bit tricky. If you get stuck at any point, you can use a tool like the SPF wizard to help you know which TXT record to add to your domain.
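
As an added illustration (not WP Site Care's own code), the Python below lints the record above offline: it lists the include: targets, counts the terms that trigger DNS lookups (RFC 7208 allows at most 10 per check), and reports how the closing "all" term treats every other sender. With ~all, mail from unlisted servers only soft-fails; the -all variant is constructed here for comparison.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the article, plus a constructed variant that ends in -all.
PAGE_RECORD = ('"v=spf1 include:_spf.google.com include:helpscoutemail.com '
               'include:_spf.bidsketch.com include:sparkpostmail.com ~all"')
STRICT_RECORD = PAGE_RECORD.replace("~all", "-all")


def audit_spf(record: str) -> dict:
    """Lint one SPF TXT record offline; nested includes are not resolved."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    includes, seen, lookups, all_result, findings = [], set(), 0, None, []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        seen.add(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(body.partition(":")[2])
        elif name == "all":
            all_result = QUALIFIERS[qualifier]
            break  # mechanisms listed after "all" are never evaluated
    if all_result is None and "redirect" not in seen:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif all_result == "softfail":
        findings.append("~all: unlisted senders only softfail; -all fails them")
    elif all_result in ("pass", "neutral"):
        findings.append("the 'all' term does not restrict unlisted senders")
    if lookups > 10:
        findings.append("over 10 DNS-lookup terms: receivers return permerror")
    return {"includes": includes, "lookups": lookups,
            "all": all_result, "findings": findings}


if __name__ == "__main__":
    for label, rec in (("page", PAGE_RECORD), ("strict", STRICT_RECORD)):
        print(label, audit_spf(rec))
```

Each include: target publishes its own SPF record, and the lookups inside those records count toward the same limit of 10, so the number reported here is a lower bound.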

Here are a few additional resources for adding SPF records to allow popular third party services to send email in your behalf.

DKIM Authentication

Man sitting in front of a computer
Fancy code things photo because I’m gonna mention cryptography

DKIM, or DomainKeys Identified Mail is a little bit like SPF, in that it prevents spoofing and misuse of a company’s domain. However, it’s a little more sophisticated, and uses signatures and cryptography to create a handshake between the message that’s being sent, and the domain that it’s coming from.

This handshake or authentication happens every time that an email is sent from a server, ensuring that the authorization is still valid, and thus keeping your spam score down.

Pretty much every major organization and protocol supports the DKIM standard. Its setup is very similar to the setup we used for SPF. We add support for DKIM by adding a new TXT record and a new CNAME record to our domain. The service that you’re authenticating should provide you with a domain key.

The main difference between SPF and DKIM, from an implementation standpoint, is twofold:

  1. You’re adding two domain records instead of one (CNAME and TXT)
  2. Every service will provide you with a unique domain key, instead of combining them all into one entry like we did with SPF.

Here’s an example of a domain key set:

_domainkey.yoursite.com TXT "t=y; o=~;"
200608._domainkey.yoursite.com TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGoQCNwAQdJBy23MrShs1EuHqK/dtDC33QrTqgWd9CJmtM3CK2ZiTYugkhcxnkEtGbzg+IJqcDRNkZHyoRezTf6QbinBB2dbyANEuwKI5DVRBFowQOj9zvM3IvxAEboMlb0szUjAoML94HOkKuGuCkdZ1gbVEi3GcVwrIQphal1QIDAQAB;"

Note: These are just samples. Every domain will have a unique set of keys. These keys will do nothing to help you implement DKIM.

You can check to make sure you have DKIM setup correctly at MXToolbox.
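
One check worth running on any key record a service hands you is the size of the RSA key inside the p= tag. The Python below is an added example (not from the article's author or any provider) that decodes the sample record above with a small hand-written DER reader and reports the modulus size; it assumes an RSA key (k=rsa), and the verdict thresholds follow RFC 8301.

```python
import base64

# Sample selector record from the article (an example key, not a live one).
PAGE_RECORD = (
    "k=rsa; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGoQCNwAQdJBy23MrShs1E"
    "uHqK/dtDC33QrTqgWd9CJmtM3CK2ZiTYugkhcxnkEtGbzg+IJqcDRNkZHyoR"
    "ezTf6QbinBB2dbyANEuwKI5DVRBFowQOj9zvM3IvxAEboMlb0szUjAoML94H"
    "OkKuGuCkdZ1gbVEi3GcVwrIQphal1QIDAQAB;"
)

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    items = record.strip().strip('"').split(";")
    return {k.strip(): v.strip() for k, v in
            (item.split("=", 1) for item in items if "=" in item)}

def read_tlv(der: bytes, pos: int) -> tuple:
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        length = int.from_bytes(der[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, pos, pos + length

def rsa_modulus_bits(p_value: str) -> int:
    """SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey -> modulus size."""
    der = base64.b64decode(p_value)
    _, spki_start, _ = read_tlv(der, 0)
    _, _, alg_end = read_tlv(der, spki_start)        # skip AlgorithmIdentifier
    tag, bits_start, _ = read_tlv(der, alg_end)
    if tag != 0x03:
        raise ValueError("expected the BIT STRING that wraps the key")
    _, key_start, _ = read_tlv(der, bits_start + 1)  # +1 skips unused-bits byte
    tag, mod_start, mod_end = read_tlv(der, key_start)
    if tag != 0x02:
        raise ValueError("expected the modulus INTEGER")
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def audit_dkim_key(record: str) -> tuple:
    """Return (modulus_bits, verdict) for one DKIM key record."""
    tags = parse_tags(record)
    if not tags.get("p"):
        return 0, "revoked: an empty p= tag means the key was withdrawn"
    bits = rsa_modulus_bits(tags["p"])
    if bits < 1024:
        return bits, "unusable: RFC 8301 verifiers reject keys under 1024 bits"
    if bits < 2048:
        return bits, "weak: RFC 8301 recommends at least 2048 bits for signing"
    return bits, "ok"
```

The sample key is 1024 bits, so `audit_dkim_key(PAGE_RECORD)` flags it as weak; if your provider offers a 2048-bit key, publish that one.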

Setting up DMARC

DMARC is a newer standard than SPF or DKIM, and it’s quite a bit more effective. DMARC is a system where providers talk to each other to keep tabs on whether a domain is “clean” or not.

Believe it or not the DMARC project was initially spearheaded in 2007 by PayPal. They were having all sorts of trouble having their emails filtered out by Google and Yahoo, even though they were already using the SPF and DKIM technologies, so they started working on DMARC.

chart showing DMARC sending flow
Image courtesy of DMARC

Can you believe that all of these things are happening just for an email to go from one location to another? And even more wild is that it all happens pretty much instantaneously.

As more and more emails are sent using DMARC, more reporting becomes available. Entities like AOL, Google, Yahoo, and Microsoft are able to compare data and measure more accurately whether or not emails coming from a certain domain should be considered spam.

Be sure to have SPF and DKIM in place before implementing DMARC

DMARC is one of the authentications we rarely see used, and can potentially bring the most benefit in terms of showing that all emails from your domain should be freely permitted. To implement DMARC we just add another TXT record to our domain.

"v=DMARC1; p=none; rua=mailto:abuse@wpsitecare.com"

As you can probably guess, our DNS records are a little bit out of control at this point. We’re using DNSMadeEasy for all of our DNS record management, and it’s really awesome. Records propagate pretty much instantly, and it’s only $30 per year.

Our implementation of DMARC is super basic, but it does the trick. You can see what each of the different options and flags in that TXT record do on the DMARC Overview page.
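
Added example (not part of the original article or WP Site Care's tooling): a Python sketch of how a receiver turns the record above into a decision. A message passes DMARC when SPF or DKIM passed for a domain aligned with the From: domain; otherwise the receiver is asked to apply p=, and with p=none that means deliver as usual and only report. The org_domain() shortcut (last two labels), the domain bulk.example.net and the p=reject variant are assumptions made for the illustration.

```python
POLICIES = ("none", "quarantine", "reject")
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}  # RFC 7489 defaults

# The article's record, and a constructed enforcing variant of it.
PAGE_RECORD = '"v=DMARC1; p=none; rua=mailto:abuse@wpsitecare.com"'
ENFORCING_RECORD = PAGE_RECORD.replace("p=none", "p=reject")


def parse_dmarc(record: str) -> dict:
    """Parse and validate a DMARC TXT record, filling in default tags."""
    items = record.strip().strip('"').split(";")
    tags = {k.strip().lower(): v.strip() for k, v in
            (item.split("=", 1) for item in items if "=" in item)}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 is required")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= must be none, quarantine or reject")
    return {**DEFAULTS, **tags}


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """True when the authenticated domain matches the From: domain."""
    if auth_domain is None:   # that check did not pass at all
        return False
    if mode == "s":           # strict alignment: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(record: str, from_domain: str,
                spf_domain=None, dkim_domain=None) -> str:
    """spf_domain / dkim_domain: the domain that PASSED that check, else None."""
    tags = parse_dmarc(record)
    if (aligned(from_domain, spf_domain, tags["aspf"])
            or aligned(from_domain, dkim_domain, tags["adkim"])):
        return "pass"
    return tags["p"]  # policy the receiver is asked to apply to the failure


if __name__ == "__main__":
    # Mail claiming From: wpsitecare.com whose SPF passed for another domain.
    for rec in (PAGE_RECORD, ENFORCING_RECORD):
        print(disposition(rec, "wpsitecare.com", spf_domain="bulk.example.net"))
```

The usual rollout is to publish p=none first, read the rua reports until every legitimate sender passes with alignment, and only then move to quarantine or reject.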

Never Send a Spam Message Again!

60% of the time it works every time
It just works

I’m very pleased to say that the deliverability rates on our email campaigns, and all outgoing email for that matter, are much higher than the effectiveness rate of Sex Panther.

Most of all, we see very few bounced messages in our email campaigns. Our customers are rarely, if ever, reporting emails from us going to their spam folders.

Follow along with all the steps in this article and you’ll never deliver a message to spam again. (Or at the very least you’ll have a success rate of much higher than 60%).

Are you using email sending best practices and using authentication in your outgoing emails? I’d love to hear from you in the comments!


4 Comments

  1. maria

    Hi everyone! Very interesting article! I would recommend Zero Bounce https://www.zerobounce.net because I use it and it’s the best tool for email verification. It has spam trap detection and eliminates invalid emails. There is a lot of software that can do this for you but Zero Bounce is the best, well-developed system. I am using the 150 k package for 100k emails and for this reason, my email is well managed. If you want to test it, you can do it for free because Zero Bounce offers a free trial to check 100 emails.
    In short I use Zero bounce for : Email Spam Trap Detection
    Email Abuse Detection
    Email Bounce Detection
    Disposable Email Detection
    Toxic Domain Detection

  2. bestwritingadvisor

    Good explanations! These things really help and it’s good for even less-technical people to have some idea of how things fit together. Thank you for sharing 🙂

  3. Amit Panishap

    Excellent write-up Ryan.

    Unfortunately, DKIM does not seem to work in Google Apps for Work. It results in an error #1000. Tried to use different browsers, clear cookies, etc. but still same error. Raised this with Google Apps for Work support team but they do not have any timeline when this will be resolved.

    Need your help. Do you know if there is any external resource using which we can generate the DKIM record?
