EcommerceBytes-Update, Number 363 - July 20, 2014 - ISSN 1528-6703     4 of 6

Why Your Buyers May Not Be Getting Your Emails


Your customer service and marketing email messages may not be getting to your buyers and prospects thanks to anti-phishing initiatives on the part of large players. The culprit is Sender Policy Framework (SPF), and unless you know how to make it work for you, it could be working against you.

Many online sellers knew about the problem of phishing before the general population, thanks to the popularity of eBay and PayPal with scammers. We've warned readers for years: don't click on a link in an email - visit the site and log in as you normally would, and check for messages there. That's because scam emails made to look like they're coming from legitimate businesses trick you into signing in to a spoof site, thereby revealing your user name and password.

Industry players have tried to devise ways to make legitimate emails phish-proof, and one that could be having a negative impact on you without your knowledge comes from DMARC.

EcommerceBytes spoke to Bob Sybydlo, Director of Market Intelligence and Deliverability at email solutions provider YesMail, to learn how online sellers could make sure their emails are getting delivered, with a focus on Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).

He says merchants should get whoever is responsible for deploying emails on their behalf to authenticate their email, whether it's your email service provider or your web-hosting company.

And he recommends merchants not send email through services like Yahoo - merchants should purchase a domain and be proactive about authentication.

EcommerceBytes: Companies like AOL, Gmail, Hotmail, and Yahoo are using anti-phishing standards, can you explain what they're doing?

Bob Sybydlo: The Big Four ISPs are looking for several types of authentication from senders: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Essentially, these types of authentication identify the sender as who they claim they are and which mail servers are permitted to send email on behalf of your domain.

For SPF authentication, let's use eBay as an example. SPF ensures that eBay has the right to send from the IP address associated with that email and that eBay's name is associated with the IP address from which the email originates. These methods are in place to help ensure that phishing emails don't reach the inbox, but also to avoid more innocent types of deception or spam.

DKIM contains encrypted information at the domain level and ensures that a given domain can send to another given domain ( to, for example). This method of authentication allows senders to "sign" (a digital John Hancock) their emails to prove that the message really did come from them.

DMARC helps to increase consistency of authentication. DMARC means that senders can indicate that their emails are compliant with both SPF and DKIM. It also allows senders to dictate what a receiver should do if their emails are missing SPF or DKIM authentication (spam, trash, etc.).

EcommerceBytes: What do you think of standards like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), and are they effective?

Bob Sybydlo: SPF is the most standard type of authentication and is fairly effective. DKIM in particular has strengthened encryption in years past. When Gmail was caught using weak 512-bit encryption in 2012, it quickly stepped up to the 1024-bit DKIM standard. Gmail now accepts 2056-bit authentication. DMARC is also helping to protect consumers from those who tried to exploit the major ISP's rule that emails from the same ISP would automatically be delivered to the inbox.

EcommerceBytes: What should merchants with their own websites do to ensure they comply with standards and don't get caught in anti-phishing traps?

Bob Sybydlo: Make sure you're authenticating email correctly. There are a lot of websites available where you can check email to ensure that authentication is working. In addition, set up test accounts for the four major ISPs to ensure deliverability. Testing authentication is a relatively simple process, and it's fairly easy to run tests through the major authentication providers.

EcommerceBytes: What about merchants who use their ISPs (such as Verizon, Comcast, etc.) to send messages to customers - will their emails get delivered?

Bob Sybydlo: Individual senders and domain owners are responsible for the authentication process. If you send from a Comcast account, Comcast is responsible for ensuring authentication of outgoing emails. If you work for Amazon and send from an account, Amazon or their ESP is responsible for ensuring authentication.

DMARC regulations, however, mean that brands can no longer send bulk business emails from a Yahoo or AOL account. These ISPs are generally tipped off by an unsubscribe link and are notified of any bulk send activity. For example, now only Yahoo themselves can send marketing messages from a Yahoo account.

EcommerceBytes: Are small merchants and sellers at a disadvantage when it comes to email authentication systems such as SPF and DKIM?

Bob Sybydlo: Not really. Small businesses have to go through the same checks as large companies to ensure authentication. Email could be authenticated by the email service provider or the web hosting company - whoever is responsible for deploying emails on behalf of your brand.

The receiving ISP checks for risk. Whether your email will go to spam is not necessarily black-and-white. A lack of authentication is a risk factor, however, and places the brand and its email in a gray area. Fundamentally, authentication is about protecting your brand.

EcommerceBytes: How can merchants check to see if their emails are getting delivered? And how do they check to see if emails sent using list-hosting services are getting delivered?

Bob Sybydlo: This depends on your business model. If you're using an email service provider like Yesmail, it can provide deliverability reports. Tracking mechanisms must be part of emails for that to happen. Smaller senders might not have tracking methods in place. Working with an ESP is always preferred as a result, as they track delivery and deliverability with every deployment.

Some ESPs cater to small businesses, while Google Analytics is a way for smaller businesses to track clicks back to the website.

EcommerceBytes: I found this SPF checker on Microsoft. It shows Amazon has an SPF, but eBay does not. Is this a valid checker, and why wouldn't it show eBay's?

Bob Sybydlo: There are several different checkers to evaluate whether a program is working. What's likely happening here is eBay's email probably originates from a different domain, such as instead of

EcommerceBytes: In April, Yahoo got stricter about its practices. PC World said this was breaking some lists. Does this remain a problem?

Bob Sybydlo: DMARC was actually driving the change. Essentially, the DMARC change stopped senders from using AOL and Yahoo accounts as their sender names – when the messages were not actually coming from AOL or Yahoo. If a small business is sending marketing emails from a Yahoo account, it's now more likely to go to spam thanks to the DMARC change. This issue has an easy fix, however: obtaining a unique domain or collaborating with an ESP.

This again relates to DMARC, which isn't going away. Because of DMARC regulations, a marketing email from a Yahoo address to a Yahoo address will no longer go through, even if the emails are sent through an ESP. To small businesses, I recommend purchasing a domain and being proactive about authentication.
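
The DMARC check discussed in the interview, sketched as an added example that is not part of the original article or of any provider's tooling: it shows why a freemail From address sent through an ESP is rejected while a merchant-owned domain passes. All domains and records are constructed, the function names are hypothetical, and the sketch assumes relaxed alignment with a naive two-label organizational domain and ignores the `pct` and `sp` tags.

```python
# Simplified DMARC evaluation with relaxed alignment. Illustrative only:
# every domain and record below is constructed sample data.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    """Assumption: organizational domain = last two labels. Real receivers
    use the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain):
    """Relaxed alignment: the authenticated domain shares the From domain's
    organizational domain."""
    return auth_domain is not None and org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf_pass_domain, dkim_pass_domain, record):
    """spf_pass_domain / dkim_pass_domain: the domain that passed SPF
    (envelope sender) or DKIM (d= tag), or None if that check failed."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "no-policy"
    if aligned(from_domain, spf_pass_domain) or aligned(from_domain, dkim_pass_domain):
        return "pass"
    return policy.get("p", "none")  # what the domain owner asks receivers to do

FREEMAIL_RECORD = "v=DMARC1; p=reject"   # constructed strict policy
MERCHANT_RECORD = "v=DMARC1; p=none"     # constructed monitoring-only policy

def scenarios():
    esp_spf, esp_dkim = "bounce.esp.example", "esp.example"
    return {
        # Freemail address in From:, mail sent and signed by an ESP.
        "freemail_from_via_esp": dmarc_disposition(
            "freemail.example", esp_spf, esp_dkim, FREEMAIL_RECORD),
        # Merchant's own domain in From:, ESP signs with the merchant's d=.
        "own_domain_via_esp": dmarc_disposition(
            "shop.example", esp_spf, "shop.example", MERCHANT_RECORD),
        # Merchant's own domain, but nothing authenticates.
        "own_domain_unauthenticated": dmarc_disposition(
            "shop.example", None, None, MERCHANT_RECORD),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the first scenario SPF and DKIM both pass, but for the ESP's domains rather than the From domain, so neither aligns and the published `p=reject` policy applies.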

About the author:

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to

You may quote up to 50 words of any article on the condition that you attribute the article to and either link to the original article or to
All other use is prohibited.