Are you using your ESP’s email authentication? If not, you probably should be!
Note: if you’d like a refresher on email authentication first, check out this guide courtesy of MailChimp.
FreshAddress uses MailChimp for our marketing emails and I noticed one set-up option is to “authenticate” emails. I’ve never thought much about this choice, simply assuming, “Yeah sure, sounds great if MailChimp will handle authentication for me.” This option is selected by default and MailChimp strongly encourages users to leave it that way. I also noticed that our emails are deployed from a not-so-pretty email address that reads “on behalf of” FreshAddress. This was the only downside I’d considered.
A few months ago, though, our web hosting provider (and email configuration guru) sent me an email that made me think more about it. He recently implemented several aggressive anti-spam measures. To make sure honest mail is delivered, he developed a list of domains that he “trusts” from an email perspective. Email from trusted domains gets to bypass most of his filtering. He noticed that our newsletter deployments from freshaddress.com were DKIM signed, but with mcdlv.net’s DKIM selector. He didn’t know or trust mcdlv.net. Turns out, mcdlv.net is MailChimp’s mail servers domain. He suggested it would be better from a “trust” perspective for our emails (or any emails) to be DKIM signed with a selector whose domain matches the sending domain.
He offered, “I know and trust FreshAddress. I like you guys (even if you weren’t my customer) and want to continue to get your emails. I don’t know or trust mcdlv.net. Further, I’m not going to give preferential treatment to all emails from a bulk mailing organization because I don’t know all their customers. But I would give preferential treatment to emails from an organization I know and trust (you guys) even if they come from a bulk mailing organization. The only way I can do that is if they send your email from your domain with authorization (DKIM, SPF) from your domain.”
That all sounded good. Was it possible? I could easily edit my DNS entry to configure SPF by including MailChimp’s mail servers, but I couldn’t do anything with DKIM. If I turned off MailChimp’s authentication, it would get rid of the “on behalf of” and only show freshaddress.com, but MailChimp did NOT recommend this. They said, “ISP’s prefer to see authentication if we’re sending on behalf of another domain.”
A MailChimp blog post describes the SPF situation nicely in a blog post, “Basically, when you send an email using MailChimp, but your reply-to address is “yourcompany.com” it kind of looks suspicious to ISPs. So a receiving ISP would ask, “Why does it say it’s from “yourcompany.com” when I can tell it came from MailChimp’s servers (mcsv1.net, mcsv2.net, mcsv3.net…etc)” But so long as your email isn’t very spammy, it’s usually okay, and you have nothing to worry about. They’ll just let it slide. But ISPs are increasingly checking for SenderID authentication now. So when you send your email campaign and put “yourcompany.com” in the reply-to, a receiving ISP will go to “yourcompany.com” and ask if MailChimp is an impostor, or if we’re truly authorized to send emails on your behalf. Adding that line of code tells ISPs, “Yeah, MailChimp’s cool. You can trust him.”
Great, but that blog post is a few years old. What about DKIM authentication? Does it matter now to ISPs, or just my on-top-of-his-game email hosting provider? Is it worth turning off MailChimp authentication?
I decided there was only one way to determine how MailChimp’s authentication was affecting our deliverability – by actually testing it out. During last month’s newsletter deployment, I did an A/B test on a select portion of our list. The results were overwhelming.
|Part A (authenticated by MailChimp)||Part B (no authentication by MailChimp)|
As you can see, the authenticated campaign outperformed the one with no authentication with significantly higher open and click rates. It’s also interesting to see that the delivery rates were the same. This may suggest that the Part B deployment would be more likely to end up in the Spam folder.
Ideally, ESPs should allow users to configure all forms of authentication so sending domains match the DKIM selector. I’m only familiar with MailChimp’s options, but I suspect that ESPs that service large corporations have more capabilities. Regardless, you should review your ESP’s advice on how to best configure authentication for sending emails!