Deliverability: killing false best practices

On the web there are a lot of articles more or less recent that talk about good emailing practices influence the deliverability of emailings and newsletters.

Spammers' techniques have evolved over the years, as have anti-spam filters. Is what was good or bad practice yesterday still so today? In 2023, what are practices that really wake up spam filters ? What are the specific features of different ISPs and webmails? Are there any precautions to be taken depending on the recipient's country?

During 2 lives (12/05/23 and 15/06/23), Marion Duchatelet tried to demystify all this by questioning Anne-Sophie Marshdeliverability consultant at Iterable (an American marketing campaign management tool). Here's what was said during the discussions.
Is there a text-image ratio ? Is there a list of spam words? Can I use emojis in subject lines, or acronyms like "%, €"? Does email weight have an impact?
Can shortcut links be included in emails? Is it really necessary to send a TEXT AND HTML version? Is it really necessary to ensure the same volume and frequency of mailings every week? Is it really true that ISPs/webmails remember HTML code? Do you have to be Return Path certified or similar to deliver correctly? Is it really necessary to fill in SPF, DKIM and DMARC signatures? Is it necessary to fill in the List-unsubscribe on routing tools? Is it possible to have a different deliverability rate from one sending platform to another?

The recording of episode 1 is available in replay

Please watch in low definition!

The audio recording of episode 1 is available

Text transcript of live episode 1

Marion Duchatelet, Badsender
The question that comes up most often is: is there a famous list of spam words?

Anne-Sophie Marsh, Iterable
This list of spamwords is a bit like the unicorn of the deliverability world that comes up regularly. In fact, at the beginning, in the 2000s, anti-spam filters were much more basic. The content of the emails, including the words used in the emails, had much more weight in the filtering. But now the filtering techniques have become much more complex. Spam filters are adapting to the techniques of spammers who are always looking for new ways to get into inboxes. So it's a bit of a cat and mouse game. And the good practices of the 2000's have not clearly disappeared, but a lot of other layers have been added and it has become much more complex. Today, if you look at the major ISPs and webmails (so Gmail, Yahoo, Microsoft: which usually make up at least half of the bases), they're going to put a lot more emphasis on how their users interact with a brand's emails over time.

Marion Duchatelet, Badsender
So they don't care about spamwords?

Anne-Sophie Marsh, Iterable
That's it, minus the spam words per se. But if you use words in your email that generate few opens and more complaints, it's going to impact the deliverability on the major ISPs. Because they look at whether their users interact, whether they open the emails, whether they read them, whether they complain, whether they delete the emails without opening them. So effectively, if you use words that are a little bit spammy that don't generate a lot of interaction, it's going to impact deliverability.

Marion Duchatelet, Badsender
So it's rather the overall content of the email that generates few interactions rather than a specific spamword, at least for the main ISPs/webmails?

Anne-Sophie Marsh, Iterable
Yeah, that's it. After that, the smaller ISPs or corporate domains use techniques that are a little less complex. With them, certain word associations can be a little more problematic. You will have corporate domains that will still use very precise filters on certain words. In general, it's the word combinations that will make you go into the spam box.

Marion Duchatelet, Badsender
So if I summarize, with American webmails (Microsoft, Gmail, Yahoo) it is rather the openings, the clicks that will be analyzed. So, to the participant's question, which is " can we put "free" in an object if we have an average 40% opening rate?" We can answer him that the word "free" will not put him in spam. On the other hand, there are many local ISPs (in France, for example, we have orange.fr or laposte.net) that will not analyze behaviors because they simply can't legally. In France, we don't have the right to track behavior once the email has arrived in the mailbox, unlike American webmails which can check if the email is deleted before being read, if it is opened, if it is clicked. So local ISPs are going to focus a little bit more on word associations. And these word associations are not so much a fixed list of spam words. It's more like groups of words that evolve over time and over time. During the Covid for example, we had a lot of campaigns sent to lists of inactive emails using the words "covid", and well the ISPs/webmails adapted and added "Covid" or an association of words including Covid-19 in the spamwords. Am I about right?

Anne-Sophie Marsh, Iterable
Yes, the word itself is not necessarily going to be a problem. But if it is used in spam campaigns, it will increase the risk. And if you're already a sender that doesn't have a great reputation and doesn't have great best practices, it's going to tip you over the edge. But, if you have campaigns that generate a great engagement rate, adding a word like "Covid" or "free" won't be a problem.

Marion Duchatelet, Badsender
We received a question from one of our blog readers who said " I'm programming a campaign to promote a band at a music festival. The band is called Viagra Boys. All the emails where their name is mentioned are going to spam. What should I do?" 

Anne-Sophie Marsh, Iterable
That's a good question. Before assuming that it's exactly this word that's causing the problem, we'd need to do an analysis to see if there are other elements that could impact deliverability and also understand which ISPs are affected. In my opinion, it shouldn't be a problem for the most important domains on a BtoC basis. There may be a smaller domain somewhere that decides to block all emails that use the word "Viagra", but it shouldn't be the majority of the base. If it's impacting major ISPs, there must be other issues with the sender. Which could be interesting for solve content-delivery problemsis to test the e-mail block by block. For example, you start routing your email with just a text version with no links, then with basic HTML content, and you add element by element until you see when it starts to cause problems. But you really need to know your base beforehand, to estimate the risks, how much time you want to spend solving a problem when in the end it may not affect the majority of your audience.

Marion Duchatelet, Badsender
We have another question: " can the size of the subject line of the email make it go to spam?" 

Anne-Sophie Marsh, Iterable
It's impossible to say that there is no risk because some filters can add this criterion to the mores at any time. Instead, you have to use your common sense and ask yourself this question: if my object is too long, will it get the opening? In general, it is said that short objects are more punchy.

Marion Duchatelet, Badsender
So it's not because your object is long that it will end up as spam? But if the object generates few interactions then in the end less interactions = spam ?

Anne-Sophie Marsh, Iterable
Yeah, on most mailboxes, that's actually going to be it.

Marion Duchatelet, Badsender
Other question: is there a famous text-image ratio to respect?

Anne-Sophie Marsh, Iterable
Again, this is a matter of common sense. There's no ratio per se. However, you have to think about how, again, users are going to interact with the emails. If you have a lot of images or images don't show up by default, users aren't really going to interact with the email. If the call to action (button) doesn't show because it's in an image, that can cause problems because there will be little interaction. Users are looking more and more at their emails on mobile, if the images take longer to load, there will be less interactions too. After that, if you send your campaign to smaller ISPs, some still use filters like SpamAssassin who will give more importance to the ratio. So again, it's a matter of knowing your base well. But, in any case, adding more text is always a good thing.

Marion Duchatelet, Badsender
Yes, doing 100 % image on some ISPs, it may not please and therefore make the emails go to spam. But in reality, it's because of the missing interactions that, in the end, it will end up in spam.

Anne-Sophie Marsh, Iterable
Exactly. Over time, if you're doing 100% image, you're getting fewer interactions, you're training the ISP algorithms to understand that your branded emails generate few interactions, so they're going to put them in spam.

Marion Duchatelet, Badsender
We have another question: Do we know the name of the spam filters on the different ISPs?

Anne-Sophie Marsh, Iterable
The major ISPs have a lot of money and they own their filters. They don't really use third party companies to manage it, they have the means to develop their own system. So those are really out there. The smaller ones tend to use third-party companies to help them with their filtering. And sometimes they'll use more than one and in different ways. If the filter says that the content looks spammy, ultimately it's the ISP that decides what to do with that information. French ISPs all use Vade. There are many who use Cloudmark.

Marion Duchatelet, Badsender
So once again, the main ISPs, which have their own filter, are the Americans. So here, we are more concerned with the opening, the click, which will influence the deliverability. And for the local ISPs that use SpamAssassin, Vadesecure and Cloudmark, we're going to be more on complaints and database quality, right?

Anne-Sophie Marsh, Iterable
The Americans will also take into account the quality of the data. If you route your campaigns to inactives or invalid addresses spamtraps (trap addresses), it will really impact your reputation. But Vade and Cloudmark really have different systems, they analyze a little bit more the content of the emails. And SpamAssassin is a little bit more basic. So it's really more content-related rules.

Marion Duchatelet, Badsender
We have a question from Geoffrey: " with ios15, how will ISP behavioral analysis evolve?" 

Anne-Sophie Marsh, Iterable
So I guess we're talking about AMPP (Apple Mail Privacy Protection). It's true that with AMMP, the opening rates are not very reliable anymore. This is an interesting question. In reality, the open rates were never actually very reliable in the first place even before Apple introduced this change. But I still watch them very closely to monitor trends in open rates by ISP. If there is one that is very low compared to the overall campaign average, logically you have a spamming problem on that ISP.

Marion Duchatelet, Badsender
Um... for me Geoffrey's question is more like: Will the behavioral filtering of ISPs evolve? Like, will they stop taking into account the opening criterion because it is no longer reliable?

Anne-Sophie Marsh, Iterable
From what I've heard from American ISPs, what they take into account is mainly email opening and email reading time. What you have to understand is that these ISPs have access to tons and tons of data. To give you an example, a Gmail will analyze thousands of different elements in their filtering algorithms. They're going to be able to see exactly if people are spending more time reading an email from this brand versus that brand. But for us, as marketers, it leaves us a little bit more in the dark about how to manage inactives, etc.

Marion Duchatelet, Badsender
Really? I really thought that these ISPs took into account clicks and now you are saying that it is more the opening and reading time?

Anne-Sophie Marsh, Iterable
Yes, this is what they have communicated in the past. Afterwards, they never give exactly their recipe. But in fact, they were talking more about open rates, read time and especially spam complaints. Spam complaints are really something that has a very, very important impact on reputation and deliverability.

Marion Duchatelet, Badsender
A question from Sébastien: " When you get blacklisted, what should you do?" 

Anne-Sophie Marsh, Iterable
There are a lot of blacklists that exist in the Internet world. Some have a very, very big impact. We are talking about SpamHasus and to a lesser extent, we will have other blacklists like SpamCop or others. On the other hand, there are hundreds of blacklists that frankly have no impact on the deliverability of emails because they are not really used by the mailbox providers. So you need to know the name of the blacklist and see if it has an impact on deliverability. I see it more as a signal that you're on spamtraps, so your data is not of good quality. And that's why you got blacklisted on those little blacklists. So it's already a small signal. And you have to correct it before it impacts bigger blacklists. If they are big blacklists, they usually have sites where you can ask to be removed. But you have to have the problem fixed before you ask. You really have to explain to them why it happened and what you did to fix the problem. In general, if you're blacklisted, it's because you have database hygiene problems, you've routed to spamtraps or email addresses that don't open, that don't click, it's because you don't clean your database enough from inactive addresses.

Marion Duchatelet, Badsender
Sébastien, asks us: " for welcome pack items, are the rules the same? Do you have any advice?" 

Anne-Sophie Marsh, Iterable
Yes. Normally welcome emails are emails that generate even more interaction since the recipients have just shown an interest in the brand. So normally they should be emails that work well. The other advantage is that these emails are automated so they are routed every day on similar volumes. There's not really any specific advice, just make sure that the first welcome email arrives fairly quickly after filling out the form, so strike while the iron is hot.

Marion Duchatelet, Badsender
I have the impression that the question behind it was rather: " when it's a welcome email, are there any tips or precautions to take so that it arrives in the main box rather than the promo box? Aren't there groups of words like "newsletter confirmation", "customer number" or "purchase number" that will influence the placement in the main box?" 

Anne-Sophie Marsh, Iterable
Indeed, if a transactional email arrives in the promo box, it is problematic. On the other hand, if a newsletter or a promotional email arrives in the promotional box, it is perfectly normal and there is nothing to be done to ensure that these massively sent emails arrive in the main box. For the transactional email that should arrive in the main box, you should really try to cut all the commercial content of the email to remain as basic as possible: make more texts, less links and cut everything that can be promotional.

Marion Duchatelet, Badsender
Ravana has a question: " Does the reputation of the root domain (main domain) impact the reputation of the subdomains and vice versa?" 

Anne-Sophie Marsh, Iterable
So to some degree, yes, because they're connected. So if the root domain or if a subdomain is going to do something really bad, it can actually impact the rest. Subdomains allow you to isolate different types of emails. ISPs prefer that we isolate to better realize the types of emails that are sent. For example: news.domain will be the newsletter, info.domain will be the notification emails, etc.

Marion Duchatelet, Badsender
It's related, but having sub-domains, does it still protect?

Anne-Sophie Marsh, Iterable
Yes, that's it, it's a little bit isolating.

Marion Duchatelet, Badsender
Ok. A question from Sebastien: "after how many blocks SpamHaus blocks us for life or for a long time?"

Anne-Sophie Marsh, Iterable
SpamHaus is the biggest blacklist in the world and it's really the only blacklist that will have a big impact on the deliverability of emails because it is used by a lot of ISPs. To be blocked by SpamHaus, you have to have already done something pretty bad. In general it's that you have routed on spamtraps. And if you are routing on spamtraps, it means that you have really bad practices at the base. You need to review your acquisition strategy. Maybe the first time, if you go to them and you say, "Look, I made a mistake, I'm explaining to you that I understood, I did these steps to try to solve the problem, please delist me." They'll say OK. But if it's repeated a few times, after a while they're not going to give you that favor anymore. You really have to take the appropriate steps to make sure it doesn't happen again.

Marion Duchatelet, Badsender
So there is no set number of times?

Anne-Sophie Marsh, Iterable
No, it's really managed by human people.

Marion Duchatelet, Badsender
If you give 100 balls, it passes? How many euros do you have to give to be delisted?laughs)

Anne-Sophie Marsh, Iterable
You laugh, but there are small blacklists that ask for money to remove but you can't trust them. The big blacklisters, what they want is to protect users from real spam and malicious emails. So if you are blacklisted by them, it means that you really need to review your acquisition strategy and your basic hygiene.

Marion Duchatelet, Badsender
Okay. We have a question from Golden Gemini: "does the implementation of BIMI have an impact on deliverability?"

Anne-Sophie Marsh, Iterable
BIMI is a system that allows brands that have implemented DMARC at the "p=quarantine" or "p=reject" level to have their logo displayed in the inbox of some ISPs. Today, the main ISPs participate in BIMI, notably Gmail, Yahoo, Apple Mail and also other ISPs in France and abroad. It's a bit of a carrot that the industry has found to motivate brands to implement DMARC. So yes, it's pretty good. I don't think there are a lot of stats that have been done on the impact yet. But I guess if the logo appears in the inbox, it gives users a little bit more confidence that it's really the real brand that's writing to them and that it's not phishing. This can only be very positive for interactions. In addition, Gmail announced last week that for brands that have implemented BIMI, they are adding a little green checkmark when the email is opened to show that it's a verified brand, etc. So all of that, it can have more of a super positive impact."

Marion Duchatelet, Badsender
It costs a lot of money, doesn't it?

Anne-Sophie Marsh, Iterable
No, it doesn't. I mean it depends on the size of your company and your marketing budget. But it's about 1?000 $ per logo per year to set up the VMC (so Verified Mark Certificate). So for most medium/large companies, in the end, it's not that big a deal. But first you have to have DMARC in place at a sufficient level to be able to implement BIMI.

Marion Duchatelet, Badsender
And setting up DMARC is a pain?

Anne-Sophie Marsh, Iterable
It depends a little bit on the complexity of the email channel in the company. To have it in place on your main domain, you really need to have a good list of all the sources that send emails from that domain. For example, you're going to have a system that sales people use to send emails, you're going to have a system for marketing emails, a system for transactional emails. You have to make sure that all of these sources are properly listed and authenticated. For large companies, that can be a very complex thing.

Marion Duchatelet, Badsender
Question from Geoffrey: "will other ISPs also implement similar protocols to authenticate senders?"

Anne-Sophie Marsh, Iterable
It's always a little hard to know what the ISPs are going to do or not do. At the industry level, they want to improve DMARC mostly. They are also working a lot on ARC (Authenticated Received Chain) which is the mechanism that allows authentication not to break even when emails are forwarded. So I think there's work being done in the industry on that. It would be for Microsoft to do BIMI as well, it's the biggest ISP that is missing for BIMI.

Marion Duchatelet, Badsender
Question by Pierre: "Does the sender's name have an impact on deliverability? Should we give the impression to the customer, who is not fooled, that the email is not automatic? Does writing "FNAC" or "Sébastien de chez FNAC" have an impact on deliverability?

Anne-Sophie Marsh, Iterable
It's not the name itself that will have an impact but rather how the recipients react. Do they open more "Sebastian from FNAC" emails or more "FNAC" emails? It's pretty cool to use the one that will generate more opens. However, you have to test it on the long term to see if it's not just a fad and if people won't end up getting bored. I think you had a question about emojis. There's a pretty interesting article that appeared not long ago on Alan Iverson's blog called SpamResource (which is a very good reference if you want to learn about deliverability) who said that you should never add emojis in the sender nameIt's really something that's going to impact deliverability, especially at Gmail, which doesn't like it.

Marion Duchatelet, Badsender
Oh yeah?

Anne-Sophie Marsh, Iterable
Yes, in fact, because there are spammers who use emojis and special characters to try to reproduce well-known brand names with emojis. So the sender name, you have to write it in text, but you don't have to add characters.

Marion Duchatelet, Badsender
Okay, but that's fine for the sender's wording? But not necessarily for the subject?

Anne-Sophie Marsh, Iterable
Not for the subject, for the sender's wording.

Marion Duchatelet, Badsender
To answer Pierre's question, when you're a company that sends at least one or two emails a week, writing "Sébastien from Fnac" is a bad idea. The other day, I was giving a lecture to students and we were talking about this very thing. We came to talk about the famous "Vianney from Back Market" and he's not very appreciated. It gets boring after a while. So why not humanize the sender, but only for customer service emails or anything related to a subscription for example.

Anne-Sophie Marsh, Iterable
Yes, it's really testing to see what works.

Marion Duchatelet, Badsender
Yes, but when you say test, you have to test on the long term. If you test once "Sebastian at Fnac", you are almost sure to have a better open rate or click rate. But in the long term, it can be annoying and end up being boring. Or you have to test over a long period of time.

Anne-Sophie Marsh, Iterable
Yes, absolutely. You really need to integrate testing into your routing strategy.

Marion Duchatelet, Badsender
We have a question from Sebastien who asks: "what are the tools to recommend for cleaning its base?"

Anne-Sophie Marsh, Iterable
That's an interesting question. There are actually quite a few companies that specialize in basic cleaning. The beaba is to make sure that your routing platform handles bounces well. When you receive an error that tells you that this email address is invalid, you must of course delete it immediately and not re-route it. This is a hard bounce. After that, there are many other types of bounces that we call soft bounces. For example: the inbox is full, the domain is not set up, the domain is not set to receive emails, etc.. These addresses, if over time they are still categorized as soft bounces, they should be deactivated. So you have to set up these mechanisms already if it's not done automatically by your routing platform. Then the other thing, which is really super important these days, is to absolutely secure those online registration forms that. It's really super important because we have a lot of attacks from bots that use unsecured forms to inject lots of bad addresses into the databases. So there is a real issue here.

Marion Duchatelet, Badsender
Apart from setting up a big recaptcha what can you do?

Anne-Sophie Marsh, Iterable
So there is the recaptcha technique indeed, and there is another technique called the honeypot fieldThis means putting an extra checkbox in your form that is invisible to the naked eye. The bots, when they access your form, will automatically check this checkbox. But a human won't see it and won't check the box. So if that additional checkbox has been checked, you know it was generated by a bot. You can clear the address. That's a very good technique to use. It's a second technique to prevent bad addresses from entering your database. Then, you have to try to put a validation when someone tries to enter their email address: for example "Yahoo" with three "o", you have to be able to tell them right away that they made a mistake so that this bad email address does not enter the database. This is very important. There are solutions like "Kickbox that allow for basic batch validations. I have examples of clients who have really improved their delivery rate thanks to a big database cleanup. This is especially true for old email addresses. But, beware of companies that promise to remove all spam from your list because it's not possible. So if they promise you that, it's not very legit.

Marion Duchatelet, Badsender
Okay. Jonathan tells us to stop here, even if there are still many questions. We'll do another live if you agree, Anne-Sophie.

Anne-Sophie Marsh, Iterable
Yes, there are still a lot of subjects to be dealt with.

Marion Duchatelet, Badsender
Thanks a lot Anne-Sophie, it's a pleasure to welcome you. Our next live is on June 1?? to talk about the Mediapart's emailing carbon footprint. Thanks to everyone for your participation and your questions. Have a nice day!

Anne-Sophie Marsh, Iterable
Goodbye.

Live: Délivrabilité, tuons les fausses bonnes pratiques (Episode 2))

Please watch in low definition!

The audio recording of episode 2 is now available

Text transcript of live episode 2

Marion Duchatelet - Badsender
Hi Anne Sophie.

Anne-Sophie Marsh - Iterable
Hi Marion.

Marion Duchatelet - Badsender
It's cool that you came back to see us for episode number two of "Killing False Beliefs in Deliverability". Thanks for taking the time for this. Last time, we raised a lot of questions together. For those of you who haven't seen episode one, please go to our blog or directly to Badsender's YouTube channel to listen to this episode again. We discussed the famous spamwords, the text-image ratio, etc... Above all, we answered all the audience's questions, and it was really very interesting. We've decided to do a second episode, because there are a lot of questions we didn't have time to answer. So I'm going to ask them today.

Marion Duchatelet - Badsender
Is it true that you need to make sure you have the same volume of mailings and the same frequency of mailings every week or month, so as not to wake up the anti-spam filters?

Anne-Sophie Marsh - Iterable
Indeed, the frequency of mailings is very, very important for ISPs. Their anti-spam filters use algorithms that analyze all e-mails coming from different IPs and domains. In fact, what they like is for everything to be very predictable, very regular. If you like, I always use the analogy of friendship, of human relationships. You'd rather deal with someone who behaves more or less the same way all the time. ISPs are a bit like that. For them to trust you, they want you to behave in a regular way, especially in terms of frequency and volume. This doesn't mean that you have to route on exactly the same days every week and in exactly the same volumes. On the other hand, you should try to adopt a rhythm that is really regular over a period of the last 30 - 60 days. To give you an example, I work with a customer who routes 20,000 addresses every day. On the other hand, once a month, they'll route to their entire base of one million contacts. And there's no problem because they'll have this volume coming back once a month.

Marion Duchatelet - Badsender
Okay, so there's no need to worry about sending a weekly newsletter to your entire base, for example. And the week after, a product email to a specific segment. And again the following week, re on your entire base. There are no constraints or pressures.

Anne-Sophie Marsh - Iterable
As long as you really get into a regular rhythm, stick to it and try not to change too much. On the other hand, when you've got the end-of-year promotions coming up and you're planning to route larger volumes or change your rhythm a little. In that case, you need to do it gradually. Don't start increasing your daily volumes all at once. You really need to increase it gradually, to teach your ISP algorithms that your volume is growing. But not all at once, otherwise it'll scare them off. You really need to stay regular.

Marion Duchatelet - Badsender
And what does progressive mean? With each shipment, do you add plus 10% or plus 15 %?

Anne-Sophie Marsh - Iterable
In general, I start with less than 25 % increase from one shipment to the next.

Marion Duchatelet - Badsender
Ok. I have another question. Is it really true that ISPs and webmails remember HTML code? There's a lot of talk about HTML fingerprinting in deliverability circles. Is it true that an ISP or webmail can remember the HTML code or even the content and words used?

Anne-Sophie Marsh - Iterable
In fact, there are anti-spam solutions, such as Cloud Mark, that are really based on this notion of HTML fingerprinting. For example, if you have a block of content that comes back every time, which tends to generate more complaints, they'll be able to identify that this block of content is associated with spammy content. This allows them to detect if you're doing affiliate marketing and you're sending the same content via different routers, different IPs, etc. They'll be able to identify that the content is spammy. They'll be able to identify that it's the same block, the same type of content being sent, even if it's from completely different routers.

Marion Duchatelet - Badsender
Okay. So what this means is that when you're a marketer with a fairly important acquisition strategy, it's better not to send the same HTML code to an affiliate agency, which will itself send via different sending infrastructures that you don't really master. These emails are likely to generate lower click-through rates and certainly more unsubscribes and complaints. So it's better to send two different HTML codes, one for your "own" prospects and customers, and another HTML content for your acquisition strategy.

Anne-Sophie Marsh - Iterable
Yes, you have to be careful about that. After that, there are other elements that come into play. They can also attribute a reputation to your domain, to other elements of the email. It's a bit difficult to completely isolate because, over time, your brand is still present in your domain, it's still going to be present in the content. But at the end of the day, they'll be able to detect if there's content that generates a lot of complaints and is routed via different sources. They'll be able to get a global view and stop this kind of campaign more easily.

Marion Duchatelet - Badsender
Okay. And you, have you ever had concrete cases where the HTML code hadn't been changed, where it had been routed on affiliate platforms and that impacted the deliverability, let's say, of a loyalty strategy, of a cleaner strategy?

Anne-Sophie Marsh - Iterable
Yes, it's happened to me. I've had to deal with it before. In the recent case I've worked on, the campaigns we route are pretty clean. But in some cases, you can see that the brand is doing affiliate marketing, it has its content routed through various other platforms. And that's a bit of a warning sign that they may be having problems with certain ISPs.

Marion Duchatelet - Badsender
All right.

Marion Duchatelet - Badsender
We're going to come to questions with beliefs, but they're not beliefs; we're going to say with good practices that are a little more technical. We talk a lot about SPF, DKIM and DMARC signatures and authentication. Can you just remind us what SPF, DKIM and DMARC are for, in layman's terms? And above all, my question is what is the role of the router, the advertiser and potentially anyone else in informing these signatures?

Anne-Sophie Marsh - Iterable
Yes, of course. In fact, SPF, DKIM and DMARC are email authentication methods that have been put in place over time to provide a little security, to prevent brands from being personified by other external elements, other external organizations. In the beginning, there was nothing. In the 2000s, there wasn't much in place, and some brands were really taken advantage of. SPF was set up to link IPs to a domain name. You could say "My domain name, it has the right to send from such and such an IP." Spammers have managed to abuse this system. DKIM was then implemented on top of it. DKIM is a signature method using a public and a private key to ensure that the content of an e-mail has not been modified during transmission. So, you publish a key on the DNS, which is public, and in the header of your email, in the header of your email, you put a private key.

Anne-Sophie Marsh - Iterable
ISPs can decode the trick a little when they receive your email and see that your email is really from you. Once again, spammers have found ways to abuse this system, and DMARC was introduced more recently to link SPF and DKIM and put a level of authentication above them. And when you set up a DMARC policy, you can say to ISPs, "If you receive an e-mail that seems to come from my domain name, but is not authenticated with SPF or DKIM, either do nothing, put it in spam, or block it". So you have three levels of DMARC policy. "None" is effectively "Do nothing". "Quarantine" means "Spam it" and "Reject" means block the unauthenticated e-mail.

Marion Duchatelet - Badsender
Okay. But then, if I understand correctly, at some point, spammers will know how to counteract that, so there'll be something else?

Anne-Sophie Marsh - Iterable
Indeed, if a spammer registers a domain name that's very similar to your own... There are still mechanisms that allow them to bypass it, but it's already a big help. And indeed, DMARC is something that brands should now try to implement. It's not a deliverability tool as such, because it's more a technical solution for securing your brand and your domain name. But some ISPs have indicated that it's still a plus to have a DMARC policy in place, as long as it's quarantine and reject. A trademark policy of none is useless.

Marion Duchatelet - Badsender
There's no point.

Anne-Sophie Marsh - Iterable
Not much.

Marion Duchatelet - Badsender
I get the impression that SPF and DKaM - I guess you could say SPF and DKIM - are pretty well implemented by advertisers? Because, in fact, it's the routers who have to set this up, don't we agree? That's the role of the routers for SPF and DKIM?

Anne-Sophie Marsh - Iterable
Yes, in general, if you use a professional router that's good quality, SPF and DKIM are really the basics. As soon as you get in touch with this router, it will help you set it up from the start. DMARC, on the other hand, is really the brand's responsibility. It's all very well to set up DMARC, but you have to understand that it's not necessarily super-easy either. Especially if you're part of a large organization that uses different email channels. For example, you use different routers, your sales team uses yet another system, you send emails via partners, and so on. It can be a little more complex to set up a DMARC policy to ensure that all your legitimate emails are authenticated with SPF and DKIM.

Marion Duchatelet - Badsender
With SPF and DKIM, you also have to perform this inspection role, saying "All emails that send from these IPs and send from these infrastructures, Sengrid, Mailjet...". You can also align several routers. You've already done this work when you set up SPF and DKIM, haven't you?

Anne-Sophie Marsh - Iterable
Listen, in general, when it comes to really big structures, companies often realize that somewhere there may be a source of email that's legitimate, but not properly authenticated. That's why, in general, when you set up a brand policy, you start with a none policy. You look at the reports you receive from ISPs, and make sure that all your legitimate e-mails are properly authenticated. And once you've checked that, you can move on to Quarantine and eventually Reject.

Marion Duchatelet - Badsender
So it's a very gradual process. And the passage to none is to check that everything that should be legitimate is indeed legitimate, that there isn't one that's been overlooked. Is that it?

Anne-Sophie Marsh - Iterable
Yes, that's right. On the other hand, one of the things we often see is that brands put a policy in place and then, in fact, they keep their anone policy and don't evolve. It's important to understand that the anone policy is useful at the outset, but afterwards, you really have to look at the DMARC reports received by ISPs. These reports are not easy to read. Often, brands use a third-party company that will take these reports sent by ISPs, make pretty graphs, and make them a little more readable. You have to make sure you take a good look at these reports, and then you really do have a bit of a roadmap for evolving your DMARC policy all the way to Rejection.

Marion Duchatelet - Badsender
So, you're talking about a third-party company, neither the router nor the advertiser, who is it?

Anne-Sophie Marsh - Iterable
There are a lot of companies offering this type of solution now, to analyze these DMARC reports and make them readable, make pretty graphs, etc. For example, those who use Validity, ex Return Path, have their own DMARC solution. For example, those who use Validity, such as Return Path, have their own DMARC solution. There are lots of other boxes like Redshift, DMARC Advisor, Dmarcian. I think maybe Jonathan can put some links in the chat, but yes, there are a lot of solutions on the market.

Marion Duchatelet - Badsender
Ok. I did deliverability training on Tuesday. I was asked a question, which isn't stupid at all, but which has more to do with team organization. When you hear all this, and moreover, when I see that every time you say "the spammers have understood, so we've set up something else", it's a real job. Does that mean you think advertisers should have a deliverability manager?

Anne-Sophie Marsh - Iterable
I think most professional routers have deliverability teams. So after that, it remains to be seen whether they have someone competent who has the time to monitor and keep an eye on things in their team. It doesn't have to be every day, but at least once in a while, to keep an eye on campaigns, Google Postmaster reputation, Microsoft SNDS, campaign results by ISP to see if everything's going well. After that, if deliverability is really something that's a bit more of a problem, or if you're a larger organization with a bigger budget, calling on your router's deliverability team might be a good idea too. A little more follow-up...

Marion Duchatelet - Badsender
My impression is that in large structures where email is a significant source of revenue, there may be a person in charge of... I don't know if you'd call it a deliverability manager, but in any case someone who is 100% on email and who also deals with these subjects and who has a technical profile.

Anne-Sophie Marsh - Iterable
Yes, there are a lot of big companies that have someone specialized in this area.

Marion Duchatelet - Badsender
So, basically, DMARC is an authentication tool that enables brands to prove the legitimacy of their mailings and thus thwart identity theft by spammers.

Marion Duchatelet - Badsender
This brings me to BIMI, which is yet another acronym in the world of deliverability. BIMI, there's nothing technical about it, it's just, you tell me if I'm wrong, something that's been invented. It's the fact of having your logo next to your sender when you look at your mailbox. It was invented to motivate brands to implement DMARC.

Anne-Sophie Marsh - Iterable
Yeah, it was a bit of a carrot for marketers, because DMARC is more of a technical solution that's often managed by brand technical teams or IT security teams. BIMI is a bit more fun for marketers. If you have a DMARC policy in place that's at quarantine or reject level on your domain... Really your main domain, yeah. At that point, you can start looking at Bimi. Bimi, again, is basically just a TXT entry that you put on your DNS that points to a logo that's going to show up in inboxes. However, if you want it to work with Apple and Gmail in particular, this logo needs to be certified by a third-party entity. There are two entities at the moment, Digicert and Entrust, who deal with this, who really validate that this logo belongs to you and that it's your logo that's registered for your brand.

Marion Duchatelet - Badsender
Don't you have to pay for that?

Anne-Sophie Marsh - Iterable
Yes, you do. If you actually want to have this certificate, from memory, it depends a bit on the size of your organization in terms of budget, but it's about $1,000 a year, per brand.

Marion Duchatelet - Badsender
I had 1500 euros in mind.

Anne-Sophie Marsh - Iterable
It may have gone up. It's pretty much in that ballpark. After that, it obviously depends. If you're a small structure, it's a big budget, if you're a bigger structure, it's not really a big deal and it's worth setting up.

Marion Duchatelet - Badsender
Let me summarize. To get your logo, you have to have DMARC set up and your DMARC has to be set to Reject or Quarantine? Doesn't "None" work?

Anne-Sophie Marsh - Iterable
No.

Marion Duchatelet - Badsender
Ok. You need to have a DMARC at "Reject or Quarantine". So you can't set up BIMI if you haven't done the work on DMARC beforehand. BIMI is your little logo that you put in your DNS, in the TXT of your DNS, right?

Anne-Sophie Marsh - Iterable
Yes.

Marion Duchatelet - Badsender
It's displayed everywhere, on every e-mail system except Apple and Gmail. And Apple and Gmail, you have to certify your logo for it to be displayed.

Anne-Sophie Marsh - Iterable
Not all ISPs use BIMI. For example, our friends at Microsoft, they don't use BIMI at all at the moment. There's a site, maybe Jonathan can put the link in the chat too, there's a site, I think it's Bimi.org that really has all the information on it. They have a page that shows exactly which ISPs are participating in BIMI at the moment, and which ones are going to consider it. There are more and more of them, so it's great to see that it's being adopted more and more. And then, as far as the logo is concerned, it's nice to have it because it boosts user confidence. They can see that your logo is there and that the emails are really sent by you. Gmail too, they've set up a little... I think it's just a little blue sign that appears in addition, which really shows that it's been verified and that it's really your logo, your brand, and so on. So yeah, it's kind of the icing on the cake if you've got the right branding in place to boost the engagement you've got on your emails.

Marion Duchatelet - Badsender
I can understand an advertiser's motivation. But in reality, do you think the average person thinks, "Okay, there's the advertiser's logo, and what's more, there's the check, so I'll read the email"?

Anne-Sophie Marsh - Iterable
No, but then it's also about brand visibility, having your logo there is always a reminder of your brand. And also, as there aren't that many brands using BIMI yet, it allows your emails to stand out in an inbox.

Marion Duchatelet - Badsender
There's something I'm having a bit of trouble understanding, so I'll ask again, I'm sorry. The logo doesn't depend on the mail system, it depends on the opening environment, doesn't it? Right now, I'm in my Apple application, Apple Mail on my smartphone. I have my Gmail and Outlook inbox at the same time, so Outlook for B2C. I don't see any logo.

Anne-Sophie Marsh - Iterable
Yes, it depends on the ISP AND the environment in which you're viewing the email.

Marion Duchatelet - Badsender
Okay, it's all very, very simple... (laughs) We're going to move on to another topic because we're going to lose everyone if we don't. Can you tell us a little about the necessity or otherwise of filling in the unsubscribe list in routing tools? Maybe start by reminding us what the unsubscribe list is and why it's important for email deliverability?

Anne-Sophie Marsh - Iterable
So, the unsubscribe list is something that is normally set up by the router, which will be included in the email header and which will include a MailTo that explains where the unsubscribe request can be made. So it's not visible to the naked eye. On the other hand, some ISPs, for example, will sometimes display a little message at the very top of the email, like: "Are you receiving too many emails from such and such brands? Click here to unsubscribe". This is a link that you didn't include in your html, but which will automatically appear at the very top and is included by the ISP. What's important to note is that, at Gmail for example, this "unsubscribe list" message will appear for brands with a good reputation. If you see it appearing on your emails, that means it's good, Gmail thinks you have a good reputation and you're entitled to have this list unsubscribe message appearing all the time.

Marion Duchatelet - Badsender
All right. Do you have to be on dedicated IPs or not?

Anne-Sophie Marsh - Iterable
Good question. I don't think it has anything to do with the type of IP. At Gmail, they're more interested in the reputation of your sending domain, less in the reputation of the IPs. It's more based on your domain reputation at Gmail, anyway. As far as I can see on our platform, it's something we routers set up automatically. It's not something that our customers can remove. And indeed, it should be seen as a good thing. Often, as deliverability experts, we say "Make the unsubscribe link visible enough sometimes, put it at the top of the email." That's exactly right. It's better for users to unsubscribe than to complain. It's annoying to have people unsubscribe when you're a brand and you'd like everyone to keep getting your emails. But there are always people who want to unsubscribe, so it's better to let them go. This has no impact on reputation. Rather than people getting upset, not finding the unsubscribe link, making a complaint. That, on the other hand, will really impact your reputation and deliverability.

Marion Duchatelet - Badsender
This means that, as a router, you automatically take over the unsubscribe link found in the classic email footer. Oh no, it's a MailTo?

Anne-Sophie Marsh - Iterable
Yeah, it's a MailTo. It's not the unsubscribe link in the email, it's something that we manage, on our side, that's really done automatically. What's interesting, to check whether your router does it or not, when you receive one of your emails, is to look at the header, search for "list unsubscribe" and somewhere, there, you should see it.

Marion Duchatelet - Badsender
Yes, so to display the SMTP header of an email, you click on the three little dots and at some point you get "message source" or something like that.

Anne-Sophie Marsh - Iterable
Yes, that's it.

Marion Duchatelet - Badsender
Ok. Here's a question. I remember when I worked at Cabestan in 2005, 2010, we were pushing Return Path certification. And we used to say that it was to show a white coat to ISPs, to be whitelisted. And I have the impression that we don't hear about it anymore, that it's getting lost. Is it still useful to be Return Path or SenderScore certified? Is it still necessary to be certified today?

Anne-Sophie Marsh - Iterable
In fact, Validity's certification is called Senderscore. It's true that there was a time in the 2000s - there was also Goodmail, which doesn't exist anymore - when white lists were really the idea: you paid and you got better deliverability on the various ISPs that participated. That's still the big question. To be part of this white list, you already have to show your credentials. You have to have very good emailing practices. They don't accept just anyone, so you need to demonstrate that you have very good mailing practices. After that, the question is, if you have very good mailing practices, logically you shouldn't need them!
It's always a bit of a question: what's the level of profit compared to the level of money you're putting in? After that, it's quite interesting on certain levels. For example, for SenderScore certification, it helps with Microsoft, that's for sure. If your practices are good, but you're still having a bit of trouble with Microsoft, and it's a big part of your base and ... Microsoft is difficult anyway. A Senderscore certification, in fact, generally helps a lot. What's more, the other benefit is that in the Return Path, Validity and other interfaces, you'll have access to all kinds of data from the various ISPs participating in Senderscore, including Microsoft, which will show you the number of complaints you've received. This kind of data is very interesting for tracking the evolution of your reputation. Then, if your practices become a little more problematic, you can be temporarily released from certification too. Just because you're certified doesn't mean you'll stay certified forever. You have to maintain your good practices.

Marion Duchatelet - Badsender
But if everything's green, if your best practices are hot, I don't really see the point.

Anne-Sophie Marsh - Iterable
Yes, it is. After that, it's really just a security measure, as I said, if you really have little concerns and you want to have better visibility or more security. Another certification is CSA, Certified Standards Alliance, which is an organization based in Germany. They have ISPs, obviously German, but also large international ISPs who are part of this certification. Here, the entry criteria are even more drastic than Senderscore, because it's governed by German laws, etc. And there, once again, it's the only way to be certified. So, once again, if you have very good practices in this area, you shouldn't have any problems. On the other hand, if you're a router that... I mean, if you're a brand that sends a lot to Germany, this certification will enable you to send faster, to have less detection in terms of sending volume to certain German ISPs.

Marion Duchatelet - Badsender
Yeah, so it's not just the delivery, it's also the speed and the additional information you can get via their reports. All these certifications don't happen overnight, it takes quite a long time? DMARC, it's the same thing, it takes a long time. What do I prioritize? DMARC or a certification?

Anne-Sophie Marsh - Iterable
If I had DMARC in place, it would really be my priority, because it's more than just for deliverability, it's really about protecting your domain, your brand. It gives you great visibility on malicious activities that can take place and that you really have no visibility on if you don't have DMARC in place. So DMARC is really something you should try to put in place today, if possible.

Marion Duchatelet - Badsender
Still, I have the impression that certifications are being lost.

Anne-Sophie Marsh - Iterable
It's true that I see it less. It's true that in the 2000s it was more noticeable.

Marion Duchatelet - Badsender
Do you still have customers who are certified?

Anne-Sophie Marsh - Iterable
I see a few from time to time, actually, who still have it... Yeah, yeah.

Marion Duchatelet - Badsender
I agree. Is it harder to deliver in France, the US, Germany or the UK? Are there countries where it's more or less complicated?

Anne-Sophie Marsh - Iterable
That's an interesting question. First of all, I think it's important to note that nowadays, on B2C lists all over the world, generally speaking, the biggest ISP is going to be Gmail. It's the same everywhere. In general, if you take Gmail, Yahoo and Microsoft, that's a big chunk of the B2C base in any given country. In fact, in countries like Germany, France or Russia, you have local ISPs that will have a fairly large proportion of your audience. It's an interesting question because you also have different laws. For example, in Germany, the laws are very strict when it comes to respecting privacy. Double opt-in is much more encouraged in Germany. So, on the one hand, your lists are going to be much more qualified. And what I generally see with my clients in Germany is that the audience is going to be almost a little more... They're going to expect more quality from the brands. We know American ISPs well, they communicate quite well. If you've got problems, you've got very clear channels through which to make requests.
Then, in different countries, you may have smaller ISPs whose practices you know a little less about. In France, we're lucky. Orange and Laposte have an abuse unit that's very open if you have any problems. They have teams who respond well to requests.

Marion Duchatelet - Badsender
I have the impression that it also depends a lot on the local population. If you're strict, you absolutely want double opt-in, your habit is to unsubscribe, etc., I think that in another country, it's a little less true. That's as far as it goes. It's not necessarily the ISP or the webmail, it goes right down to the citizen's behavior.

Anne-Sophie Marsh - Iterable
Yes, and that's really something I see with Germany, for example, where people are more likely to unsubscribe if they're not happy. They wait longer than in other countries. I work with customers who route to countries where there's much less legislation, such as certain Eastern European countries and so on. Here, it's a bit more like the Wild West. People react less on the eMail channel, they may have fewer expectations. In France, Germany, etc., I think there's more of an expectation of quality.

Marion Duchatelet - Badsender
I have one last question. Is it possible to have a different deliverability rate from one platform to another? From one router to another?

Anne-Sophie Marsh - Iterable
Yes, that's right. A question that often comes up is "But why has my open rate changed compared to my old router?" It's clear that ISPs take a lot of factors into account when filtering emails, especially if you've been on a router for ten years or so, and you've had a good number of years, and you've really built up a reputation with your IPs, your domain name, you change and your new router, you start again from scratch, you rebuild your reputation. So, of course, deliverability is going to be a little more fragile on the new router at first, while you really rebuild your reputation. There's that. And then when you route on different platforms, it's never going to be exactly the same people.

Marion Duchatelet - Badsender
Small variations are to be expected, but that's usually a matter of a few weeks, I imagine, until things stabilize and we get the warm-up phase right, etc.?

Anne-Sophie Marsh - Iterable
In general, ISPs start with at least a 30-day period of e-mail history. In general, I'd say it takes a few months.

Marion Duchatelet - Badsender
OK. Thank you very much, Anne Sophie.

Anne-Sophie Marsh - Iterable
Thank you very much.

The participants