Book a Call


Why are my emails going into junk?

You will need to send users emails – so how can you dodge the spam filter?

Running a website project, business or shop online usually means sending email from the website and from your own computer using the website domain. Often, emails are generated by the website automatically when a user signs up to a service or makes a purchase. It’s important then, that these emails are delivered quickly and successfully to the user’s inbox. 

Unfortunately, perfectly good, legitimate email will sometimes end up in a user’s junk folder. Email sent by you, or your website must find its way through a complex array of content filters and network security before it reaches it’s intended target, and a poorly configured domain will mean that all important user registration email may well end up in a junk box, or never reach the user’s email client at all.

So, what’s going on, and why does your genuine email, which has effectively been requested by the user, end up going astray. To understand it all a bit better, let’s go back to the beginning.

Email was invented in 1971 by Ray Tomlinson using software called SNDMSG. Not long after it was invented, in 1978, Gary Thuerk sent an email marketing message to multiple ARPANET users and claims to have made almost $13 million dollars sending spam and phishing emails, giving him the title ‘The Father of Spam’.

Since its creation, email has evolved into a system used by almost 4 billion of us worldwide to send and receive information in the form of messages, documents, images, videos and unfortunately, a huge amount of SPAM or unsolicited email. As Gary Thuerk claimed, there is money to be made in SPAM. With such huge volumes of users, email quickly became the new frontline for scammers to reach into people’s pockets, and as data becomes more and more valuable, so the spammers get more and more creative and devious.

To combat the fraudsters, several security protocols have been developed that help genuine email users validate their email so mail servers are able to confirm the identity of the sender and deliver the mail to the inbox.

It all starts with your domain. Every domain name has a set of DNS records which are mainly IP addresses of servers on the internet, each which handle a particular service. Email is one of those services, and every domain that handles email will at the very least have something called an MX or mail exchanger record, which tells mail traffic where to go to reach a mail server and be routed to an address inbox. 

There are several other important records that need to be added in DNS to help with email deliverability. The idea is that these records can be used to validate your domain and show that your email is legit.

So, let’s look at what we can do to improve our email legitimacy

1 – Authentication. 

In the same way caller ID helps screen unwanted phone calls, there are methods for email that can help you show spam filters that your email is trustworthy

SPF – Sender Policy Framework.

What is SPF? Email SPF is an authentication standard that protects organisations against someone or something impersonating it. The biggest threat to an organisations email security is a bad actor using your domain and brand name to send emails which are fake, to trick the recipient into giving up data or security details about themselves. 

Faking a domain and email address is called Spoofing, and this method is used in phishing emails which are now so convincing that users may not be able to tell the difference and could innocently give away passwords, bank details, account numbers or other sensitive data.

So how does SPF help protect you and validate the emails you send?

SPF prevents an attacker from using your domain by publishing details of the mail servers that are authorised to send emails from your domain. For example, your website will reside on a hosting server, and that server will have an IP address. In the DNS record of your domain, the address of that server would be published as an SPF record, showing that the server is authorised to send email. Emails that arrive from any other servers would simply be blocked.

SPF is supported by all the major email service providers such as Google, Microsoft etc.

OK that’s a good start, but we can go much further.

DKIM – DomainKey Identified Mail

DKIM is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.

Once the receiver (or receiving system) determines that an email is signed with a valid DKIM signature, it’s certain that parts of the email among which the message body and attachments haven’t been modified. Usually, DKIM signatures are not visible to end-users, the validation is done on a server level.

All leading ISP’s (like Google, Microsoft and Yahoo) check incoming mail for DKIM signatures.

DMARC – Domain Based Message Authentication, Reporting and Conformance

DMARC requires that you already have SPF and DKIM verification in place. The history of DMARC goes back as far as 2012. At the time, there were no established protocols for authenticating email—so it was pretty much up to each company to determine how best to protect their brands from being spoofed.

As email marketing became more popular with businesses, many companies started using fake email addresses to send out spam marketing pitches or phishing attempts—and this led to a lot of problems for legitimate marketers who were trying to reach their customers.

DMARC works by checking when a message is sent from an authorized server to the DMARC-compliant domain’s SPF record and/or DKIM signature, which are stored at the DNS level. If either check passes, the message is delivered; if both fail, the message is rejected and returned as undeliverable (since it didn’t meet SPF or DKIM requirements).

If you don’t have these policies in place, your email will almost certainly end up in a junk folder.

BIMI stands for Brand Indicators for Message Identification. It’s a standard that attaches your company’s logo to your authenticated emails so your recipients can easily recognise and trust the messages sent from you or your website.

BIMI requires that your DMARC policy is a bit stricter in that you can only choose the quarantine or reject options. You will also need your company logo on your web server in .svg format, and a record in dns that identifies it. Using BIMI helps identify your brand to users by putting your logo at the side of any emails you send, another way of validating and instilling trust in the email.

2 – Your sender information

In addition to passing all the authentication methods above, it is important to ensure that the email address you are sending from matches the sender and the authentication methods you have in place. That is the from address must match that which is authorised and your “reply to” address should also be the same as the sender.

Another often overlooked requirement is your business or project’s registered address. The FTC (Federal Trade Commission) in the US requires that all emails have a physical address in the footer, so it’s good practice to add it to emails even if you aren’t sending or dealing with emails to and from the US.

3 – Email Content

What is in your email? Are you using words that might flag up on a spam filter? Have you typed any words in CAPS? Do you use emojis? Lots of exclamation marks are bad, along with poor spelling and bad grammar. Another big flag for Spam Assassin is the ratio of images to text. Spammers often try to get around word filtering by including images with text in them, so ensure if you are using images, that you have plenty of good quality text to accompany it.

Of course, this is tricky with password reset or user registration emails which often have very little text.

Broken links or dodgy will absolutely get you into trouble, so make sure to check and double check any hyperlinks you send. Ensure the link text (www.google.co.uk) matches the hyperlink and ensure the sites you are linking to aren’t infringing copyright or promoting something illegal. URL Shortening will also flag up on spam filters as they disguise the actual website address in the action of shortening it, which is really for character limited posts.

4 – Using Mailing Lists

If you buy a mailshot list, you will almost certainly be breaching GDPR regulations, so our recommendation here is avoid, avoid, avoid.

If you send to a list of your own subscribers, you must ensure your email contains an unsubscribe link. 

Be vigilant with bounces or delivery failures and purge any mail addresses that are bouncing.

Keep your content good and fresh, low engagement (low open rates) will say to spam filters that your emails aren’t interesting, or worse, unwanted.

OK So you have added all the records and validation, to see how your email stands up to scrutiny you can use a simple tool like mail-tester.com. Copy the email address from the website and send an email from your website to it. Once the mail-tester.com website receives your email, it provides a detailed assessment of your content, validation status and general deliverability.

If you would like help with getting your website email delivered, why not give us a call today.