Chapter 2

Email Delivery, Security, & Spam Advancements

DMARC Policy Changes at Yahoo Mail + AOL Mail

We’ve all received phishing emails—the majority are clearly fraudulent, but on occasion there are some believable ones. For example, you might receive an email from a friend with a link in it, or a message from one of your favorite brands asking you to update your information.

If you look closely at these emails, you’ll notice that the messages don’t actually come from your friend or the brand; they’ve been spoofed. While the spammer is sending from their own server, it looks as if they are sending from an email address that you trust. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an authentication protocol that helps reduce these types of emails.

In an effort to stop fraudulent and spoofed emails coming from and addresses, Yahoo Mail and AOL Mail made changes to their DMARC policy. With this update, emails that claim to come from a or address, but actually originate from other servers, will be rejected by DMARC-compliant mail receivers, like Yahoo, Gmail, AOL, and (formerly Hotmail).

As a result, if you’re sending an email from a or address through your Email Service Provider (ESP), your email will be rejected for all of your subscribers that are using DMARC-compliant receivers as their email client. This negatively affects your deliverability and increases the chances of your email bouncing or being marked as spam.

Action item: Ensuring Delivery in the DMARC Age

Canadian Anti-Spam Law Goes Into Effect

On July 1, 2014, the Canadian Anti-Spam Law (CASL) went into effect. While there are many different aspects to this law, we’ll provide a brief overview. It’s important to note, though, that we’re not lawyers—this is simply our take on the law and recommendations on how to react to it. To learn more about CASL, please visit

If your organization or ESP is based in Canada, or if you have any recipients that live in Canada, then CASL applies to you. CASL applies to most marketing messages, but transactional emails, warranty/safety notices, and purely informational messages are exempt.

CASL is essentially an opt-in law—subscribers must consent to receive your emails before you can message them. According to CASL, consent falls into two categories: express and implied.

Express vs. implied consent

With express consent, subscribers have specifically opted in to receive emails from you. In order to obtain this type of consent, subscribers must enter their email address, as well as check a box requesting to be subscribed to the emails (a pre-checked box doesn’t count!), and then click submit. You must also include the following information during sign up:

If a subscriber has provided express consent, then you can continue to email them as long as they do not unsubscribe.

When it comes to implied consent, subscribers must have an existing relationship with your company within the past 24 months. While you can seek express consent during this 24-month period, implied consent expires after two years. There is currently a transition period until July 1, 2017 in which you can continue to send to subscribers who have implied consent (unless, of course, they unsubscribe). Starting July 1, 2017, you must follow the 24-month implied consent rule.

Email + unsubscribe requirements

If you’re sending a CASL-compliant email, there are certain attributes which must be present in your email. Not only must you clearly identify yourself (or your client) as the sender, but you must include a method for your subscribers to be able to contact the sender. A physical mailing address must be included, as well as your phone number, email address, or website address.

In addition, you must include a working unsubscribe method, which must be active for 60 days after you send an email. While your unsubscribe can link to a preference center, subscribers cannot be required to log in to unsubscribe. All unsubscribes must be processed within 10 days.

Keep records

To remain compliant with CASL, it is vital to keep records of your subscribers’ express and implied consents. You’ll want to note the date and time of consent, as well as which type of consent they have given—express or implied. In addition, you’ll want to know the source of consent (i.e., from a specific form or URL). While it’s not required, the IP address of your subscriber is useful as well. Keeping records is crucial in the event that a subscriber complains about your email.


If you fail to comply with CASL, there are some major penalties! Fines of $1 million to $10 million per violation are possible. And, starting July 1, 2017, subscribers can sue a sender if they believe they have received spam.

Action item: Complying with CASL