DMARC Policy Changes at Yahoo Mail + AOL Mail
We’ve all received phishing emails—the majority are clearly fraudulent, but on occasion there are some believable ones. For example, receiving an email from a friend with a link in it, or one of your favorite brands asking you to update your information.
If you’ve looked closely at these emails, you’ll notice that these messages don’t actually come from your friend or your brand, but rather they’ve been spoofed. While the spammer is sending from their own server, it looks as if they are sending from an email address that you trust. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, is an authentication protocol that helps reduce these types of emails.
In an effort to stop fraudulent and spoofed emails coming from @yahoo.com and @aol.com addresses, Yahoo Mail and AOL Mail made changes to their DMARC policy. With this update, emails that claim to come from a @yahoo.com or @aol.com address but actually originate from other servers will be rejected by DMARC-compliant mail receivers, like Yahoo, Gmail, AOL, and Outlook.com (formerly Hotmail).
As a result, if you’re sending an email from a @yahoo.com or @aol.com address through your Email Service Provider (ESP), your email will be rejected for all of your subscribers whose mail is handled by DMARC-compliant receivers. This negatively affects your deliverability and increases the chances of your email bouncing or being marked as spam.
Action item: Ensuring Delivery in the DMARC Age
Send emails from a private domain
Luckily, there is a simple fix! If you are using a @yahoo.com or @aol.com as your from address when sending through your ESP, you’ll need to change the email address you’re sending from.
While other webmail providers, like Gmail, haven’t yet made changes to their DMARC policies, they likely will in the near future. As a result, we recommend sending from a private domain that you control—for example, we send from @email.litmus.com. Sending from a private domain can also help prevent future deliverability issues caused by changes like this.
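Why a @yahoo.com From address sent through an ESP is rejected while a private domain passes, as an added example (not code from the original article): a simplified receiver-side DMARC check in Python. The `esp.example` and `brand.example` domains, the sample record, and the two-label shortcut for the organizational domain are assumptions.

```python
# Added example: simplified DMARC evaluation (identifier alignment, RFC 7489).
# Domains, the record and the SPF/DKIM results are constructed sample values.
# The pct and sp tags are ignored to keep the example short.

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, which matters for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    if mode == "s":  # strict alignment: exact match only
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed (default)

def dmarc_disposition(from_domain, record, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs computed by the receiver."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "none"  # no policy published for the From domain
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"].lower()  # none, quarantine or reject

REJECT_RECORD = "v=DMARC1; p=reject"  # constructed record with a reject policy

# @yahoo.com From address sent through an ESP: both checks pass, but only for
# the ESP's own domains, so neither aligns with the From domain.
print(dmarc_disposition("yahoo.com", REJECT_RECORD,
                        ("pass", "bounces.esp.example"), ("pass", "esp.example")))
# Private domain signed with DKIM for that same organizational domain.
print(dmarc_disposition("email.brand.example", REJECT_RECORD,
                        ("pass", "bounces.esp.example"), ("pass", "brand.example")))
```

The first call yields `reject` even though SPF and DKIM both pass, because DMARC only counts a pass whose authenticated domain aligns with the From domain.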
Canadian Anti-Spam Law Goes Into Effect
On July 1, 2014, the Canadian Anti-Spam Law (CASL) went into effect. While there are many different aspects to this law, we’ll provide a brief overview. Though, it’s important to note that we’re not lawyers—this is simply our take on the law and recommendations on how to react to it. To learn more about CASL, please visit fightspam.gc.ca.
If your organization or ESP is based in Canada, or if you have any recipients that live in Canada, then CASL applies to you. CASL applies to most marketing messages, but transactional emails, warranty/safety notices, and purely informational messages are exempt.
CASL is essentially an opt-in law—subscribers must consent to receive your emails before you can message them. According to CASL, consent falls into two categories: express and implied.
Express vs. implied consent
With express consent, subscribers have specifically opted in to receive emails from you. In order to obtain this type of consent, subscribers must enter their email address, as well as check a box requesting to be subscribed to the emails (a pre-checked box doesn’t count!), and then click submit. You must also include the following information during sign up:
- A clear statement about what the subscriber can expect to receive from you after signing up for your emails.
- Information about the sender (you or your client)—include the company name, as well as at least one piece of contact information, which can be a physical address, website address, or email address.
- A clear statement that the subscriber can unsubscribe from your emails at any point.
If a subscriber has provided express consent, then you can continue to email them as long as they do not unsubscribe.
When it comes to implied consent, subscribers must have an existing relationship with your company within the past 24 months. While you can seek express consent during this 24-month period, implied consent expires after two years. There is currently a transition period until July 1, 2017 in which you can continue to send to subscribers who have implied consent (unless, of course, they unsubscribe). Starting July 1, 2017, you must follow the 24-month implied consent rule.
Email + unsubscribe requirements
If you’re sending a CASL-compliant email, there are certain attributes which must be present in your email. Not only must you clearly identify yourself (or your client) as the sender, but you must include a method for your subscribers to be able to contact the sender. A physical mailing address must be included, as well as your phone number, email address, or website address.
In addition, you must include a working unsubscribe method, which must be active for 60 days after you send an email. While your unsubscribe can link to a preference center, subscribers cannot be required to log in to unsubscribe. All unsubscribes must be processed within 10 days.
To remain compliant with CASL, it is vital to keep records of your subscribers’ express and implied consents. You’ll want to note the date and time of consent, as well as which type of consent they have given—express or implied. In addition, you’ll want to know the source of consent (i.e., from a specific form or URL). While it’s not required, the IP address of your subscriber is useful as well. Keeping records is crucial in the event that a subscriber complains about your email.
If you fail to comply with CASL, there are some major penalties! Fines of $1 million to $10 million per violation are possible. And, starting July 1, 2017, subscribers can sue a sender if they believe they have received spam.
Action item: Complying with CASL
Only send opt-in emails to comply with CASL
If you are located in Canada—or sending emails to Canadian residents—and are sending the types of marketing messages covered by the law, then you must comply with CASL. Hopefully, you’ve been sending opt-in emails from the start! If that’s the case, becoming (and staying) CASL-compliant shouldn’t be too difficult.
For starters, take a look at your lists—what type of consent did you receive from subscribers (express or implied)? If you received express consent prior to July 1, 2014, then you can continue to email those subscribers as-is (unless, of course, they unsubscribe). If you received express consent post-CASL, then you must ensure that your sign up and messages have adhered to all of CASL’s requirements (i.e., using a clear name and including contact information).
If you have received implied consent prior to July 1, 2014, then you may continue to send to those subscribers until July 1, 2017 during the transition period. However, after July 1, 2017 you must adhere to the 24-month implied consent rule. Consider sending these subscribers an email asking them to provide express consent.
Are you unable to identify how your subscribers opted in to your emails? If you’ve ever purchased or rented a list, we recommend removing those subscribers from your mailing list, as they never opted in to receive emails from you. Also, consider using subscriber inactivity as another indication that it might be time to cut your losses and prune your list.
Once you’ve completed these steps, you may want to send a re-opt-in request to your subscribers. While you may lose a number of subscribers, it’s worth the risk. Not only will your subscribers likely be more engaged with your emails, but you will be in full compliance with CASL.
Moving forward, it’s important to establish a process for identifying which type of consent you received from a subscriber, as well as how and when the consent took place. Be sure to keep records of consent in case of any legal issues.