How to make DMARC easier with Brian Westnedge of Red Sift

00:00:00

Eric Trinidad: Welcome to Emails Not Dead. My name is Eric, and my cousin from another dozen is Jonathan. Welcome back, sir.

00:00:07

Jonathan Torres: Yeah, thanks.

00:00:09

Eric Trinidad: We're here with you live with a few new faces, actually some old friends as well. So just want to take some time to introduce everybody and welcome everybody back to Emails Not Dead. We have Brian Westnedge from Red Sift, the VP of Alliance and Partnerships. Brian, welcome back, sir. Thanks, good to you guys. Great to have you, great to have you. And long time listener, first time joiner, Peter Trinder. He's the VP, oh I'm sorry, not the VP, I gave you a promotion there. He's the Principal Product Manager at Mailgun. Hey Peter, how are you sir?

00:00:42

Peter Trinder: Hey Eric, I'm doing well. I'd like that promotion, but.

00:00:46

Eric Trinidad: Well you're a VP in my eyes.

00:00:47

Jonathan Torres: That's what counts. That's what really counts.

00:00:49

Eric Trinidad: Yeah. And now we're coming at you live. Now you can get to see us. I'm your resident Lumberjack email associate here. So I'm glad to be with y'all. So definitely now, you know, what's going on in our backgrounds. So, yeah, but we're not here to talk about that. We're here to talk about. What are we here to talk about, Jonathan?

00:01:06

Jonathan Torres: We're going to talk about DMARC. The fun topic of 2024, it feels like through 2025 now. So it's just continuing the conversation. And not that we haven't been talking about it longer than that, because we definitely have been talking about it for so long now. It's just, you know, every day it's more relevant every day. It's a bigger and bigger thing. Great. Let's do it. Let's talk about it. Let's make sure that we're in the right spot. But I think the big development is that, you know, within the Mailgun product suite of things it's expanding and developing. So why don't we jump into that here pretty quick? And then we'll kind of, we'll kind of backtrack and see, you know, kind of the importance of why we're doing that. But Peter, are you ready to give us a quick rundown of what's going on?

00:01:44

Peter Trinder: Yeah. So we're adding a DMARC integration into Mailgun and we're doing this in partnership with Red Sift. Now, the reason for this partnership is that, you know, Red Sift are DMARC experts. And DMARC, you know, on the surface level, it appears to be a really simple solution. But there, once you get into the details, there's a lot of complexity there that if Mailgun were to put out an MVP, we wouldn't fully solve. And so by partnering with someone like Red Sift, we get things like BIMI, SPF flattening, and all this cool other functionality. But yeah, we're going to be the first ESP that has a, you know, a single page where you can set up your SPF, DKIM, DMARC all in one place. If you just copy what's on the screen there into your DNS records, it's going to work no problem. So I'm really excited about that and just increasing adoption of DMARC for Mailgun users.

00:02:37

Eric Trinidad: It's awesome. And make it easy. That's what it counts. You know, and then you did it with Brian too which Brian's awesome because we've talked to him a bunch. I mean, the last time we spoke with him was in regards to BIMI, which, you know, the little checkbox that you got to do before that is get DMARC set up. So excited to be partners with, you now, Brian.  

00:02:54

Brian Westnedge: Yeah, couldn't be more excited. And I think Mailgun is making a real step forward in this area. You're going to be the largest mail platform monitoring DMARC on behalf of all your customers and making results available to them. It's really is a giant step forward. I'm a total email geek and a DMARC geek, you know, and it's really exciting to see Mailgun put this in place for customers. It's going to be hugely beneficial. I think we've all heard a lot about DMARC over the last year. The last time I talked to you guys. There was nothing, none of us had heard the term yahoogle, right? So it's there's been a lot going on. So your timing is impeccable.

00:03:29

Eric Trinidad: Yeah. I think it's now like on birthday cards and stuff. So it's definitely making its way around.  

00:03:36

Jonathan Torres: Well, it's definitely one of those things that, yeah, it's, I feel it's a subject we've talked about and talked about and talked about and talked about, and it's just going to be one of those things that continues to be talked about because the requirements authentication. Being a big thing, right? Like being a forefront for a lot of the email providers, just wanting to make sure that you are who you say you are. And this has been a thing since the beginning of email that, you know, it wasn't a problem back in the day. It was kind of trying to be a little bit better. And you know, as things got worse, as people started, you know, more abuse started going out more, the landscape changed and it's not what it used to be. And because of that, it's more important now than ever to do that. And to make sure that the people sending are who they say they are. And how do we do that? DMARC is a great step to get there and. Because it's such a big thing because there's so many other pieces and other components to authentication in and of itself, we've got to simplify. And I think that's the beautiful thing that what we're talking about today is because let's make it easy. Let's make it consumable. Let's make it so that everybody has availability to do that. And the more we do it. The more secure things get, the easier it is for even platforms themselves to start enforcing and really pushing that piece. And it takes away that, that barrier of entry of it being super complex or things breaking along the way. We feel like we need to talk about exactly what DMARC is. We can do a brief overview of what it is. So simply put, it's just a text record, a TXT record that's going to go into your DNS settings. Not that simple. When you look at the high level view, you're definitely talking about a couple of other records. So we always want to make sure SPF records are going to be there. So SPF records is another TXT record, which we're going to talk about a lot. The TXT record, that's going to identify what phone number you're calling from. I guess, you know, that's kind of like the caller ID, if you will, you know, it's basically to say these are the locations that are allowed to send as me. You know, very simply put, I don't want to get too complex and we don't need to get to the technical details, at least not yet, unless we need to, but that's what the SPF record does. The DKIM record is the other piece that's going to be the signature for it. So as an email is going out, you can encrypt some of that email. You can send that encryption along. You have a key that's set up publicly, and that's what you're going to put in your DKIM record. And then the provider, whenever they receive that message, you're just going to check it to make sure that. Hey, this is the person that sent the message. Nothing is changed about this message. So we can receive it with confidence that this person actually sent this message. And when you combine those pieces, that's when you know, you get the DMARC beauty of it being fully authenticated now you can check against both of those and then. Me as a sender, as an owner of a domain, as an owner of a business, in whatever way I can say, Hey, look at my SPF, look at my DKIM, if it doesn't pass, if it isn't secure, if it doesn't look like it's me, don't accept it. You know, put it in quarantine you know, in the spam folder and you know, do various other things that I now have some control over. So I know it's a quick rundown. Very simple, very simplified and not a whole lot of technical detail, but that's the beauty of these records. That's really going to help toward that piece. Yeah. And I know right now, I'm sorry for monologuing. We're going to get through this real quick. But the next big piece is we have seen certain providers. Really push for this and start this whole Yahoo! Google apocalypse. And as you can guess by the names, Yahoo and Google are the ones who really set this forth and set this in motion for senders really, to adopt this and make this a priority for them to set up on their bulk emails, whatever they're sending that's in high volume. So is that it, is that where it stops? I know I've heard rumors, Brian, do you have any insight that you can share about, you know, stuff that possibly may be in the pipeline?

00:07:07

Brian Westnedge: All of us have heard Microsoft in particular over the last several months have stated hey, We're going to implement our own sender requirements. They're coming, you know, they're going to be at least as strict as Google and Yahoo. So I think marketers should probably be aware that's going to happen. Do we know exactly when Microsoft is going to do that? We probably don't. My best guess is in the first half of this year. It's been over a year now that Google and Yahoo have had their requirements out and Microsoft tends to fall suit, you know, let the other be the leaders in the market and then they'll fall suit. So I do expect that to happen in the first half of this year. So it's something. Marketers should be aware. The good news is if you've prepared for the Yahoogle requirements, you know and you're sure you're conforming with them for now. I think you'll be fine with whatever microsoft puts out you know, it's just obviously i'm prognosticating but you know that would be my best guess their requirements will be similar Can we see google and yahoo then ratchet down their requirements a little further potentially right? Right now they require a DMARC record with a policy of none, there's no requirement to send your DMARC reports anywhere. For instance, could we see them start to require hey, you've got to send the DMARC report somewhere, whether it's to a vendor like Red Sift or to an internal mailbox. So somebody at least is looking at this data, which we would obviously recommend. You know, if you're a Mailgun customer soon, you'll be able to access, you know, DMARC results on your Mailgun traffic from Mailgun, which would be great. But a lot of marketers will use many platforms to send mail or their organizations may use many other cloud services to send mail. So it's always in your best interest to monitor DMARC reports, right?

00:08:40

Eric Trinidad: Oh, yeah, absolutely.

00:08:42

Brian Westnedge: Again, hopefully this time next year when we're talking, Microsoft will be in the rear view mirror, they'll have implemented their sender requirements, and we'll be moving forward from there.

00:08:50

Eric Trinidad: Yeah, I was gonna ask do you think that Microsoft would go in and just do reject right away, or would they be just like none.

00:08:58

Brian Westnedge: I don't think so. My guess is they'll take a staged approach and I would never recommend anybody by the way that you ever start with a policy other than none You got to start with none to get the visibility to fix any issues you might have so we do see customers that start with a policy of reject because reject is what you want to be eventually and they're like, oh, this is a great thing and hey, we'll put a reject policy in place. What could go wrong? Well, what could go wrong is all of your other email traffic, like Mailgun you're probably authenticating your Mailgun traffic, but what about your Salesforce traffic and your Zendesk traffic and, you know, your marketing automation traffic, all these other cloud services that nobody might be even looking at or be aware of the authentication results for, you know, you might block legitimate mail inadvertently. While you're trying to block the bad stuff. So yeah, never recommend anybody start with anything other than policy and none. But if I'm on Google and Yahoo, I'm probably thinking, Hey, Microsoft's going to put their sender requirements out more than likely it'll be start with a policy of none, but they might be saying, okay, we're going to give folks some time to conform to that. If for some reason they haven't conformed to our requirements and then maybe we'll ratchet things down. So, yeah, we're speculating again but Microsoft tends, you know, it took them a while to send DMARC reports from office 365 and, you know, they kind of followed the market there. I expect them to follow here shortly. They let the others take the arrows and then they come along and clean things up.  

00:10:26

Jonathan Torres: Yeah. And we've definitely, you know, we've seen a few different things, right? So we do know that Microsoft has expressed interest in doing this kind of thing also. And that's nice to see. We do know hearing it from Marcel Becker himself over on the Yahoo side that he would love to, you know, implement a higher level of requirement so that it's not just a p=none. But we've been talking about p=none, I think a little bit. And I think that's the next technical aspect that we should dive into is what exactly p=none means. And then on top of that, the whole, where is this report going to? Is this report you know, we keep talking about reporting. What is the report? Where is it going? What does it do? Like, how do you get it out there? So I don't know, Brian, if you'd be willing to talk about that a little bit, like the different levels of enforcement with the policy and then also like the reporting, like why is that important? And like, how does that all work?  

00:11:13

Brian Westnedge: Great. Yes. So reporting is the R in the DMARC acronym, if you will. Domain Based Message Authentication Reporting and Conformance. It's quite a mouthful, but yeah, the R is the key because SPF and DKIM have been around forever. They don't have a reporting mechanism, right? Other than you sending a message and then looking at a header of a message to see, Hey, did my message authenticate properly? So the R in DMARC is really critical to give you the visibility into your mail streams. A DMARC report itself is a it's an XML file. If you publish a DMARC record in DNS. For your domain, you can stipulate where you want those reports sent. You can send them to an internal mailbox, or you can send them to a provider like Red Sift. And those reports just say, hey, for this domain, it sent a message, did it pass SPF and did it pass DKIM, essentially, is what it says. That visibility is going to inform what issues you need to correct as a domain owner. So, if you're a very large company, you might have a lot of email services that send on behalf of your top level domain. You might have, you know, Mailgun. You certainly have some sort of corporate email system, Office 365, Google Workspace.

00:12:30

Brian Westnedge: You might use a email gateway, you know, commercial email gateway from a provider. So there's definitely that mail stream. You can have marketing clouds. You can have service clouds. You can have all of these other things. So that reporting way without the reporting layer, you as a domain owner are relying on your users giving you feedback, right? Are you doing all these testing, you know, to seed lists and things. So the DMARC report can kind of short circuit that process and give you visibility into issues you need to fix. If you're not sending reports anywhere, you just have a DMARC record with a policy of none. You're just saying, I'm conforming to the bare minimum requirements of that Yahoogle has said, I have to have a DMARC record without reporting addresses in my mind is not very effective unless you have a non sending domain, you know, this domain doesn't send email, you could publish a reject policy for that domain because you don't really care, you know, it doesn't send any email and if you publish reject policy, it just means no one can impersonate that domain, nobody can send email traffic as a domain. So there's three policy settings to DMARC. None, which is where you start just allows you to monitor your email traffic from your domain. And then the next policy setting is quarantine, which. You as a domain owner, you're telling a receiving mail gateway, Hey, if you get a message from my domain, and it doesn't authenticate properly and pass DMARC, put it in the junk folder. And then finally, the strictest policy setting is reject, where you're telling a receiving mail gateway, Hey, if you get a message claiming to be from my domain, doesn't pass DMARC, then block it. So, as we mentioned at the start, the risk is, if you're not sure you've authenticated all your legitimate mail before you move to those stricter policy settings, you could impact legitimate mail at the same time you impact malicious mail, because DMARC doesn't know or care what content you send. All it looks at is, hey, does this message authenticate properly for the domain it claims to be from? And if it doesn't, then get rid of it. So, it's a very, it's a blunt instrument, you know, it's kind of, you know, in today's world it's very, it's pretty binary. A message either authenticates properly or it doesn't, if it doesn't do this to it. Based on your policy set.  

00:14:44

Jonathan Torres: Yeah. And I mean, and that's, I think definitely the beauty of putting something out there for those things, like getting those reports through, like allowing all that stuff to happen. It's something that I don't think people think about in the sense of like the benefits of it. Like people think Oh, the reporting is going to have to come through somewhere. What am I going to do with it? I know for myself, like I've been working with customers for quite a while.

00:15:04

Jonathan Torres: And you know, they're always like, well, I can just send the reports to, you know, X mailbox and that'll be fine. And they can just sit there and live there. And that's great. But what is it doing for you? What are you actually going to be able to do with that? And a lot of times the answer is nothing. It's just that it's going to be there. It's part of the DMARC record. So we're going to set it up and that's where it's going to go. Yahoo and Google. Again, like you just mentioned, Brian, like they didn't even require that. They were like, Oh, you can just put a policy of none, no reporting going anywhere. Like totally fine. But it's not what's good and beneficial for the actual sender where they can see that going. And I mean, I know because I've done it where you can just send it to a mailbox, get that XML file, throw it into a reader, and then try to get some of that information back out of what exactly is happening, but it's never as good as when you can really organize it and see on a day to day basis, like what is happening with your email, and a lot of times, I mean, there's things that are even discovered in there, like how many people are forwarding your email have we ever looked at that, right? If you're sending over to a business or a school and you realize that, Hey, all these emails are actually being forwarded to a different location. This is just almost like a domain that's there for the sake of having a domain, that's going to be a customized mailbox, but really all the emails then going off to Yahoo and Google and everywhere else, like that's super informational and that's good to know. So, you know, as somebody who would be sending a lot of email, I would want to know that. So, you know set it up if you do it to what the spirit of the rule is and not the letter of the rule. I think it's so much more helpful and having that mailbox, having something where you can go and actually read those reports. Super, super helpful. And again, we keep talking about it. I'm sure we'll mention it again. p=none. The nothing policy that does absolutely nothing great start getting those reports, building those reports, but that should be a stepping stone to a much stricter requirement. So, and I mean, and kind of getting into the reporting side of it. And I know Peter, I kind of want to throw this over to you. I know it's been a thing where people have requested this. I know I've gotten that request. Like, where do we go? Where do we do it? Like, how's it going to do it? And I'm always like, not me. So if you want to talk a little bit about how that helps us or how you envision that kind of happening there.

00:17:02

Peter Trinder: Yeah, I mean, this has been the top requested feature on Mailgun for a very long time. It's always been such a large undertaking, which is why, again, we partnered with Red Sift to achieve this. But we also, with Yahoo and Google, there's more customer demand for it, but it's also like for the greater good. We're not actually charging for this feature. Everyone is able to generate a DMARC record on setup. So we want everyone to have a DMARC record. It's really for the greater good. It's good for us. It's good for the mailbox providers and it's good for our customers sending email. There's the only people that don't like this or the people that are trying to spoof your domains, right? This is good for everyone. We provide aggregate reporting to all customers on a paid plan. That's the one caveat. If you have a free Mailgun account, you do get the DMARC record to set it up, but you don't get access to the aggregate report. If you pay for any level on Mailgun, then you get the aggregate reports. And those are Those reports are going to be good enough for a majority of people. There are also forensic reports with which we're not integrating with. We'd refer you over to Red Sift if you have need of more complex functionality like that. But we really wanted to simplify things within the Mailgun interface and make it so that a self service user can get in there look at a chart. Quite frankly, it's a green good, red bad, right? We really try to make it simple and easy to understand. And for a majority of users, that should be all you need. 

00:18:27

Jonathan Torres: I like it. I mean, why not? You know, if it's there, the functionality is there. If you're going to have availability to it people should be doing that. I keep saying we need it, but it's more, you know, you as a sender, like you really want it.

00:18:37

Eric Trinidad: Oh, I was going to say now that we have this visual format, we should have done like some type of Hey, here's kind of what it looks like. Sorry. That was an idea just to

00:18:45

Jonathan Torres: bring in the charts. I mean, there's people still listening on audio, so, you know, you can't rely. Yeah.

00:18:50

Brian Westnedge: It's going to be amazing. Let me tell you, it's who doesn't want to see their SPF pass rates and their DKIM pass rates? Are you aligned? Are you sending aligned SPF and aligned DKIM? You know.

00:19:03

Eric Trinidad: I think that gamifies it a lot. Cause I feel like if I want everything to be green, like I got to make sure that everything's set up correctly and configured properly. And it's the OCD in me when I see oh, DMARC's failing for this reason, or, you know, I'm like, oh, come on, you know? So. At least that's what I see it as.

00:19:20

Brian Westnedge: Good point. It could be failing for a legitimate reason like we talked about forwarding, right? That happens. I see that a lot with really big B2C companies who send mail to people with college EDU addresses, right? Those always forward to a Gmail account or Yahoo account. And, you know, a lot of times that will break DMARC. So it's good for you to be able to see that and be like, Oh yeah, I realize that, or Hey, I can't align SPF for whatever reason, but I know I'm sending a line DKIM, so great, I'm still going to pass DMARC, but I shouldn't stress because I couldn't change my SPF domain to align or whatever the case may be. So yeah there's some good reasons why. Hey, it might be red in this case, but you know, three quarters of everything is green now, one quarter's red, but that's okay.

00:20:03

Jonathan Torres: It's good to understand like why, you know, it's informational, which is always the key. And it's always fun to see when, you know, people realize that somebody's sending email as them and they had no idea that. Anybody who was sending email as them from a different part of the same company. It's fun, you know, I'm not going to say we've experienced that at an email company, but maybe we have.

00:20:23

Brian Westnedge: In 15 years of working in the DMARC space, I've never run into a company that says, Hey, we got an email governance manager and email governance function or business, you know, right. I mean, email is usually siloed Hey, marketing is using Mailgun and, you know, customer services using Zendesk. And you know, inside sales uses Marketo or whatever, you know, always email is siloed. So DMARC, even if you don't have a person whose task is email governance, it will give you the information you need to, as an organization to govern everything. And if some intern like is Hey, I'm going to spin up a free instance of Mailgun and send a newsletter, like they'll be able to see that right away and say, Hey, maybe. You don't want to do that or at least give them that visibility. Like you said before, whereas before you would not know that shadow IT was going on, right. That I decided to, there would be a great idea to send a new year's greeting, you know, from my company, but happens all the time. And especially as the larger, the company. Yeah, the more siloed it gets, right, and the more mail it sends. So DMARC really can lock it down. And frankly, once your domain is at reject, like you can block anything you don't want to send as you, whether it's spoofing, which obviously you wanna block, but you can also stop unauthorized folks from internally sending as your domain. So it really gives control. To, you know, various business units, whether it's marketing or IT or security, it really locks down your environment.  

00:21:52

Jonathan Torres: It's funny. I don't think I've ever even thought of it that way. Because I've never run across it to somebody who's like a governance for email who's ultimately in control. It's just, it's the wild west still. I like it. We should have a czar of email at every company. I think that's the right level. I think it's definitely eye opening whenever you start getting those reports. So like I encourage anybody who's curious if you're doing it, the product is coming on the Mailgun side. I know we have a lot of listeners who use Mailgun and. You know, but even if you don't like, if you have a provider thats doing stuff like look into those reports. Like I can't push that enough. It's going to be just something that's really good for you to just at least have some insight on. The next part that we want to talk about too is the whole BIMI aspect of this, right? Like we've already mentioned it a little bit in, in brief, you know, what does that mean for, you know, setting up DMARC and then the next steps above that and how that's going to continue to evolve and I know Brian, you have some things to say about it. 

00:22:46

Brian Westnedge: Yeah when I was last on Email's Not Dead you know, BIMI was the carrot that Google and Yahoo were using to get folks to adopt DMARC. Hey, get your domain enforcement and we'll give you this pretty thing, which is logo display with a verified tick box, which is really cool. Right. But it was a carrot you know, it was up to a really enterprising marketer, you know, to say, Hey, We want this, it's going to help my email stand out and I'm going to enlist IT to help me authenticate all of my non marketing email. So that, that was the carrot, but now there's actually a really big stick to DMARC, which is Yahoogle requirements and soon, Microsoft, right? So now they're like, Hey, sorry. You know, yes, right now it's just a DMARC policy of none, but we know where that will go eventually. And they are going to require enforcement. So we're going to see an uptick in, I think BIMI adoption because people have gotten their domains in order for Yahoogle compliance, you know, not to steal thunder from future guests, but I know you'll be getting deep into BIMI with the BIMI group soon, which will be awesome. But just very generally speaking, with the Yahoogle requirements, we've seen an increase in adoption of BIMI by new providers, you know, either regionally and in certain parts of the world just saw on LinkedIn recently that Comcast has started to test BIMI, which is really exciting for those of us in the US right. So expect to see them do it. Microsoft is still kind of the laggard on BIMI as well. Haven't heard anything about their BIMI plans. I wish I could say yes, I have, but my guess is sender requirements come first and then BIMI. It's not trivial, you know, for the mailbox providers, you know, to give them credit. A lot of times they do have to do some UI work to you know, display either the logo or a verified tick box like Yahoo and and Google do, you know, there might be work that they have to do on their mobile apps. So I don't think it's not a trivial thing to just say. Hey, we're going to turn on BIMI. You know, they got to do the BIMI check. They got to look up the BIMI record, you know, and DNS. So it's definitely there's work, right? And this is a free service for senders, essentially who mail into their environments, but it does make their environments better for their users too, because mailbox providers always want a good user user experience. For them, it's Hey, if the domain owner takes the time to authenticate their mail and gets their domain to enforcement, then we are going to give them this benefit that will allow them to stand out in the inbox, which is BIMI. So I would expect to see BIMI adoption ramp up. You know, as DMARC adoption ramps up and I know you'll be getting deep into that with the BIMI working group, but there's exciting things on the horizon with marks certificates that don't require trademark, for instance. So they'll be able to tell you a little bit more about that. BIMI will become, I think, more accessible to more organizations. And today, anybody can put a BIMI record in place. Once their domains at enforcement, they can test it at places like Yahoo that don't require, you know, any sort of mark certificate, you know, it's no cost for the sender So hey, my advice is anybody's listening If your domain is a quarantine or reject and you send enough volume to Yahoo put a BIMI record in place and test it and check your response. You can't hurt anything. There's no downside to it in my mind. So give it a shot.  

00:26:00

Eric Trinidad: Oh, yeah, I think Jonathan and I from way back in our early deliverability days would always tell folks that we're having hard times at Gmail get DMARC set up, you know, get that going, and that'll help, you know, it's legitimate messages you're trying to get through build your reputation that way.

00:26:15

Brian Westnedge: My friend Todd Herr always says DMARC gives you the deliverability you deserve or the delivery you deserve. So authentication is just one piece of email delivery, right? Overall do you send mail that people want, that's gonna drive your delivery more than anything. But of course. Got to send well authenticated email, you got to honor unsubscribes, got to keep your spam complaints low, you got to keep your list clean, You know, Got to have list unsubscribe headers etc. There's all these things. Yes, authentication is a big piece of it. But it's only one piece, right? Doesn't absolve you from doing all the other good things that you should be doing for good email deliverability. But it is an important piece and , if you don't authenticate your mail, you're allowing other people to claim to be you, which you don't want to do. So yeah.

00:26:59

Eric Trinidad: Stealing your rep. Yeah. Brian, as long as you've been in email have you found that silver bullet? I think we get that question so much.

00:27:06

Brian Westnedge: Oh man, the silver bullet, send email that people want to receive. It's so easy, isn't it? Yeah, we've all been around email so long, like I started into deliverability before I got into DMARC. It's been the question that marketers have always been looking for. Man, what's the silver bullet? It's like the silver bullet to stop spam on the other side of things is like people are always looking for a silver bullet to stop phishing and spoofing. And the reality is you need a layered approach. You need an email gateway, you need maybe an anti phishing solution. You need DMARC, you need all these different layers. You can't just buy one thing. If anybody ever tells you, Hey, I got the ultimate solution, email delivery, email marketing, email spoofing, you know, you can just totally stop listening to that person because it just doesn't.

00:27:47

Eric Trinidad: Yeah no, that's a great point. I think as we get older, you know, usually the answer is always, it depends, you know. Our customers hate that, don't they? When we say that. Yeah, they're like, just give me a for sure answer. Well, what are you doing?  

00:28:01

Brian Westnedge: Fifty Shades of Grey in email, right? There's part art, part science. The science is, hey. Got to have a good email platform, right? Like Mailgun, you got to have authentication. Oh there's some nuts and bolts. List unsubscribed. The art is how do you send mail that people don't complain about? How do you make your email relevant? Yeah. It's like, how do you keep your content fresh? Right. How do you keep your...  

00:28:24

Jonathan Torres: Keep an audience engaged you know?

00:28:27

Brian Westnedge: Right. In this day and age, in our short attention span lives . That's the art, which is why, you know, good email marketing managers worth you know, a ton of money in my mind.

00:28:36

Peter Trinder: We were just talking about DMARC and saying, you know, spammers are actually the best of at having proper DMARC records set up, right? Because it's such an easy thing for them to do. You're spinning up a spam domain. You set up a DMARC record p=reject no problem. At all. So yeah, definitely not a silver bullet, but it stops them from doing that to you.

00:28:56

Jonathan Torres: And to kind of come full circle on that, when we talk about the BIMI piece I think that's just one of those things that right now we're seeing some of the early adopters, right? Like those are the ones that are really doing something with it right now. And to me, it calls out my attention and that's for sure. Because you know, I mean I'm going to call myself out. I'm Apple fan boy. And I'm one of those people that uses Apple mail for their primary everything. Like it just feeds into one spot. And I mean, they've started to even implement the logo system within there, you know, so you can see who's coming through and they always try to categorize things also, where it's you know, you get the little building for what they think is a business. And, you know, if it's an airline, they're going to put a little airplane next to it. But then when you see the actual logo for, you know, who that sender is that's above and beyond. You're like, I know exactly who that is. I know exactly what they're sending to me. I know it's actually them. And that calls it out even more. So even from, you know, someone like me who works in email, like when I see that, it's I'm going to click on that one. I know what that is.

00:29:45

Peter Trinder: It gives me confidence as a consumer that it's not a phishing email, right? That logo means that it's a hundred percent legit and that I can trust the content.  

00:29:53

Thomas Knierien: I know we have BIMI group coming on soon with Matt V our old homie, but it's so cool now, if you go into Apple mail. To see when you click on like a verified logo now, especially from target or whatever, anything from that's got a BIMI record. Apple will give you a description of what BIMI is now, if you click on it. And I think that is the coolest thing. It's cause okay, now you're finally like educating viewers, users, and consumers, like what this is. Creating, you know, better receivers for email. Now for people to be like, okay, this is legit. Now we're creating better viewers essentially. And knowing okay, that was a phishing email. That was a spoof. Okay, now I know what's legit. What's not legit. So that's something that I'm loving right now, but I had to bring that up it's so cool.

00:30:38

Brian Westnedge: And BIMI built into the new Apple mail on your iPhone, right? If you check your mail with a .mac address or .icloud or .Me, you'll see BIMI logos in your inbox as you're scrolling just native Apple mail. It's so cool.  

00:30:52

Jonathan Torres: Yeah, I love it. I love it because I'm spiritually the old man of the group, I feel. And I mean, I'll just get in there and if I've let my inbox get out of control, I can just do a fast scroll, look for the little USPS icon and see what mail is coming into my mailbox that day for snail mail. So that's all I'm looking for, but it's nice to see that they have it. They're doing it and snail, while catching up with email.

00:31:13

Eric Trinidad: Finally, it's about time.

00:31:14

Jonathan Torres: But it is about time. It's nice. The best of both worlds.

00:31:18

Brian Westnedge: And we'll catch up with social, right? Our social platforms have had the verified concept for a long time and now it's coming to email. So like I said, it's about time.

00:31:28

Peter Trinder: DMARC everyone should implement it, it's for the greater good where, you know, Mailgun isn't releasing DMARC for monetary reasons, we want everyone to use it and we want it as cheap and accessible as possible, so please, if you don't have a DMARC record, set it up, it's just. Good for everyone involved.

00:31:46

Eric Trinidad: And Peter, if you don't mind saying when when we'll be able to see a lot of these changes in Mailgun

00:31:51

Peter Trinder: It should all be out by the end of March 2025.

00:31:55

Eric Trinidad: And Brian, anything from the Duke of DMARC?

00:31:58

Brian Westnedge: Yeah. Oh I think like Peter said, DMARC makes the email ecosystem better, right? It helps ensure trust in legitimate mail, gets rid of bad mail makes the world a little better, reduces the number of calls we get from our friends and family asking us if this message is legit or not. And you know, we still might not be able to explain BIMI and DMARC to our families, but at least we can kind of say, Hey, we work in a ecosystem that keeps fake email out of your inboxes and make sure you get the email you want. So I think that's what all of us know one ultimately is like, Hey, let's have a good experience for both the people that send email and a good experience for people that receive email from us.

00:32:38

Eric Trinidad: Yeah, absolutely. I mean, that's what we try to do here. Yeah, like we try to inform people how to be better citizens of the internet. So yeah, absolutely. If anybody has questions or wants to reach out to either of you, Brian, where can they reach out to you at?  

00:32:52

Brian Westnedge: brian.westnedge@redsift.Io redsift.com/bimi if you want to check your domain and see if it's using BIMI or using DMARC, that's a really easy way to do it. And soon login to Mailgun, check it out.

00:33:07

Eric Trinidad: Nice, right on. Peter, if anybody wants to reach out to you or get your feedback or talk about how to build an engine?

00:33:13

Peter Trinder: Well, yeah, we can talk about Miatas later, but we monitor all of the feedback on feedback.mailgun.com. So if you leave any responses there, We'll see them, we'll respond if you're nice, if you're not nice, which is very often. We may still respond, but yeah. Yeah, we incorporate feedback from that site all the time. So anything within the UI, there's a link to it from within the Mailgun UI, but feedback.mailgun.com is a bit easier to remember and get to.

00:33:44

Eric Trinidad: Nice. And Thomas, if anybody wants to find us and find out more about us, where can they find us? 

00:33:49

Thomas Knierien: Yeah, you can definitely go over to Mailgun.com/resources/podcasts and you can find this season opener for season six of Email's Not Dead and also this is our inaugural video episode so we have gone video and viral y'all look at our beautiful faces . Now you can see us we're definitely bringing this over to the video side of the world so you can also go to Mailgun's YouTube just give us a Google and you should be able to find us to be the first one, but yeah. And make sure you go check out redsift.Com for all these updates with these DMARC integrations and Mailgun.com as well. Yeah.

00:34:26

Eric Trinidad: Right on. From me in your ears and now on your eyes. Be excellent to each other, folks. Take care. Till next time.