DEV Community: MariiaHlumilina

Sending Emails in WooCommerce

MariiaHlumilina — Tue, 14 Mar 2023 13:05:45 +0000

In 2022, WooCommerce had a market share of 36.68%, making it the leading e-commerce platform worldwide. Online stores use transactional emails to send notifications to their customers, such as receipts or order confirmations. So, WooCommerce also needs a working email-sending functionality.

As a WordPress plugin, WooCommerce uses the native wp_mail()function to send emails, which is far from ideal. This means that emails addressed to your customers might not get sent or delivered to the inbox. They might even get discarded by the receiving mail servers.

Transactional emails in WooCommerce: definition, importance, examples

Transactional emails are emails that are triggered when a user takes a specific action.

For example, when you forget your super difficult password (mydogmax111) for the 100th time and request a reset, you’ll receive an email with a password reset link. That would be a transactional email.

Such emails are important as they provide users with necessary information about further steps, confirm their action, or let them know if something was unsuccessful. Refer to this article to learn more about WordPress transactional emails.

By default, WooCommerce includes certain types of transactional emails that can be modified to match your needs. These are usually WooCommerce order emails:

New order – sent to site administrators
Canceled order – sent to site administrators
Failed order – sent to site administrators
Order on hold – sent to customers
Processing order – sent to customers
Completed order – sent to customers
Refunded order – sent to customers
Customer invoice / Order details – sent to customers
Customer note – sent to customers
Reset password – sent to customers
New account – sent to customers

These templates are available in plain text, HTML, or multipart formats. You can use them as they are or change their color or banner image. For that, you’d need to access WooCommerce email settings and scroll down to the ‘Email template’ section.

It’s also possible to change a particular template, for example, processing order. Simply press the ‘Manage’ button across the template. Fill in the empty fields, such as email subject, heading, additional content, and choose the email type (text, HTML, or multipart). Finally, hit ‘Save changes’.

If that’s not enough and you need more tweaks, just copy the template file below those fields by pressing ‘Copy file to theme’.
Navigate to the ‘Appearance’ tab in the WordPress dashboard and choose ‘Theme file editor’. You’ll see the ‘Theme files’ tab on the right portion of the screen. Scroll down to find ‘WooCommerce’. Expand it and press ‘emails’ which will open the menu with the list of templates you copied.

Choose the template you want to tweak and start coding.

Note: it’s recommended to create a child theme and make changes there to avoid losing all the customizations in the parent theme.

WooCommerce’s default customization options are limited, but there are multiple plugins that can help with that (more on that below).

Though plugins enable you to customize the design, you still have to come up with the content yourself or use templates. Here’s an order confirmation template from Mailtrap:

Subject: Your [SERVICE] order confirmation

Your order is confirmed!

[NAME], thanks for shopping with us. Here are your order details:

[orderID]

[product + picture]

[quantity/other customizations]

[price_paid + payment method] // if payment by card, the last four digits should be used

[shipping + billing address]

We estimate that your order will arrive in 2-3 business days. Click the button below to track it.

TRACK YOUR ORDER

Forgot to add something? Here are the items our clients frequently buy together with [PRODUCT]. Get them within the next 24 hours, and we’ll ship everything together.

[FAQs]

Need any support? Send a reply to this message or contact us right away [link].

Thanks for your order and we hope you enjoy!

How to send emails in WooCommerce with the WP Mail SMTP plugin

As mentioned above, it’s possible to send emails programmatically from WooCommerce with the WordPress wp_mail() function. It calls PHP’s mail()function, which in turn connects with the local host to send emails. Check out this blog post to find more information about sending emails in WordPress.

Without header authentication, PHP’s mail() function is often blocked by WordPress hosting providers. Email servers don’t tolerate this function either, putting incoming emails in the spam folder.

But that’s not the only issue. WooCommerce emails might not be sent or delivered for other reasons as well (refer to the troubleshooting section below for more details).

WP Mail SMTP plugin (or any other SMTP plugin, for that matter) solves those problems by overriding the mail() function and allowing users to configure WordPress SMTP settings.

This plugin connects Gmail SMTP or third-party SMTP service. By doing so, it enables you to send multiple emails from your WooCommerce store regardless of your web host.

Sending custom emails

You’ll have to send custom emails if you want to send after-purchase emails from WooCommerce.

Surprisingly enough, you can’t send email after order to your customers by default. The new order, canceled order, and failed order are all addressed to site administrators.

The native way of sending custom emails is a bit complicated. You’ll need to create an email manager class, extend WC_Email classes, and then build a custom template in plain text and HTML formats. That way, you’ll be able to send HTML email when it’s supported. If not, the email will be displayed in plain text format.

When the custom order emails are created, they will appear in Woocommerce settings.

You can also use ready-made WooCommerce templates and modify them.

If you prefer to use a plugin, you’ll need a premium Follow-Ups plugin. It will help you notify your customers when you’re updating orders (or any other event) or send emails to vendors directly from WooCommerce.

You can find more info on how to send emails with WooCommerce on the Mailtrap Blog.

Email Marketing KPIs You Can or Can’t Do Without

MariiaHlumilina — Wed, 15 Feb 2023 18:37:52 +0000

MUST-HAVE email metrics

Must-have KPIs are crucial for analyzing the performance of any email campaign. We’ve singled out five top-priority metrics:

Open rate
Bounce rate
Unsubscribe rate
Spam complaint rate
Click rate

Open rate

Description:
Open rate denotes how many recipients of the entire mail list opened the email campaign. For this to happen, the email has to be delivered successfully first. Then other factors come into play, such as the email subject line. The better engagement it provides, the higher the open rate will be. Therefore, always check the subject line of your email campaign with respective email testing tools. But, of course, you should not separate subject line as a key factor. The sender name is also viable. Emails sent from “Support team” and “Olga from Mailtrap” are likely to have different open rates.

Which folder an email gets put in, the so-called inbox placement, is a huge deal as well. For example, Gmail may sort incoming emails into Primary, Promotions, Social, and others. Some users open emails mostly from the Primary and Social inboxes, while the Promotions can be neglected completely.

Aspects such as brand recognition and email history also play an important role in the open rate.

Formula: Open rate = (total unique opens ÷ total recipients) × 100

Benchmark:
There are different opinions on the optimum open rate. It depends on the industry, purpose of the email, time of delivery, and so on. But most marketing experts concur that an open rate of <20% is a failure.

How often you should track it:
Every week

Bounce rate

Description:
Bounce rate denotes a ratio of bounced emails to all email addresses in the mail list. A bounced email is an email that failed to be delivered. There are two types of email delivery failure:

soft bounce – which comes from a temporary failure, such as the recipient’s mailbox being full
hard bounce – which comes from a permanent failure, such as an invalid email address

Formula: Bounce rate = (all bounced emails ÷ total email recipients) × 100

Benchmark:
If less than 2% of your emails failed to end up in the recipients’ inboxes, that’s fine. Once you’ve stepped over this threshold, you need to invest effort in raising your delivery rate (the metric that is opposite to bounce rate). A double-digit value of email bounce rate is an alert signal – your sender reputation is at risk.

How often you should track it:
Every month

Unsubscribe rate

Description:
Unsubscribe rate is the ratio of the recipients who clicked Unsubscribe to the total number of emails delivered. As a rule, this metric shows how many subscribers lost interest in your product or service. At the same time, the reasons that lead to opting out may include:

misleading subject lines
emailing too frequently
ineffective offer
and many more

Unsubscribe rate can point out how to fine-tune your email campaigns and filter out irrelevant subscribers. Segmenting subscribers will also help you reduce unsubscribe rates.

Formula: Unsubscribe rate = (total unsubscribes ÷ total emails delivered)

Benchmark:
A threshold value of unsubscribe rate is 0.5% per email campaign. This means that of 100 emails delivered, you may have up to 5 unsubscribes.

How often you should track it:
Every week

Spam complaint rate

Description:
Spam rate denotes the ratio of the recipients who marked your email as spam to the total number of emails delivered. This is the most critical metric for your domain reputation and deliverability in general.

Do not confuse this metric with the Spam score, which does not depend on the recipient’s attitude to your email. The spam score is sort of a ticket for your email campaign to pass through spam filters. If your email has a high spam score, it will go into the spam folder automatically. In the blog post Why Emails Going to Spam and How to Prevent It, you’ll find more on this.

With the spam complaint rate, the destiny of your email is totally in the recipient’s hands. They can click “Mark as spam” for different reasons, such as:

emailing too frequently
irrelevant content
no opt-out option
the recipient did not give consent for emailing

The last two points are especially important in terms of GDPR compliance. For more on this topic, read our blog post about GDPR for email marketing.

Formula: Spam complaint rate = (total “marked as spam” ÷ total emails delivered) × 100

Benchmark:
The optimum spam complaint rate is below 0.1%. If it’s higher, your email marketing either targets false recipients or delivers poor value.

How often you should track it:
Every week

Click rate

Description:
Click rate, also known as click-through rate (CTR) defines how many recipients clicked on the links in your email. This metric depends on a few factors:

credible and compelling content
email formatting
anchor text on the link
link location in the email body
total number of links

All this should convince a recipient to take an action and click the link. If the click rate is poor, this means that you failed to deliver your CTA or idea to subscribers.

Formula: Click rate = (total unique clicks ÷ total emails delivered) × 100

Benchmark:
There is no maximum optimum click rate. The values differ by industries. For example, according to Constant Contact’s Knowledge Base, the average CTR in the transportation industry in September 2019 was 16.61%. Meanwhile, the average CTR in the travel and tourism industry was only 5.92%.

How often you should track it:
Every week

Thanks for reading the Mailtrap guide about email marketing metrics. You can check more useful info by following the link.

Emails and GDPR - Questions to Answer

MariiaHlumilina — Mon, 13 Feb 2023 17:54:50 +0000

On May 25, 2018, the General Data Protection Regulation (GDPR) took effect in the EU. Before this, there were many concerns as to the impact GDPR would have on email marketing. Some predicted adverse consequences and total disruption of existing marketing strategies. The rules have changed de facto, and you’ll have to pay daunting fines for their violation. But the devil is not as black as he is painted. Therefore, we collected the 10 most asked questions for GDPR email compliance and answered them.

What is GDPR all about?

Personal data protection is what the GDPR focuses on. Personal data is any information that can explicitly or implicitly identify an individual. This may include:

name
location
addresses (mail, email, IP, etc.)
bank details
gender
religious beliefs
ethnicity
political opinion
biometric data
web cookies
contacts
device IDs
and pseudonymous data

GDPR lays out rules and principles of personal data protection. It’s aimed at the way companies collect, store, or use the data. There is no direct emphasis on email or email marketing. However, the mailbox of a company contains lots of data that can be deemed personal: names, email addresses, conversations, and much more. Therefore, an email is a valuable asset that must be in compliance with GDPR requirements. This includes email marketing, antispam activities, as well as email encryption and safety.

Question #1 – What is the biggest headache for an email marketer under the GDPR?

Short answer: Email consent
Where in the GDPR is this covered: Article 6, 7
Long answer:

According to the EU Data Protection Directive (Directive 95/46/EC), data should not be disclosed without the data subject’s consent. GDPR expanded this statement and elaborated requirements for collection and storage of users’ consent. Details are laid out in Article 6, but the key points are the following:

Your request for the user’s consent must be understandable and clearly distinguished
The provided consent must be freely given by an individual for a specific purpose without any ambiguous representation
The provided consent can be withdrawn by an individual at any time
Email consent must be separated from other options or services, such as privacy notices, terms and conditions, and so on. You can request consent for a particular purpose and specify this explicitly.
An opt-out option is a MUST. You are to provide a free and convenient way for users to withdraw consent – unsubscribe. In this aspect, GDPR is similar to the CAN-SPAM act.

Question #2 – To send, or not to send emails to the existing email list

Short answer: Send if you can prove there is email consent
Where in the GDPR is this covered: Article 4, 6, 7, 9, 22
Long answer:

Mailtrap began to take measures to ensure full compliance with GDPR far before it came into effect. Before GDPR, our customer base included over 300K email addresses. These were users who signed up for Mailtrap services and agreed to receive transactional emails like product updates, changes in billing plans, and other important notes. We did not, however, request explicit consent to send marketing emails to them. So, shall we reconfirm or can we send emails without it?

First, GDPR applies to all signups no matter when they provided their personal data. If you can prove that you have an unambiguous consent record of the existing email list, then you are GDPR-compliant.
Second, make sure that the consent applies to both transactional and marketing emails. This really matters because the GDPR is aimed at preventing users from receiving unwanted marketing emails. Using transactional emails for marketing purposes is also a dead-end. Sooner or later, some of your customers may report this to the data protection authority. If they conclude that your transactional emails look more like marketing ones, you’ll be fined.

In the case of Mailtrap, we had consent for sending transactional emails only. So, sending marketing emails without re-engaging our email list would be a violation of the GDPR.

Question #3 – Email retention policy – what is it for?

Short answer: To protect against possible break-in of employee mailboxes
Where in the GDPR is this covered: Article 5, 17
Long answer:

Data erasure is one of the main data protection principles laid out in GDPR. The essence of this is that companies can store personal data of individuals no longer than it is necessary. The storage period should be set up according to the reason why the data is needed for processing. For example, you’re processing CVs while looking for candidates for a certain position. Once the candidate has been found, you don’t have to get rid of all the processed CVs at once. On the other hand, storing personal data (from CVs) for 5+ years without any update would be irrelevant.

There are exclusions for when companies can keep the data for a longer period. Those include archiving or scientific purposes, law restrictions, and other reasons. In these cases, the appropriate data security measures are obligatory.

In terms of GDPR and emails, the companies have to focus on the amount of data their employees’ store in their mailboxes. For this purpose, they need to establish an email retention policy that will regulate frequency, volume, and other aspects of email data erasure. The idea is to minimize the adverse consequences of a data breach in the case of a mailbox break-in.

Question #4 – Did the GDPR get rid of spam and doom email marketing?

Short answer: No, it did not
Where in the GDPR is this covered: Article 5, 6, 13
Long answer:

Someone expected significant changes after May 25, 2018. There were predictions for the demise of spam. GDPR was introduced as a hero that beats outlaws spreading malicious emails. But the hard-driving requirements were meant to protect personal data rather than combat spammers. You can see the outcome by yourself – our spam folders have not emptied. Maybe, we should wait till the email consent-centered regulation will help. Who knows?

Another prediction referred to the sunset of email marketers. Oppositionists introduced GDPR as an anti-email marketing document. However, it’s only meant to facilitate a customer’s email experience. Yes, GDPR stimulates companies to be more attentive to how they work with data. Those who are OK with that, survive; others don’t.

Question #5 – Will I get penalized for poor email safety measures?

Short answer: GDPR non-compliance may be a costly mistake
Where in the GDPR is this covered: Article 82, 83
Long answer:

Let’s say, you’ve experienced a data breach because of your employee’s negligence, mailbox break-in, or anything else. Mostly, this happens due to the lack of security measures and policies that could have prevented a data breach. GDPR is not aimed at punishing anyone for poor email safety measures alone. A penalty for GDPR non-compliance will be a result of many internal problems with security and a lack of understanding of GDPR principles.

The GDPR established the following fines for violation of the rules:

€10 ($11.2) million, or 2% of global revenue, whichever is higher. This fine covers the less severe infringements regulated by the following Articles: 8, 11, 25-39, 41-43.
€20 ($22.3) million or 4 percent of global revenue, whichever is higher. This fine covers the more serious infringements regulated by the following Articles: 5, 6, 7, 9, 12-22, 44-49.

In both cases, you’ll have to pay compensation for damages.
At the same time, the threshold of €20 ($22.3) million is not ultimate. At the beginning of 2019, the French data privacy body, CNIL, imposed a €50 million ($57 million) penalty to Google. The official reason was “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

Data protection regulators in each EU country are entitled to administer fines themselves. That’s why the UK Information Commissioner’s Office could penalize British Airways for £183 ($230) million. The reason was the 2018 data breach that compromised 500K consumers.

For more tips about GDPR email encryption requirements, check the initial Mailtrap article.

Email Analytics

MariiaHlumilina — Sat, 04 Feb 2023 23:40:50 +0000

What to track in your emails

Email campaigns can be different. Do you think that metrics should vary from one campaign type to another? For example, should the analysis of email newsletters differ from order confirmation analytics? To figure this out, we will inspect the main email metrics.

Email delivery
This is the ultimate metric required for campaigns of all types. Whether you are sending notifications about new comments to the blog post or a limited time offer for your special products, you need to know whether they were delivered. Otherwise, what sense does it make to send emails at all? You should be able to track soft and hard bounces and monitor your spam rate. The latter is not an easy task because none of the existing tools is able to report whether your message landed in the main inbox folder or went to spam.

Open rate
Some resources claim that an open rate should be considered to be unreliable. From one perspective, if your recipients open your messages, it doesn’t mean that they read them. But from the other, monitoring the open rate and reviewing its historical data can help you to understand if something went wrong. For instance, users almost stopped opening password reset messages. Are they going to spam folders?

Click tracking
It’s hard to imagine that you haven’t included any links in your email. It’s good to know what attracts recipients in your messages, notwithstanding the email type. If it’s a short notification with a link to more details that requires some actions, you can understand if your message is clear enough.

Unsubscribe rate
The number of recipients who unsubscribe from your campaign is also quite a popular metric to track. In most cases, it is used for marketing emails like newsletters, promotions, etc. If you follow all the data protection rules, you have to put unsubscribe links in all the campaigns you send, including transactional emails.

Conversion Rate
This is actually the main thing you should track. When you send emails, you need to understand whether they are bringing you good results. Usually, by “conversion” we mean “purchases”, but in fact, your emailing goals might be different. Depending on the aim of your email campaign, the conversion rate might be calculated as the ratio between the number of delivered emails and completed goals (sign-ups, purchases, responses, etc.).

Email tracking vs email analytics

When you start exploring this topic and looking for tools for email analytics, you will see a variety of options for email tracking. From the first glance, these two concepts look similar but in fact, they collect different metrics and have different purposes.

Email tracking tools like Mailtrack, Docsify, or the more advanced Bananatag platform, notify you when your email was opened, whether the recipient clicked the link in your message, downloaded an attachment, etc. (the list of options varies from app to app). Mostly, they work as plugins for Gmail and Outlook and help you monitor email conversations rather than email campaigns.

There is another type of tool that is also called email analytics – email analytics for Gmail, like EmailAnalytics and Email Meter. The main app in this category is EmailAnalytics, and it is designed to analyze the usage of your Gmail account. It provides you with statistics of sent and received emails, overall email traffic, email categories, etc.

Free email analytics tools

Your choice of free email analytics tools is quite limited. Data analytics is a complicated and sometimes sensitive task, so, there are almost no tools with a free plan available.

The first thing you can do to analyze your email campaigns for free is to use an email sending platform like Mailjet, SendPulse, Sparkpost (or any other featuring a free tier).

Every dedicated email sending platform provides its own analytics. If you use email marketing automation software or CRM like Hubspot, Salesforce, or Zoho you get quite a powerful toolset.

Google Analytics and emails

If you have a website and link your emails to it, then you can track and analyze your messages with the help of Google Analytics (GA). There are several ways to do this.

Tracking can be performed with the help of a pixel, which you should insert as an image tag to your HTML email code. However, it doesn’t work for Gmail and Yahoo email clients.

The other way to connect your email to GA is to use UTM tags for your links. UTM tags are special marks that instruct GA how to interpret the link source. You can create them manually or with the free Campaign URL Builder tool by Google. Then you will find the related data in the Acquisition report for your website (add email as a segment to view an instant report on email campaigns performance).

Email analytics tools can help you a lot, but it is always better to send test email first.

Thanks a lot for reading a piece from the guide about email analytics tools by the Mailtrap Blog! You can find more tips for begginers in email marketing there.

DKIM Explained

MariiaHlumilina — Fri, 13 Jan 2023 14:07:42 +0000

DKIM signature, along with other methods, such as SPF or DMARC, is one of the most common methods of authenticating yourself as the sender of an email message. Below, we explain why you should use it and how it actually works. Let’s get started!

What is DKIM?

DomainKeys Identified Mail (DKIM) is a digital signature added to every email sent from a given email address. It’s not a typical signature you’d expect to see on the bottom of a corporate email. As a matter of fact, normally, you don’t even see the DKIM. It’s a seemingly random set of characters hidden in an email’s source code — a place where people don’t usually look, but servers accepting incoming emails definitely do.

After all, DKIM is an industry standard for email authentication. Of course, adding a DKIM signature doesn’t guarantee delivery, but it significantly boosts the odds of a positive outcome.

Why use DKIM?

Imagine the following scenario. You’re sending a quick follow-up message to a potential investor after a meeting, “Yvonne, let me know if you would like to proceed with what we discussed earlier.” Some time goes by, and you never got a reply from Yvonne but you bump into her in another meeting and discreetly mention that email. Puzzled, Yvonne says, “Mark, I never heard from you back.”

There are many potential reasons for poor deliverability, but, as it turned out, Mark forgot to set up DKIM authentication for his email account. As a result, Yvonne’s server wasn’t quite sure if it was really Mark emailing her and discarded the message.

The main purpose of DKIM is to prevent spoofing. Email spoofing is changing the original message’s content and sending it from an alternative sender that looks like a trusted source. This type of cyber attack is widely used for fraud — for example, someone sending payment request messages from an email address that looks like yours (mark@whatevercompany.io vs. mark@whatever-company.io).

How does DKIM work?

DKIM signing and receiving happens in three steps:

The sender decides what to include in a DKIM record

As a sender, you can limit yourself to only certain parts of header fields (“From”, “To”, “Cc”, “Subject”, etc.), and can also go as far as including the entire header and body in DKIM. You can also choose to add some or all of the optional fields mentioned above.

Technically, the more specific details are included, the more reliable authentication will be. But you need to be careful with this too as even the tiniest details changed by your SMTP email server will lead to a failed DKIM authentication on the receiving side.

The DKIM is created and a message including it is sent

Once the server knows what to include in the DKIM and email sending is initiated, it starts hashing the content. You have already seen how “b” and “bh” tags looked in our example.

A message is received, and the server validates the DKIM signatures

Within seconds, a message is received by the receiving mail server, and it needs to make an important decision — whether to allow the email in or not. When it sees that a DKIM is included with the message, it immediately starts the validation process.

How do you add DKIM signature to your emails?

Adding DKIM requires changing some details of your DNS records. Many email clients cover the process in detail (Mailtrap Email API, MailChimp,SendGrid, Sendinblue, Mailjet, AWeber, Gmail, Outlook & Office365).

If your email client doesn’t offer any help on implementing DKIM, or you’re setting up your own infrastructure, check out DKIM’s official documentation. With Mailtrap Email API, you get DKIM records with a quarterly automated rotation that helps keep your email infrastructure secure.

How can you test whether DKIM was configured properly?

Once DKIM is added, make sure that you validate it with an online DKIM analyzer. Use, for example, MXToolbox or Mail-tester.com — the latter can be used to check SPF records simultaneously.

You can also just send a test email to your Gmail or Yahoo account and verify whether a message arrived with your DKIM signature yourself.

Once the message arrives, expand the email header with the triangle icon below the sender’s name. If the sender’s domain appears for both “mailed-by” and “signed-by”, the message was verified successfully with DKIM.

Three major misconceptions about DKIM

DKIM encrypts your mail

It doesn’t. DKIM’s primary concern is to verify and confirm that the message is intact. The hashes under “bh” and “b” tags offer protection from message modification and replay, including partial protection from identity theft and forgery. A passed DKIM verification test basically means that the email sent has permission to be sent from this domain and that the message content was not altered while in transit.

A DKIM signature can be forged since its details are available in DNS records

No it cannot be forged. DKIM is based on PKI (Public key infrastructure), which means a pair of keys is involved. One public and one private. While it is true that the public key is published in the DNS records (and is available for everyone to retrieve), the private key is kept only on the email service provider server. The private key stays secret and is used to sign messages. The public key cannot sign messages and is used only for verification.

DKIM saves you from spam once and for all

We wish. As DKIM digital signature only allows proving that the sender is authorized to send messages from the domain, and the message was not meddled with on the way, DKIM only lowers the chances of spammers using forged or stolen email addresses.

However, nothing stops them from buying a domain, setting up a DKIM record, and continuing with their spamming activities. In fact, this might even, in a certain way, legitimize spam.

Nevertheless, using a real domain name instead of a forged one can most likely minimize phishing attacks like when you receive a forged email from your “bank” asking you to confirm your credit card details.

DKIM key rotation: keep your DKIM security up-to-date

Although DKIM public 1024-bits keys are hard to crack and 2048-bit keys are almost impossible they are still published in the DNS records and thus might become a target of attack. Private keys (signing key) could also be stolen if the system where it is stored is hacked.

To mitigate the risks of compromising DKIM keys, you need to minimize the time they are actively used. The process of systematic replacement of the old DKIM pair of keys with the new one is called DKIM key rotation.

In general, the recommended key rotation period is from quarterly replacement up to every six months. The frequency of key rotation should be established by the organization individually, but most definitely, it’s a must in the workflow.

The process of key rotation can become quite complicated within companies that have multiple email streams, delegated subdomains, or streams sent on their behalf by third parties. Thus, to keep your email flow secure, the DKIM key rotation process should be planned ahead.

Thanks for reading the article! To know more about the DKIM you can follow the link to the original information from the Mailtrap Blog.

An ultimate guide to email infrastructure

MariiaHlumilina — Thu, 12 Jan 2023 15:43:03 +0000

While sending emails is a straightforward process for individuals, organizations don’t have that luxury. They must put a lot of thought into this process to avoid security threats and ensure all of their emails get to recipients’ inboxes. That’s where email infrastructure comes into play.

Though it operates behind the scenes, it combines all the components that are responsible for sending and delivering emails. Today, we’ll break down what email infrastructure is, how it works, and what can be done to boost its performance.

What is email infrastructure?

Email infrastructure is the set of software and hardware components that are triggered as soon as you write an email and hit the send button. It combines mail servers, agents, and IP addresses – basically everything that you’d need for the successful delivery of email campaigns.

Think of it as a postal system that combines postal offices, staff who sort through mail, in-house or third-party delivery services, and postal carriers who bring mail to your doorstep.

Even though emails are written and sent through the internet, the structure of the infrastructure is rather similar to real-life postal services (excluding all the servers and authentication protocols, of course).

Why would you care about email infrastructure?

Let’s say you have a paper invitation to deliver to your colleague. You drop the letter in the mailbox, but it doesn’t get picked up on time. While you’re waiting for the mail carrier, someone breaks into the mailbox, changes the letter’s content, and disappears.

The letter gets delivered to the recipient eventually, but instead of containing an invitation to the New Year’s Party, it asks your colleague to donate money to the swindler’s bank account.

That’s exactly how phishing attacks are executed in the world of electronic mail. Weak email infrastructure becomes an easy target, allowing attackers to hijack reputable email addresses, forge the content of emails, and deceive recipients. Such attacks are not only harmful for the recipient, but they also have dire consequences in terms of data privacy and protection.

Another point to remember here is that poorly-executed email infrastructure can have a direct impact on sender reputation, causing the recipient’s email client to think that your domain isn’t secure and mark it as spam, reducing the deliverability rate of your transactional emails.

Email infrastructure architecture

Email infrastructure consists of the following elements: mail agents, mail servers, authentication protocols, IP addresses, and feedback loops.

Mail agents
Mail agents are vital components of email infrastructure as they take care of the whole process from sending to transferring to delivering the emails and showing them to the recipient. Typically, four types of mail agents are used to send emails: MUA, MSA, MTA, and MDA.

Mail User Agent (MUA)
Mail user agent, otherwise known as email client, is a web-based or desktop application that users use to retrieve, read, send, or receive emails. They also make it possible to delete unwanted messages or flag them as spam. The most common MUAs include Google Gmail, Microsoft Outlook, and Mozilla Thunderbird, among others.

In real life, an MUA would be a local post office or mailbox to which you submit the mail you’re willing to send.

Mail Submission Agent (MSA)
Mail submission agent acts as an intermediary between the mail user agent (MUA) and the mail transfer agent (MTA). It receives the message from the email client, checks it for errors, and, if everything’s okay, transmits it to MTA.

Think of MSA as a post office counter clerk who checks whether your and your recipient’s addresses are indicated correctly on the envelope.

Mail Transfer Agent (MTA)
After receiving the message from MSA, mail transfer agent or email relay transmits messages to another computer. If the recipient’s email address is on the same server, the email will proceed to the next step in the delivery process.

However, most of the addresses aren’t. In that case, email relay or SMTP relay comes into play: MTA looks up the recipient’s domain and, if there’s a match, transfers the message to another MTA.

If we circle back to the paper mail, MTA would be the mail processing plant where the letters are sorted depending on which neighborhood they are addressed to. If the recipient’s address is in the same city, the letter will be delivered right away. If not, it might be sent to another mail processing plant or MTA closer to the recipient’s address.

MTA is also a crucial component in email queuing while sending emails in bulk. Email queuing is the process of holding off emails on the SMTP server and putting them in a sort of buffer until the recipient is ready to receive them. Email queuing is a natural process that makes it possible to prioritize certain emails (e.g., password change confirmation) over others (e.g., weekly newsletter).

Message Delivery Agent (MDA)
Once the message goes through all the MTAs, it is passed to the message delivery agent, which converts received messages into the appropriate format and transfers them to the recipient’s MUA. In the best-case scenario, messages will end up in the recipient’s inbox. However, if the sender’s domain reputation is low or the authentication fails, messages will go to the spam folder or get discarded.

MDA would be the mail carrier who picks up mail from the recipient’s post office and delivers it to their mailbox (MUA).

Mail servers
It’s virtually impossible to send an email without email servers. There’s only one outgoing server called SMTP server, and two inbound servers: IMAP and POP3.

SMTP server receives the messages from MUA and conducts authentication checks through DNS records to verify the recipient’s email address. If any of the checks fail, the email will bounce back or end up on the blacklist (if the email reputation is low).

If the authentication is successful, emails are delivered through mail agents to the recipient’s inbound mail server, either IMAP or POP3, depending on which one is set up.

IMAP stores received messages on the server and downloads them once the recipient retrieves them from the inbox, saving the copy within the server. This is the option most email clients incorporate into their email infrastructure.

POP3 also stores messages on its servers, but it deletes them as soon as the recipient retrieves their emails. It’s less dependent on an internet connection since the messages are downloaded at once and can be accessed even offline.

IP address
An IP address, otherwise known as an Internet Protocol address, is a combination of numbers (or numbers and symbols in the case of new addresses) that locates and identifies nodes within the computer. It’s a numerical address of the domain, determined by Domain Name System (DNS).

Thanks to DNS, alphabetical names of domains (mailtrap.io, google.com, etc.) can be translated into numerical IP addresses (192.158.1.38.) in seconds. IPs are essential for communication and data sharing between networks and computers i.e. they are vital to internet operation.

There are two main types of IPs: shared and dedicated.

Shared IP is an IP address that is used by multiple domains at once. It’s usually provided by the Internet Service Provider (ISP). It is mostly suitable for individual users or small businesses that send small amounts of emails. Those who use shared IPs are more vulnerable to the other users’ actions as those could be spammers who don’t follow email sending protocols, affecting email sender reputation negatively.

A dedicated IP is an IP address that is allocated to a particular website domain. It’s a more secure option and is widely used by larger organizations that send thousands of emails daily.

Dedicated IPs are more likely to pass spam filters, maintaining a good sender reputation and improving email deliverability, particularly in corporate email infrastructure.

However, to achieve all those results, it’s necessary to use IP warming. IP warming is the process of building trust among email service providers. Once the dedicated IP is created, the user should start sending small batches of emails in a specific schedule, increasing the amount slowly. That way, the IP will gradually warm up, and the domain reputation won’t be compromised.

Authentication protocols
Email authentication protocols are ‘defense mechanisms’ used by the recipients’ servers. They ensure that the message wasn’t hijacked, altered, or forged before getting delivered. To validate the accuracy and authenticity, most modern servers use the following protocols:

SPF: a basic protocol that is used to check if the sender’s IP is authorized. SPF has a TXT format and is stored in DNS records. The recipient’s server will scan DNS to check if the IP belongs to the list of authorized IPs. If so, the email will be delivered. If the authentication fails, the message will be either flagged or rejected.
DKIM: a type of digital signature that is included in the email’s source code to check if the sender’s domain is authorized and verify that the contents of the email weren’t altered. DKIM utilizes a set of tags and characters to create a hashed private key. Once the email gets to the receiving server, it searches for the corresponding public key. If there’s a match between public and private keys, the authentication will be successful.
DMARC: a more advanced authentication method that utilizes either or both SPF and DKIM. While setting up DMARC, the domain owner can choose which of these protocols will be used for authentication and how ‘strict’ the validation process will be (whether the domains should be the exact match or subdomains are also allowed). DMARC protocol enables domain owners to improve their sender reputation gradually by instructing the receiving server on what to do if authentication fails (quarantine, reject, or nothing). It sends reports of each failed authentication and allows for a quick response in case the sender domain gets spoofed.
BIMI: the newest of the authentication protocols that uses DMARC but adds another layer of security by validating brands’ logos. If BIMI is set up, DNS will include the TXT record with information about the brand’s logo. The recipient will see that logo when they receive the email from that brand. BIMI isn’t widely adopted yet as it’s still being tested by email providers.

While setting up your email infrastructure, it’s necessary to decide which authentication protocols will be used for domain verification. Remember that only one protocol might not be enough it’s better to implement the combination of all of them to protect your domain and IP reputation.

Feedback loop
Email feedback loop (FBL) is another important component of email infrastructure. It enables organizations to receive data about users’ spam complaints from email service providers (ESPs).

By doing so, senders get the chance to remove clients who are no longer interested in their content from their email list. Spam complaints are a nightmare for any email marketing campaign as they affect sender reputation and cause deliverability issues.

However, not every user is eligible for FBL registration. It’s not provided by every Internet Service Provider (ISP) either.

What are the types of email infrastructure, and how to choose the most appropriate one?

The most common types of email infrastructure are cloud-based, on-premise, and hybrid:

Cloud-based or hosted email infrastructure means that the entire email infrastructure operates on the cloud with dedicated sending and receiving servers. It makes it possible to easily manage the users, take care of the maintenance, use provided technical support, incorporate additional features, and access the data through existing email service providers;
On-premise MTA or commercially-licensed email infrastructure is a secure hardware solution that provides complete control over email infrastructure design, sending threshold, campaign tracking, security, data privacy, and so forth;
Hybrid email infrastructure combines the features of on-premises and cloud-based infrastructure. It uses on-site hardware, while also storing data and operating on the cloud.

Choosing the right infrastructure
The types of email infrastructure could be compared by various criteria, including pricing, scalability, technical capacity, accessibility, etc. We decided to compare them in terms of security as it’s one of the main concerns for developers while selecting the infrastructure. We won’t reiterate the importance of email security – we’re pretty sure you already know that by now.

Go for cloud-based if you need email infrastructure for a small, medium, or large business, such as a clothing brand or local coffee shop. Opt for an on-premise or hybrid infrastructure if you need it for a military or healthcare organization that stores top-secret confidential data.

Try Mailtrap for Free

Mailtrap Email API is widely used to send bulk emails to the recipients’ inboxes. It enables users to store logs for 60 days and set up email categories (welcome emails, confirmation instructions, and so on) to analyze their performance in depth. Categories can be filtered depending on mailbox providers and sending domains, with color-coded charts showing the performance of each.

I hope that you understand now what is email infrastructure. Guide was originally created by Mailtrap Blog.