Ask the Expert: Marcel Vinson, Sales Director, Valimail

Ask the Expert: Marcel Vinson, Sales Director, Valimail

Countless myths abound in the world of email deliverability. That’s why there’s no one better to clear up these common misconceptions than the leading experts in the world of email. Every month, we’ll bring you a Q&A with leaders from inbox providers, spam trap networks, antispam systems, and more in our new Expert Series blog. 

In our fifth Expert Series blog, we chat with Marcel Vinson. Marcel has been working with Valimail for three years. As a leader in the DMARC space, Valimail 

Now, let’s dive in.

Ask the Expert Q&A

Q: What does your role at Valimail entail?

I’m Marcel Vinson, and I’ve been the Sales Director for Mid-market at Valimail for three years. It’s an exciting time in DMARC so I appreciate the opportunity to connect with the Twilio SendGrid audience. In the past two years, we have watched the market drive towards mass adoption – 26% → 64% of US enterprise companies have adopted DMARC. Getting to DMARC at enforcement is no longer a ‘good to have’, but a necessity for companies who are serious about brand trust and email authentication. 

Q: What are the main benefits of setting up a DMARC policy?

Overall, it’s about having peace of mind. Assurance that you’ve done all you can to protect your brand, customers, and employees from spoofing attacks in which bad actors attempt to send malicious emails by impersonating your domain(s). Setting up a DMARC policy (DMARC at enforcement) is about authenticating every sender within your domain. This means getting to p=reject, where no email can be sent from your domain(s) without your approval. Main benefits include: 

• Full visibility and control of your domain(s) 

  • Identify all the ‘unknowns’ within your ecosystem to lockdown your domain(s). Brand and Reputation Protection 

  • Eliminate risk of becoming a headline. 89% of phishing attacks could be prevented by getting to DMARC at enforcement.

• Boost Email Deliverability 

  • Don’t risk getting your emails stuck in the spam folder. 

Q: What are the common misunderstandings around DMARC?

The most common misunderstandings around DMARC is that they don’t need it because:

1. They have an SEG (Secure Email Gateway) 

   1. This is a common misconception because DMARC (email authentication) and SEG are both designed to ensure that emails that get delivered are safe for the end user. However, to achieve this goal, they use two separate techniques. An SEG filters messages based on content, while email authentication identifies and verifies the sender.

2. They are already at DMARC enforcement (when at a p=none)

   1. This misconception is critical because simply getting a DMARC record or buying into a DMARC vendor alone does not get you to enforcement. If your DMARC policy is still at p=none, you are requesting no action to take place on email that fails DMARC authentication and alignment. This is the equivalent of investing in a steel door to secure your home but always leaving the door unlocked or wide open for intruders. 

Q: What information is available within a DMARC report?

A DMARC report includes information on origination of emails from an outbound perspective as well as IP addresses and sending domain (via RUA report).

Q: Can you explain the function behind some of the primary elements of a DMARC record? (Policy,  pct, rua/ruf record)

• Policy - This refers to your actual DMARC policy. There are three different policies (None, Quarantine, and Reject)

• PCT - This is the percentage of email that will follow your policy. For example, PCT at 50% means that if you were at a quarantine policy, 50% of those failing emails would be quarantined.

• RUA - Aggregate information provided from the email providers.

Q: What is the difference between aggregate and forensic data in relation to DMARC?

• Aggregate data: The general report of available information on who is sending on behalf of your domain(s).

• Forensic data: Comprehensive report that includes a deeper analysis on who is sending on your behalf. Valimail does not collect Forensic information as this can expose PII. 

Q: How does domain alignment play a role in DMARC?

Domain authentication and alignment is the originating methodology of DMARC. Domain authentication validates what the machine sees, while domain alignment ensures what is authenticated matches what is displayed to a user. The combination of these checks and balances ensure you are protected from fraud. 

Q: Valimail has a feature that involves automating authentication records. Can you explain what this does?

We have intelligent workflows to help guide you through an efficient process to set up your records autonomously. Our intuitive interface allows you to keep tabs on all your SPF, DKIM, and DMARC actions for your entire environment. Hard to believe, but once you point your records to us, you will have full control over your domains by simply following a to-do checklist from your dashboard. Did I mention this is all without having to touch any DNS? 

Q: Why do many companies struggle to get to DMARC enforcement? 

We get it, DMARC is very complex. Companies also run into SPF limitations due to the amount of third party services that an organization uses internally. Also organizations are sometimes unaware of the actual services that they use internally.

Q: Once a company gets to DMARC enforcement, should they continue monitoring DMARC reports? Is it a ‘set it and forget it’ approach?

I would say yes and no. Even after you’ve reached DMARC enforcement, we recommend that you continue to monitor your email ecosystem to ensure that you’re in total control of your domain. Monitoring will help you know whether you’re having issues with email delivery or authentication, and consequently, better secure your emails, data, and brand. However, Valimail will notify you when there are changes to your DMARC policy or if there are issues with your existing DMARC record. With our alert capability, you don't have to monitor every day—we do what we do best, so you can focus on things that really matter for your business.

Q: How does DMARC play a role in BIMI?

As we all know by now, DMARC plays a critical role in your brand's email security and deliverability strategy. BIMI is the visual confirmation that builds on the foundation of DMARC.  As marketers, DMARC has a valuable brand reputation impact. It increases deliverability, it can improve your reputation score as an email sender. So when you come to IT and you can say, "Let's do this DMARC project, because we can use it to enable a revenue-boosting customer experience enhancing project like BIMI," the participation of marketing and IT and security all together suddenly make DMARC a much higher priority and much easier to accomplish.

Q: What are the main benefits of BIMI? 

You can see BIMI as the carrot for completing a DMARC project in which you can produce real ROI. It provides a richer inbox experience for your customers. It gives your brand visual differentiation, driving engagement, and helps amplify and underscore that cohesive brand identity, enhancing the customer experience. Studies have shown that you can get a 10% increase in email deliverability from DMARC enforcement.

So you combine DMARC's 10% deliverability improvement with BIMI's 10% open rate enforcement, and you get a multiplier effect. With BIMI, you put your brand where it matters so people can see it, so that the people who actually want to connect with you do. And this yields really, really meaningful results.

As of July 12, 2021, Google has rolled out general support in Gmail, making it easier for brands to display their authenticated logos in roughly 2 billion inboxes around the globe. Also, Apple recently joined Yahoo, Fastmail, and La Poste to extend the BIMI Standard to reach hundreds of millions more inboxes. I believe Apple’s support for BIMI is critical for the growth of the ecosystem, and will only increase the incentive for other mailbox providers also to implement BIMI in the near future. 

Q: What is the process a company must go through in order to enable BIMI? 

To get started with BIMI, you first need to make sure that DMARC, as well as SPF and DKIM, are configured for your organization's main domain, and DMARC needs to be configured to a policy of enforcement. The major benefit of BIMI is the inclusion of your brand logo in inboxes, so you need to supply it in a specific, secure ve

ctor format, in the correct size and shape. It's important to note that key participating mailbox providers also require a trademarked logo and get a Verified Mark Certificate (VMC) from a certificate authority like DigiCert or Entrust. Lastly, publish a BIMI record for your domain in DNS, and your logo will show in participating mailbox providers within minutes.

Q: There’s talk that the BIMI group is working to lower the cost of domain verification certificates. Is there any validity to this?

Although the AuthIndicators Working Group has no influence on the price of Verified Mark Certificates (VMC) as it’s controlled by certificate authorities like Digicert or Entrust, the BIMI group is currently in discussions with mail providers like Gmail on lifting the requirement of trademarked logos.

Ultimately, our goal is to encourage secure email best practices, and we will continue exploring the best path toward expanding the criteria beyond trademarks. While companies with trademarks can apply for a VMC now, we also encourage those without registered trademarks to start BIMI-ready as we are working hard to expand features and support for BIMI.

Q: Anything else you want to share with us? 

Yes, I’m excited to share that we’ve just released the newest evolution of Enforce. We listened to our best customers and elevated our solution to make it easier to not only get to DMARC enforcement, but enable continuous protection.

With these updates, you can now achieve continuous DMARC enforcement in as little as 60 days, saving you hundreds of thousands of dollars in costs typically spent on employees configuring and managing DMARC manually. 

Thanks to Marcel! And be sure to stay tuned each month, as we’ll chat with another expert in the world of email marketing to provide you with further insight into the ins and outs of email deliverability. 

Until next time, check out Twilio SendGrid’s Email Deliverability Services packages to get started, or contact our Sales team to learn more about improving your email deliverability.