A lot of fun stuff to talk about today in regard to demark reporting it can be a bit of a jungle out there and figuring out what are the best tools and how to read things and some tools it's a mess and others it makes more sense so should be good. Hey Jerry, welcome from Euston just about to get these captions set up and working
right captions should now be connected for everybody. Welcome, welcome. Hey Stacy.
All right. We are now about five minutes away from getting started officially Everybody welcome Stacy Clements forum. What am I trying to say here? I've lost all the words they're all gone.
Nathan speed speechless. I
am. I am. So Stacy is also a member of solid Academy and she is great for her. She has been gracious to share her knowledge of all that she's learned about demark reporting over the last several weeks. Really glad to have her with us. We'll be getting started in four minutes from now. Get my brain right. I've lost all my words. It's really weird. Yeah. Interesting. Like I need a report of what's happening in my head at this moment, or maybe some more coffee would be good. This has been one of those weeks. Where every morning after the time change every morning. There's just not enough coffee at all in the world. So yeah. All right. Welcome, everybody. Attendee count is ticking up as you come on into zoom open up the chat and say hello, let me hear from you in the chat. Give yourself a one to 10 rating. How well do you understand demark reporting give us a one to 10 one meaning never done it. I don't know anything about it. 10 being I could do this training myself. So let us hear from you there in the chat. One to 10 Sound off on your proficiency with demark reporting. So yeah, mostly. Yeah, three, four or less many ones. So yeah, this is about
a six, I think.
Yeah, so Stacy's done a lot of work researching the different tools and she's gonna give us her what she's learned in that whole process and maybe how we can pick up some of those things and use them ourselves. So again, if you're just joining us, the slide link is now in the chat. You can download the slide deck that has a bunch of good screenshots. Also in that link bundle is the invitation to join us next week for disaster week. That is coming Tuesday and Wednesday of next week, two hours each day, where we have some really good conversations about WordPress security, that a great panel of security experts that are going to be involved in one of those hours. So if you've not yet signed up for the free disaster week, next week, make sure you do that. It is going to be a great, some great information. So we're just now about two and a half minutes away from getting started. Welcome. If you're just joining us in zoom, checking question today, give us a one to 10 How would you rate your understanding of demark reporting from one at the lowest attend at the highest? We'd love to hear from you about that in the chat. Also just say hi, tell us where you're logging in from Hey class. Got a lot of interesting and very practical information to cover today. And very grateful that Stacy is willing to share all the stuff that she's learned with us.
Yeah, still in there. Not
many above five Stacy. It's all bye Thanks, Sadie is four and a half. So that's about the highest rating we've seen so far. So if you are a regular solid Academy attendee you probably recognize Stacey from the chats and so greet her. Yeah, she's going to have fun. Have fun. So about a minute and a half to go before we get started. Let me drop in the link bundle one more time for those of you that are just coming in, you can download the slide deck and also the link there the invitation to join us for disaster week. Next week. Check that event information out we've got some really good topics to cover next week with some world class WordPress security experts. It'd be a lot of fun. Yeah, Sherry. Hey, Barb, good to see everybody. One more final check in give us your self rating. How would you self evaluate your understanding of demark reporting right now give us a one to 10 one to 10 one being what is demark reporting 10 Being I know all about it. So mostly It has been five or less four and a half or less. Yeah. Hey, Thomas. Welcome. Doug is an overconfident eight.
Oh, that's great. Hey Thomas, you you help me with questions?
Yeah, there plenty of good questions. Good time for q&a at the end. Thomas. Just by the way, you're chatting to only hosts and panelists. If you want everybody else to see just flip that little blue dropdown around in your chat there. It defaults to that, for some reason. I'm not sure why. I wish there was something we could do on our end to change that. Just about ready to start counting down the last couple of seconds. You ready to go Stacy?
I'm ready. All right. Here we go.
Well, good afternoon. Good morning. Good evening. wherever you happen to be around the world. Welcome to another solid Academy livestream. My name is Nathan Ingram. I'm the host here at solid Academy and I'm joined by Stacey Clements. Stacy has been a member of solid Academy I iThemes Training web design.com all the iterations of what we've been over the years. Stacey, thanks for being here with us today. How are you?
I'm good. I appreciate you asking me to do this. So I was telling Nathan beforehand. I'm famous now. He said WordPress famous. That's more exciting than B is more exciting than speaking at a word camp.
Yeah, so Stacy we actually met was that 2019 18
before COVID Yeah,
at a pre COVID word camp Birmingham. Stacy came down here to the Southland to speak and did a great job talking about WordPress security. And so the evolution of this is Stacy, you do WordPress work with clients and you have an agency called milepost 42 where you do WordPress stuff with clients. And as a result of a lot of the news in the recent months about Google and Yahoo requiring demark in many cases, you start to do a deep dive into this right.
Yeah, actually, I've been doing that. Stuff before the Google Yahoo things i My My background is kind of kind of techie. So I started digging into it a little bit beforehand. But yeah, the so many tools out there now when Google and Yahoo started their you know, announcements as like, Okay. People are going to need to know about this. So I dug into it a little bit more. And then as people were starting to ask questions in groups, I'm like, Okay, I know that or oh, I don't know, know that question. And let me go dig it out. So I researched a lot. Yeah, very good.
And so the genesis of this webinar was in a members only office hours, lot of questions were coming up about demark reporting and Stacey was she had all the answers. So we were like, hey, Stacy, why don't you just come on and talk about it, and there was some major arm twisting that occurred in that live stream. But Stacey is gracious to come and share her knowledge. So Stacy, you actually have a background in the Air Force. Is that right?
Yes, yes, I was a communications what they call now cyber officer in the Air Force.
Very cool. Well, thanks for your service there and that that just kind of talks all about your that's who you are right like you dig into things. You figure things out and you find the solution.
Yeah, my, my, when I introduce myself at things like they tell that story and my boss, one of my commanders call me, the fixer, the problem solver in the pit bull. So I embrace that and I really that's what I do. I don't like stuff that doesn't work. And fix it, try to solve problems and you know, just make things better.
Yeah, very good. Well, a couple of housekeeping note Stacy will turn it over to you. There is a we are recording this event. There will be a replay. I just saw that question in the chat. All of our live streams. are recorded and available there at Academy dot solid wp.com. It'll be there in the the the past events section, and the direct link is there in the chat if you want to go back and rewatch this or share it out with someone else. You can also find there in the link bundle in the chat today. slide deck. If you're watching this on the replay, it's down below the video. You can download the slides. And one more mention of disaster week coming next week. That is Tuesday and Wednesday from 1pm to 3pm. Each day, we've got a great panel of security experts who will be talking all about the big issues in WordPress security. So join us for that free live stream next week. I'll also be wrapping that up with a conversation about how do we talk to clients about security? How can we sell security as a service and use this knowledge that we're acquiring to further our recurring income goals which is always a good thing. One last bit. We are you're obviously welcome to chat with each other. They're in the webinar chat but if you have a question, please use the zoom q&a. It's actually handy to have that open as we go here in the live stream. And as folks have questions that that appear there, you can ask your question at any time. And if you see a question that you also have, just click the thumbs up icon under the question, and we'll take those questions in the order of upvotes at the end. So with that, I'm done. Stacy, let's get into demark reporting.
All right. Well, thank you all for coming out. I will do my best to answer questions. But I want to first start off with kind of what why are we talking about this anyway, why do we need to use demark and they you know, Google and Yahoo said so right. And that's not really the only reason although I know that's a reason why a lot of people are giving it attention right now. But but really, a little bit history, the demark has actually been around for about 10 years or so. It was developed. Because well let me back up a little bit. SPF and DKM had been around about 10 years before that. And the reason these protocols came about is because email itself is is not secure. And you know, as we know, you know, you get phishing emails, you get emails that are like, I don't know where that came from. So the powers that be started developing things to try to make email a little bit more secure. And what happened is you had SPF and decam and so you could, you know, shut down emails, but the people who were sending him had no no idea whether what they were doing was having any effect. So demark came into being because people needed a way to see that their email authentication setups were working before demark and still sometimes but the email receiver like if I you know, I sent emails to Gmail, they just decided what they were going to do with that email. demark lets me tell them, hey, if this doesn't pass my authentication checks. Here's what I would like you to do with it, you know, either let it go through, quarantine it or don't send it at all. Now, caveat there, Google Yahoo. email providers still kind of decide what they're going to do. But these, the more gives you a chance to at least let them know what you would like to do. And another important thing, part of what this webinar is about is that there wasn't a reporting mechanism. And so demark actually lets you see the effectiveness of your email authentication. You can set up email or demark without reporting and you've seen there's there's actually a lot of email service providers, I think that are telling people Hey, just put in this record that's you know, demark people's non, you're good at technique. Technically, I believe with the Google and Yahoo requirements. That is true. If you just want to meet the other minimum, but really, P equals nine doesn't do anything for you. It doesn't help your email and what you're what you're doing is telling an email receiver. Even if somebody's spoofing my email, I don't care let it go through. I am not thinking that that's going to work for very long I highly suspect that Google Yahoo, I think outlook already does it are going to change that in the next you know, few months or years or so they're they're just ramping people up to get them used to having the records in there and then eventually, I would expect them to want at least the quarantine. But But really, if you know if you're gonna set up demark anyway, why why wouldn't you want to know whether it's working on also if you're if you're going to do it, right, you want to you want to ramp up go from P equals nine you've been monitored that for a while. Then move up to quarantine and emails that don't pass the authentication and ideally eventually what you want to do is go to a reject policy, but you want to do you want to do that slowly, you want to ramp that up? And demark monitoring or reporting helps you see when is a good time to start that ramping up. And even after your ACT reject reporting can help you monitor for for issues from for most of us. You know our clients probably, you know, they got their email, they maybe have an email marketing thing. It's probably not as big a deal but anybody ever had a client that changed something without telling you? Yes, me. So one of the one of the common things that I've seen is somebody decides to switch from MailChimp to Active Campaign or something. If they don't tell you and they have rejects in their demark all those emails are not going to go through. So monitoring helps you fix those problems. If you have mistakes, you know something, something changes in a record, if you rotate your DKM keys, which yes you should be doing. There's a the order they their messaging malware anti abuse group recommends you rotate DKM keys every six months. If you're doing that by hand, which you probably are if you're setting up postmark for example. And you make a mistake, you know your your emails are gonna fail and you want to know that. And so you know, the last thing you want is all your emails to be quarantined and you and you don't know about it. And that does happen. I actually saw I want to say it was in a Slack group. A couple of weeks ago somebody had I think it was an IT department had set everything to quarantine and had no reporting. And all they were going crazy trying to figure out why, you know, marketing emails weren't going through. And sometimes you might have a domain that shouldn't be sending email at all. And you actually want to set that up and monitor it as well. So like I have a domain that's my name Stacy clements.com that someday I might do something with you know, I have a client with a domain that she might rebrand to someday. Right now it's just forwarding to her main domain but we don't want emails being sent from those domains. And if we don't set up demark and monitor it, that domain reputation might be screwed up, because we're not watching it and somebody's you know, a spammer is using it. So, what do you do then? So obviously, you have to have a demark record set up and I'm not gonna go into that right now. If you're haven't done that you need some information on it. There was a an excellent webinar by Matt Pritchett a couple weeks ago and I put the link here and actually did a lead magnet on no 10 steps to authenticating your email and you can you can click there and you sign up or if you want to sign up to my email list, just email me I'll send it to you just tell me if it's useful and you know if it helps, but basically you're putting in your your demark record after you get your SPF and DKM you'll see that you want to start with p equals nine and then you have this rule a tag and that is the email where you want aggregate reports to go and if you put your email in there, you'll get reports and they'll look something like that. Which you can go through that and decipher it if you want. Personally, I don't have time for that. There. If you have a few you know maybe you're just testing it out. There's some services where you can take that XML and upload it you get a nice little chart. But if you're trying to do that with all the reports you're giving you get a different email from each reporter. So you'd have to load them all and copy them together and see what's going on. There's actually ways that you can roll your own demark reporting service I there's a Python utility out there that will analyze it. I'm going to do that someday, but I don't have time right now. So what you really want to do ideally, is set up a demark analyzing service and there's a lot of options out there. I'm gonna go through some of them, not all of them, but there's actually some really good free options. So we like free. Talk about those first. So the first one is Cloudflare and I know a lot of us use Cloudflare for other things, it's constantly amazed at how much they offer for for free on Cloudflare this is just kind of a screenshot of what it looks like. That this is you know it's a really good option for for a free option gives a gives a pretty good amount of information. It doesn't give all the pretty charts. Some of the other one does but it gives you what you need. You can give access to clients if you need to do the Cloudflare members option. The The one caveat with that and that they don't care for as you can't just give them an access to the demark report. They can see everything else so if you don't want to see in the records or other kind of rules it's not not the best and it doesn't look like they limit it was I'm unable to find anything the the number of emails that are going through some some services do the some of the things I didn't like about it. The the user interface is a little frustrating to me. The big thing it's irritating to me is when I'm looking at something, it defaults to seven days. If I want to dig into something and I end up digging back to 14 days and then I click to dig in. It defaults back to seven days and have to switch it and it's annoying.
You only get 30 days access to information and that's probably enough I would say that's the minimum you want to have because you want you want to monitor things what's going on. Monthly seems to be a good set time for most people. But it this is going to drive your you know your review schedule if you're not monitoring it, you know, if you're trying to do it once a quarter this isn't going to work for you. And of course one of the big things is the domain has to be on Cloudflare if you got clients or you know for some reason you don't want to manage the domain with Cloudflare this this one won't work for you. But it's a it's a it's a really great option if you're already using Cloudflare to manage your domains and you want to be able to monitor for yourself or your clients for free or provide them something for free. All right, next one postmark and a lot of us love postmark. I love it. I use it for transactional email. And they have a paid option I'll talk about later, but they actually have a free option. What it does is sends a weekly email looks kind of like this, showing your demark compliance status so it's what I liked about it. It's gives you the basic info it's easy to read easy to say gives you a little bit of explanation on you know a what, what might be your issue here, and it doesn't require you to have a postmark account anybody can can sign up for this. However, all you get is the weekly email. You don't have a way to get information on demand. You just get the the email digests once a week. So you only have seven days of information at a time you can you can save it lacks some of the detail info that I would like particularly reporter info you can't see if a particular provider like Gmail for example is is not receiving or not processing your emails. And it's it's only available for one person you know you put in an email that person gets the email so if you're trying to monitor this for clients, you can see it or they can but they they can't see a pretty report and you interpret it for him. I found a another option through obviously it was a Reddit group. And it's called Vala mail. I actually kinda like this one. It's it used to be a paid thing is from Microsoft, but they have a basic free version that that anybody can use you don't have to be on office 365 And it's it's pretty good. It gives you kind of a quick overall look to see if there's a issue. You can have several domains even in the even in the free plan Cloudflare like that, but not so much like postmark you get a visual look at the status. It holds 90 days of data so you can you can go back or you can monitor once a quarter instead of once a month if you want. You can add teams and members so somebody else can see the reports. And they also don't seem to have a limit on the emails. The biggest things I don't like about it. They abstract the data and I make it pretty easy to understand. And but I think they've abstracted some things out that I want when I'm when I'm investigating. So it's you know, I it may be there and I haven't been able to find it but again if you can't find the report or can't find the IP it tells me the service but sometimes I want to check the IP myself it's got pretty charged but when you're if you've got a problem and you're investigating it I don't think it's that intuitive to work through Cloudflare you kind of click through this one. Oh, I click that it didn't give me what I wanted. You know, gave me something else and you can get there but it's the the flow isn't intuitive to me. But I think it's it's a good option. If you have multiple data domains you want to look at. You want to have pretty charts, you know, for your for your clients, if you like charts and you like the abstracted data better than kind of the table you get with something like Cloudflare and one other thing. My understanding is if you do use Office 365 or Microsoft email me if your clients are set up on that, you can actually get their premium version called elemental and force for free on that domain, the domain you have that email on and it has some other features that help you automate your your demark monitoring and it fixes SPF lookup issue. If anybody's run into that. You can only have 10 lookups domain lookups on your SPF record. So that's uh that's one thing I can't verify that because I don't have anybody on Office 365 right now but that is my understanding. And demark report. This is one that's been an app sumo do several times they actually have a free version if you want to check it out. Oh, it's it's got, you know, easy charts. You can drill down into the data. You can export it to Excel if you wanted to. It's it offers little widgets that you can put you know if you're if you have somebody paying for this and you want to show him, you know, pretty a pretty thing on their own webpage. You can do that. So that's that's kind of cool. The free plan though, only offers you one domain, you can add additional domains. That could be good if you want to set up separate ones for each client, but I like something that I can sort of monitor everybody at once. In the free plan only has 30 days of information. And one kind of kicker on this. If you had a client with a lot of you know, big email list or something. They are only limited you to 10,000 compliant messages a month. And what that is is the they're processing all the emails that are going through anything that that does get validated with demark gets counted. And most of you know most of my clients are really small and they will don't hit that I've got one with an ecommerce store and you know, fair list and I think she would probably come close to that limit anyway. So that's just a few bugs with the options out there. There's a lot of the paid services that do have a free tier you just kind of need to watch for the limitations they have. Sometimes they're free tiers specifies it's personal only not for business. And those limits on the messages is something you want to keep an eye out for too alright, so there's there's free options out there and good ones. So why why might you want a paid option? For most of us if you just want basic demark reporting not a lot of frills. You use Cloudflare if you you know you have if you don't don't have things on Cloudflare you use valid mail, but if you're doing this for clients, you know people paying you or you have more complex email setups, you're dealing with or large amounts of email traffic. You might want something that's a little bit more robust. A lot of the paid plans have additional features that are kind of handy. offerings for the SPF flattening that 10 That 10 lookups issue that can be nice if you if you've got somebody set up who's more complex and they're running against that limit. Solid that will just say another issue. A lot of the paid services are starting they'll host what's called the MTA STS and its mail, Transport Authority mail transfer authority, secure transport service, it's another email security protocol and what that one does is verify that email server to server are sent with TLS. It's kind of like having the HTTPS for your website. And by the way, using a TLS connection for transmitting email is another one of those Google Yahoo requirements. One of those it's kind of buried and nobody talks about. So that is something I like a few of them also allow you to host Bimi brand indicators for message identification, I think is what that stands for. And if you haven't heard about that one, it's a it's I think it's less of a security thing and more of a marketing thing. But it's the thing if you if you're getting email from like a big brand and they got their logo in the in the email, that's that's what they mean. Does it let you send emails with your logo? So you know, theoretically the person getting it knows it's from you.
I think it works right now. It's it's not widely integrated. What you what you really have to do is you're supposed to have a certificate and they cost $1,000 or something he is supposed to be trademark law though. That's not being enforced right now. I probably will soon but most of us that's not going to be a big deal. But if you do have some some larger clients and are really branding and marketing that that may be something to look at. So let's look at some of these paid options. And first one is a demark report. This is the one that I use actually talked about the free version, but the pay version offers you more. You get the pretty reports and the widgets. You can set up teams you can set up team members and you can provide view to your to your clients. If they're interested. You can get optional digests your email so kind of like the the postmark free version, you can get an email showing you what's going on. And but then you also have the ability to have the information on demand. You can white label this which is kind of nice. And the mark report does support in VSTS. And they the paid version gives you 90 days of retention on the records. The issue without this one is the next level up from free is 100 bucks a month. So that's a that's a pretty hefty jump from free. A Congress 25 domain. So if you've got clients that are paying you it's not too bad, but they don't have any intermediate level in there. You know, it'd be nice if they had okay, I can do you know, two domains for 20 bucks a month or something the good thing though demark report. If you're interested in it keep an eye on App Sumo. They have run a number of deals and it's a good deal if you can get it they're just kind of keep an eye on what deal you're getting is the last one I saw they they limited the domains and how many emails it covered. That deal the mark reports when I'm using it honestly, I'm using it because I got a lifetime deal. But I have unlimited domains and 175,000 messages a month so I'm covered with the people that are paying me anyway. Good option if you got several paying clients or you get a good deal on it, you know? Easy demark is another one. So there's a little screenshot of what it looks like. I love their interface it is easily my favorite of all ones I've looked at. The dashboard has the all the information you need. It's easy to find it's easy to drill down. They got the pretty charts and an easy way to find the underlying data. The premium level includes they're offering a call easy SPF which helps that SPF lookup limitation includes MTA STS and it gives you alerts if there's something going on. And depending on the level you get you get 90 days or one year of history on the on the flip side is expensive. It's starts at 3599 a month to domains. And if you want you want the good stuff like the easy SPF and the MTA SDS, it's, you know, upwards of 70 bucks a month in it that includes four domains and what they call pro level the mark assistance which I think means you can email somebody if you have questions. If you want the super high tier you get a dedicated demark expert. I can almost feel like if you're if you're paying at that level you probably have an IT department that you can go to but it's a good option if you if you can afford it if you got somebody paying paying you, you know a bigger, more robust client that is paying you and needs the additional features something complex. Particularly you have that you know somebody with a lot of senders and has the SPF woke up issue can be a good choice for you. Look at the mark digests and this is Active Campaign slash poll Mark postmarks, they're paid offering you can get the you know the Email Digest but this is their their paid one. It's it's good it gives you gives you nice charts. gives you kind of a little bit more in depth explanation of what's going on with the emails they do a little a little flow chart kinda that that shows you what's going on tells you hey, SPF didn't align here. You know, here's what you need to do to fix it. They they make the sources easy to identify which I liked the categories that for you and to its best they can tell from your records what you're known sources, excuse me, your unknown sources and forwarded sources which is a big kicker. Sometimes some of the other ones you'll see a fail. And like why did why did this fail? And what it is is because somebody forwarded the email which is always going to fail your your SPF alignment and pull in this postmark version kind of gets that information says hey, we think this is a forwarded email so your gives you a starting point to look at. You can get the non domain info and you can also get still the excuse me, the the emails sent to you so you don't have to log in every time. So you have the option of both and their pricing is clear and flat and understandable. It's 10 bucks a month per domain one thing I don't like they all the information they give you and they don't give you the reporting the reporter for for it and I I don't know why or if I just haven't been able to find it but and I you don't necessarily need it but I like to know because I'd like to know if it's like all the Google people aren't getting my email. They only give you 60 days reporting. I put that as a con it's it's enough. It's just low compared to the other paid services. They doesn't seem to be a way if you want to share the reports. You can invite people but you know you can't invite them only to certain reports. It's like the whole account. So if you if you wanted to share this with clients, it might not work very well. And at this, this has nothing to do with the demark reporting or whatever, but they don't offer two factor authentication for their login. And that gripes me being kind of a security person so I had had to add that in. It. It it kind of throws me for not wanting to use them to be honest. It but it's a good option that gives you gives you good reports gives you good information. It's it's simple. To clear it just it's seems a little bit limited for what you get compared to the other paid options. On the other hand, it's you're not paying you know, 70 bucks a month for four domains. If you need four you can get you get the four it's 10 bucks a month and have one more here I don't have a screenshot I haven't actually signed up for it yet. But I do it on my free trials and I want to I want to test them before I run out on my dime. But this one I'm going to watch i i like it I'm favorably disposed toward them because the creators of this one are also the people that did learn D mark.com. And if you haven't seen that is it's an excellent tool. It's an online tool helps you kind of learn the market and I have been using it for testing kind of extensively. What happens if you if you go there, you can gives you a an email. It's kind of like if you've ever done mail test or gives you like a long string of email, you send an email to it and it will actually walk you through and show you a you know the server is asking the server you know hey, I want to send an email to you. Oh, I see that you have an SPF record here and it walks you through everything that's happening. And it's really cool. Check it out. What I have seen so like I haven't validated these myself but here's here's their sales page. One of the things that they offer that is fairly unique among any of the other ones I've seen, is they they have specific alerts that you can set not just you know your your generic, here's your notification, but one example of an alert that I would say if I had a big increase of emails that are going through because if I'm, you know, I know somebody's normally sending about so many emails and their marketing emails once a week and all of a sudden there's 5000 emails going it probably tells me they they might be under attack. And I might not look at that if I'm only monitoring it once a month, but I can send an alert with this one to tell me
they they also kind of lumped in website monitoring as well which is a sort of cool if you're already doing that. Why not get both and they'll they'll monitor network errors and Content Security Policy for you. And their pricing is pretty competitive. They do have $1 A month one that's supposed to be preferred personal only that you can check it out with but depending on what the features you want, it's like $5 $10 a month for five domains $25 a month for 25 domains. We get paired demark report gives you you know 25 domains but it cost you 100 bucks. The things they don't like is the only give you 30 days of retention until you get to the kind of expensive tier and the team access you have to pay more for as well. Okay. You got your reporting setup, really. What's the best? What works for you? It's kind of you know, pick pick one that you like the interface gives you the the amount of information you need covers the amount of emails that are being sent. If you have a large large client and there's there's a lot of good options out there and just pick one you like and go with it. But when you got to set up, well, what do you what do you do with that? Oh, I'm going to you know what, what you're really looking for. The bottom line is are the emails that are supposed to be getting through getting through in our emails that are not supposed to be getting through not getting through and you want to monitor for anything you know new sending sources or one that accidentally got overlooked or one that somebody added and suddenly the emails aren't getting through. You probably want to look at if you had a significant amount of messages that are that are failing demark and when you first set it up and you're at p nine you know that that might happen. Because the center got left out. You start to get the quarantine especially get to get to reject and you have a you know a big bunch. What you kind of want to do is set a baseline rate. It should be pretty small and you don't want to go to reject until you're like 98 99% of your emails are getting through. Once you set that baseline and all of a sudden you see you know 20% of my emails are failing demark Yeah, look at that. Did somebody add a new sender? or is somebody doing a spam attack? Is if you if you've got a lot of emails that are not passing authentication and you know it's not a new sender, then it's possible that that organization is under attack in the company might want to actually consider sending out a notification to their customers warning them that there there might be phishing going on with their domain. The problem is, even if you got set to reject sometimes, Google Yahoo outlook whoever sent those emails anyway. All right. So live demo this is we'll see. All right, I'm gonna I'm gonna try this Nathan do it do any stop in there there questions? That I should.
I would say let's press on. There's several questions stacked up but let's do the live demo and then we'll get into questions.
Okay. Get this over here. Now let's see if I can. All right. See my screen. Yep, you're good to go. Okay. All right. So what I did is I logged in at a time into some of my accounts to show you what I'm going to show you right now is is what Cloudflare looks like. So this is my domain under Cloudflare. I don't send a ton of emails. So sorry. It's what I've got. I did I did find a couple I logged in yesterday to see you know, make sure I had some information to show and I have a couple of interesting things I think to show you. Not so much Cloudflare I just did this one so you can see what it looks like. So, you see they give you kind of a table gives you gives you get information. So what I'm looking at here is here's here's the sources that are that are sending you off for me I know what these are. This is this postmark so oh is my email. I also use that for my invoices. So these are either emails I've sent to people or seven days is hasn't been my invoices. But if I pull up my last 30 You can see here's where all my invoices went out. So what I want to look at there is what what do I maybe not recognize? And I actually know what all these are, except this SendGrid one. And I'll show you I'll show you the frustration I have so see here's here's I have 30 days, but if I click on SendGrid because I want to dig into it and like Wait, what happened? It defaulted back to seven days. I gotta go back to 30 All right, and I I actually think that what is is is a website that might using anymore somewhere that I had set up and same grid and I have it set to fail. I just haven't figured it out yet. But it's not if there's somebody spoofing me they're not going through so I'm not too worried. about it. But really, that's that's what I'm looking at. Who's sending okay, I know this is postmark are they all getting through? Yes. Oh, okay. So oh here might be an issue. Okay, so most of them are getting through well, they're getting through with the marking see the 100% but let me look, I know what this is. So some of my emails from Zoho are not aligned with SPF and I know what that is. They send it through another service called Trans mail. In that doesn't the it gets into a kind of a technical explanation. The the envelope from domain doesn't match my domain, but I'm not. I'm not worried about it because it's passing the mark with the cam. I just am aware if that can becomes a problem. All right. I'm gonna show another one here. This is demark report. This is actually an issue that I have a concern about this. This is one of my clients. Found this this domain is one that just redirects to her main domain and she uses it to send like emails from Google is pretty much it. I wish she wouldn't know if she just use her main one. But, but she does, but I have this set up. I'm ready to I was ready to take it to quarantine. And then I saw this, like what on earth is happening here? And like okay, oh, sorry, Becca. I didn't say this was demark report. This is what I mainly use for my clients. So I'm looking and I'm like, What are these things? And I don't know what they are. She's got now okay, show yeah, I'm looking at I'm looking at the noncompliant emails which has been where am I never problem. This one. Yeah, I don't know who that is. That's that isn't something associated with her. Those aren't passing. demark good. They shouldn't be. This one. I'm not sure about. These are coming from Google. But I don't think they're coming from her Google. I am and this is what I need to know is she suddenly using this domain on her Google workspace which is set up for the other domain to send emails is there and I hadn't gone to quarantine yet. So these emails went through but if I went ahead and pop quarantine on here, and she was using this to communicate with your clients, for some reason, they wouldn't be getting through. So I had to contact her and say, Hey, did you start using something with Google on this and I'm actually waiting for her to tell me before before I do this, but I'm gonna have to keep an eye on this. If it works. Well. Hopefully she'll she'll answer me soon. She's I think she's actually on vacation right now. But if I find out that she's like, Nope, I you know, I haven't seen it, then I'm not worried about it. This is somebody trying to spoofer if she says Oh yeah. I was I was sending. I wanted to use that domain. Now to send my emails I need to go back and adjust. The the SPF indeed came for this particular domain. And the zoom thing is covering my other window. So when you get to real quick, go here's another one. That's another one of my clients. So it's it's pretty good. I look at it. Okay. Mostly the market plan. I got a couple that are. Let me take a look. at that. See what's going on the timeline non compliance. Okay. I move that Oh, okay. Outlook. Well, she doesn't use Outlook she uses she uses Gmail because I set that up for her so I'm looking in here and I thought so here's some emails that are sending from Outlook using her domain. I know she doesn't use Outlook, she set up on Google workspace. Could these be they might be forwarded. But if they forwarded they're not passing demark so they're not getting where they need to go. So that might be an issue. Possibly she's using an outlook. Why No, that wouldn't. That wouldn't work either. Well, let me look at this. This IP here Oops
What I'm gonna do here sorry about that. I can't and it realizes zoom. is going to cover my ever my window
what I'm doing here, which you'll see in a minute, is I'm going to a place I'm going to look up that IP
Here we go. So this is one of the things I use for researching.
i It's it's a place in which you can do is check that IP that I'm seeing now. I get that IP jeans
Okay, in this particular case, okay, this IP has been reported for abuse, um, maybe, maybe not. Sometimes you'll see, you know, we're, we think it's, it's fine even though it's in our database. I kind of look at this, it's, it's been reported several times, sometimes you'll see it's been reported, you know, 2700 times and our confidence of abuse is you know, 40% then I'm then I don't worry about it too much. This one I'm kind of gonna look at because it has been reported as a spammer. I can look a little bit about what it is so there's somebody reported I'm not certain that spam so I'm, you know, I'm not gonna report it but, but keep an eye on that one. Just to see what might happen. So, so what what I will personally do is, is look back in a week to see if I see that IP popping up again. Yeah, sometimes it's just a little bit of, you know, dig, investigate, see if there's an issue. I I know this person she she's a personal friend of mine as well. So I'll go to her and say hey, did you maybe know that some of your emails didn't get through? You know, you want to be sort of proactive with it with with clients. If you if you saw being too I'm not too worried. About if it was 100. I would, you know, I would go like I went to the one client say, hey, there might be a big issue. So sometimes it's just you know, just kind of digging through and digging it up okay. I went to I had a couple of examples on here just in case something did go wrong. So there's no screenshots on here. This is an example of am not worried about it. You know, my domain, hit send emails. I know all the centers. I don't care. I threw in one that was an example I use mailer light, which I used to use for my mailing I sent one deliberately not not SPF aligned so you could could see what it looked like. And then an example of emails that I don't recognize, I don't know what jocularity mammoth swipe is. They should not be sending from my domain. They trying but they're not getting through. So I don't care. Okay. Now, that's pretty much it, if y'all have any questions, but no more awesome, please.
Thanks, Stacy. This has been very informative. I particularly appreciate the thought process of looking at the results of these reports and then what do I do with this? That was really, really good. I really appreciate your insight. So we have a bunch of questions stacked up, which is awesome. But before I do this, let me just ask you, Stacy, are you for hire on helping people set up or deal with dT d mark things we didn't talk about this ahead of time. So I'm putting you on the spot?
Yes, I do. I I have a service that I set up. It's on my book, book book like a boss page. Because I realized that like people need this and they'll pay. Yeah, I started it for my clients who I sent out a thing and I was like, Oh, I better have something for them to pay me. So I put it out there. I've actually had a few people refer it to me as well. So So yeah, if you're if you're interested. Well, I guess you can look book that Stacy clements.com Is my page and it's on there. And let me know if you add. I'm taking. I wasn't prepared for this one. But yeah, if you're interested, let me know. I'll cut you a deal.
Yeah, good. So you see Stacy's email address right there on her slide. I'm going to drop in your book link. Okay, looking link there in the chat. But just reach out to Stacey if you want some additional help on this. And you don't want to start from scratch.
Yeah, if you got if you guys got questions, so you can find me there's my email, my LinkedIn and my Twitter. I'm on. I'm on the slack group. So yeah, just you know, you got a question. Shoot it in there. I reserve the right to take your question and put it on my blog post where I'm collecting questions for people though.
There you go. All right. Well, let's get started with with several questions here. And again, if you have a question you'd like to ask, just pop up in the zoom q&a and ask it also, real quick, folks, just review the questions that have been asked. And if you also have that question, click the thumbs up icon and that will upload it and we'll take it sooner. All right, first from Ben Bradley for non compliant emails, Stacy, what would you do? He says I can see the country of origin is not the USA for where the client is based. Well, these spoof emails stop over time. Should you care about that?
Um, if they're, if they're being stopped, I wouldn't worry too much about it, because it's going to happen. I mean, I was shocked when I when I started doing this because I thought you know, my little clients my little site and nobody goes, nobody goes to my site. I mean, like, there's two people who spoof in my email, and I, and I'm guessing it's just like everything else, but he's finding some random domain out there. And seeing if they can send it, right. Yeah. So yeah, if you're getting, you know, onesie twosies and, and they're being blocked by demark. You know, when you, you know, get to quarantine or reject. I wouldn't worry about the one z two Z's if it's a bunch, that's where I would start to look you know, maybe send out a warning to people who would be expecting to get emails from me Okay, saying those are slipping through and dig, dig into those IPS especially if they're if it's coming from a single IP, go to that abuse BB out a.org and report it you got a site and get a sign up to be able to report. There's that or spam.org And yeah, if you if you're, you know, sure somebody's trying to spoof you report it you could look up the IP the the who is on the IP and maybe report it to whoever owns it. Whether anything ever happens with that and maybe maybe not but at least you you know, we should try it. Yeah,
for sure. It really good. And this by the way, there's a ton of helpful links in the chat. So if you're watching this on the replay, this is a good live stream to open up that chat log that's down below the video. There are a lot of great links here. All the things we've talked about are there in the chat log. Next question is from Brian Stacey, how do you explain the very small business website owner? Why demark is important. Or maybe if they're not doing regular emails through a service like MailChimp Do they not need to worry? How do you talk to clients
about this? Well, it's kind of it is going to be hard with small clients I mean I do you if they're not in if they're not sending emails what what got everybody interested of course was the Google Yahoo hate for sending marketing emails, you better do this. And then you can bring in the it's a good idea. To do anyway. It's part of layered security. Really, like I said, even even your little small domain, it could be getting spooked and you don't know if you're if you're not checking it, you have no idea so when we need to you you know set up a free tool and see and do it but you don't want to probably do that for clients because you can spend a lot of a lot of time on Senate you know, if you're not getting paid. You know, do you do you want to do it the may just you know, talk to him it is like you do with other security things and disaster week I'm really looking forward to I always love it. But But yeah, it's like how why? Why should you do you know, two factor authentication Why should you do this? Why should you secure your email? Because your emails part of your reputation and do you want people to be able to send from Stacey clements.com and sending phishing emails? Yeah. And it's their choice. I mean, business owners get to accept or mitigate their risk. Hope
that Yeah, and that's great answer and I think you know, anytime you're talking to a client about anything, you whatever, you know, we as as I mean, I'm, I would definitely describe myself as a geek, probably everybody or many people on the live stream right now what is well, and we're just interested in this stuff, but for a client who doesn't share our affinity for the things like this. Why should they care? And Ben Anderson has a great word there in the chat, which is reputation. Do you hate spam? Yes, I do too. What if people were sending spam under your like it's a protection for your business. And demark is the tool that the industry has created to stop that stuff from happening. So yeah, it's hard. It's hard to unless it, it's hard to figure out how do I align what a client will care about with the importance of this thing that I'm trying to show them? If you can figure out how to connect the clients need to what this tool does, then you can have a decent conversation
bands, right? It is it basically comes down to reputation if they're, if they're marketing and branding, they care yeah.
Stacey, we're right at to Central. Can you go a few more minutes just to do some questions? Oh, yeah, I'm good. Okay, awesome. So next question is from Ben Anderson. What's a good way to build recurring revenue around this? How much should you charge and for what if he thought that through yet
I'm in the middle of faking it through actually because what I figured is you know, I have that home if people are gonna pay for this. Well, you know, part part of it I looked at my my website clients already. And my, my, my maintenance plans. I'm going to, I'm going to add it as an extra thing. I actually kind of gave it to some of my long term clients, mostly, you know, to see and Is it is it helpful, how much work is it? Because sometimes it's not a lot of work, but you get one you got to dig into. Yeah, it's some work. Not a ton. I mean, I'm thinking about, you know, 10 bucks a month or something, something like that, figuring it all even out across the months that there's not nothing to do. I, I was actually toying with the idea of, of actually offering it, sort of, I have the setup service and then I what I say is I'll monitor it for for 90 days to get get people to reject but I can send them up and they can monitor themselves or I can do it for them. I don't I don't have a good price point right now. So I'm gonna
it's really tough to that. You know, for me where I'm at on this issue is, this feels a lot like it work. To me.
It is, yeah.
So that and that's where, I don't know if like, for me, for me as an agency owner, I don't know that I want to be involved in dealing with demark reports. So I don't know it could be an opportunity. For someone who is, you know, interested in more of the IT side of things like you Stacy to come in. And here's a service that we create or if you in your web development agency, you enjoy the more it aspect. You know, that this could be something that you that you that you create and offer to your clients.
That's that's actually what I'm saying because I do I like the techy things more, probably than actual way, way design stuff. So yeah,
it clearly the ideal clients for our larger clients. We have a big mailing list. who have a vested interest in their email reputation. And, you know, most of us probably have some client that might fit that description perhaps.
So who knows?
All right, next question from Thomas. I've been monitoring my demark reports with easy demark for a month or so I've set p equals quarantine. All non compliant and threat unknown or being 100% delivered to spam. Is it safe to switch to reject now?
It should be if you're monitoring for a while and you're it's more are the are the ones getting through that that should so if you've been monitoring it for a little bit, you you've probably identified all your senders. You don't have any getting rejected because you know somebody forgot to tell you or or something's misaligned. So usually what I do and kind of the best practice from know that on the IT side is be kind of be a little cautious go into reject. But when you're ready to do that start with what I do is I start with like 10% So I'll set reject but the percent to 10 and monitor that for a little bit and then and then kind of slowly ramp it up. Because once you hit reject I mean they won't go at all it ideally if if the center so it won't even be looking at your spam folder for it. So the best practices kind of ramp it up with it with a small percent monitor for a little bit and go but if truthfully, if it's if it's somebody small with not a lot, you've identified all the cinders you're you're probably good. Yeah. Good.
Next question from Devon, when you're adding your domain to the reporting services do you use the sending domain like the example that Devin gave is m g.website.com. It's like a male a male gun, or do you just add the root domain?
Yes, yes. So that's where it gets a little hairy you you actually want to add you want to add your your domain because you don't want people sending from the you know my case, you know, milepost 40 two.com I don't want people sending from there, but I used to have Mailgun. So I had mg marbles 40 two.com. You want to you want the root domain, but you need to have your record set up properly to cover that subdomain if that makes sense. It's it that's where it gets a little complicated and that's a good practice actually, to if there's a big sender to have a subdomain doing it, but but you're actually monitoring your root domain.
Make soaps. So are you saying add both or just the route
you should just you should just be able to add the route where you want to deal with the subdomain is in your records and your SPF are
in the SPF record. That makes a lot of sense. Sherry would like to know can you for the reports that get emailed to you can you add those into Cloudflare to be viewed?
I'm not sure that I'm following that. So
if you're getting emails with that really nasty XML, that just the raw XML file that okay, add those into Cloudflare for viewing, um,
I don't think you I am not sure if Cloudflare does that. But there's other ones that do like, like easy the market. So the one I use, they have a tool. I mean, it's free. Yeah, you just go and they'll have like a It's upload demark there's a tool on there where you could upload the XML report and put it in a chart, right? I'm not certain if Cloudflare does that but MX toolbox does. It's ugly, but it gives you the information demark report does I don't know if you have an AMA account. But yeah, there's several places just just look for, you know, one of the demark tools and they'll it'll have something on there that you can upload an XML report it'll do the one thing with easy D mark. It gives you a beautiful report but you can only upload at once. If you try it again. It says, Oh, this reports already been uploaded, which is frustrating. Oh, there's a
great tool that Nick just dropped in the chat de Marchionne XML to human converter.
Yes, the market has been around for a while. That's a good one. It's great.
Thank you. For that Nick. Great resource. All right. Ben Anderson would like to know what can happen in bad cases if you set up demark with quarantine reject. They have to get DNS access to my domain to do anything really bad. Is that correct?
Not quite sure how to answer that. I. I think what you're asking is, is if I have if I have on my demark stuff set up and somebody's trying to spoof me, then they would have to get get access to my domain to Yeah,
I think that's it. So let me let me rearrange the question. If, if I have, like I've got everything dialed in, and I've moved my demark to reject because I'm pretty pretty confident that everything is set. If people try to spam me in anything bad happen. domain to send spam. Yeah,
because yeah, there's security.
Not honestly, I'm not quite sure. No, no, I mean, that's what the mark is. There are SPF and DKIM really are for is to keep you from from doing that. I think probably so the risk would be are people spamming when in those large numbers. And then, you know, some of them are getting through just because Google decides to let them through that day. Yeah, that would be the big thing that yeah, if somebody gets access to your DNS, that's a whole that's a whole different story in that and yeah, that's that's not good. Yeah. And so if
you set your demark up record and you've moved them over to quarantine or reject, you've done what you're supposed to do. Yes. And theoretically, that should stop the delivery of spam being sent under your domain name.
Yes.
That's the intent. That's yeah. And then at that point, it's up to the individual mail, incoming mail servers to follow the demark policy that's been set up, right,
right. Yeah, yeah. Hey, there's, for our purposes, I mean, if you you know, there's an IT department and there's email, you know, Guru people out there. There's, there's more to it. For what they're doing, but, but yeah, for for our purposes, that's, you know, that's what we can do.
Yeah. Awesome. And one final question. You touched on this earlier, Stacey, but I think this is a really good takeaway to end up with from Ben when you see something bad. And you see an IP address or whatever, you've identified that as these people are definitely spamming me. Then go back through one more time quickly. What do you do you go to the abuse, that there was a spam.org? I think that hit
spam.org is one and then abuse DB IP I can ever remember. Abuse IP db.com is one that I use.
Yeah, so both of those URLs had been in the chat. And that's that yeah, those are your resources.
Yeah, you that and you know, you can try who is on the IP and see if you can figure out who wants that and report, report it to them. Just kind of your normal I think a lot of times those go in the black hole or you don't get feedback on whether anybody did anything with it. But yeah, report report spam you know, you can report spam emails when you when you get them and right. You know, that's one of the best ways to reduce it. I don't know that we'll ever stop it completely. They'll find ways around it. Somebody will find a way around the market, SPF and Deacon and then we'll have to have some other
things. There'll be another acronym that comes into play. Right. All right. All right, folks. Well, that's gonna that brings our questions to an end and Stacey, this has been really, really informative. Thanks so much for your time here. Any final thought as we're wrapping up?
Um, thank you for for letting me come on. And I sit and try to help people with this because it's we're talking about web agency people you know, yeah. Like you said, this is this is it work and you know, this has been it work a lot of these things have been very best practices for for years. But now it's just kind of dripping over into, you know, the the other stuff and the habit. How do you do this? How do you talk to your clients about it? How, you know, what do we need to do? You know, web, web focused people to help our clients with this and, and if we don't know what we're looking at, we can't really help them. You know, to some of them, need a lot of it now, you know, set it up and go technically Well, one of the things this isn't really a set and forget, it's gonna be for your smaller clients, but people who are really concerned with their reputation stuff that they do need that this needs to be monitored needs to be checked. You know, not not every week necessarily in every month, but but kind of regulated just to make sure that everything's going through, and it's just, it's one more tool to help make the world a better place, I guess. Absolutely.
Well, thanks again, Stacey. And thank you all for being with us as well. Great questions throughout that's gonna wrap it up for us today. We'll have the replay up and about an hour from now if you want to go back and rewatch or share this with somebody who wasn't able to attend a lot of good information here. So please share this along. I'm back tomorrow for office hours for solid Academy members. That's of course at one o'clock Central here on solid Academy, where we go further together.