Sending Email Safely
Email marketing can be a complex beast with several common pitfalls. This article aims to provide several security-related recommendations for sustainable email marketing.
1. Set up DMARC and monitor email usage reports
We recommend setting up DMARC ("Domain-based Message Authentication, Reporting, and Conformance") for your domain so that you can control and monitor its usage.
Malicious actors may impersonate your domain in their spam or phishing emails. Having a restrictive DMARC policy reduces their ability to do so and improves your deliverability at the same time.
If you have never used DMARC for your domain, we recommend starting with a neutral policy:
v=DMARC1; p=none; fo=1; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org
Once you ensure that all desirable emails pass DMARC (e.g. after a few weeks of monitoring DMARC reports), you can switch to a more restrictive policy:
v=DMARC1; p=quarantine; fo=1; rua=mailto:email@example.com; ruf=mailto:firstname.lastname@example.org
"rua=" specifies addresses where aggregate usage reports should be sent, while "ruf=" specifies addresses that should receive forensic reports.
This will allow you to see who uses your domain to send emails, whether authorized or unauthorized by you.
Tools like Dmarcian can make it easier to collect, process and visualize such reports for you.
Once you have DMARC set up, if you also use MailPoet's Sending Service to deliver emails, you'll want to set up DKIM for your Sender Domain as well.
2. Secure your site
Having a secure site is important, as most online sites these days experience ongoing attack attempts.
If your site is breached, the breach may not be obvious, and your site may end up being abused, leading to reduced deliverability.
2.1. General site security
While it is a lengthy guide, the official Hardening WordPress security guide offers the most complete overview of WordPress security. You may not be able to take every precaution, but try to cover as many as you can.
You can also set up security products like Jetpack Security, WordFence or Sucuri as all-in-one security solutions for your WordPress site to provide more formidable defense, including active vulnerability and malware scanning.
2.2. Secure your forms
Bots tend to attack various online forms, e.g. guessing login credentials, trying to send spam or create fraudulent accounts and subscriptions, so it is important to ensure your forms are resistant to such attacks.
MailPoet's forms are pretty secure, and you can further secure them by adding a CAPTCHA to your MailPoet subscription forms.
2.3. Update your site's software
WordPress core, most plugins and themes continuously release security updates as new vulnerabilities are discovered and fixed.
It is crucial to keep your site updated to the latest available WordPress, plugin and theme versions so that known vulnerabilities cannot be exploited to breach your site.
Of course, site security is not limited to WordPress. Consult with your host to ensure your site also uses the latest secure versions of PHP, MySQL and the web server.
3. Follow good sender practices
Having good security is paramount, but it is only one part of the story.
Follow our recommended sender best practices to keep your email marketing in line with good practice and stay out of trouble.