How to Whitelist Email Addresses


Whether you’re an email marketer who wants your campaigns to reliably land in your subscribers’ inboxes or an email recipient who wants to ensure your favorite emails don’t get junked, you need to understand how to whitelist email addresses.

These days, with email clients like Gmail creating tabs to sort your inbox automatically, whitelisting your favorite email addresses becomes more important than ever for anyone using email — which is pretty much everyone.

Have you ever waited on an email, gotten frustrated when you couldn’t find it, only to realize that it wound up sorted into the wrong tab? While email clients rework their algorithms frequently and use artificial intelligence to constantly improve the function of their tabs, they don’t work perfectly. That’s where whitelisting comes in.

For marketers, getting subscribers to whitelist the email address you use for email marketing can mean the difference between your hard work languishing away in an unseen corner of their inbox or yielding results.

Whichever camp you fall into—whether email marketer or email recipient—knowing how to whitelist your favorite email addresses is a handy inbox hack that will make your inbox more efficient.

And who doesn’t need that?

What is an email whitelist?

To whitelist an email address just means you add it to your approved senders list. This tells your email client that you know this sender and trust them, which will keep emails from this contact at the top of your inbox and out of the junk folder.

Understanding email whitelisting best practices can be useful to both email marketers and email subscribers since it will boost the efficiency of anyone’s inbox.

On the other hand, email blacklisting is really only relevant to email marketers. Your server or domain can get blacklisted when your deliverability and sender score drops so much that internet service providers think you’re spam. If you wind up on an email blacklist, your email will get flagged by spam filters and your message won’t get through to your subscribers at all.

Why should you and your subscribers whitelist email senders?

Don’t be afraid to ask your subscribers to whitelist your email address. Plenty of people don’t even realize they have this ability and making a friendly request—and even including a link to these instructions—can position your brand as helpful.

Here are a few reasons you should add a straightforward suggestion for your subscribers to whitelist your email address to your welcome email:

  • Whitelisting leads to improved deliverability.
  • Your subscribers won’t miss an email. After all, they subscribed to your email marketing because they know you deliver value straight to their inbox and they don’t want to miss out.
  • Your emails will land in the inbox every time. More eyes on your email mean better results for your email marketing campaigns.

Check out this example from Scott’s Cheap Flights. This welcome email not only asks subscribers to whitelist Scott’s email address—you’ll see they don’t actually use the term whitelist, but use more universal language—but this email also clearly defines which email address will be added to the subscriber’s contacts list and even includes a link to instructions on how to do it.

Scott's Cheap Flights welcome email whitelist example

Whitelisting is a simple way to make sure you’re doing the most to get your emails in front of your dedicated subscribers. After all the work you put into crafting effective email campaigns, why wouldn’t you take this last step to improve your email marketing metrics?

How do you whitelist?

Whitelisting is a quick, one-time-only task to ensure the sender of an email gets added to the recipient’s address book or safe senders list.

Usually, all you need to do is open an email message and verify the sender can be trusted:

AOL whitelist email example

Here are simple instructions on how to ensure that future emails get delivered straight to the inbox, in some of the most popular email clients:

Apple Mail Whitelisting (OS X and iOS devices)

Both Apple Mail on OSX and Mail on iOS devices have a similar process for adding senders to Contacts. By selecting the From, or Reply-to on an email message, you can choose to “Add to Contacts” or “Add to VIPs.”

Apple Mail 6


apple mail whitelist example

The advantage of “Add to VIPs” is that future emails from this sender will be added to a special VIP mailbox in iOS Mail.

Outlook 20XX Whitelisting

When opening an email from a sender, an alert at the header of the message, “Click here to download pictures…” should display. Click this and select, “Add Sender to Safe Senders list:”

Outlook whitelist / safe sender example Whitelisting

After opening an email message, an alert message should display with, “Parts of this message have been blocked for your safety.” Beneath this, click the link with, “I trust Always show content:”

Yahoo email whitelist example

Yahoo! Mail Whitelisting

When opening an email message, a “+” symbol should display next to From: and the sender’s name. Select this and an “Add to contacts” pop-up should appear. Select “Save:”

Yahoo! Mail

Gmail Whitelisting (Webmail and mobile)

Getting all future emails from a sender to appear in the “Primary” tab (instead of “Promotions”, or elsewhere) is a quick, two-step process.

First of all, drag-and-drop the email message from beneath the tab it’s currently filed under, to the “Primary” tab:

Gmail whitelist example

Once done, a message alert will appear with, “This conversation has been moved to Primary. Do this for all future messages from” Select “Yes:”

Gmail safe sender email example

Gmail on mobile devices doesn’t provide a way to prioritize messages. However, touching “Show images” then “Always show images from Sender” will ensure that images always display in the inbox:

Gmail for iOS primary email example

Android Whitelisting (Default client)

On Android devices, open the email message and touch the picture of the sender that displays before the message. Tap “Add to Contacts.”

Windows Live Desktop Whitelisting

After opening an email message in Windows Live Desktop, an alert in the preview pane with, “Some images in this message are not shown.” will display. Select the link, “Add to Safe Senders list.”

Windows Live whitelist example

AOL Mail Whitelisting

In the preview pane for an opened email message in AOL Mail, select the sender’s From name under the email’s subject line and select “Add Contact” from the drop-down menu:

AOL Mail whitelist example

Knowing how to whitelist your favorite email addresses is a handy inbox hack that will make email more efficient.

Link to these instructions

Many email senders link to whitelist instructions from their email campaigns—and specifically their welcome emails—just like Scott’s Cheap Flights. This ensures your campaigns get delivered straight to the inbox for as many recipients as possible.

A common approach is to add a short message to your email content, like, “To keep receiving emails from us, please add us to your address book.” It’s direct but not pushy. Remember, your subscribers want to hear from you—they did have to double opt-in to receive your emails, after all—so they’ll appreciate the suggestion.

Wrap up

Hopefully, we’ve addressed any hesitation you might have when it comes to whitelisting your favorite contacts or asking your subscribers to do the same. Truthfully, there’s no real reason not to whitelist.

Even if your deliverability rates remain stellar, spam filters can still grab your email before it reaches your subscriber’s inbox. Sometimes, things just happen. And when the only constant regarding algorithms is how frequently they change, you never know when you’ll suddenly see a shift in your deliverability and wind up missing out on opportunities to connect with your dedicated fans.

Sending your email marketing from a verified sender means you get to transcend all those worries. Regardless of any unexpected updates from Gmail or Apple mail—or any other clients that might emerge in the future—you can rest easy knowing your email marketing will always land in the right place.

When the only constant regarding algorithms is how frequently they change, whitelisting ensures you never miss a connection.


How to Add Read More for WordPress

It’s important to remember that the Read More element available on most WordPress editors only works for POSTS and not for Content or Pages.

To add the Read more button to your WordPress content do the following.

Download the READMORE plugin.

Install and create a new Readmore

This is a copy of the code to be added to the content.

Read more

Add this line first   

Read more

Make your life simple. Remember this works for content. Do NOT use it for posts. Use the built-in More tag.

How Pay Per lead is beating Google Ads

Right under our noses, the Internet’s most-used website has been getting worse

Let’s Google together. Open a Web browser and search for T-shirts. I’ll wait.

Is the first thing you see a search result? I’m not talking about the stuff labeled Ads or Maps. On my screen, the actual result is not in the first, second, third, fourth, fifth, sixth, seventh, or even eighth row of stuff. It’s buried on row nine.

Googling didn’t use to require so much … scrolling. On some searches, it’s like Where’s Waldo but for information.

Without us even realizing it, the Internet’s most-used website has been getting worse. On too many queries, Google is more interested in making search lucrative than a better product for us.

There’s one reason it gets away with this, according to a recent congressional investigation: Google is so darn big. An impending antitrust lawsuit from the U.S. Justice Department is expected to make a similar point.


How does Google’s alleged monopoly hurt you? Today, 88 percent of all searches happen on Google, in part because contracts make it the default on computers and phones. But whether Google is actually fetching you good information can be hard to see. First, Googling is easy and free, which blinds everyone a bit. Second, we don’t have a great alternative for broad Web searches — Microsoft’s rival Bing doesn’t have enough data to compete well. (This is the problem of monopolies in the information age.)


Over the last two decades, Google has made changes in drips rather than big makeovers. To see how search results have changed, what you’d need is a time machine. Good news: We have one of those!

The Internet Archive’s Wayback Machine stored some Google search results over the years. When we look back, a picture emerges of how Google increasingly fails us. There’s more space dedicated to ads that look like search results. More results start with answer “snippets” — sometimes incorrect — ripped from other sites. And increasingly, results point you back to Google’s own properties such as Maps and YouTube, where it can show more ads and gather more of your data.


There are lots of times Google is still darn useful. I believe the company when it says it makes over 3,000 improvements every year, such as searching with your camera or just humming to find a song. But it’s also true that Google can bury better results when doing so helps it make money or prioritize another Google service. It can act like a bad personal shopper who organizes your wardrobe by whatever T-shirts earn the highest commission.

Google disputes my review. “Comparing the experience you get with Google today to the quality of Google in 1999 is like comparing high-speed WiFi to dial-up Internet,” emailed spokeswoman Lara Levin. She said it’s incorrect to define results as unpaid “blue links” to other websites. “What has changed is how we organize the information, in a way that’s more modern and that hundreds of thousands of tests each year tell us that people find useful.”

Members of Congress, regulators, and legal experts will battle in the weeks ahead over the nuances of antitrust law. Fortunately, to see for yourself how Google puts profits over people, all you have to do is join me on three eye-opening searches.

Versus 2000, Google searches for “T-shirts” in 2020 require scrolling six times as far down the page to find an unpaid result that links to another site. Archival results from the Wayback Machine. (Geoffrey A. Fowler/The Washington Post)
Search 1: “T-shirts”
Google is, quite literally, a bad personal shopper. Here, side by side, are Google results for T-shirts from the Wayback Machine in 2000 and 2013 alongside what I see in 2020. (These are desktop Web results; yours may differ depending on your location, the time of day, and if you’re using a smartphone.)


We all know Google has ads. But back when Google first won us over, it had fewer ads, and they were generally marked with a colorful background. Today, my T-shirts result is buried under four ads, as well as nine shopping ad results over on the right side. There’s also a giant map with links — we’ll talk about the proliferation of this kind of stuff in a moment.

Relative to 2000, today you have to scroll six times as far down the page to get to the first real, unpaid link to an outside website.

T-shirts aren’t the only search that requires excessive scrolling. Cognitive psychologist Pete Meyers, who analyzes Google results for marketing company Moz, studied 10,000 different searches to see how far down the page blue-link search results land. In 2013, the average real search result link began at 375 pixels down the page. In 2020, it had dropped down to 616 pixels because of ads and all the other info Google puts on top of its “organic” links to other sites.

The reality is, whatever’s on top is most likely to be the business that thrives — and that business will have to pass along to us, its customers, the cost of the Google ads that put it on top.

It’s true that back in 2000, Google’s actual search results for T-shirts weren’t as good — CDNow and even Apple (the computer company) were among the sites that made it to the top five. But remember: shopping-related searches were less common in 2000. And that doesn’t excuse Google making it so hard to get to its actual results today.

With a time machine, we can also see how Google keeps making ads harder to spot. Ginny Marvin, the editor of the trade publication Search Engine Land, has been keeping tabs for years over what she calls the “blurring of ads and organic listings.” According to her archive, first ads had color backgrounds and labels, then they shifted to white with color labels. Google did remove text-based ads on the right side of results in 2016. But today, Google places up to four ads on top of desktop Web searches, using a small black “Ad” label that disappears in the context of a busy page.

Over the last 20 years, Google has significantly changed how it labels the ads on top of search results. These archival shots are from Search Engine Land and The Wayback Machine.
“Squint or you’ll click it,” is how Silicon Valley publication TechCrunch described Google’s latest labeling shift, earlier this year, which removed a green box around the word Ad and shifted it up.

Levin said Google changed the design “to avoid clutter” and that in its own studies, people were better able to distinguish ads and results with the new design.

Believe it or not, Google also thinks we don’t mind the ads — and that they’re actually useful. Said Levin: “We have an incentive to only show ads when it’s valuable to people.” She didn’t answer when I asked what percent of queries now have ads, and what percent of the search results they take up.

Good luck if you just wanted to search for the most popular T-shirts. Google is working harder to make sure it gets paid for whatever T-shirt you might eventually buy.

Until it was changed in September, this is how Google answered queries about “question one Nevada,” a voter proposition on the 2020 ballot. (Elliot Anderson)
Search 2: “question one Nevada”
This search result, you won’t actually find now, because it was so egregious Google fixed it in September.

Question One is an initiative on the November ballot that would change how Nevada manages higher education. A few weeks ago Elliot Anderson, a former state lawmaker who helped get Question One on the ballot, noticed that Googling “question one Nevada” generated a box at the top of the results that began: “Vote ‘no’ on Question 1.”


How on earth did Google’s results end up telling people how to vote?

Google has been shifting away from what co-founder Larry Page said was its mission back when it went public in 2004: “to get you out of Google and to the right place as fast as possible.” Now, instead of providing ten blue links to sources of information, Google wants to give what it calls direct answers, which it says are more convenient.

This information often comes in the form of “featured snippets,” which are chosen by its software and borrowed from sources it thinks are authoritative.

Sometimes when you search, you do just want an answer — especially when you’re using a smart speaker. But who died and made Google the ultimate arbiter of knowledge? Google doesn’t always snip correctly, like with Question One. “The information was accurate and came from an official website, but the snipped portion of the page only represented one side of a civic topic, so we took action under our relevant policy to remove that snippet,” said Levin.


(Anderson, for one, said he flagged the error repeatedly using the “feedback” link on the page and heard nothing. Google fixed it after it was flagged to a Google employee on Twitter.)


It’s not hard to find other examples where Google snips strangely or borrows from not-so-authoritative sources. Search for “How do I check my Krispy Kreme Gift Card balance,” and you get information from a site selling gift cards, rather than Krispy Kreme’s own site, which has the real answer and a useful link.

Other direct answers that just point you back to Google are also pushing the normal blue-link results down the page. These days, search results can also start with YouTube videos, other suggested searches — or, in cases like our earlier T-shirts search, a big Google Map.

A recent study by investigative nonprofit The Markup found that of 15,000 recent popular queries, Google devoted 41 percent of the first page of mobile search results to Google itself, including its own sites and direct answers. (Levin told The Markup that its study was built on a “nonrepresentative sample of searches.”)

There are times I find a Google Map or YouTube video at the top of a search to be helpful. The problem is, Google also has a financial motivation to keep us from clicking away to other sources. As The Markup pointed out, Google makes five times as much revenue from ads on its own properties as it does on ads it places elsewhere.

The Google search result for pediatricians starts with its own map and three Google reviews for doctors’ offices that aren’t necessarily the most highly rated (or even most-reviewed) according to other reviews sites. (Geoffrey A. Fowler/The Washington Post)
Search 3: “pediatricians Arlington VA”
Google’s conflict of interest can lead us to make bad choices. When you search for pediatricians, Google tops the results with a big Google Map.


On my map, Google calls out three doctors’ offices. Are these the best, or most popular ones in the area? Look closer: Two of them get a sub-4-star rating and have fewer than 20 reviews.

If I scroll down the Google results page and click on reviews site Zocdoc, I find listings for a lot more pediatricians, some of whom have more than 200 reviews — and much higher ratings. Online reviews on any site can sometimes be fake, but why is Google always putting its own first?

Searching for a doctor is a higher-stakes version of a problem that afflicts Google searches for flights, translations, restaurants, and other local information. Even our T-shirts search popped up a Google Map with listings for local stores (where I couldn’t actually buy T-shirts online) ahead of links to other websites.

The technical term for this is search “preferencing.” How well would Google’s mediocre doctor reviews do in search results where Google doesn’t have its thumb on the scale?

Google says people make more than 20 million contributions per day to its Maps reviews. I left one last year after my dentist’s office begged me to do so, in the hopes it would finally show up in Google search.


Levin said Google results are “designed to return the most relevant and helpful results for a given query across many dimensions. Assuming that a site with more reviews or listings is automatically better is a flawed premise.”

Congress said Google’s practice is dangerous, writing on page 188 of its report that it has “the effect of privileging Google’s own inferior services while demoting competitors’ offerings.”

Google’s ability to push its own products has quietly reshaped swaths of the economy. As my colleague Rachel Lerman recently wrote, since launching Google Flights and Google Hotels nearly a decade ago, Google has come to command the online travel market. Never mind that Google’s travel search, like its listings for pediatricians, isn’t considered tops: It didn’t even make Frommers’ 2020 list of the best airfare search sites.

That’s how monopolies extract their price. Google is playing fast and loose with the whole idea of a search engine, making sure the simplest and easiest-to-access results are either paid ads or information that keeps you on Google. Either way, Google wins — and, more often than we realize, we lose.


How the Coronavirus (COVID-19) Pandemic Is Affecting Small Businesses & Marketers

The World Health Organization has declared the coronavirus, or COVID-19, a pandemic. It’s an uncertain time with lots of unknowns, and while we don’t have all the answers, we want to share what we do know and offer some guidance for our customers and other small businesses that may be experiencing shifts in their business.

This pandemic is affecting the health of the public, and it’s also impacting the economy. According to Google, “since the first week of February, search interest in coronavirus increased by +260% globally.” While spikes in search trends are common during events of this scale, there have also been surges in traffic for related products and topics as a direct response to the pandemic.

COVID-19 search trends



How are Google and Facebook responding to COVID-19?

In addition to making it easier for people to learn more about symptoms, vaccine information, and travel advisories, Google is removing any content on YouTube that claims to prevent the coronavirus in place of seeking medical treatment and is also blocking all ads capitalizing on the coronavirus. Similarly, Facebook is blocking anyone running ads to exploit the situation.

COVID-19 Facebook response example

Will this affect you? The short answer is no—as long as you are not using messaging in your ad copy that makes any claims to cure, prevent, or treat COVID-19, this change will have minimal effect on your paid accounts.

Although these platform policies will not likely impact your account, the pandemic and the resulting market changes will. Here are a few recommended strategies to prepare and adjust your accounts accordingly.


Review your accounts

It’s important to stay on top of how changing markets and trends might affect your paid search and paid social accounts, from changing click and impression volumes to changing costs.

“Paid search reflects the market; it isn’t the market itself. So if people’s search trends have gone somewhere else in the moment and that Invisalign treatment or bouquet of flowers isn’t, rightfully, on their mind anymore—that’s a reality. Check for drops in traffic—clicks and impressions—in Google Analytics and Google Ads. Those will usually signal that something is happening and will manifest into a drop in conversions.”

Our post on Google Ads Benchmarks During COVID-19 may help you to get a more accurate picture of where you stand in terms of your metrics. You may also want to give our special COVID-19 episode of the Goal Talk Podcast a listen to better understand search trend changes.

“One of my clients, a streaming service, started getting a number of queries on ‘Wuhan live streaming.’ These searches aren’t good for the pandemic, and they’re not good for the account, so we added additional negatives.”

You may also need to step up your vigilance in terms of monitoring comments. “For Facebook and Instagram, it is extremely important to monitor comments within your posts. There is a lot of misinformation being spread and certain fear-based comments can detract potential customers.”

Communicate changes

Communicating effectively and efficiently is going to be key to maintaining your customer relationships. “In all cases, advertisers should look to build trust with current and potential customers through proactive communication via email and/or information directly on their site. In cases where events or store locations need to postpone operations, businesses should consider their long-term relationship with customers and know that a refund or reschedule could be a relief point for those who may experience stress or hardship during these times.”

Communicate these changes online as soon as possible. “If your business is affected, Google recommends updating your business hours and description in your Google My Business profile. Aside from letting people know when they can stop by your business, you can also update your description to give more information regarding any additional precautions you are taking or if there are changes in services. These changes will update your business information on Google Search and Maps.”

COVID-19 hours updated

The Isabella Stewart Gardner Museum’s GMB reflects its closure for the week.

In addition to updating your profile, Holly suggests updating your ad copy and extensions to reflect any changes (see our Guide to Copywriting During COVID-19). This is especially important if you have any callout extensions stating your business hours.

Adjust your strategy

There has been a lot that has happened as a direct or indirect result of COVID-19. As people are being encouraged to wash their hands to prevent the spread of germs, there has been a shortage of hand sanitizer, bleach and cleaning wipes, and other similar products. A lot of work culture will be temporarily changed as companies start to deploy mandatory work from home policies, and travel and tourism will be affected as our government temporarily bans travel to certain places where cases of the virus are high.

A lot of these changes can be stressful, but the best thing that we can do as marketers is to look forward and to calm the nerves of consumers as best we can by having clear, concise, and accurate messaging.

Keeping your ads up to date with your stock is crucial. “If your business does sell some of the ‘hot ticket’ items that have been flying off the shelves, make sure you are not still advertising products that may be out of stock. In order to prevent this, you can temporarily exclude these products from your shopping campaigns, that way you are not at risk of showing an ad for a product that you no longer have.”

For brick-and-mortar businesses, adjusting your strategy might mean limited budgets or pausing certain campaigns. “Some clients are worried about the decline in leads or foot traffic that they are experiencing. My recommendation at this point has been to either lower budgets for or even pause non-essential campaigns at the moment for certain industries, and then to focus ad spend on branded terms due to the higher quality traffic they naturally receive. For those SMBs that have tight annual budgets, the reallocation of ad spend toward more effective marketing periods could be essential to their success.”

Keep checking in

COVID-19 has unfortunately affected the health and wellbeing of communities worldwide, and keeping communities safe should be our first priority. Many, if not most, businesses are already feeling the effects of the virus, and staying up to date with information (such as with the CARES act) is key.


How does DNSSEC work?

The domain name system (DNS) is the phone book of the Internet: it tells computers where to send and retrieve information. Unfortunately, it also accepts any address given to it, no questions asked.

Email servers use DNS to route their messages, which means they’re vulnerable to security issues in the DNS infrastructure. In September 2014 researchers at CMU found email supposed to be sent through Yahoo!, Hotmail, and Gmail servers routing instead through rogue mail servers. Attackers were exploiting a decades-old vulnerability in the Domain Name System (DNS)—it doesn’t check for credentials before accepting an answer.

The solution is a protocol called DNSSEC; it adds a layer of trust on top of DNS by providing authentication. When a DNS resolver is looking for, the .com name servers help the resolver verify the records returned for Cloudflare, and Cloudflare helps verify the records returned for the blog. The root DNS name servers help verify .com, and information published by the root is vetted by a thorough security procedure, including the Root Signing Ceremony.

A Gentle Introduction to DNSSEC

DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, CNAME, etc. By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

To facilitate signature validation, DNSSEC adds a few new DNS record types:

  • RRSIG – Contains a cryptographic signature
  • DNSKEY – Contains a public signing key
  • DS – Contains the hash of a DNSKEY record
  • NSEC and NSEC3 – For explicit denial-of-existence of a DNS record
  • CDNSKEY and CDS – For a child zone requesting updates to DS record(s) in the parent zone.

The interaction between RRSIG, DNSKEY, and DS records, as well as how they add a layer of trust on top of DNS, is what we’ll be talking about in this article.


The first step towards securing a zone with DNSSEC is to group all the records with the same type into a resource record set (RRset). For example, if you have three AAAA records in your zone on the same label (i.e., they would all be bundled into a single AAAA RRset.

Diagram: RRsets

It’s actually this full RRset that gets digitally signed, as opposed to individual DNS records. Of course, this also means that you must request and validate all of the AAAA records from a zone with the same label instead of validating only one of them.

Zone-Signing Keys

Each zone in DNSSEC has a zone-signing key pair (ZSK): the private portion of the key digitally signs each RRset in the zone, while the public portion verifies the signature. To enable DNSSEC, a zone operator creates digital signatures for each RRset using the private ZSK and stores them in their name server as RRSIG records. This is like saying, “These are my DNS records, they come from my server, and they should look like this.”

However, these RRSIG records are useless unless DNS resolvers have a way of verifying the signatures. The zone operator also needs to make their public ZSK available by adding it to their name server in a DNSKEY record.

When a DNSSEC resolver requests a particular record type (e.g., AAAA), the name server also returns the corresponding RRSIG. The resolver can then pull the DNSKEY record containing the public ZSK from the name server. Together, the RRset, RRSIG, and public ZSK can validate the response.

If we trust the zone-signing key in the DNSKEY record, we can trust all the records in the zone. But what if the zone-signing key was compromised? We need a way to validate the public ZSK.

Key-Signing Keys

In addition to a zone-signing key, DNSSEC name servers also have a key-signing key (KSK). The KSK validates the DNSKEY record in exactly the same way as our ZSK secured the rest of our RRsets in the previous section: It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY.

Just like the public ZSK, the name server publishes the public KSK in another DNSKEY record, which gives us the DNSKEY RRset shown above. Both the public KSK and public ZSK are signed by the private KSK. Resolvers can then use the public KSK to validate the public ZSK.

Validation for resolvers now looks like this:

  • Request the desired RRset, which also returns the corresponding RRSIG record.
  • Request the DNSKEY records containing the public ZSK and public KSK, which also returns the RRSIG for the DNSKEY RRset.
  • Verify the RRSIG of the requested RRset with the public ZSK.
  • Verify the RRSIG of the DNSKEY RRset with the public KSK.

Of course, the DNSKEY RRset and corresponding RRSIG records can be cached, so the DNS name servers aren’t constantly being bombarded with unnecessary requests.

Why do we use separate zone-signing keys and key-signing keys? As we’ll discuss in the next section, it’s difficult to swap out an old or compromised KSK. Changing the ZSK, on the other hand, is much easier. This allows us to use a smaller ZSK without compromising the security of the server, minimizing the amount of data that the server has to send with each response.

We’ve now established trust within our zone, but DNS is a hierarchical system, and zones rarely operate independently. Complicating things further, the key-signing key is signed by itself, which doesn’t provide any additional trust. We need a way to connect the trust in our zone with its parent zone.

Delegation Signer Records

DNSSEC introduces a delegation signer (DS) record to allow the transfer of trust from a parent zone to a child zone. A zone operator hashes the DNSKEY record containing the public KSK and gives it to the parent zone to publish as a DS record.

Every time a resolver is referred to a child zone, the parent zone also provides a DS record. This DS record is how resolvers know that the child zone is DNSSEC-enabled. To check the validity of the child zone’s public KSK, the resolver hashes it and compares it to the DS record from the parent. If they match, the resolver can assume that the public KSK hasn’t been tampered with, which means it can trust all of the records in the child zone. This is how a chain of trust is established in DNSSEC.

Note that any change in the KSK also requires a change in the parent zone’s DS record. Changing the DS record is a multi-step process that can end up breaking the zone if it’s performed incorrectly. First, the parent needs to add the new DS record, then they need to wait until the TTL for the original DS record expires before removing it. This is why it’s much easier to swap out zone-signing keys than key-signing keys.
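
The hash-and-compare step a resolver performs on a child zone’s KSK, as an added example that is not part of the original article. It follows the DNSKEY wire layout and key tag algorithm of RFC 4034 with a SHA-256 digest; the zone name example.com., the 64-byte key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

ZONE_KEY_FLAG = 0x0100   # DNSKEY flags bit 7: key is allowed to sign zone data
SHA256_DIGEST_TYPE = 2   # DS digest type for SHA-256


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root byte."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("DNS labels are limited to 63 octets")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA layout: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B; a lookup hint, not a security check."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata):
    """What the child hands to the parent: (key tag, algorithm, digest type, digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, digest


def ksk_matches_ds(owner, rdata, ds):
    """Resolver side: hash the child's DNSKEY and compare it to the parent's DS."""
    tag, algorithm, digest_type, digest = ds
    flags, protocol, key_algorithm = struct.unpack("!HBB", rdata[:4])
    if digest_type != SHA256_DIGEST_TYPE:
        return False                      # this sketch only handles SHA-256
    if not flags & ZONE_KEY_FLAG or protocol != 3:
        return False                      # not usable as a zone key
    if key_algorithm != algorithm or key_tag(rdata) != tag:
        return False
    computed = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(computed, digest)


# Constructed sample data: not a real key. 257 = zone key + SEP (KSK), 13 = ECDSA P-256.
OWNER = "example.com."
KSK_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
PARENT_DS = make_ds(OWNER, KSK_RDATA)

if __name__ == "__main__":
    print("published key matches DS:", ksk_matches_ds(OWNER, KSK_RDATA, PARENT_DS))
    swapped = dnskey_rdata(257, 3, 13, bytes(64))
    print("substituted key matches DS:", ksk_matches_ds(OWNER, swapped, PARENT_DS))
```

Because the owner name is part of the hashed input, the same key published under a different zone name does not match the DS either.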

Explicit Denial of Existence

If you ask DNS for the IP address of a domain that doesn’t exist, it returns an empty answer—there’s no way to explicitly say, “sorry, the zone you requested doesn’t exist.” This is a problem if you want to authenticate the response since there’s no message to sign. DNSSEC fixes this by adding the NSEC and NSEC3 record types. They both allow for an authenticated denial of existence.

NSEC works by returning the “next secure” record. For example, consider a name server that defines AAAA records for api, blog, and www. If you request a record for store, it would return an NSEC record containing www, meaning there are no AAAA records between store and www when the records are sorted alphabetically. This effectively tells you that store doesn’t exist. And, since the NSEC record is signed, you can validate its corresponding RRSIG just like any RRset.

Unfortunately, this solution allows anybody to walk through the zone and gather every single record without knowing which ones they’re looking for. This can be a potential security threat if the zone administrator was counting on the contents of the zone being private. You can read more about this problem in DNSSEC: Complexities and Considerations, as well as Cloudflare’s unique solution in DNSSEC Done Right.
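
The NSEC behaviour described above, as an added example that is not part of the original article. It builds the NSEC chain for a constructed zone (example.com. with api, blog and www), checks which record proves that store does not exist, and lists what the chain as a whole discloses, which is what an operator weighs when deciding whether plain NSEC is acceptable. Function names are illustrative, and signature checking of the NSEC record is out of scope here.

```python
def canonical_key(name):
    """DNSSEC canonical ordering: compare lowercased labels from right to left."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def build_nsec_chain(names):
    """Map each owner name to the next name in canonical order; the last wraps to the first."""
    ordered = sorted({n.lower() for n in names}, key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


def nsec_covers(owner, next_name, qname):
    """Validator-side check: does the NSEC (owner -> next_name) prove qname is absent?"""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n          # ordinary gap between two existing names
    return q > o or q < n         # final NSEC, which wraps around to the zone apex


def deny(chain, qname):
    """Return the (owner, next) pair a server would send for a missing name, else None."""
    if any(canonical_key(qname) == canonical_key(owner) for owner in chain):
        return None               # the name exists, so there is nothing to deny
    for owner, next_name in chain.items():
        if nsec_covers(owner, next_name, qname):
            return owner, next_name
    return None


def disclosed_names(chain, apex):
    """Every name revealed by following the 'next' pointers once around the chain."""
    seen, current = [], apex.lower()
    while current not in seen:
        seen.append(current)
        current = chain[current]
    return seen


# Constructed zone contents matching the example in the text.
ZONE = ["example.com.", "api.example.com.", "blog.example.com.", "www.example.com."]
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    print("proof for store:", deny(CHAIN, "store.example.com."))
    print("proof for www:  ", deny(CHAIN, "www.example.com."))
    print("chain discloses:", disclosed_names(CHAIN, "example.com."))
```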

The Chain of Trust

Ok, so we have a way to establish trust within a zone and connect it to its parent zone, but how do we trust the DS record? Well, the DS record is signed just like any other RRset, which means it has a corresponding RRSIG in the parent. The whole validation process repeats until we get to the parent’s public KSK. To verify that, we need to go to that parent’s DS record, and on and on we go up the chain of trust.

However, when we finally get to the root DNS zone, we have a problem: there’s no parent DS record to validate against. This is where we get to see a very human side of the global Internet.

In the Root Signing Ceremony, several selected individuals from around the world come together and sign the root DNSKEY RRset in a very public and highly audited way. The ceremony produces an RRSIG record that can be used to verify the root name server’s public KSK and ZSK. Instead of trusting the public KSK because of the parent’s DS record, we assume that it’s valid because we trust the security procedures around accessing the private KSK.

The ability to establish trust between parent and child zones is an integral part of DNSSEC. If any part of the chain is broken, we can’t trust the records we’re requesting because a man-in-the-middle could alter the records and direct us to any IP address they want.

What is the difference between a registry, registrar, and registrant?

There are three different roles that participate in the domain name registration process: The registry, registrar, and registrant. The following information breaks down each role and how they work with one another:

Registry: A domain name registry is an organization that manages top-level domain names. They create domain name extensions, set the rules for that domain name, and work with registrars to sell domain names to the public. For example, VeriSign manages the registration of .com domain names and their domain name system (DNS). To learn more about DNS, see What is DNS?

Registrar: The registrar is an accredited organization, like GoDaddy, that sells domain names to the public. Some have the ability to sell top-level domain names (TLDs) like .com, .net, and .org or country-code top-level domain names (ccTLDs) such as .us, .ca, and .eu.

Registrant: A registrant is a person or company that registers a domain name. Registrants can manage their domain name’s settings through their registrar. When changes are made to the domain, their registrar will send the information to the registry to be updated and saved in the registry’s database. When you register a domain name, you become a registrant!


Why Should I Hire A Marketing Agency For My Small Business?

Getting those customers is one of the biggest challenges that businesses face on a day to day basis. ALL businesses need to have an effective marketing plan to survive and grow. For many companies, however, this is a business truth that is easy to put on the back burner or settle for just throwing darts at a dartboard and hoping you hit something.

Nobody is going to walk into your office and ask for whatever it is that you are selling unless they know who you are, what you do, and they have confidence that you can deliver on your promises. More importantly, your prospects want to know why your product or service is of benefit to them, and how you are differentiated from your competitors.

To get those facts communicated, your company needs an effective, well-thought-out, and well-executed marketing plan. Most companies understand the need for a strategic marketing plan, but few understand what it is or how to implement one. Marketing is not the same thing as hiring a sales team; it is much more involved than that. In a nutshell, your company’s marketing plan is about generating leads that can then be turned into sales.

Elements of a Modern Marketing Strategy

The rise of the internet, indexed search (think Google), and the explosion of social media networks have changed the way that companies communicate their value proposition (the promise of value that will be delivered by your company and experienced by your customer).

Where once, legacy tactics such as yellow page advertisements or print ads drove traffic to your front door, modern consumers armed with mobile technology expect real-time access to information and make buying decisions in a matter of a few keystrokes on their devices.

This means that companies need to ensure that their branding messages are well executed, easily found on the web by sites that attract attention and convert eyeballs into leads.

Below is a list of items that make up a “modern marketing strategy”:

  • Collateral development and production
  • Content development specialists
  • Email programs
  • E-newsletters
  • Graphic artists
  • Market research
  • Marketing software
  • Metrics/data analysts
  • Mobile marketing specialists
  • PPC
  • Printing
  • PR specialists
  • SEO/keyword research
  • Social media specialists
  • Special events
  • Sponsorship
  • Website development/re-engineering

While this is a very thorough list, it should also be seen as incomplete, because as we speak new technologies, apps and disciplines are being created which makes keeping up a challenge. This rapid change in new technologies is what makes marketing in the 21st century such a challenge for small businesses.

Now that we know the elements, let’s shift gears and evaluate your options on how to execute your strategy.

Can and Should I Do This Myself?

Many entrepreneurs are ingrained with the DIY (Do-It-Yourself) ethic, which refers to the ethic of self-sufficiency through completing tasks without the aid of paid specialists. As an entrepreneur that has suffered from this particular affliction, I can certainly attest to the fact that an individual can, with enough time and gumption, seek out the knowledge required to complete any given task.

The challenge with this mode of operation is the many different creative elements, such as writing, graphic design, computer programming that are needed to successfully carry out a modern marketing strategy. The learning curve for a busy entrepreneur with little experience is staggering, leaving the business owner with either a vastly incomplete marketing strategy missing key elements, such as blogging, social media marketing or a site filled with ugly graphics or both.

Conversely, if the owner devotes the time to learn all of these marketing elements, you have a tapped out business owner focusing all time and attention on a steep learning curve in the creative arts. For all but the smallest businesses lacking the marketing budget to hire or outsource, DIY is an unfeasible strategy. If DIY is not the right approach, then what other options are available?

Should I Hire an Employee or a Marketing Agency?

Organizations that have neither the time nor inclination to DIY are left with a choice; either hire an employee or hire an outside agency. In many instances, business owners lean towards hiring an employee because that has been the de-facto process in the past to solve an immediate need. Additionally, business owners may have the perception that an outside agency is far more expensive than hiring in-house staff. The problem with this rationale is that most of the time, owners don’t have a true basis for comparison.

Smaller businesses can have much lower costs than shown below.

marketing cost charts

How much do you think it would cost to hire a qualified marketing employee vs. hiring a marketing agency?

Most business owners don’t have a true basis for comparison and typically use a rudimentary methodology for decision making. In many cases, business owners might use a base salary versus an hourly quote for a marketing agency and thus conclude that since the hourly rate is higher, it must therefore be the more expensive option. This is a big mistake.

Many owners fail to take into account the true costs associated with hiring and retaining an employee. As the chart below shows, not only do you have to account for base salary, but adding in fixed expenses such as federal, state, and/or local taxes as well as health insurance contributions, retirement plan matches, vacation, sick days, etc., the true cost can be as much as 1.25 to 1.4 times the base salary. Add in additional expenses such as the cost of recruiting and training and the total starts to escalate quickly.

Let’s take a closer look and see what really happens when you compare the two. Disclosures: We used the job position of Marketing Manager for the comparison. Many marketing professionals specialize in one area of marketing, like a social media marketing manager, and may not have the experience that a marketing manager could have. All the salary data is based on the National Average salary for a Marketing Manager in the USA and was taken from There are also many elements to marketing, so we chose the inbound marketing process which encompasses many of the items listed above.

While the numbers are averages and should be adjusted based on your needs, location of a business, etc., the table should give you a better understanding of the approximate costs of hiring each one.

In addition to costs in hiring the right employee, the effective execution of many marketing tasks requires extensive software applications which require lots of money……..lots of it in the form of upfront purchases and annual subscriptions of graphics programs, PPC management apps, business metrics software and a whole host of other requirements.

In addition to the pure cost factor of hiring an employee, there is one additional factor that needs to be considered. It would be exceptionally difficult to find one person that possesses each of the skills required to execute your strategy. This would most likely require your new marketing hire to outsource at least some of these tasks to outside agencies, which really blows this comparison out of the water.

As you can see after taking these factors into consideration, hiring marketing staff is no bargain.

Benefits of Working with a Marketing Agency

Although you may perceive that you are saving money on an hourly basis relative to hiring an employee or doing it yourself, hiring a marketing agency, particularly one focused on inbound marketing tactics provides substantial value. Long gone are the “Mad Men” days of nebulous budgets with hidden fees.

The pricing dynamic has shifted and many firms are now working on clearly spelled out pricing structures, and lower-fee marketing retainer agreements.

Smaller businesses can have much lower costs working with an agency.

While there is no industry standard, the going rate in most markets for an experienced inbound agency starts in the $3,000 to $5,000 range in terms of monthly spending. While that may seem like a large number, in comparison to the opportunity cost of DIY, or the pure allocation of funds towards building the internal staff, this is a relative bargain.

Among the many benefits of working with an experienced marketing firm are:

  • Expertise with your market niche
  • Experience in executing marketing plans
  • Money savings by hiring to your specific needs
  • No employee training required
  • Your marketing plan is executed immediately, the employee may need time to ramp up while the marketing firm is ready from the get-go
  • Avoid HR nightmares
  • No additional overhead
  • Tax deductions, not tax liability
  • Efficiency for short-term and urgent projects

This new paradigm allows business owners to focus on running operations and increasing the bottom line, not messing around with Facebook, Twitter, or trying to build out a website.

The big question then isn’t can I afford an experienced marketing agency, but rather how much am I costing myself in time, money, and lost opportunity by trying to do this in-house.



Generating Quality Business Leads

More than fifteen years ago, Lynn Hudson quit her nursing job to start her own business called Melody Music Studios LLC. The studio teaches piano and voice lessons in the town of Cary, NC. Shortly after opening her doors, Lynn realized that she needed a way to market her new business and generate more clients. Nothing happens very fast when you start a new business, especially marketing and new leads.

Over the next six months, Lynn considered Yellow Book marketing, website costs, and e-mailing marketing. Yellow Book was very expensive and the ad would not show up until seven months later. Website costs were less expensive but Lynn did not have the capital to start that project. Lynn looked into the SBA, but sadly they did absolutely nothing to help her.  Lynn ended up marketing her new business with business fliers, talking to as many people as possible, and word of mouth.

Then, she found ACS Web Marketing online and contracted with them. In a short amount of time, Melody Music Studios was up to 25 students and rolling. The website and lead generating software offered by ACS Web Marketing became the weapon of choice when generating new business. For every new customer who signed up, the business costs were pennies on the dollar. This unique approach was not only cost-effective but hit the nail on the head.

Today, Melody Music Studios LLC can be easily found on Google, Yahoo, and Bing search engines including keywords such as piano lessons and voice lessons. If you are a new business, spend your time doing the following:

  1. Define your business online web name.
  2. Get an unbiased quote of the costs to start a business website and not a personal website. Do-it-yourself websites are not VALID sources for true website development. Unless you’re an expert in SEO, stay clear of them if you want to succeed.
  3. Work with your webmaster to set up the right strategy and marketing. Make sure he or she is local and can meet with you one on one. Do not be deceived by cheap prices on the internet. Have enough capital saved to get your company up and running.
  4. Research your competition to find out what they are doing to get to page one.

ACS Web Marketing serves the Raleigh and all NC areas and more…

Call today at 919-302-8457 for a Free No Cost Quotation  


ORGANIC SEO vs. PPC or Pay per Click

The 64 thousand dollar question. Your long-term web marketing strategy should always include search engine optimization. The major advantage of SEO is that statistically, it brings you better quality traffic leads. In fact, many users have subconsciously trained themselves to ignore “paid results” entirely when browsing the web or searching on Google.

There are mountains of data that suggest “Natural Search” visitors to your website are far more likely to trust you, your business, and your products & services. Ranking highly in Google for a keyword or phrase is a clear sign that you are a credible source and that you are an important player in your industry.

But do NOT fool yourself into thinking that SEO is free. No matter how you look at it, SEO comes at a cost. Whether it’s your own time or hiring an outside vendor to manage your SEO strategy, SEO does come with a cost.

Pay Per Click can range from $50 a month to thousands of dollars a month. After you have established your core SEO and are showing up on page one for your keywords or a long string, now would be the time to engage PPC on a limited basis. Look for a 3% return on your investment.

For every $100 you spend on PPC, look to get about a $3.00 return. You may do better with a service than e-commerce but you should be the judge of that and not a company… Remember you are investing in your company. Make every dollar count.

ACS Web Marketing LLC 919-302-8457