Thought Leadership

Deliverability | 6 MIN READ

OTA report findings: How retailers protect their subscribers from email phishing threats

By Vyvy Ta
Analyst, Intelligence Products

According to CyberArk, 56% of IT security professionals chose email phishing as the greatest security threat to brands and subscribers alike. A key tool for marketers to fight this threat is email authentication. Email authentication helps Internet Service Providers (ISPs) like Gmail, Outlook or Hotmail verify that an email is coming from a legitimate source, like an actual brand and not a scammer. Marketers who use proper authentication can protect both their subscribers and their brand from major threats like phishing attempts, deliverability issues, blacklistings and much more.

Analyzing the Trends Impacting Email Security and Authentication

Each year, the Online Trust Alliance (OTA) – a non-profit organization dedicated to online best practices for consumer safety and brand compliance – publishes an annual Email Marketing and Unsubscribe Audit to help brands understand the trends and best practices impacting the integrity of email – including protections like authentication.

OTA’s Audit evaluates 200 of the top North American online retailers and their online presence – from their marketing program sign-up process (including components like pop-ups, (re)CAPTCHA authentication, etc.) and overall user experience, to the unsubscribe process. Each of these components are monitored to ensure retailers comply with best practices and regulations.

Authentication Trends and Missed Opportunities

An overview of this year’s OTA Audit shows us that retailers are getting smarter about authentication, demonstrating their commitment to protecting their subscribers and ensuring messages that reach users are legitimate. Retailers are increasing their adoption of authentication practices, but there are important qualifiers that are being overlooked.

The OTA Audit revealed two promising trends in authentication:

Trend #1:

Two of the most effective practices for authenticating senders are SPF (Send Policy Framework) and DKIM (Domain Keys Identified Mail). SPF is an authentication process where the domain owner (a brand in this case) adds a DNS record specifying which servers are authorized to send emails; this allows ISPs to check against the SPF to detect forged sender addresses. DKIM provides an additional protection by embedding a key in the message that connects the email to the server thus ensuring that the message has not been changed or intercepted. The OTA Audit revealed that all of the evaluated retailers in the audit have adopted both SPF and DKIM authentication policies.

Trend #2

Almost all of the retailers in the Audit (95.7%) were using Opportunistic TLS (Transport Layer Security). This type of authentication optimizes the use of encryption. If an ISP’s mail server prefers encrypted emails, then Opportunistic TLS allows for retailers to send encrypted mailings; if the mail server does not accept encryption, then the email is sent unencrypted. Encryption helps prevent cyber criminals from eavesdropping on email communications. Opportunistic TLS is especially prominent in Gmail where a small red padlock will appear if a message is not using encryption.

Despite the universal adoption of SPF and DKIM to confirm the legitimacy of a brand’s mailings with an ISP and the increased adoption of Opportunistic TLS to improve encryption practices, these strategies alone are not enough to protect subscribers because they do not safeguard against one of the biggest online threat: phishing attempts. That’s where DMARC comes in.

Protecting against phishing with DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance), is an email authentication, policy, and reporting protocol that helps protect against direct domain spoofing. Domain spoofing is a form of phishing which occurs when an imposter uses a company’s domain to impersonate said company. The end goal of domain spoofing is to trick consumers into providing personal information or access to personal information.

Although the majority of retailers have a DMARC record, many have not defined its policy settings which is key to preventing unauthenticated emails from reaching consumers. A DMARC record has three policy settings: none, quarantine, and reject. Having ‘none’ as a setting means that despite having an authentication policy in place, if a mailing is not authenticated, it still gets through to a subscriber’s inbox without any issues. In this case all mailings are accepted by the respective ISP, regardless of whether they pass or fail authentication protocols.

A ‘quarantine’ setting for a retailer’s DMARC record notifies ISPs to treat unauthenticated mailings with more caution. With this type of setting, a phishing message will end up in a spam folder or the ISP will mark the message as potentially unsafe.

A ‘reject’ policy setting for DMARC tells ISPs that any unauthenticated mailing should be blocked and prevented from reaching a subscriber’s inbox.

The OTA Audit revealed that while 71.4% of the top 200 retailers have a DMARC policy in place, only 35.2% have set up their policy to ‘quarantine’ or ‘reject’ which highlights an urgent need for retailers to improve their DMARC policy settings. Without a ‘quarantine’ or ‘reject’ policy, any malicious sender posing as a brand could still reach a subscriber’s inbox. To protect consumers from phishing and improve trust, retailers should consider updating their DMARC settings.


Retailers are making steady improvements to their email authentication processes which can help protect consumers from growing security threats. Yet, as email scams and phishing attempts become more sophisticated in their efforts to collect consumer information, it is imperative for marketers to continually examine how they can ensure their subscribers and their brand are safe.

For more insights into the latest OTA Email Marketing and Unsubscribe Audit, please visit the OTA website HERE.

For expert guidance on all things deliverability, check out our Email Deliverability Guide and our Gmail Deliverability Report.

Analyst, Intelligence Products

Vyvy Ta

VyVy is an Intelligence Products Analyst at Yes Marketing. She attended the University of Waterloo where she earned a Communications Degree, specializing in public and digital communications. She is currently a member of the Project Management Institute and Women of Email. In her spare time, she is a food aficionado and avid traveler. Her latest adventures have led her to China, Japan, Vietnam, and South Korea. She is hoping to focus her traveling towards Europe in the future.