- Who We Are
- Success Stories
- Thought Leadership
Deliverability | 6 MIN READ
According to CyberArk, 56% of IT security professionals chose email phishing as the greatest security threat to brands and subscribers alike. A key tool for marketers to fight this threat is email authentication. Email authentication helps Internet Service Providers (ISPs) like Gmail, Outlook or Hotmail verify that an email is coming from a legitimate source, like an actual brand and not a scammer. Marketers who use proper authentication can protect both their subscribers and their brand from major threats like phishing attempts, deliverability issues, blacklistings and much more.
Each year, the Online Trust Alliance (OTA) – a non-profit organization dedicated to online best practices for consumer safety and brand compliance – publishes an annual Email Marketing and Unsubscribe Audit to help brands understand the trends and best practices impacting the integrity of email – including protections like authentication.
OTA’s Audit evaluates 200 of the top North American online retailers and their online presence – from their marketing program sign-up process (including components like pop-ups, (re)CAPTCHA authentication, etc.) and overall user experience, to the unsubscribe process. Each of these components are monitored to ensure retailers comply with best practices and regulations.
An overview of this year’s OTA Audit shows us that retailers are getting smarter about authentication, demonstrating their commitment to protecting their subscribers and ensuring messages that reach users are legitimate. Retailers are increasing their adoption of authentication practices, but there are important qualifiers that are being overlooked.
The OTA Audit revealed two promising trends in authentication:
Two of the most effective practices for authenticating senders are SPF (Send Policy Framework) and DKIM (Domain Keys Identified Mail). SPF is an authentication process where the domain owner (a brand in this case) adds a DNS record specifying which servers are authorized to send emails; this allows ISPs to check against the SPF to detect forged sender addresses. DKIM provides an additional protection by embedding a key in the message that connects the email to the server thus ensuring that the message has not been changed or intercepted. The OTA Audit revealed that all of the evaluated retailers in the audit have adopted both SPF and DKIM authentication policies.
Almost all of the retailers in the Audit (95.7%) were using Opportunistic TLS (Transport Layer Security). This type of authentication optimizes the use of encryption. If an ISP’s mail server prefers encrypted emails, then Opportunistic TLS allows for retailers to send encrypted mailings; if the mail server does not accept encryption, then the email is sent unencrypted. Encryption helps prevent cyber criminals from eavesdropping on email communications. Opportunistic TLS is especially prominent in Gmail where a small red padlock will appear if a message is not using encryption.
Despite the universal adoption of SPF and DKIM to confirm the legitimacy of a brand’s mailings with an ISP and the increased adoption of Opportunistic TLS to improve encryption practices, these strategies alone are not enough to protect subscribers because they do not safeguard against one of the biggest online threat: phishing attempts. That’s where DMARC comes in.
DMARC (Domain-based Message Authentication, Reporting & Conformance), is an email authentication, policy, and reporting protocol that helps protect against direct domain spoofing. Domain spoofing is a form of phishing which occurs when an imposter uses a company’s domain to impersonate said company. The end goal of domain spoofing is to trick consumers into providing personal information or access to personal information.
Although the majority of retailers have a DMARC record, many have not defined its policy settings which is key to preventing unauthenticated emails from reaching consumers. A DMARC record has three policy settings: none, quarantine, and reject. Having ‘none’ as a setting means that despite having an authentication policy in place, if a mailing is not authenticated, it still gets through to a subscriber’s inbox without any issues. In this case all mailings are accepted by the respective ISP, regardless of whether they pass or fail authentication protocols.
A ‘quarantine’ setting for a retailer’s DMARC record notifies ISPs to treat unauthenticated mailings with more caution. With this type of setting, a phishing message will end up in a spam folder or the ISP will mark the message as potentially unsafe.
A ‘reject’ policy setting for DMARC tells ISPs that any unauthenticated mailing should be blocked and prevented from reaching a subscriber’s inbox.
The OTA Audit revealed that while 71.4% of the top 200 retailers have a DMARC policy in place, only 35.2% have set up their policy to ‘quarantine’ or ‘reject’ which highlights an urgent need for retailers to improve their DMARC policy settings. Without a ‘quarantine’ or ‘reject’ policy, any malicious sender posing as a brand could still reach a subscriber’s inbox. To protect consumers from phishing and improve trust, retailers should consider updating their DMARC settings.
Retailers are making steady improvements to their email authentication processes which can help protect consumers from growing security threats. Yet, as email scams and phishing attempts become more sophisticated in their efforts to collect consumer information, it is imperative for marketers to continually examine how they can ensure their subscribers and their brand are safe.
For more insights into the latest OTA Email Marketing and Unsubscribe Audit, please visit the OTA website HERE.