It’s tempting to point out that email authentication can be boring to marketers. And that many believe it’s not in their job descriptions—despite all the efforts to bust down silos between departments. But all of that’s obvious. Here’s what many marketers may not realize about email authentication:
Proper email authentication not only makes sure marketers’ messages get through, but that the fakes don’t; thereby likely increasing revenue, says Sam Masiello, general manager and chief security officer at New York-based email performance management company Return Path. That’s because spam and brand spoofs can really cut down on recipients’ trust. “The more phished messages make it to the inbox, the more likely that brand’s real emails will draw complaints, contributing to a decrease in email effectiveness rates and potentially lost revenue and customers.”
To solve that problem, Return Path worked with 14 other email service and technology providers to create a mechanism that will allow authenticated email from marketers into the inbox and block out all the potential rulebreakers. Wigs and mustaches won’t work anymore, Domain-based Message Authentication, Reporting and Conformance (DMARC) will be wise to all the spammers and phishers disguised as spoofed brands, according to the Jan. 30 announcement by DMARC.org, a technical working group dedicated to “developing standards for reducing the threat of deceptive emails, such as spam and phishing.”
Masiello boils down what marketers can say once they implement DMARC: “Hey ISPs, my email is all set. Block anything that doesn’t pass SPF and DKIM.” (SPF stands for “sender policy framework” and DKIM is short for “domain keys identified mail.”)
Providing more elaboration on the marketing benefits of DMARC are Masiello and:
- Adam Dawes, product manager at Mountain View, Calif.-based Google; and
- Murray S. Kucherawy, president and CEO of The Trusted Domain Project, a non-profit dedicated to “supporting research and development of open software and open standards.”
1. Even if marketers don’t want to implement email authentication themselves, they should at least make sure someone in the organization is doing it.
According to DMARC.org, which says it’s got a solution to this situation: “Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent.”
Dawes says this is especially true at larger companies. “Mail environments can be very complex, involving many machines, multiple data centers and third-party providers (email marketing, campaign management, sales and support tools). Keeping track of this ever-changing environment is complex, and ensuring all pieces are doing the right thing [is] difficult.”
Kucherawy cautions that marketers need to know that SPF, DKIM and DMARC are in place—not just one of the email authentication tools. “DMARC, as currently designed, can’t work properly without at least one of SPF and DKIM (and preferably both) being deployed.”
Dawes says organizations can go ahead and add DMARC now: “If a domain is 100 percent sure that they are signing all of their outbound mail (SPF breaks under certain circumstances, so you don’t want to rely solely on it), you can publish a DMARC block record now and it will be observed at Gmail. Other DMARC.org members (Hotmail, Yahoo) are working on their own support.”
2. Customers touched by spammers and phishers may be once burned, twice shy.
An overly spoofed brand may find customers marking legitimate email messages as spam, Masiello says. “Phishing does not affect deliverability directly, but we have seen evidence that the legitimate messages from highly phished brands can reduce engagement and generate more user complaints (the recipient confuses the real message with the fake ones and clicks the ‘this is spam’ button). Reduced engagement, combined with increased complaint rates, will affect reputation and reduce inbox placement rates (IPR).”