Don't Wait to Authenticate

In March I wrote an article entitled, European Email Marketers; How the Phishing Phenomenon Impacts You (Even if You've Never Been Spoofed). I received some excellent feedback after publishing it and most of them said, “It’s not just European senders who are behind in their understanding of the real impact of phishing, it’s a global issue still very relevant everywhere.” Of course I knew that, but being based in Europe, I focused on what’s happening on this side of the Atlantic.

To summarize my previous article: You are impacted by the phishing phenomenon, even if you think you don’t have a phishing problem and you’ve never been spoofed.  If your mail is falsely labelled as a phishing attempt, your customers will never see it. Unlike regular spam, it doesn’t go to the spam folder where users can mark it as valid (“this is not spam”). Instead, it’s quarantined. If a Mailbox Provider’s filter just suspects that your mail might be phishing, it may still be delivered but it will also be delivered to the junk folder but flagged with a warning to your customer, “this mail might be phishing”. Either way, this is bad for your brand.

Today’s best solution is email authentication. At Return Path, we’ve written a lot about authentication: SPF and DKIM, as well as DMARC- Domain Based Message Authentication - which relies on the aforementioned SPF & DKIM. We’ve told you how to do it and why you should, so I won’t repeat what’s already been written, instead I’m writing because what should be done in regards to authentication is rapidly becoming what must be done.

While authentication isn’t mandatory yet, it’s certainly looking more and more like a requirement for those following email best practices.  Two major mailbox providers recently did something previously considered unthinkable by many: Yahoo! and AOL made waves this quarter when they both moved to “p=reject”. For the two mailbox providers the benefits outweighed the cost. This doesn’t mean that as a sender, you can’t send to Yahoo! or AOL if you’re not authenticating but it makes me wonder, will authentication eventually be mandatory? Probably not anytime in the immediate future but one has to wonder…

If you’re a sender interested in protecting your brand and customers, phishing should be the strongest impetus to authenticate your mails. The self-evident fact about phishing is that, when it comes to filtering, anti-spam filters aren’t always going to get it right. At Return Path we’ve seen obvious phishing messages circumvent ISP filters. In one case, less than 7% of the messages were caught.  If someone spoofs your brand, you can be sure that not only will some (if not many) of those messages get to the inbox, many will be read by your customers, or worse, acted-upon. Authentication should be your first line of defense against potential spoofing.

Finally, think about it from a Mailbox Provider’s perspective. Their anti-spam filters are based on the premise that nothing is to be trusted. Guilty until proven innocent, they look for a reason to mistrust a message. When you authenticate, you’re giving the Mailbox Provider a reason to trust your mail. When they know you’re a so-called ‘Good Actor’, they don’t necessarily need to subject your messages to the same stringent analysis that they would mail from an unauthenticated sender. They still subject the email to filtering but at least they can rely on regular reputation/Bayesian and content filtering to determine if messages are spam or not. Passing authentication eases the task for the anti-spam infrastructure to focus on the filtering element. The point is, the more they can trust your mail, the better you deliver.

No discussion about authentication would be complete without mentioning DMARC, More than 60% of the world’s inboxes are protected by DMARC. In Europe the number is closer to 55% but growing. There is a correlation between increase in phishing and decrease in DMARC usage and vice-versa.

DMARC can help you take your authentication to the next level. You can monitor how much of your mail passes or fails checks, tell the Receiver what to do with messages that fail and receive statistic reports.  DMARC can be adopted in stages and for a sender, having more visibility and reporting is a major benefit.

At Return Path we’ve seen how spoofing impacts a marketer’s brand and email reputation. One sender with a history of high inbox-placement rates and high reputation scores saw their inbox deliver drop by 32% in the month following a spoofing incident. A drop like this significantly reduces the ROI of a marketer’s email program.

Why risk paying the price for someone else’s crime?  Authenticate now and save yourself the trouble.