Return Path’s New Year Community Challenge: Week 3
This week’s best practice is: Authenticate
Every marketer wants to be trusted, valued and welcome in the inbox. So it is always a top priority for the industry to ensure that legitimate marketers who follow best practices are clearly differentiated from spammers and fraudsters. Deceptive and fraudulent email, caused by spoofing and phishing, has become the top factor affecting online trust.
This is a problem for all of us to solve together. Fortunately, there are a few steps that you can take today to protect your brand so ISPs can welcome you into the inbox and so your customers can feel safe responding to your offers. The first of these – and perhaps the most straightforward for marketers – is authentication. All that means is that you validate that email you send is actually coming from you.
This column includes the benefits of authentication, the different types and which ISPs accept them and steps to authenticate your messages.
Authentication alone will not stop spam. Spammers can authenticate email, too. But it is integral to preventing phishing and other fraud. Its wide acceptance among ISPs has contributed to the acceptance of reputation and the use of third-party whitelist programs as standards that drive the future of email. If you are a legitimate business, you should see authentication as essential to securing your brand and online reputation.
There are three benefits to authentication:
- Confirming your identity helps ISPs weed out spoofing and phishing emails, improving the quality and security of the email channel.
- Confirming your identity helps ISPs and other reputation assessors, like Sender Score, differentiate you from spammers and assess your reputation based only upon your authenticated mail, not on that of spammers forging your domains in spam.
- It may soon be required by some ISPs. Since spammers can, and do, authenticate, ISPs can’t rely on the mere fact that a message authenticates to some domain when making filtering decisions. The reputation of that domain or those IP addresses still counts, and always will. But we predict that ISPs will increasingly treat a lack of authentication as a reason to block suspicious email, putting you at real risk of being blocked.
Now that you know why, let’s talk about how. This is a bit out of my own expertise, so I asked my colleague Tom Bartel, Return Path Chief Privacy Officer, to help us out.
All three leading email sender authentication technologies – Sender Policy Framework (SPF), SenderID Framework (SIDF), and Domain Keys / DomainKeys Identified Mail (DKIM) – use the Domain Name System (DNS) to publish “records” which facilitate authentication. With SPF and Sender ID, these authentication records, available through DNS to the entire Internet community, designate the specific machines that are authorized to send mail for a specific email domain. Before allowing a message into a user’s inbox, ISPs attempt to verify that the email is coming from an authorized source by checking those authentication records. With DKIM, the record carries a public key, which receivers retrieve via DNS and use to verify the DKIM signature in a message and thereby confirm the message’s authenticity.
While all three seem similar on the surface, the primary difference is that they each consider a different aspect of the message to portray the identity of the sender – in other words, who sent it. This can be a very important distinction, because the “who” revealed in each case may not be what the sender – or the recipient – was expecting. There are two types of email authentication. Let’s look at the distinctions:
IP Based (Sender Policy Framework, Sender ID) – This methodology uses a path registration approach. Email messages are authenticated by comparing the IP address of the server that is sending the message to a list of IP addresses published in a DNS record for a sending domain. If the IP address is not permitted, then the message is not authenticated.
Cryptographic (Domain Keys / DKIM) – This methodology uses a message validation approach, associating a responsible identity with a message and providing a method for verifying the association. Email messages are “signed” in a way that is extremely difficult to spoof – just like a bank transaction – and thus verifies the source and content of a message.
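To make the cryptographic approach concrete, here is an added Python example; it is not code from this column, from Return Path, or from any DKIM implementation. It performs the body-hash part of DKIM as RFC 6376 describes it: canonicalize the message body (“simple” or “relaxed”), compute the base64 SHA-256 value a signer places in the bh= tag, and have the receiver recompute it. The sample body and the DKIM-Signature tag string are constructed. The RSA signature over the headers (the b= tag, verified with the public key from DNS) is not shown, since it needs a private key and a cryptography library outside the standard library.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample body (not from the column). It is the body used in the
# canonicalization example of RFC 6376 section 3.4.6.
SAMPLE_BODY = " C \r\nD \t E\r\n\r\n\r\n"


def canonicalize_body(body: str, method: str = "simple") -> str:
    """Canonicalize a message body the way DKIM does before hashing it.

    simple:  drop empty lines at the end of the body, keep everything else.
    relaxed: additionally collapse runs of spaces/tabs inside a line to one
             space and strip whitespace at the end of each line.
    """
    if method not in ("simple", "relaxed"):
        raise ValueError("unknown canonicalization: %s" % method)
    lines = body.split("\r\n")          # a trailing CRLF leaves a final ""
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":    # remove trailing empty lines
        lines.pop()
    if not lines:
        # RFC 6376: an empty body is a single CRLF (simple) or empty (relaxed)
        return "" if method == "relaxed" else "\r\n"
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, method: str = "simple") -> str:
    """Return the base64 SHA-256 body hash that goes into the bh= tag."""
    canonical = canonicalize_body(body, method).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")


def verify_body_hash(body: str, expected_bh: str, method: str = "simple") -> bool:
    """Receiver side: recompute bh= over the received body and compare."""
    return hmac.compare_digest(body_hash(body, method), expected_bh)


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header value.

    Folding whitespace inside values (common in b= and bh=) is removed.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def demo() -> dict:
    """Hash a constructed body, then check intact, reflowed and tampered copies."""
    bh = body_hash(SAMPLE_BODY, "relaxed")
    # Constructed DKIM-Signature value; b= is a placeholder, not a real signature.
    header = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;\r\n bh=%s;\r\n b=PLACEHOLDER" % bh
    tags = parse_dkim_tags(header)
    return {
        "bh": bh,
        "intact_verifies": verify_body_hash(SAMPLE_BODY, tags["bh"], "relaxed"),
        # whitespace-only changes survive relaxed canonicalization ...
        "reflowed_verifies": verify_body_hash(" C\r\nD  E\r\n", tags["bh"], "relaxed"),
        # ... but a changed character does not
        "tampered_verifies": verify_body_hash(" C \r\nD \t F\r\n", tags["bh"], "relaxed"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The choice between simple and relaxed canonicalization is what lets a legitimate mail path that re-wraps whitespace keep a valid signature, while any change to the actual content still fails verification.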
Good practice is to implement at least one of these standards. The best practice is to implement both, if that is practical for your business. If you are a member of the Direct Marketing Association (DMA), you are now required to implement at least one method. The DMA, in partnership with Return Path, has created a Reputation Registry for its members to check whether they are authenticated. It’s a great resource and can really help you rally internal support for authentication.
Implementing an authentication method should be coordinated with your IT group early in the process. They are likely to be familiar with the specifications and can help in planning the work and publishing your records once you’ve built them.
Here are a few key steps to help you along the way.
Step 1. Find the authentication scheme best suited to your needs. You can find detailed information about the three dominant schemes on the following Web sites:
Step 2. Take inventory of all systems that send your mail. Identify all machines that send mail on your behalf. Once you identify these senders, you need to determine the IP addresses (if you’re planning to use SPF or SenderID) and the sending domains used for each.
Step 3. Create your authentication records. There are excellent online tools available for creating valid SPF and Sender ID records. The following wizards can assist you:
Step 4. Publish your authentication records. If you are using SPF, Sender ID or Domain Keys, work with whoever manages your DNS records to publish the email authentication records you’ve collected. The actual publishing is easy — finding the responsible party who controls your DNS may be the tricky part.
Step 5. Test your authentication records. SPF, SenderID, and Domain Keys provide options to publish your records in “test” mode. This provides the opportunity for testing without risking delivery failures for mistakes in your record. Testing will ensure that the mail servers you’ve authorized are being verified by receivers and will determine if you’ve missed identifying any mail servers in your inventory. Once the records are published and tested, appoint a staff person to make sure they remain current.
Step 6. Monitor. Regularly monitor your authenticated IP addresses and domains using SenderScore.org or the Sender Score Brand Protection Registry. This gives ISPs a complete record of your authenticated mail streams to consult when deciding whether to accept or reject your messages.
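The following added Python example ties the IP-based mechanism described above to Steps 2 through 5. It is not code from this column or from Return Path, and the sender inventory, IP addresses (from the documentation ranges) and observed sending IPs are all constructed. It builds an SPF record from the inventory, first in “test” mode (a neutral ?all, so unlisted hosts are not rejected) and then in enforcing mode (-all), and then evaluates candidate sending IPs against the record the way a receiver would, which surfaces any mail server missed in the inventory. Only the ip4, ip6 and all mechanisms are handled; include, a, mx and exists need DNS lookups and are deliberately left out so the example runs offline.

```python
import ipaddress

# Constructed sender inventory for a hypothetical domain (Step 2 output).
SENDER_INVENTORY = {
    "corporate mail gateway": "192.0.2.10",
    "marketing ESP range": "198.51.100.0/24",
    "transactional app server": "203.0.113.5",
}

# SPF qualifier prefix -> result name (RFC 7208 section 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(inventory: dict, test_mode: bool = True) -> str:
    """Step 3: build an SPF TXT record from an inventory of IPs / CIDR ranges.

    test_mode=True ends the record with '?all' (neutral) so hosts you missed
    are not rejected while you verify the inventory; switch to '-all' once
    the record is known to be complete.
    """
    mechanisms = ["v=spf1"]
    for entry in inventory.values():
        net = ipaddress.ip_network(entry, strict=False)
        tag = "ip4" if net.version == 4 else "ip6"
        if net.prefixlen == net.max_prefixlen:
            mechanisms.append("%s:%s" % (tag, net.network_address))
        else:
            mechanisms.append("%s:%s" % (tag, net.with_prefixlen))
    mechanisms.append("?all" if test_mode else "-all")
    return " ".join(mechanisms)


def check_spf(record: str, sending_ip: str) -> str:
    """Evaluate an SPF record against the connecting IP (ip4/ip6/all only).

    Returns the result of the first matching mechanism, 'neutral' if nothing
    matches, or 'none' if the text is not an SPF record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"          # malformed mechanism
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
            continue
        # include:, a, mx, exists: and redirect= require DNS; out of scope here
        raise NotImplementedError("mechanism needs DNS: %s" % term)
    return "neutral"


def find_missing_senders(record: str, observed_ips: list) -> list:
    """Step 5 check: observed sending IPs that the record does not pass."""
    return [ip for ip in observed_ips if check_spf(record, ip) != "pass"]


def demo() -> dict:
    """Build test and final records, then audit constructed observed senders."""
    # Constructed IPs seen sending mail for the domain during the test period;
    # 203.0.113.9 is a server that was left out of the inventory.
    observed = ["192.0.2.10", "198.51.100.77", "203.0.113.5", "203.0.113.9"]
    test_record = build_spf_record(SENDER_INVENTORY, test_mode=True)
    final_record = build_spf_record(SENDER_INVENTORY, test_mode=False)
    return {
        "test_record": test_record,
        "final_record": final_record,
        "missed_in_test": find_missing_senders(test_record, observed),
        "unlisted_under_test": check_spf(test_record, "203.0.113.9"),
        "unlisted_under_final": check_spf(final_record, "203.0.113.9"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit result shows why test mode matters: the forgotten server gets a neutral result (delivered, but flagged as unlisted) while the record is still being validated, whereas the same server would hard-fail under -all, which is the risk Step 5 is meant to catch before you commit.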
Since your circumstances and sender inventories will vary, some complexities may emerge in your planning and implementation. The benefits of strengthening your company’s reputation for transparency and accountability, however, will be worth the effort.
If that sounds scary or hard, ask your IT department or ESP for help. Authentication is a relatively simple and important step that helps you and your program, and also shows your commitment to the greater good. The more legitimate senders who authenticate, the better the data that ISPs and receivers have to work with, and the better the email channel will be for everyone.
- Do you authenticate? If not, why not?
- What do you think would help increase authentication among legitimate companies?
- What do you think could be done to make authentication work better for the email industry?