Email Exec on Authentication, DMARC
Webmail providers like Gmail, Hotmail, and Yahoo use, essentially, two checks to determine whether to deliver an email to its intended recipients. One check is to review an email’s content and the recipients’ interaction with it. Emails with spammy content or content that is simply ignored, with few opens or clicks, will likely end up in a recipient’s spam or junk folder. In “Email Marketing in 2014: How to Avoid Spam Folders,” my previous article, I offered tips for marketers to keep their email out of spam or junk folders.
The second check from webmail providers is to determine if the sender is who it says it is, and is otherwise legitimate. This check is called “authentication.” It aims to prevent phishing (seeking information dishonestly from a recipient) and spoofing (falsely claiming to be a person or company).
In this article, I’ll focus on email authentication.
PayPal and DMARC
Perhaps no company depends more on email authentication than PayPal. Its customers use email to send money, and to request money from others. The system relies on both parties — senders and receivers — being legitimate. To address rampant phishing and spoofing, PayPal developed technical standards that authenticate emails from its platform. That was roughly 8 years ago.
PayPal’s authentication protocols worked so well that it took them to major webmail providers, such as Gmail, Yahoo, and Hotmail, asking those providers to adopt its standards, or something similar to them. This gave rise to a task force comprised of employees from Gmail, Yahoo, PayPal, and many other related companies. The task force was to adopt and publish authentication standards that the entire email industry could use.
Those standards, which are now called Domain-based Message Authentication, Reporting & Conformance — DMARC — were first adopted by webmail providers several years ago. Now, roughly 60 percent of the world’s email boxes are protected by DMARC. PayPal itself uses DMARC. The taskforce and the standards are described at DMARC.org.
Email Exec on Authentication, DMARC
One of authors of the DMARC standards is Tim Draegen. He is vice president of marketing for Message Bus, an email service provider. He is also a longtime email practitioner and Internet developer. I recently corresponded with him on DMARC, and what it means for ecommerce companies.
Carolyn Nye: What’s the point of DMARC?
Tim Draegen: Over the past 20 years, the companies that receive email [webmail providers like Yahoo and Hotmail] have been forced to figure out what’s real and what’s fake, and what recipients actually want and what they don’t want. There hasn’t been a reliable way to determine what is real. So it can be difficult for legitimate people to get their email through and be successful.
The threat is that criminals have a strong incentive to steal the identity of legitimate senders, to defraud the recipients, especially for a few isolated emails, which are very difficult for webmail receivers to detect.
Moreover, there is a thin line between the sloppiest legitimate email and expertly crafted phishing. The most sophisticated fraud gets through. Nearly anyone can write an email and pretend to be someone else. Authenticated email tries to combat the spammers and criminals claiming to be another person by making email easy for webmail providers to identify.
Nye: How does authentication work?
Draegen: Email authentication allows webmail receivers to determine the legitimacy of the sender. There have been two common methods, typically, of doing this.
- SPF (Sender Policy Framework). SPF determines the legitimacy of an email based on where it comes from. This is called “path based,” as the path the email took to get to the receiver is what is checked.
- DKIM (Domain Keys Identified Mail). DKIM determines the legitimacy of an email based on the its content. This is considered “signature based” as a cryptographic signature is inserted into email by the sender [typically, an email service provider such as Constant Contact or MailChimp], which allows webmail receivers to check.
Nye: How is DMARC different, in terms of authenticating?
Draegen: DMARC takes both DKIM and SPF and builds upon them so that companies sending email can rapidly and accurately deploy the technologies. It builds on the detection of a fundamental question: Is this email really from where it says it’s from?
DMARC does this by making domain identifiers a reality. Domain identifiers allow webmail receivers [i.e., Gmail, Yahoo, Hotmail, others] to quickly answer the question: “Does this email really come from the purported sender?” In practice, it means the following.
- Less malicious email being delivered. After implementation, PayPal customer reports of suspicious email dropped in U.S. by more than 70 percent in 2013. Outlook.com customer reports of phishing dropped more than 50 percent in 2013.
- Emails are blocked when it matters. PayPal reported that DMARC stopped over 25 million attacks during holiday buying season. Gmail saw a reduction of 5,000 percent in spoofing of a major corporation during that company’s busiest season. After 45 days of monitoring, Twitter experienced 2.5 billion spoofing emails that were all rejected.
Nye: How does this affect ecommerce merchants?
Draegen: For email marketers and ecommerce merchants using an email service provider [such as Constant Contact, MailChimp, and others], that organization should be managing the deliverability and keeping abreast of new technology, including DMARC. Unfortunately, there is no easy way to determine if an email service provider has adopted DMARC other than to ask.
For merchants that are running email on their own infrastructure, they absolutely need to make sure their emails are meeting authentication standards, as delivery systems by major webmail providers [Gmail, Yahoo, others] are adopting DMARC.
For example, this past February at the MAAWG (Messaging Anti-Abuse Working Group) Conference, the Gmail team laid out the future of email at Google, indicating that if you are going to deliver email to Gmail, it should be authenticated now and will have to be in future, or delivery issues will only increase. With Gmail claiming the highest percentage of consumer email addresses, that will have a major impact on almost every email program.