New rigid standards for email authentication mean that marketers need to adjust their tactics in order to reach potential customers' inboxes.
Many years ago I recall surprising co-workers by sending them email claiming to be from Mickey Mouse. This is trivial to do because Simple Mail Transfer Protocol (SMTP) has no built-in authentication. You can quite literally send email claiming to be anyone you wish. In the early days this wasn't much of a problem. Sure, you could easily spoof email, but why would you want to? Beyond a little harmless fun there was nothing to be gained.
Today, though, it's a very different story. As the Internet has grown, so have the opportunities for nefarious behavior and criminal gain. Spammers use spoofing to avoid the repercussions of their behavior and many phishing attempts spoof their sender identity to do the same and to improve the likelihood of tricking a recipient. A message apparently sent from a friend is far more likely to get a response than one from a stranger.
Consequently, network operators have been working on email authentication and authorization systems for as long as spam has existed. Many email marketers think of those systems in terms of blocklists, spam filters, and sender reputation, but they all work through a combination of authentication and authorization. It started simple, with checking DNS and closing open relays, but over time grew to include sender IP reputation and more recently added true message-level authentication in the form of DomainKeys Identified Mail (DKIM).
Great history lesson, but so what? What's that got to do with email marketing optimization, and why write about it today?
In 2012, a group of organizations launched DMARC (Domain-Based Message Authentication, Reporting, and Conformance) to solve key questions that arise from authentication, in particular what to do when a message fails authentication. At first blush it might seem obvious that a message that fails authentication should be discarded or bounced, but email is one of the oldest protocols on the Internet. It's a complex patchwork of historic solutions, kludges, and workarounds that's grown over the decades, and it has a lot of baggage. Roaming users, mail forwarding, unregistered servers, even mailing lists can all cause authentication failures. DMARC makes it possible for organizations to tell each other what to do if and when email purporting to be sent by them fails authentication. Until now that typically meant "report the problem." People rely on email, really rely on it, and there are major implications when it breaks, so bouncing otherwise valid email due to an authentication failure is a big risk. But things are changing.
In April, Yahoo switched their DMARC record to "p=reject," meaning "if a message from us fails authentication, don't accept it." They did this without notice over a weekend. They've been having a major problem with phishers spoofing Yahoo users' addresses and this will make that much less common. Then last week AOL made the same change for similar reasons. These changes have two important implications for email marketers.
The first is that if you're sending out your messaging using a From address at a major ISP (especially Yahoo or AOL), you need to stop. You're spoofing those addresses and your email is increasingly going to get bounced. The same applies if you're using any system that purports to send on behalf of someone else, such as many forward-to-a-friend and sharing systems. You can no longer send on behalf of Yahoo or AOL users and the new normal is that you won't be able to send on behalf of anyone else, either.
The second is that email is moving to a mandatory authentication model where every email that fails authentication will be bounced or at least bulked. Last year 91.4 percent of non-spam email sent to Gmail was authenticated. Just one year after DMARC's release, more than 60 percent of the world's mailboxes were protected by it. Those numbers are what make it practical for ISPs like Yahoo and AOL to make this change. The remaining 8.6 percent of email is just going to have to get with the program or face the consequences.
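The two implications above, worked through as an added example (not code from the original article): a simplified receiver-side DMARC check showing why mail that authenticates for the sending platform's domain, but carries a From address at a "p=reject" domain, is still rejected. The domains and the record string are constructed samples; the last-two-labels organizational domain is a stated simplification, and the "pct" and "sp" tags are ignored.

```python
# Added example: simplified DMARC evaluation (alignment + policy).

def parse_dmarc(record):
    """Parse a record such as 'v=DMARC1; p=reject' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for names under e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: 's' = exact match, otherwise relaxed."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the policy the From domain's owner published."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

# Constructed sample data: a mailbox provider publishing p=reject, a
# marketing platform, and a brand sending from its own domain.
PROVIDER, PLATFORM, BRAND = "mailbox-provider.example", "esp-sender.example", "brand.example"
REJECT, MONITOR = "v=DMARC1; p=reject", "v=DMARC1; p=none"

def demo():
    return {
        # Provider's own servers: SPF and DKIM both align with the From domain.
        "provider": dmarc_disposition(REJECT, PROVIDER, True, "bounce." + PROVIDER, True, PROVIDER),
        # Forward-to-a-friend: authenticates, but only as the platform's domain.
        "share_tool": dmarc_disposition(REJECT, PROVIDER, True, PLATFORM, True, PLATFORM),
        # No authentication at all.
        "unauthenticated": dmarc_disposition(REJECT, PROVIDER, False, None, False, None),
        # Brand's own From domain, DKIM-signed with d=brand.example.
        "own_domain": dmarc_disposition(MONITOR, BRAND, True, PLATFORM, True, BRAND),
    }
```

The "share_tool" case is the one that catches senders out: SPF and DKIM both pass, yet neither authenticated domain matches the From domain, so the published policy applies.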
To quote the Microsoft representative at the M3AAWG 30 meeting in February, "If you don't have your authentication in order, get it done."
Until next time.
Derek Harding is the CEO and founder of Innovyx Inc., a member of the Omnicom Group and the first e-mail service provider to be wholly owned by a full-service marketing agency. A British expatriate living in Seattle, WA, Derek is a technologist by background who has been working in online marketing on both sides of the Atlantic for the last 10 years.
August 21, 2014