email-authentication

Mandatory Email Authentication and What It Means for Marketers

  |  May 7, 2014   |  Comments

New rigid standards for email authentication mean that marketers need to adjust their tactics in order to reach potential customers' inboxes.

Many years ago I recall surprising co-workers by sending them email claiming to be from Mickey Mouse. This is trivial to do because Simple Mail Transport Protocol (SMTP) has no built-in authentication. You can quite literally send email claiming to be anyone you wish. In the early days this wasn't much of a problem. Sure, you could easily spoof email, but why would you want to? Beyond a little harmless fun there was nothing to be gained.

Today, though, it's a very different story. As the Internet has grown, so have the opportunities for nefarious behavior and criminal gain. Spammers use spoofing to avoid the repercussions of their behavior and many phishing attempts spoof their sender identity to do the same and to improve the likelihood of tricking a recipient. A message apparently sent from a friend is far more likely to get a response than one from a stranger.

Consequently, network operators have been working on email authentication and authorization systems for as long as spam has existed. Many email marketers think of those systems in terms of blocklists, spam filters, and sender reputation, but they all work through a combination of authentication and authorization. It started simple, with checking DNS and closing open relays, but over time grew to include sender IP reputation and more recently added true message-level authentication in the form of DomainKeys Identified Mail (DKIM).

Great history lesson, but so what? What's that got to do with email marketing optimization, and why write about it today?

In 2012, a group of organizations launched DMARC (Domain-Based Message Authentication, Reporting, and Conformance) to solve key questions that arise from authentication. In particular what to do when a message fails authentication. At first blush it might seem obvious that a message that fails authentication should be discarded or bounced but email is one of the oldest protocols on the Internet. It's a complex patchwork of historic solutions, kludges, and workarounds that's grown over the decades and it has a lot of baggage. Roaming users, mail forwarding, unregistered servers, even mailing lists can all cause authentication failures. DMARC makes it possible for organizations to tell each other what to do if and when email purporting to be sent by them fails authentication. Until now that typically meant "report the problem." People rely on email, really rely on it, and there are major implications when it breaks, so bouncing otherwise valid email due to an authentication failure is a big risk. But things are changing.

In April, Yahoo switched their DMARC record to "p=reject," meaning "if a message from us fails authentication, don't accept it." They did this without notice over a weekend. They've been having a major problem with phishers spoofing Yahoo users' addresses and this will make that much less common. Then last week AOL made the same change for similar reasons. These changes have two important implications for email marketers.

The first is that if you're sending out your messaging using a From address at a major ISP (especially Yahoo or AOL), you need to stop. You're spoofing those addresses and your email is increasingly going to get bounced. The same applies if you're using any system that purports to send on behalf of someone else, such as many forward-to-a-friend and sharing systems. You can no longer send on behalf of Yahoo or AOL users and the new normal is that you won't be able to send on behalf of anyone else, either.

The second is that email is moving to a mandatory authentication model where every email that fails authentication will be bounced or at least bulked. Last year 91.4 percent of non-spam email sent to Gmail was authenticated. Just one year after DMARC's release, more than 60 percent of the world's mailboxes were protected by it. Those numbers are what make it practical for ISPs like Yahoo and AOL to make this change. The remaining 8.6 percent of email is just going to have to get with the program or face the consequences.

To quote the Microsoft representative at the M3AAWG 30 meeting in February, "If you don't have your authentication in order, get it done."

Until next time.

Image via Shutterstock.

ClickZ Live Chicago Learn Digital Marketing Insights From Leading Brands!
ClickZ Live Chicago (Nov 3-6) will deliver over 50 sessions across 4 days and 10 individual tracks, including Data-Driven Marketing, Social, Mobile, Display, Search and Email. Check out the full agenda, or register and attend one of the best ClickZ events yet!

ABOUT THE AUTHOR

Derek Harding

Derek Harding is the CEO and founder of Innovyx Inc., a member of the Omnicom Group and the first e-mail service provider to be wholly owned by a full-service marketing agency. A British expatriate living in Seattle, WA, Derek is a technologist by background who has been working in online marketing on both sides of the Atlantic for the last 10 years.

COMMENTSCommenting policy

comments powered by Disqus

Get ClickZ Email newsletters delivered right to your inbox. Subscribe today!

COMMENTS

UPCOMING EVENTS

UPCOMING TRAINING

Featured White Papers

Google My Business Listings Demystified

Google My Business Listings Demystified
To help brands control how they appear online, Google has developed a new offering: Google My Business Locations. This whitepaper helps marketers understand how to use this powerful new tool.

5 Ways to Personalize Beyond the Subject Line

5 Ways to Personalize Beyond the Subject Line
82 percent of shoppers say they would buy more items from a brand if the emails they sent were more personalized. This white paper offer five tactics that will personalize your email beyond the subject line and drive real business growth.

WEBINARS

Resources

Jobs