New rigid standards for email authentication mean that marketers need to adjust their tactics in order to reach potential customers' inboxes.
Many years ago I recall surprising co-workers by sending them email claiming to be from Mickey Mouse. This is trivial to do because Simple Mail Transfer Protocol (SMTP) has no built-in authentication. You can quite literally send email claiming to be anyone you wish. In the early days this wasn't much of a problem. Sure, you could easily spoof email, but why would you want to? Beyond a little harmless fun there was nothing to be gained.
Today, though, it's a very different story. As the Internet has grown, so have the opportunities for nefarious behavior and criminal gain. Spammers use spoofing to avoid the repercussions of their behavior, and many phishing attempts spoof their sender identity to do the same and to improve the likelihood of tricking a recipient. A message apparently sent from a friend is far more likely to get a response than one from a stranger.
Consequently, network operators have been working on email authentication and authorization systems for as long as spam has existed. Many email marketers think of those systems in terms of blocklists, spam filters, and sender reputation, but they all work through a combination of authentication and authorization. It started simple, with checking DNS and closing open relays, but over time grew to include sender IP reputation and more recently added true message-level authentication in the form of DomainKeys Identified Mail (DKIM).
Great history lesson, but so what? What's that got to do with email marketing optimization, and why write about it today?
In 2012, a group of organizations launched DMARC (Domain-Based Message Authentication, Reporting, and Conformance) to solve key questions that arise from authentication, in particular what to do when a message fails authentication. At first blush it might seem obvious that a message that fails authentication should be discarded or bounced, but email is one of the oldest protocols on the Internet. It's a complex patchwork of historic solutions, kludges, and workarounds that's grown over the decades, and it has a lot of baggage. Roaming users, mail forwarding, unregistered servers, even mailing lists can all cause authentication failures. DMARC makes it possible for organizations to tell each other what to do if and when email purporting to be sent by them fails authentication. Until now that typically meant "report the problem." People rely on email, really rely on it, and there are major implications when it breaks, so bouncing otherwise valid email due to an authentication failure is a big risk. But things are changing.
In April, Yahoo switched their DMARC record to "p=reject," meaning "if a message from us fails authentication, don't accept it." They did this without notice over a weekend. They've been having a major problem with phishers spoofing Yahoo users' addresses and this will make that much less common. Then last week AOL made the same change for similar reasons. These changes have two important implications for email marketers.
The first is that if you're sending out your messaging using a From address at a major ISP (especially Yahoo or AOL), you need to stop. You're spoofing those addresses and your email is increasingly going to get bounced. The same applies if you're using any system that purports to send on behalf of someone else, such as many forward-to-a-friend and sharing systems. You can no longer send on behalf of Yahoo or AOL users and the new normal is that you won't be able to send on behalf of anyone else, either.
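To make the first implication concrete, here is an added example (not from the original article) of how a receiving server applies a published DMARC policy: the message passes only if SPF or DKIM passes for a domain aligned with the From domain. The domains `isp.example`, `esp.example` and `brand.example` and the records are constructed, and the organizational-domain rule is a simplification.

```python
# Added example: simplified DMARC evaluation with relaxed/strict alignment.
# All domains and records are constructed placeholders, not real DNS data.
# The pct, sp and reporting tags are parsed but not acted on here.

ISP_RECORD = "v=DMARC1; p=reject; rua=mailto:reports@isp.example"  # constructed

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Simplifying assumption: organizational domain = last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' requires an exact match; 'r' (default) matches on org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (result, authenticated_domain) tuples.

    Returns 'pass', 'no-policy', or the published policy
    ('none', 'quarantine', 'reject') when the message fails DMARC.
    """
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy["p"].lower()

if __name__ == "__main__":
    # Marketer sends through esp.example with a From address at isp.example:
    # SPF and DKIM both pass, but for the wrong domain, so the policy applies.
    print(dmarc_disposition(ISP_RECORD, "isp.example",
                            ("pass", "esp.example"), ("pass", "esp.example")))
    # Forwarded ISP mail: SPF breaks, the aligned DKIM signature survives.
    print(dmarc_disposition(ISP_RECORD, "isp.example",
                            ("fail", "forwarder.example"), ("pass", "isp.example")))
```

The first case is the forward-to-a-friend scenario: authentication succeeds for the sending platform yet the message is rejected because nothing aligns with the From domain.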
The second is that email is moving to a mandatory authentication model where every email that fails authentication will be bounced or at least bulked. Last year 91.4 percent of non-spam email sent to Gmail was authenticated. Just one year after DMARC's release, more than 60 percent of the world's mailboxes were protected by it. Those numbers are what make it practical for ISPs like Yahoo and AOL to make this change. The remaining 8.6 percent of email is just going to have to get with the program or face the consequences.
To quote the Microsoft representative at the M3AAWG 30 meeting in February, "If you don't have your authentication in order, get it done."
Until next time.
Derek Harding is the CEO and founder of Innovyx Inc., a member of the Omnicom Group and the first e-mail service provider to be wholly owned by a full-service marketing agency. A British expatriate living in Seattle, WA, Derek is a technologist by background who has been working in online marketing on both sides of the Atlantic for the last 10 years.