A Marketer’s Take on E-mail Authentication

The time is ripe for marketers to implement e-mail authentication, but there are a few things to consider before rushing in, according to a new whitepaper from e-mail software provider Strongmail.

To those e-mail senders who have been waiting for the industry to settle on a standard, that wait is over, according to Dave Lewis, VP of alliances and market development at Strongmail. Two standards, the path-based SenderID and the crypto-based Domain Keys Identified Mail (DKIM), have become de facto standards.

“The end game is the restoration of trust and reliability to e-mail so legitimate communication and commerce can flourish. So while e-mail authentication may not be the destination, it is a crucial starting point,” Lewis said.

SenderID verifies that the server sending e-mail for a particular domain is authorized to do so. Senders create a text file on each authorized server, and e-mail receivers check the domain from which the e-mail is received against the SPF (Sender Policy Framework) file stored on the sender’s server.

Lewis suggests that e-mail senders consider implementing SenderID on all outbound e-mail, because it is a low-cost solution, it’s easy to implement, and it does not create additional load on the server.

Domain Keys Identified Mail (DKIM) is a cryptographic solution, meaning it uses an encoded key to verify that the server that sent a mail message is authorized to do so. It is a bit trickier to implement, and adds a processing load to the server. For those reasons, Lewis recommends that senders implement DKIM particularly on transactional messages, where it will help stop phishing and spoofing of a brand’s e-mail.

Marketers can see particular benefits from implementing SenderID or DKIM, but they also need to take particular precautions that impact a sender’s brand image and reputation in the marketplace, Lewis said.

“A largely overlooked topic in authentication is how we as marketers should implement it in a way that supports what we do, to project our brands and maintain good reputation,” Lewis said.

Every company must decide how strictly to implement authentication, he said, but from a marketer’s perspective, authentication plans should be implemented knowing that the level to which a company authenticates its e-mail will reflect on how that company’s brand and reputation are perceived.

To start with, marketers, especially those in large organizations, need to perform a comprehensive audit to determine which business units are sending e-mail on the company’s behalf, and to see what level of authentication is already in place.

He suggests forming a centralized committee that meets regularly to ensure that system and policy changes in all parts of the organization do not affect the company’s e-mail authentication practices or reputation. Authentication also needs to be added to a regular “proofreading” routine, so that it is not affected unknowingly.

Marketers also need to determine whether it’s in the best interests of the company to send transactional and marketing messages from different domain names or servers. Separating them avoids commingling identities and endangering all company e-mail because of problematic practices in one class of e-mail or the other, Lewis said.

Senders can also decide to authenticate all outbound e-mail, or just certain classes of e-mail, like transactional messages or marketing messages. Senders can also notify receivers how confident they are in the authentication, suggesting to receivers that all mail that does not authenticate properly should be deleted, treated suspiciously, or allowed outright.

“Once critical mass is achieved, ISPs can begin taking more assertive action against those who don’t authenticate or do it wrong,” Lewis said.
