There is lots of talk about how e-mail authentication — the tagging of your message to validate that it is being sent from a legitimate server owned by your company — is coming soon. While not yet officially required by the likes of Yahoo, Gmail, and MSN Hotmail, authentication is still often recommended as a best practice. Most marketers don’t authenticate because it’s not mandatory. Yet authentication may actually be more useful for marketers trying to reach the corporate inbox.
“I have never seen a major ISP or receiver block B2C e-mail for not authenticating (yet), but I have seen it happen with B2B receivers,” says Tom Sather, director of deliverability consulting at my company.
“B2B system administrators are swamped, so they need strong tools and tend to lean on the side of overprotection,” Sather says. “It may be heavy-handed and cause a high number of false negatives [when messages that we want go to the junk folder], but it also keeps some spam out.”
Each corporate system administrator has a secret sauce — some combination of filtering software and services that protects users from spam, viruses, and malware. They are rewarded for keeping the bad stuff out and tend to lean on the side of overprotection. Authentication makes it easier for a receiving system to identify good senders. A sender is not good simply because of authentication; spammers can authenticate, too. Rather, the domain name is a reliable identity and makes it clear that messages with your record are truly from your company and not from some bad guy.
“Our research finds that about half (53 percent) of the Fortune 500 have published authentication records for the entire domain,” says Sam Masiello, VP of threat management at MX Logic, now part of McAfee’s security-as-a-service business unit and a provider of enterprise e-mail filtering. “However, it’s not a trivial implementation and the other half may not adopt so quickly,” he says. While most e-mail service providers will authenticate for their clients, they may not represent the full scope of bulk e-mail from that domain, according to Masiello.
Since authentication is domain-based, Masiello explains, the main hurdle is that marketers must cover the entire spectrum, including marketing/promotional, transactional, and even some enterprise e-mail. The record must be consistent across all systems — in-house and outsourced. Things like forwarding can break the record or affect other fraud protection systems, he says.
“The benefits of authentication are still about defeating spoofing and phishing,” he says. “But no B2B marketer or enterprise wants those benefits at the risk of blocking legitimate e-mail.”
Sather notes that while large organizations may not be using authentication standards like DomainKeys Identified Mail (DKIM) or Sender ID directly, checking for authentication is automated in the major appliances (e.g., Exchange 2003/2007 and Hosted Exchange from Microsoft check for SPF/Sender ID) and in open source software like the MTA Postfix (which allows for rejections on failed SPF checks). In addition, most corporate systems use filtering services like Postini (now part of Google) and Cloudmark, which are also starting to check for DKIM authentication.
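The coverage problem Masiello describes and the receiver-side SPF check Sather mentions can be seen together in a small audit. This is an added example, not code from the column or from any vendor it names; the domain names, TXT records, stream names and IP addresses are constructed, and the evaluator is a simplified sketch that handles only the `ip4`/`ip6`, `include` and `all` mechanisms.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation names and ranges).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Simplified SPF evaluation of one sending IP against a domain's record."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # An include matches only if the included record itself yields "pass".
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            matched = False  # mechanisms outside this sketch (a, mx, ...) are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

# Constructed inventory of mail streams that send as example.com.
STREAMS = {
    "marketing (ESP)": "198.51.100.10",
    "transactional (in-house)": "192.0.2.25",
    "enterprise (hosted mailbox provider)": "203.0.113.7",
}

def audit(domain, streams):
    """Map each mail stream to the SPF result a receiver would compute for it."""
    return {name: check_host(ip, domain) for name, ip in streams.items()}

if __name__ == "__main__":
    for name, result in audit("example.com", STREAMS).items():
        print(f"{result:9} {name}")
```

The third stream fails because nobody added the hosted provider to the record, which is the kind of legitimate mail a strict receiver would reject. A forwarding server that relays the message from its own address is evaluated the same way, which is how forwarding breaks an SPF check.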
Smaller organizations may outsource corporate e-mail to Yahoo or Gmail, both of which have hosted business solutions. Both follow the same rules as their Web-based e-mail and check for DKIM.
Sather notes that DKIM may be especially important if you market to small and medium-sized businesses. DKIM authentication will be required to register for feedback loops at Yahoo and others to get data on “complainers” (subscribers who click the “report spam” button) and quickly remove them from your file.
The postmasters at smaller receivers like Outblaze, which hosts more than 20,000 corporate domains, and Shaw Communications in Canada, also have indicated they will begin to check for DKIM in the next year. MX Logic hosts mail for 40,000 small businesses in North America. “Authentication is not a primary blocking factor like complaints, but it is secondary,” Masiello says.
“Authentication is hard to do and not yet required. Still take the time to do it,” he recommends. “Do both Sender ID and DKIM if you can, but if you can’t, then pick the one technology that is less burdensome.”
Sather agrees. “Ignore it and risk that your messages may be filtered to junk or go missing at a higher rate, especially if you either are a small business or have small businesses on your file. It’s just better to authenticate. It has tangible benefits and lets you be even a small part of the anti-spam movement.”
Authenticate across your entire domain, and you will see immediate benefits.
Let me know what you think by sharing any ideas or comments below.
Stephanie is off today. This column was originally published Sept. 16, 2009 on ClickZ.