Mandatory Email Authentication and What It Means for Marketers

New rigid standards for email authentication mean that marketers need to adjust their tactics in order to reach potential customers' inboxes.

Many years ago I recall surprising co-workers by sending them email claiming to be from Mickey Mouse. This is trivial to do because Simple Mail Transfer Protocol (SMTP) has no built-in authentication. You can quite literally send email claiming to be anyone you wish. In the early days this wasn’t much of a problem. Sure, you could easily spoof email, but why would you want to? Beyond a little harmless fun there was nothing to be gained.

Today, though, it’s a very different story. As the Internet has grown, so have the opportunities for nefarious behavior and criminal gain. Spammers use spoofing to avoid the repercussions of their behavior and many phishing attempts spoof their sender identity to do the same and to improve the likelihood of tricking a recipient. A message apparently sent from a friend is far more likely to get a response than one from a stranger.

Consequently, network operators have been working on email authentication and authorization systems for as long as spam has existed. Many email marketers think of those systems in terms of blocklists, spam filters, and sender reputation, but they all work through a combination of authentication and authorization. It started simple, with checking DNS and closing open relays, but over time grew to include sender IP reputation and more recently added true message-level authentication in the form of DomainKeys Identified Mail (DKIM).

Great history lesson, but so what? What’s that got to do with email marketing optimization, and why write about it today?

In 2012, a group of organizations launched DMARC (Domain-Based Message Authentication, Reporting, and Conformance) to solve key questions that arise from authentication, in particular what to do when a message fails authentication. At first blush it might seem obvious that a message that fails authentication should be discarded or bounced, but email is one of the oldest protocols on the Internet. It’s a complex patchwork of historic solutions, kludges, and workarounds that’s grown over the decades, and it has a lot of baggage. Roaming users, mail forwarding, unregistered servers, even mailing lists can all cause authentication failures. DMARC makes it possible for organizations to tell each other what to do if and when email purporting to be sent by them fails authentication. Until now that typically meant “report the problem.” People rely on email, really rely on it, and there are major implications when it breaks, so bouncing otherwise valid email due to an authentication failure is a big risk. But things are changing.

In April, Yahoo switched their DMARC record to “p=reject,” meaning “if a message from us fails authentication, don’t accept it.” They did this without notice over a weekend. They’ve been having a major problem with phishers spoofing Yahoo users’ addresses and this will make that much less common. Then last week AOL made the same change for similar reasons. These changes have two important implications for email marketers.

The first is that if you’re sending out your messaging using a From address at a major ISP (especially Yahoo or AOL), you need to stop. You’re spoofing those addresses and your email is increasingly going to get bounced. The same applies if you’re using any system that purports to send on behalf of someone else, such as many forward-to-a-friend and sharing systems. You can no longer send on behalf of Yahoo or AOL users and the new normal is that you won’t be able to send on behalf of anyone else, either.
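To make the first implication concrete, here is an added example (not from the original article) of the decision a receiving mail server makes under DMARC: the From domain's published policy applies unless SPF or DKIM passed for a domain that aligns with it. The domains and records are constructed samples, the two-label organizational-domain rule is a simplifying assumption, and the `pct` and `sp` tags are ignored.

```python
# Added illustration: simplified DMARC evaluation as a receiver might apply it.
# Records and domains below are constructed samples, not live DNS data.

def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None  # not a usable DMARC record
    return tags

def org_domain(domain):
    """Assumption: the organizational domain is the last two labels.
    Real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) compares org domains."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_disposition(from_domain, record, spf_pass_domain=None, dkim_pass_domains=()):
    """Return 'pass', 'no-policy', or the policy the From domain asks receivers to apply."""
    # spf_pass_domain: envelope (bounce) domain that passed SPF, or None.
    # dkim_pass_domains: d= domains of the DKIM signatures that verified.
    policy = parse_dmarc(record)
    if policy is None:
        return "no-policy"
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else policy["p"]

# Constructed scenarios: a hypothetical ESP (esp.example) sending for a marketer.
WEBMAIL = "v=DMARC1; p=reject; rua=mailto:reports@mailbox.example"
BRAND = "v=DMARC1; p=none; adkim=s"

def scenarios():
    return {
        # From a mailbox-provider address, authenticated only as the ESP: rejected.
        "webmail_from": dmarc_disposition("mailbox.example", WEBMAIL,
                                          "bounce.esp.example", ["esp.example"]),
        # From the brand's own domain, DKIM-signed as that domain: passes.
        "brand_from": dmarc_disposition("brand.example", BRAND,
                                        "bounce.esp.example", ["brand.example"]),
    }
```

The ESP's own SPF and DKIM results are valid in both scenarios; only the choice of From domain, and whether a passing identifier aligns with it, changes the outcome.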

The second is that email is moving to a mandatory authentication model where every email that fails authentication will be bounced or at least bulked. Last year 91.4 percent of non-spam email sent to Gmail was authenticated. Just one year after DMARC’s release, more than 60 percent of the world’s mailboxes were protected by it. Those numbers are what make it practical for ISPs like Yahoo and AOL to make this change. The remaining 8.6 percent of email is just going to have to get with the program or face the consequences.

To quote the Microsoft representative at the M3AAWG 30 meeting in February, “If you don’t have your authentication in order, get it done.”

Until next time.
