E-mail Authentication: Don’t Wait

The movement’s been slow and steady, but we’re now seeing the rewards: 50 percent of legitimate e-mail is authenticated, using either SenderID/SPF or DomainKeys Identified Mail (DKIM), according to a new study from the Authentication and Online Trust Authority (AOTA).

Have you taken the simple steps to have your e-mail and brand protected by using authentication? If not, why not? It’s simple to do, and there’s no downside if you follow all the steps correctly.

Authentication affords a win-win-win situation, benefiting all players in any e-mail exchange: senders, receivers, and recipients. Authentication’s delivery benefits have gotten the most attention, but uncertainty has generated a standoff. Many senders have taken a wait-and-see approach until the receivers pick a standard, while the receivers have been waiting until enough senders use authentication to make delivery decisions.

AOTA is trying to end this Catch-22 by urging senders to adopt a standard, preferably both. The call has gone out, and six months is the end game for senders and receivers to use some form of authentication.

Why Authenticate?

When you authenticate your e-mail messages, you help ISPs identify whether the message was sent by a legitimate company or an imposter, which in turn helps them determine whether to deliver the message to the recipient.

Some ISPs use trust icons for authenticated e-mail. Just by virtue of appearing in the inbox, these icons help assure your subscribers and customers they can trust you to be whom you claim to be and buy from you with confidence, whether you’re Wells Fargo, the Disney Co., Amazon, or Dell. These are just a few of the companies that took the leap to authentication.

But you don’t have to be a Fortune 500 company or a household name to see the benefits of protecting your brand with authentication. Not too long ago, I started getting legitimate-looking e-mail solicitations from a small regional start-up bank. Because I wasn’t a customer, I figured they were phony; but if I were one, I might have been taken in. Had the bank used authentication, the phony messages most likely wouldn’t have reached me in the first place.

Authentication helps protect your brand and increase customer trust in your e-mail’s legitimacy. But, don’t just authenticate your e-mail domains. Include your main brand domains as well. Phishing attacks often occur against the main brand site (the one most recognized by consumers). For the receivers to prevent this messaging from reaching recipients, you need to authenticate these domains as well.

The AOTA survey states that authentication has reached the tipping point after a five-month survey of e-mail sent by Fortune 500 companies and Internet retailers. The organization reported that authenticated e-mail was sent by 51 percent of Fortune 500 consumer brands, 52 percent of Fortune 500 financial-services brands, and 54 percent of Internet retailer’s top 300 brands. Are you part of this group?

AOTA: Authenticate by June 30

Based on its study, AOTA is urging all ISPs and brand owners who market via e-mail to adopt authentication within six months after the Jan. 31 report. You don’t need to wait that long.

Maybe you hesitated to implement authentication at your company because it sounded too complex, or because you or your IT people were waiting to see which standard would emerge. Today, neither argument holds up any longer. There’s simply too much information about the reasons and methods on how to authenticate to remain opposed or ignorant.

Sender ID/SPF is relatively simple to use and should take the average system administrator only about 15 minutes to configure. If your IT department is unsure how to implement it, AOTA offers plenty of resources, listed below. While DKIM is a bit more complicated, it can still be accomplished with minimal effort and complements Sender ID/SPF. Both protocols can and should be used.

Of the two standards, Microsoft-backed SenderID has the longer track record and is a must for effective sending into MSN and Hotmail/Windows Live e-mail. DKIM has support from AOL and Yahoo, with Yahoo being one of the originators. AOTA endorses both standards. So, cover your bases and authenticate by using both.

The one downside with authentication is that if you do it incorrectly, you might end up telling the ISPs not to deliver your own e-mail (a problem I’ve addressed previously). While it’s a small risk, it’s still better to authenticate your messages than expose your brand to a phishing attack.
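The misconfiguration risk described above can be checked before a record is published. The following is an added example, not part of the original column: an offline check that lists which of your own sending IPs would not get an SPF pass under a draft record. The records, the IP addresses (documentation ranges), and the function names are constructed for illustration; only the `ip4`, `ip6`, and `all` mechanisms are evaluated, and anything that needs a DNS lookup is reported as `needs-dns`.

```python
import ipaddress

# Qualifier prefixes defined by SPF (RFC 7208); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}  # not resolved here

def spf_result(record, ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record for a sending IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    addr = ipaddress.ip_address(ip)
    saw_redirect = False
    for term in terms[1:]:
        if "=" in term:                    # modifier (redirect=, exp=), not a mechanism
            saw_redirect |= term.lower().startswith("redirect=")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name in DNS_MECHANISMS:
            return "needs-dns"             # cannot decide without a lookup
        else:
            return "permerror"             # unknown mechanism
    return "needs-dns" if saw_redirect else "neutral"

def own_mail_at_risk(record, sending_ips):
    """Return {ip: result} for each sending IP that would not get an SPF pass."""
    results = {ip: spf_result(record, ip) for ip in sending_ips}
    return {ip: r for ip, r in results.items() if r != "pass"}

# Constructed inventory: corporate gateway, CRM server, outsourced mailing service.
SENDING_IPS = ["192.0.2.10", "198.51.100.17", "203.0.113.25"]
# Draft that forgets two of the three senders and ends in a hard fail.
BROKEN = "v=spf1 ip4:192.0.2.0/24 -all"
# Corrected draft that covers every sender in the inventory.
FIXED = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ip4:203.0.113.0/27 -all"

if __name__ == "__main__":
    print("broken:", own_mail_at_risk(BROKEN, SENDING_IPS))
    print("fixed: ", own_mail_at_risk(FIXED, SENDING_IPS))
```

Running the check against a complete inventory of sending systems, including third-party mailers, before switching a record to `-all` is what keeps the record from rejecting your own mail.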

More Resources

AOTA, a relatively new cross-industry alliance dedicated to fighting e-mail and Internet fraud and building trust in online commerce, has assembled an impressive library of resources relating to authentication, including in-depth backgrounders on the major protocols and a detailed review of its survey on authentication adoption. Find it all on one page.

AOTA’s 2008 Summit will be June 4-6 in Seattle this year, with tracks for both IT/security people and marketers or brand managers. Learn more about the conference here.

Until next time, keep on deliverin’!
