Mandatory Email Authentication and What It Means for Marketers

Many years ago I recall surprising co-workers by sending them email claiming to be from Mickey Mouse. This is trivial to do because the Simple Mail Transfer Protocol (SMTP) has no built-in authentication. You can quite literally send email claiming to be anyone you wish. In the early days this wasn’t much of a problem. Sure, you could easily spoof email, but why would you want to? Beyond a little harmless fun there was nothing to be gained.

Today, though, it’s a very different story. As the Internet has grown, so have the opportunities for nefarious behavior and criminal gain. Spammers use spoofing to avoid the repercussions of their behavior and many phishing attempts spoof their sender identity to do the same and to improve the likelihood of tricking a recipient. A message apparently sent from a friend is far more likely to get a response than one from a stranger.

Consequently, network operators have been working on email authentication and authorization systems for as long as spam has existed. Many email marketers think of those systems in terms of blocklists, spam filters, and sender reputation, but they all work through a combination of authentication and authorization. It started simply, with DNS checks and closing open relays, but over time grew to include sender IP reputation and, more recently, true message-level authentication in the form of DomainKeys Identified Mail (DKIM).

Great history lesson, but so what? What’s that got to do with email marketing optimization, and why write about it today?

In 2012, a group of organizations launched DMARC (Domain-based Message Authentication, Reporting, and Conformance) to answer key questions that arise from authentication, in particular what to do when a message fails it. At first blush it might seem obvious that a message that fails authentication should be discarded or bounced, but email is one of the oldest protocols on the Internet. It’s a complex patchwork of historic solutions, kludges, and workarounds that has grown over the decades, and it has a lot of baggage. Roaming users, mail forwarding, unregistered servers, even mailing lists can all cause authentication failures. DMARC makes it possible for organizations to tell each other what to do if and when email purporting to be sent by them fails authentication. Until now that typically meant “report the problem.” People rely on email, really rely on it, and there are major implications when it breaks, so bouncing otherwise valid email due to an authentication failure is a big risk. But things are changing.

In April, Yahoo switched their DMARC record to “p=reject,” meaning “if a message from us fails authentication, don’t accept it.” They did this without notice over a weekend. They’ve been having a major problem with phishers spoofing Yahoo users’ addresses and this will make that much less common. Then last week AOL made the same change for similar reasons. These changes have two important implications for email marketers.

The first is that if you’re sending out your messaging using a From address at a major ISP (especially Yahoo or AOL), you need to stop. You’re spoofing those addresses and your email is increasingly going to get bounced. The same applies if you’re using any system that purports to send on behalf of someone else, such as many forward-to-a-friend and sharing systems. You can no longer send on behalf of Yahoo or AOL users and the new normal is that you won’t be able to send on behalf of anyone else, either.
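To make the mechanics concrete, here is a simplified DMARC evaluator added as an example (it is not code from this article or from any ISP). It models the receiver's decision: the policy is published as a TXT record at `_dmarc.<domain>`, and a message passes only if SPF or DKIM verified *and* the verified domain aligns with the header From domain. The domain names and records below are constructed placeholders, and the organizational-domain logic is deliberately simplified.

```python
# Constructed sample DMARC TXT records, keyed by the domain that would be
# queried as _dmarc.<domain>. These are illustrative, not real records.
DMARC_RECORDS = {
    "example-isp.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-isp.test",
    "example-news.test": "v=DMARC1; p=none; sp=quarantine; rua=mailto:r@example-news.test",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain (a real receiver would consult the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    accepts any identifier under the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_evaluate(from_domain, spf_domain=None, dkim_domain=None):
    """Return (dmarc_result, action) for a message whose header From domain is
    from_domain. spf_domain is the MAIL FROM domain if SPF passed, dkim_domain
    the d= of a DKIM signature that verified; None means that check failed."""
    record, policy_tag = DMARC_RECORDS.get(from_domain), "p"
    if record is None:  # fall back to the organizational domain's record
        record, policy_tag = DMARC_RECORDS.get(org_domain(from_domain)), "sp"
    if record is None:
        return ("none", "deliver")  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    policy = tags.get(policy_tag, tags["p"])  # sp falls back to p when absent
    return ("fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy])

if __name__ == "__main__":
    # A marketer using an ISP From address through a third-party ESP: SPF and
    # DKIM both pass for the ESP's domain, but neither aligns, so p=reject applies.
    print(dmarc_evaluate("example-isp.test", "esp-example.test", "esp-example.test"))
```

The first case in `__main__` is the situation the paragraph above warns about: the ESP's own SPF and DKIM are valid, yet the message still fails DMARC because the authenticated domain is not the From domain.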

The second is that email is moving to a mandatory authentication model where every email that fails authentication will be bounced or at least bulked. Last year 91.4 percent of non-spam email sent to Gmail was authenticated. Just one year after DMARC’s release, more than 60 percent of the world’s mailboxes were protected by it. Those numbers are what make it practical for ISPs like Yahoo and AOL to make this change. The remaining 8.6 percent of email is just going to have to get with the program or face the consequences.

To quote the Microsoft representative at the M3AAWG 30 meeting in February, “If you don’t have your authentication in order, get it done.”

Until next time.
