Marketers Still Unclear on Authentication

The first question members of my deliverability discussion panel at ClickZ Specifics: E-Mail asked the marketers in our audience was: “How many of you use at least one form of authentication?”

Only two people raised their hands.

The big question back from the audience: “What’s authentication?”

Amazing! All studies I’ve read state over 85 percent of commercial e-mail senders report using some form of authentication, which allows an ISP to verify the sender. That means either most people in our audience represented the other 25 percent or they don’t know what’s going on in their IT departments or with their e-mail service providers (ESPs), where the actual authentication work gets done.

E-mail senders and the ISPs they work with agree authentication is one of the most important steps in the process to reduce unwanted e-mail, including spam and phishing. Unauthenticated e-mail is more likely to get blocked at the server or shunted to the junk folder.

Does your company invest in e-mail marketing or rely on it for customer communication? Then you’re responsible for providing a healthy return on that investment. You need to know whether your firm has done what’s necessary to add this step to the sending process. If your return is low due to poor delivery, you’re the one who will be blamed, not the tech guys.

Don’t be intimidated by the arcane language IT people and ESPs use. Here’s a cheat sheet to help you ask the right questions and understand the answers.

What’s Authentication?

Authentication helps you, as an e-mail sender, prove you are who you claim to be and that you have the right to send e-mail from your IP address. It’s designed to block fraudulent e-mail that forges its identity or hijacks someone else’s server or IP address to send e-mail.

Do We Use It?

If the answer is yes, find out which methods are used. You’ll probably hear about three major protocols:

  • Sender ID Framework. Hotmail inserts a warning into any unauthenticated e-mail, telling the reader the sender’s ID can’t be verified. The sender inserts a line of code into a DNS text record, which the receiving server looks for. If it finds the code, it passes the e-mail to the next blockade.
  • Sender Policy Framework (SPF). SPF is a solution similar to Microsoft’s Sender ID, storing authentication information in DNS text records. Developed as an open-source project by Pobox, SPF has been adopted by several mainstream companies, including AOL and Google. SPF is also incorporated in the recent version of the popular content filter, SpamAssassin.
  • DomainKeys Identified Mail. Developed largely by Yahoo, this process inserts a tiny icon (a key in an envelope) into message headers to indicate the sender can be verified. The sender inserts half a line of code, called the key, in the message header. The receiving server queries the sender’s DNS zone for the other half of the code. If they match, the e-mail’s authenticated.
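
To make the DNS text record check concrete, here is an added example (not from the original column) of how a receiving server evaluates an SPF record against the IP address that connected to it. The domains, addresses and records are constructed, the ZONE dictionary stands in for real DNS queries, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (documentation addresses).
ZONE = {
    "news.example.com": ["v=spf1 ip4:192.0.2.0/24 include:esp.example.net -all"],
    "esp.example.net": ["v=spf1 ip4:198.51.100.16/28 ip6:2001:db8::/32 ~all"],
    "broken.example.org": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for a connecting IP and envelope-sender domain."""
    records = [t for t in zone.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"        # domain publishes no SPF policy
    if len(records) > 1 or depth > 10:
        return "permerror"   # duplicate SPF records (a common setup error) or runaway includes
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"      # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_spf(ip, value, zone, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"   # only a pass from the included policy counts
        elif "=" in name:
            continue         # modifiers such as redirect= are not handled in this sketch
        else:
            raise NotImplementedError(f"{name!r} needs DNS lookups not modelled here")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"         # nothing matched and the record has no "all" term
```

A "fail" or "softfail" result is what leads a receiver to block the message or route it to the junk folder, and the "permerror" case shows how a record set up with errors loses the benefit entirely.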

If Not, Why Not?

I can’t think of a single reason your company or ESP wouldn’t want to do the simple work needed to protect and improve your e-mail deliverability.

Seven key reasons to lobby for it:

  • Major ISPs, including AOL, Yahoo, and Hotmail, check for authenticated senders. They filter, block, or deliver each e-mail message depending on its presence or absence.
  • ISPs are beginning to require authentication to qualify for whitelisting or to join feedback loop programs, which help manage and reduce spam complaints.
  • You can use more than one form of authentication without causing coding or other back-end problems.
  • It costs little or nothing to set up an authentication process, besides about 15 minutes of a system admin’s time.
  • Adding authentication won’t harm e-mail delivery in any way (assuming you set it up without errors), even if the ISP you send to doesn’t recognize the type of process you use.
  • Authentication is an essential step for building a good sender reputation.
  • Authentication provides a competitive advantage. If your major competitors use some form of authentication and you don’t, their e-mail may get delivered while yours won’t.

The Step After Authentication

Useful as it is, authentication is just the first of a two-step process. It doesn’t judge the sender’s or e-mail’s quality. It just affirms the sender is who it claims to be. A spammer can get his e-mail authenticated, just like the Grade-A e-commerce provider.

Authentication delivers its greatest effect when coupled with reputation, the way a sender’s worthiness is judged based on how it manages its e-mail program, from permission practices to message compliance with technical standards to bounce and spam-complaint management.

This process is more involved than simply authenticating e-mail. My next column will review reputation services and the key factors that enhance or destroy your reputation.

Until then, get authenticated and keep on deliverin’!
