Rooting out fraudulent e-mail by way of authentication
Despite marketers' best intentions to weed out e-mail spam, they are sometimes the victims of phishing or spoofing campaigns in which a spammer uses their information to send fake e-mails to consumers, sullying their name and customer goodwill. The task of rooting out such spam often falls to the service providers, such as Google and Yahoo, but these services are far from foolproof.
On Monday, Return Path rolled out a service designed to give marketers more control over this process. “Domain Assurance” is an e-mail authentication service designed to prevent phishing or spoofing e-mail from reaching the inbox. The service conducts a companywide e-mail domain audit to ensure each sender within the company – whether mailing transactional, marketing or corporate e-mail – is authenticated. These “authenticated” domain names then go into a registry that the Internet service providers (ISPs) and other e-mail inbox providers can access to determine whether the e-mail headed to your inbox is coming from the company it says it is. If anything looks amiss, i.e., the domain name is incorrect, the service provider can block the e-mail from the intended victim's inbox.
The service, which Return Path debuted in beta last June, also provides clients with alerts about fraudulent e-mails and other e-mail intelligence on phishing and other scams related to their domain.
“We're using it to instill trust in our card holders, and if people trust our messages they're more likely to take an action,” said Nathan Fehler, e-mail marketing manager at prepaid debit card issuer NetSpend, a Domain Assurance user. “It alerts you to internal setup challenges or issues, as well as external threats.”
Financial services companies can be particularly prone to such e-mail phishing scams, noted Sam Masiello, Return Path's general manager and chief security officer, who joined the company this month from McAfee. However, interest in Domain Assurance has come from a swath of industries, he said, including daily deal sites, large gaming companies and large hotel companies.
“Phishing and spoofing is a huge problem,” he said. “It can cause huge damage to a brand's reputation.”
Return Path also said Google is working with the program, in addition to Yahoo, Tucows and Cloudmark.
Fehler pointed out that the task of blocking fraudulent e-mail typically sits with the ISP, but NetSpend has additional protections in place through Domain Assurance.
“The ISPs are supposed to be doing this on their own,” he said. “They should be doing this, but a lot of it is falling through.”
Anne Mitchell, CEO and president of the Institute for Social Internet Public Policy (ISIPP), which offers e-mail accreditation services through its SuretyMail, suggested NetSpend might be in the minority when it comes to taking its e-mail marketing to this level of assurance.
“The people who care about the actual authentication of sending systems, it's not the marketers that care about that, it's the receivers,” she said. “That's because they're the ones being deluged with this incoming e-mail and they need a way to quickly differentiate, to triage, ‘Which ones should we pay attention to?’”
SuretyMail authenticates its customers' e-mail in a three-step process whereby the provider can look for the domain name and its corresponding IP address, as well as an IP address embedded in the e-mail's sending header. It works with “all the major ISPs,” according to Mitchell.
“So someone can spoof one of those things but not all three of those,” she added. “It's a system of checks and balances.”