Expert Advice: E-Mail Authentication: Mistakes and Misconceptions
E-mail is a medium under siege. Trustworthiness has eroded as consumers find their inboxes jammed with spam, identity theft scams and e-mail posing as brands they know.
According to Pew Research, more than 50 percent of consumers trust e-mail less and nearly 25 percent use it less. E-mail's reliability has taken a big hit, too, as 20 percent to 30 percent of legitimate, opt-in e-mail gets caught in the filters intended to prevent abuse. These are not healthy indicators for a medium that we increasingly depend on for communication and commerce.
Authenticating the identity of e-mail senders is crucial to establishing the accountability in e-mail that will end the abusive practices - spam, spoofing, phishing - that pollute our medium and tarnish the image of us all. It's also a big step toward restoring the trust and reliability of e-mail. As such, authentication has been endorsed by the Federal Trade Commission as an important industry initiative, advocated by trade associations and backed by the major brands that send e-mail as well as the Internet service providers that receive it.
The good news is that the emphasis on authentication is paying off. The latest estimate is that 40 percent of e-mail is being authenticated. The bad news: 60 percent is not. Though Fortune 500 companies and e-mail service providers largely have embraced it, many small to midsize companies have not. Some still have not even heard of e-mail authentication.
If your company is a straggler, the time to adopt authentication is now. The debate over different protocols is over. The industry has settled on Sender ID and DomainKeys Identified Mail and is moving rapidly toward enforcement. Trade associations such as the DMA and ESPC have made authentication mandatory for members. ISPs and other domains are checking for it and beginning to penalize e-mail senders who don't authenticate or do it wrong. Some ISPs, such as MSN/Hotmail, even warn recipients about e-mails that can't be authenticated.
No longer is authentication an arcane technicality that marketers and business managers can ignore. Mistakes and misconceptions are costly. If not done or done incorrectly, authentication can have a direct, bottom-line impact:
· Poor placement that depresses clicks and conversions.
· Warning messages that degrade brand perception.
· Outright rejection of business-critical communications.
To help you avoid costly mistakes, here are tips for establishing and maintaining an authentication program. They come from having examined the authentication practices and technical infrastructures of dozens of companies, large and small.
Understand what authentication is ... and isn't. A common belief is that authentication is the opposite of blacklisting. It's not, nor is it a "fix-all" that will magically eliminate spam. Authentication is a way to identify the sender of an e-mail. It makes no qualitative judgment about the message itself or the practices of the sender.
But what authentication does is critical: It prevents spammers from hiding their identity or assuming yours in their illicit attempts to deliver unwanted e-mail. And once the identity of senders is known, authentication lets ISPs make more informed decisions about whether to accept e-mail based on the reputation associated with that identity.
So don't assume that authentication is your ticket into the inbox. Authentication is a starting point, not a destination. Even if it passes their authentication checks, ISPs still may reject your e-mail if your reputation reflects poor practices.
Don't under-authenticate. Inventory your systems to learn who sends e-mail. Large companies with multiple business units often aren't aware of all entities that send e-mail, or they have units that run their own e-mail and domain space under the corporate umbrella. As a result, there's a high risk that the Internet protocol (IP) address for some e-mail servers may not appear in your company's authentication records, leaving their e-mails vulnerable to rejection by ISPs, subjecting them to more stringent filtering and hurting the company's overall reputation.
An inventory of all units that send e-mail lets you oversee the consistent, complete and correct implementation of your authentication program and ensure that your entire company realizes its benefits.
To manage an ongoing program, larger companies should form a central committee that meets routinely to review system and network changes. By doing so, you can stay on top of which systems have been eliminated and need to be removed from authentication records, and which have been put into operation and need to be added. It also can be a forum for ensuring compliance with other new regulations, industry standards and company-wide policies affecting e-mail.
Ensure your hosting facility can support authentication records. If you use an outside hosting facility, verify that your ISP or domain name server (DNS) provider can support the TXT-based records used for publishing authentication information. If they can't, you risk having customers not receive your e-mail. Either get them to support TXT-based records or start looking for a new ISP or DNS provider.
Build time for testing and rollout into your plan. One of the biggest mistakes companies make in publishing their authentication records is failing to conduct end-to-end testing to verify that they are working. Because DNS entries aren't instantaneous due to ISP caching, another major mistake is not allowing sufficient time for new or corrected records to propagate across the Internet before launching a mailing. In either case, authentication failures are the likely consequence.
Check authentication records when making network or e-mail program changes. IT administrators and marketers have made proofreading of systems and content changes part of their routines. E-mail authentication should be added to that task list. If you forget to check those records regularly - especially during network and program modifications - mistakes will slip through, jeopardizing your e-mail communications to customers.
Avoid typos (syntax) and formatting errors. Common mistakes include inserting unnecessary spaces, quote marks and carriage returns in the record. People tend to put quote marks around every bit of data rather than around the complete record. They end up with "v=spf1" "foo" "bar" "baz" rather than the correct "v=spf1 foo bar baz". Incorrect formatting also is common. Though it's not unusual for a company to use multiple formats, authentication records should be formatted only as TXT.
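The quoting mistake matters because a receiver joins the quoted strings of a TXT record with nothing between them, so separately quoted terms collapse into one unreadable token. The following check is an added example, not part of the original article; the function names and sample records are constructed for illustration.

```python
import re

# One quoted character-string, as TXT data is written in a zone file.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def assemble_txt(rdata: str) -> str:
    """Join the character-strings of one TXT record the way an SPF
    verifier does: in order, with nothing inserted between them."""
    parts = _QUOTED.findall(rdata)
    leftover = _QUOTED.sub("", rdata).strip()
    if leftover and (parts or '"' in leftover):
        raise ValueError("unbalanced quote marks or text outside them")
    return "".join(parts) if parts else rdata

def lint_spf_txt(rdata: str) -> list[str]:
    """Return the formatting problems found in one SPF TXT record."""
    problems = []
    if "\r" in rdata or "\n" in rdata:
        problems.append("carriage return or line feed in the record")
    try:
        record = assemble_txt(rdata)
    except ValueError as exc:
        return problems + [str(exc)]
    parts = _QUOTED.findall(rdata)
    # Strings that meet without a space on either side fuse two terms.
    if any(not a.endswith(" ") and not b.startswith(" ")
           for a, b in zip(parts, parts[1:])):
        problems.append(f"separately quoted strings run together: {record!r}")
    if record != record.strip() or "  " in record:
        problems.append("unnecessary spaces")
    if [t.lower() for t in record.split()[:1]] != ["v=spf1"]:
        problems.append("record does not begin with the v=spf1 version term")
    return problems

if __name__ == "__main__":
    # Constructed sample records; foo/bar/baz are placeholders, not real terms.
    for sample in ('"v=spf1 foo bar baz"',
                   '"v=spf1" "foo" "bar" "baz"',
                   '"v=spf1  foo bar baz "'):
        print(sample, "->", lint_spf_txt(sample) or "ok")
```

A long record split across several quoted strings passes as long as a space sits at each join.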
Don't over-authenticate. Publish records only for servers that send e-mail. Some IT administrators think that by publishing records for all of their company's IP addresses they can cover any contingency for units that may send e-mail. But this practice negates the benefits of authentication and can even increase their vulnerability to spammers and damage their company's reputation because it allows non-authorized systems, such as virus-infected desktop PCs or Web servers, to send e-mail on behalf of their domains.
IT administrators should account for all domains used in e-mail headers, SMTP servers and IP addresses, and then publish records only for those servers that are authorized to send mail for a particular domain or sub-domain.
If multiple servers are used to send e-mail for a domain or sub-domain, it's also a mistake to publish separate authentication records for every server rather than for each individual domain or sub-domain. The profusion of records can confuse and overwhelm ISPs.
Include e-mail service providers and others who send e-mail on your behalf. Many IT administrators and marketing managers forget to include the IP addresses of their ESP, CRM and other external partners in their authentication records. It's critical that you communicate with those allowed to send e-mail on your behalf and include them in the authentication scheme you select. Otherwise, you risk your e-mails not reaching customers because the ISPs believe your domain is being spoofed.
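The under- and over-authentication checks described above can be run against a sender inventory before a record is published. This audit is an added example, not from the original article; the inventory, the record, the `_spf.esp.example` name and the 256-address threshold are assumptions, and only `ip4:`/`ip6:` terms are evaluated because the others need DNS lookups.

```python
import ipaddress

def audit_spf(record: str, senders: dict[str, str], max_hosts: int = 256) -> dict:
    """Compare one SPF record with an inventory of sending hosts.

    senders maps a label to the IP address that host sends from.
    max_hosts is an assumed threshold above which a range is reported
    as broader than a set of mail servers is likely to need.
    """
    networks, too_broad, unresolved = [], [], []
    for term in record.split()[1:]:          # skip the v=spf1 version term
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if qualifier == "+":             # only "pass" terms authorize
                networks.append(net)
                if net.num_addresses > max_hosts:
                    too_broad.append(term)
        elif name == "all":
            if qualifier == "+":             # authorizes every host anywhere
                too_broad.append(term)
        else:                                # include:, a, mx, ... need DNS
            unresolved.append(term)
    uncovered = sorted(
        label for label, ip in senders.items()
        if not any(ipaddress.ip_address(ip) in net for net in networks))
    return {"uncovered": uncovered, "too_broad": too_broad,
            "unresolved": unresolved}

# Constructed inventory and record, using documentation address ranges.
SENDERS = {"corp-mta": "192.0.2.10", "billing-mta": "198.51.100.5",
           "crm-partner": "203.0.113.25"}
RECORD = ("v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 ip4:10.0.0.0/8 "
          "include:_spf.esp.example ~all")

if __name__ == "__main__":
    for key, items in audit_spf(RECORD, SENDERS).items():
        print(f"{key}: {items}")
```

Senders listed as uncovered may still be authorized by a term reported under `unresolved`, so those terms need to be resolved and checked by hand.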
Manage your identity and reputation. Companies often allow different classes of mail (transactional and marketing) and different business units to share identities by mailing under the same domain names or from the same servers (IP addresses). This unfortunate practice commingles the identities of all classes of mail and senders and subjects them all to a common fate based on the reputation of the worst player. It also makes it difficult to isolate problematic practices and take corrective action to restore your reputation and ensure high deliverability.
Conversely, some companies use different domains or sub-domains for every e-mail project or program or rotate their IP addresses. These are not good practices either, because ISPs look for continuity in your identity and may resort to blocking your entire domain or range of IP addresses. Such practices also make managing your reputation and authentication program difficult. Moreover, they may expose your customers to phishing attacks with look-alike domains or depress their response to your mailings because they can't reliably predict what you are sending them.
Re-examine how to segregate your different classes of mail, business units and brands based on how you want to establish and manage your identity and reputation. Of course, you will then want to publish your authentication records accordingly and find a deployment solution that supports your strategy.
Collaborate, collaborate, collaborate. Authentication is critical for all companies that care about their brands, reputations and the delivery of their e-mail. With so much at stake, marketers and IT administrators must join forces not only to strengthen their e-mail infrastructure, but also to ensure it's done right. Doing so will yield great dividends for you, your customers and the future of e-mail as a medium for communication and commerce.