sign in sign up
<<
Home , Email address, Email authentication, Feedback loop (email)

GUIDE Frequently Asked QUES T ION S

T OGETHER STRONGER

Marketers that use email for communication and transactional purposes should adopt and use identification and authentication protocols.”

This document will explain what authentication is – includ- ing some recommendations on what you should do as an email marketer to implement these guidelines within your organization.

* This Guide should not be considered as legal advice. It is being provided for informational purposes only. Please review your email program with your legal counsel to ensure that your program is meeting appropriate legal requirements. THIS COMPLIANCE GUIDE COVERS:

Basics of Email Authentication Technologies Basic FAQs on the DMA’s Email Authentication Guidelines Implementation: Complementary Types of Email Authentication Systems Beyond Authentication: Email Reputation Email Authentication Resources for Marketers

1. What Do the DMA’s Email Authentication Guidelines Require?

The DMA’s guidelines require marketers to choose and implement authentication technolo- gies in their email systems. It is up to your company to decide what kind of authentication protocol to use, though all are recommended based on current-day trends. The DMA does not require nor endorse the use of any specific protocol, as there are several interoperable, inexpensive, and easy to implement solutions available today.

2. Why does the DMA Require Members to Authenticate Their Email Systems?

The DMA requires its members to authenticate their email systems primarily because mailbox providers (aka ISPs, MSPs or receivers) are increasingly requiring authentication. This strongly aligns with a growing trend in the email deliverability industry that’s leaning more towards domain-based reputation (as opposed to IP-based reputation a couple of years ago). Secondly, authentication improves the likelihood that legitimate/wanted email will get delivered to the intended recipient’s inbox folder.

Additionally, email authentication reduces the likelihood of spam, spoof and attacks (thus protecting the integrity of marketers’ brands). Authentication is seen as one way to make the email marketing arena more secure and improving consumer confidence in email, thus preserving it as a valuable email marketing communications tool.

3. Does DMA’s Email Authentication Guideline Require Marketers to Authenticate Inbound , Outbound Emails, or Both? InboxArmy The guideline applies only to outbound email that marketers send either from their own IP addresses or via the use of a third-party service bureau. Designed by 1 4. Is Email Authentication Required Just for Marketing Messages?

No, DMA’s Email Authentication Guideline applies to ALL outbound messages that marketers send or that their third-party service bureaus send on their behalf.

5. Does the Guideline Apply to B-to-B Marketers?

Yes, the DMA believes that similar common best practices in email deliverability for consumer promotions should be used for business-to-business campaigns.

6. Does the Guideline Apply to Nonprofits?

Yes, non-profit organizations, as well as for-profit businesses, should authenticate the email messages they send.

BASICS OF EMAIL AUTHENTICATION TECHNOLOGIES

1. What is an Email Service Provider (ESP)?

A company that offers email services to send (bulk/marketing) email on behalf of a marketer.

2. What is an Service Provider (ISP)?

A service provider that provides access to the Internet (and most times an email account). InboxArmy Designed by 2 3. What methods/types of Email Authentication are out there?

There are a few major email authentication methodologies:

Sender Policy Framework (SPF) - an IP-based solution, DomainKeys Identified Mail (DKIM) - a cryptographic solution, Domain-based Message Authentication, Reporting & Conformance (DMARC) - builds on the widely deployed SPF and DKIM protocols.

The goal of the first two is similar: create a public record against which to validate email messages so that a sender’s legitimacy can be verified. Both the SPF and DKIM technologies work to verify that the sender is authorized to send mail.

4. What is the Difference Between IP-Based Authentication and Cryptographic Authentication?

A fundamental difference between IP-based and cryptographic authentication solutions is that cryptographic technology protects the integrity of the email content, while IP-based technology verifies or proves that the sender is authorized by the domain owner to send email.

5. What is the System (DNS)?

The (DNS) is an Internet directory service. DNS is where companies publish information about their domains.

6. What is Transport Layer Security (TLS)?

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).

TLS for email isn’t required but has been widely adopted following revelations of government snooping. Some ISPs (like Google’s ) add a warning flag to email messages that were received without TLS encryption. For this reason it is recommended that all outbound email support TLS. An overview of TLS is available at:

https://www.google.com/transparencyreport/saferemail/tls/ with an

FAQ available at https://www.google.com/transparencyreport/ InboxArmy saferemail/faq/. Designed by 3 IMPLEMENTATION OF COMPLEMENTARY TYPES OF EMAIL AUTHENTICATION SYSTEMS: SPF, DKIM AND DMARC InboxArmy Designed by 4 (SPF):

1. What is it?

SPF is an IP-based technology that verifies the sender IP address by cross-checking the domain in the listed in the non-visible “Mail From” line of an email against the published record a domain owner has registered in the Domain Name System (DNS). SPF technology is free to all users. An SPF record is a list of computer servers or IP addresses that senders indicate are “authorized” to send email that claims to be coming from their domain. When you publish an SPF record for your domain, you declare which IP addresses are authorized to send out email on your behalf.

SPF allows senders/marketers effectively to say, “I only send mail from these machines (IP addresses/servers). If any other machine claims that I'm sending mail from there, they are not telling the truth.”

2. How Do I Implement Sender Policy Framework (SPF)?

Run an audit, write a list of all IP addresses that send email on your behalf. As an extra precaution, talk to your IT staff & any Email Service Providers you work with to ensure you don’t miss any IP addresses. Create your SPF record. http://www.openspf.org/ provides syntax details and tools to help with this. Publish your SPF record in DNS. Verify that your SPF record is published & working.

(i) An easy-to-use third-party tool can be found at http://tools.wordtothewise. com/authentication:

a. Input your domain name in text box to check a published SPF record b. View “Results”. You should see ‘This seems to be a healthy SPF record’, meaning the SPF record is good to go. InboxArmy Designed by 5 DOMAINKEYS IDENTIFIED MAIL (DKIM)

1. What is it?

DomainKeys Identified Mail is a cryptographic, signature-based form of email authentication. DKIM is offered to all users free of charge.

The DKIM specification is available at http://www.dkim.org. DKIM requires email senders’ to generate “public/private key pairs” and then publish the public keys into their Domain Name System (DNS) records. The matching private keys are stored in a sender’s outbound email servers, and when those servers send out email, they generate message-specific “signatures” that are added into additional, embedded email headers.

The DKIM authentication process involves checking the integrity of the message using the email signature header and verifying whether the key used to sign the message is authorized for use with the sender’s email address. This step currently involves utilizing the DNS record of the sending domain. The authorization records in the DNS contain information about the binding between a specific key and email address.

Using a US Postal Service analogy DKIM is like verifying a unique signature which is valid regardless of the envelope or letterhead it was written on.

ISPs that authenticate using DKIM look up the public key in DNS and then can verify that the signature was generated by the matching private key. This ensures that an authorized sender actually sent the message, and that the message headers and content were not altered in any way during their trip from the original sender to the recipient. InboxArmy Designed by 6 2. HowDoesEmailAuthentication ReduceandProtect AgainstSpam? 1. Whatisit? suggest toreceiverswhatdowithmailthatfailsDMARC. protection fromfraudulentemail.Finallyitprovidesamechanismwherebydomainscan a reportingfunctionthatallowssendersandreceiverstomonitorimprovedomain “From” addresscheckedbySPFtothevisibleDKIM.Itprovides DMARC addressesthesethreeissuesasitusesdomainalignmenttomatchtheenvelope sites astowhatdowithmessagesthatfailauthentication. fails, orwhentheirdomainisbeingspoofed.Finallytheyprovidenoguidancetoreceiving from’). Secondtheyprovidenofeedbackmechanismsfordomainstoknowwhenemail First theyoperateondifferent‘fromaddresses’(the‘visiblefrom’versusthe‘envelope SPF andDKIMprovidevaluableauthenticationcapabilitiesbuthavesomeshortcomings. DMARC isanemailauthenticationprotocolthatbuildsontheSPFandDKIMprotocols. better identify legitimateemail.Spammers arethendistinguished fromsenders of is legitimateandwhich isspam.AuthenticatedemailhelpsISPsand MailboxProviders Providers thusblurring theperceptioninconsumers’mindsofwhich commercialemail going away,andspammers quicklyadapttofilterssetupbyInternet andMailbox Spam causesproblems forbothconsumersandmarketers.Thespam problemisnot CONFORMANCE (DMARC) AUTHENTICATION, REPORTING & DOMAIN-BASED MESSAGE DMARC Overview: spam filteringdecisionsandmanymoreare implementingthereportingfunction. Many domains,includingmajorISPs,arechecking DMARCandutilizingitaspartoftheir A moredetailedexplanation&overviewcan befoundat .2C_and_in_non-technical_terms.3F. https://dmarc.org/wiki/FAQ#How_does_DMARC_work.2C_briefly- A brief,non-technicaloverviewisavailableat https://dmarc.org/overview. 7 Designed by InboxArmy SpoofingandPhishing? 3. HowDoesEmailAuthentication ReduceandProtectAgainst and atalowercost. legitimate emailenablingwantedmailtobedeliveredconsumerswithhighercertainty reaching itsintendedvictims. Authentication makesiteasierforISPstoidentifysuchfraudulentemailprevent has beenforgedorspoofed. Most phishingattackscomefromemailinwhichthesender’sname‘FromLine’ legitimate source,suchasauser’sbank,creditcardcompany,oronlineWebmerchant. such ascreditcardnumbersoraccountpasswords.Theemailpretendstobefroma sending anemailthatattemptstotrickrecipientsintogivingoutpersonalinformation, Spoofing istheforgingofanotherperson’sorcompany’semailaddress.Phishing 8 Designed by InboxArmy BEYOND AUTHENTICATION: EMAIL REPUTATION InboxArmy Designed by 9 isGood? 2. WhatMetricsShouldIMonitor toEnsureThatMyEmailReputation 1. WhatisaCompany’sEmail Reputation? infrastructure arethefoundation tohavingagoodreputation butkeepingcomplaint rates High Relevance/Low Complaint Rate: volume throttling(spreading outthenumberofemailssentover a longperiodoftime). the numberofsimultaneous connectionstotheirnetworks.Orit may institutemail becomes suspiciousofanemailsenderitmay askhighvolumeemailsenderstoadjust considered suspiciousbehaviorandthesender maybeidentifiedasaspammer.IfanISP unknown address.Whenanemailsenderdoes notacceptbouncebackerrorrepliesitis messages thatarebouncedbacktothemwhen theyattempttoemailaninvalidor campaign. MostISPsrequirethatemailsenders arecapableofreceivingatleast90% receiving thevolumeofbouncesthattypically accompaniesanyhighvolumeemail Therefore, todifferentiatethemselves,legitimate sendersareexpectedtobecapableof bounces andrepliestospoofed,non-functional ornon-existentreturnaddresses. Sound EmailSendingInfrastructure: isn’t justgoodfordeliverability,butReturnonInvestment(ROI)aswell. addresses atlessthan3-5%ofeachmailing.Ofcourse,reducingthesetypeserrors of error.However,itisgenerallyacceptedthatmarketersshouldaimtokeep“invalid” consumers changingemailaddresses,andbecauseofthattheydoallowforsomemargin practices andissendingspam.ISPsacknowledgethattherealotofchurninterms trait ofspammers–itisaanyentitythatconsideredtohavepoormarketing Good ListHygiene: remains ingoodstandingwithISPs. There areafewsimplestepsmarketerscantaketoensurethattheirEmailReputation spammer. Thisiswherereputationandwhitelistingcomeintoplay. tell mailboxprovidersanythingaboutwhethertheauthorizedsenderislegitimateora deliver/non-deliver decisions.Authenticationverifiesauthorizationtosend,butitdoesn’t Authentication aloneisnotsufficientforInternetServiceProviders(ISPs)tomake Authentication andreputationarefundamentallylinked. Internet ServiceProviders(ISPs)andEmail(ESPs). policies, andmore.Mostofthesefactorscanbemeasured,quantifiedweightedby complaint rates,identitystability,unknownuservolume,securitypractices,unsubscribe information aboutthesender’spractices.Reputationisbasedonnumerousfactors: Email ReputationisawayforISPstocombinethesender’sidentitywithadditional Sendingemailtotoomanyaddressesthatdon’texistisn’tonlya Acommontraitofspammingistoredirectemail Havinggood listhygieneandsound delivery 10 Designed by InboxArmy 4. WhatAreFeedbackLoops? 3. WhatisaWhitelist? Authentication Protocols: Best Practices for Implementing Email and messagingstreamsemanatingfromtheirIPaddress/computernetworks. An FBLisessentialformarketerstoidentify&resolvehighcomplaintemailcampaigns with sendersinordertomonitorlisthealthandremovecomplainantsfromtheirlists. A complaintfeedbackloop(FBL)isatechnicalsystemwhereISPssharespamcomplaints sophisticated filtering. In recentyearsmostISPshavemovedawayfromwhitelistinginfavorofmore being subjectedtocertain/stricter)levelsoffiltering(anti-spam/policy/volumefilters,etc). allow emailmarketers/senderstosendemailsintotheirnetworksofenduserswithout A whitelistisalist/processthatsomeISPs(andmailboxprovidersandreceivers)useto Develop apolicy forassigningdomain and sub-domain names. Research themajorprotocols todetermine thebestsolution(s)foryourcompany. try orgovernment-sponsored workshops. Follow developments in theindustryfield includingtechnological whitepapersand Know yourcustomersandwhereyouare mailingto. best results,authenticateyouremailsystems withoneormoretechnologies. free technologiesthathavedifferentdeliverability successrateswithdifferentISPs.For Authenticate usingmorethanonetechnology. SPF, DKIMandDMARCareinteroperable relevant departmentsandvendorstoimplement emailauthentication. Assign anindividualorgroupatyourcompany toberesponsibleforworkingwithother complaint rateundercontrol. reputation systems,andseverelong-termblockingifthesenderdoesnotbring thousand emailsdeliveredcouldresultinshort-termblockingbyISPsthatemploy the totalnumberofdeliveredemailsinaspecificmailing.Justtwoorthreecomplaintsper 0.1 percent.Thecomplaintrateiscalculatedbydividingthetotalnumberofcomplaints complain aboutlegitimateemail.Marketersshouldaimtokeeptheircomplaintratebelow the recipient.Ingeneral,ISPsbelievethereshouldbelittletonoreasonforaconsumer having alowcomplaintrateismakingsurethatyouremailrelevantanddeliversvalueto low iswhereacompanycansignificantlyimproveordamageitsreputation.Thekeyto indus- 11 Designed by InboxArmy FOR EMAIL MARKETERS EMAIL AUTHENTICATIONRESOURCES EmailMessage? 5. WhatistheDifferenceBetween Pass,FailandSoft Failof an https://www.ftc.gov/news-events/events-calendar/2004/11/ mail-authentication-summit example: The FederalTradeCommission hasheldsomeworkshopson thisissue,for http://www.m3aawg.org Messaging, MalwareandMobileAnti-Abuse WorkingGroup(M3AAWG): https://www.dmarc.org Domain-based MessageAuthentication, Reporting &Conformance(DMARC): DomainKeys IdentifiedMail(DKIM)Information page: Sender PolicyFramework(SPF)infopage: available, including: There aremany Email Authentication resources message. is notlistedontheISP’slistofauthenticatedsendersbutanoutrightfailed to theISP’sstandards;AsoftfailmessageusuallycomesfromasenderorIPaddressthat or themessagemaybeblocked.Asoftfailisathat“probablefail”according to theintendedrecipient’sinbox.Itwilleitherdirectedspam/junkfolder, standards forthatISP’sdefinitionofalegitimatemessageandlikelywillnotbedelivered the recipient’sinbox.Ifamessagefailsanauthenticationcheckitdidnotmeet standards forthatISP’sdefinitionofalegitimatemessageandislikelytobedelivered If amessagepassesanISP’sauthenticationcheckitmeanstheemailmeets Research waystoauthenticateincomingemailyourcompany. deliverability tothoseyouwishreach. Develop awaytomeasuretheimpactofemailauthenticationintermshigher http://www.openspf.org http://www.dkim.org

12 Designed by InboxArmy [email protected] Mailing Address

1333 Broadway, Suite 301 New York, NY 10018

emailexperience.org