Email Authentication: An Email Marketing Guide
In email marketing, authentication is becoming an even larger issue than the mountains of spam that make it to the inbox. Why? Because while spam itself is pretty straightforward – a sometimes obviously unwanted message that shows up in the inbox – email spoofing is more nefarious because it lets spammers take over the email identities of perfectly legitimate, rule-abiding email marketers and ruins their reputations.
Case in point. Have you ever seen emails sent to you, with your own company's name in the sent from field, pushing Viagra, fake Rolex watches or anything else of that sort? That's an example of a spammer who took over your identity, forged your information and is now using your perfectly good reputation to send out junk to angry recipients. And the spam complaint will affect your good name, not the fraudster who used it.
At the moment, there's really only one way to combat the forging of where an email comes from and who sent it: authentication.
Authentication: Different Types
Email authentication is a process that verifies the true identity of each sender and the origin of their emails or newsletters. This means that even if your totally legitimate paper company purportedly sent out an ad featuring mail-order brides from Pango Pango, the email service provider can look at various sets of data, compare it against the data they already have on file for you and immediately block your email from making it to the inbox.
You might ask why authentication is even necessary, but remember that email service providers process millions of emails per day. This means that there isn't time to pore over every single email, check to see if the headers and sent field are accurate, and shuffle it off to the inbox. Hence, authentication is a must for any email marketer serious about preserving their reputation.
There are three types of authentication available at the moment: SPF, DKIM and Sender ID.
SPF, or Sender Policy Framework, works as the sort of gold standard of email authentication. They provide the email service provider with a framework of data for every email you send.
When your email gets to the email service provider, the ESP checks your info against the info in the email. This info might include the DNS, what types of fields your emails use when you send, and other data.
If this data does not match up and your email is sent from an unknown or different origin that doesn't match the info you provided, the ESP blocks the email from making it to the inbox, removing the chance of spam complaints.
DKIM, also known as Domain Keys Identified Mail, is the ESP's way of checking the DNS records you provide with the ones that come with the email. If the DNS records fail to match, the ESP will block that email and you won't have to suffer from spam complaints.
Sender ID is almost identical to SPF, with a few key differences. Ultimately, they're both out to do the same thing: authenticate every email you send by matching data records the ESP holds against the ones that accompany the email or newsletter waiting to make it to the inbox.
The Controversy Surrounding Authentication
The core issue facing ESPs today starts and ends at how each email is handled. For instance, with Gmail and Yahoo!, both might handle emails that fail to pass the authentication sniff test in the same way. The powers that be at Gmail and Yahoo! may simply choose to block the email altogether, which is an easy and quick way to handle any forged headers, sent fields and other fraudulent data.
Meanwhile MSN Mail and AOL might handle the situation in an entirely different way. They might choose to put a message with the email that says the sender cannot be identified or go an entirely different route altogether.
The big unknown is the thousands of free and paid email services, some of which may not use authentication at all. In that case, you may find that the email sent unwittingly in your name, pushing herbal products or lotto winnings, might make it all the way to the inbox, with no interruption or verification whatsoever.
The good news is the major ESPs use authentication as a standard practice. And since they are major ESPs used by the vast majority of all email users, there's a great chance authentication will save you from spam complaints and preserve your online reputation. And there's a good chance that with the smaller email service providers, you can show your authentication records as a way of proving that you're not a spammer and that your spam complaints were much undeserved.
Not if, but When
Unfortunately, as much as we see the standard phishing outfit asking for money or touting lottery winnings, phishers are getting more and more sophisticated as the days go by. It's not entirely uncommon to encounter a phishing outfit far more educated and creative than its predecessors, which makes authentication a must for any email marketer looking at the long-term picture.
The new generation of phishing outfit matches the headers or fields from the type of company it wants to appear to send from. Hence, if you run a small bank, it's entirely possible that your email's identity will be taken over to send a highly legitimate-looking form asking for detailed account data, fooling many recipients in the process.
There will be a day very soon when the obviousness of phishing and spam disappears. We'll no longer see the bank verification email sent from the forged headers of a clothing shop, but more likely, as mentioned above, more bank verification emails sent from actual banks.
For this reason and the unknowns of whatever else spammers come up with to tilt the system in their favor, we recommend that you implement at least one, if not two authentication methods. If you want to keep your email marketing reputation pristine in the face of so many growing threats, authentication, simply stated, is a must, especially if you have a medium to large list.