All You Need to Know About E-mail Authentication
A recent Direct Marketing Association (DMA) survey on multichannel marketing in the catalog industry shows that all catalogers use both their catalogs and Web sites to generate sales. Nearly nine out of 10 also use e-mails to reach customers. E-mail provides them with an easy method for order confirmation, shipping notices and customer service follow-up.
But are you sure your e-mails are making it into customers’ inboxes? Is your brand protected from criminals who send fake e-mails in your name and use your company’s good reputation to defraud consumers?
Strides Made, But Problems Persist
While enormous strides have been made in recent years to combat the problem of spam, unwanted and potentially harmful e-mails remain a problem for many Americans. Not only can they clutter up an inbox, today’s spam — usually generated from networks of hijacked personal computers that conceal the spammer’s identity — often is used to launch phishing attacks and to deliver malicious code or “malware” to consumers’ computers. This results in significant harm to consumers. It undermines the foundation of trust that drives online commerce.
At a recent FTC summit on combating spam, Chairwoman Deborah Platt Majoras emphasized knowledge — knowing with whom we interact — as an important weapon in the fight against spam. And in verifying the identity and source of an e-mail message, there’s no tool more important than e-mail authentication. “Just as we can ask visitors to swipe identification badges and use biometric identifiers to verify who is entering our physical space, we can use authentication technology to verify who is entering our electronic space,” Majoras said. “This technology, paired with reputation and accreditation systems, holds the greatest promise for preventing spammers from operating anonymously.”
Certainly Internet service providers (ISPs) are taking these words to heart. More are using authentication technologies to verify the identity of the person or organization sending e-mail. And if your e-mails don’t pass the authentication test, it’s increasingly unlikely that your customers are going to get your messages.
Like all commercial marketers, catalogers need to make sure that their messages are deliverable and that consumers have confidence those messages actually come from the organization named as the sender. Using a postal analogy, e-mail authentication can assure the recipient that your return address, letterhead and personal signature are legitimate. Authentication helps prove that you’re who you claim to be and that you have the right to send e-mail from your IP address.
Very soon, however, e-mail authentication may be more than just a best practice; it may be a necessary step in order to clear ISP gatekeepers. If you don’t authenticate your e-mail, it may not be delivered.
In October 2005, the DMA passed an ethics guideline requiring members to authenticate their outgoing e-mails. The guideline, which went into effect Feb. 1, 2006, states: “Marketers that use e-mail for communication and transaction purposes should adopt and use identification and authentication protocols.” It’s designed to protect brands against illegal use and reduce false positives, while improving deliverability.
How to Authenticate
E-mail authentication is easy to do and there are several interoperable and inexpensive ways to do it. There currently are two major types of interoperable e-mail authentication systems: IP-based solutions like Sender Policy Framework (SPF) and Sender ID Framework (SIDF), as well as cryptographic solutions such as DomainKeys Identified Mail (DKIM).
The goal of each is the same: to create a public record against which to validate e-mail messages so the legitimacy of senders can be verified. Both technologies work to verify that the sender is authorized to send mail from a particular IP address. Authentication makes it difficult to forge IP addresses or the cryptographic signatures utilized by e-mail authentication systems.
Sender Policy Framework (SPF) is an IP-based technology that verifies the sender IP address by cross-checking the domain in the e-mail address listed in the visible “mail from” line of an e-mail against the published record a sender has registered in the Domain Name System (DNS). When you publish an SPF record for your domain, you declare which IP addresses are authorized to send out e-mail on your domain’s behalf. SPF allows senders/marketers effectively to say, “I only send mail from these machines (IP addresses/servers). If any other machine claims that I’m sending mail from there, it is not telling the truth.”
SIDF, created by Microsoft, is similar to SPF. SPF verifies the visible “from” line of the e-mail, while SIDF authenticates either the “from” line or the invisible “from” line of the e-mail header. Using the U.S. Postal Service as an analogy, SIDF is akin to verifying the authenticity of both the outer envelope and the letterhead on the document inside the envelope.
DKIM is a cryptographic, signature-based type of e-mail authentication. DKIM is a combination of Yahoo’s DomainKeys (DK) and Cisco’s Identified Internet Mail (IIM). DKIM requires e-mail senders to generate “public/private key pairs” and then publish the public keys in their DNS records. The matching private keys are stored in senders’ outbound e-mail servers, and when those servers send out e-mail, the private keys generate message-specific “signatures” that are added into additional, embedded e-mail headers.
Plain and simple: Regardless of whether you’re a large company or a small one, business-to-business or business-to-consumer, you should authenticate any outbound e-mails you send.
If you’re still unclear, take a look at the DMA’s online Authentication Resource Center at www.the-dma.org/emailauthentication.
Beyond your marketing and promotional e-mail messages, authenticate transactional and informational e-mails that include the following:
* order confirmations and shipping notices,
* customer service messages,
* monthly statements,
* customer newsletters, and
* individual correspondence with customers.
Pat Kachura is senior vice president for ethics & consumer affairs at The Direct Marketing Association. You can reach her at (202) 861-2410 or pkachura@the-dma.org.