Email authentication
Featured service
With industry leading deliverability, Campaigner Email Marketing now supports DomainKeys. Start your free trial today.
Like me, you may be in a state of either denial or ignorance (or both) when it comes to such wonders as email authentication, certification, accreditation and reputation.
Most of us are aware that these things somehow impact on our ability to get emails delivered to the intended destinations. But that's pretty much where our understanding ends.
Determined to lift my veil of ignorance, this is my interpretation of what authentication is, why it's important for email marketing, how it works, and what you need to do about authentication in your business.
The basic idea
One of the big problems for email is the question of origin and accountability. In other words, if an email claims to be sent from bigbrand.com, does it really come from bigbrand.com?
Many spammers and all phishers fake the true origins of their email. Spammers do it to avoid accountability for their actions. Phishers do it because that's the whole point of the email: to convince you it comes from your bank or a large retail chain, rather than a fraudster and con artist.
Email authentication refers to a process (or processes) that enables those that actually put emails into people's inboxes (the ISPs and email providers) to verify the alleged identity of the sender.
Email authentication allows an ISP to be pretty certain that an email purporting to be from bigbrand.com really does come from bigbrand.com.
What are the issues here?
Once an ISP or email provider has the capacity to verify the authenticity of the sender, they have another criteria on which to judge whether they should deliver that email or how they should tag that email when it is delivered.
Some possibilities:
- If a sender cannot be verified through authentication, then an ISP might consider blocking that email or at least adding a few more points to its spam score
- Alternatively, the ISP might deliver that email, but tag it somehow as "cannot verify sender"
- Or the ISP might deliver unverified email as normal, but mark verified email as "Sender authenticated"
You can immediately see how this impacts on email marketing. Email authentication is an important issue for marketers because it affects deliverability directly. And it impacts how your readers perceive your message (through the "verified" and "non-verified" tags).
Now, there are lots of ISPs, email providers and senders of email. And authentication requires specific action by both receivers (ISPs and providers) and senders to work. An ISP can only authenticate an email if the sender has taken particular steps to enable the authentication process.
And there's more than one authentication process.
Messy!
Since many senders aren't yet supporting authentication, ISPs are unlikely to start blocking non-authenticated email immediately; so much legitimate email would be rejected unfairly. And some ISPs don't do email authentication checks anyway.
But don't let that mislead you into false security. ISPs and others are a long way down the road to agreeing on common standards. And most major ISPs and email providers are already implementing authentication processes.
Current status
The Authentication and Online Trust Alliance (AOTA) reported in February 2008 that over 50% of the largest brands were already authenticating outgoing email. A position confirmed by another study of top retail emails.
Another study suggests major ISPs and webmail sevices like Yahoo, Gmail, AOL, Earthlink etc. all now use authentication.
In other words...authentication is already playing a role in email delivery and labelling. And it's well on the way to achieving the critical mass that allows all ISPs to start acting on non-authenticated email.
You can "get away" with not authenticating your emails for the moment. But you do need to address this issue very soon.
As the number of email senders and recipients using authentication grows, so does the downside of non-authenticated email: negative labels attached to your email or outright blocking of your email.
Authentication is a good thing, but not a panacea
Clearly, authenticating email (assuming you've implemented authentication) is a good thing for email marketers. Legitimate email can only gain. Not just in terms of a positive tag or avoiding a filter.
Just as important is the fact that authentication ought to clear inboxes of some unwanted emails, like those from phishers. This helps restore trust in email as a communication medium.
And, as a sender of authenticated email, you're contributing to a positive reputation for your emailing practices. This has benefits for other deliverability hurdles where reputation plays a role.
But it's not a global panacea to the spam problem. Remember: all authentication does is verify that the alleged sender is the actual sender. It says nothing about whether the email is solicited or unsolicited, opt-in or opt-out, spam or a personal message from mom.
So it's just one step on the road to a pristine email system.
OK, so how does it work? How do we implement it?
Unfortunately, there is no one universal authentication system in place. But competing standards follow similar principles.
Basically, it involves your domain name records. This is the formal information associated with your domain name.
You can modify these domain records to indicate which IP addresses (think of these as particular machines at particular locations) are allowed to send email on behalf of your domain.
When an ISP, for example, gets an email purporting to be from a particular domain, it can check these records and identify which IP addresses are allowed to send email for that domain.
It then compares the physical source of the email with the records. If the sending IP address is on the approved list, the email is authenticated. If not, it's not.
This is a simplistic not-totally-accurate description, but it will do for us marketers.
The important point is this: you need to modify your domain name records so that ISPs have something to refer to when attempting to authenticate your email.
If they find no appropriate entries in your record, then they cannot authenticate your email.
You may also need to modify the information sent with your emails to support authentication, too.
And this is where most marketers run into a brick wall. Me included.
How do you modify and publish a domain name record. Where is it? What exactly do you need to put in it? What else do you need to do? Which standard do you follow?
This is, if you'll forgive me, an issue where you probably need to enlist the help of an IT expert or your list host and email service provider.
They have the know-how to help you with this process.
Standards
For the record, there are two authentication standards that seem to have established themselves as the most important and you would be wise to follow the requirements of both.
These two are Sender ID and DomainKeys (or DKIM in its updated form).
You'll find explanations of why each one is good, how they work, and how you implement them (not that I understood much of that bit, hence the recommendation to enlist appropriate help) at these sites:
- The DKIM page at Yahoo (DKIM also requires changes to your outgoing emails, as well as to domain name records)
- The Sender ID page at Microsoft
See also:
As standards are refined and authentication spreads, the process required to implement the standards for your emails will undoubtedly get simpler. You may find your email is already appropriately authenticated by your ESP.
But for now, the simple message is this: work on implementing authentication standards for your outgoing emails. Get help if you can't understand the jargon yourself. Hassle your IT or technical folk. Bug your email service provider.
Authentication is here to stay, and it's important for your email marketing success.
Need more email marketing guidance? Try the email newsletter.