We all know about the dangers of phishing. We may even think we can tell a real email from a fake one.
And yet we’re still falling for it.
Last year, phishing attacks increased by more than 60%, and more than 30% of personal and enterprise users are exposed to these attacks every quarter. For marketers, spam and phishing are crushing the ability to reach customers and prospects with emails: phishing erodes trust in the email channel, and brand spoofing erodes trust in your brand.
Increasingly, scammers are spoofing branded emails as an entry point for their schemes: nearly 25% of all branded emails are actually phishing scams.
While some consumers take a closer look at who’s really sending them emails before they engage with senders, others are ignoring the messages entirely.
How do you ensure customers can trust that your brand’s emails are authentic, and how can you protect your brand from being an unwitting platform for phishing?
One answer may be email authentication, code that proves email senders are who they say they are. Brands are stepping up their use of authentication: our 2023 Inbox Insights survey showed that 30% of companies are planning such initiatives this year, making their customers’ inboxes safer while protecting their brand reputation.
Finding the Fakers
At a high level, email authentication verifies sender identity using multiple methods to separate messages sent by real senders from forged ones, such as bad actors who try to use your company name or website domain name in phishing attempts. Authentication makes it much more difficult to send phishing emails that look like they’re from your company while allowing customers to open your emails without fearing that the links and information within isn’t safe.
Email authentication also makes it easier for receiving mail servers to identify imposters (who aren’t using email authentication) and can automatically block emails from potential scammers and notify you about them. With this, you can let customers know that someone is impersonating you and urge them to use caution when opening suspicious emails and links.
With email authentication enabled, messages from bad actors have a lower likelihood of arriving in inboxes — reducing phishing attacks including brand impersonations. Customer engagement goes up when people can trust the emails they’re receiving from businesses, strengthening deliverability and ultimately, the success of your email campaigns.
Marketing Technology News: 5 Ways to Future Proof your eCommerce Success
Marketing Can Influence This IT Decision
While authentication is squarely in IT’s domain, marketers still need a broad understanding of the topic. Ultimately, it’s your marketing campaigns’ results that are going to be impacted, so it’s reasonable to require some say in the martech decision making process.
Let’s take a look at the four authentication types: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI).
SPF
SPF — in essence, a list of allowed senders — ensures that emails are coming from IP addresses or hostnames associated with the sender. It restricts who is allowed to send on behalf of your company’s domain, which decreases the risk of domain spoofing. Without implementing SPF, mailbox providers are much more likely to mark messages as spam.
DKIM
DKIM authentication allows recipients to validate certain digital aspects of the email by matching a public key with a private key to verify the message was authorized by the owner of the domain it was sent from. It can also determine if an email was modified in transit en route to the recipient.
You can think of DKIM like a watermark or fingerprint that is unique to an email sender. Unlike SPF, DKIM signatures continue working when an email is forwarded.
As secure as all of this sounds, it’s still possible for hackers to get a hold of DKIM keys and use them to impersonate a sender. For that reason, it’s recommended that DKIM keys are changed a few times per year. If you need to produce your own digital signature, there are DKIM generators that help create these email authentication records for you.
DMARC
While SPF and DKIM are for inbox providers, DMARC gives the power to senders, allowing them to determine how they want inboxes to handle suspicious emails that appear to come from their domains. With DMARC, senders can instruct inbox providers to default to one of three policies for any email that fails SPF and DKIM authentication:
- p=none, the most relaxed policy that is typically implemented at the start to monitor email activity, then shifted to another of two policies
- p=quarantine, putting questionable emails automatically into spam
- p=reject, outright rejecting questionable emails
Ultimately, setting a DMARC policy that authenticates legitimate traffic (p=quarantine or p=reject) makes it very hard for malicious actors to abuse a domain and impersonate a brand.
Despite being embraced by major inbox providers like Google and Microsoft, DMARC adoption is still relatively low — our forthcoming State of Deliverability survey shows that just 43% of senders have implemented DMARC. That said, the email industry is pushing its adoption as a means of helping the entire channel become more resilient and less vulnerable to fraud.
BIMI
This last one is particularly alluring for marketers: BIMI takes the anti-fraud capabilities of DMARC to the next level by adding a branded logo right with your message, so contacts recognize your email at a glance right in their inbox. The email industry created BIMI, an email specification that serves as a potential reward for being a trusted sender, as a way to encourage senders to adopt DMARC and enforce strong p=quarantine or p=reject policies.
Phishing and spam aren’t going away any time soon — but neither is email. With the right precautions and technological safeguards in place, it remains an important channel for you to reach your customers. Email authentication ensures your emails make it to your customers’ inboxes, and they can feel confident that any emails that appear to be coming from you are actually legitimate.
Businesses that use email authentication will protect their brand reputation as well as their customers’ inboxes while improving email deliverability, strengthening customer relationships and extracting more value from their email marketing efforts.
Marketing Technology News: MarTech Interview with Shachar Orren, CMO and Co-Founder of EX.CO
