May 02, 2009, 4:55 AM — Email authentication is a way to say, “This email is from my Email Service Provider’s ("ESP") servers, but it’s being sent on behalf of me (my company), so you can trust it.” Email authentication keeps your email from looking spoofed (forged) and counters what are called 'phishing attacks'. DKIM is the e-mail authentication standard developed by the Internet Engineering Task Force (IETF) to address one of the Internet’s biggest threats: e-mail fraud. As much as 80% of e-mail from leading brands, banks and ISPs is spoofed, at least according to the Online Trust Alliance (www.otalliance.org). DKIM is an important step in rebuilding consumer confidence in e-mail, because it makes it hard (i.e., almost impossible) for fraudulent spammers to send emails in which they pretend to be someone else - like your bank - asking you to update your account information. Email protocols (like SMTP) do not include authentication support, so the recipient of a message has no assurance that the message is from whom it claims to be from. DKIM permits the receiver of a message to validate that it is, in fact, from whom it claims to be from.
DKIM, which stands for “DomainKeys Identified Mail”, lets an organization insert a cryptographic signature in outbound e-mail and associate that signature with its domain name. The signature travels with the e-mail regardless of its path across the Internet, and the recipient can use it to validate that the message came from the organization’s domain. (If you’re a Pinpointe customer, you don’t have to worry: by default we DKIM-sign all of your emails.) DKIM won’t eliminate e-mail fraud altogether, but it gives companies that are targets of phishing scams a way to let their customers confirm that they really sent a particular message.
DKIM is a merger of two protocols: DomainKeys, created by Yahoo, and Identified Internet Mail, created by Cisco. These companies, along with other ESPs and ISPs, work with the IETF’s DKIM working group on the technical specifications. DKIM has been under development since 2004 and is finally reaching critical mass: we expect to see enterprises implement DKIM through 2009-’10.
For more information, the webinar "Email Marketing 201: Advanced Email Delivery Topics" explains email authentication and authorization in depth. Here's a link: http://www.pinpointe.com/blog/webinar-email-marketing-201-tips-to-improv...
DKIM Usage will Boom in 2009-10
Use of email authentication with DKIM is accelerating, especially among banks, mortgage companies and insurance companies. It’s now fairly easy for a corporation to deploy DKIM, because enough commercial products support it and many Email Service Providers ("ESPs"), like Pinpointe, now support DKIM authentication. With the standards complete and compliant products readily available, many enterprises will implement DKIM in their email systems in 2009. To ensure your emails are not blocked by these domains, you’ll want to make sure your emails are sent with DKIM enabled.
Here are a few examples validating that DKIM is quickly gaining critical mass:
- BITS, a group of 100 of the largest U.S. financial institutions, last year recommended that its members adopt DKIM by October 2008. The fact that 100 large financial institutions are throwing their weight behind a standard together is going to help drive rapid DKIM adoption.
- BITS also recommends either Sender ID Framework (SIDF) or Sender Policy Framework (SPF) to validate that a received e-mail originates from an authorized mail server within a particular domain. (Read our Blog Tutorial on setting your SPF record correctly.)
- ISPs are adopting DKIM because they want to protect their customers against spam and phishing scams. E-mail senders are trying to protect their brands, identities and customers from phishing scams.
- eBay, PayPal and banks in general have always attracted fraudsters and “phishers”, so PayPal and eBay are signing their e-mails with DKIM to battle phishing attacks. Yahoo will block e-mails claiming to be sent by eBay and PayPal that haven’t been signed with DKIM.
Email Authentication with DKIM - Advantages
If you have a very large list, your campaigns are more likely to get blocked or “throttled” by major ISPs like AOL, Yahoo, Hotmail, and Gmail. However, if you are using DKIM authentication, (or if your ESP is doing DKIM signing), the throttling limits are often raised by some domains.
Potentially less stringent SPAM filtering. If you send marketing messages, email firewalls can be harsh when they scan your content. For example, if you have a large number of email subscribers that are all in the same domain, then sending a campaign to that list is going to look like a wave of spam. Again, authentication (and maybe some email certification) may smooth things out a bit.
Not too long ago, Bellsouth started blocking HTML emails randomly (no idea why - perhaps a Bellsouth employee can enlighten us?) Interestingly, since Pinpointe authenticates all of our customers’ emails by default, our emails seemed to get through just fine.
One thing to keep in mind however is that authentication (and authorization) do not give you a free license to start creating and sending spammy, low value email content. Your content is still going to get filtered. Authentication and authorization help receiving systems to know, with absolute assurance, that you are who you say you are.
DKIM Authentication - Disadvantages
Authentication has a few minor drawbacks worth noting. These are relatively minor and only occur in edge cases, but for full disclosure - here are the downsides:
If you are using an ESP who is doing DKIM signing, you “might” see this scenario. Depending on the email software being used by the recipient, your email may be displayed to some recipients as follows:
>> Sent from mail.pinpointe.com on behalf of john@yourcompany.com
For most people that’s not a big deal, but be aware that the received email may be displayed this way.
Authenticated emails can occasionally be rejected by mobile devices if the email is forwarded. Here’s the scenario. You send an authenticated email to your customer’s account. The message’s authentication says, “this message is only authentic if it came from Pinpointe server [server-name],” but the recipient forwards the message from his company account to his BlackBerry. The BlackBerry server receives your message, but since it was forwarded from your recipient’s company server, it appears to be a forgery when the server checks the authentication instructions.
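To make the signature mechanism described earlier and the forwarding failure above concrete, here is an added example (not Pinpointe code and not from the original post) that performs the body-hash half of DKIM verification per RFC 6376: it canonicalizes a message body the "relaxed" way, recomputes the bh= value carried in the DKIM-Signature header, and shows that a whitespace-only change still verifies while a footer appended by a forwarder does not. The message body, domain, selector and signature header are constructed for the example; the b= RSA signature check against the public key published in DNS is noted but not implemented.

```python
import base64
import hashlib
import re

def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of whitespace
    to one space, strip trailing whitespace per line, drop empty lines at the
    end of the body, and terminate a non-empty body with a single CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    text = b"\r\n".join(lines).rstrip(b"\r\n")
    return text + b"\r\n" if text else b""

def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode()

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag list ('k=v; k=v') into a dict, ignoring folding whitespace."""
    tags = {}
    for field in header_value.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    """Step one of DKIM verification: does the body the receiver holds still hash
    to the bh= the signer committed to? Step two, verifying the b= RSA signature
    over the headers with the key at <selector>._domainkey.<domain> in DNS, is
    not implemented here."""
    return parse_dkim_tags(dkim_header).get("bh") == body_hash(body)

# Constructed sample message body, as the signer sent it.
ORIGINAL_BODY = b"Hello Jane,\r\n\r\nYour statement is ready.   \r\n\r\n"
# Constructed DKIM-Signature value: bh= is derived from the body so the sample is
# self-consistent; b= is a placeholder where the real RSA signature would go.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourcompany.com; s=selector1;"
    " h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + "; b=PLACEHOLDER"
)
# Whitespace-only change (a gateway trimming trailing spaces): relaxed canonicalization absorbs it.
REWRAPPED_BODY = ORIGINAL_BODY.replace(b"ready.   \r\n", b"ready.\r\n")
# A forwarder appended a footer: the body no longer matches bh=, so verification fails.
FORWARDED_BODY = ORIGINAL_BODY + b"--\r\nSent from my BlackBerry\r\n"

if __name__ == "__main__":
    for name, body in [("original", ORIGINAL_BODY), ("rewrapped", REWRAPPED_BODY), ("forwarded", FORWARDED_BODY)]:
        print(f"{name:9s} bh matches: {body_hash_matches(SIGNATURE_HEADER, body)}")
```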
The bottom line is this: if you have a big list (tens of thousands), you should be working with your ESP to do authentication and authorization to help improve email delivery. If your list is relatively small (in the hundreds) then you probably don’t need it yet - but start getting yourself educated on the topic. Feel free to drop me a note if you have questions: cstouffer@pinpointe.com or visit our blog at www.pinpointe.com/blog for more information on email delivery topics.