Showing posts with label Authentication.

Thursday, May 22, 2008

Habeas Study Confirms Strong, Ongoing Demand for Email

Yesterday Habeas and Ipsos announced the findings of their 2008 email study, which finds that there is still a very strong preference for email and an expectation that this will continue to be the case for several more years.

Some of the more interesting findings: the majority of people trust companies that use opt-in email, let them customize communications, and can reliably get messages delivered. Strong privacy practices earn bonus points, yet respondents still believe that about two-thirds of companies share their data with third parties.

Report Highlights include:

Email's Vitality

  • 67% of respondents prefer email over other online vehicles
  • Consumer opinion of the future importance of email registered far above future expectations for other online channels.
Consumer Concerns Regarding Online Threats Increasing
  • 96% expressed concern about being victimized by email fraud, up from the 62 percent finding in the 2007 report.
  • 43% of respondents voiced concern over mobile spam and virus threats.
Online Reputation Management Best Practices to Build Trust
  • 88% of respondents said they would like organizations to give them more choices over the content and frequency of the emails they receive.
  • 80% of participants favour doing business with organizations that use opt-in permission to send them email.
  • 75% of participants prefer engaging with organizations that exhibit strong privacy practices.
Online Business Practices to Avoid
  • 25% of respondents lose faith in an organization that is unable to deliver email reliably.
  • Daily email messages ranked with pop-up advertisements as the most damaging online tactics to a company's online reputation.
  • 80% of respondents are not comfortable with businesses sharing their email address.
  • 80% feel that a business' reputation is negatively affected if it shares customer email addresses with third parties.
  • Internet users believe that about two thirds of companies are likely to share their email addresses with third parties.

Monday, April 21, 2008

Q&A | Is SPF2.0 Dead?

Q:
I've spoken with several folks and am still confused about whether or not SenderID is actually needed when sending to MSN/Hotmail.

What's the verdict? Is SenderID dead? Do spfv2 records need to be published? Is it sufficient to just publish SPF (v1) records when sending to MSN/Hotmail?

Sincerely confused on this one...

A:
I was intrigued by this question, as it was not something I had ever been told while working with the support teams at Hotmail, so I sent a note off to my contacts within Microsoft and got back the official word:

"In the majority of cases, using the SPF record will satisfy both SPF as well as SenderID verification within the Hotmail systems. Organizations that wish to publish a SenderID record are encouraged to do so. This second record will be used for SenderID validations, of the PRA domain only, and will take precedence over the classic SPF record."
Conclusions:

  • Sender ID is not dead; it is still the method Hotmail's authentication services use.
  • A v=spf1 record will be used for the MAIL FROM check and, unless the sender has published an spf2.0/pra record, for the PRA check as well.
  • Publishing both records will not hurt your delivery to Hotmail.
  • SPF is still checked in the absence of Sender ID; it remains supported because most senders do not yet have an spf2.0 record.
  • While one record is sufficient, my recommendation continues to be to publish both, since some other ISPs continue to pick one over the other.
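To make the precedence in Microsoft's statement concrete, here is an added example (my code, not Microsoft's or Hotmail's): it selects the record a Sender ID verifier uses for each scope, following the record-selection rules in RFC 4406. A record whose spf2.0 version tag names the scope being checked wins; otherwise a v=spf1 record is reused for both scopes; a spf2.0 record scoped only to the other check does not count. The domains and TXT records are constructed sample data.

```python
"""Which published record a Sender ID / SPF check uses for each scope.

Added example, not from the original post or from Microsoft: it applies
the record-selection rule the statement above describes, as RFC 4406
(Sender ID) specifies it.  A record whose spf2.0 version tag names the
scope being checked (PRA or MAIL FROM) wins; otherwise a v=spf1 record is
reused for both scopes; a spf2.0 record scoped only to the *other* check
does not count.  The domains and TXT records are constructed samples.
"""
import re

# Constructed: TXT records as they might be published for hypothetical domains.
SAMPLE_TXT = {
    "only-spf1.example": ["v=spf1 a mx ip4:192.0.2.10 -all"],
    "pra-and-spf1.example": ["v=spf1 a mx ip4:192.0.2.10 -all",
                             "spf2.0/pra a mx ip4:192.0.2.10 ip4:198.51.100.7 -all"],
    "both-scopes.example": ["spf2.0/mfrom,pra ip4:192.0.2.10 -all"],
    "mfrom-only.example": ["spf2.0/mfrom ip4:192.0.2.10 -all"],
    "none.example": ["some unrelated txt record"],
}

SPF2_VERSION_RE = re.compile(r"^spf2\.0/([a-z,]+)(?:\s|$)", re.IGNORECASE)
SPF1_VERSION_RE = re.compile(r"^v=spf1(?:\s|$)", re.IGNORECASE)


def spf2_scopes(record):
    """Scopes named in a spf2.0 version tag, e.g. {'mfrom', 'pra'}; None if not spf2.0."""
    m = SPF2_VERSION_RE.match(record.strip())
    return {s.lower() for s in m.group(1).split(",") if s} if m else None


def select_record(txt_records, scope):
    """Return (record, source) for a check of `scope` ('pra' or 'mfrom').

    source is 'spf2.0' when a scoped record was chosen, 'spf1' when the
    classic record is being reused for this scope, 'none' when nothing
    applies, or 'permerror' when more than one record applies.
    """
    scope = scope.lower()
    if scope not in ("pra", "mfrom"):
        raise ValueError("scope must be 'pra' or 'mfrom'")
    scoped = [r for r in txt_records if scope in (spf2_scopes(r) or ())]
    spf1 = [r for r in txt_records if SPF1_VERSION_RE.match(r.strip())]
    candidates, source = (scoped, "spf2.0") if scoped else (spf1, "spf1")
    if not candidates:
        return None, "none"
    if len(candidates) > 1:
        return None, "permerror"
    return candidates[0].strip(), source


def sources_by_scope(txt_records):
    """Which record kind serves the MAIL FROM and PRA checks for one domain."""
    return {scope: select_record(txt_records, scope)[1] for scope in ("mfrom", "pra")}
```

Run `sources_by_scope(SAMPLE_TXT["mfrom-only.example"])` to see the case the post's last bullet warns about: a domain that published only an spf2.0/mfrom record and no v=spf1 gets no PRA record at all, so a Sender ID check at Hotmail has nothing to evaluate.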

Friday, March 28, 2008

Q&A | Protecting users from fraud

I got asked a great question by a co-worker today...

"What have you seen other organizations doing to protect their users from fraud or phishing in emails?"

It got me thinking of all the different things I see when dealing with different organizations.

  1. Yahoo!'s security seal is a good example: a service that lets you create an avatar-style image that is displayed on their login pages.
  2. Credit card companies may send the last 5 digits of your card in every email message.
  3. Your phone company might send you your postal code or the last 4 digits of your phone number in each message to validate the relationship and the validity of the message.
  4. Your bank or financial institution may ask you to populate a number of security questions/answers that are then randomly presented during your login.
  5. PayPal's random number security key.

While not all of these are email related, they could easily be applied to protect your users from fraud as part of the security planning process to protect your members.

What are you doing to protect your members? Care to share with us? Leave a comment or email us at contact.

Friday, March 14, 2008

Q&A | Setting up Authentication Records

Q:
Hello Email Karma,

Would you happen to have a link that specifically shows how to set up SPF2.0 records?

Thanks very much for your help.

A:
Thanks for your question.

SPF 2.0 is better known as Sender ID, and the full details are available directly from Microsoft's Sender ID Home Page. Microsoft also supplies a handy "Sender ID Framework SPF Record Wizard" tool for building your records correctly.

Regarding the setup of these records: create a new TXT record in your DNS for the domain you're setting up Sender ID for, and add the result from the Wizard tool above. Your record should look something like this (depending on the network information of your email system), with the spf2.0/pra version tag marking it as a Sender ID record:

email.example.com IN TXT "spf2.0/pra a mx ip4:1.2.3.4 -all"
While I'm talking about authentication, some other handy sites include:

Hope these tools and suggestions help you out.

Do you have another tool you use for testing, or a better suggestion on setting these records up? Let us know by leaving a comment or emailing us at contact.

Thursday, January 24, 2008

Updates at AOL

Laura from Word to the Wise is reporting some new features at AOL, including:

AOL's announcement on the Email Sender and Provider Coalition call that they have begun checking DKIM on inbound email sent to their domains (AOL.com, AIM.com, Netscape.net and cs.com).

The other interesting piece of information to come from this call is that AOL is also going to start asking "How do you categorize this messaging stream?" when you apply for whitelisting within their mail services. What this means is that AOL is looking to track metrics on transactional mail vs. commercial/newsletter email entering their systems.

This builds on the SPF authentication checks that AOL has already been using for the last couple of years.

Monday, December 10, 2007

Q&A | Email Authentication

Q: Dear EmailKarma,

Where can I find the most updated information on how to properly set up SPF records, Domain Keys, and DKIM? Also, would you know what the exact difference is between Domain Keys and DKIM?

A: The best locations for SPF and Sender ID information are straight from the respective project web sites.

When preparing to launch authentication for these two services, it is best to:

  • Have your mail server list ready and researched, and use the record wizards (SPF, SID)
  • Roll out with a "~all" (softfail) flag to test your configuration
  • Move to a "-all" (fail) flag once your testing is completed
  • Publish these records for all of your domains; don't forget your corporate domain.

As for the difference between DomainKeys and DKIM, the project site dkim.org provides a great FAQ answering this question.
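The rollout advice above (start with "~all", move to "-all" once testing is done) is easiest to understand by evaluating a record. The following is an added example, not code from the original post: a minimal SPF evaluator that resolves names from a constructed stub DNS table, so it runs offline, and then checks the same unlisted sending IP against a testing policy and an enforcing one. The domains, addresses and records are hypothetical; a production checker should use a real resolver and the full RFC 4408/7208 rules (lookup limits, macros, exp= and redirect=), which this toy skips.

```python
"""Minimal SPF (v=spf1) evaluator with a stub resolver.

Added example, not part of the original post: it shows what the
"~all" -> "-all" rollout described above changes for a sending IP that
is not listed in the record.  DNS answers come from the constructed
STUB_DNS table so the code runs offline; a production checker should use
a real resolver and the full RFC 4408/7208 rules (lookup limits, macros,
exp= and redirect=, which this toy skips).  Domains and addresses here
are hypothetical.
"""
import ipaddress

# Constructed DNS data for hypothetical domains.
STUB_DNS = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:192.0.2.0/28 include:esp.example -all"],
    ("example.com", "A"): ["203.0.113.5"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("esp.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    # The same kind of policy in its test phase: soft fail for unlisted hosts.
    ("testing.example", "TXT"): ["v=spf1 ip4:192.0.2.10 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stub resolver: constructed answers, or [] when the name does not exist."""
    return STUB_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """The domain's v=spf1 TXT record; 'none' if absent, 'permerror' if several."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not recs:
        return "none"
    return recs[0] if len(recs) == 1 else "permerror"


def _addrs_for(mech, host):
    """Addresses an 'a' or 'mx' mechanism expands to, via the stub resolver."""
    if mech == "a":
        return lookup(host, "A")
    return [a for mx in lookup(host, "MX") for a in lookup(mx, "A")]


def check_host(ip, domain, depth=0):
    """Evaluate `domain`'s SPF policy for sending address `ip`; returns the SPF result."""
    if depth > 10:
        return "permerror"          # runaway include: chains
    ip = ipaddress.ip_address(str(ip))
    record = spf_record(domain)
    if record in ("none", "permerror"):
        return record
    try:
        for term in record.split()[1:]:
            if "=" in term.split(":", 1)[0]:
                continue            # modifier (redirect=, exp=): not handled by this toy
            qualifier = "+"
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech, _, cidr = mech.lower().partition("/")   # "a/24" form
            matched = False
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech in ("a", "mx"):
                host, _, prefix = arg.partition("/")
                prefix = prefix or cidr
                matched = any(
                    ip in ipaddress.ip_network(f"{a}/{prefix}" if prefix else a, strict=False)
                    for a in _addrs_for(mech, host or domain))
            elif mech == "include":
                sub = check_host(ip, arg, depth + 1)
                if sub == "pass":
                    matched = True
                elif sub in ("none", "permerror", "temperror"):
                    return "permerror"
                # fail/softfail/neutral from the included policy: simply no match
            else:
                return "permerror"  # ptr, exists and unknown mechanisms are out of scope
            if matched:
                return RESULT_FOR_QUALIFIER[qualifier]
    except ValueError:
        return "permerror"          # malformed address or network in the record
    return "neutral"                # nothing matched and no "all" term


def rollout_demo(ip="10.0.0.1"):
    """The same unlisted IP against a testing (~all) and an enforcing (-all) policy."""
    return {"testing.example": check_host(ip, "testing.example"),
            "example.com": check_host(ip, "example.com")}
```

`rollout_demo()` returns softfail for the testing policy and fail for the enforcing one. That is the whole point of the two-step rollout: while you are still discovering mail servers you forgot to list, a softfail is usually tolerated, whereas a hard fail can get legitimate mail rejected.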

Monday, November 26, 2007

Experimental Authentication Survey #3

Month three of measuring the progression of email authentication.

Spam is running at 7031 messages (96% of inbound*) in the last 30 days, compared to 229 ham messages.

The share of spam passing authentication tests is now 1.5%, with 16.7% failing, leaving 81.9% neutral.

For ham, the split is 38% neutral and 62% passing (50% in August, 57% in Sep/Oct) authentication tests.

Remember the holidays are coming - and you still have time to ensure that all of your email is authenticated. Don't forget that your corporate email should also be authenticated. This will help your inbox placement and protect your brand.

See the previous results: Month 1 and Month 2

Green flag = Passing authentication response
Yellow flag = Neutral authentication response
Red flag = Failing authentication response

* One complete month of spam used as a sample, prior tests used only 2 weeks of data. Complete monthly data will be used going forward.

Wednesday, October 31, 2007

Gmail talks about fighting spam and reputation

A look at the Gmail anti-spam team and the methods they use to combat spam.

Gmail has also published the paper "Sender Reputation in a Large Webmail Service" for CEAS 2006 (Conference on Email and Anti-Spam). This paper discusses how a large webmail service can define and use reputation to classify authenticated sending domains as spammy or not.

Friday, October 26, 2007

Q&A | The possibility of collateral damage

Q: Is there a possibility of collateral damage if the ESP I mail with has other clients with bad email reputations?

Will there be an impact on delivery if a sender with a bad reputation is on the same network as my server with a good reputation?

A: It is possible that your neighbour could cause you some pain along the way if they are not tended to by your ESP. In many cases it depends on who is doing the blocking and the number of bad actors on the same network.

The good news: most ISPs will notice the difference and act only on the bad IPs. That is where your reverse DNS is important, to show the distinct nature/sender of each IP.

Q: Does this mean then that a unique sending IP address given to me by my ESP is not necessarily as "safe" as we might otherwise think?

A: Yes, this is true, but new systems are being developed by the leading ISPs and ESPs to help distinguish one sending entity from another. Systems like DomainKeys (or DomainKeys Identified Mail, DKIM) can carry the "sender" reputation and begin the move from IP reputation to a domain-based reputation system.

The possibility of collateral-damage bounces is greatly reduced on an isolated IP address, especially compared with a shared IP address.

Q: How do escalating blocking systems work?

A: Systems like UCE Protect are a good example of an escalating block pattern:
  • Level 1 - Lists single IP addresses.
  • Level 2 - Lists larger netblocks based on the number of Level 1 listings (4 or more Level 1 IPs in the same network), with the size of the listed block growing with the total number of IPs listed.
  • Level 3 - Lists networks with many Level 1 or Level 2 listings, possibly a whole ASN (multiple networks) of an ISP/ESP (more than 100 IPs listed in Level 1).

For more on this discussion and others like it, please join us on the Email Marketers Club.
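To see how a clean IP becomes collateral damage under an escalating list, here is an added example; it is my reconstruction of the pattern described above, not UCE Protect's own code. It derives Level 2 networks and Level 3 ASNs from a set of Level 1 listings and reports the highest level at which a given IP is blocked. Assumptions, labelled in the code: "the same network" for Level 2 is taken to be a /24, Level 3 uses the post's figure of more than 100 Level 1 IPs under one ASN, and the prefix-to-ASN table and the listed IPs are constructed.

```python
"""Escalating block-list levels built from single-IP listings.

Added example, not part of the original post and not UCE Protect's own
code: it reconstructs the escalation pattern described above from a set of
Level 1 listings, so you can see how a clean IP ends up blocked because of
its neighbours.  Assumptions: "the same network" for Level 2 is taken to
be a /24; Level 3 uses the post's figure of more than 100 Level 1 IPs
under one ASN; the prefix-to-ASN table and the listed IPs are constructed.
"""
import ipaddress
from collections import Counter

LEVEL2_MIN_IPS = 4       # from the post: 4 or more Level 1 IPs in one network
LEVEL3_MIN_IPS = 100     # from the post: more than 100 Level 1 IPs in one ASN
NETWORK_PREFIX = 24      # assumption: "same network" means the same /24

# Constructed prefix -> ASN table for hypothetical providers.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}


def asn_for(ip):
    """ASN owning `ip` according to the constructed table, or None."""
    addr = ipaddress.ip_address(str(ip))
    return next((asn for net, asn in PREFIX_TO_ASN.items() if addr in net), None)


def escalate(level1_ips):
    """Derive (level2_networks, level3_asns) from the Level 1 IP listings."""
    level1 = {ipaddress.ip_address(ip) for ip in level1_ips}
    per_network = Counter(
        ipaddress.ip_network(f"{ip}/{NETWORK_PREFIX}", strict=False) for ip in level1)
    level2 = {net for net, n in per_network.items() if n >= LEVEL2_MIN_IPS}
    per_asn = Counter(asn for asn in map(asn_for, level1) if asn is not None)
    level3 = {asn for asn, n in per_asn.items() if n > LEVEL3_MIN_IPS}
    return level2, level3


def blocked_at(ip, level1_ips):
    """Highest level at which `ip` is blocked (0 = not blocked); 2 or 3 is collateral damage."""
    addr = ipaddress.ip_address(ip)
    level2, level3 = escalate(level1_ips)
    if asn_for(addr) in level3:
        return 3
    if any(addr in net for net in level2):
        return 2
    if addr in {ipaddress.ip_address(i) for i in level1_ips}:
        return 1
    return 0


# Constructed Level 1 listings: five bad IPs in 192.0.2.0/24, two in 203.0.113.0/24.
SAMPLE_LEVEL1 = [f"192.0.2.{i}" for i in range(11, 16)] + ["203.0.113.7", "203.0.113.9"]
```

With the sample listings, `blocked_at("192.0.2.200", SAMPLE_LEVEL1)` is 2: that address was never listed itself, but five of its /24 neighbours were, which is exactly the "isolated IP is still not entirely safe" point made above.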

Wednesday, October 24, 2007

Anti-phishing education resources

As part of a user education process, PayPal has launched the Anti-Phishing Challenge. I received a notice of this at my registered PayPal address (I found this legitimate message in my junk mail folder [1] by reviewing and verifying the DomainKeys signature). I scored 5 out of 5 and received the seal shown here: "Anti-phishing Champion".

PayPal is also hosting information sites on How to protect yourself and supplying information on how PayPal fights phishing and the Identity Theft Guide.

American Express has also added educational information to their "Front of the line" email program, with these great tips on what consumers should watch out for in phishing emails:

1. A sense of urgency created by the message. Example: Your account will be closed or temporarily suspended. You'll be charged a fee if you don't respond.
2. The e-mail addresses you by a generic term and not personally by first name and/or last name. Example: Dear Customer.
3. Embedded links within the e-mail may look legitimate because they contain all or part of the real company's name (may be slightly misspelled). These links will take you to fraudulent sites that ask you for sensitive personal information.
4. The e-mail may contain obvious spelling errors.
5. The e-mail address states American Express, but the content has little to do with American Express products.

Check out these great resources and learn how to protect yourself and your financial information.

[1] Even successfully signed and verified emails get delivered to the bulk folder.
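The first three tips on that list can be turned into detection logic. What follows is an added example, my own code and not American Express's or PayPal's: a heuristic scorer that flags urgency language, a generic greeting, and links whose visible text or host name carries the brand (possibly slightly misspelled) while the host is not the brand's own domain. The brand "ExampleCard", its domain examplecard.example, the phrase lists and the two sample messages are constructed for illustration; heuristics like these support user-facing warnings and do not replace authentication checks such as SPF or DomainKeys.

```python
"""Heuristic check for the phishing tells listed above.

Added example, not from the original post or from American Express: it
scores an HTML message for tells 1-3 on the list: urgency language, a
generic greeting, and links whose visible text or host name carries the
brand (possibly slightly misspelled) while the host is not the brand's own
domain.  The brand "ExampleCard", its domain examplecard.example, the
phrase lists and the two messages are constructed for illustration.
Heuristics like these help user-facing warnings; they do not replace
authentication checks such as SPF or DomainKeys.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "ExampleCard"                        # hypothetical brand
BRAND_DOMAINS = {"examplecard.example"}      # hypothetical legitimate domain(s)

URGENCY_PHRASES = ("suspended", "will be closed", "within 24 hours", "immediately",
                   "charged a fee", "verify your account", "unusual activity")
GENERIC_GREETINGS = ("dear customer", "dear member", "dear valued", "dear user",
                     "dear cardholder", "dear account holder")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def brand_like(text):
    """True if any token of `text` is the brand name or a near-miss of it."""
    brand = BRAND.lower()
    for token in re.split(r"[^a-z0-9]+", text.lower()):
        if token and (brand in token or SequenceMatcher(None, token, brand).ratio() >= 0.85):
            return True
    return False


def is_brand_host(host):
    """True only for the brand's registered domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def phishing_tells(html_body):
    """Return the tells found in an HTML message body (empty list: none fired)."""
    tells = []
    plain = " ".join(re.sub(r"<[^>]+>", " ", html_body).split()).lower()
    if any(p in plain for p in URGENCY_PHRASES):
        tells.append("urgency")
    if any(plain.startswith(g) or " " + g in plain for g in GENERIC_GREETINGS):
        tells.append("generic-greeting")
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        if (brand_like(visible) or brand_like(host)) and not is_brand_host(host):
            tells.append(f"brand-link-offsite:{host}")
    return tells


# Constructed sample messages.
PHISH = """<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Your account will be suspended within 24 hours
unless you <a href="http://examplecard-secure.phish.example/login">verify your
ExampleCard account</a>.</p></body></html>"""

LEGIT = """<html><body><p>Dear Alice Smith,</p>
<p>Your statement for the card ending 4821 is ready. Sign in at
<a href="https://www.examplecard.example/statements">www.examplecard.example</a>
to view it.</p></body></html>"""
```

Note that `is_brand_host` requires the registered domain to be the host's suffix: "examplecard.example.evil.test" starts with the brand domain but is not it, which is the trick tip 3 describes.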

Tuesday, October 16, 2007

Experimental Authentication Survey #2

Back in August we conducted a quick and experimental authentication survey of the EmailKarma inbox, and found that 50% of messages received in the month of August were not being authenticated correctly.

Comparing this to the messages received in the first two weeks of October, we now see that 57% of solicited messages are authenticating. The solicited messages that failed authentication in August have since been corrected and now pass authentication tests (no red flags this time).

The other item of note is that our spam folder has 2% (up from 1.5%) of email passing authentication, with the majority of spam messages (79%) coming from domains with no records at all, meaning these domains are vulnerable to forgery.

October's spam percentage is running at 89.1%, slightly better than August's 91%.

The holidays are coming - make sure all of your email is authenticated to help your inbox placement and to protect your brand.

Thursday, October 4, 2007

eBay, PayPal and Yahoo!

Yahoo! users can feel a little more secure when receiving email from eBay and PayPal after today's Yodel post: Say goodbye to eBay and PayPal fraudsters.

"We've teamed up with eBay and PayPal to become the first Web mail service to block the delivery of unauthenticated eBay and PayPal emails, reducing your risks of receiving phishing scams or fraudulent emails. Our weapon is a technology Yahoo! spearheaded called DomainKeys, which uses cryptography to verify the domain of the sender."

This is similar to the past discussions about Hotmail delivery issues and how to resolve them: publishing your SPF and Sender ID records will help your messages deliver at a number of ISPs, much as the DomainKeys implementation does at Yahoo!.

This is the first major announcement of this kind; be prepared for more to follow by authenticating your mail now. Not just your commercial or transactional email but also your corporate email.

Thursday, September 20, 2007

Q&A | Are IP addresses portable?

Q: Hello EmailKarma,

Are IP addresses portable? If you are thinking of moving hosting facilities and have built your reputation on your IP address that is owned by a telecom company – how do you suggest handling this? If you can't take your IP with you, how do you take your reputation with you? Any insight would be great.

Best,
Nancy

A: After doing some research and talking with some other delivery experts to get their opinions on this, here is what we are able to suggest.

IP addresses are only portable if you "own" them (i.e. they were allocated to you by ARIN, RIPE or another registry). To get IPs that you own and could move from one provider to another, you would need to be using at least a /21 (approximately 2,000 IPs).

A few ISPs (Hotmail specifically) have said that they are now able to transfer reputation between IPs if the new IPs are published in the same authentication records as the old ones and you continue to send email from both. After the reputation of the new IPs is established, you remove the old IPs from the record and keep the new ones while you send from the new system or IPs.

There was also discussion of the benefits gained from the reputation of your DomainKeys (or DKIM) selectors and mailing history, which allow you to move reputation based on these keys and the past performance associated with them. Basically, if an authentication technique can be tied to a domain and the reputation is based on that domain, then reputation should be portable. The problem is that most reputation systems are still evolving and many still focus on the IP address.

Early in September EmailKarma answered the question What's the best way to build reputation on new IPs? Using those suggestions for migrating your mail from one network to another, paired with the information above, will give you the best results for moving your reputation from one IP address to another.

Do you have a question for EmailKarma? Email it to contact or leave a comment.

Special thanks to Steve, Dennis, and Jeff for their insight and opinions.

Monday, September 17, 2007

More on Proactive User Relationship Building

Following up on Friday's Proactive User Relationship Building, there are a few additional things that should also be done with these types of relationship-building messages, especially when warning users about phishing attempts on your brand:

• Explain where your messages will be coming from: "we only send promotional email from this address - newsletter@email.marketer.com - and purchase notices from purchases@email.marketer.com"
• Explain what your links should look like - http://links.email.marketer.com/URLEncoding... Ensure you're using branded links and not a link to your provider's link redirect site
• Explain your mailing frequency: "We only send you messages on Monday afternoons and after you purchase something on http://shop.marketer.com"
• Add a notice on your home page about these kinds of fraud attempts, and ensure this notice is linked to on the checkout, shopping cart and privacy pages of the website (basically anywhere you ask for sensitive information).
• Explain what you have done to safeguard your email: "We use the latest forms of email authentication and web encryption services to ensure our messages and networks are secure and protect your information"
• Provide a resource for questions or an FAQ your subscribers can check and ask questions

Do you have any other ideas? Share them with EmailKarma or leave a comment.

Friday, September 7, 2007

Q&A | What's the best way to build reputation on new IPs?

I saw this question posted to the Email Marketer's Club today and I could not help myself, I just had to answer it here.

Q: What's the best way to build reputation on new IPs?

A: The best way to build reputation, or to repair a reputation, on an IP address is to send small amounts of email to the ISP you're working to build reputation at. The numbers vary across the ISPs, but you can be safe by starting with a few thousand messages a day (<5,000); after a couple of days or a week you should double this, and then double again after another week. To build a proper reputation on an IP address, between 50 and 100 thousand messages need to be sent and monitored by an ISP, which is approximately 3 business weeks mailing daily.

ISPs measure the following:

1. Number of unknown users attempted
2. Number of spam/junk reports from recipients
3. Number of spam traps or long-inactive (12+ months disabled) accounts that are being attempted
4. Number of concurrent connections attempted from one mail server

Key items to note:
• Send relevant and permission-based emails
• Send only to live addresses; remove invalid accounts immediately
• Monitor ISP feedback loops for high levels of user complaints
• Frequent (daily) mailings in smaller batches are better than less frequent, larger campaigns
• Authenticate your messages with SPF/Sender ID and DK(IM)

Do you have a question for EmailKarma? Email it to contact or leave a comment.

Thursday, August 30, 2007

Experimental Authentication Survey

A quick and experimental survey of the solicited messages in the EmailKarma inbox shows that ~50% of messages received in the month of August are either not authenticating (total neutral = 59) or not passing (total fail = 12) one of the four main authentication technologies (SPF, Sender ID, DomainKeys or DKIM).

Conversely, the last 8 days' worth of spam received (1547 messages) shows that only 24 messages (1.5%) have been authenticated in a positive manner. The largest set of spam messages is sent from domains that do not support authentication of any kind, making them an easy target for spoofing or forgery.

Based on these numbers, spam makes up 91% of all email received.

If you're looking to get noticed and looking for help getting your campaigns to your users, make sure you're authenticating. ISPs and businesses are already beginning to evaluate the presence of these solutions and make delivery decisions based on their accuracy and results.

Monday, July 30, 2007

Why is your 'From' Address so Important for Email Deliverability?

In response to the posting at trinity7 about the importance of your From address.

These are five great things to note about your campaign and your mailing address:

1) The From name is not always displayed
Most email clients will show the friendly From name used to send the email, but AOL users, among others using web-based readers, will only see your email address.

2) Email client whitelists
Almost every email client available, be it a webmail reader (Hotmail) or a desktop client (Thunderbird), has a built-in personal whitelist for users. These personal-level filters will overrule any potential filtering done by an ISP.

3) Domain blacklisting
Domain block listing is no longer limited to email addresses: URLs are also commonly blocked by anti-spam filters. Check over at Rules Emporium to see if you're listed on any of the most popular domain-based blacklists. It is also very common to filter out messages containing any URL with a raw IP address, so using a fully qualified domain name is recommended for all links and images in your email messages.

4) Spam filter scoring
Many companies are now offering pre-deployment content testing for your email, even offering multiple views of your message's appearance in the inbox. Look for Habeas, ReturnPath or Pivotal Veracity for these eRSPs.

5) Sender ID records
We talked about The importance of Authentication last week. We also recommend that you look to use DomainKeys Identified Mail (DKIM) as soon as your MTAs or ESP offer it.

Friday, July 27, 2007

The importance of Authentication

ISPs are now serious about authentication, from SPF to DKIM, and not authenticating your email is causing issues with mail delivery: it can lead to your message not being delivered to a user.

Taking steps to ensure that email can be, and is, authenticated is one of the prerequisites to ensuring email delivery. Publishing your SPF and Sender ID records is relatively easy and can be accomplished in a matter of minutes if you have all the right information.

What you need for SPF and Sender ID:

1. An accurate list of your outbound IP addresses (the network locations where your mail originates) or the network range (a number of IP addresses).
  - Your ESP or technical support team should be able to provide this to you.

2. Recommended tools are available at OpenSPF and Microsoft to help build the proper SPF and Sender ID records.

3. After determining your records you will need to publish them in the DNS records for your domain(s).

4. Your DNS records should look like this:
  mail.example.com IN TXT "v=spf1 mx a ip4:1.2.3.4 -all"
  mail.example.com IN TXT "spf2.0/pra a mx ip4:1.2.3.4 -all"

5. After publishing these records you should start to see your messages authenticated on delivery.

To test this setup:

1. Send a message from user@mail.example.com to a Gmail address.

2. Open the message and select "Show original" from the drop-down menu on the right side of the message. This will give you a text version of your message.

3. Look through the header (top of page) and find a line looking like this:
  - Received-SPF: pass (google.com: domain of user@mail.example.com designates 1.2.3.4 as permitted sender)

Other test sites are available; try this one from Return Path.
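Step 3 above has you find the Received-SPF line by eye. The following is an added example, not code from the original post: it pulls that verdict out of a raw header block in code, using the header format RFC 4408 section 7 defines (result, an optional comment in parentheses, then key=value pairs separated by ";"), and copes with a header folded over several lines. The two header blocks are constructed samples in the style of what Gmail's "Show original" shows, not real messages; the domain and addresses are hypothetical.

```python
"""Pull the SPF verdict out of the headers shown by "Show original".

Added example, not part of the original post: step 3 above has you find the
Received-SPF line by eye.  This does it in code, using the header format
RFC 4408 section 7 defines (result, an optional comment in parentheses, then
key=value pairs separated by ";"), and copes with headers folded over several
lines.  The header blocks are constructed samples in the style of what Gmail
shows, not real messages; the domain and addresses are hypothetical.
"""
import re
from email.parser import HeaderParser

# Constructed: a passing message whose Received-SPF header is folded over two lines.
SAMPLE_PASS = """\
Delivered-To: recipient@example.net
Received: from mail.example.com (mail.example.com. [192.0.2.10])
        by mx.google.com with ESMTP id x1si1234567
Received-SPF: pass (google.com: domain of user@mail.example.com designates
 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: user@mail.example.com
Subject: SPF test
"""

# Constructed: the same sender relayed through a host the record does not list,
# against a "~all" policy.
SAMPLE_SOFTFAIL = """\
Received-SPF: softfail (google.com: domain of transitioning user@mail.example.com does not designate 203.0.113.99 as permitted sender) client-ip=203.0.113.99;
From: user@mail.example.com
Subject: SPF test from an unlisted host
"""

RECEIVED_SPF_RE = re.compile(
    r"^(?P<result>pass|fail|softfail|neutral|none|temperror|permerror)"
    r"\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<kv>.*)$",
    re.IGNORECASE | re.DOTALL)


def received_spf(raw_headers):
    """Parse the first Received-SPF header; None if it is absent or malformed."""
    msg = HeaderParser().parsestr(raw_headers)
    values = msg.get_all("Received-SPF") or []
    if not values:
        return None
    value = " ".join(values[0].split())          # unfold and collapse whitespace
    m = RECEIVED_SPF_RE.match(value)
    if not m:
        return None
    parsed = {"result": m.group("result").lower(),
              "comment": (m.group("comment") or "").strip()}
    for pair in m.group("kv").split(";"):        # e.g. client-ip=192.0.2.10
        key, sep, val = pair.strip().partition("=")
        if sep:
            parsed[key.strip().lower()] = val.strip()
    return parsed


def spf_passed(raw_headers):
    """True only for an explicit pass; none/neutral/softfail/fail all mean the record needs work."""
    parsed = received_spf(raw_headers)
    return parsed is not None and parsed["result"] == "pass"
```

`received_spf(SAMPLE_SOFTFAIL)["client-ip"]` gives you the address that was not in the record, which is the first thing to compare against the IP list you gathered in step 1.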