Beyond Authentication: Keys to Email Delivery Success
Author: Matt Blumberg, CEO, Return Path
Wednesday, 13 July 2005, 12:55 GMT

When it comes to making sure your emails get properly delivered into the inbox, email authentication is just one piece of the puzzle. This whitepaper will discuss email authentication protocols in the context of broader reputation and accreditation systems, and it will detail steps every email sender needs to consider today to achieve 100% delivery to the inbox.

Lately there has been a lot of discussion about email authentication protocols and their impact on email marketers. With Microsoft leading the charge with Sender ID – implementing the first rules around non-compliance (see sidebar) – authentication has jumped to the forefront of the spam debate. Marketers are hoping that the email authentication crackdown, and their compliance with it, will lead to an increase in email delivery rates. But will it work?

Sidebar: At Microsoft domains, emailers who do not publish a proper Sender ID record are now going to (a) have their emails placed in the bulk mail folder at Hotmail and MSN, and (b) have a text alert/disclaimer placed on top of their emails by Microsoft warning users that the source of the email can't be authenticated.

Return Path views email authentication as a necessity to stop phishing and other fraud, and as a foundation for future spam solutions. Authentication alone will not stop spam or lead to better email delivery rates. Here’s why:

- Authentication WILL make a big dent in spoofing, phishing, and fraud because those particular elements of email deviance are identity-based. Therefore, identity authentication will either stop those things, make it easier for consumers to steer clear of them, or make it easier for law enforcement to go after them.

- Authentication WILL NOT make a big dent in spam right away because spam is much more nuanced than fraud. Just because an ISP knows you are who you say you are, does not mean they want to accept your email. Spammers can publish authentication records, too. And they do, in record numbers.

- Authentication WILL lay the foundation for longer-term spam solutions. Email receivers need to understand exactly who is sending mail into a network in order to answer the next question of "do I want to accept that mail?" We think the answers to that question lie with accreditation and reputation services.

Three Steps to Email Delivery Assurance

In addition to email delivery monitoring and proactive troubleshooting, every sender of email should be considering three things if they want to achieve higher delivery rates:

1) Set up authentication records for SPF, Sender ID, and DomainKeys.

2) Pay close attention to email reputation, and proactively try to improve it.

3) Consider email accreditation programs, if standards can be met.

The Importance of Authentication

Authentication comes in two forms: IP-based and cryptographic. IP-based authentication ties a responsible sending domain back to a set of permitted IP addresses, which requires publishing text records in the Domain Name System (DNS) for every one of your domains. Examples of an IP-based solution are SPF and Sender ID. Cryptographic authentication signs each message in a way that is impossible to spoof, proving that the message came from the indicated sending domain. An example of a cryptographic approach is Yahoo’s DomainKeys.

Each set of authentication requirements is different. AOL (and other receivers) use Sender Policy Framework (SPF); Microsoft (Hotmail, MSN, Exchange) uses Sender ID; and Yahoo! is promoting DomainKeys. Authentication is important to delivery for the reasons already outlined – it will be necessary for delivery acceptance at some ISPs, and could influence how email appears in some readers. Because no single method is widely accepted by all ISPs, it is important to comply with the authentication requirements set by the primary players. Authentication will play a huge role in email reputation systems going forward.

Email Reputation Systems

Email reputation will become the next layer to authentication – once an ISP knows who a sender is, they will then be able to determine whether to accept that sender’s email based on reputation data.

“Reputation” sounds like a nebulous term – who judges it? What’s good, and what’s bad? The goal of reputation systems is to make email reputation more transparent – allowing senders to see the standards that email receivers care about, and giving them the information they need to make improvements to their email programs.

Email reputation is based on numerous factors: complaint rates, identity stability, unknown user volume, security practices, unsubscribe policies and more. Most of these factors can be measured, quantified, and weighted.

By looking at those factors for each mailer as compared to their peers, receivers establish reputation-based standards for their platforms. They do this already, though formalized systems such as Return Path’s Sender Score will give them broader information on which to base their decisions. Likewise, that same information allows email senders to see where they stand and what they need to do to improve their reputation in the eyes of the email delivery gatekeepers.

Email Accreditation Systems

For companies with the best email reputations, email accreditation becomes the next key to inbox reach. Accreditation systems such as Return Path’s Bonded Sender Program analyze a company’s email program against a strict set of best practice guidelines, and if a program is accepted, email sent by that company is exposed to less filtering by email receivers. While there is no way to “guarantee” email delivery, accreditation is the closest thing to a guarantee at email receivers that accept accreditation systems.

In the case of Bonded Sender, the certification process is conducted by TRUSTe, an independent third party. Much of the same data that is looked at in reputation systems is considered as part of an accreditation application – those with the best email reputations are much more likely to gain acceptance into premier accreditation programs.

Early Bonded Sender studies show at least a 21 percent increase in inbox delivery rates for companies in the program, with average delivery rates surpassing 95 percent.

No Silver Bullet

The important thing to remember when it comes to email deliverability is this: there is no easy way to ensure all email gets to the inbox. Companies must work for email delivery success, managing a constantly changing industry landscape. The good news is that there are guidelines to follow, and supporting resources available, to help ensure that delivery rates are as high as they can be on a consistent basis. For starters, make sure your email program follows the guidelines outlined in the following Email Deliverability Checklist.

For more information about authentication, reputation, accreditation or general email deliverability, email or visit

Email Deliverability Checklist

Ten things all email senders need to do to get more email to the Inbox

Test campaigns for content and configuration issues before sending

- Use a pre-campaign monitoring system to test creative against primary filtering packages.
- Check campaigns for image-rendering and filtering issues at the primary ISPs

Monitor campaign delivery across the primary ISPs and B2B filters

- Use a seed list system to gauge Inbox, Bulk, or Missing status

Minimize complaint rates

- Manage your registration process so that you can meet future expectations
- Use the highest permission standard you can support
- Always respect unsubscribe requests
- Ensure your content/program relevancy is on target – it impacts behavior
- Conduct complaint analysis: where are they coming from?

Keep your email list clean

- Use a bounce algorithm that will remove all bad addresses from your file promptly, handling both “inline” and “message” bounces.
- Process your file through a consumer-reported Email Change of Address service.
- Run your file through a list hygiene service.
- Require double entry of addresses for accuracy.
- Check addresses for RFC compliance & ISP standards.
- Send a welcome message and pull bounces off immediately.
- Manage your reputation by understanding how ISPs look at you.

Ensure proper server configuration

Establish email authentication records

If you follow all email best practices, apply for an email accreditation program.
