Authentication GUIDE. Frequently Asked QUES T ION S T OGETHER STRONGER

Transcription

1 Authentication GUIDE Frequently Asked QUES T ION S T OGETHER STRONGER

2 AUTHENTICATION Marketers that use for communication and transactional purposes should adopt and use identification and authentication protocols. This document will explain what authentication is including some recommendations on what you should do as an marketer to implement these guidelines within your organization. * This Guide should not be considered as legal advice. It is being provided for informational purposes only. Please review your program with your legal counsel to ensure that your program is meeting appropriate legal requirements.

3 THIS COMPLIANCE GUIDE COVERS: Basics of Authentication Technologies Basic FAQs on the DMA s Authentication Guidelines Implementation: Complementary Types of Authentication Systems Beyond Authentication: Reputation Authentication Resources for Marketers 1. What Do the DMA s Authentication Guidelines Require? The DMA s guidelines require marketers to choose and implement authentication technologies in their systems. It is up to your company to decide what kind of authentication protocol to use, though all are recommended based on current-day trends. The DMA does not require nor endorse the use of any specific protocol, as there are several interoperable, inexpensive, and easy to implement solutions available today. 2. Why does the DMA Require Members to Authenticate Their Systems? The DMA requires its members to authenticate their systems primarily because mailbox providers (aka ISPs, MSPs or receivers) are increasingly requiring authentication. This strongly aligns with a growing trend in the deliverability industry that s leaning more towards domain-based reputation (as opposed to IP-based reputation a couple of years ago). Secondly, authentication improves the likelihood that legitimate/wanted will get delivered to the intended recipient s inbox folder. Additionally, authentication reduces the likelihood of spam, spoof and phishing attacks (thus protecting the integrity of marketers brands). Authentication is seen as one way to make the marketing arena more secure and improving consumer confidence in , thus preserving it as a valuable marketing communications tool. 3. Does DMA s Authentication Guideline Require Marketers to Authenticate Inbound s, Outbound s, or Both? The guideline applies only to outbound that marketers send either from their own IP addresses or via the use of a third-party service bureau. 1

4 4. Is Authentication Required Just for Marketing Messages? No, DMA s Authentication Guideline applies to ALL outbound messages that marketers send or that their third-party service bureaus send on their behalf. 5. Does the Guideline Apply to B-to-B Marketers? Yes, the DMA believes that similar common best practices in deliverability for consumer promotions should be used for business-to-business campaigns. 6. Does the Guideline Apply to Nonprofits? Yes, non-profit organizations, as well as for-profit businesses, should authenticate the messages they send. BASICS OF AUTHENTICATION TECHNOLOGIES 1. What is an Service Provider (ESP)? A company that offers services to send (bulk/marketing) on behalf of a marketer. 2. What is an Internet Service Provider (ISP)? A service provider that provides access to the Internet (and most times an account). 2

5 3. What methods/types of Authentication are out there? There are a few major authentication methodologies: Sender Policy Framework (SPF) - an IP-based solution, DomainKeys Identified Mail (DKIM) - a cryptographic solution, Domain-based Message Authentication, Reporting & Conformance (DMARC) - builds on the widely deployed SPF and DKIM protocols. The goal of the first two is similar: create a public record against which to validate messages so that a sender s legitimacy can be verified. Both the SPF and DKIM technologies work to verify that the sender is authorized to send mail. 4. What is the Difference Between IP-Based Authentication and Cryptographic Authentication? A fundamental difference between IP-based and cryptographic authentication solutions is that cryptographic technology protects the integrity of the content, while IP-based technology verifies or proves that the sender is authorized by the domain owner to send What is the Domain Name System (DNS)? The Domain Name System (DNS) is an Internet directory service. DNS is where companies publish information about their domains. 6. What is Transport Layer Security (TLS)? Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). TLS for isn t required but has been widely adopted following revelations of government snooping. Some ISPs (like Google s Gmail) add a warning flag to messages that were received without TLS encryption. For this reason it is recommended that all outbound support TLS. An overview of TLS is available at: with an FAQ available at safer /faq/. 3

6 IMPLEMENTATION OF COMPLEMENTARY TYPES OF AUTHENTICATION SYSTEMS: SPF, DKIM AND DMARC 4

7 Sender Policy Framework (SPF): 1. What is it? SPF is an IP-based technology that verifies the sender IP address by cross-checking the domain in the address listed in the non-visible Mail From line of an against the published record a domain owner has registered in the Domain Name System (DNS). SPF technology is free to all users. An SPF record is a list of computer servers or IP addresses that senders indicate are authorized to send that claims to be coming from their domain. When you publish an SPF record for your domain, you declare which IP addresses are authorized to send out on your behalf. SPF allows senders/marketers effectively to say, I only send mail from these machines (IP addresses/servers). If any other machine claims that I'm sending mail from there, they are not telling the truth. 2. How Do I Implement Sender Policy Framework (SPF)? Run an audit, write a list of all IP addresses that send on your behalf. As an extra precaution, talk to your IT staff & any Service Providers you work with to ensure you don t miss any IP addresses. Create your SPF record. provides syntax details and tools to help with this. Publish your SPF record in DNS. Verify that your SPF record is published & working. (i) An easy-to-use third-party tool can be found at com/authentication: a. Input your domain name in text box to check a published SPF record b. View Results. You should see This seems to be a healthy SPF record, meaning the SPF record is good to go. 5

8 DOMAINKEYS IDENTIFIED MAIL (DKIM) 1. What is it? DomainKeys Identified Mail is a cryptographic, signature-based form of authentication. DKIM is offered to all users free of charge. The DKIM specification is available at DKIM requires senders to generate public/private key pairs and then publish the public keys into their Domain Name System (DNS) records. The matching private keys are stored in a sender s outbound servers, and when those servers send out , they generate message-specific signatures that are added into additional, embedded headers. The DKIM authentication process involves checking the integrity of the message using the signature header and verifying whether the key used to sign the message is authorized for use with the sender s address. This step currently involves utilizing the DNS record of the sending domain. The authorization records in the DNS contain information about the binding between a specific key and address. Using a US Postal Service analogy DKIM is like verifying a unique signature which is valid regardless of the envelope or letterhead it was written on. ISPs that authenticate using DKIM look up the public key in DNS and then can verify that the signature was generated by the matching private key. This ensures that an authorized sender actually sent the message, and that the message headers and content were not altered in any way during their trip from the original sender to the recipient. 6

9 DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE (DMARC) 1. What is it? DMARC is an authentication protocol that builds on the SPF and DKIM protocols. SPF and DKIM provide valuable authentication capabilities but have some shortcomings. First they operate on different from addresses (the visible from versus the envelope from ). Second they provide no feedback mechanisms for domains to know when fails, or when their domain is being spoofed. Finally they provide no guidance to receiving sites as to what to do with messages that fail authentication. DMARC addresses these three issues as it uses domain alignment to match the envelope From address checked by SPF to the visible From address checked by DKIM. It provides a reporting function that allows senders and receivers to monitor and improve domain protection from fraudulent . Finally it provides a mechanism whereby domains can suggest to receivers what to do with mail that fails DMARC. DMARC Overview: A brief, non-technical overview is available at A more detailed explanation & overview can be found at Many domains, including major ISPs, are checking DMARC and utilizing it as part of their spam filtering decisions and many more are implementing the reporting function. 2. How Does Authentication Reduce and Protect Against Spam? Spam causes problems for both consumers and marketers. The spam problem is not going away, and spammers quickly adapt to filters set up by Internet and Mailbox Providers thus blurring the perception in consumers minds of which commercial is legitimate and which is spam. Authenticated helps ISPs and Mailbox Providers better identify legitimate . Spammers are then distinguished from senders of 7

10 legitimate enabling wanted mail to be delivered to consumers with higher certainty and at a lower cost. 3. How Does Authentication Reduce and Protect Against Spoofing and Phishing? Spoofing is the forging of another person s or company s address. Phishing is sending an that attempts to trick recipients into giving out personal information, such as credit card numbers or account passwords. The pretends to be from a legitimate source, such as a user s bank, credit card company, or online Web merchant. Most phishing attacks come from in which the sender s name in the From Line has been forged or spoofed. Authentication makes it easier for ISPs to identify such fraudulent prevent it reaching its intended victims. 8

11 BEYOND AUTHENTICATION: REPUTATION 9

12 Authentication and reputation are fundamentally linked. Authentication alone is not sufficient for Internet Service Providers (ISPs) to make deliver/non-deliver decisions. Authentication verifies authorization to send, but it doesn t tell mailbox providers anything about whether the authorized sender is legitimate or a spammer. This is where reputation and whitelisting come into play. 1. What is a Company s Reputation? Reputation is a way for ISPs to combine the sender s identity with additional information about the sender s practices. Reputation is based on numerous factors: complaint rates, identity stability, unknown user volume, security practices, unsubscribe policies, and more. Most of these factors can be measured, quantified and weighted by Internet Service Providers (ISPs) and Service Providers (ESPs). 2. What Metrics Should I Monitor to Ensure That My Reputation is Good? There are a few simple steps marketers can take to ensure that their Reputation remains in good standing with ISPs. Good List Hygiene: Sending to too many addresses that don t exist isn t only a trait of spammers it is a trait of any entity that is considered to have poor marketing practices and is sending spam. ISPs acknowledge that there is a lot of churn in terms of consumers changing addresses, and because of that they do allow for some margin of error. However, it is generally accepted that marketers should aim to keep invalid addresses at less than 3-5% of each mailing. Of course, reducing these types of errors isn t just good for deliverability, but for Return on Investment (ROI) as well. Sound Sending Infrastructure: A common trait of spamming is to redirect bounces and replies to spoofed, non-functional or non-existent return addresses. Therefore, to differentiate themselves, legitimate senders are expected to be capable of receiving the volume of bounces that typically accompanies any high volume campaign. Most ISPs require that senders are capable of receiving at least 90% of messages that are bounced back to them when they attempt to to an invalid or unknown address. When an sender does not accept bounce back error replies it is considered suspicious behavior and the sender may be identified as a spammer. If an ISP becomes suspicious of an sender it may ask high volume senders to adjust the number of simultaneous connections to their networks. Or it may institute mail volume throttling (spreading out the number of s sent over a long period of time). High Relevance/Low Complaint Rate: Having good list hygiene and sound delivery infrastructure are the foundation to having a good reputation but keeping complaint rates 10

13 low is where a company can significantly improve or damage its reputation. The key to having a low complaint rate is making sure that your is relevant and delivers value to the recipient. In general, ISPs believe there should be little to no reason for a consumer to complain about legitimate . Marketers should aim to keep their complaint rate below 0.1 percent. The complaint rate is calculated by dividing the total number of complaints by the total number of delivered s in a specific mailing. Just two or three complaints per thousand s delivered could result in short-term blocking by ISPs that employ reputation systems, and severe long-term blocking if the sender does not bring the complaint rate under control. 3. What is a Whitelist? A whitelist is a list/process that some ISPs (and mailbox providers and receivers) use to allow marketers/senders to send s into their networks of end users without being subjected to certain/stricter) levels of filtering (anti-spam/policy/volume filters, etc). In recent years most ISPs have moved away from whitelisting in favor of more sophisticated filtering. 4. What Are Feedback Loops? A complaint feedback loop (FBL) is a technical system where ISPs share spam complaints with senders in order to monitor list health and to remove complainants from their lists. An FBL is essential for marketers to identify & resolve high complaint campaigns and messaging streams emanating from their IP address/computer networks. Best Practices for Implementing Authentication Protocols: Assign an individual or group at your company to be responsible for working with other relevant departments and vendors to implement authentication. Authenticate using more than one technology. SPF, DKIM and DMARC are interoperable free technologies that have different deliverability success rates with different ISPs. For best results, authenticate your systems with one or more technologies. Know your customers and where you are mailing to. Follow developments in the industry field including technological white papers and industry or government-sponsored workshops. Research the major protocols to determine the best solution(s) for your company. Develop a policy for assigning domain and sub-domain names. 11

14 Develop a way to measure the impact of authentication in terms of higher deliverability to those you wish to reach. Research ways to authenticate incoming to your company. 5. What is the Difference Between Pass, Fail and Soft Fail of an Message? If a message passes an ISP s authentication check it means the meets the standards for that ISP s definition of a legitimate message and is likely to be delivered to the recipient s inbox. If a message fails an authentication check it did not meet the standards for that ISP s definition of a legitimate message and likely will not be delivered to the intended recipient s inbox. It will either directed to the recipient s spam/junk folder, or the message may be blocked. A soft fail is a message that is a probable fail according to the ISP s standards; A soft fail message usually comes from a sender or IP address that is not listed on the ISP s list of authenticated senders but is not an outright failed message. AUTHENTICATION RESOURCES FOR MARKETERS There are many Authentication resources available, including: Sender Policy Framework (SPF) info page: DomainKeys Identified Mail (DKIM) Information page: Domain-based Message Authentication, Reporting & Conformance (DMARC): Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG): The Federal Trade Commission has held some workshops on this issue, for example: mail-authentication-summit 12

15 Mailing Address 1333 Broadway, Suite 301 New York, NY experience.org