Over on the Magill Report, Stephanie Colleton from Return Path shares her thoughts on how to tell whether or not an email message is legitimate.
Let’s add to that some more thoughts from Return Path’s Lauren Soares.
Then let’s add to that some of my own thoughts specifically for email senders.
Every company sending email today ought to:
- Use DKIM authentication. It's not the be-all and end-all, but signing your mail makes it easier for the receiving ISP to separate good mail from bad. (Sure, spammers sign their mail, too. But a valid signature doesn't overcome a bad sending reputation; DKIM only proves which domain took responsibility for the message, and reputation attaches to that domain.)
- Use DMARC if you can. It doesn't make sense for everyone, but if your domain sends lots of bulk mail (marketing messages, transactional messages), or you represent a brand that is, was, or could become a phishing target, you really ought to consider publishing a DMARC policy. DMARC ties SPF and DKIM results back to the domain in the visible From header, tells receivers what to do with mail that fails (none, quarantine, or reject), and sends you aggregate reports showing who is sending mail as your domain.
- Think about your From address and link domains. If your main domain name is domain.com, don't send mail as domain3.com or domainmail.com. Subscribers can't tell a legitimate lookalike from a phisher's lookalike, and mail from an unrelated domain gets no protection from the DMARC policy on domain.com. If you need a separate domain or subdomain for an outsourced service provider, make it a subdomain under your main domain (email.domain.com instead of domainemail.com) so it still aligns with the parent domain under DMARC's relaxed alignment.
- Think about what you're actually putting in the body of those messages. Be careful not to do the things phishers do. If you're a financial institution, is it wise to include links back to a login page? How much PII (personally identifiable information) are you putting in email messages?
I’m sure I’m barely scratching the surface here. What else should senders be doing to help reduce, mitigate or prevent phishing/domain misuse? What else should companies be doing to help educate their subscriber base on how to tell good emails from bad emails?