Working around email security

One of the common things I see as a delivery consultant is that companies do their best to set effective policies about email, but make it difficult to comply with those policies. It happens all the time. It’s one of the reasons that the tweets Steve shared about Sec. Clinton’s email server rang so true to me.

One of the commenters on that post disagrees, and uses banks and health care as an example.
Erik says:

Disagree. I work for a bank – highly regulated, just like health care and the government itself.
We go through quarterly compliance training – yes every three months. I can assure you anyone working on department of state information systems also has security clearance and goes through compliance training.
They knew what they were doing and did it anyway, my theory is that some higher up (Clinton or direct report) asked for it and someone was afraid to say no.

Banks and health care companies are notorious for registering new domains and creating infrastructure because they can’t do what they want through normal IT channels. I’ve had both industries as clients and I’m a consumer of mail from both. I’ve had conversations with folks in their security and their marketing departments. If anything, banks and health care are prime examples of how companies will work around things.
Generally the workaround involves registering an entirely new domain and then authenticating that domain through their ESP. It’s mail that’s sent to customers by the bank, but it’s not the primary bank domain. This can be done for all sorts of reasons.
In at least two cases a bank registered a new domain to use for alerts of a security breach. In one case it was my credit card company, sending to the tagged address only the company had. I called the bank and they told me it was a phish and not to answer it. Except if that was true, there was a much bigger breach as only the bank had that address of mine.
In another case a bank sent us an alert that a system one of our customers uses for invoicing and payments was compromised. Again, the bank sent out an alert. That alert failed DKIM checking and was unauthenticated email. I’d believe this was a phish / spoof, except I use tagged addresses and I know that only the supplier portal had that address. If it was a phish, it was a phish using data stolen from the company.
To be fair, things are getting better. Banks are working to consolidate domains and stop using so many different domains. I even had a discussion with one bank employee earlier this year at CNX16 about the delivery implications of the consolidation they’re undergoing. It seems a different division was having problems with a blocklist and she was concerned those problems would spread to her mail when they consolidated the domains.
As I was writing this post I discovered that our health insurance company has finally started DMARC-protecting the cousin domain they use to send billing notices. Last year they weren’t, and I used them as an example during one of my talks to a health care audience. Many of the DMARC advocates were loudly trumpeting that this company was protecting all their mail with DMARC, but they weren’t; they were only protecting part of it. So things are improving.
The point is that this isn’t unusual at all. IT can’t do what part of the company needs, whether for policy or budget reasons, and so options are explored. Those options are often registering a new domain and handling the mail on external hardware. It is common business practice, even in highly regulated industries like health care and banking. It does seem to be becoming less common, which is great! But let’s not pretend that email is some perfect bastion of security and policy compliance in regulated industries.
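The difference between a primary domain with a DMARC policy, a cousin domain that only monitors, and a cousin domain with no record at all is easiest to see in code. The following Python is an added example, not code from this post or its author: it takes the RFC5322.From domain and an Authentication-Results header, looks up the domain's DMARC record in a constructed table (bank.example, bank-notices.example and alerts-from-bank.example are invented stand-ins for DNS), checks SPF and DKIM alignment, and returns the disposition a receiver would apply. The organizational-domain logic is simplified to the last two labels; real implementations consult the Public Suffix List.

```python
"""DMARC disposition of a message from its Authentication-Results header.

Added example for this post, not the author's code. DNS is replaced by the
constructed DNS_TXT table; org_domain() simplifies the Public Suffix List
logic that real DMARC implementations use.
"""

# Constructed records: a primary domain at p=reject (subdomains quarantined,
# strict DKIM alignment), a cousin domain that only monitors (p=none), and
# a cousin domain, alerts-from-bank.example, with no DMARC record at all.
DNS_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc@bank.example",
    "_dmarc.bank-notices.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the DMARC default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified here to the last two labels."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def lookup_policy(from_domain):
    """Policy for a From domain: its own record, else the organizational
    domain's record with the sp= (subdomain policy) tag applied."""
    own = DNS_TXT.get("_dmarc." + from_domain.lower())
    if own is not None:
        return parse_dmarc(own)
    org = org_domain(from_domain)
    if org == from_domain.lower():
        return None  # no record anywhere: unauthenticated mail is untouched
    txt = DNS_TXT.get("_dmarc." + org)
    if txt is None:
        return None
    tags = parse_dmarc(txt)
    if tags and "sp" in tags:
        tags = dict(tags, p=tags["sp"])
    return tags


def parse_auth_results(header):
    """Minimal Authentication-Results (RFC 8601) parser: returns
    {method: (result, domain)} for the spf and dkim stanzas."""
    results = {}
    for stanza in header.split(";")[1:]:  # element [0] is the authserv-id
        tokens = stanza.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        domain = None
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if key in ("header.d", "smtp.mailfrom"):
                domain = val.rpartition("@")[2].lower()
        results[method.lower()] = (result.lower(), domain)
    return results


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, auth_results_header):
    """Return 'pass', 'no-policy', or the applicable p= value (none/quarantine/reject)."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return "no-policy"
    ar = parse_auth_results(auth_results_header)
    spf_result, spf_domain = ar.get("spf", ("none", None))
    dkim_result, dkim_domain = ar.get("dkim", ("none", None))
    if spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"]):
        return "pass"
    if dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"]):
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # The unauthenticated alert from the post, sent from a cousin domain with no record:
    print(dmarc_disposition("alerts-from-bank.example",
                            "mx.example; dkim=fail header.d=alerts-from-bank.example"))
```

The last call returns "no-policy": with no DMARC record on the cousin domain, a failed DKIM check gives the receiver nothing to act on, which is exactly why an alert from such a domain is indistinguishable from a phish at the policy level. The same failed check against bank.example returns "reject".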
