On Friday I talked a little about DMARC being a negative assertion rather than an authentication method, and also about how and when it could be deployed without causing problems. Today, how DMARC went wrong and a partial fix for it that is coming down the standards pipeline. What breaks? DMARC (with p=reject) risks causing problems any time mail with the protected domain in the From: field is...
We know that legitimate email sent with valid SPF and a DKIM signature often breaks in transit. SPF will fail any time mail is forwarded – via a mailing list, a forwarding service used by the recipient, or just ad-hoc forwarding. DKIM will fail any time the message is modified in transit. That can be obviously visible changes, such as a mailing list tagging a subject header or adding a...
All the authentication and DMARC in the world can’t save you from stupid. I just got a survey request from my bank. Or, at least, it claimed to be from my bank. From: Barclays International Banking Survey <internationalbanking@barclayssurveys.com> The mail passed SPF (though the SPF record suggests this is being mailed from all over the place) and was validly DKIM signed for...
Phishing is an online threat that’s been around for more than 20 years. I initially heard of it in relation to spammers taking over an AOL account to send out spam. These days phis is more dangerous and more sophisticated. Phishing is not just used to send spam. It’s used to take over elections; it’s used to steal millions of dollars. Experts estimate that globally phishing...
Using unique addresses for signups gives me the ability to track how well companies are protecting customer data. If only one company ever had an address, and it’s now getting spam or phishing mail, then that company has had a data breach. The challenge then becomes getting the evidence and details to the right people inside the company. In one case it was easy. I knew a number of people...
April was a big travel month for us. I went to Las Vegas for meetings around the Email Innovations Summit and to New Orleans, where Steve spoke on the closing keynote panel for the EEC conference. I wrote several posts this month about privacy and tracking, both in email and in other online contexts. It’s increasingly a fact of life that our behaviors are tracked, and I wrote about the need for...
Yesterday I had the pleasure of attending my first ESPC semi-annual meeting. I was scheduled to talk on a panel about list hygiene with a couple vendors. Because some folks didn’t make it, I also sat on the panel talking about blocklists. It was a fun day. I got to meet and talk with some colleagues I haven’t seen in an age. And I met some new faces and had interesting interactions...
One of the questions I get from folks about delivery is what the optimal text to image ratio there should be in an email. I’ll be honest, I hate this question. Why? Because the question is actually irrelevant. I’ve seen companies with a single image and no text get to the inbox. I’ve seen companies with no images get to the inbox. The text to image ratio is not going to make or...
I talked last week about how incentivizing people to sign up for your mailing list could be effective when it’s done well. This week I’m staying at a Large International Hotel Chain and I’ve got a great example of what happens when it’s done poorly. The “free” wifi requires you to join the hotel’s loyalty programme. I’ve done that in the past, so I...
We’ll be in New Orleans next week for the EEC conference. Steve will be on the closing keynote panel taking about subscription bombing. Say hi! while you’re there!
Happy Friday!
RSS - Posts