The Intersection of Authentication: where security and BIMI meet

This week’s blog comes from Matthew Vernhout, VP of Deliverability at Netcore Cloud and Founder of the Canadian Email Summit. With two decades of experience in email marketing and a deep understanding of email authentication and deliverability, Matthew is an industry veteran on improving digital marketing programs worldwide.

“Being the last to authenticate leaves your business open to being used as a tool of fraud and phishing”

As an email deliverability and compliance consultant, I’ve lost count of how many times I’ve talked with a brand’s marketing team only to have them tell me “we’re too small to be phished”, “we’re not in ecommerce, so we’re not a target”, “that’s a job for our security team”, or “it’s too hard to get authentication configured properly”. In reality, domains of all sizes and verticals are targets for abuse, even domains that are not configured to send email. Being the last to authenticate leaves your business open to being used as a tool of fraud and phishing. It also means you miss out on all the benefits that are tied to authentication.

I get it, email is hard. But it’s never been easy and it won’t ever get easier. Marketing teams need to work more closely with security groups to protect their brands from spoofing and phishing attacks, and with privacy or legal groups to ensure that their messages comply with the GDPR, CCPA and any other applicable laws. And they still need to reach consumers with compelling messages that drive the business’ goals. Keep in mind that your business succeeding is a team effort, and each group has a part to play in that success.

“Never forget your brand is a target”

Your staff, customers and infrastructure are also targets. Implementing a strong defence with email authentication is a major step towards protecting your business, clients and staff. Strong email authentication solutions like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) will all help you. They also enable the use of Brand Indicators for Message Identification (BIMI), which puts your brand logo into the consumer’s email client.

But why authenticate? Beyond protecting your brand, authentication is a tool to help build your domain reputation. Cleaning up old email solutions that have been forgotten, and fixing broken or outdated authentication records, also leads to better delivery, consumer engagement and, most importantly, conversions. An additional benefit is that the implementation project itself reduces the potential of your brand identity being used for fraudulent purposes that drag your reputation down.

Don’t forget to implement these same authentication checks on your own inbound email as well, to protect your organization from receiving and accepting fraudulent emails. If you’re using a hosted solution like Google Workspace or Office 365, your provider is already running these checks on inbound mail on your behalf.

“Make use of the tools which enable authentication”

Netcore built the GradeMyEmail tool to help any brand easily understand the technical configuration of its email domains. Are your domains properly authenticated? Are your systems properly configured? Are your IPs or domain names blocked? Once you’ve established a baseline you can start planning your road to enforced authentication.

There are several ways to understand the scope of work you need to plan for. Start by publishing your DMARC record with a p=none policy. Use a professional set of tools like OnDMARC to help with this part of the process; you’ll thank me later. After you’ve published this record you’ll start to receive reports showing where mailbox providers are receiving email associated with your domains from, and the current state of its authentication. From these reports you can start to tease out the legitimate email: your corporate email domains and IPs, your marketing email domains and IPs, and you might even find other legitimate or forgotten sources along the way. This first step always takes the longest, but it is also the most important, as it sets everything on the right path.

From here you can make all the required adjustments to your email domains. This involves configuring SPF and DKIM records for each domain and subdomain, without fear of causing delivery issues, since p=none is monitoring only. You’ll need to talk to your IT teams, ESP, ticketing providers, and anyone else that sends mail on your behalf to get them properly configured. After identifying all of the legitimate email sources you can move to the more restrictive p=quarantine and eventually on to p=reject. This is where the magic starts to happen, and the option to implement BIMI becomes available.
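The step described above, reading the aggregate reports a p=none record produces and separating legitimate sources from unknown ones before tightening the policy, is shown in the following script. It is an added example, not code from the original post or from OnDMARC or GradeMyEmail. The report it parses is constructed to resemble the RFC 7489 aggregate (RUA) XML; the domain, IP addresses (documentation ranges) and counts are made up, and the set of “legitimate” IPs is the kind of list you would build yourself from the reports over time.

```python
"""Summarise a DMARC aggregate (RUA) report by sending source.

Added example, not code from the original post or from OnDMARC. The report
below is constructed to resemble the RFC 7489 aggregate-report XML; the
domain, IPs and counts are made up."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a corporate MTA (aligned SPF and DKIM), an ESP (aligned
# DKIM only, since its own envelope domain fails SPF alignment) and an unknown
# source that fails both, i.e. the kind of spoofing a p=none record reveals.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>mbp.example</org_name><report_id>constructed-0001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>800</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return the published policy plus one dict per <record> with the fields needed for triage."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": pe.findtext("dkim"),  # aligned DKIM result as evaluated by the MBP
            "spf": pe.findtext("spf"),    # aligned SPF result as evaluated by the MBP
            "disposition": pe.findtext("disposition"),
        })
    return {"domain": published.findtext("domain"), "policy": published.findtext("p"), "records": records}


def summarise_by_source(records):
    """Per source IP: total messages and how many passed or failed DMARC.

    DMARC passes when aligned DKIM *or* aligned SPF passes, so the ESP with
    dkim=pass / spf=fail is still fully aligned and needs no SPF change."""
    summary = defaultdict(lambda: {"total": 0, "passed": 0, "failed": 0})
    for r in records:
        s = summary[r["source_ip"]]
        s["total"] += r["count"]
        s["passed" if "pass" in (r["dkim"], r["spf"]) else "failed"] += r["count"]
    return dict(summary)


def enforcement_readiness(summary, legitimate_ips):
    """Would moving from p=none to p=quarantine hurt any known-legitimate source?

    legitimate_ips is the set you built from the reports (corporate MTAs, ESP,
    ticketing system). Returns (ready, failing_legitimate, unknown_sources):
    ready is True only when every legitimate source already passes DMARC."""
    failing_legit = {ip: s["failed"] for ip, s in summary.items()
                     if ip in legitimate_ips and s["failed"]}
    unknown = {ip: s["total"] for ip, s in summary.items() if ip not in legitimate_ips}
    return not failing_legit, failing_legit, unknown


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    summary = summarise_by_source(report["records"])
    print(f"domain={report['domain']} published policy p={report['policy']}")
    for ip, s in summary.items():
        print(f"{ip:16} total={s['total']:5} pass={s['passed']:5} fail={s['failed']:5}")
    ready, failing, unknown = enforcement_readiness(summary, {"192.0.2.10", "198.51.100.25"})
    print("ready for p=quarantine:", ready, "| failing legitimate:", failing, "| unknown sources:", unknown)
```

Real reports arrive as gzip or zip attachments at the rua= address and cover many header_from domains and a week or more of traffic, so in practice you accumulate the per-source summary across reports before deciding; the unknown sources that fail both checks are exactly the traffic p=quarantine and p=reject will start to suppress.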

“Implementing BIMI is a major branding win for the marketing team”

BIMI requires that a domain use DMARC with an enforcement policy, so that there is a minimum level of confidence in the sender’s messages. Some mailbox providers (MBPs) add further conditions for BIMI support, such as a good sending reputation or a specific type of email message (i.e. marketing and transactional rather than personal email). Google requires a Verified Mark Certificate (VMC) for use of BIMI in Gmail. BIMI also requires that the brand hold the specific logomark that is to be displayed in the email client. Implementing BIMI is a major branding win for the marketing team, as your logo will now appear next to the From name in the user’s inbox and in the list view on mobile devices.
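The DMARC prerequisite described above can be checked mechanically before a BIMI record is published. The script below is an added example, not code from the original post or from any BIMI tooling. The DMARC records it inspects are constructed, and example.com together with the logo and VMC URLs are placeholders. The pct=100 and sp=none conditions go slightly beyond the post’s wording: they follow the BIMI specification draft’s definition of an enforcing policy (p=reject, or p=quarantine applied to 100% of mail, with no sp=none override for subdomains).

```python
"""Check a DMARC record against BIMI's enforcement requirement and build the
BIMI TXT record. Added example, not from the original post or any BIMI tool.
example.com and the asset URLs are placeholders; the DMARC records are constructed."""


def parse_tags(record):
    """Parse a 'tag=value; tag=value' DNS TXT record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_meets_bimi_policy(dmarc_record):
    """Return (ok, reason) for the enforcing-policy requirement BIMI places on DMARC.

    Assumed requirement (per the BIMI draft, not the post): p=reject, or
    p=quarantine with pct=100 (the default when pct is absent), and sp must
    not be none, since a weaker subdomain policy leaves subdomains spoofable."""
    t = parse_tags(dmarc_record)
    if t.get("v") != "DMARC1":
        return False, "not a DMARC1 record"
    p = t.get("p", "").lower()
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        return False, "pct is not a number"
    if p == "none":
        return False, "p=none is monitoring only, not enforcement"
    if p not in ("quarantine", "reject"):
        return False, f"unrecognised policy {p!r}"
    if p == "quarantine" and pct != 100:
        return False, f"p=quarantine with pct={pct} leaves some mail unenforced"
    if t.get("sp", "").lower() == "none":
        return False, "sp=none leaves subdomains unenforced"
    return True, f"p={p} is enforcing"


def bimi_record(logo_url, vmc_url=None):
    """Value for the default._bimi.<domain> TXT record: l= is the SVG logo, a= the VMC (PEM).

    Both assets are fetched by the MBP, so they must be served over HTTPS."""
    for url in (logo_url, vmc_url):
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"BIMI assets must be served over HTTPS: {url}")
    record = f"v=BIMI1; l={logo_url}"
    if vmc_url:
        record += f"; a={vmc_url}"
    return record


def plan_bimi(dmarc_record, logo_url, vmc_url=None):
    """Return (record_or_None, explanation): emit a BIMI record only once DMARC is enforcing."""
    ok, reason = dmarc_meets_bimi_policy(dmarc_record)
    if not ok:
        return None, f"not ready for BIMI: {reason}"
    return bimi_record(logo_url, vmc_url), "DMARC is enforcing; publish this at default._bimi.<domain>"


if __name__ == "__main__":
    # Constructed records: the monitoring record from the start of the rollout
    # and the enforcing record reached at the end of it.
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", plan_bimi(rec, "https://example.com/brand/logo.svg",
                                   "https://example.com/brand/vmc.pem"))
```

The a= tag is what Gmail’s VMC requirement refers to; a record without it is still valid BIMI for providers that do not require a certificate, which is why the function makes it optional.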

“Email takes a village, and your partners are looking to help protect your brand”

Remember that email is hard; it takes a village to get it right, and your internal and external partners are looking to help you protect your brand and consumers. Taking the time to properly configure your email with all the right authentication records now ends with the added benefit of your logo in the consumer’s inbox. This builds a true win-win for your organization, your customers, and the mailbox providers looking to stop the influx of spam and fraud being sent to their networks.

About Matthew Vernhout:

Matthew Vernhout (@emailkarma) is Netcore’s Vice President of Deliverability, North America. He is a digital marketing and privacy advocate, and also acts as chairperson of the Email Experience Council (eec), director at large with the Coalition Against Unsolicited Commercial Email (CAUCE), Marketing Chair with the AuthIndicators Working Group, founder of the Canadian Email Summit, and co-founder of Privacy Summit North and GradeMyEmail.co. He is a trusted industry expert, recognized as the 2019 EEC thought leader of the year, and is a Certified Information Privacy Professional (Canada) (CIPP/C). Matthew speaks frequently at email marketing and technology conferences around the globe, and maintains his celebrated blog, EmailKarma.net.

Published by Red Sift, 8 Jul. 2021
