The Intersection of Authentication: where security and BIMI meet

This week’s blog comes from Matthew Vernhout, VP of Deliverability at Netcore Cloud and Founder of the Canadian Email Summit. With two decades of experience in email marketing, and a deep understanding of email authentication and deliverability, Matthew is an industry veteran on improving digital marketing programs worldwide.

“Being the last to authenticate leaves your business open to being used as a tool of fraud and phishing”

As an email deliverability and compliance consultant I’ve lost count of how many times I’ve talked with a brand’s marketing team only to be told “we’re too small to be phished”, “we’re not in ecommerce, so we’re not a target”, “that’s a job for our security team”, or “it’s too hard to get authentication configured properly”. In reality, domains of all sizes and verticals are targets for abuse, including domains that are not configured to send email at all. Being the last to authenticate leaves your business open to being used as a tool of fraud and phishing. It also means you miss out on all the benefits that come with authentication.

I get it, email is hard. It has never been easy and it won’t get easier. Marketing teams need to work more closely with security groups to protect their brands from spoofing and phishing attacks, and with privacy or legal groups to ensure that messages comply with the GDPR, CCPA and any other applicable laws. And they still need to reach consumers with compelling messages that drive the business’s goals. Keep in mind that your business succeeding is a team effort and each group has a part to play.

“Never forget your brand is a target”

Your staff, customers and infrastructure are also targets. Implementing strong email authentication goes a long way toward protecting your business, clients and staff. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) will all help you, and together they are the prerequisite for Brand Indicators for Message Identification (BIMI), which puts your brand logo into the consumer’s email client.

But why authenticate? Beyond protecting your brand, authentication is a tool that helps build your domain reputation. Cleaning up old email solutions that have been forgotten and fixing broken or outdated authentication records also leads to better delivery, consumer engagement, and most importantly conversions. An additional benefit is that the implementation project itself reduces the potential for your brand identity to be used for fraudulent purposes that drag your reputation down.

Don’t forget to enforce these same checks on your inbound email to protect your organization from receiving and accepting fraudulent messages. If you use a hosted service such as Google Workspace or Office 365, your provider already runs SPF, DKIM and DMARC checks on inbound mail on your behalf. Keep in mind that any receiver can only act on the policy a sending domain publishes, so inbound protection is only as strong as what other domains, and your own, have put in DNS.

“Make use of the tools which enable authentication”

Netcore built the GradeMyEmail tool to help any brand easily understand the technical configurations of their email domains. Are your domains properly authenticated? Are your systems properly configured? Are your IPs or domain names blocked? Once you’ve established a baseline you can start planning your road to enforced authentication.

There are several ways to understand the scope of work you need to plan for. Start by publishing a DMARC record with a p=none policy and a rua= reporting address; p=none changes nothing about how receivers treat your mail, it only switches on the reporting. Look to use a professional set of tools like OnDMARC to help with this part of the process, you’ll thank me later. Once the record is published you’ll start to receive aggregate reports showing where mailbox providers are receiving email associated with your domains from and the current state of its authentication. From these reports you can start to tease out the legitimate emails from your corporate email domains and IPs, your marketing email domains and IPs, and you might even find other legitimate or forgotten sources along the way. This first step always takes the longest, but it is also the most important, as it sets everything on the right path.

From here you can make the required adjustments to your email domains: configuring SPF and DKIM for each domain and subdomain, which at p=none you can do without fear of DMARC causing delivery issues. You’ll need to talk to your IT teams, ESP, ticketing providers, and anyone else that sends mail on your behalf to get them properly configured, and where a vendor signs with its own domain, to get its DKIM signing aligned with yours. After identifying all of the legitimate email sources you can move to the more restrictive p=quarantine and eventually p=reject. This is where the magic starts to happen, and the option to implement BIMI becomes available.
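The report-reading step described above, as an added worked example that is not part of the original post: a small Python parser for a DMARC aggregate (RUA) report that totals results by sending IP and sorts the sources into the buckets the clean-up work is about. The report XML, IP addresses and domain names are constructed for the example; the `known_legitimate_ips` set stands in for the inventory you build with your IT team, ESP and vendors.

```python
"""Triage a DMARC aggregate (RUA) report by sending source.

Added example, not part of the original post. The report XML, IP
addresses and domain names below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report: one aligned source, one ticketing vendor that signs
# DKIM with its own domain (so neither DKIM nor SPF align), and one spoofer.
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>brand.example</domain><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>brand.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>brand.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>ticketing-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.ticketing-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <spf><domain>brand.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published_policy, stats keyed by source IP).

    Real reports arrive by email from third parties: parse those with
    defusedxml rather than the stdlib parser used here on our own sample.
    """
    root = ET.fromstring(xml_text)
    published = {c.tag: (c.text or "").strip() for c in root.find("policy_published")}
    sources = defaultdict(lambda: {"count": 0, "pass": 0, "fail": 0,
                                   "dkim_domains": set(), "spf_domains": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; a DKIM pass under
        # auth_results for some other domain does not satisfy DMARC.
        aligned = (evaluated.findtext("dkim") == "pass"
                   or evaluated.findtext("spf") == "pass")
        stats = sources[ip]
        stats["count"] += count
        stats["pass" if aligned else "fail"] += count
        for d in rec.findall("auth_results/dkim"):
            stats["dkim_domains"].add(d.findtext("domain"))
        for d in rec.findall("auth_results/spf"):
            stats["spf_domains"].add(d.findtext("domain"))
    return published, dict(sources)


def classify_sources(sources, known_legitimate_ips):
    """Sort sources into the buckets the clean-up work is about.

    legit_failing   -> a sender you own whose SPF/DKIM alignment needs fixing
    unknown_passing -> an authenticated sender you did not know about
    unknown_failing -> most likely spoofing, or a forgotten system
    """
    buckets = {"legit_passing": [], "legit_failing": [],
               "unknown_passing": [], "unknown_failing": []}
    for ip, stats in sorted(sources.items()):
        who = "legit" if ip in known_legitimate_ips else "unknown"
        if who == "legit":
            state = "passing" if stats["fail"] == 0 else "failing"
        else:
            state = "passing" if stats["pass"] > 0 else "failing"
        buckets[f"{who}_{state}"].append(ip)
    return buckets


def enforcement_ready(sources, known_legitimate_ips):
    """True once every known legitimate source passes DMARC on all its mail."""
    return not classify_sources(sources, known_legitimate_ips)["legit_failing"]
```

The `dkim_domains` set is the detail worth looking at for a `legit_failing` source: in the sample, the ticketing vendor's mail carries a valid DKIM signature for `ticketing-vendor.example`, which passes DKIM but is not aligned with the `brand.example` From header, so it still fails DMARC. The fix is to have the vendor sign with a selector under your domain, not to loosen the policy.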

“Implementing BIMI is a major branding win for the marketing team”

BIMI requires that a domain be using DMARC with an enforcement policy, so that the receiver has a minimum level of confidence in the sender’s messages. Mailbox providers (MBPs) then apply their own additional conditions, such as requiring a good sending reputation or limiting BIMI to certain kinds of email (marketing and transactional rather than personal mail). Google requires a Verified Mark Certificate (VMC) for BIMI in Gmail. BIMI also requires that the brand hold a registered trademark on the specific logomark that is to be displayed in the email client. Implementing BIMI is a major branding win for the marketing team, as your logo will now appear next to the from name in the user’s inbox and in the list view on mobile devices.
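The enforcement requirement above, as an added example that is not from the post: a checker that parses a DMARC TXT record and says whether the policy is strict enough for BIMI. It assumes the commonly stated rule of p=reject, or p=quarantine with pct=100 (100 is the DMARC default when the tag is absent), with a subdomain policy (sp=) that, if present, is not none; treat those thresholds as an assumption and confirm them against the current BIMI draft. MBP-specific conditions such as reputation or a VMC are not visible in a DNS record and are not modelled. The record strings are constructed for the example.

```python
"""Check whether a DMARC record is strict enough for BIMI.

Added example, not from the original post. Assumed rule: p=reject, or
p=quarantine with pct=100, and sp (if present) not none. Verify against
the current BIMI draft before relying on it.
"""

ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}.

    Tag names are lower-cased; values are kept as written so that
    rua=/ruf= URIs survive intact. Callers compare policy values
    case-insensitively.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_ready(txt):
    """Return (ready, blockers, warnings) for a DMARC record string."""
    tags = parse_dmarc(txt)
    blockers, warnings = [], []
    # RFC 7489: the record must start with exactly v=DMARC1 (case-sensitive).
    if txt.split(";")[0].strip() != "v=DMARC1":
        return False, ["record does not start with v=DMARC1"], warnings
    p = tags.get("p", "").lower()
    if p not in ENFORCING:
        blockers.append(f"p={p or '<absent>'} is not an enforcement policy")
    pct = tags.get("pct", "100")          # DMARC default is 100
    if pct != "100":
        blockers.append(f"pct={pct} applies the policy to only part of the mail stream")
    sp = tags.get("sp", p).lower()        # sp defaults to p when absent
    if sp not in ENFORCING:
        blockers.append(f"sp={sp} leaves subdomains unenforced")
    if "rua" not in tags:
        warnings.append("no rua= address: you will receive no aggregate reports")
    return not blockers, blockers, warnings


# Constructed records for the stages of a typical rollout.
RECORDS = {
    "start":          "v=DMARC1; p=none; rua=mailto:dmarc@brand.example",
    "partial":        "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@brand.example",
    "subdomain_hole": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@brand.example",
    "ready":          "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example",
}

if __name__ == "__main__":
    for name, record in RECORDS.items():
        ready, blockers, warnings = bimi_ready(record)
        print(f"{name:15} ready={ready} {blockers} {warnings}")
```

The `subdomain_hole` record is the one to watch for: p=reject looks finished, but sp=none means mail spoofed from any subdomain is still accepted, which fails the BIMI bar and defeats much of the point of enforcement.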

“Email takes a village, and your partners are looking to help protect your brand”

Remember that email is hard, it takes a village to get it right, and your internal and external partners are looking to help you protect your brand and consumers. Taking the time to properly configure your email with all the right authentication records now is rewarded with the added benefit of your logo in the consumer’s inbox. This builds a true win-win for your organization, your customers, and the mailbox providers looking to stop the influx of spam and fraud being sent to their networks.

About Matthew Vernhout:

Matthew Vernhout (@emailkarma) is Netcore’s Vice President of Deliverability, North America. He is a digital marketing and privacy advocate, and also acts as chairperson of the Email Experience Council (eec), director at large with the Coalition Against Unsolicited Commercial Email (CAUCE), Marketing Chair with the AuthIndicators Working Group, founder of the Canadian Email Summit, and co-founder of Privacy Summit North and GradeMyEmail.co. He is a trusted industry expert, recognized as the 2019 EEC thought-leader of the year, and is a Certified Information Privacy Professional (Canada) (CIPP/C). Matthew speaks frequently at email marketing and technology conferences around the globe, and maintains his celebrated blog, EmailKarma.net.

PUBLISHED BY

Red Sift

8 Jul. 2021
