In session after session at last week’s Authentication and Online Trust Alliance (AOTA) Summit, speakers used automobile analogies to simplify the uber-granular topic of email security. Best practices were called “seat belts.” Authentication standards, such as Sender ID, Sender Policy Framework (SPF) records and DomainKeys Identified Mail (DKIM), can now be to your ecommerce “engine” what emissions tests are to your car (see hotlinks below for definitions).

“Who you are is more important than what you are mailing,” says George Bilbrey, VP & GM, Delivery Assurance Solutions, Return Path. “Today, reputation is the major determinant if your email is getting delivered or not.”

Buzz in the Halls
o Get ready to test deliverability issues against the emerging Windows Live -- it won’t be long before all Hotmail users are transitioned over.

o About half of the domain names sending email to Hotmail/MSN/Windows Live are from domain names “we’ve never heard of,” says John Scarrow, GM, Technology Care and Safety Group, Microsoft.

o Microsoft (lead sponsor of the Summit) says Sender ID adoption has tripled in the past year, with more than 8 million domains using its protocol. GoDaddy.com says more than 50,000 of its domain name system (DNS) customers are Sender ID compliant.

o Comcast promises to have a feedback loop by the end of the calendar year. “In the meantime, call us and we’ll give you the feedback,” says Jay Opperman, Director Privacy & Security.

o As if it’s not enough for the government to monitor the sector, there’s also the whims of the ISPs that the industry seems unable to adequately confront. “It’s not that the trade organizations aren’t doing anything, but I don’t think marketers have a loud enough voice,” says Neil Bibbins, Compliance Director/Marketing Data Analyst, Auto Revenue. “I don’t think it’s fair that companies can enforce policy simply because of their market shares. In fact, I find it unnerving.”

o Missing from the conference: Yahoo!, which, along with AOL and MSN Hotmail, make up the big three email providers. It would have been nice to get some kind of word on the likelihood of whether Yahoo! is moving toward shutting images off by default in all its inboxes, which was the scuttlebutt last week. “While it’s not surprising that Yahoo! wouldn’t want to endorse Microsoft’s show, it’s easy to see it as a bit political at the same time,” said one direct marketing manager.

(Note to burgeoning Gmail: more needs to be heard from you on deliverability issues as well …)

Finding Solutions - a Community Effort
Although Microsoft, AOL, Comcast and reputation management providers, such as Datran Media, StrongMail and Lashback, tried to exude a “We Are Family” vibe, it wasn’t all handshakes and hugs. Throughout the course of the summit, an occasional hiss could be heard after a comment from one of the powers-that-be or service providers. Simply put, marketers are tired of the rules changing.

“We don’t have all of the answers,” conceded AOL Postmaster Charles Stiles. In between speeches, Stiles offered this tidbit: “Most complaints [at AOL accounts] happen within the first few hours of a campaign, and then they dramatically drop off from there. This at least tells us that people usually see your email right away.”

Still, authentication gets you only partway to the inbox -- your content (including relevancy) or a bad reputation may still *junk* your messages. What’s frustrating is that the major ISPs cannot (or will not) disseminate deliverability tips specific to their brand because they think it will fuel the fire for spammers -- who are now masking themselves as legitimate mailers in a variety of fashions.

In presentations and Q&As, everyone clearly communicated that tackling spam, phishing, spoofing, deliverability and consumer distrust needs to be a communitywide, grassroots effort. Thankfully, the responsibilities are spreading. It’s no longer just a marketer’s issue -- ISPs, ESPs and domain registars are increasingly interested in meeting the cyber-pandemic head-on.

Image Rendering Concerns
Unfortunately, no silver bullets were given about how to sidestep the image rendering problems that all marketers are having with nearly every ISP. “You can test and test, but you don’t know exactly how each image will render in each [inbox],” says Jared Blank, VP, Client Solutions, Epsilon. “Email is not about looking beautiful -- it’s about getting read.”

Blank and others had this advice on the topic:

- From the moment visitors sign up, educate them about how you will send images and what they need to do to receive them. (While you are at it, tell them how to add your domain name to their address book.)
- Design campaigns for image-blocking accounts. Use descriptive copy around where the images are supposed to give the recipient a good reason to click the display button.
- Make sure your offer is above the fold, which might give them another reason to enable images. This should cut down on deletes (and complaints, too).
- Longtime Sherpa readers will recognize this one: let recipients sign up for text-only messages.

Holding Spammers Accountable
Spammers are starting to use SPF records and other authentications to hide their actions. However, this is good news “because reputation can be applied” to them, says Pat Peterson, VP, Technology, Iron Port.

It’s also clear that legitimate emarketers are no longer held accountable for spam. Multiple current and former governmental speakers confirmed that the general public is starting to understand that botnets, zombies and organized crime are behind most CAN-SPAM violations these days.

“There is not enough working together between domain [name] registars and reputation management providers,” says Warren Adelman, President/COO, GoDaddy.com. “What are we going to do? In the months ahead, I think we’ll see conversations unfold to leverage the information we have to work with -- with this group of leaders -- to provide a better experience going forward.”

Top Takeaways: A Baker’s Dozen
#1. SPF records and Sender IDs aren't just for email marketers. Big-name companies who don't use email need to protect their brands and be on the record to combat spoofers, says Josh Baer, Chief Technology Officer, Datran Media. “The net of setting up your Sender ID right is a plus and not a negative.”

#2. If you switch ESPs, take the necessary steps to transfer your authentication records with the new provider.

#3. No two spam filters are alike, so you have to test and test against ALL of them as much as possible.

#4. You can protect your domain from being spoofed with proper SPF record filing.

#5. Publish a SPF record to a DNS that supports “txt” records. This type of protection will cover more ground.

#6. ESPs that send under dealer domains (for instance, car dealerships) need the dealers to publish individual SPF records to correctly track each business’s reputation.

#7. Give a staff member the title of Reputation Manager, who will ensure that your firm is signed up for feedback loops and not showing up on blacklists.

#8. Be on top of reputation management for both transactional and marketing emails if they are segregated and/or mixed.

#9. Including a list-unsubscribe header in your emails will reduce complaints and improve deliverability. (See hotlink below for more info.)

#10. Your complaint rate should never exceed your unsubscribes for a campaign. If it does, you need to re-evaluate what you are doing.

#11. Look for a vendor who will mentor your company on reputation/delivery –- not just a rudimentary service provider.

#12. Expect some initial hits to your goals before achieving success on all the major deliverability fronts.

#13. Include marketing and IT people in meetings so everyone is on the same page. Greg Tseng, CEO Tagged Inc., allocates three to five weekly man-hours for deliverability issues, including a weekly one-hour teleconference with his ESP vendor.


Useful links related to this article

SPF information site:
http://www.openspf.org/

Microsoft’s SPF tips and download site:
http://www.microsoft.com/downloads/details.aspx?familyi
=B7CE1CAC-D884-4216-82FE-379F875663FF&displaylang=en#Instructions

List-Unsubscribe.com, a very helpful learning tool:
http://www.list-unsubscribe.com/

Learn about DKIM:
http://email.about.com/od/understandingspamfilters/g/dk
m.htm

AOTA presentation about DKIM given by Jon Callas, CTO, PGP Corp., and Jim Fenton, Engineer, Cisco:
http://www.aotalliance.org/summit2007/2007_presents/301
DKIM.pdf

IP spoofing:
http://www.webopedia.com/TERM/I/IP_spoofing.html

For more information on spoofing, check out expert Deb Shinder's free online resource:
http://www.windowsecurity.com/articles/Email-Spoofing.h
ml?printversion


Definition of Sender ID:
http://en.wikipedia.org/wiki/Sender_ID

Microsoft Program Manager Henry Katz's overview of the Sender ID Framework from AOTA:
http://www.aotalliance.org/summit2007/2007_presents/201
SIDF.pdf

Microsoft's Sender ID/SPF info and signup pages:
http://www.sign-up.to/html/total_support/resources/send
r_id_spf.htm

Epsilon's Jared Blank and AOL's Charles Stiles' slide show on image suppression from AOTA:
http://www.aotalliance.org/summit2007/2007_presents/503
image_surpressionx.pdf

AOL Postmaster site:
http://www.postmaster.aol.com/

MSN Windows Live/Hotmail postmaster site:
http://postmaster.msn.com/

Comcast help for marketers:
http://www.comcastsupport.com