Just two months after releasing a disappointing report on e-commerce site security, the Online Trust Alliance (OTA) has revealed the findings of a deeper investigation into the state of email security at some of the top social media, financial services, retail, and news companies. Of the 800 consumer sites evaluated, 92 percent failed, according to the OTA's Email Trust Scorecard, revealing that organizations are not taking the proper steps necessary to protect consumers from phishing scams and other deceptive emails.
One of the main causes for the security struggle is automation technology, which marketers use to send email campaigns on a large scale, according to Craig Spiezle, president of the OTA. "Security breaches happen because hackers usually don't target top-level domains, but rather focus their efforts on subdomains, such as those maintained by email marketing vendors for their users," Spiezle explains. "The subdomains just create a lot of confusion, and make it harder for consumers to know which emails to trust and which ones to delete," he adds.
The biggest offenders, according to the OTA's report, are news organizations and Internet retailers—only 6 percent of each group passed the Email Trust Scorecard. The best performers, on the other hand, were social media companies. Twenty-eight percent of them passed, the report states. "This is likely because they're newer platforms, and they've got more homogenous site and email architectures," he says. Across all segments, however, there's plenty of room for improvement; to avoid email vulnerability, the OTA suggests that marketers who rely on marketing automation tools should work closely with their IT departments to ensure that proper protective steps are being taken.
Given the poor performance of some of the most popular consumer brands and organizations, Spiezle says there is a growing need for more comprehensive adoption of security protocols, namely the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
SPF is simple to implement: it is a text record listing the servers, by IP address, that are allowed to send email on a company's or organization's behalf, Spiezle explains. The protocol does not hold up well for forwarded email, which makes up between 5 and 7 percent of all mail. "This is where DKIM comes in," he says. "It essentially signs all secure mail and performs well with forwarded messages. List emails tend to present a challenge to DKIM, but lists are not a problem for SPF. The two complement each other," Spiezle adds. With those two mechanisms in place, DMARC adds a further layer of protection: it acts as a feedback mechanism and tells receivers what to do with emails that fail the other two checks.
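The interplay Spiezle describes, as an added illustration that is not part of the OTA report or this article: a receiving side evaluates SPF for the connecting IP, takes the DKIM verdict as given (signature verification itself is left out), and then applies the DMARC policy, including the alignment check that trips up mail sent under a vendor's subdomain. The DNS records, the domains example.com and mail.vendor.example, and the IP addresses are all constructed placeholders, and the organizational-domain lookup is a two-label shortcut rather than a Public Suffix List query.

```python
"""SPF evaluation and DMARC policy lookup over a constructed DNS table."""
import ipaddress

# Constructed TXT records standing in for live DNS. example.com is the brand,
# mail.vendor.example the marketing vendor it lets send on its behalf.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.vendor.example -all",
    "mail.vendor.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def spf_check(domain, sender_ip, dns=DNS_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain.

    Only ip4 (with CIDR), include and all are implemented; anything else is
    reported as permerror to keep the example small. depth bounds include
    recursion, mirroring the RFC 7208 limit of 10 DNS-querying terms.
    """
    if depth > 10:
        return "permerror"
    record = dns.get(domain)
    terms = parse_spf(record) if record else None
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in terms:
        if mech == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            # include matches only when the referenced domain yields "pass"
            if spf_check(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"  # nothing matched and no "all" term was present


def parse_dmarc(record):
    """Parse 'tag=value; ...' DMARC tags into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    """Organizational domain, simplified (assumption) to the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Combine SPF and DKIM outcomes into a DMARC verdict and the action the policy asks for."""
    record = dns.get("_dmarc." + from_domain) or dns.get("_dmarc." + org_domain(from_domain))
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "none", "accept"  # no policy published, nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "accept"
    action = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action.get(tags.get("p", "none"), "accept")


if __name__ == "__main__":
    # Constructed scenarios: a vendor send, a forwarded message, and a spoof.
    for label, ip, dkim in [("vendor send", "198.51.100.10", "none"),
                            ("forwarded", "203.0.113.5", "pass"),
                            ("spoof", "203.0.113.5", "none")]:
        spf = spf_check("example.com", ip)
        verdict, action = dmarc_disposition("example.com", spf, "example.com", dkim, "example.com")
        print(f"{label:12} SPF={spf:8} DKIM={dkim:5} DMARC={verdict:5} -> {action}")
```

The forwarded case shows why the two mechanisms complement each other: SPF fails because the forwarder's IP is not in the record, but the DKIM signature still verifies, so DMARC passes. A message whose SPF passes only under the vendor's own domain (MAIL FROM at mail.vendor.example, From header at example.com) fails alignment and is rejected, which is the subdomain confusion the article describes.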
Though the latest results are concerning, Spiezle remains optimistic. "We're not seeing enough widespread adoption of all three yet, but many organizations do already have at least one in place. The best protection comes from having all three working together, and we are seeing a lot of growth in individual areas, so we're hoping to see more improvements overall soon," Spiezle says.