Making Email Effective Again

Fortunately there are new technologies and services available that are easy to implement and can help consumers answer this question in a simple, intuitive way. To find out how these technologies and services make email effective again, read on.

A Big Problem Gets Bigger

It’s not a hypothetical question. The Anti-Phishing Working Group reports nearly four times as many new phishing sites in May 2006 as in May 2005, and Symantec’s Internet Security Threat Report from September, 2006 estimates that individuals receive more than 59 million phishing messages a day. The financial sector is by far the largest target, representing 84% of the messages sent.

“Individuals receive more than 59 million phishing messages a day... the financial sector is the target of 84% of the messages.”

The bad guys are getting more creative, too – cloaking fraudulent messages as gift certificates, tax refunds, and recommendations from friends. So, in addition to the inbox clutter and spam we’ve grown accustomed to, we now have to question every message, no matter how innocent it looks.

Undermining Effective Communication

This onslaught of fraudulent email impacts consumer behavior – Gartner estimates that over 80% of consumers have less trust in email received from businesses. Surveys of banking customers found that 79% of users are less likely to respond to email from banks, and 20% won’t even open them.

“Surveys of banking customers found that 79% of users are less likely to respond to email.”

Consumers are rightly concerned – not only can they become victims through divulging personal information (credit card, account number/password, etc.), but new attacks often infect the user’s PC even if they don’t divulge information overtly. This can happen when they open the email message or when they click through to a fraudulent website listed in the body of the message. Crooks can then extract information from the user’s PC behind the scenes, use the PC as part of their scheme, or redirect the user’s access to websites at some point in the future.

The combination of the overwhelming nature of the problem and the lack of trust created by fraudulent email activity hurts everyone:

• Companies wishing to effectively communicate with their customers must continue to use more costly, less efficient, less tailored means to interact
• Consumers, who have flocked to e-commerce due to its convenience and efficiency, now have a hard time finding what they want in their inbox amidst the clutter, and then don’t know whether to trust the message once they find it

Email Authentication to the Rescue

A major step toward addressing this issue is provided by email authentication, which allows email recipients to verify the authenticity of the sender. Because the messages can be traced to the sender, authenticated email actually addresses both spam and phishing – the former because spammers want to operate “in the dark” and therefore don’t want to be identified, and the latter because recipients can truly authenticate the sender.

In the last year, email authentication has gained significant momentum in the industry, spurred on by a combination of:

• Educational initiatives by Yahoo!, Microsoft, Cisco and other market leaders;
• Organizations such as the Direct Marketing Association (DMA) requiring their members to implement email authentication;
• The knowledge that the large email providers (AOL, MSN, Yahoo) use authentication as part of their “scoring” to determine whether to deliver a given message. As email providers continue to raise the bar in this area, implementation of authentication will be more and more critical for all senders.

In fact, as of October 2006, Microsoft estimates that more than 5 million domains now support some form of email authentication, and IronPort estimates that approximately 40 percent of email messages are now authenticated.

There are two main approaches used today for email authentication, each with their own set of tradeoffs:

• Sender ID: In this approach, senders publish a list of their authorized email domains/addresses for recipients to verify as they receive the message. It is simple to implement since it requires only an administrative change to the sender’s DNS record.

  It is by far the most widely implemented method today, with more than 5 million domains supporting Sender ID. However, since it only verifies the final “path” from sender to receiver, it does not work when messages are forwarded, which limits its usefulness for a “hard” decision on the authenticity of messages.

• DomainKeys/DKIM: In this approach the message is cryptographically “signed” and a public key is published to allow recipients to verify both the original sender (even if the message is forwarded) and that the message has not been altered in transit. However, implementation requires specific software at the sending email server (or accompanying appliance), which has slowed its adoption.

  This approach is also in transition – from the original DomainKeys specification sponsored by Yahoo! to DomainKeys Identified Mail (DKIM), which is a joint proposal by Yahoo! and Cisco. Interoperable solutions are available for both approaches, and most vendors have committed to track the transition with their products.

Problem Solved, Right?

Unfortunately not. Even if email authentication was adopted by all senders and receivers and worked perfectly, there are still ways to spoof the system. Sure, the risk for the bad guys is higher if they have to send authenticated email, but this game involves a constant readjustment of the risk/reward ratio.

“Even with email authentication, there are still ways to spoof the system.”

A common technique used by bad guys to spoof the system is something called “cousin domains”, where they use something like we11sfargo.com (notice the “1’s” where the “l’s” should be?), or citibank-security.com, which may be valid domains as far as the Internet is concerned, but are not actually owned by the legitimate companies. Using domains such as this, bad guys can send messages that pass authentication but aren’t really from the legitimate entities.

In fact, it’s even easier than that. Since the real sending address is hidden from users, bad guys can send from imacrook.com but show “Bank of America Customer Support” as the address we all see. If they support authentication from imacrook.com, the message will pass, presenting even a tougher challenge for the consumer.

Beyond Authentication

Because of this “it’s authentic but not really legitimate” issue, there is a need for an additional layer on top of email authentication to verify who owns the domain being authenticated and that they are a legitimate company portraying themselves properly. Interestingly, the “email authentication is necessary, but not sufficient” theme is echoed broadly throughout the industry, even (especially?) at gatherings focused on email authentication.

Iconix was the first company to introduce a service that provides this additional identification layer – it is analogous to Web site security certificates, but in this case senders subscribe to ensure that their domains and email addresses are accurately verified.

How Do I Know What’s Real?

Well, now we know the message really came from the claimed sender, and that they’re legitimate. What next? If the consumer’s inbox looks the same, they’re still opening Pandora’s Box every time they open a message.

“By using this display, it becomes trivial to answer the question “Is this message real?””

So, a third step is needed – displaying the result of the authentication and identification checks. In the IconixSM Truemark® service, this display has the following characteristics (see the accompanying screen shot example):

• Simple and intuitive Truemark icon to indicate legitimate messages, integrated into the consumer’s inbox and opened messages;
• An additional visual differentiator – in the form of the sender’s logo – that uniquely identifies the message;
• A way for the consumers to verify the sender’s identity (a la Web site security certificates) by mousing over the Truemark icon;
• Consistent across email clients so that the experience in Yahoo! Mail, Hotmail, Gmail, Outlook Express and other clients is the same

By using this kind of display, it becomes trivial to answer the opening question “Is this message real?” The underlying layers of verification ensure that only legitimate messages are marked, and using the sender’s logo as the unique identifier for the message helps consumers find the messages quickly.

Does It Make a Difference?

In short – “Absolutely.” The Truemark service currently marks email messages from more than 350 major companies in all market segments – financial institutions, online retail, online auctions, online travel, social networking, dating, and news/information services.

“Open rates for messages more than doubled compared to messages that were not marked with an icon.”

In tests conducted by Iconix throughout 2006, the presence of a visual icon to indicate legitimate messages made a significant difference in user behavior – open rates for messages more than doubled compared to messages that were not marked with an icon.

Using the Truemark service, companies can simultaneously protect their brand and restore email as an effective means of interacting with their customers.

Getting Started

Sending trusted, branded email with the Truemark service is a simple process:

• Outgoing messages must be authenticated using one or both of the standards described above;
• Subscribers to the service supply a list of domains/addresses and associated logos to Iconix.

Send Effective Email Again

In summary, there are three key elements needed to restore trust in email and re-establish this efficient communication path between companies and their customers:

• Industry-standard email authentication;
• Identification service to ensure sender legitimacy;
• Simple, intuitive, consistent display for users.

The Truemark service performs these steps in a seamless manner, benefiting both companies and consumers as they regain the convenience and efficiency of online interaction. To learn more about the Truemark service and how to send trusted, branded email, visit www.iconix.com/corp.

“The Truemark service benefits companies and consumers as they regain the convenience and efficiency of online interaction.”

With this kind of solution in place, maybe “Is this message real?” can become the rhetorical question it should be.