Let’s Be Authentic: How retailers can protect their subscribers with Authentication Protocols

By Inboxable

According to CyberArk, 56% of IT security professionals chose email phishing as the greatest security threat to brands and subscribers alike. A key tool for marketers to fight this threat is email authentication. Email authentication helps Internet Service Providers (ISPs) like Gmail, Outlook or Hotmail verify that an email is coming from a legitimate source, like an actual brand and not a scammer. Marketers who use proper authentication can protect both their subscribers and their brand from major threats like phishing attempts, deliverability issues, blacklistings and much more.

Analyzing the Trends Impacting Email Security and Authentication

Each year, the Online Trust Alliance (OTA) – a non-profit organization dedicated to online best practices for consumer safety and brand compliance – publishes an annual Email Marketing and Unsubscribe Audit to help brands understand the trends and best practices impacting the integrity of email – including protections like authentication.

OTA’s Audit evaluates 200 of the top North American online retailers and their online presence – from their marketing program sign-up process (including components like pop-ups, (re)CAPTCHA authentication, etc.) and overall user experience, to the unsubscribe process. Each of these components are monitored to ensure retailers comply with best practices and regulations.

Authentication Trends and Missed Opportunities

An overview of this year’s OTA Audit shows us that retailers are getting smarter about authentication, demonstrating their commitment to protecting their subscribers and ensuring messages that reach users are legitimate. Retailers are increasing their adoption of authentication practices, but there are important qualifiers that are being overlooked.

The OTA Audit revealed two promising trends in authentication:

Trend #1

Two of the most effective practices for authenticating senders are SPF (Send Policy Framework) and DKIM (Domain Keys Identified Mail). SPF is an authentication process where the domain owner (a brand in this case) adds a DNS record specifying which servers are authorized to send emails; this allows ISPs to check against the SPF to detect forged sender addresses. DKIM provides an additional protection by embedding a key in the message that connects the email to the server thus ensuring that the message has not been changed or intercepted. The OTA Audit revealed that all of the evaluated retailers in the audit have adopted both SPF and DKIM authentication policies.

Trend #2

Almost all of the retailers in the Audit (95.7%) were using Opportunistic TLS (Transport Layer Security). This type of authentication optimizes the use of encryption. If an ISP’s mail server prefers encrypted emails, then Opportunistic TLS allows for retailers to send encrypted mailings; if the mail server does not accept encryption, then the email is sent unencrypted. Encryption helps prevent cyber criminals from eavesdropping on email communications. Opportunistic TLS is especially prominent in Gmail where a small red padlock will appear if a message is not using encryption.

Protecting against phishing with DMARC

DMARC (Domain-based Message Authentication, Reporting & Conformance), is an email authentication, policy, and reporting protocol that helps protect against direct domain spoofing. Domain spoofing is a form of phishing which occurs when an imposter uses a company’s domain to impersonate said company. The end goal of domain spoofing is to trick consumers into providing personal information or access to personal information.

Although the majority of retailers have a DMARC record, many have not defined its policy settings which is key to preventing unauthenticated emails from reaching consumers. A DMARC record has three policy settings: none, quarantine, and reject. Having ‘none’ as a setting means that despite having an authentication policy in place, if a mailing is not authenticated, it still gets through to a subscriber’s inbox without any issues. In this case all mailings are accepted by the respective ISP, regardless of whether they pass or fail authentication protocols.

A ‘quarantine’ setting for a retailer’s DMARC record notifies ISPs to treat unauthenticated mailings with more caution. With this type of setting, a phishing message will end up in a spam folder or the ISP will mark the message as potentially unsafe.

A ‘reject’ policy setting for DMARC tells ISPs that any unauthenticated mailing should be blocked and prevented from reaching a subscriber’s inbox.

The OTA Audit revealed that while 71.4% of the top 200 retailers have a DMARC policy in place, only 35.2% have set up their policy to ‘quarantine’ or ‘reject’ which highlights an urgent need for retailers to improve their DMARC policy settings. Without a ‘quarantine’ or ‘reject’ policy, any malicious sender posing as a brand could still reach a subscriber’s inbox. To protect consumers from phishing and improve trust, retailers should consider updating their DMARC settings.


Retailers are making steady improvements to their email authentication processes which can help protect consumers from growing security threats. Yet, as email scams and phishing attempts become more sophisticated in their efforts to collect consumer information, it is imperative for marketers to continually examine how they can ensure their subscribers and their brand are safe.

For more insights into the latest OTA Email Marketing and Unsubscribe Audit, please visit the OTA website HERE.



1290 Central Pkwy W #500
Mississauga, ON 
L5C 4R3, Canada




1 (877) 937-6245




Get Started With Inboxable


Connect with us!



© 2020 Inboxable
All Rights Reserved

Privacy Policy