When Authentic Isn’t Real

Our Truemark service relies on email authentication (SPF/Sender ID or DomainKeys/DKIM) as a foundation for verifying legitimate messages. And there are some email services out there that indicate with an icon whether a message has passed authentication. But is email authentication by itself enough?

Nope (you knew that was coming). Email authentication only tells me that the message really came from the entity who claimed to send it. That works great when someone pretending to be a bank uses the bank’s email address – the authentication will fail and the message can be dropped so consumers never see it. 

But what if they create a domain name that sounds like it belongs to the bank (e.g., bank-support.com) and then send email from there? It’s possible for the sender of such a message to authenticate their email and have it pass. Uh-oh. So much for using authentication alone to determine the legitimacy of messages.

So how do you really know when a message is legitimate? It takes at least one more piece of information. The most definitive is a list of domains the company uses to send email. Then it’s simple – compare the domain in the message to the company’s list, and if there’s a match and the message can be authenticated, you’re good. That’s how our Truemark service works (it’s actually more complicated than that since there are several “from” addresses in an email message, but that’s for another time). 

Another way to verify legitimacy is by assigning reputation to messages from specific domains or IP addresses. This requires a monitoring of new domains/addresses over time to determine whether messages sent from there are “good”. In this case, authentication plays a role since it allows you to verify that the message actually came from those domains/addresses, but it isn’t as definitive as comparing to a known-good list.

Bottom line? Like those products labeled “made of genuine artificial leather,” just because an email is marked as “authenticated” doesn’t mean it’s real.

A Rose By Any Other Name…

We mark thousands of domains in our Truemark service, representing more than 1700 companies. One of our biggest challenges (which is shared by companies themselves) is keeping up with all the domains used to send email. Most consumers would assume that email is sent from the main corporate domain (e.g., company.com), but that’s not the case.

In reality, while there may be one main front door for web visits, there are usually many side doors (and windows, and vents, and…) for sending email. It varies by company:

• Large multinationals usually have domains tied to specific countries (e.g., company.co.uk, company.ca, company.fr)
• Some use a different domain for each line of business (e.g., Dell  for large business vs. small business/home office vs. consumer products)
• Some use different domains for different types of messages (alerts, transactions, promotions, etc.), and
• Most create one or more separate domains that are managed by third parties who send marketing or informational email on their behalf (email.company.com and news.company.com are typical examples). 

When you calculate the possible permutations (countries, lines of business, types of message, third parties), it quickly gets out of control. It’s not uncommon for a company to send email from dozens of domains even within one country.

Why does this matter? The answer varies for each player in the email ecosystem:

• Companies who send email – They want their messages to get through, so the more consistent they can be in their naming conventions, sending process and authentication practices, the easier it is on the other players. Ideally there’s some central point of coordination where these items are tracked and managed, but practical reality dictates that implementation specifics are usually delegated to countries, departments or lines of business. 
• Receivers of email – Whether its an email service like Gmail, Windows Live Hotmail or Yahoo! Mail, or a corporate email system, all mail servers these days are geared to block spam and phishing while delivering only the good stuff. When there’s consistency in use, naming and authentication of domains sending email from a company, their job is easier, the right mail gets through, and everybody’s happy. 
• Users of email – Though most consumers don’t really understand the innards of email, actual domain names are often seen as part of the address in today’s systems, so they carry brand value (yes, brand value!). Use of funky-looking or many different domain names can make consumers leery, preventing them from engaging with the message.

So what’s the right way to do it? There’s no one size fits all answer to this.  We’ve seen the entire spectrum. Amazon.com probably has the tightest use of domains, with just one primary domain per country. They use addresses to differentiate the type of message. Some of the banks are on the other end of the spectrum, with different domains for each line of business and type of service.

The happy medium that looks to be a manageable best practice is use of the main corporate domain for transactional email (orders, statements, confirmations, etc.), and a few additional domains (e.g., email., offers., updates., news.company.com) to use for specific purposes or outsourced services.  

Keeping a tight rein on domain names makes everyone’s life easier and helps them accomplish the ultimate goal – get the message seen by the person who wants it.

“Classic” Use of Email

We have an ongoing study with approximately 10,000 users that allows us to see how they interact with email at a macro level (anonymously of course). One of the interesting items we track in the study is which email program people are using. There are the obvious top-level major webmail and standalone clients – AOL/AIM webmail, Earthlink, Gmail, Windows Live Hotmail, and Yahoo! Mail along with Outlook Express and Outlook 2003/2007 – but we can also determine the particular subtype, which yields some interesting insight.

Most webmail programs offer full-featured versions that are richer in graphics, chat links and companion applications, but often do not work well in low-bandwidth environments or across all browsers. That’s where the “classic” or basic versions come in. They have less sizzle, but work across a wider variety of environments and perform all the basic email functions just as well as their full-featured siblings.

Yahoo! Mail is a prime example of this. As a Yahoo! Mail user, you can select (even within a session) which version you want to use – the full-featured Yahoo! Mail (released in August 2007 – known prior to release as Yahoo! Mail beta) or the more streamlined Yahoo! Mail Classic (based on the “original” Yahoo! Mail introduced in 1997). Yahoo! offers a great comparison of the two on their site. Yahoo! Mail offers the latest in rich interfaces (preview pane, tabs, drag-and-drop, etc.) and application support, while Yahoo! Mail Classic works in more environments.

But which do users prefer? Based on our study, 56% of Yahoo! Mail users use Yahoo! Mail Classic, while 44% use the newer Yahoo! Mail. This could be historical – most of the Yahoo! Mail accounts came into being before 2007 when the new version was introduced. Interestingly, this ratio has remained constant (varying less than 1%) over the last year.

What about the other webmail programs? Gmail also has a dual offering, named Gmail standard and Gmail basic (see good comparison here), but as a more recent entrant to the webmail market (initially offered as an invitation-only beta in 2004, opened to the public in 2007), they haven’t dealt with a historical user base to the same extent as Yahoo! Mail. As a result, 95% of Gmail users in the study use Gmail standard, while only 5% use Gmail basic.

Visual ID for Email – Find What You Want at a Glance

There are two major value propositions for users of the Truemark service: find what you want and know that it’s real. Last week we announced our latest step in improving the user experience in email – use of favicons to visually identify messages in the inbox (see press release here).

Prior to favicons we used either a company logo or a generic “check-lock” to highlight legitimate messages. In July we started displaying senders’ favicons in the inbox, which allows consumers to identify the sender of the message at a glance. It’s a compact way to distinguish messages in an easily recognizable way.

Through July and August we continued to add favicons and logos – we estimate that about 90% of the messages we mark today (for more than 1700 companies) have a favicon or logo.

Typical Gmail Inbox w/Favicons

The screen shot above shows a typical inbox with a mixture of messages from individuals, retailers, social networks, payment and information services. Compare this to the sea of text you normally see in an inbox. 

Users we’ve surveyed have been unanimous in their support of this change – it dramatically improves their email experience and allows them to instantly find what they want. In fact, they want us to take it a step further and give them some kind of visual indication about every message (more on that in the future).