September 2018 - Online Marketing | Email Best Practices | Email: Trust & Challenges

Immunizing Email Marketing Against Brand Impersonation

Prevention is better than cure: DMARC offers protection against phishing attacks, saving brands from the headache and cost of reputation damage, as Julia-Janssen Holldiek, Director of the Certified Senders Alliance, explains.

© Murat Göçmen | istockphoto.com

It is a bitter pill to swallow: Suddenly, a deceptively real looking email from your brand appears in the email in-box of one of your loyal customers. On some pretext, the email requests personal data from your customer, and your customer – trusting your brand – provides it. Your customer – and your brand – has become the victim of a phishing attack. In this, you are not alone: According to Agari, 90 percent of leading brand domains were targeted by malicious email in 2017. Also in 2017, the Anti-Phishing System of Kaspersky Lab users was triggered 246,231,645 times, an increase of 59% from 2016. And such a phishing attack not only damages the recipient who all-too-readily discloses personal data; it also – looking at it from the perspective of the brand that has been spoofed – damages your reputation and ultimately the deliverability of your future marketing emails. 

So, how can a customer know your email correspondence is actually from you?

There are multiple ways that a sender can be identified on an email. For your customers, the most obvious way is to check the “from” address listed at the top of the email. Unfortunately, manipulating the “from” address is also the easiest way for cyber criminals to spoof your brand. However, going deeper into the technical side of emailing, there are also two other ways of establishing the authenticity of the email. The first way is if you publish an SPF (Sender Policy Framework) record in the domain name system (DNS). By checking the “return path” (basically, the “return to sender” option on an email – this is where a report will be sent if your email has bounced), it is possible to see if this address matches your brand’s SPF record. If not, this would be a heads-up for your customer that the email is not legitimate. 

And secondly, the cryptographic signature with which you sign emails (DomainKeys Identified Mail, or DKIM) needs to match with your brand’s public key (also published in the DNS) before your customer can really trust that the email sent by your brand is safe to click on, and really contains a message from you. 

When your customer clicks on a spoofed email, your brand reputation is in major trouble.

As Alex Zeh, Engineering Manager for the email whitelisting project the Certified Senders Alliance explains, “You can visualize this as being equivalent to a classic paper letter. The ‘From’ is the author indicated on the actual letter. The ‘Return-Path’ is the sender on the envelope in which the letter is sent. You probably would not consider a letter trustworthy if the sender on the envelope (the ‘Return-Path’), the sender/author in the letter (the ‘From’), and a final signature under the letter (the DKIM domain) all differed from each other.”

The problem is, your customer is very unlikely to have the knowledge, skills, or time to double-check. And when your customer clicks on that spoofed email, your brand reputation is in major trouble.

But how can you, as a marketer, protect your email marketing effectively?

This is where brands can make a huge difference themselves in ensuring that only legitimate customer communication is exchanged between them and their loyal customers: The best medicine is to implement a process called “DMARC” for commercial emailing. DMARC, or “Domain-based Message Authentication, Reporting & Conformance” allows you to publish a policy (or a rule) in the DNS, which tells mailbox providers what to do with emails from you if they fail either the SPF or the DKIM test. 

If a sender uses DMARC, the customer’s ISP can check and verify whether the email is legitimate

So, if a sender uses DMARC, then the customer’s Internet service provider (ISP) can check and verify whether the email is a legitimate and important email from you to your customer, or is rather a malicious attempt to disguise criminal activity using your logo as the bait. If the email fails the DMARC test, then the ISP can block delivery of or quarantine the phishing email. More than that, any attempt to spoof the “return path” address will be recorded, and as well as blocking the email, the mailbox provider will send you a report of the phishing attempt. This gives you far greater insight into how attackers are attempting to manipulate your brand.

Now, don’t panic – it’s not like you as a marketer suddenly need to become an expert in cryptography and the technical details of emailing. You can leave that to your email service provider (ESP) if you don’t take care of your commercial emailing internally. But you can talk to your ESP about their making use of DMARC.  

Using DMARC pays off: the UK HM Revenues & Customs was able to reduce phishing attacks on their customers by 300 million (60 percent) in 2017.

And it pays off. As an example, the UK HM Revenues & Customs, reputedly one of the most phished organizations in the world, was able to reduce phishing attacks on their customers by 300 million (60 percent) in 2017, simply by implementing DMARC.

So it’s worth doing, and the onus is on your ESP to do the technical work to implement DMARC. As Alex Zeh points out, one thing that you do need to take care of is a subdomain delegation, so that your ESP can also send from your domain as a legitimate sender. This ensures the “alignment” of the domain (e.g. example.com) between the “return path” address and the domain of the public key, both of which are published in the DMARC policy.

And once you’ve implemented DMARC and are ensuring that only authenticated emails are being sent to your loyal customers, there’s another cool trick that you can do with it. This is to become part of the BIMI (Brand Indicators for Message Identification) project which, as Thede Loder, from the Authindicators Working Group, is convinced, is something that brands will love. BIMI allows you simply to also publish your official, authentic logo in the DNS, so that email clients and third-party apps can use it to represent your logo in authenticated messages from you.

Another cool trick with DMARC: become part of the DMARC-based BIMI project, aimed at increasing trust and security for your logo.

This, according to Loder, offers brands the potential of billions of new brand impressions. It also helps to increase the trust in and security of your logo, given that it is based on the authentication procedures of the DMARC policy. Equating BIMI to air bags in cars, Loder explains that, “BIMI is designed to make consumers safer, without the consumers having to be involved or even aware.” And finally, it will make future brand image updates much, much simpler: All you need to do then is to publish the updated logo in the DNS, and all websites, apps, and email clients making use of your BIMI entry will be automatically and centrally updated.

The communications company OATH has recently started a trial of BIMI, and one of the participating companies, Valimail, is launching a product built on top of the proposed standard. After seeing strong interest from brands and the increase in traction for BIMI during the pilot project, Oath now intends to include it in their service portfolio. Marcel Becker from Oath and the Authindicators Working Group commented on the pilot that, “we saw higher quality logos than we already had in our system, and we also had the legal assurance that brands had given their permission for us to use the logos. BIMI will be the primary source for logos for us going forward.” He believes BIMI benefits brands by, “offering brand recognition, brand awareness, and brand impressions, using a simple technology that also helps to send secure email.”

DMARC allows the two sides of the email ecosystem – the brand or ESP on the one side, the ISP or mailbox provider on the other – to protect their mutual customer.

On the subject of DMARC itself, Becker believes that brands can benefit greatly from the system and reporting functions, which “allows brands to control and understand how the brand is being used or abused in the email space.” For the ISP or mailbox provider, it has the added benefit that they can trust the policy set by the brands, and know how to deal with emails that fail authentication. It also allows the two sides of the email ecosystem – the brand or ESP on the one side, and the ISP or mailbox provider on the other – “to protect their mutual customer.”

In short, DMARC can reliably protect brands against being abused by phishing attacks and from the damage this can cause to brand reputation. Brands can ensure that their ESP undertakes the technical implementation of DMARC, and this can increase the trust customers will have in brand communication via email. With the Certified Senders Alliance (CSA), a project initiated by eco (Association of the Internet Industry) and the DDV (German Dialog Marketing Association) to increase the quality of emails, there exists in any case an experienced partner that can offer advice and certification of ESPs and brands – and help protect your reputation and improve the health and deliverability of your valuable email communications.

... But what about the GDPR? Is DMARC compliant? Download the CSA’s report on the compliance of DMARC with the GDPR.


Julia Janssen-Holldiek became part of the CSA team in 2014 and Director in 2017, and is passionate about creating and enabling quality standards for commercial emailing. Prior to the CSA, she worked for several years in Marketing and Sales at Dell. Julia studied business administration at the University of Cologne and the Universidad Torcuato di Tella, Buenos Aires.