Email Accountability: A Vision Worth Pursuing?
Plain talk about our commitment to safe and secure messaging in email
The virtually free and anonymous nature of email has frustrated its use by legitimate marketers since the earliest days of the medium. From the point where email achieved critical mass (sufficient adoption for reach and revenue), the bad guys have been exploiting the enormous potential of email, as well as its weaknesses, for profit, much of it illicit. Spam, spoofing and a host of other negligent, abusive and criminal behaviors all come from the lure of lots of money made at very low cost and with little risk of being stopped or caught; it’s a compelling value proposition for the bad guys, and one that we must change to preserve the integrity of email.
Of course, the ISPs have been waging war on the bad guys for many years now. And it’s been their efforts to shield customers from schemes perpetrated by the bad guys that have led to the deliverability challenges for the good guys. Yet more critical than the collateral damage done to the good guys is a key question: can the war be won without fundamentally altering the bad guys’ value proposition? I’d suggest not. To date, the key enablers of their business model—low cost and anonymity—remain intact, and so their motivation to make a lot of money still holds sway. Not surprisingly, then, the war continues to rage in a point/counterpoint game of escalating technical sophistication and imagination.
In this article, I connect the two issues—cost and anonymity—and discuss them in the context of an industry-wide solution for Email Accountability that establishes identity, imposes cost and improves the email ecosystem for the benefit of all stakeholders, including you as an email marketer. Or rather, I want to talk about our collective commitment to an industry solution that’s been hanging around incomplete for over seven years—50 years in dog time, an eternity in Internet time.
The Price of Anonymity
There’s no question that ‘free’ incentivizes (or at least enables) behaviors in email that wouldn’t be feasible in another, more costly medium (direct mail, for example). Cost can definitely function as a constraint even when a marketer’s actions aren’t constrained by his own conscience or respect for the customer. I guess ‘spammer’ is the right term for such a marketer in email, if he isn’t called something worse.
The lack of identity in email feeds this behavioral problem in a major way—it allows the bad guys to get away with their misbehaviors. And the same thing holds when you graduate from spam to more malicious schemes where the intent is truly criminal. Regardless of the degree of ‘badness,’ anonymity is the bad guy’s shield from being held accountable. And ‘getting away with it’ is a potent motivator when coupled with the big bucks to be made.
What does allowing the bad guys to ‘get away with it’ mean to you?
As a legitimate email marketer, it means your bottom line takes a hit whenever your email gets caught up in the ongoing battle between the ISPs and bad guys. It means you sometimes can’t get relevant email delivered to your own customers or properly targeted prospects. It means you suffer a potentially huge brand and opportunity loss. That’s true, even if you put aside all the frustrations and headaches, diversions of time and technical resources that go into managing deliverability and recovering from the occasional train wrecks.
Yes, you, email marketer, bear a heavy cost for our allowing anonymity to shield the bad guys from accountability. And I’d suggest that your only recourse is to fight anonymity with clear, persistent and unambiguous identity. Proper identity credentials are what enable you to differentiate yourself from the bad guys and assert that you’re a reputable sender (good guy), and what enable the ISPs to verify and accept those assertions. Without such credentials, how do the ISPs know that you are who you say you are and not just someone spoofing you?
If this is all true, why haven’t brands universally adopted email identity standards? And for that matter, why aren’t ISPs universally checking email identity credentials and acting on what they check? Because what good does it do if you fully and properly disclose your identity when the ISPs don’t bother to check or act?
You First. No, After You.
The answers to these questions come down to one thing—adoption. Brands don’t adopt identity standards because they don’t see the risks and rewards of doing so, partly because the ISPs don’t strictly enforce them. And ISPs don’t strictly enforce the standards because adoption by brands hasn’t reached critical mass.
Am I overdrawing this chicken/egg situation a bit? Yes, but it’s pretty much where things are at—and where they’ve been for some time now. Despite the best efforts of the Online Trust Alliance (OTA), Email Sender & Provider Coalition (ESPC), Direct Marketing Association (DMA) and other industry groups to push the email authentication agenda, we’re stalled in implementing this critical component to our vision for Email Accountability. So maybe it’s time to revisit that vision and ask ourselves: “Do we have it right?”
When I speak of Identity, my frame of reference is what was envisioned in Project Lumos years ago as the conceptual blueprint for Email Accountability. It was the genesis, at least in part, for the authentication protocols and reputation systems that subsequently emerged.
In Lumos, Identity and Accountability were seen as interlocking principles, but it was recognized that Identity had to come first for a simple reason: you can’t hold people accountable for their actions if you don’t know who they are. Lumos postulated that if you could identify the good guys, it would then be possible to isolate the bad, hold them accountable and impose a ‘cost’ that would destroy their business model. (The ‘cost’ would take the form of denied access, that is, blocks that would depress response to a point where spamming was no longer financially viable.) While email is very low cost, it’s not accurate to say it’s actually free, even for a spammer. But therein lies the rub: since spamming can be highly profitable at incredibly low response rates, it takes broad adoption and strict enforcement of the authentication protocols to impact a spammer’s business model and for the benefits of an improved email ecosystem to materialize.
I’ve always felt this vision for Email Accountability was a pretty nifty one for choking off spam. But of course, our environment has changed since Lumos was proposed—it’s become much more dangerous. Now we have extremely targeted illicit schemes to deal with, such as phishing and spear phishing. Yet the monetary motivation is the same, and today’s bad guys are enabled by the same email weaknesses—anonymity and cost. For phishers, anonymity is achieved by masquerading as legitimate brands, and it’s that identity spoofing that makes company employees and customers alike vulnerable to exploitation. All of that is made possible because senders aren’t authenticating their email, receivers aren’t checking, or both. So by the time a phishing scheme is discovered, it’s usually too late. The assets have been stolen and the perpetrator has moved on, often using those assets in new, more dangerous exploits. The cost is low because phishing schemes are inexpensive to launch, and the risk of being caught is low too.
And this brings us back to the problem at hand—achieving the levels of adoption and enforcement required to make authentication work. How many years have we been discussing this topic? Yet, as the OTA notes in its May report, while 56% of sampled entities apply SPF and/or DKIM, “the volume of authenticated mail sent from these domains is estimated to be significantly lower due to inconsistent adoption across all domains, sub-domains and mailstreams”, thereby limiting the value of authentication in brand and consumer protection. The OTA report also confirms that ISP enforcement remains limited at best.
Authentication: Its Time Has Come
I believe that it’s well past time for our industry—senders and receivers alike—to implement email authentication as the first step toward true accountability. And implementation means full and consistent compliance by senders, and, most importantly, more than ‘wink and nod’ enforcement by receivers. Enforcement must mean that receivers routinely check and block senders who don’t comply with the authentication protocols, whether their reputations warrant acceptance of their mail or not. Period. No exceptions.
I know this may seem like an extreme position for a marketer to take, but I have three good reasons for it.
First, all players in our ecosystem have a big stake in winning this war against the bad guys. But to win the war, they must first join the war—and I’m speaking here to my marketing colleagues at enterprises and service providers. Up to now, their primary motivation in supporting authentication has been the deliverability of their own email. However, recent breaches should convince them that they have much more at stake than mere collateral damage. The war has shifted and expanded. The customers, employees and assets of enterprises and service providers are now being targeted too—and more often than not, email is the vehicle of access and exploitation, with cost and anonymity being the key drivers.
What does this mean? Just in case you missed the implication in my use of the generic term ‘receiver,’ let me be clear: enforcement isn’t an issue for just ISPs anymore. With all the exploits being directed at enterprises and service providers, everyone needs to be both authenticating their outbound email and blocking email that fails their inbound checks. The stakes are too high not to do so. Authentication is not only central to safeguarding our individual companies, but also to the integrity of our ecosystem—the way we interact with each other and conduct business together. And all stakeholders have a highly vested interest in protecting that. Senders and receivers must close ranks, aggressively pursue the bad players together, and give them no quarter by stripping them of their anonymity and imposing the ultimate cost on their operations: putting them out of business.
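What ‘check and block’ looks like on the receiving side, as an added example that is not code from this article or from any of the groups it names: a Python sketch that reads the SPF and DKIM results a border MTA has already recorded in an Authentication-Results header (RFC 7601) and applies the strict policy argued for above, treating ‘no authentication at all’ the same as a failure. The MTA name mx.example.net, the brand and spoofer domains, and the sample messages are all constructed for illustration; the code does no DNS lookups of its own.

```python
"""Turning recorded SPF/DKIM results into an accept/defer/reject decision.

Added example, not code from the article. It assumes the border MTA has
already evaluated SPF and DKIM and written the outcome into an
Authentication-Results header (RFC 7601) stamped with our own authserv-id,
assumed here to be mx.example.net. No DNS lookups are performed here.
"""
import re
from email import message_from_string, policy

OUR_AUTHSERV_ID = "mx.example.net"  # assumed identifier of our own MTA

# "method=result" at the start of each ';'-separated clause,
# e.g. "spf=pass smtp.mailfrom=bounce.brand.example".
_RESINFO = re.compile(r"^\s*(?P<method>[a-z0-9-]+)\s*=\s*(?P<result>[a-z]+)", re.I)


def parse_auth_results(header_value):
    """Return (authserv_id, {method: result}) for one header value."""
    clauses = [c.strip() for c in str(header_value).split(";") if c.strip()]
    if not clauses:
        return "", {}
    authserv_id = clauses[0].split()[0].lower()  # drop optional version token
    results = {}
    for clause in clauses[1:]:
        m = _RESINFO.match(clause)
        if m:
            results[m.group("method").lower()] = m.group("result").lower()
    return authserv_id, results


def trusted_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Merge results only from headers stamped by our own MTA.

    Headers carrying any other authserv-id are ignored, because a sender can
    write an Authentication-Results header too. The MTA must additionally
    strip inbound headers that falsely claim *our* id (RFC 7601 section 5);
    that forgery cannot be detected at this layer.
    """
    merged = {}
    for value in msg.get_all("Authentication-Results", []):
        who, results = parse_auth_results(value)
        if who == authserv_id:
            merged.update(results)
    return merged


def decide(raw_message, authserv_id=OUR_AUTHSERV_ID):
    """Strict policy: no authenticated identity, no delivery.

    Returns (verdict, reason) with verdict in {accept, defer, reject}.
    A result of 'none' (sender published nothing) is treated like 'fail'.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    results = trusted_results(msg, authserv_id)
    spf = results.get("spf", "none")
    dkim = results.get("dkim", "none")
    if spf == "pass" or dkim == "pass":
        return "accept", f"authenticated (spf={spf}, dkim={dkim})"
    if "temperror" in (spf, dkim):
        # A DNS failure on our side is not the sender's fault: 4xx, retry later.
        return "defer", f"transient lookup error (spf={spf}, dkim={dkim})"
    return "reject", f"unauthenticated (spf={spf}, dkim={dkim})"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "authenticated": (
        "Authentication-Results: mx.example.net;\n"
        " spf=pass smtp.mailfrom=bounce.brand.example;\n"
        " dkim=pass header.d=brand.example\n"
        "From: Brand <news@brand.example>\n\nHello.\n"
    ),
    "hard_fail": (
        "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=brand.example; dkim=none\n"
        "From: Brand <news@brand.example>\n\nClick here.\n"
    ),
    # The only results present were written by the sender, not by us.
    "foreign_stamp": (
        "Authentication-Results: mail.spoofer.example; spf=pass; dkim=pass\n"
        "From: Brand <news@brand.example>\n\nClick here.\n"
    ),
    "temperror": (
        "Authentication-Results: mx.example.net; spf=temperror; dkim=none\n"
        "From: Brand <news@brand.example>\n\nHello.\n"
    ),
}


def run_samples():
    """Verdict for each constructed sample."""
    return {name: decide(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} -> {decide(raw)}")
```

Two details matter in practice. First, the code trusts only headers stamped with our own authserv-id, because anyone can place an Authentication-Results header in a message they send; the MTA must also strip inbound headers that falsely claim that id before this check runs. Second, an SPF or DKIM pass establishes who sent the mail, not whether they are reputable; as Lumos framed it, identity is the prerequisite for accountability, and reputation is the next step rather than something this check delivers on its own.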
Admittedly, email authentication won’t solve all the data and network security problems plaguing our industry at the moment. There’s much more that will need to be done. Nonetheless, authentication is an essential plank in a broader security platform that can address these problems, because by establishing identity and imposing a cost, we can shut down the use of email as a transport agent for unwanted messages and for those that might carry malicious code targeting companies and their customers. And that’s certainly essential to maintaining consumer trust and confidence in the integrity of email for safe communication and commerce.
And this leads to the second reason for my position. It relates to the great promise of Email Accountability—an improved ecosystem. It’s a promise that’s as compelling today as it was years ago when Lumos was first proposed, namely an ecosystem that would enhance the experience for customers and ensure the reliable delivery of email for the legitimate marketers who’ve long suffered collateral damage in the ongoing fight and are now incurring direct financial and brand damage. To me that promise is worth the pursuit.
My third and final reason stems from concern for the future of digital communication beyond email. If the history of direct marketing teaches us anything, it’s that the bad guys are opportunists. They follow the media adoption curve—junk mail, phone scams, email abuse—because that’s where the money is. It’s easy to see what’s next. What form will abuse take in an increasingly mobile, multi-channel digital messaging environment? That’s a scary thought. But scarier still is what our inability to solve today’s problem in email says about our readiness to tackle this greater challenge.
So why don’t we get on with it? Let’s get serious about achieving our vision of Email Accountability. There’s no better time than now since ‘safe and secure’ messaging is very much part of the whole data security debate. And no better place than the upcoming OTA Forum to join with others of like mind.
Either that, or let’s admit our vision for Email Accountability is unachievable or fatally flawed, and rethink what our vision should be. We’ve lived in limbo land long enough. This can’t be our permanent residence.