Back to the Future at the CSA Summit 2017
On a beautiful sunny day, around 120 attendees gathered in the Sports Museum on the banks of the river Rhine in Cologne for the plenary session of the annual CSA Summit on Thursday, 11 May 2017.
After a light breakfast for those who arrived early and a chance to wake up and chat over croissants and good coffee, Ivo Ivanov welcomed the guests and introduced the representatives of the three sponsors of the event: the silver sponsor dmarcian, the gold sponsor port25, and the diamond sponsor 250ok. “Back to the Future” is the motto of this year’s Summit; while half of CSA participants are already preparing for the future, the other half are still implementing current best practices.
After giving an overview of how the CSA has developed over recent years (e.g. from 9 certification criteria in 2004 to 9 pages outlining the certification criteria in 2017), Ivanov formally handed over to the new Director of the Certified Senders Alliance, Julia Janßen-Holldiek. In a touching scene, Julia thanked Ivo for his work and leadership over the last years and presented him with a compass to symbolize his new role in the background guiding the overall direction of the CSA. The CSA team, the day’s host, took to the stage, all decked out in team t-shirts in CSA blue. In keeping with the “Back to the Future” film theme, all guests found sunglasses under their seats for some inspiration in the photo booth, with a prize promised for the funniest picture tweeted from the Summit.
So what did the CSA get up to in the last 12 months? Thirteen new Certified Senders brought the total to 110. Six new partners swelled ranks to a total of 45 partners. By no means all senders who apply for certification are successful; of the 163 applicants in the last year, only thirteen were successfully certified and six are still in the certification process.
The CSA’s most recent publications were introduced by some of the authors present; eco Directive for Permissible Email Marketing https://certified-senders.eu/documents/, which deals with the legal aspects and requirements of e-mail marketing, and Best Practices for e-Mail Marketing https://e-mail.eco.de, an overview of how to best get your emails into recipients inboxes. All of the various white papers and publications that were published in recent months are available online under https://certified-senders.eu/documents/.
The new partnership with Email Vendor Selection (www.emailvendorselection.com), announced at last year’s Summit, started successfully, with impressive numbers of unique page views (77) supporting the business of CSA certified senders.
Knocking on the door of the inbox; relevance, identification and maintaining trust are key.
AOL’s Marcel Becker and 250ok’s Paul Midgin, filling in for Greg Kraios, went through current best practices and the various measures taken to defend our inboxes. Midgin compared unwanted emails to unwanted visitors knocking on your door and demanding to come in. As he put it, they don’t actually bang on the door nowadays, but say “Hi! I’m someone you know, can I come in please?”, which makes it harder to decide who should actually be let in.
Something senders should be diligently noting and respecting is correct opt-in and consent. This is key information. Recipients will either engage with your marketing messages or complain – what do you want them to do? Up to now, less engagement and frustration with email marketing has in the long run resulted in reduced revenue, though with smartphones etc. this will increasingly result in a negative impact on reputation. Too many marketing messages just look like spam. The email needs to matter; target the customer specifically, e.g. follow up on a sale with an email that is relevant to what the consumer is likely to do next.
On mobile devices, people really triage their emails; it’s like Tinder – “I like that email, I don’t like that email”. Put something meaningful right at the start of the email. People are categorizing their email more and more, and directing emails to various subfolders – or this is being done for them; for instance, Yahoo!’s smart views for shopping, travel or finance emails.
Now it’s not just about individual emails that people want or don’t want, but the types of emails they want or don’t want. You have to track what your customers want and tailor your messages to them.
Even though Slack is increasingly the tool used in the enterprise world, people still manage their everyday lives largely with emails. What people really want is a concierge, someone who manages all of the information in the emails to pull it up when it is needed, e.g. showing a coupon while it is still valid, surfacing the flight confirmation email a day before you fly etc. The new challenge for senders is to find a way to share information to improve relevance and performance while respecting trust and security.
ISPs, ESPs, and Trust Agencies have become brokers between consumers and brands. They can be that concierge that manages the flow of information. These bodies need to work together to create a good email experience for their consumers. Becker pointed out that trust agencies like the CSA are becoming increasingly important to ISPs and ESPs to help create trust with consumers.
Wrapping up, Becker and Midgin recommended senders start with processing bounces diligently, if they want to save and improve their reputation. If you’re knocking on someone’s door, start with SPF and then add DKIM into the mix to identify yourself.
They also warned the industry: there are only a few experts who move from company to company and know what needs to be done to improve email security. There is a perception that approaches like DMARC are black magic and are too difficult; they’re actually not, but there aren’t enough people who know how to implement the best solutions for improving deliverability. The industry also doesn’t make it easy for senders to make sense of all of the data that is available. Most senders need external experts to help them make using the available technology easier and more effective.
How to pass the reputation test; authentication and domain reputation
After the coffee break, the Reputation Twins, SPLIO’s Udeme Ukutt and Cisco Systems’ Don Owens, took to the stage to talk about “Reputation Demystified”. They explained the difference between blacklists and whitelists in terms of test grades. If you get one question wrong on a blacklist, you fail the whole test. With whitelists, you get to skip the test.
Ukutt and Owens reminded senders that a good reputation cannot be maintained if it’s not clear who the sender actually is. Senders need to make sure that they don’t look like one of the bad guys; so don’t use DGAs and do use anchor text: “n3456x35.example.com looks evil – don’t do it.” Show you’re not a robot and authenticate, authenticate, authenticate:
- Use a real public host name for HELO and make sure HELO and PTR match.
- Don’t publish “messy” SPF records and set up and correctly configure DKIM and DMARC.
- Don’t neglect to show that you are a professional; include a clear unsubscribe link & headers.
- Don’t run DNS, web servers, etc., on the same IP.
- Absolutely avoid domain privacy services.
- Don’t use generic froms; include your company name.
- Require a double opt-in; quality is more important than quantity.
- Monitor and, even more importantly, process bounces.
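The “messy SPF record” warning above is easy to state and easy to get wrong in practice. As an added example (not part of the summit report and not code from either speaker), the linter below checks a domain’s TXT strings for the faults receivers actually trip over: more than one SPF record, more than the ten DNS-lookup mechanisms RFC 7208 allows, the deprecated `ptr` mechanism, and a permissive or missing `all`. It makes no DNS queries and does not descend into `include:` targets, so the lookup count is a lower bound for the top-level record; the sample records are constructed.

```python
"""Added example, not from the CSA Summit report: a small SPF record linter.
Constructed sample records below; no DNS is queried."""
import re

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208, section 4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed sample TXT record sets, as they might be published at a domain
GOOD = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"]
NONE = ["some-unrelated-txt-record"]
MULTI = ["v=spf1 -all", "v=spf1 mx ~all"]
MESSY = ["v=spf1 a mx ptr include:a.example include:b.example include:c.example "
         "include:d.example include:e.example include:f.example include:g.example "
         "include:h.example +all"]


def lint_spf(txt_records):
    """Return a list of findings for all TXT strings published at a domain."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as PermError)")
    record = spf[0]
    lookups = 0
    all_qualifier = None
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = qualifier
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of {MAX_LOOKUPS} (PermError)")
    if all_qualifier is None:
        findings.append('no "all" term: hosts not listed get a neutral result')
    elif all_qualifier in "+?":
        findings.append(f'"{all_qualifier}all" lets any host pass SPF')
    if len(record) > 255:
        findings.append("single string longer than 255 octets; split into several quoted strings")
    return findings


if __name__ == "__main__":
    for label, recs in (("good", GOOD), ("none", NONE), ("multi", MULTI), ("messy", MESSY)):
        print(label, lint_spf(recs) or ["clean"])
```

The linter deliberately stops at the top-level record: a complete check has to resolve every `include:` and `redirect=` and add their lookups to the total, which is exactly where records published by several marketing suppliers quietly blow past the limit.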
Owens and Ukutt finished up by summarizing what they believe will be the future of reputation: Domain reputation will gradually be weighed more than IP reputation. New standards are coming: ARC (Authenticated Received Chain) and BIMI (Brand Indicators for Message Identification), among others.
One-Click will save them all: stopping your newsletters ending in the spam folder
“The Internet is for cats. Therefore everything on the Internet can be justified with a cat analogy.”
Sven Krohlas, Mail Security Specialist, 1&1, and Tobias Herkula, Head of Deliverability & Abuse Management, optivo GmbH, started with a story about the once-off purchase of a cat-scratching post (which solves the problem of the cat scratching your furniture) and the subsequent newsletter for cat-scratching posts that’s almost impossible to unsubscribe from (your new problem). Rather than try out the various email addresses you may have used to make the purchase or fill out complicated unsubscribe forms with Captchas etc., many annoyed recipients just mark the newsletter as spam.
An informal analysis of people’s spam folders showed 25% adult content, 29% erectile dysfunction, 23% (legitimate) newsletters, 13.5% phishing and 9.5% other. So almost a quarter of recipients’ spam folders are filled with legitimate newsletters. Not only that, spam filters are being trained to filter out non-spam newsletters. The senders lose both reputation and customers. All of this can be avoided with a one-click unsubscribe link.
A one-click unsubscribe method was created almost 20 years ago with RFC 2369 https://www.rfc-editor.org/info/rfc2369, e.g. unsubscribe@newsletter… However, this is not always reliable, as you cannot be 100% sure that the email with the unsubscribe request is successfully delivered.
RFC 8058 https://www.rfc-editor.org/info/rfc8058 solved this problem with one-click functionality for list email headers; by clicking on unsubscribe, a URL is opened and the user is unsubscribed, so no email needs to be sent (full disclosure: Tobias Herkula was involved in developing RFC 8058). AOL, Yahoo! and Gmail have already implemented it and Microsoft plans to do so at a later stage. Senders can very easily protect their reputation, avoid frustrated customers, and prevent their newsletters from being sent to the spam folder, just by implementing this new standard.
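To make the RFC 2369 and RFC 8058 mechanism concrete, here is an added example (not code from the summit or from either presenter) showing the two headers a newsletter needs and the check the unsubscribe endpoint must make before acting. The endpoint URL, the mailto address, the shared secret and the HMAC token scheme are assumptions for illustration; RFC 8058 itself only requires that the client POST the body `List-Unsubscribe=One-Click` to the https URI listed in `List-Unsubscribe`.

```python
"""Added example, not part of the original report: RFC 8058 one-click
unsubscribe headers and the matching endpoint check. URL, secret and token
scheme are assumptions."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

SECRET = b"constructed-demo-secret"            # per-sender secret (assumption)
BASE_URL = "https://news.example.com/unsub"    # hypothetical endpoint
MAILTO = "unsubscribe@news.example.com"        # hypothetical RFC 2369 mailbox


def make_token(address, list_id):
    """HMAC over address and list so the URL cannot be guessed or reused for
    another recipient. A real deployment would also bind an expiry."""
    return hmac.new(SECRET, f"{address}|{list_id}".encode(), hashlib.sha256).hexdigest()


def unsubscribe_headers(address, list_id):
    """Headers to add to every message: List-Unsubscribe with a mailto and
    an https URI (RFC 2369), plus List-Unsubscribe-Post (RFC 8058), whose
    only permitted value is 'List-Unsubscribe=One-Click'."""
    url = BASE_URL + "?" + urlencode({"a": address, "l": list_id,
                                      "t": make_token(address, list_id)})
    return {
        "List-Unsubscribe": f"<mailto:{MAILTO}?subject=unsub-{list_id}>, <{url}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_one_click(method, content_type, query, body, unsubscribed):
    """Endpoint logic for the https URI; returns an HTTP status code.
    Only a POST with the form-encoded one-click body counts: a GET from a
    link scanner or prefetcher must never unsubscribe anyone, and a bad
    token is rejected so a third party cannot unsubscribe other people."""
    if method != "POST":
        return 405
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return 415
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400
    q = parse_qs(query)
    address, list_id, token = (q.get(k, [""])[0] for k in ("a", "l", "t"))
    if not hmac.compare_digest(token, make_token(address, list_id)):
        return 403
    unsubscribed.add((address, list_id))
    return 200


if __name__ == "__main__":
    for name, value in unsubscribe_headers("alice@example.org", "cats").items():
        print(f"{name}: {value}")
```

The status codes matter for deliverability as well as correctness: a mailbox provider that probes the URI and gets 200 on a plain GET has no way to tell a working endpoint from one that unsubscribes anyone whose link is fetched by a security scanner.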
You think DMARC is easy? Think again!
Martijn Groeneweg and Nick Hristov of dmarcian, Inc. presented the lessons they learned from introducing DMARC at PostNL; something that was not as easy as many think. In recent years, the Dutch postal service, PostNL made it into the TV news because of large numbers of spam and phishing mails sent in their name. dmarcian were hired to help the company implement DMARC to prevent this from happening. While this is a technical task, it was by no means just a technical project. The technical aspects of implementing DMARC were just 30% of the project; 70% is process.
Groeneweg and Hristov distinguished between three project phases; Assessment, Implementation, and Management. In the Assessment phase, they did a SWOT analysis (e.g. S: Free open standard, W: Not enforceable, O: Ecosystem of large companies, T: Bad DNS management).
In the Implementation phase, they had to distinguish between active (50) versus a whopping number of inactive (2846) domains. PostNL had to be convinced that the parked/inactive domains also had to be made DMARC-capable in order to avoid abuse by third parties. There had been massive abuse, for example, on the domain post.nl, which belonged to PostNL, but was not actively used by them. PostNL had around 30 suppliers that were sending email on their behalf (e.g. Salesforce, Microsoft Office, SAP). Not all of these were DMARC compliant, and PostNL wasn’t even aware that some of the suppliers could send emails on their behalf.
Once DMARC was successfully activated, 99.8% of threats/unknown emails sent through PostNL domains were blocked.
Groeneweg and Hristov recommend explaining the importance of DMARC to brands. Many stakeholders, especially in big companies, have to be convinced to implement DMARC. Those helping them should also not underestimate what is involved. While the actual realization is not so difficult (“only” changing lots of DNS entries), it is easy to misjudge how complex the underlying email ecosystem can be. The impact of getting something wrong can be huge, as legitimate email could also be blocked.
A lot of cooperation between ISPs, ESPs, applications, brands, and government is required to implement DMARC across the board. PostNL is now trying to push DMARC and actively advocate it, also on an organizational level. There is a Coalition Safe Email in the Netherlands, with a focus on DMARC, which PostNL is part of. The Dutch government has now made it mandatory for any email application they buy to be DMARC-capable. A key take-away for dmarcian from the PostNL project was how strong an advocate for DMARC a happy customer can be.
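The PostNL lessons above come down to two things: every domain has to be inventoried, and parked domains need a different record set from active ones. As an added example (not dmarcian’s or PostNL’s code), the planner below parses a DMARC policy record and produces findings plus recommended DNS records per domain: a lockdown for parked domains (SPF that authorises nothing, `p=reject; sp=reject`, and a null MX per RFC 7505) and a step-by-step tightening for active domains, which must publish a `rua=` address so that unknown suppliers show up in aggregate reports. The domain names, reporting address and current records are constructed.

```python
"""Added example, not code from dmarcian or PostNL: DMARC record parsing and
a per-domain plan for active versus parked domains. All domains, records and
the reporting address below are constructed."""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.
    Returns None when the string is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" and "p" in tags else None


def plan_domain(domain, active, dmarc_txt, rua):
    """Return (findings, recommended_records) for one domain in the inventory."""
    findings, records = [], {}
    rec = parse_dmarc(dmarc_txt) if dmarc_txt else None
    policy = rec["p"].lower() if rec else None
    if rec is None:
        findings.append("no DMARC record: the domain can be spoofed without any receiver being told")

    if not active:
        # Parked domain: it neither sends nor receives, so say so in DNS.
        if rec is None or policy != "reject" or rec.get("sp", policy).lower() != "reject":
            findings.append("parked domain should sit at p=reject; sp=reject")
        records[f"_dmarc.{domain} TXT"] = f"v=DMARC1; p=reject; sp=reject; rua=mailto:{rua}"
        records[f"{domain} TXT"] = "v=spf1 -all"     # authorises no sending host
        records[f"{domain} MX"] = "0 ."              # null MX (RFC 7505): accepts no mail
        return findings, records

    # Active domain: keep reporting on, and tighten one step at a time.
    if rec is not None and "rua" not in rec:
        findings.append("no rua= address: aggregate reports are what reveal unknown suppliers")
    pct = int(rec.get("pct", "100")) if rec else 100
    if policy in (None, "none"):
        next_policy = "quarantine"
        findings.append("monitoring only; move to p=quarantine once every supplier aligns SPF or DKIM")
    elif policy == "quarantine" and pct < 100:
        next_policy = "quarantine"
        findings.append(f"pct={pct}: raise to pct=100 before moving to reject")
    else:
        next_policy = "reject"
    records[f"_dmarc.{domain} TXT"] = f"v=DMARC1; p={next_policy}; pct=100; rua=mailto:{rua}"
    return findings, records


# Constructed inventory: (domain, actively used?, current _dmarc TXT or None)
INVENTORY = [
    ("brand-demo.example", True, "v=DMARC1; p=none; rua=mailto:dmarc@brand-demo.example"),
    ("shop-demo.example", True, "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@brand-demo.example"),
    ("parked-demo.example", False, None),
    ("legacy-demo.example", False, "v=DMARC1; p=none"),
]

if __name__ == "__main__":
    for domain, active, current in INVENTORY:
        findings, records = plan_domain(domain, active, current, "dmarc@brand-demo.example")
        print(domain, "active" if active else "parked", findings, records, sep="\n  ")
```

The planner never jumps an active domain straight to `p=reject`; that is the 70% process part of the project, since each step only makes sense after the aggregate reports show every legitimate supplier passing.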
When email authentication can and cannot stop phishing
Microsoft’s Terry Zink kicked off his talk with this year’s magic trick; demonstrating his seemingly superb memory of a book on Sherlock Holmes, with the help of CSA’s Alex Zeh. He “phished” the entire audience; a great fun introduction to his talk on where email authentication is great, and not so great, at stopping phishing.
The good news on phishing is that lots of domains now do authenticate with SPF, DKIM, and DMARC. Spam filters have got very good at detecting phishing using traditional methods. However, the bad news is bad. Lots of domains in the enterprise sphere still do not authenticate at all and there has been a large increase in spear phishing.
Phishing is hard to detect and hard to measure (see https://blogs.msdn.microsoft.com/tzink/2016/11/23/where-email-authentication-is-not-so-great-at-stopping-phishing-random-it-phishing-scams/). Phishing emails are often set up so that they actually are authenticated, which makes them harder to detect. Some domains have weak authentication, but are not actually blocked. The lack of strong authentication allows cybercriminals to launch a springboard attack.
Some phishing emails contain no malware or URL, but are just social engineering in preparation for e.g. a spear phishing attack. What can also now be seen increasingly are real contact names used with lookalike domains, e.g. …@tovota-europe.com instead of …@toyota-europe.com. Microsoft has started blending warning notices into emails they have clearly identified as phishing, in case users try to interact with them anyway, believing a mistake has been made when the message was flagged as a threat. It has become a very effective tool to get senders to change their behavior.
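Lookalike domains of the tovota/toyota kind pass authentication perfectly well, because the attacker owns the lookalike; the defence is to compare the sending domain against the brands you protect. As an added example (not Microsoft’s detection logic), the classifier below folds a few visually confusable characters and then applies Damerau-Levenshtein edit distance, flagging a sender whose registrable domain is within one edit of a protected brand. The brand list and sample senders are constructed, the confusable table is a small illustrative one rather than a full Unicode confusables list, and the “last two labels” rule for the registrable domain is an assumption that a real deployment would replace with the public suffix list.

```python
"""Added example, not Microsoft's code: flag sender domains that look like a
protected brand domain. Brand list and samples are constructed."""


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fold(domain):
    """Collapse a few visually confusable spellings (illustrative table only)."""
    folded = domain.lower().translate(str.maketrans("01", "ol"))
    return folded.replace("rn", "m").replace("vv", "w")


def registrable(domain):
    """Assumption: the last two labels are the registrable domain."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender(from_domain, protected):
    """Return 'exact' (the brand itself or one of its subdomains),
    'lookalike' (within one edit of a brand after folding) or 'unrelated'."""
    sender = registrable(from_domain)
    for brand in protected:
        b = registrable(brand)
        if sender == b:
            return "exact"
        if damerau_levenshtein(fold(sender), fold(b)) <= 1:
            return "lookalike"
    return "unrelated"


# Constructed brand list and sample From: domains
PROTECTED = ["toyota-europe.com", "microsoft.com", "postnl.nl"]
SAMPLES = ["tovota-europe.com", "news.toyota-europe.com", "rnicrosoft.com",
           "micros0ft.com", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:28} {classify_sender(s, PROTECTED)}")
```

An “exact” result is where authentication earns its keep: the brand itself should be at DMARC reject, so a message from the real domain that fails alignment is dropped; a “lookalike” result is a signal for the content filter or a user-facing warning, since no authentication check will ever fail for a domain the phisher registered.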
Microsoft will soon introduce Brand Indicators for Message Identification (BIMI) (the IETF draft will be published in May 2017). The logo of the trusted sender will be displayed in MS email clients. It requires the sender to use strong email authentication, plus it must be on a known sender list, i.e. a white list. Banks and insurance companies, in particular, are very interested. The goal is not to get users to change their behavior, but to get marketers to want product placement and therefore push security teams to implement authentication in order to benefit from the free advertising.
BIMI works through DNS, rather than just in the header, as DNS lets this scale beyond email.
At the end, Terry revealed that he had phished the audience once more, by changing shirts – and indeed no one had noticed!
The Russian email market
Aleksey Shelkovin and Ilya Vorobiev, both from Yandex, gave an overview of the Russian email market. Yandex is the #1 search engine in Russia with 56% market share. Yandex Mail has 32.5% market share in Russia with a monthly audience of 26 million users and a daily audience of 9 million with over 300 million email accounts (main competitors: Gmail 13.6%, Mail.ru 48.7%, Rambler 5.1% market share). Yandex Mail has seven data centers in Russia and Finland.
Yandex Mail also strongly recommends that senders use double opt-in for mailing lists and One-Click unsubscribe, and that addresses are automatically unsubscribed after bouncing. The From address must be clearly associated with the brand, and black lists must be monitored. Shelkovin and Vorobiev showed graphs breaking down where spam and abusive emails originate.
Yandex offers senders comprehensive postmaster tools under postmaster.yandex.ru which allow them to quickly check how many emails have reached inboxes, ended up in the spam folder or were deleted. They also currently offer an IP-based feedback loop. Soon, Yandex plans to introduce a domain-based feedback loop as well as DMARC reports, user activity monitoring, the option to display AUTH status and an automated “check your email” function.
While Yandex offer a rich email user experience, not many senders design emails that allow information to be extracted. The key challenges are the lack of machine-readable data, which leads to inaccurate classification, invalid or partial information extraction and broken user scenarios. They would like to see schema.org used more, so they can extract more information from emails to offer users a richer email experience.
Everything you always wanted to know about … but never dared to ask!
The day ended with a question and answer session with a panel of experts on all things related to email authentication and best practices. The Director of the CSA, Julia Janßen-Holldiek, moderated the panel with Marius Bauer, Head of Deliverability Germany, Experian Marketing Services, Sebastian Fitting, Consultant at the eco Complaints Office, Thomas Fontvielle, General Secretary at Signal Spam, and Terry Zink, Program Manager at the Microsoft Corporation.
Some of the many take-aways from the discussion, questions and answers follow. When asked how they weigh their vetting process for senders, Experian pointed out that using double opt-in for mailing lists gets you 80% of the way.
Though direct neighbors, France and Germany have different markets when it comes to email deliverability. The French market is all about self-regulation. The ISPs regulate the market and you need to learn how to work with them. The German market features more presence by law enforcement and government bodies.
Controversially, Marius Bauer was asked which countries have the lowest quality standards when it comes to email marketing. Where customers are based in countries with the biggest gap between national requirements and international best practice, senders are not aware of international quality standards and ISPs have to step in. As Terry Zink added, the quality of email traffic seems to correlate with the country’s GDP: the lower the GDP, the higher the level of spam, with the exception of the USA. It seems linked to infrastructure and the presence or lack of regulation and governmental oversight.
How problematic mailings from a non-EU sender to a non-EU recipient are dealt with by the CSA and the eco Complaints Office was a question for Sebastian Fitting. Though, of course, European law does not apply to mailings outside of Europe between non-EU parties, the CSA regulations still apply to all Certified Senders, regardless of where they are based.
Terry Zink warned that if white list providers don’t police their list effectively, Microsoft will no longer use the list. Microsoft actually already partially uses the CSA whitelist; it is referenced in the approval process for senders and abuse by Certified Senders is reported to the CSA.
A low open rate is not related to deliverability. It has more to do with reputation and content, Marius Bauer pointed out. When asked what measures Experian takes if a customer is causing problems, he replied that the focus is first on starting a conversation and then trying to figure out if the customer is planning to continue their problematic activities before taking sanctions.
After a content-heavy day, and a quick feedback form, attendees had the chance to play hockey on the roof of the Sports Museum – parallel to the World Hockey Championship that took place in Cologne that week. Then dinner, drinks, and music gave everyone a chance to process the day’s sessions and to network and continue discussions on the banks of the river Rhine.