Email Authentication in the Time of COVIDWill Boyd
The COVID-19 crisis continues to teach us all quite a bit about what is important. In the world of email, this is no different. As an email community, we’ve seen COVID-19 related messages connect people and transfer critical information, while making it possible for us to stay connected.
However, bad actors are using the pandemic as air cover—they’re harnessing our collective anxiety and need for legitimate information and weaponizing it by spoofing critical sources of information and dangling items we deem essential in our inboxes. Whether it is a scammer trying to impersonate your bank or a thief trying to sell you masks that don’t exist, phishing related to COVID is taking a bad situation and making it worse. It’s corrupting the digital mediums that we all rely on to obtain goods, do our jobs, and engage with trusted sources of information and each other.
Statement from M3AAWG on COVID-19 Emailing
The Messaging, Malware, & Mobile Abuse Working Group (M3AAWG), (of which Twilio is a member) released a statement on Email Authentication For COVID-19 mailings calling on the email community to work together to help prevent spoofing, a major component of phishing, through proper use of email authentication.
This statement asks senders to “take further steps to authenticate and secure their sending domains and email addresses by deploying email authentication at scale and at enforcement.” It goes on to suggest the following authentication parameters:
- Publishing SPF records with at least ~all, or -all if the domain does not send email
- Signing all email with aligned DKIM
- Publishing DMARC policies for organizational domains—even non-sending ones—at enforcement: using at least p=quarantine, although p=reject is preferable, across the entire domain and all subdomains without exception
Proper authentication not only helps protect your subscribers from phishers and scammers trying to impersonate your brand, but it also helps mailbox providers make better decisions about the mail and senders they trust. In times of crises, senders who take the time to properly authenticate are often rewarded with better inbox placement, a more robust brand that’s harder to spoof, and more predictable results. Consequently, this is the same result during non-crisis times—the only difference is that the internet is THE essential means of socially distant connectivity.
Learn more about all things email authentication by reading How Email Authentication Works.
Setting up proper email authentication
If you are not an email authentication expert or hobbyist, don’t worry. Twilio’s professional services offerings are a very helpful way to both make sure your sending authentication is working as expected and identify any parts of your email program that might need a tune-up. You can find more info here.
If you are a Twilio SendGrid customer looking to get started with DMARC, we have recently partnered with our friends at ValiMail to offer DMARC Monitor for Twilio SendGrid. This free tool will allow you to immediately see who is sending email as your domain, both legitimately and maliciously.
Read more about this partnership on the Twilio SendGrid Blog or you can signup here.