How to Send a Secure Email: 5 Tips for Government Senders
Len Shneyder, November 15, 2016. Best Practices

Messaging Security and Government

I recently had the pleasure of speaking on a panel titled "How Do We Achieve the Google of Government?" The panel was part of the Reverb Conference, which pairs private sector leaders with people working in government to inspire and drive innovation in agencies we normally assume are trailing behind in their use and implementation of technology. When I was invited to participate on this panel, I sat down with Kurt Diver, our head of Deliverability, to ruminate on what the Google of Government looked like from a messaging standpoint. We dove deep into our inboxes to fish out examples of email we had received from government agencies to see if they met a minimum bar for security. Not surprisingly, the emails we reviewed didn't meet our litmus test for safe and secure messaging. (As a disclaimer, we only looked at a couple of examples from San Francisco, Oakland, and Denver.) In all instances, the sending domains lacked DKIM (DomainKeys Identified Mail), so nothing vouched for the integrity of the message content.

DKIM is a cryptographic solution used by sending platforms and ISPs around the world to help ensure that messages are not tampered with in flight and that domains aren't spoofed. DMARC, which builds on DKIM, lets a domain owner publish a policy that a receiving domain (like Gmail or Hotmail) can reference when a message arrives that failed a DKIM check. What should the mailbox provider do with this message? Keep it? Deliver it? Quarantine it? Or drop it on the floor because it's deceptive, designed to defraud someone of their identity, or worse? Given the prevalence of email in the national news, and that it is often a vector in high-profile data breaches, the fact that local and state governments are not leveraging email authentication to increase the trustworthiness of their digital communications is disconcerting.
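The decision described above, as an added example that is not part of the original post: a receiving mailbox provider looks up the sender's DMARC record, checks whether an authenticated DKIM or SPF identity aligns with the From domain, and otherwise applies the published policy. The domain names, TXT records and the two-label stand-in for the organizational domain are constructed assumptions.

```python
"""Added example (not from the original post): how a receiving mailbox
provider turns a published DMARC policy into a disposition for a message
that failed its DKIM check.  Domains and TXT records are constructed."""
import re

# Constructed stand-in for the _dmarc.<domain> TXT lookups a receiver performs.
DMARC_RECORDS = {
    "city.example": "v=DMARC1; p=reject; rua=mailto:dmarc@city.example",
    "county.example": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
    # "agency.example" publishes no record at all.
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; None if it is malformed."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        m = re.fullmatch(r"(\w+)\s*=\s*(.+)", part)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2).strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed accepts any
    subdomain.  Simplification (assumption): the last two labels stand in for
    the organizational domain a real receiver derives from the public suffix list."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    org = lambda d: ".".join(d.split(".")[-2:])
    return a == f or org(a) == org(f)

def disposition(from_domain, dkim_pass, dkim_domain, spf_pass, spf_domain):
    """Return 'no-policy', 'pass', or the domain owner's requested p= action."""
    txt = DMARC_RECORDS.get(from_domain.lower())
    record = parse_dmarc(txt) if txt else None
    if record is None:
        return "no-policy"          # receiver falls back to its own filtering
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    spf_ok = spf_pass and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass"               # either aligned mechanism satisfies DMARC
    return record["p"]              # none / quarantine / reject
```

A sender with a valid, aligned DKIM signature passes regardless of SPF; a spoofed message with neither reaches whatever the domain owner asked for, and a domain with no record leaves the receiver guessing.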
On the bright side, when we looked at the USPS, we did find a valid DKIM policy set to reject fraudulent messages. In addition to leveraging basic email authentication protocols such as SPF, the USPS email was sent using TLS (Transport Layer Security), an opportunistic means of encrypting email in flight from sender to receiver, negotiated when the receiving server offers it, so that no one can read the content as it traverses the Internet. It may be that government agencies are not aware of how vulnerable messages in transit can be and how easily a domain can be spoofed. Understandably, messaging isn't at the heart of local, state, or federal government's job description, but arguably it should be on their radar given its utility in automating the customer service functions of a people-driven government.

Messaging as a Path to Automation

Last year, I spent a day bouncing from desk to desk at San Francisco's City Hall trying to obtain a business license. The entire application process was human driven and lacked clarity. Then, most recently, I received a bill for one of the business licenses that required me to download an application in PDF format from the web, fill it out, and mail it back to City Hall. This is what I like to think of as a half-committed attempt at digitizing a simple process. The fact is that hosted web forms with intelligent triggers can easily accept a submission and instantly issue a confirmation of that submission with additional information. Once the paperwork or request has been approved, another message could be sent. Many of the phone- and in-person-intensive processes that punctuate City Hall could be done electronically through email and mobile apps. After I mailed back my application to City Hall, I did receive an email confirmation. I really want to celebrate the email I received, but it's rather difficult given that it lacked all of the basic identifying features of today's run-of-the-mill marketing and transactional communications.
Like the Fortune 100 brands that shape consumer expectations, the inner workings (or not) of government shape citizen attitudes toward dealing with local, state, and federal agencies.

5 Sending Tips for the Public Sector

After looking at the email a bit more, I put together the following short list to help anyone working in a city or state agency and thinking about email to better serve people electronically.

Use a friendly from: The message I received came from “noreply@.” Think about the tone that this sets. It’s one thing not to accept replies to a certain address, but if I stopped at noreply and didn’t bother to read the domain, I’d have no clue who the sender was.

Include a signature: The email lacked a signature—it was short and informational, but again, think about the kind of communications we’re used to seeing out in the wild—they have footers and headers.

Include an identifying seal: There was no city seal to help me know that this email came from San Francisco’s City Hall or an associated agency.

Beware of attachments: There was an attachment in my email. Email attachments aren’t necessarily a good practice. In this case, it was an HTML document, which is more benign than a zip file, executable, or other binary document, but it increases the likelihood that this message would wind up in the spam folder. The best practice here is to encode the information in the body of the email or link back to a portal with a login where this information could be accessed.

Don’t be afraid of text-only emails: The emails were encoded as HTML documents but were nothing but text. When looking “under the hood,” there was a tremendous amount of unnecessary code that really wasn’t accomplishing anything. The relatively simple emails, one of which had no links in the body, could’ve been sent as text instead of HTML.
If you’re going to code HTML, leverage images and other traditional elements associated with HTML email, because that’s what the recipient expects and what anti-spam filters look at to measure text-to-image ratios.

Where the Government Goes from Here

The government of tomorrow should take a page from the startups and businesses of today that are pioneering technologies and new communication methods on the Internet. As our society becomes more and more complex, human scale can’t keep pace with population growth and consumer expectations that are evolving and becoming increasingly complex and technologically savvy. I don’t fault government agencies for not knowing what the minimum requirements or basic expectations of consumers are when it comes to email or other forms of digital communications. But it’s important that whatever messaging a government agency chooses, whether it’s app-driven, email, or SMS, it needs to be done with care and according to industry best practices in order to protect the agency along with you and me. For more on email authentication and best practices, check out our 2016 Email Deliverability Guide.
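The machine-checkable parts of the five tips (the noreply sender, the attachment, and HTML that is nothing but text), as an added example that is not part of the original post: a pre-send lint pass over an outgoing message using Python's standard email package. The sample message and the noreply prefixes are constructed for illustration; the signature and seal tips are judgment calls this check does not attempt.

```python
"""Added example (not from the original post): a lint pass that flags the
problems the five tips describe in an outgoing message before it is sent.
The message below is constructed to trigger each finding."""
from email import message_from_string, policy
from email.utils import parseaddr

SAMPLE = """\
From: noreply@city.example
To: resident@example.net
Subject: Business license application received
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><div><div><p>Your application was received.</p></div></div></body></html>
--b1
Content-Type: text/html; name="receipt.html"
Content-Disposition: attachment; filename="receipt.html"

<html><body>Receipt</body></html>
--b1--
"""

NOREPLY_PREFIXES = ("noreply", "no-reply", "no_reply", "donotreply")  # constructed list

def lint_message(raw):
    """Return a list of finding strings; an empty list means no tip was violated."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Tip 1: the From address should identify the sender, not "noreply".
    address = parseaddr(str(msg.get("From", "")))[1]
    if address.split("@")[0].lower().startswith(NOREPLY_PREFIXES):
        findings.append("from: noreply-style local part hides who the sender is")
    # Tip 4: attachments raise spam scores; keep content in the body or link to a portal.
    attached = [p.get_filename() for p in msg.walk()
                if p.get_content_disposition() == "attachment"]
    if attached:
        findings.append("attachments: %s" % ", ".join(attached))
    # Tip 5: HTML that carries no images or links is plain text wearing markup.
    html = msg.get_body(preferencelist=("html",))
    if html is not None and msg.get_body(preferencelist=("plain",)) is None:
        body = html.get_content().lower()
        if "<img" not in body and "<a " not in body:
            findings.append("html: no images or links; send as text/plain instead")
    return findings
```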