2017 State of Email: What we Can Expect in the New Year
Entering 2017, email continues to thrive while sustaining a long transformation that it has been undergoing for quite some time – literally decades. Throughout 2016, email solidified its place in a world where users run many communication apps simultaneously. Email is, and continues to be, the record of identity for transactions: apps use email to reset accounts, and services send their most important notifications through email. Furthermore, email is the only widely used cross-platform communication protocol that is free from proprietary control. This open nature is why email continues to thrive. In 2017, we’ll likely see these major trends around email continue:
Move to Transactional.
Email has had a long life – 45 years and counting – and during that time, the nature of its primary role has changed. For a time, email was the dominant form of personal communication over the internet. As other messaging platforms have become more predominant in personal communications, email has transformed into the system of record. Indeed, it is an email address that often underlies the user’s authentication and account recovery methods on the newer communication mediums.
With email standing behind most new internet services and account types, email continues to be one of the best ways that apps and services can reach out to users to engage and activate them. As a result, email continues to be the foundation of many growth programs.
Becoming Phishing Proof.
Since email is how apps and services authenticate users around account changes, it is critically important that email continue its development toward becoming phishing proof. Public cases in 2017 have shown how sophisticated attackers have gotten at using email and the damage they can do. Email providers like Google and Microsoft achieved major milestones around DMARC during 2016. When “DMARC reject policies” are finally deployed by these and other providers, email will have gone a long way toward taking the onus off the user to know when to trust a message.
Today’s users have many communication apps and services. While email has a well-earned place among them, it is not the only way that apps and services communicate with users. Apps continue to experiment to find the best mix of notification types. In 2017, we’ll see apps get even smarter about notifications: beyond sending the right message at the right time, they’ll also send it on the right medium at that time.
If 2017 is like the years before it, users will receive and send many more messages than they did in 2016. When these messages are done smartly, they provide users with options and control over their communications.
– Josh Aberant
Thoughts on the 2017 State of Email? Drop us a line below.
Continuing on my new year’s resolution to share what I’ve learned and put those learnings into practice, I thought I’d dig into the subject of security. One of the things I learned was that security is very important for everyone, but particularly for customers who are moving away from hosting their own infrastructure and entrusting their assets to a cloud provider. The learning is clear — but putting it into practice is the next step.
As it happens, a large number of features that we’ve rolled out over the past six months were, in fact, security related. This includes:
- Adding a maximum number of login attempts before the system times out.
- Two-Factor Authentication.
- Whitelisting API Keys allowed to inject messages.
- Implementing OAuth2 for Webhooks.
- Adding an option for Single Sign On (SSO) on SparkPost Elite accounts.
- Adding role-based access controls, more specifically a Reporting-Only role.
And those are just the customer-facing ones. We were looking at our overall cloud email security practices, even before hiring Steven Murray, our CISO. And he’s making changes — features, internal functionality, processes — to make sure security continues to be a high priority. For example, we’ve instituted intrusion detection to make sure we’re keeping our systems locked down.
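The login-attempt limit in the feature list above is a throttle that counts failed attempts per account and refuses further attempts for a cooldown once the limit is reached. The following is an added example, not SparkPost’s implementation: a sliding-window failed-login throttle in Python. The limits, account names and timestamps are constructed, and the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not SparkPost code): per-account failed-login throttle.

Failures within a sliding window count toward a limit; reaching the limit
locks the account for a cooldown period. The caller supplies `now` (seconds),
so there is no dependence on the wall clock.
"""
from collections import deque


class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900):
        # Assumed defaults: 5 failures in 5 minutes -> 15 minute lockout.
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> timestamp when the lock expires

    def is_locked(self, account, now):
        """True while the account is inside its lockout period."""
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and start the failure count fresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; return True if the account is now locked."""
        q = self._failures.setdefault(account, deque())
        q.append(now)
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A successful login clears the failure history for the account."""
        self._failures.pop(account, None)

    def attempt(self, account, password_ok, now):
        """Full decision for one login attempt: 'locked', 'ok' or 'fail'.

        A locked account returns 'locked' regardless of the password, so a
        guessed password during the lockout learns nothing.
        """
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account, now)
        return "fail"


if __name__ == "__main__":
    t = LoginThrottle(max_attempts=3, window_seconds=60, lockout_seconds=120)
    for ts in (0, 10, 20):
        print(ts, t.attempt("alice", False, ts))   # fail, fail, fail (now locked)
    print(30, t.attempt("alice", True, 30))        # locked: correct password rejected
    print(150, t.attempt("alice", True, 150))      # ok: lock expired
```

The throttle is keyed by account rather than source address, so a distributed guessing campaign against one account still hits the limit; in practice a deployment would also rate-limit per source and log every lockout event for the SOC.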
Here are the things we recommend our customers do to improve cloud email security when using SparkPost:
- Use strong passwords!
- Make sure every user enables Two-Factor Authentication when accessing the SparkPost account. This is the single biggest deterrent to attempts to hack into your account, and it’s easy to do.
- Assign roles to your users. If all they’re doing is looking at reports, then make them a Reporting-Only user.
- Make sure to change the password on any shared accounts on a regular basis.
- Set up your engagement tracking domains as HTTPS (Elite accounts).
Looking ahead, we will be adding support for more Single Sign On identity providers and rotation of DKIM keys, and we will continually look at how we store and access data without impacting performance.
What are your most pressing security concerns?
Do not go gentle into that new normal
At SparkPost’s recent Insight user conference, Steve Jones, executive director of DMARC.org, didn’t hold back. He began his talk on email authentication by bluntly observing that “spam and phishing are the new normal.” I sucked in my breath. Steve’s comment felt like a punch to the gut. I felt like I wanted to defend the honor of email. Yeah, bad guys—sometimes really bad guys—are out there, I thought to myself, but it’s the exception, not the rule! But I knew he was right. I settled down and nodded my head, knowing that Steve’s perspective squared with the experiences of people who manage the front lines of defense at ISPs and corporate email hosts, as well as the findings of email industry organizations like M3AAWG.
Steve noted that 28 billion spam messages are sent every day. By some estimates, phishing is a $3.7 million annual cost for the average enterprise. And for publicly traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”
So, spam and phishing really are the new normal. Companies must adopt a security posture that treats email as a major attack vector, one that is exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.
And this new normal is why Steve’s organization does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.
ISPs are moving to an authentication-only world. So should you.
The biggest consumer mailbox providers prefer authenticated email. But that preference may be changing to a mandate. In 2015, Yahoo took the plunge and published a “p=Reject” DMARC record. By doing so, Yahoo essentially told receivers, “if you can’t verify an email came from Yahoo, throw it away. No exceptions.” There are reports that Google may take a similar step for Gmail in 2016.
There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders have long been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that not everyone has yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!
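The “p=Reject” decision described above, and the false positives that a strict posture can produce, as an added example that is not part of the original post and is not DMARC.org or SparkPost code: a small Python evaluator that parses a DMARC TXT record and applies the identifier-alignment and policy rules of RFC 7489 to the results of the SPF and DKIM checks. The records and domains are constructed samples under example.com; the code performs no DNS lookups, approximates the organizational domain by the last two labels rather than consulting the Public Suffix List, and ignores the pct= sampling tag.

```python
"""Added example (not DMARC.org or SparkPost code): evaluate a DMARC policy.

Inputs are the DMARC record published at the RFC5322.From domain (or its
organizational domain), the From domain, and the domains for which SPF and
DKIM passed. Output is whether DMARC passes and the disposition the receiver
would apply. Constructed sample data only; no DNS is involved.
"""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict.

    Raises ValueError for a record that is not DMARC1 or lacks a valid p= tag,
    which is exactly the kind of mistake a record validator should catch.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption for this example: real receivers use the Public Suffix List,
    so names like example.co.uk are not handled correctly here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    if mode.lower() == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def evaluate(record, record_domain, from_domain,
             spf_pass_domain=None, dkim_pass_domain=None):
    """Return (dmarc_pass, disposition).

    spf_pass_domain:  the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain or "", tags["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain or "", tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"].lower()
    # sp= overrides p= for mail from subdomains of the record's domain.
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"].lower()
    return False, policy


if __name__ == "__main__":
    reject = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    print(evaluate(reject, "example.com", "example.com",
                   dkim_pass_domain="example.com"))        # (True, 'none')
    print(evaluate(reject, "example.com", "example.com"))  # (False, 'reject')
    # Legitimate mail signed by a subdomain fails under strict alignment:
    print(evaluate(strict, "example.com", "example.com",
                   dkim_pass_domain="mail.example.com"))   # (False, 'reject')
```

The third call in the demo is the false positive the post alludes to: the message is genuinely signed by the organization, but adkim=s rejects it because the signing domain is not byte-for-byte the From domain. Senders moving to p=reject usually start with p=none and the aggregate reports from the rua= address, confirm every legitimate stream aligns, and only then tighten the policy.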
It’s time to splice email authentication into corporate DNA.
The guardians of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.
But what about email? It’s the lifeblood of every company doing business on the internet today. But at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools to help protect against brute force bad guys, but they do little for phishing (and spear-phishing) attacks.
The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.
Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.
Adopting email authentication standards like DMARC (and transport layer encryption standards such as STARTTLS) will go a long, long way to improving your digital messaging security posture. What are you waiting for? Do it.
Ready to learn more about DMARC and email authentication? Here are a few resources to get going.
- How DMARC Is Saving Email, a great ebook written by our deliverability team
- The Validator, the free, all-in-one DKIM validation, SPF checker, and DMARC validator app from SparkPost
- Understanding SPF and DKIM In Sixth Grade English
- Twitter’s Email Privacy Report, powered by SparkPost
In light of the recent security breaches making the headlines, our own CMO Dave Lewis has posed eight points for consideration for CMOs, and what the possibility of a breach could mean for them and their own marketing activities.
Says Lewis: “This isn’t a pretty picture relative to the preservation of trust, but uglier still are the potential consequences—customers being unwilling to share the data that makes digital communication and commerce work because they no longer trust companies to keep it safe. Equally devastating would be a breakdown in the trust relationships we have with each other and an inability to effectively work together as partners in this ecosystem. These are the things that worry me if the breaches continue. They jeopardize our ability to generate revenue and build customer relationships as CMOs, putting our individual and collective success at serious risk.
So what can we do about it?”
Read the whole thing here at the CMO Council’s Marketing Magnified.