Spoofing: Bad emails in a good name

Your customers rely on your good name and the good name of your brand. Without hesitation, they open your messages, click on download buttons or log in to linked websites with their login details. But what happens if someone else misuses your good name to send spam, phishing emails, viruses, and Trojans? Would you notice? And what can you do about it?

An email in my name — is it that easy?

Yes, it's that easy. The Simple Mail Transfer Protocol (SMTP), which is used when sending emails, does not by itself provide for checking the sender address. In principle, when sending an email, any sender address can be used — be it your own address, someone else's address or an address that doesn't exist at all.

How can I find out if fake emails are being sent in my name?

It is often relatively difficult for senders to quickly find out about fake emails in their name. With a bit of luck, there might be a recipient who complains to you about a malicious email. With bad luck, you may only notice the misuse of your sender domain when this domain is already on numerous blacklists and you are struggling with massive deliverability problems.

Is there a way to identify my organization as a legitimate sender?

There are various ways to signal that you are highly likely to be the legitimate sender of an email. One option is to use the Sender Policy Framework (SPF). Here, the owner of a domain publishes a so-called SPF record in the DNS, which determines exactly which servers with which IP addresses can send emails in the name of their domain — and which cannot. A second way is to use a DKIM signature. In this process, the owner of a domain publishes a public key in the DNS and adds a digital signature to the header of each of their emails. The recipient can use the public key to verify the signature in the email and determine whether it is valid or not.

Why isn't that enough?

Imagine an email provider receiving an email that claims to come from you. It checks SPF and DKIM and determines that the email is most likely not from you. Now it's up to the email provider to decide how to handle this email: put it in the recipient's inbox, send it to the spam folder, or not deliver it at all? Whatever the provider chooses, you can't influence their decision — and you won't learn anything about the existence of the fake email that carries your domain in the sender address.

What is DMARC and what can DMARC do?

DMARC is a technical specification developed by a group of companies and organizations — including AOL, Gmail, Hotmail, Yahoo, Facebook, and ReturnPath. Thanks to DMARC, more and more email senders and email recipients will decide together what to do with potentially fake messages; the check is based on SPF and DKIM. This not only protects the recipients of your emails, but also your good name. In the DMARC record, you can make a recommendation about what should happen with messages that fail the DMARC check: Should the receiving mail server deliver the email anyway, put it in the spam folder, or simply reject the email? As a sender, you can also have various types of reports sent to you by participating organizations — simply by email. These reports are a valuable monitoring tool: They enable you to check exactly whether fake emails are being sent on your behalf — and also to determine whether there are problems with authenticating the emails you send. This allows you to maintain an overview and control of your sender domain at all times.

And that works?

DMARC is a relatively new process that is still in its infancy. Not all email providers have implemented DMARC yet. And even with providers that already use DMARC, there are sometimes minor technical difficulties. Senders should therefore work carefully when it comes to their own DMARC policy. A detailed test phase is highly recommended — otherwise there is a risk that in the event of a technical glitch, the majority of your own authentic communication will simply not be delivered.

The preparation of the DMARC record, the detailed test phase and the regular, expert evaluation of the reports — all this requires knowledge, experience and time. Overall, however, we are of the opinion that the effort pays off. Thanks to DMARC, senders can better protect their good names and recipients from damage caused by fraudulent emails — and at the same time optimize the deliverability of their email campaigns.
