Archive for the ‘Email Deliverability’ Category

Protect Your Customers and Your Brand With DMARC

Posted by Alex Wolski on November 5th, 2015

Trust is critical to digital marketing. Every time customers open your email or visit one of your web pages, they need to feel secure knowing that their personal information is not getting into the wrong hands. Unfortunately, there are cybercriminals who profit from stealing this information and using it fraudulently. One of their tactics is called phishing, which can have a serious negative impact on your organization and your customers. Luckily, there are methods available to help combat phishing, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which is relatively new and very promising.

What is phishing?

Phishing is a type of scam where a criminal uses digital media techniques to impersonate a reputable brand or person with the express purpose of stealing something from victims. For example, the attacker might send an email to a victim that appears to be from the victim’s bank telling them there is some issue with their account that needs to be resolved immediately. Social engineering techniques are used to create fear, making the victim believe they have been falsely accused of something, or to play on their greed. The emotional response that is created can cause even sophisticated “techies” to fall prey to these techniques. When the victim follows a link in the email and enters their account information into a fake web form, the attacker gains access to the victim’s account information and can drain their funds.

The impact of phishing on relationships

Data vendor, Return Path, recently published some scary facts about phishing:*

  • 97 percent of people globally can’t identify a sophisticated phishing email
  • Email fraud has up to a 45 percent conversion rate
  • 71 percent of U.S. adults would be at least somewhat likely to switch to a different bank if they became a victim of online fraud at their current bank
  • The average cost of an enterprise data breach is $3.79 million

* Return Path. (June 3, 2015). “13 Email Fraud Stats Every Security Professional Should Know.”

Cybercriminals are getting more advanced with their ability to mimic the look, feel and even domain names of their target brands. If your account holders are victimized, they will be angry, and it’s likely their anger will be directed at your financial institution, not the criminals. So what can be done?

The role of email authentication

The best way to stop phishing is to ensure that phishing emails never get delivered to the inbox. Internet Service Providers (ISPs) have sophisticated filtering techniques that cybercriminals try to get around by using a tactic called spoofing. Spoofing is the act of impersonating another organization’s domain name(s) in the delivery of email messages and/or in the links in those messages. Spoofing hijacks the trust relationship between an organization and its customers.

One tactic in the fight against spoofing and cybercrime is email authentication. Email authentication requires participation from both the sender and receiver to determine if a message is valid or not. In the type of email authentication called Sender Policy Framework (SPF), the sender publishes a range of IP addresses in its Domain Name System (DNS) that are authorized to send out email on its behalf. If the receiver sees messages purporting to be coming from that sender but from an invalid IP address, it has the option to block those messages.

Another type of email authentication is DomainKeys Identified Mail (DKIM), a cryptographic method in which the sending machine signs the message with a private key and the receiver checks that signature against the matching public key published in the sender’s DNS. The receiver needs to retrieve the public key and verify the signature in order for the DKIM signature to be valid. The receiver can then filter out messages if the DKIM signature is not valid.

These methods are very useful, and we suggest that all senders authenticate their emails with both SPF and DKIM. Harland Clarke Digital does this with all of its own domains as well as its clients’ custom mailing subdomains. But unfortunately, both protocols can be hacked, because they work in isolation from each other. To make matters worse, legitimate senders do not always use SPF and DKIM across all of their valid email channels. For example, your marketing emails might use DKIM, but your online banking messages do not. So, ISPs are still left in a position of not having an acceptable and reliable way to filter out bad mail and ensure good mail gets through.


DMARC is a newer authentication mechanism that leverages both SPF and DKIM. With DMARC, senders can:

  • Receive reports about messages that purport to come from their domains but fail SPF and DKIM checks.
  • Set a policy for how mailbox providers should treat these messages. The options are to deliver the message (but send a report), to quarantine the message or to outright reject the message.

One of the greatest benefits of the DMARC protocol is the reporting aspect. With that information at hand, senders can improve their message streams while also having an early warning system for spoofed messages. Because an outbreak of spoofing would likely not use valid DKIM and SPF, the spoofed messages show up in the reports. The organization can use this information to track down the spammers and hopefully get them shut down. The other advantage is that the sender can set a clear policy about what ISPs should do with messages that fail authentication.
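As an added illustration (not code from the original post), the Python sketch below applies the three policy options described above to the SPF and DKIM results of a few messages and lists the failures a sender would see in its reports. It also checks that the authenticated domain matches the From domain, as the DMARC specification requires; the record, domains, IP addresses and the simplified two-label organizational-domain rule are assumptions made for the example.

```python
# Added example: apply a published DMARC policy to SPF/DKIM results.
# Every domain, address and message below is constructed for illustration.

def parse_dmarc(txt):
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy, msg):
    """Return (dmarc_pass, disposition) for one message's SPF/DKIM results."""
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["spf_domain"], msg["from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_domain"], msg["from"], policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    # p=none still delivers the message; the failure only shows up in reports.
    return False, "deliver" if policy["p"] == "none" else policy["p"]


def failures_for_report(policy, messages):
    """Source IPs that failed DMARC: what the domain owner sees in reports."""
    return [m["ip"] for m in messages if not evaluate(policy, m)[0]]


RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@bank.example"

MESSAGES = [
    # Marketing stream: DKIM-signed by a subdomain of the From domain.
    {"ip": "192.0.2.10", "from": "bank.example", "spf": "fail",
     "spf_domain": "esp.example", "dkim": "pass",
     "dkim_domain": "mail.bank.example"},
    # Online banking stream: no DKIM, but SPF passes for the same domain.
    {"ip": "192.0.2.20", "from": "bank.example", "spf": "pass",
     "spf_domain": "bank.example", "dkim": "none", "dkim_domain": ""},
    # SPF passes, but for an unrelated domain, so it does not count.
    {"ip": "203.0.113.66", "from": "bank.example", "spf": "pass",
     "spf_domain": "other.example", "dkim": "none", "dkim_domain": ""},
]

if __name__ == "__main__":
    policy = parse_dmarc(RECORD)
    for m in MESSAGES:
        print(m["ip"], evaluate(policy, m))
    print("reported failures:", failures_for_report(policy, MESSAGES))
```

Changing `p=quarantine` to `p=none` in the record leaves all three messages delivered while the third still appears in the failure list, which is the reporting-only option the post describes.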

How do you set up DMARC? What are the downsides to implementation? Are there any pitfalls organizations need to be aware of? We will cover these questions in next month’s entry.




Don’t Forget About Suppression Lists

Posted by Deanna Cruzan on August 13th, 2015

I have noticed that when it comes to deploying emails, many financial institutions do not consider ALL of their list options… meaning while it is critical to target your emails by getting the right promotion or message to the right person, it is equally important to identify segments that shouldn’t receive all your deployments and suppress them from future mailings.

Working with financial institutions, I have noticed that many are underutilizing this tactic, which may have negative results on deliverability as well as click-through rates, opens and renders, etc. Here are a few suggestions on the types of list suppressions you should create and implement into your best practices:

 1. Suppressing account holders who are younger than 18 years of age.

Although I am not an attorney, I would suggest reviewing this website for additional information on communicating with children online. And just to be safe, consider suppressing anyone younger than 16 even if they fall within the guidelines of COPPA.

 2. Suppressing account holders who are in default on loans.

It is most definitely not a best practice to send promotional emails to anyone who is in default of paying a loan, consistently misses payments or has declared bankruptcy. The sale that you make can actually cost you more money later on especially if they have a poor financial history.

 3. Suppressing screaming deletes

Screaming deletes are those customers who do not want your email communications no matter what. In fact, when you find a customer that is so disgruntled by your communications, check your file for any additional email addresses that you might have for them. Add ALL of the email addresses to the ‘screaming deletes’ file. This will save you some headaches down the road.

 4. Create a file for long term disengaged account holders

I recommend putting older email addresses with zero activity in at least 12 months or more into their own list. Not only will it be helpful to see the results from customers with current activity versus those without, but also you can identify older email addresses that may have become part of a spam trap. This will help keep your deliverability at its highest standards.

Although sending out emails is less expensive than sending out direct mail pieces, the same rules should still be considered and applied… just because you can, doesn’t mean you should.


Canadian Anti-Spam Law Expert Talks CASL

Posted by Rob Ropars on March 12th, 2015


Interview with Shaun Brown, Canadian lawyer practicing at nNovation LLP and Canadian Anti-Spam Law (CASL) expert

These are the opinions of the guest and not that of Harland Clarke Digital. This does not serve as legal advice and is informational only. Facts and circumstances vary, so please seek the advice of counsel on the topics discussed below if you have further questions. 

HCD: In the lead up to CASL’s final form, what surprised you most about the Canadian government’s approach to promulgating this law?

SB: The fact that it happened at all. It was a big undertaking, and it’s a fairly aggressive approach. When you look at federal privacy legislation, which has been in place for almost 15 years, the government has been working since 2006 to make relatively minor amendments to that law, and it still hasn’t happened.

In the same time period, CASL was drafted from scratch, addressing a variety of issues, and although it draws on the experiences from other countries, it was largely new. So, I think the most surprising thing was the government having the energy to draft and get CASL through the legislative process.

HCD: What do you consider to be CASL’s strengths as an anti-spam law?

SB: In many ways, the government tried to capture and reflect industry best practices.

HCD: Conversely, what are its weaknesses?

SB: CASL is very prescriptive. It’s a very detailed set of rules for sending email. While spam and malware can bring huge problems/threats, the vast majority of businesses are doing things right, and the emails they send aren’t a huge problem for most consumers. So, we have ended up with a large number of rules, in some cases redundant/overlapping to other laws, which now causes challenges for compliance. For example, there are various requirements for capturing opt-in consent, such as the requirement to provide more specific contact information and telling a person he/she can unsubscribe — these things can be a hassle.

HCD: Based on your dialogue with industries and businesses, what are the top misconceptions/questions you heard prior to CASL’s launch?

SB: A lot of people weren’t aware of allowances to transition existing databases, such as the transition provision for extending the time periods for implied consent, and the ability to grandfather those with existing consent obtained in compliance with privacy legislation.

Also, some didn’t understand the breadth of some of the implied consent provisions, specifically within the B2B space. For example, consent can be implied if someone gives you his/her email address, or if he/she conspicuously publishes his/her email address, so long as the information you send is relevant to what the recipient does in his/her business capacity. This can be quite helpful for B2B marketing where you have to essentially “cold call” people by email, which is less appropriate in B2C context.

Another example was how Canadian Radio-television Telecommunications Commission (CRTC) was going to enforce the legislation. With penalties of up to $10 million per violation, there was a lot of concern that the CRTC would begin penalizing everyone for minor violations. This hasn’t been the case.

HCD: What are the top misconceptions/questions you heard since CASL’s launch?

SB: Generally the same as pre-launch, but the computer program rules in CASL went into force the week of Jan. 12 of this year. So for some businesses, the focus has moved to these rules, which are potentially more complicated as are the involved scenarios. The software portion of CASL does not impact as many businesses, whereas the anti-spam portions apply to anyone doing email marketing.

The computer rules don’t apply as broadly as a lot of people think at first glance. CASL only applies when a business is installing software on someone else’s computer, not self-installed software. A large number of software programs are self-installed, i.e., apps.

HCD: We are six months post-CASL’s official start date (7/1/14). What did you anticipate we’d be experiencing at this point?

SB: I thought we might see a few published enforcement actions by now, although I knew it would take some time. The fact that we haven’t seen anything yet is not a bad thing.

This indicates, to me, that the CRTC investigations are complex, and they’re not coming out looking to tag some bigger business with “borderline” enforcement issues. This suggests that they are looking at the worst behavior going on, and it’s complex with multiple levels and players potentially in various countries.

Of course that is largely speculative at this point. There were comments pre-launch that maybe this was going to dramatically change email marketing, and people weren’t going to use email any more. I haven’t seen any indication of that.

HCD: Related to that, what has actually transpired related to CASL enforcement thus far?

SB: The indications, so far, are that the CRTC is going to tend to be reasonable, and for the time being focus on the worst actors causing actual harm to consumers.

HCD: Looking ahead, what do you anticipate we’ll have seen occur when we reach the first anniversary of CASL’s launch?

SB: More of the same. We could see some enforcement actions based on my assumptions about the type of situations being investigated. I don’t know if that’s going to result in guidance to the average email marketer however.

For example, there are outstanding questions about what constitutes a Commercial Electronic Message (CEM) vs. a transactional message. I don’t know if the CRTC is focusing on those types of specific questions/scenarios. I don’t think they’re focused on things that impact the day-to-day reality of marketers. I could be wrong, but don’t expect to see anything that will dramatically impact what email marketers are doing in the next six months.

Shaun, I want to thank you for taking some time to talk with me and share your thoughts on CASL with the readers of Digital Spin.

UPDATE: Following my interview with Shaun, the first CASL enforcement has coincidentally occurred.

CRTC Chief Compliance and Enforcement Officer issues $1.1 million penalty to Compu-Finder for spamming Canadians


Enchantment, Deliverability and The Beatles

Posted by Kavita Jaswal on February 13th, 2015

The Email Evolution Conference (EEC) in Miami was all it promised to be. As we boarded the yacht of information and sailed along the smooth sea of industry-expert knowledge, I was able to soak in an abundance of informative ideas, trends and industry information.

Here are a few key points I took away from the conference:

Opening keynote speaker, Guy Kawasaki spoke to the “Art of Enchantment.” He defined enchantment as, “the process of delighting people with a product, service, organization or idea,” and introduced this concept with the idea of creating an atmosphere of likability and trust in any given situation. He went further by stating that, “cultivating those elements into a service or product, we can “enchant” a consumer.”

As marketers, our email campaigns rely heavily on engagement. We create and deploy several emails within one campaign, collect data, test and analyze metrics. But sometimes, no matter what we do, we do not get the results we are looking for. Kawasaki’s theory is not rocket science, anyone can assume that being “delighted” with a service or product would initiate the click of a button to open an email or request more information, but to actually attain that level of enchantment through elements such as likeability and trust is the challenge.

An email marketing conference would not be complete without the topic of deliverability. In his Deliverability 101 session, Spencer Kollas spoke to the importance deliverability has on an organization as, “98% of brands use email as a marketing channel.” Clearly, this indicates the importance email deliverability can have on an organization’s overall marketing plan.

Kollas also discussed how, “78% of organizations globally have had deliverability issues within the last 12 months.” The results are not only staggering, but they prove the point that an organization must continuously monitor bounce rates, manage list hygiene and ensure its sender reputation is not susceptible to email filtering. The discussion led to various types of spam traps, and the impact they have on inbox delivery. Once an IP address is blacklisted in a spam database, 85-90% of mail can be blocked. These are frightening figures for any marketer, but it’s more proof that organizations need to proactively take all the necessary steps to stay clear of simple spam traps.

Through a series of cleverly chosen song and album titles, a panel of industry experts led a discussion on trending topics that encompass the future of email marketing.

The Beatles’ “Here, There and Everywhere,” began a discussion on today’s omnichannel consumer. Today, marketers have the ability to reach customers through multiple channels other than email. What does this mean for today’s marketer? While it’s still necessary to utilize and optimize an email communications plan, using a multi-level approach for any email campaign can offer greater opportunity for success.

R.E.M.’s “Automatic For the People,” led to a conversation of traditional vs. behavioral marketing. Traditional email included the idea of filling up a marketing calendar with general content. Today, behavioral marketing is more impactful and easily accessible through data collection and marketing automation. The general idea was to go from being a push marketer to advancing into a pull marketer. This means instead of pushing out all sorts of content and information that is relevant to your brand as a whole, you take the time to learn more about what your consumers want to read by pulling in data and revising and personalizing your content calendar on a regular basis.

“Geekin’” brought about a discussion on the ever-present struggle between a company’s marketing department and respective technical teams. As we progress into the future, marketers need to get their left-brain wheels turning, so to speak. Technology is now a big part of marketing and everything we do seems to be more data-centric. In order to progress towards these technological advances, pairing up with other departments and working cohesively can ensure successful outcomes.

Beginning with a keynote session on enchantment, a seminar on deliverability and a panel discussion on what we can expect for the future of email marketing, the EEC proved to be an informative and insightful success.

For more insight from the EEC, check out the Twitter stream from attendees using the EEC15 hashtag.


Email Design Strategies – According to Whom?

Posted by Deanna Cruzan on February 5th, 2015

Strategies to improve email engagement are constantly evolving. With the ever-changing digital landscape, I find it critical to research new design trends, find a consistent pattern and test it out. Once I have solid results, I share them with my clients so they can incorporate them into their email marketing program. However in my experience, I find that when it comes to email design, there is not always one correct answer.

Email design has a tremendous effect on email deliverability, which is based on understanding and complying with the laws that make up the business of sending email. Deliverability is measured by taking a hard look at the numbers of emails sent compared to the numbers of emails that actually land in an inbox. In order to ensure the best deliverability, I tell my clients that they need to put their communications through an internal content evaluation so the email can be accepted by the IP filter.

Regarding design, IP filters take a look at the ratio of text to images and font color. The structure of the HTML is an important part of a filter’s analysis. If it sees more HTML comments than actual text, this can trigger the filter to mark your email as spam. But how can companies such as Dunkin’ Donuts® or Menard’s® send image-only emails directly to their customers’ inboxes? Many filters take what is called a “fingerprint” of the email, which is then compared to a database that lists out known spammers. Filters also look closely at the sender’s domain name. If the domain name has an exceptional reputation, that is factored into deliverability. So being a big brand name like Dunkin’ Donuts or Menard’s, these businesses can send image-only emails that aren’t flagged as spam. So, what should you do if you aren’t a large, well-known brand? Stick to the tried-and-true rule: use an equal ratio of images to text and avoid hard-to-read color palettes.

Responsive design is turning into more than a trend; it’s becoming the norm especially regarding web design. But, is it always necessary for email messages? Responsive designs can lead to a user-friendly experience while on a mobile device, but that doesn’t apply to ALL mobile devices especially those that are not iOS or Android or ALL email providers like those who use Outlook or Gmail. The coding for email is much more complicated and can lead to problems especially if the CSS style isn’t formatted correctly. While it might not be a huge problem with simple CSS, the more complicated the code becomes with tables, nested tables, spacing and so on, the harder it may become for an email provider to format the message correctly.

Responsive design is a great option if you have a simpler message or the right employees who have experience creating responsive code for email. You also want to take into consideration the state of your website. Is it responsive as well? If it’s not, you might have some displeased clients who go from a responsive email experience to an unresponsive website experience. Although this detail might not be detrimental, it’s extremely important to keep your messaging as seamless as possible. You want tone and branding to come across the same in all locations. So while responsive design might seem like a “must-have” in regards to email design, it’s not always the right option at the moment. You can still create positive experiences with your email recipients by focusing on a design that works well with mobile users.

Email design strategies are constantly changing as new technologies emerge. The key is to determine what is best for you and your clients, and the best way to do this is to test, test, test. Then once you figure that out, something new will come along, and you will need to test again!