What marketers can do to prevent email spoofing
RTL: 'Dutch Government vulnerable to spoofing'
An hour ago, Dutch national broadcaster RTL Nieuws opened with a headline about possible fake COVID-19 update emails from the National Institute for Public Health (RIVM). Contrary to earlier cases, the received emails looked official and did not seem to come from fake email addresses. An inside job? All of a sudden, SPF and DKIM, commonly used terms in email marketing, got introduced in mainstream media. How can you as a marketing or communications professional avoid that you or your clients become a victim?
Image courtesy: RTL Nieuws
The usual spoofing case
This message hit my spam box today and seemed to be sent by a Dutch retailer. Besides the unnecessary underscores in the subject line, there is not much suspicious to notice.
However, after having a look at the from-address, you’ll notice immediately that this message has nothing to do with the retailer.
How to prevent common spoofing?
You cannot prevent criminals from using fake names, email addresses or even calling people on behalf of your company. But you can make sure your clients get used to your regular style of writing, visuals and sending frequency. That makes it easier for them to recognize any abnormalities. Below you’ll find some further advice on this.
Today’s RIVM case
It’s way more difficult in case your real email domain is used, which happened to be the case with the Dutch National Institute for Public Health today. It was sent from a real noreply@ address from the right domain, rivm.nl. Is it possible for people outside of my organization to send emails from my official domain? Yes, it is. In case you’re using Outlook to send emails to coworkers or external contacts, Microsoft sends the email using your domain’s email server, but you can use any server to send emails. In case you’re using software like Mailchimp, Hubspot or Marketo to send your mass emails, these messages will be sent via their servers, not yours. To make sure the emails are recognized as authentic by your recipients’ email clients such as Outlook, Gmail or Hotmail, you can ‘sign’ your email messages.
SPF, DKIM, DMARC
Without going into the tech details, you can authorize external servers to use your domain name in outgoing emails. This makes it easier for email clients and spam filters to avoid unauthorized messages from being delivered to the reader’s inbox. In a nutshell: Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) settings in your own domain’s DNS white list servers to use your domain and sign the email along its journey to make sure it hasn’t been modified and is authentic. Domain-based Message Authentication, Reporting and Conformance controls the SPF and DKIM policy to enable a final sign-off.
As explained by RTL’s tech journalist Daniël Verlaan (link, Dutch) it was possible to use spoofing software to send mails from official government accounts, because of incorrect DNS settings.
How to prevent RIVM-like cases?
Improve your email deliverability. Every email service provider or email marketing solution has instructions on how to make sure your domain settings are correct. It requires some information from your ESP as well as a configuration in your domain’s DNS settings. Here’s a quick overview of instructions for common marketing tools:
- Mailchimp: set up custom domain authentication
- Hubspot: SPF, DKIM and a deeper dive in troubleshooting
- Marketo: SPF and DKIM for email deliverability
Chapman Bright customers can always get in touch with any of our certified professionals to check their settings.
The bottom-line: educate your recipients in what they can expect from you
With the above tech settings, you can improve your email deliverability and direct your marketing emails to your customers’ inbox rather than their SPAM filters. But criminals are always one step ahead of you, so their messages might pop up right next to yours.
Have a look at recent messages I’ve received from KLM Royal Dutch Airlines. The screenshot from my inbox shows 11 messages legitimately sent by KLM in a time frame of 5 days, using 11 unique different sender names, a wide variety of email addresses and 3 different languages.
If any of these messages would have been fake, would I have noticed it?
Probably not. That’s why I strongly encourage you to educate your recipients, to facilitate them in recognizing spoofed emails. My tips:
- Keep your email marketing consistent and professional.
- Limit the use of different email addresses and sender names.
- Avoid spell mistakes or unnecessary capitals or interpunction – or always use them ? Don’t surprise your clients too much.
Marketo Certified Solutions Architect "The best way to prevent spoofing is to educate your recipients in what they can expect from you"