Email is the lifeblood for many advocacy programs and campaigns, and it’s no secret that threats to email security have surged in the past few years. But even in this environment, email deliverability and security are often overlooked.
The largest email list and the best content are useless if the emails aren’t arriving in your intended recipients’ inboxes. Organizations that don’t secure their emails leave themselves open to being hacked—someone with malicious intent can send emails that appear to come from your organization. This is exactly what happened with the Clinton campaign hack in 2016.
The good news is that there’s a simple way for organizations to improve email deliverability and secure their domain. The bad news is that according to a recent report, only one presidential campaign (Elizabeth Warren) has taken the necessary steps to do so. The solution that countless organizations are failing to implement is called a DMARC policy.
What is DMARC?
It stands for Domain-based Message Authentication, Reporting and Conformance. A DMARC policy is a way for a domain (e.g., hillaryclinton.com) to tell a recipient’s inbox “don’t accept an email that looks like it is coming from me unless the email can pass two tests.” More on those tests in a bit.
Thankfully, companies like PayPal have implemented a DMARC policy, which means that you won’t receive an email from an email address with the @paypal.com domain that isn’t actually from PayPal — dream on, scammers.
Not only does DMARC protect domains, but senders that adhere to DMARC will have much better email deliverability. If an email is able to pass the two tests — called SPF and DKIM — then email providers like Gmail and Outlook will know the email is less likely to be spam, making it more likely to land in the inbox. Sending emails that pass SPF and DKIM does take additional work to set up, but it’s important for the long-term sustainability of an email program. That’s why we have made it a standard part of the onboarding process for our clients at my firm.
What are SPF and DKIM records?
To better understand DMARC, it helps to have a high-level understanding of the two tests that emails need to pass. SPF stands for Sender Policy Framework, and it’s simply a list of IP addresses that a domain will allow emails to be sent from. The problem with SPF is that it’s not a difficult policy to circumvent, and it does nothing to secure the actual content of the email.
This is where DKIM comes in. DKIM uses cryptography to make sure that the email that you send has exactly the same content as the email that lands in the recipient’s inbox. It’s helpful to think of it like this: if you mailed a letter to your parents and signed it at the bottom, then when they received it they would recognize your signature and know that the letter came from you. If someone wanted to steal your identity and tried to mail your parents a letter but signed it with a signature that did not match yours at all, then your parents would know the letter did not come from you.
Are your emails authenticated?
Emails that aren’t authenticated with SPF and DKIM aren’t secure and are more likely to end up in the dreaded spam folder. This is easy to see for yourself: if you go into your spam folder and open a couple of different emails, you’re likely to notice that at the top of the email, in the FROM field, there are two email addresses separated by a “via”. For example, campaign donation emails are sent from “firstname.lastname@example.org via email@example.com.”
Now that you have a better understanding of DMARC, you can see how important it is and can talk with your technical team about implementing it. If you’re an organization or campaign then it is important that you have a DMARC policy in place to protect your reputation, your employees, and your advocates. If you’re responsible for sending emails for your organization, then you need to authenticate your emails to make sure that even more of your emails land in inboxes. Implementing DMARC is, according to one member of Congress, a “no-brainer.”
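As a starting point for that conversation with a technical team, here is an added example that is not part of the original article: Python that classifies the SPF and DMARC TXT records a domain publishes (the DMARC record lives at `_dmarc.<domain>`) and reports whether spoofed mail would actually be rejected or quarantined. The domains and records in `SAMPLES` are constructed, and the status labels are this example's own naming.

```python
# Added example (not from the original article). All records are constructed.
SAMPLES = {
    "campaign-a.example": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_dmarc.campaign-b.example": "v=DMARC1; p=none",
    "campaign-c.example": "v=spf1 +all",  # no DMARC record published
}

def dmarc_status(txt):
    """Classify a DMARC TXT record: missing, monitor-only, partial or enforcing."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    # A usable record starts with v=DMARC1 and carries a recognised p= policy.
    if (next(iter(tags), None) != "v" or tags["v"] != "DMARC1"
            or policy not in ("none", "quarantine", "reject")):
        return "missing"
    if policy == "none":
        return "monitor-only"   # receivers only report; spoofed mail is still delivered
    pct = tags.get("pct", "100")  # share of failing mail the policy applies to
    return "enforcing" if not pct.isdigit() or int(pct) >= 100 else "partial"

def spf_status(txt):
    """Classify an SPF TXT record by what happens to senders not on its list."""
    terms = (txt or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return "missing"
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(term[0], "allow-all")
    if any(t.startswith("redirect=") for t in terms[1:]):
        return "delegated"      # the verdict comes from another domain's record
    return "neutral"            # no 'all' term: unlisted senders are not rejected

def audit(domain, records):
    """Combine both checks for one domain; `records` maps DNS name -> TXT value."""
    spf = spf_status(records.get(domain))
    dmarc = dmarc_status(records.get("_dmarc." + domain))
    # Spoofed mail is rejected or quarantined only under an enforced DMARC policy,
    # and only if SPF does not authorise every sender on the internet (+all).
    return {"spf": spf, "dmarc": dmarc,
            "spoofing_blocked": dmarc == "enforcing" and spf != "allow-all"}

if __name__ == "__main__":
    for name in ("campaign-a.example", "campaign-b.example", "campaign-c.example"):
        print(name, audit(name, SAMPLES))
```

To audit a real domain, replace `SAMPLES` with the TXT values returned by a DNS lookup for the domain and for `_dmarc.` plus the domain.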
Dane Sherrets is a Technical Solutions Specialist at Quorum.