If you’ve been in the business long enough, you’ve probably heard of at least a few significant data breaches involving small and medium-sized businesses (SMBs), small and medium-sized enterprises (SMEs), and large enterprises (LEs). Recently, services like Mailchimp, Klaviyo, and Signal were also compromised.
Considering the amount of personal data needed to achieve click-through rates (CTRs) of 10% or more, it is no surprise that these data breaches spook customers and severely limit the impressions and deliverability of subsequent marketing emails.
Due to the myriad ways in which lax security can affect brand trust and your marketing strategy, it’s essential to ensure that every step of your marketing process, from your end to that of your customers, remains secure.
Depending on the nature of the exploit utilized by hackers, such security compromises could also cause you to face litigation due to failures to comply with the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), the General Data Protection Regulation (GDPR), Canada’s Anti-Spam Legislation (CASL), etc. Hence the need for best practices that you must adhere to in order to safeguard your marketing strategy, customer data, and trust in your organization.
Actionable Security Goals: Where to Start
While it is well known that email recipients are vulnerable to cybersecurity attacks, it is often overlooked that these same methods can be used on email marketers.
When this happens, the consequences are much more significant because of the sheer amount of sensitive personal data email marketers hold. Hence, email marketers should have measures in place to protect against the most common cybersecurity threats, i.e. malware, phishing, and compromised attachments.
Therefore, your efforts should first target stemming data loss via these means; you certainly don’t want your copy and CTAs to be used for malicious purposes. In addition, your security infrastructure should address systemic lapses, such as a dearth of email security protocols, encryption measures, and human judgment (concerning both your marketing team and your customers).
Finally, it is essential to integrate measures that address the faults unique to your current email framework, including your email client, email service provider (ESP), internet service provider (ISP), etc.
Email Security Protocols
Without robust security measures, standard email protocols like Simple Mail Transfer Protocol (SMTP), Internet Message Format (IMF), Internet Message Access Protocol 4 (IMAP4), and Post Office Protocol 3 (POP3) are not enough to ensure data protection.
The best practice regarding email security is to integrate multiple Email Security Protocols and tools and stack them. Here are some solutions that you can add to your environment.
Sender Policy Framework (SPF)
SPF allows you to publish a DNS record that restricts which IP addresses can use your domain to send emails to prospective customers. It prevents email spoofing, a technique in which threat actors use your domain to send malicious emails. Using SPF, you can specify which services, servers, or ESPs are authorized to send emails on your behalf.
A significant benefit of this is that it increases customer trust by verifying that the email's sender is authorized to do so. Hence, it may indirectly increase engagement, CTRs, and ROIs.
Unfortunately, not all email/domain providers support this protocol, because not all of them let you publish the prerequisite DNS record needed to set it up. Hence, it is essential to verify which providers support SPF.
Once SPF is set up, it’s essential to give it 2-3 working days to take effect for your subsequent newsletters, welcome emails, retargeting emails, etc. Subsequently, you can use SPF diagnostic software to analyze the record and confirm that it is functioning as intended. However, best practice requires that you stack SPF with other email security protocols due to one major pitfall SPF suffers from: an inability to restrict authorization to legitimate senders alone.
Due to this, bad actors with sufficient technical know-how can seek out a domain and add an SPF record that authorizes the use of that domain by their IP address. Hence, SPF serves only as the bedrock of your protocol strategy, and DKIM should accompany the use of SPF.
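To make the "record that restricts which IP addresses can send" concrete, here is an added example (not code from the original article or from any provider) that evaluates an SPF record the way a receiving server does. The domains, IP addresses and records in TXT_RECORDS are constructed stand-ins for real DNS lookups; the example covers the ip4, ip6, include and all mechanisms with their qualifiers, which is what a marketing domain that delegates sending to an ESP typically uses.

```python
import ipaddress

# Constructed zone data standing in for live DNS TXT lookups. The domains are
# hypothetical; example-marketing.test delegates part of its sending to an ESP.
TXT_RECORDS = {
    "example-marketing.test": "v=spf1 ip4:198.51.100.0/24 include:esp.example.test -all",
    "esp.example.test": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limits DNS-querying mechanisms (include, a, mx, ...) to 10


def lookup_spf(domain):
    """Return the domain's SPF record, or None if it publishes none."""
    record = TXT_RECORDS.get(domain.lower())
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, _budget=None):
    """Decide whether sender_ip may send mail for domain.

    Handles the ip4, ip6, include and all mechanisms with their +/-/~/? qualifiers.
    Mechanisms that need live DNS (a, mx, exists) and modifiers (redirect=, exp=)
    are reported as permerror here rather than resolved.
    """
    if _budget is None:
        _budget = [MAX_LOOKUPS]
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many lookups, the record is unusable
            # include matches only when the referenced record yields pass
            if check_spf(sender_ip, argument, _budget) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # nothing matched and there is no all term


if __name__ == "__main__":
    for ip in ("198.51.100.25", "203.0.113.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "example-marketing.test"))
```

The ESP's own record ends in ~all (softfail), but that is irrelevant to your domain: an include only contributes a match when the included record returns pass, and the -all at the end of your own record decides what happens to everything else. The lookup budget is also worth watching in practice, since a record that chains too many ESP includes becomes a permerror and authorizes nothing.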
Domain Keys Identified Mail (DKIM)
DKIM adds two forms of functionality on top of its bedrock, SPF: a cryptographic key infrastructure, and a signature attached to your copy or content. The former ensures that each of your emails is uniquely identified by two encryption keys: a private key and a public key.
The first is linked to your Message Transfer Agent (MTA) and must not be revealed, while the latter is published in the DNS TXT record used to set up the protocol. It is also important to note that setting up DKIM is somewhat more cumbersome than SPF because a separate record is needed for each email domain.
In addition, because the signature is attached to the copy or content itself, DKIM further helps to validate the identity of the original author. Hence, while in the previous example bad actors might be able to seek out a domain and upload a false SPF DNS record, doing so would be much more difficult with DKIM.
Furthermore, anyone receiving an email purportedly from you may use the freely available public key to verify that the email signature corresponds to your key. Nevertheless, just like SPF, it is essential to verify which providers support DKIM. Once established, the waiting period and the process needed to run DKIM diagnostics are similar to those for SPF. While DKIM does not suffer from the apparent deficiencies of SPF, implementation of the protocol is left to the discretion of your marketing team’s provider. Though most providers implement the protocol as outlined, they are not obligated to do so, hence the need for DMARC.
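The two DKIM points above, that the public key is fetched from DNS and that the signature is tied to the content, can be shown with the standard library alone. The following is an added example, not code from the article or from any email provider: it reads the tags of a DKIM-Signature header, derives the DNS name where the public key lives, and recomputes the body hash (bh=) that the signer committed to, so that any edit to the copy is detected. The domain, selector and key values are constructed placeholders, and checking the b= signature itself is left out because it needs an RSA implementation.

```python
import base64
import hashlib
import re

# Constructed DKIM-Signature header value (hypothetical domain and selector).
# The b= signature is a placeholder: checking it needs RSA and the public key,
# which this example leaves to a crypto library. The bh= body hash and the DNS
# lookup that precede that step are done here with the standard library only.
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-marketing.test; "
    "s=newsletter2022; h=from:to:subject:date; "
    "bh=BODY_HASH_PLACEHOLDER; b=SIGNATURE_PLACEHOLDER"
)

# Constructed DNS TXT record published at newsletter2022._domainkey.example-marketing.test
DKIM_DNS_RECORD = "v=DKIM1; k=rsa; p=PUBLIC_KEY_PLACEHOLDER"


def parse_tags(value):
    """Split a DKIM tag=value list into a dict (folding whitespace removed from values)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def selector_record_name(signature_tags):
    """Name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{signature_tags['s']}._domainkey.{signature_tags['d']}"


def key_is_published(dns_txt):
    """True when the TXT record is a usable DKIM key; an empty p= means the key was revoked."""
    tags = parse_tags(dns_txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))


def relaxed_body(body):
    """RFC 6376 relaxed body canonicalization: collapse runs of whitespace to one
    space, drop trailing whitespace on each line, drop empty lines at the end,
    and terminate every remaining line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(body, signature_tags):
    """Does the message body still match the bh= the signer committed to?"""
    return body_hash(body) == signature_tags["bh"]


if __name__ == "__main__":
    tags = parse_tags(DKIM_SIGNATURE)
    print("public key lookup:", selector_record_name(tags))
    print("key published:", key_is_published(DKIM_DNS_RECORD))
    copy = "Dear reader,\r\nOur spring sale starts Monday.\r\n"
    tags["bh"] = body_hash(copy)
    print("original copy matches bh:", body_hash_matches(copy, tags))
    print("edited copy matches bh:", body_hash_matches(copy.replace("Monday", "Sunday"), tags))
```

Relaxed canonicalization is what lets a signature survive the whitespace changes mail servers make in transit while still catching a changed word in the copy; it also explains why a signature stays valid if a forwarder only re-wraps trailing spaces. A receiver that finds an empty p= at the selector name treats the key as revoked, which is the mechanism for rotating keys without touching your ESP configuration mid-campaign.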
Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is an email security protocol that is an “enforcer” for SPF and DKIM records. Essentially, DMARC analyzes an email for the presence of SPF and DKIM, carries out the instructions you outlined in the absence of either of the protocols, and communicates back to you (or your email server) about this absence.
Though it is possible to publish a DMARC TXT record without having both SPF and DKIM, it is best to set up those two first for the reasons already addressed. As with the security protocols discussed earlier, you will need to individually list all the domains already using SPF or DKIM records and include them in your DMARC record.
It’s especially important to carry out the switch to DMARC over weeks rather than months. This will allow you to verify whether your implementation records are too strict (you could inadvertently cause genuine emails sent by your marketing team to be marked as spam).
Over these weeks, you should analyze the DMARC reports sent back by recipient email servers and confirm whether the protocol is working as intended or an error has been made. It’s also important to look out for sudden, unexplained falls in deliverability and impressions.
Gradually, you may increase the stringency of your policy while ensuring that each instruction functions as intended along the way. Once completed, your emails will be immune to most Business Email Compromises (BECs).
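The gradual rollout described in this section is driven by two things: how a receiver turns your SPF and DKIM results into a DMARC verdict, and what the aggregate reports it sends back look like. This added example (not code from the article, and not a real verifier's implementation) shows both. The policy evaluator applies the adkim/aspf alignment modes, the p= policy and the pct= sampling that lets you start with a fraction of your traffic; the report summarizer reads a constructed aggregate report in the RFC 7489 XML shape and lists the sources that failed. All domains, IPs and counts are constructed, and the organizational-domain rule is simplified to the last two labels (real verifiers use the Public Suffix List).

```python
import xml.etree.ElementTree as ET


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; pct=50; rua=mailto:...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption for
    this example; real verifiers consult the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain, roll=100):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF checked, dkim_domain the d= of a
    verified signature. roll (1-100) stands in for the receiver's random draw
    against pct=, which is how a gradual rollout samples only part of the traffic.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags.get("p", "none")
    if roll > int(tags.get("pct", "100")):
        # Outside the sampled share: RFC 7489 says apply the next less strict policy
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


# Constructed aggregate (rua) report in the RFC 7489 Appendix C XML shape.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.test</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example-marketing.test</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-marketing.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-marketing.test</header_from></identifiers>
  </record>
</feedback>"""


def summarize_report(xml_text):
    """Per source IP: message count, whether DMARC passed, and the disposition applied."""
    summary = {}
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        summary[row.findtext("source_ip")] = {
            "messages": int(row.findtext("count")),
            "dmarc_pass": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
            "disposition": evaluated.findtext("disposition"),
        }
    return summary


def failing_sources(xml_text):
    """Source IPs whose mail failed DMARC, largest volume first. During a rollout
    each one is either a sending service you forgot to authorize or someone
    spoofing your domain, and you need to know which before tightening p=."""
    summary = summarize_report(xml_text)
    failed = [(ip, s["messages"]) for ip, s in summary.items() if not s["dmarc_pass"]]
    return sorted(failed, key=lambda pair: -pair[1])


if __name__ == "__main__":
    print(evaluate_dmarc("v=DMARC1; p=reject; pct=50", "example-marketing.test",
                         "fail", "", "fail", "", roll=75))
    print(failing_sources(SAMPLE_REPORT))
```

The usual ladder is p=none to collect reports, then p=quarantine with a low pct=, then pct=100, then p=reject, checking failing_sources after each step so that a forgotten ESP or ticketing system shows up before it loses deliverability. Note that strict SPF alignment (aspf=s) fails for a bounce subdomain that most ESPs use for the MAIL FROM address, which is one common cause of the "genuine emails marked as spam" problem mentioned above.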
Brand Indicators for Message Identification (BIMI)
BIMI is similar to DMARC, with the critical difference being that it allows you to display your business logo at recipient mail providers (once those emails have been validated with SPF, DKIM, and DMARC). This helps to increase trust, brand awareness, and long-term visibility.
It also eliminates the need for the DNS lookups outlined earlier with public and private keys. However, to use BIMI, you must implement a DMARC policy that either tags suspicious emails as possible spam and returns them to your domain, or blocks the delivery of those emails outright.
In addition, you must have a good IP reputation as a recognized bulk email operator, the prerequisite data needed to create the BIMI Assertion Record (BAR), and a logo in an SVG format.
Unfortunately, as of October 2022, only Apple Mail, Fastmail, Pobox, Gmail, Google Workspace, La Poste, Yahoo, AOL, Netscape, and Zone support BIMI. In addition, Gmail requires a Verified Mark Certificate to display your logo via its servers.
Once BIMI has been set up, you may use a similar process as your SPF record to analyze it and confirm that it is functioning as intended.
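As an added example (not code from the article or from any mailbox provider), the following checks the two things a BIMI readiness review looks at: whether your DMARC record meets the enforcement prerequisite described above (p=quarantine or p=reject; the BIMI group specification additionally requires pct=100 for a quarantine policy and no sp=none), and whether the BIMI Assertion Record published at default._bimi.<domain> is well formed, with an HTTPS link to an SVG logo and, for providers like Gmail that need it, an HTTPS link to the Verified Mark Certificate. The domain and URLs are constructed placeholders.

```python
from urllib.parse import urlparse


def parse_tags(record):
    """Short tag=value parser shared by DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def bimi_record_name(domain, selector="default"):
    """DNS name where the BIMI Assertion Record (BAR) is published."""
    return f"{selector}._bimi.{domain}"


def dmarc_ready_for_bimi(dmarc_record):
    """Reasons the DMARC policy would block BIMI; an empty list means it qualifies."""
    tags = parse_tags(dmarc_record)
    problems = []
    p = tags.get("p", "none")
    if p not in ("quarantine", "reject"):
        problems.append("p= must be quarantine or reject, not monitoring-only (none)")
    if p == "quarantine" and tags.get("pct", "100") != "100":
        problems.append("pct= must be 100 when p=quarantine")
    if tags.get("sp", p) == "none":
        problems.append("sp=none would leave subdomains unprotected")
    return problems


def check_bimi_record(bimi_record):
    """Validate the BAR itself: version, HTTPS link to an SVG logo, optional HTTPS link to the VMC."""
    tags = parse_tags(bimi_record)
    problems = []
    if tags.get("v") != "BIMI1":
        problems.append("missing v=BIMI1")
    logo = urlparse(tags.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        problems.append("l= must be an HTTPS URL to an SVG logo")
    if tags.get("a") and urlparse(tags["a"]).scheme != "https":
        problems.append("a= must be an HTTPS URL to the Verified Mark Certificate")
    return problems


if __name__ == "__main__":
    # Constructed records for a hypothetical marketing domain.
    print(bimi_record_name("example-marketing.test"))
    print(dmarc_ready_for_bimi("v=DMARC1; p=quarantine; pct=50"))
    print(check_bimi_record(
        "v=BIMI1; l=https://example-marketing.test/brand/logo.svg; "
        "a=https://example-marketing.test/brand/vmc.pem"))
```

Running the DMARC check before publishing the BAR saves the most common BIMI support ticket: a logo that never appears because the domain is still at p=none or at a sampled quarantine policy from an unfinished rollout.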
IP And Domain Reputation
As alluded to previously, IP reputation is essential for email marketing security, and for good reason. IPs with poorer reputation scores are known to send more suspicious emails and hence facilitate more phishing attacks, identity theft attempts, and email spoofs.
Aside from the effect this has on brand trust and deliverability, using such IPs may also put your SMB, SME, or LE at risk of BECs by allowing bad actors easy access to the data hosted on your servers.
Hence, switching to an IP with a good reputation benefits both your customers’ security and the business. It’s also important to mention that changing providers from a platform such as Klaviyo to one such as ConvertKit can boost deliverability rates.
Another important metric to pay attention to is domain reputation. It is worthy of note that security protocols such as those already outlined may indirectly raise this score. Therefore, a domain change is not always needed if you want to boost your domain rating.
Ideally, you should seek an IP and domain reputation score of 70 or more to ensure your copies remain secure and trusted. Various reputable IP reputation diagnostic tools are available to identify disreputable IPs and recommend industry-established providers.
Multi-Factor Authentication (MFA)
While selecting a secure email password is a priority, hackers may still recover these passwords using details gathered from data breaches and sophisticated phishing attacks. MFA adds extra layers of security to your email password and prevents attackers from compromising your account even if they have obtained your login information. Specifically, it requires extra verification methods such as a random, unique alphanumeric code, Universal 2nd Factor (U2F) devices, or biometric data.
U2F devices are physical tokens independent of any internet connection that need to be physically connected to a personal computer, whereas biometric data is more amenable to mobile devices and takes advantage of the wide availability of fingerprint scanners.
Making MFA a requirement for your marketing team is a good idea since it is superior to two-factor authentication, which is limited to only one added method.
Secure Email Gateways (SEGs)
SEGs monitor inbound and outbound traffic to and from your native email servers. This software is effective at preempting BECs and malware and preventing them from reaching your email servers. SEGs may be deployed on-site if your organization is sufficiently large, or in the cloud if there is a large number of remote or hybrid workers.
Aside from incoming threats, SEGs are also effective at preventing outgoing data lapses, and they provide diagnostic analytics that help to further optimize inbound and outbound email security for individual servers.
In addition, SEGs allow users to archive emails so that they remain accessible following system-wide data loss due to malicious attacks.
Virtual Private Networks (VPNs)
VPNs help to ensure the anonymity of email traffic by masking the location of the source. Aside from allowing specialists to analyze how their marketing efforts are displayed and perform in a completely different region, by ensuring privacy VPNs provide security against email attacks and malicious social engineering directed specifically at your email client.
In addition, VPNs obfuscate data transmitted over the networks on which they are used, thus protecting the data packets containing sensitive customer data and aiding compliance with CAN-SPAM, GDPR, and CASL.
Moreover, VPN security is not limited to bad actors alone; VPNs also impede ISPs from accessing data you send over your network due to the efficacy of the authentication technology.
However, using VPNs alone is not the best practice because VPNs only secure the connection between two fixed endpoints. Hence, VPNs do not address attacks directed primarily at your device before data transmission. Furthermore, the data is often accessible to the VPN service, which poses a security risk should the third party’s databases be compromised.
Cyber Security Training
Cyber security training helps to address the most vulnerable aspect of data protection – human error. Proper in-house cyber security training is the most effective method of preventing social engineering attacks. An ability to analyze subject lines, trusted domains, and content is extremely important.
Also, it is essential to be wary of attachments and hyperlinks, as they are the most common vehicles for cyberattacks.
However, cyber security awareness should not be limited to employee awareness training. Your marketing strategy should include efforts geared at warning leads of the possibility of spam, malware, and phishing emails. This should also be included in landing pages.
All in all, accompanied by your SPF, DKIM, DMARC, and BIMI, a focus on cybersecurity will allow your business to position itself as a legitimate and trustworthy establishment capable of protecting customer data and concerned with ensuring said customers are not subject to malicious attacks.
This will lead to an uptick in brand awareness, trust, and conversion rates. However, it is essential to integrate bucket and multivariate testing in marketing campaigns to maximize the KPI metrics.
Encryption
This is a must-do to ensure email security. Directly encrypting data and using a VPN helps to overcome some of the limitations of VPN-only security measures. Specifically, it denies third-party VPN vendors access to the data packets.
For in-house communication, asymmetric encryption is best used as it requires the recipients to possess a public key and a private key, both shared with them beforehand, to access any data. For outbound communication, encryption in transit may be used.
Takeaways
Every email marketing team should have a set of best practices and strategies they utilize to prevent data breaches. This has the effect of securing company data, increasing brand trust, and securing long-term deliverability.
These practices should target both the technical and human aspects of email security, focusing on the marketing team and the email recipient. Email security protocols are especially necessary, with SPF, DKIM, DMARC, and BIMI at the forefront.
In addition to the above methods, VPNs, cyber security training, data encryption, MFA, SEGs, and switching to a reputable IP should be integrated into the security infrastructure.