Last week I wrote a long post about email and why you need to do more to get emails delivered. If I’m honest, it was too long and most of you didn’t read it (TL;DR). So, here’s a more concise explanation of the state of email security.
You are NOT in charge of securing the emails you send. The receiving mail system is. What you can do is publish instructions (DNS records) that let the receiver confirm that an email claiming to come from you is legitimate.
Let me explain…
Imagine you are trying to get into a nightclub. When you show up there is a lengthy line of people waiting to get in, and the bouncer is checking everyone over to determine whether they are a threat to the club. They are filtering people based on what they see and can observe, drawing on experience. This is what the recipient’s email scanning systems do: content and reputation filtering on every message that arrives.
But you are special, and you took the effort to get on the VIP list, so you can skip to the front of the line. You’ll still get the filtering experience, but you are deemed more trustworthy. This is SPF: a DNS record listing the servers (by IP address or hostname) that are allowed to send email for your domain. A message arriving from any other server fails the check.
Next, we want to make sure you are who you say you are and not a fraudster. This is DKIM: your mail server adds a cryptographic signature to each message, and the receiver checks it against the public key you publish in DNS. A valid signature shows that you (or your organisation) sent the message and that nobody has tampered with the signed headers or body on the way.
Lastly, we need to instruct the bouncers what to do if these checks fail and who to tell about it. That’s DMARC: a DNS record stating your policy (none, quarantine or reject) for messages that fail both SPF and DKIM alignment with the From address, plus an address where receivers send reports of what they saw.
And you need all three if you want to give your emails a chance at being delivered in 2024. Since February 2024 Google and Yahoo have required SPF and DKIM from all senders and DMARC from bulk senders. SPF, DKIM and DMARC are NOT OPTIONAL.
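Here is what those three instructions look like from the receiver’s side, as an added Python example (not code from the original post). It evaluates a constructed SPF record for a sending IP and then applies a constructed DMARC policy to the SPF and DKIM outcomes. The domains, addresses and DNS records are hypothetical; DKIM signature verification is represented only by its pass/fail result and the signing domain; and the SPF a, mx, exists and redirect mechanisms and Public Suffix List handling are left out because they need live DNS.

```python
import ipaddress

# Constructed DNS TXT records for this example (hypothetical zones, no real lookups).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8:10::/48 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `ip`.

    Handles ip4, ip6, include and all; a, mx, exists and redirect are omitted
    because they require live DNS queries.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced record itself yields 'pass'
            if spf_check(arg, ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term: default result


def dmarc_record(domain):
    """Parse the _dmarc TXT record into a tag dict, or None if absent or invalid."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return tags if tags.get("v") == "DMARC1" else None


def org_domain(domain):
    # Simplified organisational domain (last two labels); real receivers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, envelope_domain, dkim_result, dkim_domain):
    """Apply the From-domain's DMARC policy to the SPF and DKIM outcomes.

    Returns 'pass' when an aligned check passed, otherwise the published p=
    policy ('none', 'quarantine' or 'reject'), or 'none' when no record exists.
    """
    policy = dmarc_record(from_domain)
    if policy is None:
        return "none"
    spf_ok = spf_result == "pass" and aligned(from_domain, envelope_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail from an authorised IPv4 server, bounce address under the org domain.
    ip = "203.0.113.45"
    spf = spf_check("example.com", ip)
    print(ip, spf, dmarc_disposition("example.com", spf, "bounce.example.com", "none", None))
    # Spoofed From: address sent from an unlisted server with no DKIM signature.
    ip = "198.51.100.7"
    spf = spf_check("example.com", ip)
    print(ip, spf, dmarc_disposition("example.com", spf, "attacker.example", "none", None))
```

The example goes slightly beyond the text by showing alignment, which is the part most often got wrong: it is not enough that SPF or DKIM passes, the domain that passed must match the From header domain (exactly under strict alignment, by organisational domain under relaxed). A third-party mailer that passes SPF for its own domain, or signs with its own DKIM domain, does not satisfy your DMARC policy unless it is set up to send and sign as your domain.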
But what if you are spamming yourself?
Recently a business partner explained they were being spammed by their own email account and wanted to know how to stop it. Obviously, you cannot block your own email address. A quick bit of digging revealed that the spam emails were coming from their own website: the contact form was delivering every submission to their inbox, and they had forgotten to enable CAPTCHA to filter out the bots that spam you via website contact forms.
The good news is that Google provides this service for free via reCAPTCHA, which aims to detect whether the submitter of the form is a real person or not.
Humans are erratic by nature. Google’s reCAPTCHA system uses that knowledge to determine if you are human, and it has made its decision BEFORE you tick the box “I’m not a robot”.
A bouncer at a nightclub is looking for erratic behaviour to keep undesirables out. CAPTCHA systems use erratic behaviour to let you in, because it’s what makes you human.
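Enabling the widget is only half of the website fix: the form handler must verify the token on the server, otherwise a bot simply posts to the form without ever loading the widget. The following is an added Python example, not code from the original post. It sends the token to Google’s documented siteverify endpoint and hands the message to the mailer only when the response is accepted, the hostname matches your site, and (for reCAPTCHA v3, which returns a score) the score clears a threshold. The secret value, hostname and mailer call are assumptions, and the HTTP transport is injectable so the logic can be exercised without network access.

```python
import json
import urllib.parse
import urllib.request

# Google's public verification endpoint for reCAPTCHA v2 and v3.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
# Hypothetical placeholders: load the real secret from configuration, never from the page.
RECAPTCHA_SECRET = "replace-with-your-server-side-secret"
SITE_HOSTNAME = "www.example.com"


def post_form(url, fields):
    """Default transport: POST urlencoded fields and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None,
                     min_score=0.5, post=post_form):
    """Return (ok, reason). `post` is injectable so the check can be tested offline."""
    if not token:
        return False, "missing-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        body = post(SITEVERIFY_URL, fields)
    except Exception as exc:  # verifier unreachable: fail closed rather than let bots through
        return False, f"verify-unavailable:{exc}"
    if not body.get("success"):
        # siteverify lists why, e.g. 'timeout-or-duplicate' for a replayed token
        return False, "siteverify-rejected:" + ",".join(body.get("error-codes", []))
    # A token is only valid for the site it was issued to; reject tokens minted elsewhere.
    if body.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    # v3 returns a 0.0-1.0 score (1.0 = very likely human); v2 has no score.
    if "score" in body and body["score"] < min_score:
        return False, "low-score"
    return True, "ok"


def handle_contact_form(form, remote_ip, post=post_form):
    """Only pass the message to the mailer after the CAPTCHA verifies server-side."""
    token = form.get("g-recaptcha-response")  # field name set by the reCAPTCHA widget
    ok, reason = verify_recaptcha(token, RECAPTCHA_SECRET, SITE_HOSTNAME, remote_ip, post=post)
    if not ok:
        return {"sent": False, "reason": reason}
    # send_mail(form["email"], form["message"]) would go here (hypothetical mailer call)
    return {"sent": True, "reason": "ok"}


def fake_post(body):
    """Constructed transport for offline testing: always returns `body`."""
    return lambda url, fields: body


def failing_post(url, fields):
    """Constructed transport that simulates the verifier being unreachable."""
    raise OSError("connection refused")
```

Two details matter in practice: treat a verification outage as a rejection (fail closed), and check the hostname, because a token obtained on another site is otherwise accepted as long as it is fresh.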
What are the takeaways?
Get your email systems compliant with the current sender requirements (SPF, DKIM and DMARC) so that receiving email security systems can determine whether your email is legit or not.
AND
Fix your website to make sure you are not spamming yourself via your contact forms.