Working around email security

One of the common things I see as a delivery consultant is that companies do their best to set effective policies about email, but make it difficult to comply with those policies. It happens all the time. It’s one of the reasons that the tweets Steve shared about Sec. Clinton’s email server rang so true to me.
One of the commenters on that post disagrees, and uses banks and health care as an example.
Erik says:

Disagree. I work for a bank – highly regulated, just like health care and the government itself.
We go through quarterly compliance training – yes, every three months. I can assure you anyone working on Department of State information systems also has security clearance and goes through compliance training.
They knew what they were doing and did it anyway, my theory is that some higher up (Clinton or direct report) asked for it and someone was afraid to say no.

Banks and health care companies are notorious for registering new domains and creating infrastructure because they can’t do what they want through normal IT channels. I’ve had both industries as clients and I’m a consumer of mail from both. I’ve had conversations with folks in their security and their marketing departments. If anything, banks and health care are prime examples of how companies will work around things.
Generally the workaround involves registering an entirely new domain and then authenticating that domain through their ESP. It’s mail that’s sent to customers by the bank, but it’s not the primary bank domain. This can be done for all sorts of reasons.
In at least two cases a bank registered a new domain to use for alerts of a security breach. In one case it was my credit card company, sending to the tagged address only the company had. I called the bank and they told me it was a phish and not to answer it. Except if that was true, there was a much bigger breach as only the bank had that address of mine.
In another case a bank sent us an alert that a system one of our customers uses for invoicing and payments was compromised. Again, the bank sent out an alert. That alert failed DKIM checking and was unauthenticated email. I’d believe this was a phish / spoof, except I use tagged addresses and I know that only the supplier portal had that address. If it was a phish, it was a phish using data stolen from the company.
To be fair, things are getting better. Banks are working to consolidate domains and stop using so many different domains. I even had a discussion with one bank employee earlier this year at CNX16 about the delivery implications of the consolidation they’re undergoing. Seems a different division was having problems with a blocklist and she was concerned those problems would spread to her mail when they consolidated the domains.
As I was writing this post I discovered that our health insurance company has finally started DMARC protecting the cousin domain they use to send billing notices. Last year they weren’t, and I used them as an example during one of my talks to a health care audience. Many of the DMARC advocates were loudly trumpeting that this company was protecting all their mail with DMARC, but they weren’t; they were only protecting part of it. So things are improving.
The point is that this isn’t unusual at all. IT can’t do what part of the company needs, whether for policy or budget reasons, and so options are explored. Those options are often registering a new domain and handling the mail on external hardware. It is common business practice, even in highly regulated industries like health care and banking. It does seem to be becoming less common, which is great! But let’s not pretend that email is some perfect bastion of security and policy compliance in regulated industries.
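As an added illustration (not code from the original post), here is a simplified version of the DMARC alignment check a receiving mail server applies to mail from a cousin domain like the bank alert domains described above. The domain names and DMARC records are constructed, and the organizational domain is approximated by the last two labels rather than the Public Suffix List.

```python
# Added example: simplified DMARC evaluation for mail from a "cousin" domain
# that a bank authenticates through its ESP. All data below is constructed;
# no DNS lookups are made.

# Constructed DMARC records keyed by the RFC5322.From domain (hypothetical names).
DMARC_RECORDS = {
    "examplebank-alerts.test": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "examplebank.test": "v=DMARC1; p=quarantine; adkim=s; aspf=s",
}


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels
    (a real receiver consults the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_record(record: str) -> dict:
    """Turn 'k=v; k=v' DMARC tag text into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain. No passing identifier, no alignment."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(from_domain: str, dkim_pass_domain, spf_pass_domain) -> str:
    """Return 'pass', the published policy ('none'/'quarantine'/'reject') on
    failure, or 'none' when the From domain publishes no DMARC record.
    dkim_pass_domain is the d= of a verified DKIM signature (None if DKIM failed);
    spf_pass_domain is the domain that passed SPF (None if SPF failed)."""
    record = DMARC_RECORDS.get(from_domain.lower())
    if record is None:
        return "none"  # no policy: receiver falls back to local rules
    tags = parse_record(record)
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    return "pass" if (dkim_ok or spf_ok) else tags.get("p", "none")
```

An alert signed by the ESP with d= set to the cousin domain passes; the same alert with a failed DKIM signature and SPF passing only for the ESP's own bounce domain gets the cousin domain's published policy, which is the unauthenticated case described above.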
