Email icon on screen. Photo: Sean Gladwell / Getty Images

Why recent email authentication changes matter to unions, and what we should do about it 

In recent months, the technical requirements for sending bulk email have been tightened. The change started with the big US-based email providers, but as of this month it affects everyone who sends to their users. At the TUC, we’re already seeing some cases of union email not getting through to the members and stakeholders we want to communicate with.

That’s a big risk to unions: we could lose the ability to communicate with members at the moment we most need it. There are ways to put it right, though, and prompt action by union IT teams should avoid the damage.

About email authentication 

The changes focus on email authentication – how a receiving mail server can tell that a message arriving for its customer (your member) genuinely comes from your organisation.

That has become more important as spam and phishing attacks keep growing – attacks in which criminals impersonate a trusted organisation to trick email recipients into divulging personal data. They often do this by “spoofing” the organisation’s email address – putting that address in the From line, whilst actually sending from somewhere entirely different.

It’s tricky for us, though, because there are many legitimate ways in which third parties send email in a union’s name, and to a receiving server that looks exactly like spoofing unless you tell it otherwise.

Take your newsletters for example. Mailchimp is the most common mailing software used by unions, but others will use bulk mail tools like Campaign Monitor or Dotmailer.  

Campaign email also gets sent by tools like Action Network, and membership information can come direct from a union’s CRM system. Add in event management tools, member helpdesk software or case management tools, and you could have a lot of different tools sending email from your union to your member. 

This matters because in a world of cloud-based software, none of this email is coming direct from the union’s own email accounts. Each of these third-party services puts a real union email address in the From line of the mail it sends on the union’s behalf, so that members will recognise it and have a genuine address to reply to. Without authentication, a receiving server has no way to tell that from an impersonation.

Understanding the key protocols: DKIM, SPF and DMARC 

To make sure your email has the best chance of getting through, you need to understand the three pillars of email authentication: SPF, DKIM and DMARC.

  • DKIM (DomainKeys Identified Mail) attaches a digital signature to each outgoing email, computed over the message body and selected headers with a private key held by the sending service. The matching public key is published in your domain’s DNS (the domain you use for web and email, e.g. “tuc.org.uk”), under a “selector” name that the signature points to. The receiving server fetches that key and verifies the signature, which confirms that the content hasn’t been tampered with in transit and that whoever signed it holds a key published under your domain. 
  • SPF (Sender Policy Framework) lets you publish, again as a DNS record, the list of mail servers – your own and those of third parties – that are authorised to send on your behalf. The receiving server checks the IP address of the server delivering the message against that list. One caveat: SPF checks the bounce address (the envelope sender), which for many bulk-mail tools is the tool’s own domain rather than yours, so an SPF pass on its own doesn’t necessarily say anything about your domain. 
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties the other two together. A message passes DMARC only if SPF or DKIM passes for a domain that matches the one in the From line the member actually sees (this matching is called alignment). Your DMARC record then tells receiving servers what to do with mail from your domain that fails: deliver it anyway, quarantine it, or reject it. It also lets you name an address to receive aggregate reports from receiving servers, so your admins can see which services are sending as you, which of them are failing, and where the gaps are. 
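How a receiving server combines the three checks, as an added example (not the TUC’s code, nor any mail provider’s): it takes the SPF and DKIM results a receiver has already computed for one message and applies DMARC’s alignment rule and the published policy. The domains and sample messages are constructed, and the small suffix set stands in for the Public Suffix List that real receivers use to find the organisational domain.

```python
# Added example, not code from the TUC or any mail provider. It reproduces
# the decision a receiving server makes once it has the SPF and DKIM results
# for one message. Sample messages and domains are constructed; the tiny
# suffix set below stands in for the Public Suffix List real receivers use.

PUBLIC_SUFFIXES = {"org.uk", "co.uk", "uk", "com", "org", "net", "example"}


def organisational_domain(domain: str) -> str:
    """Registrable domain, e.g. news.tuc.org.uk -> tuc.org.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment. Strict ('s') needs exactly the same domain;
    relaxed ('r', the default) accepts any subdomain of the same organisation."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organisational_domain(from_domain) == organisational_domain(auth_domain)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                  policy="none", aspf="r", adkim="r"):
    """Return (passed, action) for one message.

    passed: True if SPF *or* DKIM produced 'pass' for a domain aligned with
            the From-line domain the member sees. A pass for the sending
            tool's own domain is real authentication, but not for *your* domain.
    action: what the domain owner's p= tag asks the receiver to do on failure.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, adkim))
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


# Constructed sample messages (illustrative, not observed traffic).
# 1. Newsletter from a bulk-mail tool: SPF passes for the tool's bounce domain
#    (not aligned), but the tool signs DKIM with the union's domain (aligned).
NEWSLETTER = dict(from_domain="news.union.example",
                  spf_result="pass", spf_domain="bounce.bulkmail.example",
                  dkim_result="pass", dkim_domain="union.example")
# 2. The same tool before DKIM was set up for the union: it signs with its own
#    default domain, so nothing is aligned and the message fails DMARC.
TOOL_DEFAULT = dict(from_domain="news.union.example",
                    spf_result="pass", spf_domain="bounce.bulkmail.example",
                    dkim_result="pass", dkim_domain="bulkmail.example")
# 3. Spoofed phish: the attacker's own server passes SPF for the attacker's
#    domain, there is no DKIM signature, and the From line claims the union.
PHISH = dict(from_domain="union.example",
             spf_result="pass", spf_domain="attacker.example",
             dkim_result="none", dkim_domain=None)

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        for label, msg in (("newsletter", NEWSLETTER),
                           ("tool default", TOOL_DEFAULT), ("phish", PHISH)):
            print(f"p={policy:<10} {label:<12} ->", dmarc_verdict(**msg, policy=policy))
```

The second sample is the case unions most often get wrong: the bulk-mail tool authenticates perfectly well, just not as the union, so once the union moves to p=quarantine or p=reject those newsletters are treated exactly like the phish.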

What should we do to authenticate our bulk email? 

For unions, the first step towards using these protocols is to conduct an audit of all sender channels – every platform, service, and tool used to send emails to members. That’s whether it’s your core email system or any third parties. 

For IT teams this will involve talking to colleagues in membership and communications teams in particular, but also seeking to understand everywhere in the union that might be sending bulk email. 

Once identified, each of these channels must be covered by the union’s DNS records: 

  • Updating the SPF record so that every authorised sending server, including each third-party service, is listed. 
  • Configuring DKIM in each sending service and publishing its public key in your DNS, so that the emails it sends are signed with your domain rather than the service’s own. 
  • Publishing a DMARC policy, and setting up a mailbox or tool to receive and analyse the reports on authentication and delivery problems that receiving servers send back. 

What’s the risk if we don’t? 

Failing to adopt these authentication measures can have pretty serious repercussions for trade unions.  

Adding DMARC can help reduce the risk of your domain being used for phishing attacks and scams via email spoofing. There’s the potential for significant damage to member trust in the union if they fall victim to scams masquerading under the union’s name.  

But all three taken together will also help receiving servers have confidence in your email. Conversely if your domain starts to get a reputation for risky email, it could be hard to rebuild.  

And every member you lose to email deliverability will be someone that’s that much harder for you to mobilise, contact or renew when you really need them. 

Receiving servers are now enforcing DMARC checks increasingly strictly, and you may find that your emails stop getting through to a whole provider – and with it every member who uses that provider.

The biggest providers of free email services, Yahoo! Mail and Gmail, tightened their requirements at the start of February 2024, which means you will now need these protocols in place to reach the significant number of union members who use those services for their personal email.

Things to consider 

  • If your union did this last a long while ago, you might only have SPF in place, as it’s the protocol which has been in common usage the longest. Many organisations have only adopted DMARC more recently, often only because of the recent push for it.  
  • In some large unions, branches or regions might use a different email domain to the union’s core domain. Anything you do for the core domain won’t help with other domains. 
  • Some unions will have so many email sending services that you run out of space in your SPF record. A record can only cost 10 DNS lookups in total, and the nested “include” entries that your providers’ own records pull in count towards that total (the TUC’s own SPF record, for example, is already full). Once the limit is exceeded, receivers are entitled to treat the whole record as an error, so every service relying on SPF suffers, not just the last one you added. It could be worth rationalising services to reduce the number, rather than have that happen. 
  • Consider setting the strictness of your rules gradually – don’t start with the strictest rules. For example, setting DMARC to ‘p=none’ with reporting enabled will let you see which emails would fail without affecting delivery. When you are confident in your SPF and DKIM settings, you can update DMARC to ‘p=quarantine’, which tells receivers to treat failing mail as suspicious, typically by putting it in the spam folder. This will keep most fraudulent emails out of your members’ inboxes. If you are certain your settings are comprehensive, ‘p=reject’ will provide the highest protection against unwanted spoofing. 
  • Look at subdomains as well if you have any that send email (eg mail.nasuwt.org.uk as well as nasuwt.org.uk). SPF and DKIM records are per domain, so a sending subdomain needs its own. DMARC is different: a DMARC record on the main domain also applies to its subdomains unless you publish a separate one or an ‘sp=’ setting, so a strict policy on nasuwt.org.uk would apply to mail.nasuwt.org.uk too, whether or not that subdomain’s SPF and DKIM are ready for it.
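A check to run once the audit above has produced a set of DNS records, as an added example rather than the TUC’s tooling: an offline lint that counts the DNS lookups an SPF record will cost a receiver (the 10-lookup limit discussed above, including the nested includes from providers) and reads the DMARC policy stage and reporting address. DNS is replaced here by a constructed in-memory table and the service names are made up; with real records you would feed it the TXT values returned by dig or nslookup.

```python
# Added example, not the TUC's tooling. An offline lint for the DNS records
# that come out of a sender audit: it counts the DNS lookups an SPF record
# costs (following include: and redirect=) and reads the DMARC policy.
# DNS_TXT is a constructed in-memory table standing in for real DNS; the
# service names and addresses in it are made up.

SPF_LOOKUP_LIMIT = 10  # RFC 7208 s4.6.4: more than this is a permanent error

DNS_TXT = {
    "union.example": ("v=spf1 include:_spf.mailhost.example include:spf.newsletter.example "
                      "include:spf.campaign.example include:spf.crm.example "
                      "include:spf.events.example include:spf.helpdesk.example "
                      "ip4:203.0.113.10 -all"),
    # The mail host's record pulls in two more records of its own.
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.newsletter.example": "v=spf1 include:edge.newsletter.example ~all",
    "edge.newsletter.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "spf.campaign.example": "v=spf1 mx ip4:192.0.2.50 ~all",   # mx costs a lookup too
    "spf.crm.example": "v=spf1 a ~all",                         # so does a
    "spf.events.example": "v=spf1 ip4:192.0.2.60 ~all",
    "spf.helpdesk.example": "v=spf1 ip4:192.0.2.70 ~all",
    "_dmarc.union.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@union.example",
}


def spf_lookups(domain, table=DNS_TXT, path=()):
    """Count the DNS-querying terms a receiver evaluates for this SPF record,
    recursing into include: and redirect= targets. ip4:, ip6: and all cost
    nothing; include:, a, mx, ptr, exists: and redirect= cost one each, and an
    include: additionally costs whatever its target record costs."""
    if domain in path:          # guard against include loops
        return 0
    path = path + (domain,)
    record = table.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        if term.startswith("include:"):
            count += 1 + spf_lookups(term[len("include:"):], table, path)
        elif term.startswith("redirect="):
            count += 1 + spf_lookups(term[len("redirect="):], table, path)
        elif term.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def audit(domain, table=DNS_TXT):
    """Summarise what a receiver would find for this domain."""
    lookups = spf_lookups(domain, table)
    dmarc = parse_dmarc(table.get("_dmarc." + domain, ""))
    return {
        "spf_lookups": lookups,
        "spf_within_limit": lookups <= SPF_LOOKUP_LIMIT,
        "dmarc_policy": dmarc.get("p", "missing"),
        "dmarc_reporting": "rua" in dmarc,
        # sp= overrides p= for subdomains; without it, subdomains inherit p=.
        "subdomain_policy": dmarc.get("sp", dmarc.get("p", "missing")),
    }


def without_include(table, domain, target):
    """Copy of the table in which `domain`'s SPF record no longer includes
    `target`, e.g. after a service is retired or folded into another one."""
    new = dict(table)
    new[domain] = " ".join(t for t in table[domain].split() if t != "include:" + target)
    return new


if __name__ == "__main__":
    print(audit("union.example"))
    trimmed = without_include(DNS_TXT, "union.example", "spf.helpdesk.example")
    print(audit("union.example", trimmed))
```

In the constructed table the union’s six services look like six lookups, but the mail host’s nested includes and the mx and a terms inside providers’ records push the real cost to 11. Dropping one service brings it back to exactly 10, and the DMARC summary shows the domain is still at the monitoring stage with reports going to a real mailbox.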