The genesis of the OTA Honor Roll started in 2005, as a scorecard focused on the Fortune 500 and email authentication to help fight spoofed and malicious email. Today it has evolved to an independent audit including a composite analysis of over 850 websites and a two-dozen data elements evaluating a site’s brand protection, site security and privacy practices.
2005 – First score card published focusing on the Fortune 500's adoption email authentication.
2006 - Program expanded to including three leading and complementary draft technical standards including Sender Policy Framework (SPF), Sender ID Framework (SIDF) and DomainKeys. More >
2007 - Data providers expanded with broad support from leading orgnizations including ESPC, APWG, DMA, U.S. Chamber of Commerce and MAAWG. More >
2008 - Scope expanded to include DKIM, (DomainKeys Identified Mail). Target segments were expanded to the Fortune 500, Internet Retailer 300, top 100 FDIC member banks and top ranked U.S. Federal Government banks and financial institutions.
2009 - Report expanded to include SSL and site security.
2010 - Honor Roll concept introduced, focused on providing recognition to early adopters. Email authentication expanded to look at SPF record types and use of DKIM at both TLD and subdomains.
2011 - OTA members and top ranked social sites were added. DNSSEC added for U.S. government sites. Increased focus on the importance of sites adopting both SPF and DKIM at the top-level domain level tro counter phishing and online fraud.
2012 - Introduction of the Online Trust Index (OTI), as a comparative metric across key market segments and industries. The report was expanded to analyze sites’ SSL implementation using tools from Qualys SSL Labs, as well as privacy practices and policies utilizing data provided in part by PrivacyChoice. Added Always On SSL (AOSSL) and DMARC as bonus scores, with weighting applied to sites who published “reject” or “quarantine” policies. Evidence of data breaches, WHOIS private registrations and past FTC settlements or fines were included in the composite analysis.
2013 - The Honor Roll audit process has become more rigorous, requiring a combined score of 80% or above and a minimum score of 55 in each major category. Weighting of email authentication has shifted to focus on the importance of adoption at the corporate domain level, addressing brand protection and the risk of spearphishing. DMARC moved from a bonus score to a baseline component of the scoring. SSL analysis evolved to address current attack vectors, with bonus points added for sites who have adopted 2048-bit certificates. SSL analysis was also enhanced with additional data and vulnerability assessments from HighTech Bridge SA, SiteLock and Symantec. More >
2014 – As threat vectors become more precise, in an increasingly complex ecosystem, it is important for site operators to take reasonable steps to protect their data, their consumers, and their brand. For this reason the standards for making the Honor Roll increase each year. Setting a policy in a DMARC record set to quarantine or reject is part of the base email authentication score. Having a 2048-bit certificate moved from a bonus score to a minimum requirement for making the Honor Roll to comply with new California standards. Always on SSL was given slightly more weight in scoring. Having a layered or short form privacy notice, having a Do-Not-Track disclosure (to comply with new CA requirement), honoring the Do-Not-Track Signal, or using a Tag Management System or a standalone Privacy Solution all received bonus points in the Privacy Section. More >