Email Security & Integrity

Email is the dominant form of online communication for citizens, businesses, and governments. The ubiquitous and open nature of email has also provided criminals with an ideal platform to perpetrate fraud, with upwards of 90% of today's email consisting of spam, phishing, and identity theft attacks that attempt to capture personal and sensitive information, spread malware, and take over a user's device.

OTA recognizes the critical role email plays in today's online ecosystem, and publishes a set of recommendations that prescribe the adoption of freely available and standards-based email authentication technologies as an effective response to rampant abuse of the email channel.

A core focus of this effort is providing training and prescriptive guidance promoting the adoption of leading email authentication protocols, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). The figure below outlines how email authentication enables ISPs and receiving networks to detect and block spoofed and forged email.

Email Authentication

OTA recognizes the critical role email plays in today's online ecosystem, and publishes the following Recommendations:

  1. Deploy email authentication across all outbound email. This allows email receivers to easily identify legitimate email, which is the necessary first step towards protecting consumers from fraudulent email.
  2. Check email authentication on all inbound email. Inbound checking allows companies to reduce the risk of spear-phishing and resulting data-loss by rejecting email from the outside world that is pretending to be from the company.
  3. Require partners to adopt email authentication — deploy outbound and check inbound. When ready, apply controls to reject partner email that fails authentication. Ask business partners to do the same. Doing this allows companies to reduce the risk of being spear-phished and to begin attaching trust to partner communications.


2014 Unsub Audit Presentation

2014 Unsub Audit Report Presentation (PDF)

Unsub Report and Audit

OTA 2014 Unsubscribe audit of ecommerce sites. OTA reported that 70 percent of the top 200 online retailers have moved beyond compliance and are demonstrating a commitment to user empowerment and control of their inboxes. The merchants passed the audit by implementing at least eight out of 10 of what OTA considers unsubscribe best practice.

OTA SPF & DMARC Resources & Tools

The value of DMARC is growing rapidly, with leading MTA vendors providing inbound checking to help protect businesses and government agencies from the threat of spear phishing and malicious email. The following is a summary of support. Send updates to admin at otalliance.org with a supporting link.


Google Docs

IronPort - Cisco


Leading email service and technology providers and organizations including OTA support DMARC as an emerging standard for reducing the threat of deceptive emails. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.

SPF & DMARC Tools & Record Validator

OTA SPF & DMARC Tools & Resources - Including tools to validate SPF and DMARC records in a domain's DNS zone file

Mar 5, 2015

It's still unclear what, if any, security measures former Secretary of State Hillary Clinton deployed on the ad hoc personal email system she used for government business.

Some cyber specialists and transparency advocates are voicing outrage over the potential presidential candidate possibly flouting federal security rules with a “homebrew” server arrangement.

Sep 25, 2014

Many marketers are still struggling to adopt unsubscribe best practices in their email programs. Here is a look at three of the most important things you can do to deal with unsubscribe issues.  I haven't written about unsubscription since shortly after CAN-SPAM came into effect in the United States.

Unsubscribe Best Practices - Moving From Compliance To Stewardship

Consumers often react negatively to email which they feel is irrelevant to their interests or which may be sent to their inboxes too frequently. Today ISPs are placing added weight on user engagement to make a determination on the placement of email into the user’s inbox, junk or spam folder. With these considerations, it is in any marketer’s best interest to create a trustworthy unsubscribe mechanism for their recipients. The opt-out function should be easily discoverable and usable. OTA encourages mailers to move past the minimum compliance requirements outlined in the U.S. CAN-SPAM Act and the recently passed Canadian Anti-Spam Legislation (CASL).

