
Email Security & Integrity

Email is the dominant form of online communication for citizens, businesses, and governments. The ubiquitous and open nature of email has also provided criminals with an ideal platform to perpetrate fraud, with upwards of 90% of today's email consisting of spam, phishing, and identity theft attacks that attempt to capture personal and sensitive information, spread malware, and take over a user's device.

OTA recognizes the critical role email plays in today's online ecosystem, and publishes a set of recommendations that prescribe the adoption of freely available and standards-based email authentication technologies as an effective response to rampant abuse of the email channel.

2014 Email Integrity & Security Audit

A core focus of this effort is providing training and prescriptive guidance promoting the adoption of leading email authentication protocols, including SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). The figure below outlines how email authentication enables ISPs and receiving networks to detect and block spoofed and forged email.

Email Authentication

OTA recognizes the critical role email plays in today's online ecosystem and publishes the following recommendations:

  1. Deploy email authentication across all outbound email. This allows email receivers to easily identify legitimate email, which is the necessary first step towards protecting consumers from fraudulent email.
  2. Check email authentication on all inbound email. Inbound checking allows companies to reduce the risk of spear-phishing and resulting data-loss by rejecting email from the outside world that is pretending to be from the company.
  3. Require partners to adopt email authentication — deploy outbound and check inbound. When ready, apply controls to reject partner email that fails authentication. Ask business partners to do the same. Doing this allows companies to reduce the risk of being spear-phished and to begin attaching trust to partner communications.


Canadian Anti-Spam Resources

Share Your Resources - Email admin @ otalliance.org

CRTC Anti-Spam Page: http://www.crtc.gc.ca/eng/casl-lcap.htm

CRTC CASL FAQ: http://crtc.gc.ca/eng/com500/faq500.htm

CRTC Guidance on Computer Program Rules: http://www.crtc.gc.ca/eng/info_sht/i2.htm

2014 Unsub Audit Presentation

2014 Unsub Audit Report Presentation (PDF)

Unsub Report and Audit

OTA's 2014 Unsubscribe Audit of ecommerce sites. OTA reported that 70 percent of the top 200 online retailers have moved beyond compliance and are demonstrating a commitment to user empowerment and control of their inboxes. The merchants passed the audit by implementing at least eight out of 10 of what OTA considers unsubscribe best practices.

OTA SPF & DMARC Resources & Tools

OTA Query Tool for SPF & DMARC Records

Dmarcian - DMARC & SPF Tools - Provides several valuable tools including Domain Lifter, DMARC Inspector, SPF Surveyor, DMARC XML Converter and more.

DMARC & TLS (Agari)

DMARC Record Generator (Agari)


Leading email service and technology providers and organizations including OTA support DMARC as an emerging standard for reducing the threat of deceptive emails. DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms.

SPF & DMARC Tools & Record Validator

OTA SPF & DMARC Tools & Resources - Including tools to validate SPF and DMARC records in a domain's DNS zone file

Email Retail Collection Best Practices

October 30, 2015 - As we head towards the holiday buying season, retailers are increasingly deploying email collection at point of sale. Collection at time of purchase provides significant benefits to the retailer and, done right, the same for the consumer. That said, how can a consumer understand what the email is being used for, and how? What forms of notice are appropriate, and is it reasonable to expect that a sales clerk can understand the nuances of data collection, transactional purposes and sharing with affiliated or unaffiliated third parties?

Mar 5, 2015

It's still unclear what, if any, security measures former Secretary of State Hillary Clinton deployed on the ad hoc personal email system she used for government business.

Some cyber specialists and transparency advocates are voicing outrage over the potential presidential candidate possibly flouting federal security rules with a “homebrew” server arrangement.

Sep 25, 2014

Many marketers are still struggling to adopt unsubscribe best practices in their email programs. Here is a look at three of the most important things you can do to deal with unsubscribe issues. I haven't written about unsubscription since shortly after CAN-SPAM came into effect in the United States.

