Here are a few tips I usually give to get an inbox organized:

1 – Learn to Archive emails

In Outlook (this also works in most other email clients) I tell people to create multiple PST folders for organizing email – this gets the messages off your corporate exchange system – freeing yourself from those nasty “You’re almost out of Space emails” – and onto a network or local drive (be sure it is somewhere that gets backed up regularly). My typical set-up is to create a new folder pair each year 1 for sent items and 1 for inbound items – typically I keep it simple and name the Matt-2013 and Sent-2013.

Under the root folder I create folders that allow me to categorize and sort items in a way I’ll easily be able to recall and find them. This included larger ideas like; Staff, Clients, Personal, Alerts, Industry Groups and vendors. Under all of these folders I break down the items again Staff > Corporate news, Staff > Account Team, Staff > Social events etc… and Industry Groups > M3AAWG, Industry Groups > CMA, Industry Groups > EEC etc… This allows for high level sorting of general messages and conversations into these folders for later recall.

2 – Move that message

Possibly the hardest part of building this process is getting into the habit of moving messages you are finished with or have already responded to. As I mentioned earlier the only emails that sit in my inbox are things I’m actively working on, this usually lets me leave at the end of the night with less than 25 messages in my inbox… Those that remain are mostly serving as reminders for things I’m working on at the moment or need to follow up on later.

Building an easy to use folder structure will take time and getting into the practice of using it might take a little longer, but once you find your process it will save you a ton of headache in the future. No Two people think alike so try a couple of different methods and see what works for you.

3 – Get rid of things you don’t need

Look at all of the automated alerts or newsletters you are receiving… Do you really need them? All of them? Can you get the information elsewhere just as easy without clogging your inbox? When was the last time you actually read that newsletter from “ACB Widgets Co” or the automated “Process was Successful” notifications.

Being in charge of the support and ISP teams I can get hundreds of alerts from our systems, some about rate limits auto correcting others about error notifications from a failed broadcast or just questions from Clients and other staff members. Almost everyone system alert is informational and doesn’t require any action. Turn these off where you can and action only critical notifications… If you can’t turn them off set up an automated rule to move or delete the non-critical alerts and leave those you need to action directly in your inbox.

4 – Use Labels in your Gmail client

If you are a Gmail user you can ad labels to virtually any message you automatically by creating rules directly from the search box. If you have a catch all domain or use the “+Alias” (username+alias@gmail.com) options in Gmail you can use the recipient address to distinguish who you gave permission to then you can search “to:Account@” (to:username+alias) and create a rule that auto labels any inbound emails being sent to these account, or you can search on the from domain and build the rule that way “From:@somemailer.com”. After you create these labels you can color code the message labels according to your liking… I use the following processes: Green for system or account notifications, Blue for distribution lists or industry group mail, Purple for Newsletters or commercial emails, and Beige for Social networking sites and notifications.

Lastly I’ve started to track two additional colors – Orange for addresses that have leaked or been sold/stolen from the original mailer I provided this to and Red for addresses I’ve previously unsubscribed from. This gives me an easy view at should I question this message or trust the sender without having to think to hard about it. All of these labels are coloured and tagged automatically via Gmail’s filters (Sample Shown in picture).

Advanced users can build complex rules using advanced search functions in Gmail and build filters from these results.

5 – Purge old messages

Much like spring cleaning your house and garage, from time to time you should clean out old emails sitting around in your accounts… Maybe you are holding on to communications from old clients/coworkers that are no longer useful, or your email account has 124,000+ emails in it (like my gmail does)… I’m not going to read the vast majority of these again so once a year I run a search and remove a portion of the archive I maintain. Search your Gmail for old messges by using the “before:yyyy/mm/dd” search option to look for really old email in your account.

What tips or tricks do you use to keep your inbox manageable and useful?

I felt the sessions went quite well and the mood in the room was typically very positive, but mixed with a touch of apprehension because of the number of outstanding questions most of the group had and that were left on the table after the session. To addresses these questions the session was set-up to address 6 key topics, that were predefined and selected during the invitation/registration process.

Topics covered:

• Means of obtaining “express consent”
• Proof of consent
• Section 66 of CASL and the three-year transitional period
• Obtaining consent to send a commercial electronic message (CEM) – seeking consent for affiliates
• Prescribed information in a CEM – “on behalf of”
• Installation of computer programs

The CRTC Notes two key takeaways from this session:

• There is no one-size-fits all answer that will assist every business in complying with CASL, as context is critical to an appropriate interpretation in the circumstances of each case.
• Businesses require assistance in the form of greater clarity on certain provisions of CASL, and to this end, participants suggested that the CRTC consider providing a framework of guiding principles to underpin compliance expectations.

For other facts and discussion notes from this session you can read the full summary report made available by the CRTC earlier this month – “Report on the Informal Consultation of 25 February 2013 among Industry and Consumer Groups and CRTC Staff on Canada’s Anti-Spam Legislation“.

But this brings up the obvious the next question for many people – How do you add Glyphs in an email subject line? NOTE: This is simply one way, others may be available within your specific email solutions.

To ensure that you use a widely supported Glyph (like ♥, ✈,❸,❷,❶) in a subject line use a utf-8 encoded character in your messages Subject. When creating an email newsletter, you would need to replace each Glyph with appropriate utf-8 encoding.

Examples:

You can generate different Glyphs by changing the code in red.
Visit http://en.wikipedia.org/wiki/Dingbat#Unicode_Dingbats and http://en.wikipedia.org/wiki/Miscellaneous_Symbols to find out more symbols that you may use with proper utf-8 encoding.

Visit http://www.percederberg.net/tools/text_converter.html or http://emailstuff.org/glyph/ to find out corresponding utf-8 codes for various Glyphs.

Special considerations when using Glyphs

It is to be noted, not all mail servers, webmail providers and mobile devices support use of Glyphs (encoded using utf-8); so these are to be used with caution. Testing should be done to check rendering across variety of email clients and mobile devices. Also, be sure to measure effect of using these symbols on email metrics.

For example: Outlook 2003, Lotus and some Blackberry devices offer very limited support to Glyphs. Some of these devices might just render a “?” or shaded square instead of the intended Glyph. Rendering may also be different on varying email / mobile clients. For example, a black heart in Gmail UI may render as a red heart on iOS devices.

Industry Canada first published proposed regulations for comment in August, 2011, resulting in comments from 55 stakeholders, many of which are incorporated into the Draft Regulations. Industry Canada will be accepting comments on the Draft Regulations until February 4, 2013, with final regulations to follow some time thereafter.

The Draft Regulations – which contain the following provisions – will ease the compliance burden on businesses without undermining the objectives of preventing spam and related online threats:

• definitions for personal and family relationships;
• new exemptions for routine business communications;
• an allowance for third-party referrals;
• conditions for the use of consent collected on behalf of an unknown third party;
• specified computer programs where express consent may be deemed; and
• definitions of membership, club, association and voluntary organization.

Definition of personal relationship broader, more flexible, no “in-person” requirement

CASL exempts any commercial electronic message (CEM) sent between two persons who have a personal or family relationship, requiring Industry Canada to define both of these concepts in regulation.

A number of stakeholders commented that the definition of a “personal” relationship that appeared in the previously published regulations was too narrow, given the requirements for an “in-person” meeting as well as a two-way communication having taken place within the previous two years. Industry Canada removed both of these requirements.

The new definition in the Draft Regulations is based on a reasonableness test. If the sender and recipient have had a “direct, voluntary, two-way communication”, a personal relationship exists if it is reasonable to conclude that the relationship is personal based on “all relevant factors”, including (but not limited to):

• the sharing of interests, experiences, opinions and information evidenced in the communications;
• the frequency of communication;
• the length of time since the parties communicated; and
• if the parties have met in person. 1

This is a broader, more flexible definition that will allow senders to leverage relationships that have been formed through electronic communications.

The definition of a family relationship – which is drawn from the Income Tax Act – remains unchanged.

New exemption: business relationships

The Draft Regulations exempt any CEM sent by an employee, representative, contractor or franchisee of an organization to:

• another employee, representative, contractor or franchisee of that organization that concerns the affairs of the organization; or
• an employee, representative, contractor or franchisee of another organization if the organizations have a business relationship and the message concerns the affairs of the organization or that person’s role, functions or duties within or on behalf of the organization.

According to Industry Canada the purpose of this exemption is to address the “unintended application of CASL to ordinary, transactional business communications.” Without this exemption, the law would apply to these types of communications sent within and between organizations, potentially creating risk for employers who maintain email and other electronic messaging systems, as well as for the employees who use them for routine communications.

This will require an interpretation of a “business relationship”,2 as well as what it means for a CEM to “concern the affairs of the organization or [a] person’s role, functions or duties within or on behalf of the organization.” Presumably this exemption would not allow an employee of an organizations to solicit products or services to other employees without consent.

New Exemption: Responding to inquiries, etc.

A new exemption is added for any CEM that is “sent in response to a request, inquiry, complaint or is otherwise solicited by the person to whom the message is sent”.

CASL already establishes that an existing business relationship arises out of an inquiry or application from a consumer, allowing a business to send a reply message based on implied consent for a period of up to six months following the inquiry or application. However, in addition to being broader, the new exemption differs in a few important ways. Messages sent under the new exemption are exempted from CASL altogether, whereas a message sent based on implied consent must still meet the identification and unsubscribe requirements. In addition, there is no time limit on the ability to respond under the new exemption.

New Exemption: Messages sent when the sender does not know the recipient is in Canada

CASL applies to any CEM sent to or from a computer system located in Canada. This means that it would apply to any CEM sent to a Canadian – or even to a non-Canadian visiting Canada – regardless of where it was sent from, or if the sender meant to send the message to Canada.

A new exemption in the Draft Regulations would apply to any message accessed on a computer system located in Canada where:

• the message is sent by a person or from a computer system located outside of Canada;
• the message relates to a product, good, service or organization located or provided outside Canada; and
• the sender did not know and could not reasonably be expected to know that the message would be accessed using a computer system located in Canada.

This is a potentially significant exemption for non-Canadian senders who do not target Canadians in their campaigns, but may unknowingly have Canadian recipients on their list. As it is often impossible to know where an individual is located based on their email address (e.g., @gmail.com), this provides some degree of assurance that senders will not be caught by CASL for messages inadvertently sent to Canadians (or to a non-Canadian who accesses a CEM while visiting Canada).

New Exemption: Enforcing legal rights

Finally, the Draft Regulations would exempt any CEM sent to satisfy a legal obligation or enforce a legal right. Industry Canada states that this could apply to messages containing warranty or recall information, or copyright notices. This would also likely apply to debt collection notices.

Exemption from consent: third-party referrals

Many stakeholders commented on the fact that CASL would no longer allow professionals and salespeople to rely on third-party referrals to market their products and services. It is commonplace for individuals to refer to a family member, friend or colleague a professional with whom they have had a positive experience, providing the professional with an electronic address so that they can contact the family member/friend/colleague directly. However, because a sender requires express consent of the recipient (either written or verbal so long as it is recorded), this would no longer be allowed under CASL, even where an individual is expecting to hear from the sender. Although this may be less of an issue for large senders, it is has a particularly significant impact on small businesses in Canada, even though third-party referrals are not known to be a source of spam.

A new exemption would allow a professional to send a single message without consent based on a third-party referral, so long as the following conditions are met:

• the person making the referral has an existing business relationship, an existing non-business relationship, a personal relationship or a family relationship with both the sender and the recipient; and,
• the sender discloses the name of the person making the referral in the message and that the message is sent as a result of the referral.

This is an important exemption as it will allow businesses to continue to use email and other forms of electronic messaging to continue reaching out to consumers without compromising the anti-spam objectives of CASL.

Conditions for use of consent

The Draft Regulations establish the conditions for the use of express consent obtained by one person on behalf of another person, the identity of which is unknown at the time consent is obtained. In other words, these rules apply where an electronic address is collected by one person, and later shared with another person (as opposed to one person sending the content of another person to their list). The Draft Regulations require the name of the person who originally obtained consent to be identified in any message sent to the recipient, and that the unsubscribe mechanism allow the recipient to unsubscribe from receiving messages from any person who has been provided with their electronic address. The consent management/unsubscribe process therefore requires coordination across organizations.

This section of the Draft Regulations remains unchanged from the previous version of regulations published in 2011. Although some stakeholders commented that the section was overly complicated, Industry Canada stated that no alternative regulatory approaches where identified. It is worth noting that any time one organization seeks to share email addresses with another sender, this raises issues that are inherently complex, resulting in rules that are equally complicated.

Specified computer programs

CASL deems a person to have expressly consented to the installation of certain categories of computer programs where “the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.” The Draft Regulations expand the categories of computer programs listed under this section to allow telecommunications service providers to install programs on its customers’ computers or devices in order to prevent illegal activities (e.g., network hacking), or for the purposes of updating or upgrading a network.

Definitions of membership, club, association and voluntary organization remain unchanged

For the purposes of CASL, membership is defined as “the status of having been accepted as a member of a club, association or voluntary organization in accordance with its membership requirements.”

A club, association or voluntary organization is defined as:

A non-profit organization that is organized and operated exclusively for social welfare, civic improvement, pleasure or recreation or for any purpose other than profit, if no part of its income is payable to, or otherwise available for the personal benefit of any proprietor, member or shareholder of that organization unless the proprietor, member or shareholder is an organization whose primary purpose is the promotion of amateur athletics in Canada.

These definitions are necessary for the purposes of the existing non-business relationship under the implied consent provisions.

Issues not addressed in the Draft Regulations

In commenting on the Draft Regulations, Industry Canada noted that it chose not to accommodate the following requests from stakeholders:

• a form of “grandfather” clause that would recognize consent obtained previously under the Personal Information Protection and Electronic Documents Act (PIPEDA) as valid under CASL;
• an exemption for CEMs sent by Canadian service providers on behalf of foreign senders to foreign recipients; and,
• a provision that would allow manufacturers to send CEMs to recipients who have purchased their products from a retailer.

Industry Canada did indicate that some issues may be addressed in compliance guidelines, possibly developed in conjunction with the Canadian Radio-television Telecommunications Commission (CRTC). In particular, Industry Canada referred to the confusion arising out of the provisions that purport to exempt certain forms of transactional-type messages from the need for consent (but not from the identification and unsubscribe requirements), as well as apparent misunderstanding over the application of CASL to social media.

About the author:
Shaun Brown is a partner with nNovation LLP, a pre-eminent Canadian law firm that advises private and public sector organizations in connection with a broad range of Canadian regulatory regimes. With several years of experience both in the public and private sectors, Shaun’s practice focuses on e-marketing, e-commerce, privacy, and access to information. Subscribe to Shaun’s Privacy newsletter at PrivacyScan.

Footnotes:

1 This exemption does not apply if the recipient has previously indicated that they do not want to receive CEMs from the sender.

2 It is not clear how a “business relationship” for the purposes of this regulation would differ from an “existing business relationship” as defined in the implied consent provisions of CASL. Presumably Industry Canada intends for this exemption to apply only to relationships that are ongoing, as opposed to an existing business relationship, which is deemed to exist for up to 24 months following a sale, contract, etc.

This summary is provided for informational purposes only, and is not intended as legal advice.

Delivering email to Gmail users’ inbox brings with itself some unique challenges as Gmail spam filtering focuses heavily on subscriber engagement, content filtering and user driven spam reporting. Gmail provides individually personalized inbox placement to its users. Below are some best practices that senders may follow to maximize email delivery to Gmail inboxes:

• Spam and non spam reporting

• Include a list unsubscribe header in the messages so users hitting the report spam button are captured and removed from the email file
• Encourage Gmail users to click “Not Spam” button when they receive messages in “Spam” folder
• Send relevant emails to opt in users so overall complaints are reduced

• Engagement

• Limit your broadcasts to users who have engaged with the email program in the last 8-12 months

• Send targeted broadcasts to Gmail users and encourage them to engage with emails by:
  • Marking it as important
  • Replying to it
  • Add a label to the message
  • Add sender’s from address to their Gmail Contact list
  • Add a Star to the message

• Authentication

• Be sure to authenticate the messages with SPF and DKIM (use minimum 1024 bit key)

• IP management

• Consider using separate IPs and sub domains for transactional messages
• Use consistent IPs to send bulk emails
• Use a consistent “from address” in every broadcast

• List Hygiene

• Be sure to remove addresses that have disabled due to hard bounces
• Make it easy for users to unsubscribe and remove these addresses promptly
• Build a re-engagement and sun setting program to target users that have not shown much activity in last 8-12 months
• Review length of time that has passed since user was contacted last time – anything over six months should be used with caution

These are significant changes for the platform as the Sender ID solution has traditionally been championed by the Microsoft team while many other ISPs and webmail providers opted for SPF as their email authentication solutions.

Why has Hotmail shifted away from Sender ID?

While I have not talked to anyone at Hotmail I would say there is a strong corolation to their implementation of DMARC by the Microsoft email team and the relationship it has to DKIM and SPF, it makes sense to move away from Sender ID as the key technology for authentication.

Who else is using DMARC?

I am currently receiving reports from the following ISPs: 126.com, 163.com, AOL, Google, Hotmail, Yahoo, xs4all and Facebook. This also shows the large footprint that DKIM and SPF have achieved with the largest Webmail providers in the world, representing billions of users world wide.

Where can I get more information on DMARC?

Start with reading DMARC.org as a general overview of the solution and how your organization can utilize this Email Authentication solution.

The Guidelines provide further detail on how the CRTC intends to interpret a number of provisions in the Regulations, which answers a few important questions. Most notably, the CRTC clarified what it means to send “on behalf” of another person, and offers its interpretation of express consent.

What it means to send “on behalf” of another person: service providers do not need to be identified

CASL imposes certain obligations when one person sends a commercial electronic message (CEM) on behalf of another. Most significantly, paragraph 6(2)(a) of the Act requires that every message “set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent“. This created uncertainty as to when one person is sending on behalf of another for the purposes of the Act. For example, it was unclear whether this was meant to apply to service providers, such as email service providers (ESPs), who merely provide services that enable a CEM to be sent.

The CRTC has taken the position that a person who may “facilitate the distribution of a CEM”, but who has “no role in its content or choice of the recipients” need not be identified. This means that ESPs will likely not need to be identified in a CEM in most circumstances.

A person would be sending on behalf of another person where they deliver content of an advertisement to their own subscribers, such as a list rental or newsletter. In such a case, all advertisers would need to be identified. This is a practical interpretation that provides much needed clarity on this issue, and is consistent with industry practices.

Express consent: boxes cannot be “pre-checked”

One of the most common questions regarding express consent under CASL is whether a check box (referred to by the CRTC as a “toggle-box”) can be pre-checked. The CRTC has taken the position that such a practice would not be considered sufficient for the purposes of CASL.

The CRTC states that a pre-checked box would be considered “opt-out”, and that “in order to comply with the express consent provisions under the Act, a positive or explicit indication of consent is required.” As a result, according to the CRTC, express consent “cannot be obtained through opt-out consent mechanisms.” Thus, in order for express consent to be considered valid, the user must be required to actively check a box or click an “icon”.

This is a prescriptive approach that follows the EU model of “unambiguous consent”. It is arguably inconsistent with guidance that has emerged with years of findings and guidance under the Personal Information Protection and Electronic Documents Act, which provides that consent for marketing purposes can be obtained through “opt-out” means. There is nothing in law that equates “express” with “opt-in”; rather, opt-in and opt-out have often been seen as two forms of express consent.

Furthermore, the CRTC also states that users should be sent a confirmation following a request for consent (i.e., “notified” opt-in).

If the objective was to add further detail around the meaning of express consent, it would have been preferable to state that the form of consent depends on the circumstances. For example, opt-in may be necessary where a user is asked to sign up for the installation of a computer program, for a newsletter that provides information about a sensitive medical condition, or where the individual’s electronic address will be shared with several parties. However, it seems unreasonable to require opt-in consent to sign up for something more innocuous such as a newsletter for a daily deal site (remember that each email must contain an unsubscribe mechanism).

The Guidelines state that typing an email address into a field can be taken as an indication of express consent (i.e., if the email address is being typed in specifically for the purposes of signing up for a list, there is no need for separate check box).

Mailing address is defined

The CRTC has clarified that a mailing address, for the purposes of paragraphs 2(1)(d) and 4(d) of the Regulations¹ consists of a “valid, current street (or civic) address, postal box address, rural route address, or general delivery address.”

Unsubscribe landing pages are acceptable

An “unsubscribe landing page” is acceptable for the purposes of the Regulations, which require that an unsubscribe mechanism must be able to be “readily performed”. The page can allow a user to choose whether to unsubscribe from all or some messages from the sender. In the case of a short message service (SMS) text, the user must be have the choice of being able to unsubscribe by replying “STOP” or “Unsubscribe”, or by clicking on a link to an unsubscribe landing page.

Seeking consent separately for different acts

The Guidelines state that a person must seek consent separately for sending a CEM, installing a computer program, and altering transmission data. For greater clarity, the CRTC states that a person must not be required to consent to one of these acts in order to consent to another. This seems fairly obvious already, but must have been a point of uncertainty for some stakeholders.

Request for consent must be separate from general terms and conditions

A request for consent must “not be subsumed in, or bundled with, requests for consent to the general terms and conditions of use or sale.” A user must be able to consent to the general terms of sale while being able to refuse consent to receiving CEMs, to the installation of a computer program, or to the alteration of transmission data. This appears to be, in effect, a form of “refusal-to-deal” clause like that found in private sector privacy legislation².

Where the installation of a computer program – or certain functions of that computer program, such as the collection of personal information – is necessary in order to use a product or service, consent must still be obtained before the product is used or sold.

The CRTC states that a separate “tick-box” or “icon” must be clicked for any separate request for consent (an image is provided as an example). This could pose challenges for most if not all of the major app platforms (e.g., Apple App Store, Blackberry App World), as these platforms do not seem to provide a separate consent button aside from the “download” button. In other words, it may be difficult for developers to sell apps that are CASL-compliant through these platforms.

Consent obtained orally and in writing

Although the Regulations allow consent to be obtained orally, any person requesting consent orally still bears the onus of proving that consent was properly obtained. The CRTC considers the following as evidence of oral consent:

• where oral consent can be verified by an independent third party; or
• where a complete and unedited audio recording of the consent is retained by the person seeking consent or a client of the person seeking consent.

An audio recording may be reasonable in circumstances where calls are already recorded (e.g., for quality control purposes), but not practical if the infrastructure does not already exist, or for smaller businesses. Furthermore, the concept of an “independent third party” is unclear. While the CRTC states that “consent may be given at the time that individuals use a product or service (e.g. point of sale purchases),” the requirement for an audio recording or independent third party could make this very difficult. As a result, retailers may be forced to require users to fill in a paper form for point of sale collection.

Regarding consent obtained in writing, the CRTC considers the following forms of evidence to be acceptable: “checking a box on a web page to indicate consent where a record of the date, time, purpose, and manner of that consent is stored in a database; and, filling out a consent form at a point of purchase.”

Consent to specified functions in computer programs

CASL requires separate express consent to be obtained if a computer program performs any of the following enumerated functions:

(a) collecting personal information stored on the computer system;
(b) interfering with the owner’s or an authorized user’s control of the computer system;
(c) changing or interfering with settings, preferences or commands already installed or stored on the computer system without the knowledge of the owner or an authorized user of the computer system;
(d) changing or interfering with data that is stored on the computer system in a manner that obstructs, interrupts or interferes with lawful access to or use of that data by the owner or an authorized user of the computer system;
(e) causing the computer system to communicate with another computer system, or other device, without the authorization of the owner or an authorized user of the computer system;
(f) installing a computer program that may be activated by a third party without the knowledge of the owner or an authorized user of the computer system; and
(g) performing any other function specified in the regulations.

The CRTC clarifies that a user must be required to check a separate icon or toggle-box for each and every of the above-noted functions, if applicable.

About the author:
Shaun Brown is a partner with nNovation LLP, a pre-eminent Canadian law firm that advises private and public sector organizations in connection with a broad range of Canadian regulatory regimes. With several years of experience both in the public and private sectors, Shaun’s practice focuses on e-marketing, e-commerce, privacy, and access to information. Subscribe to Shaun’s Privacy newsletter at PrivacyScan.

1 – These sections specify the information that must be provided when requesting consent and when sending a CEM.
2 – “Refusal-to-deal” generally means that an organization cannot require an individual to consent to the collection, use, or disclosure of personal information beyond that which is reasonably necessary to provide a product or service.

Remember I’m running in reporting only mode at the moment and just trying to grasp how bad the spoofing issues for email addresses @emailkarma.net are… Sadly Pharmacy Bots send more email as EmailKarma.net than I do on a daily basis

While I don’t have currently any answers about what to do with reports, I do have a few significant notes about DMARC to consider based on my observations:

• May Not Be For Everyone: DMARC is probably less useful for a hobby domains where there is typically very little out bound email traffic unless you are heavily spoofed in spam. However I have found that tracking these reports and understanding the patterns of spam bots faking users at my domains has become quite enlightening.
  I’m hoping to learn more in the upcoming weeks as I get more in touch with the data and the options available for my domains.
• Mailing List Issues: DMARC may fail when participating on discussion lists as some fail to authenticate the sender appropriately. Yahoo Groups seems to fail both SPF and DKIM tests for messages I have posted to a few lists. This could be an issue for some users if policy rules are implemented incorrectly or too aggressively.
• Information Overload: Seeing the number of forensic reports, individual reports for each message evaluated by the receiving domain, that are being generated for messages (both pass and fail). The number of messages reports could be excessive for large domains, domains that mail frequently or domains frequently attacked by spammers.
  This problem is exponential as more domains check DMARC records and begin sending reports on the messages they are processing.
• Reporting Data: Seeing all the links in spoofed emails could be very useful to commonly phished services by reducing the time to receive notifications of the attack (and shorten take down time) during spam runs. Also I could see services like the URIBL being utilized to quickly list spam sources. This would need to be automated as it can be a lot of data to review.
• Automation is Key: You will never be able to process these reports manually, building a solution or partnering with a reporting service that is already DMARC capable will be key to making use of it.
  More on these solutions later

So far it’s been an interesting learning experience for me on this and I hope that these learning points will help you build your policies and encourage you to test DMARC against your email domains. If you are testing DMARC I’d love to hear your experiences either in the comments or send me an email: contact at emailkarma.net.

Photo credit – agari.com

Lets start at the beginning shall we…

What is DMARC?
Lets go straight to the source for this answer:

“DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is a technical specification created by a group of organizations that want to help reduce the potential for email-based abuse by solving a couple of long-standing operational, deployment, and reporting issues related to email authentication protocols.

DMARC standardizes how email receivers perform email authentication using the well-known SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at AOL, Gmail, Hotmail, Yahoo! and any other email receiver implementing DMARC. We hope this will encourage senders to more broadly authenticate their outbound email which can make email a more reliable way to communicate.” ~ DMARC.org

Confused yet? In short DMARC is a new tool that organizations sending email can deploy to track the source of email that is being sent without their approval and apply policies for the recipients network on how they should treat mail that fails their authentication test.

Why do we need another Authentication Tool?

Unlike the other forms of Authentication that have been deployed previously, DMARC allows the sender to set clear policies AND receive feedback from the ISPs actually receiving email classified under these policies.

What do I need to do?

Setting up your DMARC records is actually quite simple, that is if you already have SPF and DKIM running. If not go do this first as it might take a while to get them right and they are required for DMARC.

An example record for basic reporting, like the one I’ve published, which generates only the daily reports for domains looks like this in your DNS:

_dmarc.YOURDOMAIN.com IN TXT “v=DMARC1\; p=none\; rua=mailto:postmaster@YOURDOMAIN.com”

This will have ISPs supporting DMARC email your postmaster with reports of the email messages that they receive claiming to be from your domain, and any action that they have taken based on your policy – this policy is just a report (a great place to start). I have created a custom email address to receive these reports, and many organizations may want these to be sent to their security teams (or a third party security vendor) for review or actioning – the important peace is to have someone available to review the incoming data and consider the actions you want to take on these messages.

Where can I get more info?

Google has a great set of examples and policy notes you can review here Understanding DMARC and Creating a DMARC record to help you build the policy that works best for your organization. Of course DMARC.org is the central location for up-to-date information on DMARC and lists several great tools available to creating, testing and reviewing DMARC related reports.

Next time I’ll talk about the reports and what you can learn from them.

It is highly recommended that if you have a Linkedin account you login and change the password at your earliest convenience.

Here are some tips for making Strong passwords:

1 – Make your password include a variation of Capital letters, numbers and special characters (!, @, $ etc…)
2 – Longer passwords are harder to guess – use a minimum of 10 characters
3 – Make it easy to remember but hard to guess – avoid anniversaries, birthdates and the name of your pet/family members
4 – Think of a short phrase instead of one word – ex: I love Peanut Butter could become : 1L0v3Pe@nutBu773R
5 – Avoid using common passwords like; password, 123456

This is also another great opportunity to remind you that you should never use the same password across multiple sites, something I think many of us are guilty of. I know I was guilty of this but I looked around and found that LASTPASS was a great option for me – it allows you to store passwords in an encrypted location and access them from any mobile or PC/MAC. It also helps you create strong and secure passwords for any site your create a new account with the Password Generator tool (watch this video to see how it works).

On a side note I would also recommended that you change your linked in Settings to hide your contacts from casual viewers – It’s a privacy thing (for you and your contacts) and can help prevent social engineering due to impersonation of a connection – here is how you make that change:

Settings > Profile > Select who can see your connections > Select “Only you”