HomeResourcesEmail Authentication & DMARC

Email Authentication & DMARC

Authentication   Email Practices  |  Marketing & Unsubscribe  |  Email Integrity Audit 

OTA recognizes the critical role email plays in today's online ecosystem, and publishes a set of recommendations that prescribe the adoption of freely available and standards-based email authentication technologies as an effective response to rampant abuse of the email channel. 

Email security, authentication and related marketing best practices are the foundation of OTA's efforts including promoting the integrity of email and standards to counter email fraud and phishing.  Through the combined use of three email authentication standards including Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC), they form one of the major components of the annual Online Trust Audit. The Figure below outlines how email authentication provides the ability for ISPs and receiving networks to detect and block spoofed and forged email. (See related overview and recommendation of TLS for email to help protect the privacy of email in transit). To view current adoption practices of leading banks, commerce sites, government agencies and consumer services click here.

OTA recognizes the critical role email plays in today's online ecosystem, and publishes the following recommendations:

  1. Deploy email authentication across all outbound email. This allows email receivers to easily identify legitimate email, which is the necessary first step towards protecting consumers from fraudulent email.
  2. Check email authentication on all inbound email. Inbound checking allows companies to reduce the risk of spear-phishing and resulting data-loss by rejecting email from the outside world that is pretending to be from the company.
  3. Require partners to adopt email authentication — deploy outbound and check inbound. When ready, apply controls to reject partner email that fails authentication. Ask business partners to do the same. Doing this allows companies to reduce the risk of being spear-phished and to begin attaching trust to partner communications.

Email Authentication Resources >


OTA Research Shows Increasing Government Agency Adoption of Practices to Help Curb Email and Website Fraud or Abuse

Thu, Nov 9, 2017

Reston, VA – The Online Trust Alliance (OTA), an Internet Society initiative, today released analysis that shows top government agencies are increasingly adopting the best practices to help prevent their emails and websites from being spoofed or impersonated following a recent U.S. Department of Homeland Security (DHS) directive. However, 62 percent have not implemented key email protection, Domain-based Message and Reporting Conformance (DMARC), placing US citizens at risk.

Online Trust Alliance Responds to FTC Feedback Request with Suggested CAN-SPAM Act Modifications

Wed, Aug 30, 2017

Reston, VA – The Online Trust Alliance (OTA), an Internet Society (ISOC) initiative with the mission to enhance online trust, today announced it has submitted its response to the U.S. Federal Trade Commission’s (FTC) request for comments about the CAN-SPAM Act. While OTA believes the U.S.

Dec 3, 2018
Dark Reading

They're also honoring unsubscribe requests as soon as they're made, according to the Online Trust Alliance.

A survey of North America's top 200 retailers released this week by the Internet Society's Online Trust Alliance found they have made great progress in managing emails on their websites.

In fact, 84% of retailers have clear and conspicuous unsubscribe links on their websites, says Jeff Wilbur, the OTA's technical director.

Nov 28, 2018

Except for some backsliding, most retailers are better than they were at handling email unsubscribes and complying with national laws.

A full 74% now qualify as “Best in Class” -- attaining scores of 80% or more, according to the 2018 Email Marketing & Unsubscribe Audit from the Online Trust Alliance (OTA).

Jun 20, 2017

Banks and government agencies always push us to do business online, but many of them get a failing grade when it comes to website security.  The latest online security audit by the Online Trust Alliance shows mixed reviews for websites that collect your your private information.  Healthcare.gov scored high for both tight security and strong privacy. The U.S.

Subscribe to Email Authentication & DMARC