Blue is the color of trust

Blue is the color of trust and shoes have a lot to do with building trust. At least according to Ivo Ivanov, the Director of the Certified Senders Alliance, who took attendees of the CSA Summit 2016, 20 – 22 April 2016 in Cologne, Germany, on a journey exploring trust along the value chain of email marketing. In a packed day of talks and podium discussions on the Thursday, Ivanov invited those present to put themselves in the shoes of consumers, brands, ESPs, ISPs and email security and infrastructure providers.

He quoted an African proverb, “If you want to go fast, go alone. If you want to go far, go together,” and stressed how important it is to talk and work together and to trust each other in order for us all to be successful together as an industry.

Sebastian Biederlack, German two-time Olympic medal winner in field hockey, joined Ivo on the stage to talk about how trust leads to success. Biederlack, who won a gold medal with the German field hockey team at the Beijing Olympics in 2008 to add to his 2004 bronze medal, shared how he and his team met without their coach after losing a game at the 2008 Olympics. After two hours talking about what went wrong, they were able to rebuild trust in one another and went on to win the gold medal in field hockey that year. Ivo Ivanov translated this to the team sport of email marketing. Even though many of the players in the industry are competitors, a team performance and trusting each other can lead to success for all.

ESPs as communication brokers between consumers and brands

Marcel Becker, Director Product at AOL Mail, spoke about “Trust along the email value chain – opportunities and future challenges”. There was laughter throughout the room when he joked that people sometimes wonder if AOL is even still around. Indeed they are, providing content and technology to over 700 million users globally, and no longer just email. He disagreed with Ivo Ivanov’s view that email is a value chain and starts with ISPs. Becker sees a trend towards ESPs becoming brokers of communication between consumers and brands, along with ISPs and trust agencies like CSA.

Email is by no means dead or dying, as often predicted, but how it is used is indeed changing. While a lot of personal communication has moved to instant messaging apps, a huge amount of commercial communication is done by email. Becker quoted a 2015 Adobe survey which found that 58% of consumers preferred to be contacted by companies by email rather than through other channels, and over a third wanted to read such emails on their smartphone. Most of these commercial emails are transactional, e.g. confirmation emails after purchases and details of flight bookings.

There is a trend for ESPs to help end users identify the emails they really want with smart views, formatting and solutions that help users find the email they really need in an overflowing inbox (because hardly anyone actually deletes email anymore). Email- rich scenarios allow users to complete actions within the email client that previously they would have done on companies’ websites, e.g. paying bills or checking-in for flights. ESPs are enabling brands to communicate with consumers in ways that work and allow consumers to interact with their emails without leaving the medium. But for all of this to work, ESPs have to be able to be sure that the brand is who they say they are and trust them. Authentication and trust.

The consumer’s voice

The next pair of shoes, so to speak, were the consumers’. Alexandra Koch-Skiba, Head of the eco Complaints Office, and Peter Meyer, Head of eco Cyber Security Services, spoke about “Email marketing – listening to the voice of the consumer”. Rather than presenting dry statistics, Koch-Skiba translated the facts and figures of her daily work into trends and risks that senders face. Germany was taken as a benchmark for the legal requirements senders need to keep in mind when doing email marketing. Germany’s laws related to email marketing are the strictest in the world. If you fulfil German requirements, then you most likely fulfil the legal requirements in other countries.

The eco Complaints Office found that, while the volume of emails has only slightly increased from 506 billion in 2014 to 537 billion emails sent in 2015, the number of complaints related to emails has risen sharply (192,254 complaints in 2015, a 48% increase compared to 2014, which in turn represented a 47% increase on the number of complaints in 2013). Many such complaints relate to emails which were actually legally compliant, but were classified as spam by the recipients. Consumers are not happy about receiving emails they do not want. The issues most frequently reported is lack of consent given, non-recognition of and hence negative reaction to rebranded companies or newsletters and too many emails.

A key finding in 2015 was that many consumers are not aware that an existing relationship with a company or brand legally allows commercial emails to be sent to them. The tone of many complaints has become much more negative and aggressive, showing the huge frustration many consumers obviously feel about unwanted emails. As Koch-Skiba concluded, if a consumer is angry enough to make a formal written complaint about your email to the Complaints Office, then they are angry enough to share that frustration with others, e.g. on social media. This can impact hugely on senders’ reputations.

Peter Meyer turned the focus to the work of the Anti-Botnet Advisory Centre, which has a current focus on combatting ransomware. The Centre, part of eco’s Cyber Security Services, doesn’t just warn consumers, but develops solutions to keep users safe online, for example, by working with industry partners to provide consumers with free tools to clean up their computers. The most recent malware attacks target the weakest link of a company (with large distribution lists and limited technical knowledge). Attacks tend to be against Sales, HR, or Marketing staff. Malware is now cross-platform and there is exponential growth in currently unbreakable ransomware.

While infected computers might seem like a problem for end users, each infected computer represents a risk not just for the consumer, but for an ISP’s infrastructure and everyone else online. Though many users still lack awareness of the dangers of malware, they are not to be ignored. They can react badly and lose trust in their ESP and ISP.

Cex and trust: “Building up trust with ESPs – how brands select the ideal ESP”

Jordie van Rijn, email marketing consultant and founder of Emailmonday, explored how CEX sells from a marketing point of view. That is, the customer experience sells. Knowing more about the customer experience and explaining your value proposition clearly helps you present yourself more convincingly as their new ESP. He warned against claiming to be the best at many different things. It is not convincing and it just distracts from the value you are offering potential customers. Choose to be more believable and make it easier for companies to select you, recommends van Rijn. His website gives buyers an overview of email vendors and highlights CSA Certified Senders by displaying the CSA trusted seal.

Onboarding new brands as an ESP – best practice

Four representatives of ESPs took the opposite perspective, in the panel discussion on “Building up trust with brands ̶ best practice for onboarding and vetting for ESPs.”

Sebrus Berchtenbreiter, CEO of GmbH and Head of the DDV Council “Digital Dialogue”, moderated the panel and led the panelists through a spirited exchange of best practices for ESPs in vetting and onboarding new customers. How can ESPs recognize the bad senders early enough to avoid risk to their own reputations?

It’s not just about spam. Sebastiaan de Vos, Head of Deliverability at emarsys eMarketing Systems AG, gave a tongue-in-cheek definition of spam: “Spam comes from Nigeria and Russia and sells Rolexes and Viagra”. However, he pointed out that the bigger issue is unwanted marketing, rather than spam.

Tobias Herkula, Head of Deliverability & Abuse Management at optivo GmbH, highlighted that there is hardly any spam from a legal point of view in Germany. For many recipients, the definition of spam is email they just do not want. As eco’s Alexandra Koch-Skiba also said earlier in the morning, even if a sender fulfils all of the legal requirements, their emails can still get blocked. This is often because a lot of marketing teams have not yet realized that email marketing is not the same as print marketing. Volume isn’t everything and there is a feedback channel with email that cannot be ignored.

Frank Strzyzewski, CEO of XQueue GmbH, highlighted the necessity of vetting potential customers, if possible. His team uses Google to look for consumer reactions to companies’ emails and they check out a potential customer’s domain reputation. He calls for email standards that will help build trust.

The spam arms-race – from snowshoe to whaling

The next (two) pairs of shoes belonged to ISPs and Mail Security Providers. Under the heading “Building up trust with ISPs and Mail Security Providers today’s attacks and SPAM”, Cisco Systems’ Senior Technical Leader Don Owens and Sven Krohlas, Mail Security Specialist at 1&1, talked the audience through the arms-race between a spammer building his business and mail security systems. With much humor, they introduced the different types of spam attacks; snowshoe (using a botnet to send just a few emails per IP address), hailstorm (send as many messages as you can in a short period of time), phishing (fake emails that look like emails from authentic trusted companies), spear phishing (more detailed phishing emails including more personal details to smaller, more specific groups), whaling (very focused phishing attacks using social engineering to get big money from targeted individuals).

Senders, who are you really? Prove it!

Owens and Krohlas talked through the measures senders can take to increase trust, by e.g. using a real public host name for HELO, using SPF, DKIM and DMARC, including unsubscribe links and headers, and using mail servers only for emailing (not for Minecraft).

Don’t do, don’t do it, just don’t do it – don’t wash, don’t buy, be transparent. 

Don’t hide domains with domain privacy services. Warm up new IPs and domains. Require double opt-in. Include your brand name in the sender address, e.g. not update@…, but acme-updates@… Avoid using URL shorteners. List washing leads straight to the blacklist and totally destroys trust. Similarly, do not buy or rent lists. Owens and Krohlas both agreed; “your reputation is automatically boosted by being on the CSA white list, because we know you’re trying to do the right thing

Magic (aka automating email authentication) can fix your email

Terry Zink of Microsoft made a great case for automating email authentication with a spectacular card trick that got everyone’s attention at the start of his talk on “Taking the hassle out of email authentication.” He convincingly illustrated science fiction writer Arthur C. Clarke’s third law: “Any sufficiently advanced technology will be indistinguishable from magic.” He believes that the reason why so many people do not implement email authentication is that it is difficult to do right. Automating SPF, DKIM and DMARC set-up is the solution. While there is an additional cost to the service provider for setting up the automation systems, it reduces errors, enforces compliance and, Zink argues, is the only way email authentication will take off in the long run.

Implement DMARC; it works and pays back

“Building up trust with ISPs  ̶  implement DMARC; it works and pays back” was the subject of the five-person panel exploring the benefits of DMARC. As Yahoo’s Elizabeth Zwicky put it; “now the ‘from’ field on your email reflects who actually sent the email. This was not always the case, something users are often very surprised by. Now DMARC brings email more in line with what consumers actually expect”.

Tim Draegen, CEO & Founder of, tracked the changing purpose of DMARC. It was first implemented as an anti-phishing measure around 2012. Around 2014 DMARC helped simplify delivery. Now in 2016, DMARC is implemented to enable rich email scenarios and build better email clients. For those who need to convince other stakeholders to implement DMARC, he recommends, you should “pitch [it] as a project management exercise. DMARC boils down to basically a one-time upgrade, if a bit complex. It’s a good way of selling it”.

Steve Jones, Executive Director,, looked at the numbers. Today 70% of email inboxes globally are protected by DMARC ̶ the new email authentication standard is spreading rapidly, as is SPF. Germany, however, has quite a low implementation rate of DMARC, at just 30%. One of the reasons is believed to be hesitation due to legal concerns about the information shared in the automatic reports. Andreas Schulze, Postmaster at DATEV, advises sending aggregated reports, which are legal in Germany.

Rosa Hafezi, Legal Attorney at the Certified Senders Alliance, advised those struggling with their legal departments over whether to introduce DMARC or not to draw their attention to the Report on the compliance of DMARC with German law developed by the eco Competence Group E-mail. In short, the report concludes that the implementation of DMARC is consistent with German law, taking into account restrictions, some of which are considerable.

Universal Acceptance – evolving email to fit the expansion of the Internet’s Domain Name System

In a video message to the CSA Summit attendees, Ram Mohan, Chair of the Universal Acceptance Steering Group (UASG) at ICANN, explained what universal acceptance is and why it is important: “Universal Acceptance (UA) is the state where all valid domain names and email addresses are accepted, validated, stored, processed and displayed correctly and consistently by all Internet-enabled applications, devices and systems.”

The UASG and its activities were introduced by Lars Steffen of eco ̶ Association of the Internet Industry. UA is key to bringing more of the world’s major languages online and letting the next billion users access the Internet on their own terms. However, right now 56% of websites are in English and only 3% in Chinese languages, despite 1.4 billion Chinese language speakers. UASG is working towards changing the status quo and setting the groundwork for other alphabets and longer domain names to be accepted by systems all over the world.

The Vice President Europe of ICANN, Jean-Jacques Sahel, pointed out that two more alphabets are coming online within the European Union; the Greek alphabet and the Cyrillic alphabet. Many major companies are moving their websites and domains to the new TLDS, e.g. .bmw, .barclaycard, .bnpparibas, .sky. There was much laughter when Lars Steffen revealed the name of the only website that is currently UA-ready: Microsoft’s Terry Zink highlighted that Microsoft is getting ready for Universal Acceptance. UA is built into Office 2016 and Outlook online.

IPv6: It works the same, it looks the same, it smells the same, it just has a lot more addresses

Although most people in the room had heard of IPv6, only a few are actually using it. Marco Hogewoning, External Relations Officer and Technical Adviser at RIPE NCC, looked at the benefits of IPv6 and the delays in its implementation. IPv6 has 128-bit addresses, as opposed to IPv4’s 32-bit addresses, which means there is no need for users or devices to share IP addresses. Although the plan was to implement IPv6 alongside IPv4 and then gradually phase IPv4 out, take up has been very slow (e.g. UK 7%, Brazil 11%, Germany 22.2%, US 30%).