Seth Blank is the Chief Technology Officer at Valimail, a leading provider of email authentication and anti-impersonation solutions. Seth is also co-chair of the DMARC working group for the Internet Engineering Task Force.
We’ll also talk about Valimail’s outreach to political campaigns and what Seth thinks campaigns can do to send better emails.
Eric Wilson (00:04.004)
at Vider Authentication and Anti-Impersonation Solutions. We have a little bit of a celebrity here because Seth is also co-chair of the group, the standards organization for the internet, making him kind of a big deal. If DMARC doesn't mean anything to you right now, stick with us because it's important to understand if you want your emails to reach voters' inboxes this year. We'll also talk about Valimail's outreach to political campaigns.
and what Seth thinks campaigns can do to send better emails. Okay Seth, we have to explain what DMARC is and not just what the acronym DMARC stands for. Explain it to me like I'm five.
Seth Blank (01:13.198)
Sure. It is legal and it is easy to send fake email as anyone online. And there are open standards that let you take control of your identity. These are SPF, DKIM, and DMARC. It is acronym soup. But what it means is if you send email from your own domain, businessapolitics.com, you can make sure that...
Eric Wilson (01:28.196)
And, and so you said it was an open standard so that it doesn't cost money necessarily to, to implement, but there could be some costs associated with it. Can you kind of walk us through, I mean, we have listeners who have, who have set up these records before. And I kind of, well, the give, give an example of, of, of what's going on behind the scenes. Once you set these up.
Seth Blank (01:40.398)
Only you can send email as you, and anyone impersonating you, trying to leverage your brand, leverage your campaign, cannot do so.
Seth Blank (02:25.422)
Absolutely. So SPF, which is Sender Policy Framework, DKIM, which is DomainKeys Identified Mail, and DMARC, which is Domain-based Message Authentication, Reporting and Conformance, can take a lot of manual effort to configure in DNS. But when you do that, you ensure that only mail
sent by you can reach your audience. And it can be, let me put it this way, there can be a lot of effort involved in setting up the records and maintaining them. You may choose a different mailing system. You may move from Mailchimp to Constant Contact or use something more familiar with you, right? These changes happen all the time. You may find a newer, better way to reach your audience.
Eric Wilson (03:15.236)
Yeah, and I, this has been something I've been having to do for, for newsletters and campaigns for a long time. And I, this is not a paid promotion, but Valimail just makes it so much easier than, than all the other services I've, I've had to use in the past. So, so Seth, let me, let me try an analogy and you let me know if I'm, I'm doing a good job of explaining DMARC. So essentially, you know, let's say, I'm,
Seth Blank (03:21.038)
And you have to keep all of this information in the DNS, in the domain name system up to date to make sure that mail continues to deliver. That's overhead. Anyone can do this. It is free, but it's not necessarily easy. And that's where Valimail comes in and others to make this as simple as possible for you.
Eric Wilson (03:44.484)
going to send money to someone, you know, I'm buying a house or something and I need to do a wire transfer. That, the bank that is about to send my money to you, maybe the seller, is going to call me first and say, hey, Eric, we just want to make sure that this is the right information on where you want this money to go.
before hitting send. And so in this way, if I am sending an email to your inbox, they are making sure that I have the authority to send that email.
Seth Blank (05:03.694)
That's exactly right. And the way this works is when someone receives an email, say they're Google or they're Microsoft, and they say, here's an email that says it's from Eric Wilson, they'll go to the DNS and say, hey, I'd like to validate that this email is actually from Eric Wilson. Do you have a credential that I can use to validate it? And what DMARC does is it takes that validation up a notch.
Eric Wilson (05:13.028)
So for those of you still with us, I know this is really sort of technical, but it's really important because the reason we're talking about DMARC on the Business of Politics that earlier this year, both Google and the office that DMARC would be required for any bulk email sender. And that includes political campaigns where we send a lot of emails, especially for online fundraising. It does get to our bottom line.
Seth Blank (05:31.758)
and says what is validated actually has to match what is shown to the user. So I could send an email that authenticates as fisher.com, but says it's from Eric Wilson. That's the stuff that DMARC stops dead in its tracks.
Eric Wilson (05:39.108)
So Seth, why did the inbox providers decide to take this step? Number one, and two specifically to rely on DMARC to do it.
Seth Blank (06:27.246)
It's a great question. And the question I have is why didn't they actually do it years ago? Why now? And the honest truth is spam and phishing are at an all-time high. COVID and remote work sent them into overdrive. And now there's also the new threat of generative AI in email. And it is simply too easy to impersonate someone and to spread disinformation to someone.
Eric Wilson (06:39.908)
Wow.
Seth Blank (06:56.782)
And we need to stop that as a way to reach consumers. The FBI actually reported numbers over the past couple of years running. Two years ago, they reported $23 billion in financial losses to businesses. This is business email compromise, which is when someone sends basically a fraudulent email and gets a business to send money to the wrong place.
Last year, the FBI's number was, I want to say it was 45 billion. It nearly doubled in a year, the five-year rolling average, right? This is crazy. And that's just U.S. numbers as reported to the FBI. So people are defrauding consumers left and right. Think about all your fundraising emails. You want your audience paying you and not a bad actor. And the best way to ensure that, not the only way, nothing in email.
Eric Wilson (07:36.708)
Right, and I agree with you on that. This is something we should have been doing a long time ago, because there's been a lot of reputational harm to email as a channel. Some of that's our own making in politics and other industries, but...
Seth Blank (07:56.75)
But nothing's security is 100%. But you need to make sure those messages from you to your audience are actually from you so that they can trust you and they can send money to you and only you.
Eric Wilson (07:59.14)
Mm-hmm.
Eric Wilson (08:14.788)
Right.
Eric Wilson (08:27.268)
And so we're kind of clawing back that trust or implementing, these, these steps now to, to get back to that. That stage. And it's something that we talk a lot about and we've had, Michael Kaiser from Defending Digital Campaigns on the show before where, you know, we really want to get to this place where it's secure by design. So I don't have to worry about installing airbags and seat belts in my car. They come pre-installed and it.
Seth Blank (08:29.262)
Well, I don't even think that's politics. Email was inherently untrusted, right? You have to think about where email started, right? It started 40 years ago between academics when it was only academics and only university systems online. There was no one else to trust. And so email had no trust baked in.
And then when you have a system that's got global scale that people use to transact and it's inherently untrusted, it's just ripe for fraud and abuse and we have to fix it.
Eric Wilson (08:55.876)
yells at me if I don't buckle my seat. That we are having to kind of add some of that back in the forms of multi-factor authentication, DMARC, things like that. What are, so obviously there's, there are some hurdles to overcome here. What are some of the ancillary benefits to a campaign? So yes, you're going to get your emails delivered. That's number one.
What are some of the other benefits to campaigns by implementing these practices?
Seth Blank (09:29.486)
Excel.
Seth Blank (10:11.47)
There are some huge benefits. We know that campaigns are under constant threat and abuse, right? If you're not protecting your domain, other people are trying to leverage the trust that your constituents have in you. And so by getting this anti-impersonation, anti-spoofing technology in place,
Eric Wilson (10:13.572)
Interesting.
Eric Wilson (10:27.428)
Right. And one of the threats that campaigns actually have, and you mentioned this business email compromise, we've actually seen instances where campaigns have wired money, very significant sums, we're talking TV ad buys in an election year, to fraudsters who are able to compromise that vendor's email.
Seth Blank (10:34.286)
What happens is that stuff doesn't count against you. Because right now, if you're sending an email and you're sending good email that your audience wants and someone else is sending bad email your audience does not want, that counts against you. Once you've got DMARC in place, it doesn't. And so you're no longer fighting for inbox placement, good against bad. It's just the product from you. And then it's, does your audience really want the email from you?
Eric Wilson (10:54.628)
and change routing numbers, bank details, things like that. And, you know, obviously that's not something, well, it may be something that DMARC can help cut down on, on some of the spoofing and phishing. But there are other steps we need to be taking. But this, I mean, this, you know, a lot of people think of this as sort of, well, it's not, not a big problem, but yes, it is. If you aren't able to do that TV ad buy in the final 90 days or 60 days of a campaign, you're going to be a
Seth Blank (11:03.374)
is wildly different than what should be seen.
Eric Wilson (11:24.1)
big trouble.
Eric Wilson (11:59.78)
Ha ha.
Seth Blank (12:07.926)
Yeah, absolutely. And we've seen this even recently. There have been wires that went to the wrong place, like in the last 30 days of a campaign, and the candidate lost because they didn't get that last buy that they needed to. And it's crazy. If you look at the business email compromise statistics, there are studies every year on this.
And the astonishing number that keeps on coming up is that 91% of cyber attacks start from email and start from spear phishing in particular. And it's crazy. Everyone thinks about, you know, all these different types of security, all these places to apply different defenses. Like how do you choose what to prioritize? How do you choose where to spend money? And at the end of the day, if you're not protecting your email, you're not protecting...
Eric Wilson (12:47.556)
Mm-hmm.
Seth Blank (13:01.23)
the largest vector by basically an order of magnitude to everything else. And it's not enough to just protect your email, but you've got to start there. And you mentioned talking to Michael Kaiser and MFA in security by design. And the way I talk about it is, it starts with protect your email so no one can use you to harvest credentials or phish consumers or redirect fraud. But then,
Eric Wilson (13:10.82)
Right.
Eric Wilson (13:23.012)
Yeah, so if we've got listeners who are worried about, you know, they've got a VPN and they're doing all this stuff, good on you, but let's make sure your email is locked down, that you've got DMARC in place. And to that end, Seth, how does Valimail help campaigns with DMARC setup and enforcement?
Seth Blank (13:30.478)
have MFA so that if someone does not do any of that, they can't actually use it to access the system. And then encrypt your information. So even if they are able to harvest a credential and get around MFA, they can't use it. Like it's all about security by design and defense in depth through layers. But this is stuff that campaigns shouldn't need to worry about. Like you should just be able to send the email you want to send that your constituents want and move on.
You've got to make it easy and approachable. And this stuff can be hard if you're left to your own devices.
Seth Blank (14:33.614)
Sure, so we have a partnership, you mentioned Michael Kaiser, with Defending Digital Campaigns, where we offer our services pro bono. It's a package we call Campaign Lite. If you're an eligible campaign, so you don't have to worry about the cost. We get in, we get out, we make it super, super easy to set the stuff up, move to enforcement, and get on with your life. And the suite that...
Eric Wilson (14:34.66)
You're listening to the Business of Politics show. I'm speaking with Seth Blank, CTO of Valimail, about email authentication and identity authentication. So, Seth, why is it a priority for you and the team at Valimail to engage with campaigns in this way and work with Defending Digital Campaigns?
Seth Blank (15:00.334)
DDC that Defending Campaigns provides is really powerful and it's all about getting the minimum security you need in place so that you close the biggest vectors for attack so you can move on with a secure landscape to campaign from.
Eric Wilson (15:39.748)
Yeah, I think that's something that too many people on the campaign front lines don't really appreciate that the goal is not by these foreign actors, nation states to boost one party over another. They just want to create chaos and disrupt the election. They don't have a political agenda beyond that. And similarly, cyber criminals don't care if you have an R or a D behind your name. They just want to know how many commas are in your bank account.
Seth Blank (15:42.51)
Because we believe it's our duty to democracy. We're a very mission-driven organization. We want to make, we want to restore trust to email and we need to keep our discourse protected so that it's actually from our.
elected officials and the people who are campaigning against them, right? You don't want the noise entering that. And this is something that we're able to do, that we want to do, and that we think makes the whole world safer to have those discussions in a trusted environment.
Eric Wilson (16:09.636)
And so, it's important work that, that you guys are doing. So I really appreciate you making this, to, to our campaigns. And I really want to encourage everyone, if you were working on a federal campaign, you can get this it's for free and it helps you out in, in numerous ways. If you're at the state level, there are, there are some states where you can work with Defending Digital Campaigns, but, it's mostly for your federal campaigns.
So Seth, aside from DMARC, what are some of the other strategies that campaigns can employ to achieve better inbox placement?
Eric Wilson (17:13.024)
Mm-hmm.
Seth Blank (17:35.662)
Sure. So the, the number one thing is to make sure that you're sending messages that your constituents have opted in for. Right. If you haven't actually gone through that process, what will happen is if you're sending to a mailbox and you've got people who never subscribe and they go click spam, right. The enemy of your message receiving users is someone getting the message and hitting that spam button.
And so you want to make sure that people have opted in and you're not bouncing out. You also want to make sure that you're engaging in powerful ways. The honest truth is there's so much.
Eric Wilson (18:07.588)
Yeah, that's really powerful. I'd never heard that framed that way. Because you all we always talk about, we improve your sender reputation. It, you know, with without DMARC, it's like there could be a lot of people with masks of you going around robbing convenience stores and ruining your reputation. But this really shuts that down in a powerful way.
Seth Blank (18:26.894)
in this deliverability sphere of the ways to send well to users, but it comes down to protect your identity and make sure you're sending to people who've signed up and you're going to be okay. Right. But you've got to get the stuff that people don't want out of the system, which means anyone who's pretending to be you turn that off. And when you turn that off, it's just between you and the individual.
Eric Wilson (18:49.38)
Okay.
Eric Wilson (19:02.788)
Wow.
Seth Blank (19:18.926)
And it happens, the funny story on that note, this is the most egregious example, no one else has had it this bad, but it was actually in the UK, it was HMRC, so the Her Majesty's Revenue and Customs, the UK IRS. They claimed they had a deliverability rate of like 18%, basically fewer than one in five emails were making it to their recipients. They turned DMARC on and their deliverability rate jumped to 98%.
Eric Wilson (19:24.164)
Seth, what's on the horizon for email? It's still the workhorse of the internet, the killer app. You've gotta have email. It's been around for 40 years. Does it have more tricks up its sleeve?
Seth Blank (19:49.07)
Right? It's the sheer number of people trying to impersonate the tax man and run off with money was so high that they couldn't get their legitimate emails through. Right? Your mileage will be wildly different, but that just underscores the impact. Turn off the stuff impersonating you and you're going to get through far more cleanly.
Seth Blank (20:23.438)
Yeah, like the rumor of email's demise, it's never so baked in because it's this ecosystem-wide industry standard. And so there's always new things. One of the things that I'm really looking forward to is called BIMI. It's Brand Indicators for Message Identification. You can lead with your brand, with your campaign's logo, with your official's face.
Eric Wilson (20:46.116)
And just for our listeners, that is your, you know, when you send an email to someone, your logo appears depending on the app. But essentially, BIMI, if I understand it correctly, because I've tried to set it up on a few of my domains, not necessarily successfully, but working on it, it requires attaching an image to your domain name settings. Is that right?
Seth Blank (20:51.278)
anywhere else. You can put things on signs. Certainly, if you look around the room you're listening to this from, you're going to see logos and names of companies all over the place. In email, you cannot lead with your brand or your campaign until someone actually opens the message and is actually in the message. And so BIMI brings brand indicators into the inbox. And we're seeing that increase open rate and engagement.
And that's new. It lives in Google and in Yahoo. It is not yet at Microsoft. But we're seeing that make a big difference for how consumers engage with email. And then there's a world of how do we... Yeah.
Eric Wilson (21:42.116)
Hmm.
Eric Wilson (21:49.38)
What else can we expect coming out of the internet for email on the horizon?
Seth Blank (22:01.774)
Exactly. You publish it in DNS the same way you do with email authentication records. And then it lets you provide the logo and the consistency you want versus the inbox is guessing or just putting your initials on it. So it takes it from this like stick of here's a question mark or a fish hook to the neutral of here are your logos to the positive of, this is your actual brand. This is your campaign and makes it more visual.
Eric Wilson (22:29.988)
interest.
Seth Blank (22:31.118)
for users of that inbox.
Eric Wilson (22:33.156)
Yeah, so it's sort of like almost changing the delivery and distribution of it. And you still have recipients of the content, creators of the content, but there's a little bit more customization, I guess, between how, when, what that looks like.
Seth Blank (22:43.342)
The other fun thing is we're looking at better ways for users to interact with the brands that send the mail so that they don't need to click the spam button. They can go, hey, I signed up for this thing weekly, but I actually want it monthly. Instead of going, I don't want this right now, clicking spam, and then harming your reputation. Like, how do we give them better controls to get what they want?
without actually harming the reputation of people sending the messages they actually sign up for in the first place. That makes this better for everyone.
Eric Wilson (23:38.052)
Seth, before we wrap up, I want to demote you for a minute and put you in charge of the email program for a campaign for a day. What would you do?
Seth Blank (23:39.79)
Exactly. And I think this is one of the tricky things, especially when it comes to political mailing, right? Like a mailbox, they don't look at their job as to deliver the message you want to send to the consumer. They look at their job as to give the consumer what the consumer wants. And so if the consumer wanted something from you last week, but doesn't want it today, they don't feel obligated to put that message in the inbox. And there should be better ways when people sign up.
that it gets to them and that there's a two -way dialogue going on as opposed to just someone deciding they don't want the message anymore, not telling you, hitting spam, and then harming your ability to send mail to everyone. And so that's really where we want to make things a lot better.
Seth Blank (24:30.094)
Sure.
Eric Wilson (24:35.94)
Well that is very good advice and worth pursuing for anyone on the campaign trail. My thanks to Seth Blank for a great conversation. I'm going to include links to Valimail so you can sign up for that service. If you are an eligible campaign, I encourage you to get in touch with Defending Digital Campaigns. It will also be linked in the show notes so you can take advantage of all of that. If this episode made you a little bit smarter or gave you something to think about, I learned new things today too right along with you.
Seth Blank (24:39.598)
So I would go get as much data as I can. I would make sure authentication is in place. I would look at the messages I'm sending, who's actually receiving them. And I give them the phone with some of those constituents and say, hey, what did you like about this message? What resonated? What missed you? Hey, it seems like you unsubscribe. Why did you unsubscribe?
Eric Wilson (25:05.028)
You know that all we ask is that you share it with a friend or colleague. You look smarter in the process and more people learn about the show. It's a win-win all around. Remember to subscribe to the Business of Politics show wherever you listen to your podcasts so you never miss an episode. You can also sign up for email updates on our website at business.com. With that, thanks for listening. We'll see you next time.
Seth Blank (25:05.71)
What was wrong? Because you signed up. You wanted a message from you originally. Why did you choose no? And dial in the messaging and how you approach that will make an enormous impact on your ability to get more mail to more people who want it and land in their inbox.