Equifax’s email has a security hole

Failed to implement DMARC – a common anti-fraud protection.

A quick check shows that Equifax has not implemented DMARC to guard against email fraudsters claiming to be Equifax. DMARC is a way to say to the world “any email claiming to be from my domain is authenticated with DKIM or from an IP listed in my SPF record – and if not, the message is fraudulent”

Paypal implemented this year’s ago in consultation with Yahoo and other Internet Service Providers.

The upshot? Anyone can impersonate the equifax.com domain when sending email. Not surprising considering that Equifax had failed to implement a patch available a two months before the breach occurred.

DMARC is a DNS record that uses both SPF and DKIM records to specify which delivery locations (e.g. IPs) are allowed to send email on behalf of a given domain. The below DMARC records for Paypal, Chase bank, and Equifax. Both Paypal and Chase have implemented a strict reject policy ‘p=reject’ on 100% of their mail ‘pct:100’. In effect this presents a guideline to receiving networks. It’s not a difficult authentication method to implement.

For the following lookups, I am using dig, a command available on any MAC or Linux machine. On a PC, one could use the free services offered at mxtoolbox.com to do their own lookups. All these lookups have been performed at 11:10 AM CST, 09-15-2017.

Example lookup with dig from the command line:
>> dig +short -t TXT _dmarc.paypal.com

Paypal.com DMARC record:
“v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com”

Chase.com DMARC record:
“v=DMARC1\; p=reject\; pct=100\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;”

Equifax.com DMARC record:
None. The lookup returns no response indicating that no DMARC records has been installed. We expect equifax will implement DMARC so it should be noted that as of September 15th, 2017 at 11:10am CST, no DMARC record is found from this lookup.

How to interpret a DMARC record.

This post is not meant to be an in depth tutorial in DMARC. Please visit https://dmarc.org/ for a full explanation. The key concepts of DMARC are twofold:

p=reject  – The policy setting (options are reject/quarantine/monitor/none)

pct=100 — The percentage of mail that is to be reviewed (100 means apply the policy to 100% of mail from this domain)

How DMARC policies are implemented by a receiving mail server.

If Gmail receives a message from Paypal that originates from an IP listed in the Paypal SPF record, that message is deemed to have passed DMARC. If the IP is not part of the Papal SPF record, the message bounced per the ‘p=reject’ setting. A setting of ‘p=quarantine’ could mean mail is sent directly to spam or hidden in a server quarantine, never to be shown to any end recipient of the message.

The point here is that equifax.com has not implemented any such record. Any IP in the world is free to impersonate (aka spoof) the equifax.com domain under their current implementation. Of course fraud is still illegal, but there is no DNS record in place to forcefully protect against anyone impersonating the equifax.com domain over email. DMARC is an available option for enhanced security and it seems shocking to us that an institution like Equifax, which holds the personal information for millions of Americans, has yet to implement this level of protection.

DMARC is certainly not the only metric large ISPs like Gmail or Yahoo use to monitor fraud. An SPF record alone (which equifax.com does have in place) will still provide a list of IPs from which equifax.com mail may be sent. But without DMARC in place, there is no policy stated and the decision on how to handle the incoming mail is thus left to algorithms operated by the ISPs themselves.

To be sure, DMARC implementation is still quite sparse even among fortune 500 companies. As the Agari Global DMARC Adoption Report shows, as of August 2017, 67% of Fortune 500 companies in the US have yet to implement any DMARC policy. Equifax is not alone in this by any stretch. For many organizations, implementing DMARC can be risky and difficult. One of the dangers of moving to a p=reject policy too quickly is that if all mail streams for a given domain are not covered by DKIM and/or SPF records, one might inadvertently cause their own legitimate mail to get flagged and possibly rejected.

A word of advice to anyone reading this post about DMARC. If you intend to protect your domain against spoofing with DMARC, make sure you to contact your ESP to let them know. Passing DMARC with your ReachMail messages is possible, but not without additional DNS records being implemented on your domain. We can accommodate DMARC for ReachMail clients and we’ll walk you through how to ensure that all your mail streams are protected in safe manner. A brief explanation of DMARC settings can be found here.

Final thoughts.

We checked the DMARC records for many major financials institutions in the United States. Chase.com, citigroup.com, wellsfargo.com, bankofamerica.com all maintain strict DMARC policies. Their domains are protected against spoofing.

Of the three major credit bureaus in the US, only experian.com has implemented a DMARC record. Experian’s DMARC policy is p=none, meaning they have no policy. Setting a p=none policy may not protect the experian.com domain from spoofing, but it does allow them to receive reports so they can monitor any potential abuse. Neither equifax.com nor transunion.com have implemented any record.

All this begs the question: if these institutions are responsible for maintaining the private information for millions of Americans, should they be held to higher security standards?

Five Ways Email Marketing Can Boost Your Inbound Marketing

It can feel as if the digital world is always creating new opportunities to market your products and services, but some of the oldest methods are still the best. Take email, for example. Email has been around a lot longer than social media, but it’s still one of the most effective ways to acquire and retain customers for many brands. Here are five ways that you can boost your inbound marketing by using some smart email strategies:

  • Use automated campaigns: We’ll start with one of the clearest ways to make your email marketing more effective. Set up an autoresponder email service that runs automatically. Using ReachMail or a similar platform, you can make sure that your company never fails to acknowledge an email from a potential customer by having it send a predetermined response whenever you receive a message. NGO charity: water exercised this strategy to great effect in a campaign that automatically sent each donor an update on the project and showed them the people it was helping.
  • Pay attention to your copy: a lot of companies understand that it’s important to send emails, but many of them don’t pay enough attention to their content. You might be surprised to learn how many companies are run by people who can’t or don’t take the time to write well—but customers notice. That’s why successful email marketers like the ones at Buzzfeed make a point of jazzing up their copy with jokes, catchy phrases, and references that their target markets will enjoy. Join their mailing list, and you’re sure to see good examples whenever you open a message from them. Pro tip – use an A/B testing tool to see which version works best.
  • Offer incentives: marketing shouldn’t be a con, it should be an offer to exchange value. You’re not trying to trick people into giving you their time, attention or money—you’re providing them with something that they need, and they’re compensating you for it. Ramit Sethi offers some good advice on how to create meaningful incentives for your potential customers: make your free content better than your competitors paid content. Focus on giving your target market something they can use is an excellent way to boost your conversion rates and see them opt into your mailing list or subscribe to a paid service.
  • Reward your subscribers for referring others: incentives aren’t just necessary for acquiring new subscribers. You’ll also want to make sure that you’re growing your mailing list—and the best way to do that is through word of mouth. You can turn a customer into a recruiting asset by offering them further benefits for bringing in their families and friends. Since potential clients that have been referred are over 30% more likely to convert than those who haven’t, this is an area you can’t overlook.
  • Grab ‘em with your subject lines: ever open an email from an unfamiliar company with a subject line that includes phrases like “special offer” or “best product ever”? Yeah, me neither. If you want your emails to stand out from the deluge of spam that your customers receive every day, you have to be creative. It’s even better to be funny—check out this list of clever email marketing subject lines for some excellent ideas.

Email remains one of the most practical tools for you to grow your business—you just have to think outside the box a little. You can test these strategies for free with ReachMail,, and watch as your emails net you increasingly more customers.

9 Tips To Inbox at Gmail

“How can I get to the inbox at Gmail?”. Probably one of the most common questions from email marketers we get at ReachMail.

We recently attended the Email Sender and Provider Coalition semi-annual meeting in Palo Alto in May,  Gmail’s Product Manager Sri Harsha Somanachi had these suggestions to get into the Gmail inbox:

      • Personalize as much as possible – Gmail empowers users to control their inbox. If your email ends up in the bulk folder and the user marks your email as “Not Spam” Gmail will weigh this heavily in your favor and lean towards placing your email into the inbox. How should you personalize? Consider:
        • Segregating your non-openers – This will keep your spam complaints down. (Here’s how it’s done in ReachMail)
        • Personalizing content – Use the subscribers history to send them a unique appeal. Possible options beyond their name include product purchase history, website usage and to a lesser extent demographic data including age, geography and gender.
    • Take seed list inbox data with a grain of salt. If your seed list is bulking that may not necessarily reflect bulk folder placement. Seed lists such as Return Path’s Inbox Monitor  may not show user engagement like actual subscribers. Somanchi said that when he gets complaints of seed lists bulking, he often see actual subscribers inboxing.
    • Make sure your email is authenticated - At a minimum, conduct an SPF check or DKIM check. Furthermore, to be extra careful, Gmail recommends publishing a DMARC policy.
    • Send from a consistent sending IP – Gmail still strongly measures your sending IP reputation. Don’t switch it up.
    • Use GMail’s Postmaster Tools You can check on your sending reputation and can see the trendline in how your email is perceived by Gmail.
    • Starting new? Start extremely slowly – If you have a new brand or domain, Somanchi recommends starting very small. Send just 10 emails per day and ramp up only by a factor of 1.
    • Warm-up ALL your sending infrastructure - Gmail looks at everything –  your sending IP, the “From” domain, DKIM, SPF and the “from” header. If you change just one of those – (e.g. from domain), you need to warmp-up all over again.
    • Screw up? Take a break - If you send an email that severely damages your reputation – don’t “mail through”. Rest your sending infrastructure at least 3 or 4 days, correct the issue and start very slowly again.
    • Enable one-click unsubscribe - Top brands know that making it easy to unsubscribe dramatically cuts down on “spam” complaints. Don’t feel like making it easy? Your subscribers will mark your mail as “spam” if it’s difficult to opt-out. Here’s how it looks:

To enable one-click unsubscribe, Gmail states “Provide a ‘List-Unsubscribe’ header which points to an email address or a URL where the user can unsubscribe easily from future mailings. (Note: This is not a substitute method for unsubscribing.) “ Check out more at ReachMail.