December 13, 2017
The Year in Email 2017
Can you believe it? The year 2017 is coming to a close and what a year it has been in the email ecosystem. Email’s staying power continues to flex its muscles as a dynamic channel that can adapt to the ever-changing landscape of digital marketing. This past year saw many changes, trends, and announcements that will help shape the industry moving into the New Year. Let’s relive together the most important moments and highlights in email.
1. Data Breaches, Phishing, and Email Security
Large companies made headlines in 2017 by falling victim to cyber attacks and data breaches that compromised millions of customer records. Many of these cyber attacks were the result of phishing or spoofing techniques using various methods designed to trick the recipient into giving up his or her personal information. Phishing emails and malicious attachments are still the main causes of data breaches, with 91% of all cyber attacks originating from a phishing email.
During May–July 2017, Equifax, one of the three main credit organizations in the United States, suffered a data breach that impacted as many as 143 million consumers in the US. Cybercriminals gained access to names, social security numbers, credit card numbers, and other personally identifying data from the breach. The attack was traced to a simple software flaw that led to the vulnerability being exploited. To make matters worse, Equifax customer support referred those potentially impacted to a phishing knock-off site instead of their own informational site about the breach.
Not to be outdone, Uber disclosed in November that hackers stole 57 million drivers’ and riders’ personal information including phone numbers, email address, driver license numbers, and names. The attack actually took place in 2016, but was concealed for more than a year and included a $100,000 ransom payment to the attackers. Hackers are leveraging the stolen personal information, including names and email address, to target and personalize phishing emails to gather login information or trick victims into downloading malicious payloads.
Google Docs was exploited by a phishing scam in May, resulting in more than 1 million compromised Gmail users. While representing less than 0.1% of Gmail’s active users, the impact wasn’t large, but shows even the most tech-savvy companies in the world can fall victim to phishing emails and data security.
Yahoo clarified in October 2017 that in fact all 3 billion of its accounts were hacked in a 2013 cyber attack, tripling its earlier scope estimate. Hackers were able to use a “spear phishing” email to gain access to a Yahoo employee’s credentials to break into the company’s systems. Yahoo remains the largest data breach of the 21st century that we are aware of.
Silver lining? Email authentication and security, like DMARC, made strides this past year, aiming to fight email phishing as the vehicle for many data breaches. This past October, the Department of Homeland Security announced it is requiring federal agencies to implement DMARC on their sending domains within 90 days. Furthermore, ISPs supporting DMARC grew significantly over the past year, with 4.8 billion inboxes now supporting DMARC, representing 76% of current global email accounts.
“Widespread adoption by the USG will be viewed by other governments and large businesses as a positive signal of the value of DMARC in protecting against BEC/EAC scams and other prevalent email-borne attacks. If they were sitting on the fence, the outcomes experienced by these organizations should help push those considering adoption towards getting started with a monitor-only policy.”
250ok Advisor and co-author of the original DMARC specification.
Alexander García-Tobar, CEO and co-founder, ValiMail, said, “In 2017, email authentication via the DMARC standard moved into the broader marketing consciousness. 2018 is the year DMARC at enforcement becomes the focus – the ability to stop impersonation attacks (phish), improve deliverability, and protect your brand. It brings together CISOs and CMOs for a common cause.”
2. Email Privacy and Harassment
While not a new topic, email harassment and invasion of privacy tactics grew in importance this past year. Privacy is a right that humans feel strongly about, and their email inboxes are no different. In a lot of ways, your email address is your digital identity. It’s how you keep in touch, what you use for accessing sites, and it’s how you are known. The following are highlights that jeopardized the importance of email privacy and your data.
List bombing or subscription bombing, a cybercriminal tactic leveraging bots to create mailing list subscriptions request at rates over 1000 per minute, shook the email industry in late 2016 and into 2017. This tactic presented a unique problem to ESPs, marketers, and anti-spam vendors alike, as it allowed cybercriminals to create an email “DDOS-style” attack to harass individuals. Unique attacks such as these create a sense of collaboration across ISPs, abuse desks, security vendors, and ESPs to share ideas and tactics aimed at combating abusers to stay one step ahead.
Encryption of email during transit saw a rise in importance this past year, primarily with the adoption of email providers implementing Transport Layer Security (TLS). TLS encrypts an email in transit making it harder for others to reach what you are sending. According to Google, inbound email encryption into their networks at the end of November 2017 rose to 90%, compared to just 63% at the beginning of 2016. This is a great sign that more marketers and senders are encrypting email while in transit to their customers to protect their privacy. Google also announced in June of 2017 it would stop scanning inboxes of Gmail’s free user mailbox service for ad personalization.
Unroll.me made news in April when it was accused of selling personal email data to ride-hailing service Uber. Unroll.me, a popular webmail plug-in app for managing unsubscribes, reportedly sold personal information to Uber about when its users were switching to Lyft via recipients in their personal email inboxes. What made customers furious was the dubious nature in which Unroll.me was scraping information out of emails and selling personal info to third parties. There are other providers offering similar services, but the lesson learned here is you must ensure trust and transparency through terms and conditions of granting access to such vendors.
“Allowing third parties to access inboxes isn’t simply a matter of privacy. Nearly all modern online services use an email address to identify users and as a way to confirm account ownership and access permissions. Getting access to the inbox opens up access to dozens of other accounts,” said email veteran Laura Atkins, co-founder of Word to the Wise. “Unroll.me used their access to monetize their user-base by selling information without notifying users it was doing so. It’s not out of the question for hackers and criminals to create their own set of ‘mailbox improvement tools’ and use the access granted by users to compromise bank, health care, and other accounts containing PII. It’s the next generation of phishing and users need to be more suspicious of online tools, particularly those that ask for direct access to email accounts.”
3. Global Email and Privacy Laws
Many countries and governing bodies around the globe took steps in updating digital communication laws and governance this past year. Marketers, especially those in Europe, are gearing up for new changes to the General Data Protection Regulation (GDPR) rules going into effect in May 2018. This legislation applies to all EU businesses handling personal data and increases the definition and accountability of clear, unambiguous consent.
Over in Canada, the government announced suspending the provision known as the private right of action, a part of Canada’s Anti-Spam Legislation (CASL). The provision would have allowed consumers to sue any company that sent email violating this law. July 1, 2017, marked the final rollout of CASL and the end of the transition period for implied consent. 2017 saw the first fine levied against a small business owner, William Rapanos, to the tune of $15,000. Total fines issues from infringement of CASL since 2014 total more than $1.5 million.
“We also saw the first Constitutional challenge of CASL fall in favor of the regulators, and the Private Right of Action put on hold for the foreseeable future,” said Matthew Vernhout, 250ok’s director of privacy and industry relations. “Looking ahead to 2018, we expect to see the review committee and the Ministers recommend changes, if any, to the legislation.”
Here in the United States, the FTC is currently reviewing CAN-SPAM, the law regulating commercial mail. Enacted in 2003, CAN-SPAM is in need of a review as the digital landscape has changed dramatically over the past 14 years. This past June, the FTC opened a request for comment on “the efficiency, cost, benefits, and regulatory impacts of the rule.” Numerous email vendors, anti-spam groups, and advocates submitted comments to the FTC before the August 31, 2017, deadline.
Finally, some good news for anti-spam advocates everywhere: This past April saw the arrest of one of the world’s most notorious email spammers, Peter Levashov, who was listed as #7 on Spamhaus’s World Worst Spammers. Levashov was arrested in Spain while on vacation, under an international warrant.
4. Industry Acquisitions, Consolidations, and Changes
For deliverability and marketers alike, this past year kept us on our toes with numerous acquisitions and changes impacting the ISP and email vendor landscape.
Verizon finalized its acquisition of Yahoo for $4.4 billion on June 13, 2017, creating a new subsidiary called “Oath” that includes brand assets from AOL and Yahoo. The sale price was slashed more than $350 million following Yahoo’s additional disclosure of the impact and details of their data breaches during 2013-14. As a result, Verizon’s mail system began to shut down and transition over to AOL’s mail service for @verizon.net email addresses. Verizon began notifying customers in February 2017, providing options to retain their @verizon.net email address, and AOL announced the cut-over date for MX records would be June 20, 2017.
On the ISP side, many email domains were discontinued in 2017, including British broadband provider EE, who owned numerous domains, most notably Orange.net. Terra’s mail service retired on June 30, 2017, and Vodafone NZ announced their email service would shut down on November 30, 2017. Time Warner Cable also announced Road Runner’s FBL was deactivated in mid-October.
2017 saw email platforms and security vendors announce exciting changes. This past April, Experian PLC announced it would sell 75% of its cross-channel and email marketing line of business to Vector Capital, which rebranded this cross-channel marketing business into Cheetah Digital. In November, Proofpoint acquired Cloudmark in a move that bolsters its position in the email data and security space.
We also witnessed an exciting email tech IPO with SendGrid, listed on the NYSE on November 15, raising $131 million during its first day on the market. “SendGrid’s market opportunity is approximately $11 billion today, and we believe we have a long-term growth opportunity to build our business and doing so as a public company gives us a great opportunity to execute our vision,” said Yancey Spruill, CFO of SendGrid.
5. Email Channel Staying-Power and Deliverability
With the advancement of digital communication through social media, push messaging, mobile apps, and video chat, email remains the most important communication channel for marketers across generations. That’s a lot to be said for a digital marketing channel more than 40 years old. Email marketing and adoption grew 86% over the past two years, and the number of email users in the US is projected to grow to 244.5 million by the end of 2017. With returns on investment averaging $44 for every $1 spent, there is simply no denying email’s staying-power over the years.
An email address has become one’s digital identity. It is the digital key to access accounts, apps, communication and so much more. With the world sending more email than ever before, deliverability and reputation remain vital in ensuring emails reach their intended customers’ inboxes. Inbox delivery remains a top concern for marketers during 2017, with 70% of marketers and brands struggling to have real-time information and data to make timely and informed decisions. 250ok offers a suite of deliverability and email analytics tools to help marketers drive world-class email performance.
2017 also saw a sharp move towards domain reputation for senders, predicated by the shift from IPV4 to IPV6. Leading ISPs, including Gmail, put great emphasis on domain reputation in deciding what mail lands in the inbox versus bulked in the spam folder. Engagement, personalization, and mobile optimization remained consistent themes marketers emphasized in driving email conversion.
2017 was another busy year for the email industry. Email made headlines across the world for political reasons, cyber attacks on high profile business, and abuse of personal privacy. Countries prepared for the digital marketing landscape of the future with new governance and legislation aimed at protecting subscribers and holding marketers accountable. Email platforms, security vendors, and ISPs continued to merge and consolidate across the industry while others discontinued domains and webmail service in what has become an ever-changing industry. Marketers continue to harness the power of and invest more in the email channel to connect with their customers and drive revenue. To all the pundits out there, email is not dead, it is alive and well, and I look forward to another exciting year in email come 2018!
You may also like...
It’s hard to believe we are nearing the end of yet another exciting year in email, and 2019 proved to be one of the most momentous and active years to date. Over the past year, the number of new technologies, mergers and acquisitions, mailbox provider (MBP) announcements, news, and highlights is evidence of the versatility […]
I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]
*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]