OTA Audit: Retailers Achieve Record Email Trustworthiness Leading into Holiday Shopping Season

200 largest online retailers are taking consumer email protection and convenience seriously, according to analysis by the Internet Society’s Online Trust Alliance

Nov. 28, 2018 – Reston, VA – Today the Internet Society’s Online Trust Alliance (OTA) released its fifth annual Email Marketing & Unsubscribe Audit. The Audit analyzes the newsletters and promotional emails of the 200 largest North American online retailers for authentication and end-to-end user experience from signup through unsubscribe.

“Although email unsubscribe and security practices may not win any retail customers, it can certainly lose them, and retailers appear to be paying attention,” said the Technical Director of the Internet Society’s Online Trust Alliance, Jeff Wilbur. “Our research shows that retailers are working hard to eliminate email compromise and impersonation, while generally making it easier than ever for consumers to unsubscribe from marketing emails. We’ve noted there’s still plenty of room for improvement and one or two worrying trends, but overall this shows a serious commitment to improving the online shopping experience.”

Seventy-four percent of the retailers received a “Best of Class” designation, meaning they scored 80 percent or higher in OTA’s analysis of their marketing email trustworthiness. Ten of those sites had perfect scores, which means they adopted all twelve of OTA’s email best practices, did not send an unsubscribe confirmation email, and did not violate CAN-SPAM and Canada’s Anti-Spam Law (CASL). Those retailers are Dick’s Sporting Goods, Home Depot, Lands’ End, Musician’s Friend, Office Depot, OpticsPlanet, Sierra Trading Post, Staples, Talbots and Walgreens. Last year 67 percent were Best in Class, and nine retailers received perfect scores.

Unsubscribe Best Practices Reach Record Levels

Eighty-nine percent of the audited retailers stopped sending marketing emails to consumers immediately after they placed an unsubscribe request, up from 88 percent in 2017. Conversely, companies not honoring unsubscribe requests by consumers dropped from six percent last year to two percent this year. OTA’s research showed three percent of the retailers were in violation of U.S. and Canadian anti-spam laws either by not listing their physical address in an email or failing to honor unsubscribe requests.

OTA also found retailers are doing a better job than ever of making unsubscribe easily discoverable, with best practice compliance increasing from 76 percent in 2017 to 84 percent in 2018. Discoverability deductions are due to a combination of factors, but primarily include placement (footer vs. sentence vs. paragraph), contrast of the unsubscribe link itself as well as with surrounding text (e.g., grey text on a light grey background), text size and alternate wording (i.e., not using “unsubscribe”).

Worrying Trend

The ease of opting out of marketing emails declined because pre-populating the unsubscribe page with the recipient’s email address dropped from 95 percent in 2017 to 90 percent this year. It is inconvenient and error-prone for consumers to manually enter an email address, especially if they own multiple email addresses.

Email and Unsubscribe Security Increases Across the Board

The top retailers showed an improvement in every type of email and unsubscribe security factor measured by OTA, doing an outstanding job of preventing their emails and unsubscribe web pages from being successfully spoofed, impersonated or intercepted. When retailer email is fully authenticated, Internet Service Providers and receiving business networks can make better decisions about the validity of incoming messages and consumers can better trust retailer messages in their inbox. Specifically, OTA found:

• Email Authentication:  One-hundred percent used Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), up from 95 percent and 99 percent respectively in 2017. SPF and DKIM allow a receiver to verify that a message was sent by the purported sender.
• Impersonation:  Adoption of DMARC, which allows senders to tell receivers how to handle messages that fail authentication, jumped substantially from 60 percent in 2017 to 71 percent in 2018. Yet those that are using DMARC to enforce policy with reject or quarantine designations grew much more slowly, from 33 percent in 2017 to 35 percent in 2018.
• Encryption:  Once again the use of Transport Layer Security (TLS) saw a positive increase, jumping from 90 percent in 2017 to 96 percent in 2018. TLS for email adds message level encryption and helps maintain the privacy of emails in transit between mail servers.
• Use of HTTPs:  OTA found that 69 percent of unsubscribe web pages were encrypted using HTTPs rising dramatically from 52 percent. If these pages are not encrypted, consumers’ email addresses and other sensitive information can be passed in the clear, risking exposure.

Methodology
In April 2018, OTA signed up to receive promotional emails from the top 200 North American retailers as defined by revenue in the Internet Retailer Magazine Top 500 Guide. It analyzed the user experience from those retailers from signup through reception of email through the unsubscribe process and whether/how the unsubscribe requests were honored, culminating in data analysis in mid-November. OTA assessed twelve best practice categories related to the unsubscribe process and noted the email authentication practices.

OTA’s 2018 Email Marketing & Unsubscribe Audit report reflects input from industry leaders and government agencies worldwide. This year’s complete report along with an infographic breaking down more report findings are at https://otalliance.org/2018-email-marketing-unsubscribe-audit and previous years’ reports are at https://otalliance.org/unsub.