Tech Insight : DMARC Diligence (Part 3) : Implementing and Optimising DMARC for Maximum Security

In this third and final part of our series of ‘DMARC Diligence’ insights, we explore the detailed process of DMARC deployment, its monitoring, optimisation, and preparing businesses for future email security challenges.

Last Week … 

Last week in part 2 of this series of ‘DMARC Diligence’ articles, we looked at the crucial yet often neglected aspect of securing non-sending or “forgotten” domains against cyber threats. Here we highlighted the potential risks posed by these domains when not protected by DMARC policies, and offered some guidance on how businesses can extend their DMARC implementation to cover all owned domains, thereby preventing unauthorised use for spam or phishing attacks.

This Week … Implementing DMARC: A Step-by-Step Approach 

As noted in the previous article in this series, implementing DMARC is now critical for UK businesses to protect against threats like email spoofing and phishing.

To briefly summarise a step-by-step approach to implementing this, businesses can start by ensuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are correctly set up for the domain(s), as DMARC relies on these for email authentication. Next, it’s a case of creating a DMARC record with a policy of “none” to monitor traffic without affecting it. This record is added to your DNS.

Over time, it’s important to analyse your DMARC reports in order to identify any unauthorised use. Finally, gradually shift your policy to “quarantine” or “reject” to block or flag unauthenticated emails, enhancing your email security posture. Looking at this approach in a bit more detail, implementing DMARC means:

– Understanding SPF and DKIM. Before implementing DMARC, ensure you have SPF and DKIM records correctly set up for your domain. These records help in email verification and are crucial for DMARC to function effectively.

– Creating a DMARC record. Draft a DMARC TXT record for your DNS. Start with a policy of ‘none’ (p=none) to monitor your email traffic without affecting it. This stage is critical for understanding your email ecosystem and preparing for stricter enforcement without impacting legitimate email delivery.

– Analysing the reports. Use the data collected from DMARC reports (Aggregate reports – RUA, and Forensic reports – RUF) to identify legitimate sources of email and potential gaps in email authentication practices.

– Gradually adjusting policy. Adjust your DMARC policy from ‘none’ to ‘quarantine’ (p=quarantine) as you become more confident in your email authentication setup. This move will start to prevent unauthenticated emails from reaching inboxes but may still allow them to be reviewed.

– Full enforcement. Once you’re assured that legitimate emails are correctly authenticated and not negatively impacted, shift your policy to ‘reject’ (p=reject). This is the final step where unauthenticated emails are actively blocked, providing full protection against phishing and spoofing under DMARC.

– Continuous monitoring and updating. Email authentication landscapes and practices evolve, so it’s crucial to continuously monitor DMARC reports and update your SPF, DKIM, and DMARC settings as necessary to adapt to new email flows, domain changes, or security threats.

Monitoring and Reporting – The Key to Effective DMARC 

For businesses, effective DMARC implementation relies heavily on consistent monitoring and reporting.

Why? 

By analysing DMARC reports, businesses can gain insights into both legitimate and fraudulent email sources using their domain. This process not only helps in identifying authentication failures but also in refining DMARC policies over time (as suggested in the step-by-step approach above) for better security. Remember, regular review of these reports is essential for adapting to new threats and ensuring email communication integrity.

Optimising DMARC Policies 

Optimising a DMARC policy involves fine-tuning it to create a balance between security against spoofing and phishing, and ensuring legitimate emails are delivered smoothly.

But How? 

The starting point (as mentioned above) is the analysis of your DMARC reports to identify authentication failures and adjust your SPF and DKIM setups accordingly.

A Phased Approach 

Taking a phased approach, i.e. gradually increasing the DMARC policy from ‘none’ to ‘quarantine’ and then to ‘reject’ as confidence in your email authentication improves, is the way to minimise potential disruptions to legitimate email flow while maximising protection against unauthorised use of your domain.

Future-Proofing Your Email Security Strategy 

Looking ahead, ways to future-proof your business email security strategy could include:

– Keeping up to date with emerging threats and trends in email security (continuous education).

– Implementing advanced security technologies, like AI-driven threat detection, which can offer proactive protection.

– Regularly reviewing and updating your email authentication protocols (SPF, DKIM, DMARC) to adapt to changes in your email infrastructure.

– Fostering a security-aware culture within your business, e.g. using training to help staff recognise phishing attempts and follow safe email practices.

– Engaging in industry forums and cybersecurity communities to help stay ahead of evolving email threats and to gain and share information about best practices.

What Does This Mean For Your Business? 

For UK businesses, implementing and optimising DMARC, as outlined in this final instalment, is a commitment to safeguarding email communications that benefits your business and your customers. Taking a step-by-step approach, as outlined above, from establishing SPF and DKIM records through to DMARC policy enforcement, is now crucial for building an effective defence against email spoofing and phishing (these are now major threats). Taking the phased approach of regular monitoring and gradual policy adjustments ensures that businesses can not only react to current threats but also proactively adapt to emerging challenges. This strategic approach to email security is essential in maintaining the trust of your customers and partners, protecting your brand’s reputation, and complying with today’s data protection regulations. It’s also worth remembering that actively engaging in continuous education and leveraging advanced technologies are ways to stay ahead in the fast-evolving cybersecurity landscape.

Tech Insight : DMARC Diligence (Part 1) : The Basics of Email Authentication

In this, the first of a series of three articles explaining DMARC and email authentication, we look at why SPF, DKIM, and DMARC are the key pillars of email authentication.

The Issue 

Businesses face numerous cyber threats, with email being one of the most common attack vectors. Phishing, spoofing, and malware are prevalent issues, making email security a top priority.

Effective email authentication protocols like SPF, DKIM, and DMARC are, therefore, ways to improve email security and are crucial in mitigating these threats, ensuring only authenticated emails reach their destination.

What Is SPF? 

The SPF (Sender Policy Framework) email authentication protocol helps prevent email spoofing by allowing domain owners to specify which mail servers can send emails on their behalf, i.e. to verify the sender of an email message.

This is achieved by publishing SPF records in the domain’s DNS (Domain Name System). DNS is the internet’s system for translating domain names into IP addresses, enabling users to access websites by typing human-readable names instead of numerical codes.

When an email is sent, the recipient’s mail server checks this record to verify the email’s origin. If the server isn’t listed, the email could be rejected or marked as spam.
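The check a receiving server performs can be sketched in a few lines. The following is an added example, not code from this article: it evaluates an SPF record against a sending IP address, following `include:` to a third-party sender and enforcing the limit of 10 DNS-querying terms from RFC 7208. The in-memory `DNS_TXT` table stands in for real DNS and holds constructed records; only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; domains and ranges are
# documentation values.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/28 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:25::/48 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# Qualifier in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on terms that trigger DNS queries


def check_spf(domain, sender_ip, dns_txt, lookups=None):
    """Return the SPF result for sender_ip under domain's published record."""
    lookups = [0] if lookups is None else lookups  # shared across includes
    terms = dns_txt.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all for unlisted servers
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many lookups: record is unusable
            inner = check_spf(value, sender_ip, dns_txt, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only a pass inside counts as a match
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there is no "all" term


if __name__ == "__main__":
    for address in ("192.0.2.10", "198.51.100.25", "203.0.113.77"):
        print(address, check_spf("example.com", address, DNS_TXT))
    print("loop.example", check_spf("loop.example", "192.0.2.10", DNS_TXT))
```

The last case shows a common configuration fault: a record whose includes exceed the lookup limit returns an error for every sender, so even legitimate servers stop passing SPF.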

What Is DKIM?  

DKIM (DomainKeys Identified Mail) adds an additional security layer by attaching a digital signature to outgoing emails. This signature, verified against a public key in the sender’s DNS, ensures the email’s content hasn’t been altered in transit. DKIM’s role in email authentication, therefore, strengthens the integrity and trustworthiness of email communication.

What Is DMARC? 

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC is essentially an email authentication protocol designed to give email domain owners the ability to protect their domain from unauthorised use, such as email spoofing. It does this by allowing them to specify and enforce policies on how their email should be handled if it fails SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) checks, and it provides a way for receiving email servers to report back to the sender about emails that pass or fail these authentication methods. Essentially, DMARC is a set of rules and reporting protocols added to a domain’s DNS records to improve and monitor the security of the email ecosystem associated with that domain.

DMARC, therefore, offers a way to unify SPF and DKIM’s capabilities, allowing domain owners to define how unauthenticated emails should be handled, and it provides detailed feedback on all emails sent from the domain, aiding in the detection and prevention of unauthorised use and email spoofing.

The Evolving Email Security Landscape – Recent Changes By Email Providers 

In response to a surge in email fraud and to comply with global data protection regulations like the GDPR, major email platforms are tightening their email authentication policies. For example, Google and Yahoo recently (February) expanded their guidelines for high-volume emailers. Yahoo said: “Sending properly authenticated messages helps us to better identify and block billions of malicious messages and declutter our users’ inboxes.”   

As an indication of how serious the problem is, it’s estimated that half of the 300 billion emails sent per day are spam … to reiterate, that’s 150 billion spam emails sent each day! Google, for example, says it blocks a staggering 15 billion unwanted emails every day (spam, phishing, and malware).

The regulatory landscape, demanding higher standards of data privacy and security, plus the sheer volume of spam/phishing/spoofing/malware emails have now catalysed action in the form of platforms trying to enforce stricter measures.

For UK businesses, therefore, adapting to these enhanced authentication standards is crucial to ensure emails reach their intended recipients and to maintain compliance with data protection laws, preventing emails from being lost to spam folders or blocked.

The Necessity for DMARC, SPF, and DKIM 

For the reasons just outlined, implementing DMARC, alongside SPF and DKIM, has now transitioned from a best practice to a necessity, hence a sudden push by many platforms to verify domains. These protocols are fundamental in validating email sources, ultimately enhancing deliverability, and protecting against cyber threats. Although it can feel like an extra hoop for businesses to jump through, their adoption ensures that businesses maintain their credibility and that their communications are effectively received.

What Does This Mean For Your Business?

For UK businesses, the implications of not implementing these email authentication protocols can be significant. Without proper setup, domains are at risk of being used for email spoofing, leading to potential data breaches and loss of customer trust. Additionally, non-compliance with the updated policies of email providers can result in emails being undelivered, affecting operations and communications.

To navigate this landscape therefore, businesses must adopt a proactive approach, regularly reviewing and updating their SPF, DKIM, and DMARC configurations to combat evolving threats. This involves not only technical adjustments but also staying informed about the latest in email security practices and threats.

It’s important to remember that adhering to these email authentication standards is not merely about compliance, it’s about securing your digital communication channels. By implementing SPF, DKIM, and DMARC, businesses can significantly reduce the risk of cyber-attacks initiated via email, safeguard their digital assets, and ensure the integrity of their email communications.

Next Time …. 

In this first of three in the series, we’ve looked at understanding the basics of email authentication and its significance in the digital age, i.e. looking at SPF, DKIM, and DMARC and their importance as business cybersecurity tools.

In next week’s (second) article in the three-part DMARC Diligence Tech Insight series, we’ll be taking a look at the critical but often neglected issue of securing multiple domains, including those not actively used for sending emails. It will emphasise the importance of applying DMARC policies to these “forgotten” domains to prevent them from being exploited in cyber-attacks, offering guidance on implementing comprehensive email authentication strategies across all owned domains.

Tech Insight : No Email Backup For Microsoft 365?

In this insight, we look at what many users think to be a surprising fact in that Microsoft 365 doesn’t provide a traditional email backup solution, and we look at what businesses can do about this.

Did You Know?…. 

Contrary to popular belief, Microsoft 365 (previously known as Office 365) is not designed as a traditional “backup” solution in the way many businesses might think of backups. Most importantly, email isn’t properly “backed-up” by Microsoft. Instead, the onus is on the business-owner to find their own email backup solution. In fact, Microsoft 365’s backup and recovery default settings only really protect your data for 30-90 days on average.

So, How Does It Handle Email and Other Data? 

Although Microsoft 365 doesn’t automatically provide a traditional email backup, it does provide some email and data handling protections that can include aspects of email. For example:

– Microsoft has multiple copies of your data as part of its ‘data resilience.’  For example, if there’s an issue with one data centre or a disk fails, they can recover data from their copies. Although this can help, it’s not the same as a backup that can be used to recover from accidental deletions, malicious activity, etc.

– Microsoft 365 provides retention policies that allow you to specify how long data (like emails) are kept in user mailboxes. Even if a user deletes an email, it can, therefore, be retained in a hidden part of their mailbox for a period you specify.

– For legal purposes, it is possible to put an entire mailbox (or just specific emails) on “Litigation Hold”, which basically ensures that the emails can’t be deleted or modified. Also, eDiscovery tools / document review software can be used by legal professionals for searching across the environment for specific data, e.g. to find emails, documents, CAD/CAM files, databases, image files, and more.

– Microsoft’s archiving, i.e. where older emails can be automatically moved to an archive mailbox, can be one way to help businesses ensure that critical data is retained without cluttering the primary mailbox.

– When users delete emails, they go to the ‘Deleted Items’ folder. If emails are deleted from there, they go to the ‘Recoverable Items’ folder, where they remain for another 14 days (by default, but this can be extended) and can, therefore, be recovered.

Limitations 

Although these features help with retaining some important business data and emails, they’re not a substitute for a dedicated and complete email backup solution, and they have their limitations, which are:

– They may not protect against all types of data loss, especially if data gets deleted before a retention policy is set or if the retention period expires. For example, with email archiving, when an item reaches the end of its aging period, it is automatically deleted from Microsoft 365.

– They may not facilitate easy recovery if a user accidentally (or maliciously) deletes a vast amount of critical data.

– They don’t offer a separate, offsite backup in case of catastrophic issues or targeted attacks.

Third-Party Backup Solutions

Given these limitations and given that most businesses would feel more secure knowing that they have a proper email backup solution in place (such as for the sake of business continuity and disaster recovery following a cyber-attack or other serious incident), many businesses opt for third-party backup solutions specifically designed for Microsoft 365 to provide another layer of protection.

These solutions can offer more traditional backup and valued recovery capabilities, such as ‘point-in-time restoration’.

Backup Solutions

There are many examples of third-party Office 365 and email backup solutions and for most businesses, their managed support provider is able to provide an email backup solution that meets their specific needs.

Does Google Backup Your Gmail Emails? 

As with Microsoft 365, Google provides a range of data retention and resilience features for Gmail (especially for its business-oriented services like Google Workspace) but these aren’t traditional backup solutions. The retention and resilience features Google’s Gmail does provide include:

– For data resilience, Google has multiple data copies. If one fails, another ensures data availability.

– Deleted Gmail emails stay in ‘Trash’ for 30 days, allowing user recovery.

– The ‘Google Vault’ for Google Workspace sets email retention rules, which can be used to preserve emails even if deleted in Gmail.

– “Google Takeout” (data export) is probably the closest thing to backup that Gmail offers its users. Takeout lets users export/download their Gmail data for offline storage. Also, the exported MBOX file can be imported into various email clients or platforms. However, this isn’t necessarily the automatic, ongoing backup solution that many businesses feel they need.

Like 365, Google Workspace offers archiving to retain critical emails beyond Gmail’s regular duration.

Limitations

As with Microsoft 365’s data retaining features, these also have their limitations, such as:

– They might not protect against all types of data loss, especially if emails are deleted before retention policies are set or if the retention period expires.

– They might not offer an easy recovery process for large-scale data losses.

– They don’t provide a separate, offsite backup.

What Can Gmail Users Do To Back Up Their Email?

In addition to simply using Google Takeout for backups, other options that Gmail users could consider for email backup include:

– Third-party backup tools, such as UpSafe and Spinbackup and others.

– Using an email client, e.g. Microsoft Outlook. For example, once set up, the client will download and store a local copy of the emails, and regularly backing up the local machine or the email client’s data will include these emails.

– Setting up email forwarding to another account, although this may be a bit rudimentary for many businesses, and it won’t back up existing emails.

– While a bit tedious, businesses could choose to manually forward important emails to another email address or save emails as PDFs.

– Google Workspace Vault can technically enable Workspace admins to set retention rules, ensuring certain emails are kept even if they’re deleted in the main Gmail interface.

What Does This Mean For Your Business? 

You may (perhaps rightly) be surprised that Microsoft 365 and Google’s Gmail don’t specifically provide email backup as a matter of course.

Considering we operate in a business environment where data is now a critical asset of businesses and organisations, email is still a core business communications tool, and cybercrime such as phishing attacks and malware (ransomware) are common threats, having an effective, regular, and automatic business backup solution in place is now essential, at least for business continuity and disaster recovery. Although Microsoft and Google offer a variety of data retention features, these have clear limitations and are not really a substitute for the peace of mind and confidence of knowing that the emails that are the lifeblood of the business (and contain sensitive and important data) are being backed up regularly, securely, and reliably.

For many businesses and organisations, therefore, their IT support company (or MSP – ‘managed service provider’) is the obvious and sensible first stop for getting a reliable backup solution for their Microsoft 365 emails.

This is because their IT Support company is likely to already have a suitable solution that they know well, and have an in-depth understanding of the business’s infrastructure, requirements, and unique challenges. This means that they can tailor their backup solution to fit specific client needs, ensuring seamless integration with existing systems. Also, their first-hand knowledge of a business’s operations positions them better for rapid response and effective resolution in case of data restoration requirements or backup issues. For businesses, lowering risk by entrusting email backup to a known entity can also streamline communication and support processes, making the overall backup and recovery experience more efficient and reliable for the business.

Tech News : Firefox Helps You Hide (Your Emails)

Following several months of testing, Firefox users can now take advantage of the Firefox Relay email masking tool from within the browser to help preserve their online anonymity and boost security.

What Is Firefox Relay? 

Firefox Relay from Mozilla is a Firefox browser extension that lets users keep their email address private when filling out online forms. It does this by creating an email mask (a forwarding email address that’s different to their real email address) and forwards messages to the user’s real email address to keep it hidden. Users can disable or delete the mask when it’s no longer needed.

Why Mask Your Email? 

There are a number of good reasons why users may want to mask (hide) their real email address, including:

– Feeling safer when dealing with companies they don’t trust.

– Preventing spam.

– Protecting your real email address from data breaches.

– Protecting your real email address from being sold or shared.

– Email masks can be easily deactivated with no consequences (unlike a user’s real email account).

How Does Firefox Relay Work?

Users just need a Firefox Account and the (free) Firefox Relay browser extension. To activate it, it’s a case of clicking on the Firefox Relay icon in the toolbar, following the prompts to sign in/up to Firefox Accounts, and registering the email address to forward emails to.

To enable/disable Relay, users need to click on the icon in the toolbar, go to Settings, and set the toggle button for “Show Relay icon on email fields on websites” to on or off (green means it’s on).

Once switched to on, when users visit an online form, the Firefox Relay icon appears in the email field, and it’s just a case of clicking it to generate an email mask using a name of the user’s choosing or to see a list of recently used masks.

Challenge 

One challenge for Firefox Relay is that some services don’t allow users to sign up using email masks. Last year, for example, popular cloud-based development platform GitHub blacklisted Firefox Relay domains.

Other Privacy Tools Available 

Firefox, however, is in low fourth place within the browser market with less than 3 per cent market share (Chrome has over 60 per cent, Safari 24, and Edge 5) so its reach as a privacy tool is slim. Also, Relay has plenty of competition when it comes to the wider market of privacy tools, e.g. VPNs and (other) secure browsers like Brave, DuckDuckGo, Tor, and even Chrome. Furthermore, Relay has competitors in the shape of temporary/disposable email platforms like Tempmail, EmailOnDeck, DisposableMail (and more), as well as having more direct email masking competitors such as FastMail and its email-masking browser extension IronVest.

What Does This Mean For Your Business? 

With email still such a vital business tool and with the huge increases in phishing attacks and news of more major data breaches in recent times, plus with tighter data protection regulations to comply with, it’s no wonder email masking may be appealing to many users.

As Mozilla points out, email masking can also be a way of cutting down on the amount of spam that blocks business email accounts, causing frustration, wasting valuable business time, and obscuring opportunities. Email masking, such as that provided by Relay, may also make users feel safer and more in control, and help increase their general security and reduce risk, e.g. when contacting companies they may not fully trust.

Firefox now has a relatively low browser market share and the advantages of giving users a fast, convenient, and easy way to generate and switch off masking email addresses straight from a trusted browser (with an extension rather than downloading yet another unknown app) may be a way to tempt new and returning users to Firefox to give it a try, thereby increasing Firefox’s competitiveness and share.

Tech Insight : Email : Terminating Trackers

In this insight, we look at what email trackers are, how they work, what the main concerns about them are, plus how you can protect yourself from email trackers.

What Is An Email Tracker? 

An email tracker is a tool or technology used to monitor and track the activities associated with emails. It provides information about when an email was opened, how many times it was opened, the location of the recipient, and whether any links within the email were clicked. Email tracking is commonly used in marketing and sales to measure the effectiveness of email campaigns, gauge customer engagement, and obtain insights into recipient behaviour.

Not all email services use email trackers and their usage depends on the specific email service provider or client and the settings chosen by the user. Some email services, especially those focused on privacy and security, may automatically block external images, or disable tracking by default to protect user privacy.

How Do Email Trackers Work? 

Email tracking typically works by embedding a small, invisible image or pixel within the email content. When the recipient opens the email and enables the images to display, the image is loaded from the sender’s server. This loading process notifies the sender that the email has been opened. Additionally, the image can include unique identifiers that help identify the recipient and track their interactions with the email, such as link clicks.
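The pattern described above can be detected before a message is displayed. The following is an added example, not code from this article or from any of the tools it names: it scans an HTML email body for remote images that are 1x1, hidden by CSS, or carry a long token in the URL. The sample message, host names and the token pattern are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message body; every host name is a documentation value.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Spring offers are here.</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200" alt="Sale">
<img src="https://track.mailer.example/o.gif?uid=7f3c9a1e5b2d4c68a0e1" width="1" height="1" alt="">
<img src="https://track.mailer.example/p.png?r=ab12" style="display:none">
<img src="cid:logo123" width="1" height="1">
</body></html>
"""

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")  # assumed shape of a per-recipient ID


def pixels(value):
    """Return the leading integer of a width/height attribute, or None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


class TrackerFinder(HTMLParser):
    """Collects <img> tags that look like open-tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: value or "" for name, value in attrs}
        url = urlsplit(attr.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images travel inside the message, nothing is fetched
        reasons = []
        width, height = pixels(attr.get("width")), pixels(attr.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 size")
        if HIDDEN_CSS.search(attr.get("style", "")):
            reasons.append("hidden by CSS")
        if any(TOKEN.fullmatch(value) for _, value in parse_qsl(url.query)):
            reasons.append("unique identifier in URL")
        if reasons:
            self.findings.append(
                {"host": url.hostname, "src": attr["src"], "reasons": reasons})


def find_trackers(html):
    """Return one finding per remote image that shows a tracking trait."""
    finder = TrackerFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for finding in find_trackers(SAMPLE_EMAIL_HTML):
        print(finding["host"], "-", ", ".join(finding["reasons"]))
```

The visible banner is not flagged by these rules, but it is still fetched from the sender's side when images load, which is why blocking remote images by default is the stronger control.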

What Are The Main Concerns About Email Trackers?

There are several main concerns associated with email trackers, including:

– Privacy. Email trackers can infringe on the privacy of email recipients. Tracking pixels and unique identifiers embedded in emails allow senders to collect information about when and where the email was opened, as well as other user actions. This tracking can be done without the explicit consent or knowledge of the recipient.

– Informed Consent. Many recipients are unaware that their actions are being monitored when they open an email. Transparency and informed consent are important ethical considerations, and the use of email trackers can raise concerns about the lack of explicit consent from recipients.

– User Awareness. In some cases, email clients may not provide clear notifications or warnings about the presence of tracking pixels or the potential tracking of user behaviour. This lack of awareness can lead to a lack of control over personal data and a diminished sense of privacy.

– Legal Considerations. Laws and regulations regarding email tracking vary by country. Organisations must comply with applicable regulations, such as GDPR (and UK GDPR), which requires obtaining explicit consent and providing clear information about data collection practices.

– Trust and Perception. The use of email trackers, particularly in marketing and sales contexts, can erode trust between senders and recipients. When recipients become aware of being tracked, it may negatively impact their perception of the sender and the organisation they represent.

– Counterproductive Effects. Some recipients may feel uncomfortable or invaded by the tracking of their actions. This discomfort can lead to negative reactions, such as marking emails as spam, unsubscribing from mailing lists, or developing a negative impression of the sender’s brand or organisation.

How Can You Avoid Email Trackers? 

To reduce the likelihood of your emails being tracked and prevent senders from knowing when you’ve opened an email, there are several steps you can take. For example:

– Disable image loading. Most email trackers work by embedding a hidden tracking pixel, which is typically an image, within the email. By disabling the automatic loading of external images in your email client or webmail service, you can prevent the tracking pixel from loading and notifying the sender. Check your email client settings for an option to disable image loading.

– Use a privacy-focused email service. Consider using an email service provider that prioritises privacy and security. Some services, such as ProtonMail and Tutanota, have built-in privacy features that can block tracking and enhance your email privacy. Also, DuckDuckGo email protection is a privacy-focused email forwarding service.

– Use a browser extension. There are browser extensions available, such as Ugly Email (an open-source Gmail extension), PixelBlock, Privacy Badger, Ghostery, and uBlock Origin that can help detect and block email trackers. These types of browser extensions work by identifying and blocking tracking pixels within emails.

– Avoid clicking on unknown or suspicious links. Some email trackers operate by tracking link clicks. Be cautious when clicking on links within emails, especially if you’re unsure of the sender’s intentions or the authenticity of the email. Hover over links to see the URL before clicking on them.

– Disable read receipts. Some email clients or services offer read receipt functionality that notifies the sender when you open their email. Ensure this feature is disabled in your email settings to prevent tracking of your email activity.

– Use a VPN. A Virtual Private Network (VPN) encrypts your internet connection and can help maintain your online privacy by masking your IP address and location. By using a VPN, you can make it more difficult for senders to track your activities.

While these steps can help reduce email tracking, they may not completely eliminate all tracking methods. Also, taking these precautions may affect your overall email experience or limit certain legitimate functionalities, such as displaying images from trusted senders.

What Does This Mean For Your Business? 

Email tracking has become a widespread practice in the business world, providing valuable insights into email campaign performance and recipient behaviour. However, with growing privacy concerns, many people prefer to be proactive in protecting themselves from having their personal or business emails tracked.

For those looking to safeguard their business from email tracking, there are several measures that can be taken. For example, using an encrypted email service that prioritises security and privacy, e.g. ProtonMail or Tutanota, offers end-to-end encryption, making it harder for unauthorised parties to intercept or track your email communications. Other measures businesses can take include:

– Reviewing and updating email infrastructure and implementing technologies like Transport Layer Security (TLS) and Sender Policy Framework (SPF) to secure email transmissions and prevent email spoofing and unauthorised senders.

– Training and educating employees about the risks associated with email tracking and teaching them to identify suspicious emails, avoid clicking on unknown links, and promptly report any potential security breaches.

– Disabling image loading in email clients or webmail services.

– Using browser extensions that specialise in privacy protection, e.g. PixelBlock, Privacy Badger, or uBlock Origin to help detect and block email trackers and provide an extra layer of protection for the business.

While implementing these protective measures is essential, it’s important to recognise the impact on companies that rely heavily on email tracking for marketing purposes. Blocking email trackers can result in the loss of detailed metrics such as open rates, click-through rates, and conversion rates, which are valuable for measuring campaign effectiveness. However, businesses can adapt by exploring alternative strategies to gather insights without relying solely on email tracking. Direct feedback mechanisms like surveys, preference centres, or explicit opt-ins can provide valuable information about recipient preferences and interests. Emphasising quality content and engagement strategies can also help drive customer interactions and by delivering personalised and relevant emails, businesses can encourage recipients to actively engage with the content, reducing the reliance on tracking data.

It could be said, therefore, that in the business world there is a balance between privacy protection and gathering valuable insights that is currently needed to help senders create successful email campaigns while helping recipients protect their privacy.