“Although email unsubscribe and security practices may not win any retail customers, it can certainly lose them, and retailers appear to be paying attention,” said the Technical Director of the Internet Society’s Online Trust Alliance, Jeff Wilbur. “Our research shows that retailers are working hard to eliminate email compromise and impersonation, while generally making it easier than ever for consumers to unsubscribe from marketing emails. We’ve noted there’s still plenty of room for improvement and one or two worrying trends, but overall this shows a serious commitment to improving the online shopping experience.”

Seventy-four percent of the retailers received a “Best of Class” designation, meaning they scored 80 percent or higher in OTA’s analysis of their marketing email trustworthiness. Ten of those sites had perfect scores, which means they adopted all twelve of OTA’s email best practices, did not send an unsubscribe confirmation email, and did not violate CAN-SPAM and Canada’s Anti-Spam Law (CASL). Those retailers are Dick’s Sporting Goods, Home Depot, Lands’ End, Musician’s Friend, Office Depot, OpticsPlanet, Sierra Trading Post, Staples, Talbots and Walgreens. Last year, 67 percent were Best in Class, and nine retailers received perfect scores.

Eighty-nine percent of the audited retailers stopped sending marketing emails to consumers immediately after they placed an unsubscribe request, up from 88 percent in 2017. Conversely, companies not honoring unsubscribe requests by consumers dropped from six percent last year to two percent this year. OTA’s research showed three percent of the retailers were in violation of U.S. and Canadian anti-spam laws either by not listing their physical address in an email or failing to honor unsubscribe requests.

OTA also found retailers are doing a better job than ever of making unsubscribe easily discoverable, with best practice compliance increasing from 76 percent in 2017 to 84 percent in 2018. Discoverability deductions are due to a combination of factors, but primarily include placement (footer vs. sentence vs. paragraph), contrast of the unsubscribe link itself as well as with surrounding text (e.g., grey text on a light grey background), text size and alternate wording (i.e., not using “unsubscribe”).

The ease of opting out of marketing emails declined because pre-populating the unsubscribe page with the recipient’s email address dropped from 95 percent in 2017 to 90 percent this year. It is inconvenient and error-prone for consumers to manually enter an email address, especially if they own multiple email addresses.

The top retailers showed an improvement in every type of email and unsubscribe security factor measured by OTA, doing an outstanding job of preventing their emails and unsubscribe web pages from being successfully spoofed, impersonated or intercepted. When retailer email is fully authenticated, Internet Service Providers and receiving business networks can make better decisions about the validity of incoming messages and consumers can better trust retailer messages in their inbox. Specifically, OTA found:

• Email Authentication: One-hundred percent used Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), up from 95 percent and 99 percent respectively in 2017. SPF and DKIM allow a receiver to verify that a message was sent by the purported sender.
• Impersonation: Adoption of DMARC, which allows senders to tell receivers how to handle messages that fail authentication, jumped substantially from 60 percent in 2017 to 71 percent in 2018. Yet those that are using DMARC to enforce policy with reject or quarantine designations grew much more slowly, from 33 percent in 2017 to 35 percent in 2018.
• Encryption: Once again the use of Transport Layer Security (TLS) saw a positive increase, jumping from 90 percent in 2017 to 96 percent in 2018. TLS for email adds message level encryption and helps maintain the privacy of emails in transit between mail servers.
• Use of HTTPs: OTA found that 69 percent of unsubscribe web pages were encrypted using HTTPs rising dramatically from 52 percent. If these pages are not encrypted, consumers’ email addresses and other sensitive information can be passed in the clear, risking exposure.