By: Kiersti Esparza
Email marketers are reporting an increase in click volumes. Is this because marketers are just that good now? Unfortunately, not so much. The most common were instances of user behavior where all the links within an email have been clicked. Often, these were narrowed down to specific business targets at the same corporate domain within a customer’s database. But, clicking every single link in an email doesn’t sound like the typical customer or prospect behavior, does it? This method of link inspection is visible because it is so different from expected human behavior. It’s easy to identify and ignore this kind of activity, but the methods for this kind of anti-malware detection vary. Additionally, not all ways are as easy to identify and exclude from reporting.
The underlying issue is email filters inspecting links to prevent their end users from downloading malware. This makes it look like every link has been clicked by a recipient, when in reality, they were inspected by an email filter. For several years, marketing technology companies have been aware of this filter behavior. This anti-malware methodology is increasing in the marketplace and is causing concern.
In this blog, I’ll explain how link inspection works and what you can do to improve your deliverability.
Anti-Malware Filters in Email
For the anti-malware filter or security provider, it is an arms race against bad actors attempting to deliver malware to end users. Barracuda Email Security Service was the first email security vendor to develop link inspection as anti-malware methodology, but other providers have begun leveraging link inspection to protect their users.
Link inspection methods may include but are not limited to:
Clicking one, multiple, or all links within an email
Links may be clicked at the time of delivery and/or at a later time
Clicks may occur before the receiving mail server returns a confirmed delivery response
Clicks may or may not result in a website visit
Some providers rewrite links within an email to inspect the link every time it is clicked
Some providers inspect all redirected links; targeting link tracking utilized by all email
Service providers and marketing automation companies
Filter click traffic can come from the same IP addresses as legitimate click traffic making it impossible to filter out of activity reporting
Some filters inspect links from residential IPs spaces instead of their business or corporate IP space to obfuscate the identity behind the link inspection
The filter is looking to hide the link inspection activity, so it will try to look as human as possible. This is to prevent the bad actor from changing the link’s potential payload after inspection but before a link click from the intended recipient. This behavior is what makes it difficult for marketing automation and email service providers to exclude the activity of the link inspection from reporting.
What You Can Do to Improve Your Deliverability
For some providers, link inspection happens as an enhanced or escalated filtering method applied to a message that has been determined to be suspicious by other stages in a multilevel filtering process. For Barracuda there are thirteen different layers of inbound email filtering. Link inspection is part of a higher level of filtering. This filter is activated if other aspects of the message or sender appear suspicious.
Here are some things to check within your engagement platform to ensure your deliverability is maximized:
Make sure your customer’s email authentication mechanisms, like SPF and DKIM, are in place and valid
Review reputation drivers like acquisition and database management practices that may drive a poor sending reputation
Understand the segment size within individual companies our customer may be targeting because sending to a large number of recipients within the same company can cause link inspection
Inspect the content for malformed HTML
Review specific addresses exhibiting anti-malware filter activity to develop a custom flow to ignore the activity in the customer’s reporting.
One of the risks of ignoring link activity from anti-malware link inspections is patterns are likely to change over time. Hardcoded rules for filtering activities may not be entirely effective. The fluidity and fast evolution of this filtering method can make it difficult to hard code solutions within your marketing automation platform. This issue isn’t fully addressed—more research is needed. Additionally, partnership opportunities with filter providers will help alleviate inaccurate reporting due to anti-malware link inspections.
Comments