> On Apr 14, 2016, at 9:56 AM, Henry Yen <he...@aegis00.com> wrote:
>
> On Thu, Apr 14, 2016 at 08:33:16AM -0700, Steve Atkins wrote:
>> Best practices for that email would be:
>> 2. Not including a direct link to the portal, rely on the customers having
>> bookmarked it or being able to find it easily from your main site
>> 3. Sending the mail From: your main corporate domain, or *maybe* a
>> subdomain thereof. Definitely not a third-party domain or a "lookalike"
>> domain.
>> 6. If the information is of particularly high value, look at what the more
>> competent end of banks and other financial institutions do to add trust
>
> Both Chase bank (jpmchase) and Barclays bank send me emails with direct links
> in them, from a bigfootinteractive mailserver. Does that violate these
> three suggestions?
It might violate number 2, depending on what they're links *to*. Are they to somewhere that requires you to provide account credentials? If so, it trains customers of those institutions to click on links in email and enter credentials without being wary, which makes them (as a population) more vulnerable to phishing.

Number 3 is about what domain is in the From: field and is used for DKIM authentication (and, if you want to dig deeper, is in the return path and is used for SPF authentication), rather than the IP address the mail is being sent from.

They're best practices for the situation I was writing about, but I can't tell from what you say whether they're applicable to the mail you're getting from banks.

Cheers,
  Steve

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
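Steve's point 3 is about three header domains, not the sending IP: the From: domain (what DKIM should sign for), the DKIM d= tag, and the Return-Path domain (what SPF is evaluated against). The script below, an added example rather than anything from the thread, pulls those domains out of a message and reports which of them belong to the brand's own domain and which belong to a third party. The corporate domain `example-bank.com`, the ESP domain `example-esp.net` and the sample message are constructed for the example.

```python
"""Added example (not from the mailop thread): extract the domains that
point 3 refers to and compare each to the brand's corporate domain.
The corporate domain and the message below are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the thread: the brand is example-bank.com,
# but the mail is signed and bounced by a third-party sender's domain.
SAMPLE_MAIL = """\
Return-Path: <bounce-123@mail.example-esp.net>
DKIM-Signature: v=1; a=rsa-sha256; d=example-esp.net; s=sel1;
 h=from:to:subject; bh=abc=; b=def=
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your statement is ready

Your statement is ready at our portal.
"""

def organizational_domain(domain):
    """Collapse a host to its last two labels (fine for .com/.net samples;
    production code should consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def header_domains(raw):
    """Return the From: domain, the DKIM d= domain and the Return-Path
    domain of a raw RFC 5322 message (empty string where absent)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1) if m else ""
    return {"from": from_dom, "dkim": dkim_dom, "return_path": rp_dom}

def alignment_report(raw, corporate_domain):
    """True where a header domain is the corporate domain or a subdomain of
    it (DMARC's relaxed alignment), False where it is a third party."""
    org = organizational_domain(corporate_domain)
    return {name: bool(dom) and organizational_domain(dom) == org
            for name, dom in header_domains(raw).items()}

if __name__ == "__main__":
    for name, ok in alignment_report(SAMPLE_MAIL, "example-bank.com").items():
        print(f"{name:12s} {'corporate domain' if ok else 'THIRD PARTY'}")
```

On the constructed message only the visible From: address aligns; both the DKIM signature and the return path point at the third-party sender, which is exactly the situation point 3 warns against.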