The Mailjet Blog
Emailing for the banking industry: Data privacy and deliverability
Banks and governmental agencies are favorite targets of hackers. This guide explains how to guarantee the deliverability and security of their emails.
Emailing has proven very effective in virtually every industry right across the board. This is especially true in the financial and governmental sector, where banks, insurance companies, neobanks and fintech companies send millions of emails every day to communicate with current and future customers.
However, the growth of email in this sector means there are new challenges to face: making sure that emails reach the inbox while ensuring the highest standards of data security and privacy. In this article, we have set out the techniques for optimizing your deliverability and achieving a high level of data privacy and security within your organization.
Table of contents
What regulations must my company comply with?
Techniques for improving data security and privacy
Encryption
What is deliverability and why is it important?
Techniques for improving deliverability
The importance of emailing in the banking industry
The banking sector has seen a noticeable rise in the use of email. With the increase of social awareness around the use of paper, financial institutions have been going paperless and looking for other more sustainable ways of communicating with their customers, such as email and mobile apps.
There are several reasons for the popularity of email in the banking sector:
Everyone has an email address: Nowadays, having an email address has practically become essential, making it one of the most widely used means of communication, especially for important messages.
It's instant, but can be saved for later: Banks can message their customers instantly. Also, the messages remain in the inbox, which means recipients can go back and read them at a later stage.
Personalized emails can be sent at scale: A reliable email infrastructure lets you send large volumes of personalized email containing each customer's individual information, such as month-end transaction summaries or quarterly charge notifications.
It's affordable, easy to use and offers concrete metrics: The simplicity of email and the variety of information available to marketers make this method a perfect tool for sending marketing and transactional communications.
However, digital transformation also poses new challenges for the banking sector. Financial institutions must be sure that the critical messages they send by email are not compromised and that they reach the user's inbox.
How to ensure a high level of data security and privacy in email
According to a 2019 study by Capgemini and the EFMA, 76% of senior executives say that one of the biggest worries for the banking industry in the new digital age is the privacy and protection of their customers' data.
As part of a company that deals with money and people's personal data, you know that your organization should not take security lightly. It is essential to protect confidential information and avoid cyber attacks or data leaks.
That’s why email, as one of the most popular channels for direct and personalized communication with your customers, must be secure and guarantee that all data is safely stored and only available to those with access authorization. It's important to remember that inboxes have become places where those with harmful intentions seek out their victims and exploit their weaknesses.
What regulations must my company comply with?
Of all the regulations that you need to comply with when emailing, the most important is the EU General Data Protection Regulation (GDPR).
GDPR came into effect in May 2018 and regulates the processing of European citizens' data. It applies to all European and non-European companies whose customers live in the European Union.
If you are still unsure about the requirements of this regulation, we have prepared a kit with all you need to know about GDPR that will help you achieve compliance within your company.
However, it is not enough to ensure your own company's compliance; you must ensure that your service providers also comply strictly with the regulations, especially if they deal with data and confidential information.
Third-party providers are often the weakest link in a company’s ability to be GDPR-compliant. Email service providers pose an especially high risk as they regularly process and store a large scale of personal data (example: first name, email address, IP addresses) on behalf of enterprises. That is why compliance from the entire processing chain is so important today.
Darine Fayed, Head of Legal and Data Protection Officer at Mailjet
Techniques for improving data security and privacy
Data privacy and security are also a major concern for your customers. According to an IBM survey, 81% of consumers are concerned about how companies manage their data and 87% think that companies need to tighten their personal data management policies.
To help your organization to ensure optimal data security and privacy, we’ve listed the two main techniques required to achieve a firm foundation.
Server security and data storage
Firstly, we must make sure that the servers on which the data is stored are secure.
If it is your own company that is responsible for storing this data, it must be, at least, GDPR compliant. Provide continuous surveillance of the servers and limit the number of people with access to them. This is mandatory for your business, and it is key for the protection of your users' information and for their continued trust.
If the data is stored by a separate company, keep in mind that your chosen provider must offer all the necessary guarantees: redundancy, fire prevention, high security levels, energy self-sufficiency, etc. As you will not be the one directly managing the server, you must ensure that all preventive measures required to guarantee the maximum level of security are followed. If you have European customers, it might be a good idea to also have servers in Europe, as the strictest European laws will apply.
The choice between relying on your internal email infrastructure to manage your email requirements or outsourcing to a third-party service can be a difficult decision. To help you find the best solution for you, Mailjet has created this guide, which looks at everything you will need to consider and gives a detailed explanation of the three solutions available to you.
Encryption
Encryption is the most common method for protecting emails and the information that they contain.
Despite what most people think, the DKIM protocol does not provide message encryption, although it does add an authentication layer which helps to protect your messages. When you send an email signed with DKIM, the receiving servers will check it. They will fetch your public key from DNS and use it to verify the signature that was generated with your private key. If the signature is valid, it means that the domain name sending the email is legitimate, and the sender's identity is consequently validated. Otherwise, the email might be treated as a phishing attempt.
To protect your emails, Mailjet encrypts the channel by which your emails are sent from your sending server to the recipient's server. This is done with Transport Layer Security (TLS). However, not all receiving mail servers support TLS, which means that if you send a TLS-encrypted message to a server that does not support this protocol, this type of encryption will not be effective.
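As an added illustration (not code from the article or from Mailjet), the Python below shows the receiving server's first DKIM check: recomputing the body hash carried in the bh= tag and deriving the DNS name where the sender's public key is published. The message, the domain bank.example and the selector mail2024 are constructed; the b= signature check over the headers, which needs the public key from DNS and an RSA library, is not performed here.

```python
import base64
import email
import hashlib

# Constructed sample (not from the article): a statement notification from the
# placeholder domain bank.example, signed with the placeholder selector mail2024.
BODY = "Your statement for March is ready in online banking.\n\nExample Bank\n"

def canonicalize_body_simple(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, trailing
    empty lines removed, exactly one CRLF at the end (an empty body is CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(body: str) -> str:
    """Base64 SHA-256 over the canonicalized body; this is the bh= tag value."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_tags(header_value: str) -> dict:
    """Split a 'tag=value; tag=value' header into a dict, dropping the folding
    whitespace that mail servers may insert inside bh= and b=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def public_key_dns_name(tags: dict) -> str:
    """TXT record the receiving server queries for the sender's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_body_hash(raw_message: str) -> bool:
    """First verification step: recompute bh= from the received body and compare.
    Only then does a verifier check b= with the public key fetched from DNS."""
    msg = email.message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    return tags.get("bh") == body_hash(msg.get_payload())

# The sender fills bh= with the same function the verifier uses above.
SAMPLE_MESSAGE = (
    "From: statements@bank.example\r\n"
    "To: customer@mail.example\r\n"
    "Subject: Your monthly statement\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bank.example; "
    f"s=mail2024; h=from:to:subject; bh={body_hash(BODY)}; b=SIGNATURE_PLACEHOLDER\r\n"
    "\r\n" + BODY
)
```

Any change to the body in transit, even a single word, makes the recomputed hash differ from bh= and the signature fails before the public key is consulted.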
How to achieve world-class deliverability
If you are a financial sector organization, the security and the privacy of your data are not your only concern when it comes to emailing. Reaching your users' inboxes has become both a challenge and a priority.
If your organization uses email as one of its internal or external communications channels with current or future customers, you must ensure that they are receiving your emails in the right place (inbox) and at the right time.
What is deliverability and why is it important?
Deliverability refers to your ability to deliver an email to the recipient's inbox.
Did you know that statistics show that around 20% of emails sent do not reach the inbox?
Deliverability is undeniably a basic consideration for any company sending emails, and especially for those dealing with relevant financial and personal information, such as banking, insurance or fintech businesses. This information must be delivered on time and at the right moment. And, of course, the privacy and protection of your customers' data must be respected.
There are many practical examples in your sector where deliverability, security and privacy go hand in hand. These include purchase or bank transfer confirmations, transaction authentications, the sending of confidential documentation such as contracts, policies or summaries of a customer's position status, or welcoming new customers to your services. Take a look at this example from ClearScore:
Even something as simple as delivery confirmation of a package containing a new credit card, for example, needs to reach the inbox at the right time. A good example is this email from Barclays:
Finally, there are communications that should literally be instantaneous, especially transactional messages. Email will allow you to do this better than ever, if you have a good email service provider like Mailjet, of course. Although the best way to cover your back is to add transactional SMS to your triggered emails, as these have a 98% opening rate.
Techniques for improving deliverability
Improving your company's email deliverability is a task that requires dedication and consistency, so your team should work on it continuously and always observe best practices.
Here is a summary of some techniques that will help you to maintain deliverability at optimal levels.
Use a subscription form to create your lists
Good emailing practice starts with a good list of contacts who are active and interested in receiving emails from your company. Your organization will need to follow these two basic rules:
Never buy or borrow a contact list. This will have a negative effect on your current and future deliverability. These third-party lists are usually outdated and contain spam traps.
Use double opt-in. This way, anyone who subscribes to your emails will receive a confirmation email that they must validate in order to have emails sent to their inbox.
Regularly clean your contact lists
Contact lists change constantly. Some will subscribe to your emails and others will unsubscribe, change their addresses or lose interest in your company's content.
Instead of sending them emails which no longer appeal to them, we recommend that you periodically delete these inactive addresses, as well as the addresses that produced bounces, blocks, unsubscribes or spam complaints after each marketing campaign.
This way, you will keep only those contacts who are interested in your services and avoid sending emails to people who do not even open the messages or to addresses that no longer exist. As a result, your email statistics will improve, ISPs will receive very positive signals and your deliverability will improve overall.
We recommend carrying out a thorough cleaning of contacts and we have created this article to show you how it can be done.
Have a WHOIS public profile
A WHOIS record is basically your website's ID card. It lets everyone know who is behind the domain name: technical and administrative staff, location of its offices, etc.
Having a public WHOIS profile is a guarantee for any internet user, including the ISPs, that there are legitimate individuals behind the scenes. If the credentials check out, mailbox providers are more likely to allow emails to reach their appropriate inboxes.
Configure your SPF, DKIM, and DMARC
If this sounds like double Dutch to you, don't worry, but it is important to make sure that your technical team has configured these protocols, as they help the ISPs identify you as a legitimate sender. It's good practice and, in fact, it is mandatory to do so, as it will have a positive effect on your deliverability and ensure your deliveries.
To avoid going into too many technical details here, we have drawn up a step-by-step guide on how to do it that you can share with your technical team.
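To make these three records concrete, here is an added Python checker (not code from the article or from Mailjet) that audits constructed SPF, DMARC and DKIM TXT records for the placeholder domain bank.example and flags the weak settings receivers penalize: a soft-fail SPF, a monitoring-only DMARC policy and an empty or short DKIM key. A real deployment would fetch the records with a DNS resolver instead of the inline dictionaries.

```python
# Constructed DNS TXT records for the placeholder domain bank.example (not from
# the article): a weak configuration next to a hardened one.
WEAK = {
    "bank.example": "v=spf1 include:_spf.esp.example ~all",
    "_dmarc.bank.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "mail2024._domainkey.bank.example": "v=DKIM1; k=rsa; p=",
}
HARDENED = {
    "bank.example": "v=spf1 include:_spf.esp.example -all",
    "_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; adkim=s; aspf=s",
    # 'A' * 392 stands in for a real key: 392 base64 chars is a 2048-bit RSA public key
    "mail2024._domainkey.bank.example": "v=DKIM1; k=rsa; p=" + "A" * 392,
}

def tags(record: str) -> dict:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}

def spf_lookups(spf: str) -> int:
    """Count mechanisms that cost a DNS lookup; RFC 7208 permits at most 10."""
    names = (term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
             for term in spf.split()[1:])
    return sum(name in ("include", "a", "mx", "exists", "ptr", "redirect") for name in names)

def audit(records: dict, domain: str, selector: str) -> list:
    """Return findings for the domain's SPF, DMARC and DKIM records; [] means all sound."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record on the sending domain")
    else:
        if not spf.endswith("-all"):
            findings.append("SPF: record does not end in -all, so forged mail only soft-fails")
        if spf_lookups(spf) > 10:
            findings.append("SPF: more than 10 DNS-lookup mechanisms, receivers return permerror")
    dmarc = tags(records.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record at _dmarc." + domain)
    else:
        if dmarc.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={dmarc.get('p')} only monitors, forged mail is still delivered")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")
    key = tags(records.get(f"{selector}._domainkey.{domain}", "")).get("p", "")
    if not key:
        findings.append("DKIM: selector record missing or p= empty (an empty p= revokes the key)")
    elif len(key) < 392:
        findings.append("DKIM: public key shorter than 2048-bit RSA, rotate to a stronger key")
    return findings
```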
As you can see, deliverability is much more important than it seems. If you want more details, we recommend you download our ‘Landing in the Inbox: Deliverability Basics