Report’s author says few campaigns are using email authentication software to prevent spoofing.
During the test period, the most emails were sent on Day 2 of the CNN Democratic candidate debate in July.
For presidential candidates trying to break through the noise in an unprecedentedly large field to reach voters’ inboxes, there might be some bad news: About 21 percent of their emails are landing in the spam folders of Gmail users, according to a new report from Twilio. And fewer than 50 percent of presidential campaigns employed or passed email authentication checks, putting recipients at higher risk of being spoofed and accidentally sharing their personal information with bad actors.
The report released Tuesday, “How Political Campaigns Can Ensure Their Email Messages Hit Home,” was based on a 30-day test in which Twilio, a San Francisco-based cloud communications company, logged which tabs campaign emails from a number of sources — including the then-26 Democratic candidates, President Donald Trump and former Massachusetts Gov. William F. Weld — landed in, using a Gmail account created for the experiment, between July 10 and Aug. 9.
The vast majority (74.8 percent) of the emails tracked in Twilio’s report arrived in the promotions folder, which captures commercial and promotional content, while just 3.8 percent landed in the primary tab, or the default view for Gmail users.
And 21.3 percent of campaign emails wound up in spam, which poses a problem for presidential candidates looking to engage with potential voters and donors. By comparison, Len Shneyder, Twilio’s vice president of industry relations and author of the report, said in an interview that 16 percent and 18 percent of all emails from private companies don’t reach consumers’ inboxes — either they go to spam or are bounced back to the sender. Twilio’s study of campaign emails was only able to measure those that landed in the spam folder.
Shneyder said the campaign emails could be landing in Gmail’s spam folder for a variety of reasons, including suspicious text in the body of the email or having email lists that include suspicious recipient addresses.
“Now, the caveat to that is if you interact a lot with a brand” or are “constantly opening” and “clicking the links” in an email, he said, then Google views it as “highly relevant to you” and could start sending it to your primary tab.
During the observation period, Twilio’s Gmail account received a total of 811 emails from the campaigns, with each sending an average of 1.5 emails per day. Half sent an email on a daily basis, the study shows.
And, as is common practice, the campaigns tended to tie their emails to the news cycle: On July 31, the second day of CNN’s Democratic debate, Twilio’s test account received its largest set of messages, 60 in total, averaging about three per campaign that day, urging people to donate and watch the debates.
Shneyder said one of the largest issues is campaigns’ lack of email authentication, technology that helps prove that the email landing in an inbox is actually coming from the person it says it’s coming from and determines where to deliver the message — the inbox, spam folder, or not at all.
However, not all messages that lack authentication or fail authentication checks are returned, Shneyder said, and that poses a risk to the email user. When campaigns fail to use email authentication, it’s easier for bad actors to pretend to be the campaign and trick donors into giving their financial information away.
Shneyder said that while presidential campaigns have adopted such technology at a slightly higher rate than the private sector, it’s still “troubling.”
“What if you got a phish who said ‘Hey, can you spare $2?,’ and instead of that information going into a legitimate credit card system and being stored properly, it goes into the vaults of somebody in Eastern Europe?” he said.
And Shneyder said that while he expects the tactics used by campaigns to improve as they learn more about what works and what doesn’t with their supporters, the best things campaigns can do moving forward are: practice good email list hygiene techniques to suss out any potential spam accounts; use email authentication tools; and normalize email sender names, rather than switching them out for various celebrity and campaign staffer names that could confuse supporters.
Some of the tactics described in the report, Shneyder said, result from an “overwrought sense of urgency” in campaign emails. “The urgency of the campaign, the uncertainty, the need to raise funds — that dictates a different set of actions that probably should be tempered with an understanding that there are better ways to do these things.”