The Email problem
Email has become the most common means for IT companies to communicate with their clients. Unfortunately, some companies do it better than others. The most basic mistake that most companies make in sending their emails is not making them verifiable. Email doesn't in itself provide any mechanism for ensuring the genuineness of its content. Various types of malicious code (e.g. spyware, viruses/worms, phishing scams) use this lack of inherent genuineness to trick users into behaviour that can harm them and their computers. In my role as a school IT manager, I have received many emails from suppliers that, aside from the words used and their frequency, are almost indistinguishable from phishing scams.
Most common mistakes
The most common mistakes that I've seen companies make are:
- No cryptographic signatures: There are two functional, reliable standards for email signing and encryption, OpenPGP and S/MIME. While neither of these is perfect, each is a massive improvement on unadorned email, and has a current IETF charter.[1] [2] It is a tragedy that no common email client (at least none that I have seen) provides a simple, integrated method for creating and using these certificates. (Microsoft could easily corner the market for certificate services if they simply integrated a certificate creation wizard into their setup wizards for Outlook, Outlook Express, and IIS.)
- Third-party email addresses and URLs: Many companies use a third-party marketing or survey firm to manage their client communications. While there is nothing inherently wrong with this, most companies are irresponsible in the way they use these services, allowing the marketer to insert its own email addresses and URLs directly into the emails. The safe way to do this is to create a subdomain of the company's official domain for email addresses which automatically forwards to the third party, and a subsection of the company's web site that redirects to the appropriate part of the marketer's web site.
- HTML-format emails: While HTML formatting makes email look nice, it is also far less safe for users who are not highly computer literate. That is why I recommend never viewing emails in HTML format. The safe alternative is to send a plain text email message with a URL pointing to an HTML version of the communication on-line. Vendors, do your customers a favour by encouraging them to use good email hygiene practices.
What I do about this
While I can't change companies' behaviour single-handedly, this is what I do when I see badly managed email communication:
- Show it to others as an example of what not to trust.
- Drop the responsible party an email to explain why their email behaviour is unsafe. I've included a sample template below.
- Sign all of my own emails with OpenPGP. The Free Software applications I use for this are Mozilla Thunderbird with GNU Privacy Guard and Enigmail, running on Debian GNU/Linux. If you email a lot of people who use Microsoft Outlook Express, you may find S/MIME a better choice, since Outlook Express has some pretty serious bugs displaying OpenPGP MIME format messages. (It has enough other bugs that I always recommend switching to Mozilla Thunderbird when people ask me, but that's another story.)
- Most importantly, I drop the email in my spam filter's learning folder so that future versions of the email will likely be caught by the filter. This is important because vendors (or their third-party marketers) keep statistics on responses to their communications, and are unlikely to change their behaviour unless they realise their money is being wasted on ineffective communication. The best way to make their communication ineffective is by not reading or responding to it.
Feedback
I'd love to hear from you if you've seen bad behaviour in email management from your suppliers (or colleagues!). Maybe we could make a "Hall of Shame" from the submissions! :-)
Email template
Here's a sample email that you could use to inform vendors about their poor email sending behaviour:

Dear supplier representative,

This is a courtesy email to inform you that your email has been received but NOT acted upon, because its contents were not verifiably sent by your organisation. Because email is not in itself a verifiable transport, and email-borne security attacks are common nowadays, we no longer accept surveys, marketing information, or the like via email unless you provide an independent mechanism for verifying the contents of the email. If you would like us to respond to your emails in future, please consider the following points:
- Your email should be cryptographically signed with a digital signature using a recognised open standard such as S/MIME or OpenPGP. Your digital certificate should be readily available on your public web site, or registered with one of the many public PGP key servers.
- Emails should be sent in plain text to encourage users to avoid poor email hygiene, which makes them more vulnerable to viruses, phishing attacks, and spam.
- From and Reply-To headers should contain *only* addresses within your organisation's publicly-recognised Internet domain. If you use a third-party supplier for email processing, you should instruct them to use email addresses within your organisation and use appropriate forwarding mechanisms on your own mail servers.
- HTTP links within your email should point *only* to your organisation's publicly-recognised web site. If you use a third-party supplier's web services, you should instruct them to use URIs within your organisation and redirect requests to them via your own web servers.

Failure to implement these measures will likely result in your future emails to our organisation being blocked by our junk email filter.
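The last two points of the template (and the "third-party email addresses and URLs" mistake above) can be checked mechanically on the receiving side. The following is an added example, not code from the original post: it parses a raw message, collects the From and Reply-To addresses and every HTTP link in the body, and reports any that fall outside the sender organisation's domain. The sample message and the domain names in it are constructed; the check also goes slightly beyond the text by rejecting lookalike hosts that merely end in the organisation's domain string without a dot boundary.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample: the Reply-To address and the survey link belong to a
# third-party mailing provider, exactly the pattern the template objects to.
SAMPLE_MESSAGE = """\
From: Vendor Sales <sales@example-vendor.com>
Reply-To: survey-bounce@mailer-provider.example
Subject: Customer satisfaction survey
Content-Type: text/plain

Please complete our survey: http://survey.mailer-provider.example/s/123
Product details: https://www.example-vendor.com/products
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def in_domain(host: str, org_domain: str) -> bool:
    """True if host is org_domain or a subdomain of it. The dot-boundary
    check means example-vendor.com.evil.test is NOT accepted."""
    host, org_domain = host.lower().rstrip("."), org_domain.lower()
    return host == org_domain or host.endswith("." + org_domain)

def text_parts(msg):
    """Yield the decoded text bodies of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")

def audit_message(raw: str, org_domain: str) -> dict:
    """Report sender addresses and link hosts that lie outside org_domain."""
    msg = message_from_string(raw)
    foreign_addresses = []
    for header in ("From", "Reply-To"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr and not in_domain(addr.rpartition("@")[2], org_domain):
                foreign_addresses.append(addr)
    foreign_links = [url for body in text_parts(msg) for url in URL_RE.findall(body)
                     if not in_domain(urlparse(url).hostname or "", org_domain)]
    return {"foreign_addresses": foreign_addresses,
            "foreign_links": foreign_links,
            "verifiable_origin": not foreign_addresses and not foreign_links}

if __name__ == "__main__":
    print(audit_message(SAMPLE_MESSAGE, "example-vendor.com"))
```

A message that passes this check has still not been authenticated; it only avoids the two most obvious signs of an outsourced mailout, and a cryptographic signature remains the real test.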

Press article
It's good to see a little press given to the problem of irresponsible business email practices. I think the article does not go far enough, particularly on the issue of outsourcing mailouts to third-party providers, but at least some discussion is being generated.