EP #48 Secure your email and protect your inbox

EP #48 Secure your email and protect your inbox

About this Podcast

In today’s episode of “For The Love Of Emails” podcast, we welcome Joshua Tannehill – Retired Louisiana Air Force National Guard cyber security leader, with host Matthew Vernhout – VP of Deliverability, Netcore Cloud. Joshua, a retired US Air Force veteran, works full-time as an Information Security (InfoSec) leader and holds 24 years of progressive experience in the field. He is the Communications Sector Chief for the Louisiana Chapter of InfraGard, and President of the Louisiana Chapter, Cloud Security Alliance (CSA).

Quick Snapshots
In this podcast, they discussed:
Segmenting the threat model and identifying the most crucial threats to pay attention to
Importance of having a recovery plan
Understanding the value of cyber security insurance
Key signs to look out for to distinguish between fraudulent and legitimate messaging
Tips to protect your inbox from Phishing emails
Why it is essential for brands to practice email authentication
Cyber security practices brands should be implementing in 2023
Episode Transcripts

Introduction: (00:06) You’re listening to “For The Love of Emails Podcast,” powered by Netcore Cloud, a weekly show dedicated to helping email marketers, marketing enthusiasts, and professionals of all walks engage, grow, and retain customers through reliable, smart, and effective email communication and engagement. Discover actionable ways to increase ROI and deliver value through email innovations, personalization, optimization, email deliverability, and email campaigns. No fluff. Tune in to best practices and tactical solutions from the best thought leaders and practitioners. Master your email communication now.


Matthew Vernhout: (00:39)

Welcome to the Netcore “For The Love of Email Podcast.” I’m your host, Matthew Vernhout, vice president of deliverability for Netcore Cloud. It’s No Redirects November here at Netcore, where we are showcasing all kinds of innovations with AMP for email on our social media channels. If you’re interested in learning more about AMP for email, check out Netcore Cloud on LinkedIn for samples, videos, and case studies showcasing how our clients are driving interactions with their customers directly in the inbox, saving time, reducing drop off, and driving an incremental engagement for their brands. AMP requires a minimum level of email security for your messages to be implementing AMP for email. Meaning you need to have strong authentication, including SPF, DKIM, and DMARC while focusing on building a strong reputation with mailbox providers. Since all this cyber security stuff is really important, I reached out to my friend Joshua Tannehill and said, Joshua, you’ve gotta come on the podcast.


Matthew Vernhout: (01:38)

We have to talk about cyber security. And you know, luckily he said, “Absolutely, I can’t wait to do it”. So here we go. Joshua wears many hats helping businesses, governments, and users protect themselves and their constituents regarding threats on the internet. Joshua has been doing this for several years. He is a former member of the National Guard, a member of the Louisiana Chapter of Cloud Security, the communications sector chief for the Louisiana Chapter of InfraGard, and many more titles in cyber security. Joshua and I also know each other through the messaging, malware, mobile, and anti-abuse working group, where we both have worked with that organization to improve security on the internet for several years. 

Joshua, welcome to the show. If I missed anything, please feel free to add it and introduce yourself to our audience.


Joshua Tannehill: (02:32)

Cool. Thank you, Matthew. Yeah. One thing you missed was that we also interacted with the email sender provider coalition meeting at that time. Yes. And another thing that I do, when I describe myself to people who listen, I describe myself as having a passion for about three or four different things. One is I’m down here in south Louisiana. I have a passion for Louisiana. I love the food, the culture, and my family. And I’m very patriotic to my state. I call it “statriotic”. I love cyber security. I did it for the National Guard. I did it for Fortune 200 technology companies. And helping others is my third passion. I like to mentor younger college students. One of my former roles was as an adjunct professor at Louisiana Delta Community College, helping young students of cyber security try to get their security plus certification and things of that nature. Those are a few of my passions, cyber security, Louisiana, and helping others. I definitely wanted to jump in with this opportunity. So, thank you for having me.


Matthew Vernhout: (03:50)

That certainly makes sense. How do we get along so well? Because, I love all three of those things as well. I got to spend a couple of years doing conferences in Louisiana, down right in the heart of New Orleans, down in the French Quarter area. Such a beautiful place! And my wife’s family has a long history, somehow attached to the founding of New Orleans because,.. 


Joshua Tannehill: (04:14)

Oh, wow. 


Matthew Vernhout: (04:16)

…the families that immigrated south left northern Quebec and eventually made their way down to what became the French part of New Orleans. A long history of connections there. A beautiful place.  If you’ve never been there, put it on your list of places to travel to.


Joshua Tannehill: (04:33)

Which conference did you help out with in New Orleans? ‘Cause I’ve been a part of both besides Nola and Nola Con. I’m on the board for bringing Nola back to New Orleans after the pandemic and everything, in 2023. Which one did you work with?


Matthew Vernhout: (04:48)

It was the Email Evolution Conference. I’m the co-chair of the Email Experience Council, which runs the Email Evolution Conference. We spent three years running that conference in New Orleans. Our next conference will be in Washington, in February 2023.


Joshua Tannehill: (05:11)

Very cool.


Matthew Vernhout: (05:12)



Joshua Tannehill: (05:14)

In Washington State, right?


Matthew Vernhout: (05:15)

No, Washington, DC. 


Joshua Tannehill: (05:18)

There you go.


Matthew Vernhout: (05:19)

I always forget there’s a Washington state. It’s the Canadian Union.


Joshua Tannehill: (05:22)

Well, being on the board of the NOLA Con, besides NOLA for 2023, I would like to have some email security thought. I’ll keep you in mind as we mature in that process… 


Matthew Vernhout: (05:39)



Joshua Tannehill: (05:40)

…in the planning. And see if there’s any guidance you can give us. Or maybe you could be a guest speaker. Who knows? I don’t think we’re going to be doing an RFP. To try to keep it fair, we’re going to be submitting RFPs requests or RFCs requests for Presentations.


 Matthew Vernhout: (05:57)

 Presentations. Yeah, it’s all good. I know the process. We’ll definitely chat after this on that. 


Joshua Tannehill: (06:04)



Matthew Vernhout: (06:05)

Joshua, regarding cyber security, you’ve worn many hats. Working with the Air Force as one of their cyber security leaders, I’m sure is an entirely different thought process around cyber security than maybe working with the Louisiana chapter of InfraGard, right? You’re focusing on two very different threat models. How do you take those threat models and segment them based on the threats that are everywhere? How do you segment that threat model and identify which is the important one for you to focus on, based on the role you’re working within at that time?


Joshua Tannehill: (06:44)

Now, that’s a great question. Doing 21 years in the Air Force and knowing their risk tolerance and if you get it wrong – if there is some security breach and you get it wrong as a good guy and the bad guys win – what does that mean versus in the financial sector, the telecommunication sector, or the retail sector, depending on which sector you’re working in – getting it wrong could mean different things. In the Department of Defence and the military as a whole, not just the Air Force, lives are lost if you get it wrong. That’s a very sobering thought. Luckily, our leaders know that, the leaders at the Pentagon where the budget, the money gets funnelled down to the different branches and agencies, they know that. So going from the DoD cyber security mentality, where they put a lot of money in prevention versus the three areas you want to put money into on cyber security – prevention of the breach detection of the breach, and response to the breach.


Joshua Tannehill: (08:00)

I feel that the DoD, as a whole, put a lot of money into preventing the breach. They spend a lot of money on those defensive controls that will stop the attack before it starts. One of the best analogies I have is two-factor authentication. The DoD requires you to log into your computer, not with just a user ID and a password, but they were early adopters of the smart cards, where every single military member in the entire DoD had to have the smart card. You think about the cost associated with all those smart tokens. I don’t know how many millions they spent on that because they knew the importance of prevention, of getting it right and preventing those bad actors from getting that foothold. So, when you take that mentality there’s very low tolerance for risk, because breach of risk could equal death.


Joshua Tannehill: (09:01)

And then you go into a communication company or a retail company where you might lose some money if you get it wrong. Or maybe somebody defaces a website. Then you have a bit more appetite for risk knowing that your co-worker won’t die if you get it wrong, they may just get fired or lose their job, or there might be some financial impact. It is very different than someone dying or bombs getting dropped on the wrong target —there’s much less tolerance for risk in the military. So, you have to know the risk appetite of the company you’re working for, and the industry you’re working in. With InfraGard, what I love about them is, they closely align with the Air Force, in the sense that they work off for protecting critical infrastructure, and they work closely with the Department of Homeland Security, the Cyber security infrastructure security agency, CISA…


Joshua Tannehill: (10:03)

…and DHS. CISA has designated 16 sectors of critical infrastructure that the FBI and the US government want to protect. Oil and gas, and energy sectors, agriculture, water treatment plants, the water’s another, telecommunications… A matter of concern – communications went down all at the same time as the power grid went down. You know, so those 16 critical infrastructure sectors, that’s what infraGard works with – to help prevent a cyber attack before it happens. I think of InfraGard as a bunch of volunteer informants with their ear to the ground in those different critical infrastructure sectors – those are the good guys partnering with the FBI to help keep the pulse of the trends of operations in those essential sectors of infrastructure so the FBI can prevent an attack from happening. So, they’re on the prevention side, right? In the military, the common phrase is ‘left of boom’.


Joshua Tannehill: (11:01)

If you look at a timeline, the boom happens, and after the boom hits, there’s the attack. That’s the breach. That’s the bombs.  Everything that happens on the timeline to the right of it is the recovery phase. InfraGard is spending a lot of time trying to get left of boom before the boom happens. That’s what InfraGard does as compared to the military. And then in the private sector, you’re working with different retail brands, or whatever you’re working with, you have to know that culture’s risk appetite. The leaders should be able to spell that out for you early in the process. If they’re not doing it, if you don’t know your company’s risk appetite, then it could be a bad sign that you might not be working in a good company.


Matthew Vernhout: (11:45)

Yeah. I think that’s an important thing, especially since, over the last decade we’ve seen data breach after data breach or compromised payment service at the point of sale time and again, and the numbers astoundingly get bigger. I think you’re right. Looking at what it is, you can do the spending on the lead-up to the point of activity, and on a recovery plan. It’s also important for brands to have a recovery plan, especially now. We are probably in the busiest time of year for digital marketing. It is happening around the holiday season. Fraudsters have been waiting all year for this time of year too, looking at – how exactly do I piggyback on the activities of retailers that are going on right now.


Matthew Vernhout: (12:52)

When it comes to those types of activities, what is the advice that you would give to consumers about protecting themselves, protecting their inboxes? They’re not going to die when their email goes to the spam folder. What are you looking at from a consumer point of view? And then, how would you take that advice and tell a business, a retailer, not to do these things because consumers will treat you like spam? Or consumers will look at your messages and say, I don’t trust this.


Joshua Tannehill: (13:42)

Yeah, that’s a great question, Matt, and I understand exactly what you’re asking. But before I dive into that, I have a final thought that I want to put into the previous conversation, which is around risk appetite and companies investing their dollars into prevention or detection and response. One thing, an analogy that I tell business owners – because I do a lot of public speaking in Louisiana – is that I’ve been honored to speak for the dentist’s office. There’s a dental association, and all the dentists, in order to be the best dentist they can be, they have to continue their education credits, dental technology, and hygiene technology. It changes just like in cyber security or email—the landscape’s changing. Well, the dental industry is no different. And those dentists have to have their annual continuing education.


Joshua Tannehill: (14:36)

So, I speak to try to help them with their continued education now and then. And my topic is about cyber security and how they can best protect their patient and dental records, and things to be on the lookout for. Because, as you know, dental records are extremely important, I guess if I wanted to die, I wanted to fake my death and somehow do some fraud that way. The dental records come hard to fraud, hard to mimic, right? Dental records are extremely important. I teach them, and one of the analogies that got through to them that I was so proud of as an original thought was, Hey, in the 1980s, when the AIDS and HIV came out, the dentist office had to buy all this PPE personal protective equipment.


Joshua Tannehill: (15:27)

They needed to buy the gas, the masks, the latex gloves, and maybe the goggles because if they didn’t, maybe their hygienist would catch HIV from a patient, which could lead to death. And so, there was no question, once it became obvious – the severity of this AIDS and HIV epidemic, the dentist’s office had no choice. They spent hundreds of dollars a month or thousands of dollars a year to protect their employees from this obvious threat. So the cost of business for those dental offices went up. And those small business owners, the dentists, had to absorb that cost. There was no getting around it. They had to pay extra money for the PPE to protect their employees from dying.


Joshua Tannehill: (16:20)

When you fast forward to all the ransomware that’s happening today, the dentist’s office could go out of business if there’s a ransom attack on their dental office. And that dental office doesn’t just mean dental. In this case, it could be any business. So the cost of business is going up because of the bad actors. And this ransomware is basically a virus, it’s a pandemic. You mentioned about the criminals – that it is the peak time of year. And you need to have backup and recovery plans in place. I advise people to do this if they need to know how much money retail transactions are losing by the minute or the hour. If there’s an outage, you need to calculate that.


Joshua Tannehill: (17:21)

Because that will help you figure out how much money you want to spend on prevention and recovery. If I’m losing, you know, $10,000 every minute in transactions, then I’m going to need to spend a lot of money on prevention, and I’m going to need to spend a lot of money on detection and response. And those will be the cost of doing business in today’s day and age. Inflation is going up, cost of business is going up. If you don’t understand that, accept that, and bite the bullet, you might have more significant problems in the future. So I like to tell that point, that analogy about the cost of business. It’s just a fact of life. And let me tell you, those dentists, they didn’t like that answer. They liked it because it made sense to him, but it cuts out of their bottom line. They have to pay for that out of their pocket, and they lose revenue and profit. And that’s just the way it is. I still remember the other question. Do you want me to answer the other question, or do you have a final thought on that?


Matthew Vernhout: (18:23)

No, I like that analogy of understanding, the transactional value of your business in regards to, if there is an outage, if there is a breach, if there is a period where you need to make data recovery due to some compromise or due to some type of ransomware encryption program being run. It’s a really interesting fact that I had not considered – if my budget is going to be 5% of that, 10% of that, 20% of that. That’s an interesting thought to look at from a business point of view. Thanks for bringing that up. Well, but let’s go ahead.


Joshua Tannehill: (19:12)

This is the final point. It’s just so good, I have to share. If you have cyber security insurance, that is one of the factors – to get cyber security insurance. You’ll have to fill that out and understand that ahead of time. Let’s imagine you get ransomware and, the ransom, the bad actor is asking you to pay a million dollars. Then, the cyber security insurance company will want to know how long of an outage you can afford before you get to that million, whatever the ransom they’re asking, because it may be worth it to pay. What if it costs you a million dollars for two days of outage, but the ransomware guy is only asking you for $10,000? That might make it easier for you. I will pay the ransom because I’m going to lose more without it. That’s one of the things you need to know. And cyber security insurance is helping drive that conversation too.


Matthew Vernhout: (20:08)

Right. That makes a lot of sense too. Understanding the value. The only concern is you pay the first 10 grand, and they ask for another 10, then a hundred after that.


Joshua Tannehill: (20:18)

Right. And that’s where I need help understanding. They’re criminals. Why would I trust a criminal? I’m going to give you 10 grand. You’re going to give me the key. Some laws are trying to be passed across the US – I don’t know for sure, don’t quote me on this – but they’re trying to make it illegal in the US to pay the ransomware and what that would do if it happens. Imagine if it’s a crime, if I am a victim of a crime, but then I commit another crime to try to save myself… like it’s going to deter that…


Matthew Vernhout: (20:52)

I heard that was also a discussion in other parts of the world beyond the US. And I’ve heard similar things about legislation to not pay the ransom.


Joshua Tannehill: (21:04)

Yeah. And the backup and recovery software industry and those businesses in that industry would love that law to be passed because people would invest more in prevention controls. They would invest more in detection and response, and recovery. Another point is when it comes to recovery – it is the long pole in the tent regarding how much you may get. You may get your data back. Many people need to understand that – just because I have my data back, can I trust it? No, you can’t. But then you can’t trust any of your computers. So you format and reload all 50,000 or a hundred thousand of your company’s computers because you can’t trust them – because they’ve been compromised too. So, recovery is such a large part of it. Just because I get my data back doesn’t mean I’m back operational.


Matthew Vernhout: (21:57)

That speaks of the importance of all backups. You know, here’s a pro tip for those listening. Go back up your desktop onto an external hard drive, just in case you ever need it.


Joshua Tannehill: (22:10)

And test it. That’s the thing. People back up, and they never test it; and when they need it, it goes. They can’t restore it.


Matthew Vernhout: (22:17)

Yeah. I just make a non-local copy. That’s my thing. It’s easy. I can access it. I don’t have that much stuff. But businesses out there, definitely properly back up your stuff. For users, we’re going to focus on the users a bit right now. Do a local backup to an external hard drive that sits on a shelf and isn’t permanently plugged into your machine. You use it once a week. Put that on your calendar. Remind yourself every Friday afternoon to back up your hard drive or at least your important class. The things that you couldn’t live without. Photos, important files, tax return stuff, all of that, put it on an external hard drive, sit it on the shelf, plug it in once a week, and make a local copy. Let’s go back to that question about activities – you tell consumers, since we’re talking about them – that help them understand the difference between legitimate messaging and fraudulent messaging. What are they looking at?


Joshua Tannehill: (23:14)

October was cyber security awareness month. I spoke at four different conferences, maybe five in October. I always talk about email as the number one attack vector. That’s a fact. I don’t know who made that. I don’t know the research on that, I can’t quote it, but email is the number one attack vector. Social engineering and phishing are such common attack vectors. So most corporations I’ve been a part of spend October in their annual cyber security awareness training. The DoD is no different. They give great examples of some key signs of what to look for to avoid falling victim to phishing email. The number one piece of advice that we give employees on what to look for in phishing emails is poor grammar and spelling -.but grammar is number one.


Joshua Tannehill: (24:18)

Number two is a sense of urgency. If the email’s trying to get you to do something outside of your normal processes or an accelerated timeline, that’s a red flag. As cyber security professionals, we teach our employees and customers not to click on links and suspicious emails. I know that’s counterintuitive to many of these brand email campaigns. They want employees and customers to click the link. And here I am telling people not to click links. So whenever I have some leader inside my company who wants to send an email out to all employees, we look at that email with them because we have spent so many years training our employees on what a fraudulent scam-looking email is like, and they report it to our abuse team.


Joshua Tannehill: (25:22)

I wouldn’t say I like it when a legit email is sent from a leader to the whole company, but everybody in the company is so scared of clicking phishing links now that they report the legitimate email to us. And we’re sitting there having to say, no, that’s okay. That’s a legit email. But because the person who sent that legit email to the whole company didn’t follow best practices of what to avoid, they made it look like a phishing email that we’re training our employees not to click on. And so one of the things that we tell legitimate email senders inside the company who are about to mass deliver to all employees is, don’t put links in there; instead, if you’re going to put the link, also put the file path or the SharePoint file path where people can browse to that content manually on their own without having to click a link in the email.


Joshua Tannehill: (26:21)

I don’t trust all the links because I’m a cyber security professional. So I would rather navigate. I would rather close that email and navigate my normal way to get to that content. Just like in an email with a phone number or just like someone who cold calls me and says, I’m your tax collector, you need to send money. Or, I’m the bill collector. I don’t just trust them because they cold-called me. Instead, I would like to hang up and look at the phone number on my bill, call that number, and get a secure connection manually because I don’t want to lose that money. It’s the same here: close that email, browse the content your way, the safe way and you avoid getting tricked into some phishing campaign. 


Matthew Vernhout: (27:15)

I had that same thing happen twice this week. I got a phone call from, one from my credit card company and one from an investment company. Both seemed legit, but my response was exactly what you said in both cases. Thanks for your call. I’m going to hang up and call back and make a note on my account that you called me so that whoever I get through on the support team can redirect me to you.


Joshua Tannehill: (27:42)

It’s the same with emails with links. Close the email. Thank you for the email. If I’m interested, I’ll browse to the URL I trust, which I may already have in my favorites. That’s what we’re trying to teach people. So on internal communications, we teach our leaders not to make their email look fishy. Don’t put the link in there; instead, tell them how to browse it themselves. It’s essential for the email sender community to know what you’re going to do with that information, but just be aware.


Matthew Vernhout: (28:18)

You know, there are certainly some brands that have policies of not sending links. So they send a commercial message advertising a product or service and say, please browse our website yourself. Some companies implement that. On the other hand, there are a large number of companies that say – buy my product, here’s a link please click it and follow the action.


Joshua Tannehill: (28:49)

And trust me that I’m not a criminal.


Matthew Vernhout: (28:51)

Also legitimate in most cases. From the point of view of a brand sending the message to a consumer that they have a relationship with – it is also a similar action that a fraudster would take trying to go over an account.


Joshua Tannehill: (29:08)

The behavior is the same. And that’s why.


Matthew Vernhout: (29:13)

Go ahead.


Joshua Tannehill: (29:15)

You first.


Matthew Vernhout: (29:16)

I was going to say, so that’s why one of the comments you made about understanding grammar and understanding the message, and the tone of urgency, makes a lot of sense when it comes to specifically high-value accounts, whether it’s your social media, your banking account or a work account. But would you say the same for an email from Walmart or another retailer that says, Hey, it’s our weekly flyer? You know, you get it every Tuesday at 9:00 PM or 9:00 AM, whatever the day or time? Is there not a sense of trust the consumer should have in a retailer like that?


Joshua Tannehill: (29:59)

Well, yes and no. In general, yes. But as a cyber security professional, I default to paranoia. And, with that, no, you shouldn’t have a sense of trust with all brands, and here’s why. Brands can easily be spoofed. That’s why it’s crucial that when you get that email, you check, you hover your mouse cursor over the display name because a fraudulent, criminal bad actor can make a display email look like whatever they want. But the actual sender address is going to be different. The display name could be FedEx, but the email is from a bad actor dot Russia. And so, you have to look at the display name versus the actual SMTP email address and know the difference. That’s why one of the advice I give consumers, which is also an original thought that I was proud of, is to assume fraud with an email.


Joshua Tannehill: (31:08)

I do not trust that Walmart sent it. I don’t trust that my great-grandma sent it. I don’t trust that my wife sent that email. Assume every piece of email that I get is fraud because spoofing is so common and easy to do. So I think of the analogy with the cashiers at a gas station, you go to the store, you buy a stick of gum and a Coke, and you hand the cashier a $20 bill, the first thing they do is assume fraud. They think it’s counterfeit. They hold it up to the light to look for certain clues that it’s legit, and they take a magic highlighter and highlight it to make sure that it’s legit. They do those two quick checks, and then they finish the transaction. That’s what I want people to think with emails. Even though I’ve gotten a hundred emails from cousin Bob about the fantasy football draft doesn’t mean that the hundred and one isn’t going to be a fraud. Because fraud is so easy these days, assume fraud and do those quick checks. That’s what I tell consumers.


Matthew Vernhout: (32:14)

Is it suitable for a brand and someone who operates and manages email on behalf of brands? We spend a lot of time working with them to authenticate their email. So, implementing SPF to validate their envelope addresses legitimately approved to send mail on their domain’s behalf. Same thing with domain keys, to prove ownership and content continuity between email platforms and then DMARC to add a layer of brand understanding to say reject mail that doesn’t authenticate well. When brands implement those types of things, they’re invisible to consumers. But as a security expert, does that help with your warm fuzzy feelings for brands and the importance of that? ‘Cause I do know that you are also operating an extensive email network of your own when it comes to inbound messaging. How important is that for the decision making of whether you’re going to deliver email or not?


Joshua Tannehill: (33:31)

It’s transparent to most people behind the scenes. All those things that you mentioned should be standard now. And they should be best practices. The reason I think so is that in the different meetings that I attend with the FBI or InfraGard, they mention what people want to hear from the FBI’s cyber division is what are the common threats in our state, in our sector? Every briefing I go to, the common thread starts with a business email compromise. So, if you can avoid people from mimicking your brand and spoofing your brand and authenticating as you, that’s going to be huge because these BECs are people mimicking your domain and brand and trying to pretend to be your CFO or your CEO and get, one of your unknowing lower level employees to do some out of process financial transaction, wire some money they shouldn’t. If that does happen, let your FBI office know immediately because they can recoup some of those losses. After all, they’re doing this for a living and trying to help protect consumers and businesses. So, when I hear all those DMARC and things that you mentioned, I think of how big of a threat business email compromise is and how important the authentication of your actual email is to prevent that.


Matthew Vernhout: (35:08)

Yeah. An exciting stat from the FBI back in 2019 is that 26 billion US Dollars was lost to business email compromises. As I think, I wonder if that’s just US or globally, but you know, we’re not talking small figures here. Implementing even the most basic should be standard. Every brand should be doing email authentication and doing it well.


Joshua Tannehill: (35:46)

It’s, unfortunately, the cost of doing business these days. That’s how you have to look at it.


Matthew Vernhout: (35:50)

Yeah. That goes back to your PPE example from earlier, right? It’s no longer a nice-to-do; it’s now a must-do for brands and not just for your main domain. Any domain you own, you better be doing these things.


Joshua Tannehill: (36:02)

‘Cause if you don’t, the bad criminal actors will do it for you


Matthew Vernhout: (36:05)

Absolutely. So, I think that’s where we’re going to leave people off with, right? It is from a marketing and brand protection point of view, and how to authenticate and communicate electronically with a mailbox provider anti-spam  security solution. Make sure you’re properly authenticating your mail, your corporate mail, your marketing mail, your transactional mail, and any domain that you own for your brand, whether it’s been registered defensively or you’ve acquired it through a copyright infringement, or however you’ve acquired your brand names. Make sure you’re correctly authenticating that mail because it’s your first line of defence when communicating electronically to say, these are messages that I approve, that I’m enabling to be sent on my behalf from my network, from my partner vendor network. So that’s a great statement, and I love that you said it. It’s no longer just a nice-to-have. It’s now table stakes and the cost of doing business. I love that idea.


Joshua Tannehill: (37:17)

Do you remember when seat belts – cars didn’t have seat belts in them back then? I think we…


Matthew Vernhout: (37:24)

I was alive for that, I believe. Yes.


Joshua Tannehill: (37:26)

Right? And then now you can’t get a car without a seatbelt. It’s standard. That’s how we should look at email authentication. It should be standard now. 


Matthew Vernhout: (37:33)

I agree, and a good friend has got the saying that she’s on an effort to authenticate the world.


Joshua Tannehill: (37:41)

I love it.


Matthew Vernhout: (37:42)

It’s a great initiative. If you’re listening to this, and if you’re unsure, talk to your email service provider. Talk to your reputation vendor, talk to your security vendor and ask them, am I properly authenticating? If not, what should I do? So Josh, thanks for joining us today. Had a great conversation. I love discussing cyber security, especially when we can tie it into an email. It’s an important piece that not enough brands and marketers think about all the time. So, any final closing thoughts on cyber security, things brands should be doing? Say, in 2023, if you’d do one thing, think about this. And then, if there’s any way you want our listeners to reach out, if they have questions about any of the things we talked about today, please let us know.


Joshua Tannehill: (38:36)

Yeah. Cool. Thanks, Matt, for having me. It has been an honor to meet you, work with you, and be on this podcast. My final thought from a cyber security perspective is that we’re all aware that email is the number one attack vector, business email compromise is the number one threat the FBI warns people about. Let’s take emails seriously. Emails are going to be here for a while. Let’s do our best common practices and make email security standards not just nice-to-have. That’s what I hope the final message from today is. Regarding how to reach me, I’m very active on LinkedIn. Joshua Tannehill, I did let my C I S S P expire, so it shouldn’t be Joshua Tan CISSP anymore. I’ve had that for 10 years, and I decided to go ahead and let it go. But find me, Joshua Tannehill, on LinkedIn. I would love to hear any comments, questions, or concerns from listeners. Again, finally, thank you, Matt, for the privilege of being on your podcast. It’s pretty cool, man.


Matthew Vernhout: (39:43)

Awesome. Well, again, thanks for joining us and everyone out there listening. As I said in the intro, remember, this is No Redirects November, where Netcore is talking about AMP for email and how it can help your brands with first-party data collection right from the user’s inbox. No redirect is needed. We’re doing amazingly cool things with AMP on behalf of our customers. Recently one of our customers won an award for their engaging emails and how they helped consumers interact with their brand. And like Joshua would say, no clicks. It’s a nice thing to consider when engaging with your consumers. So please remember to subscribe to the podcast if you’re not already subscribed. And check out Netcorecloud.com. We’d love to have a conversation with you about how we can help you with your email. Joshua, once again, thanks for joining me on the show


Joshua Tannehill: (40:34)

Thank you, sir. Have a good one. Bye. Happy Thanksgiving.


Matthew Vernhout: (40:38)

Thanks, you too.


Outro: (40:38)

You’ve been listening to “For The Love Of Emails” Podcast, powered by Netcore. Hit subscribe in your favourite podcast player to make sure you never miss an episode. To learn more about effective email communications and engagement through AI-powered email solutions, visit Netcore.com, the only global email engagement leader, delivering marketing ROI and value to 20 plus global unicorns and 5,000 plus brands for over two decades.

Unlock unmatched customer experiences,
get started now
Let us show you what's possible with Netcore.