Check your posts (notes, articles, etc.) are marked up with h-entry:

Success!

We found the following post h-entry on your site:

Name

Use CNAMEs for Trustworthy Links

Author

Add a photo!

<img class="u-photo" src="…" />

Steve Williams

Content

Many otherwise reputable organizations employ a bad and unnecessary practice that makes people more vulnerable to phishing attacks. These organizations send emails from and invite people to click on links to unrecognized domain names, a practice indistinguishable from a phishing attack. When you receive such an invitation purportedly from an organization you trust, you must use subjective judgment to decide whether it's for real. The organization's domain name is the primary objective tool you have to make that decision, so organizations should use their domain consistently. And that's easy to do, using a CNAME.

Examples:

  • Routine customer service notices and calls to action.
  • Bulk email marketing campaigns.
  • Customer service surveys.

Companies often hire service providers to send bulk email to their customers or to collect responses to customer service surveys. That's understandable: Bulk email is hard, and surveys often aren't a core part of the business. Non-commercial organizations do the same: With limited resources, it makes sense to hire service providers. But when working with service providers, organizations should make the effort to use their own domain in all links, rather than the service provider's domain.

Today, I received an email from Stamps.com, inviting me to complete a customer service survey. I'd like to respond, because the customer service rep I spoke to yesterday did a good job. The email contains the words "Click here to take this survey," linked to this URL:

https://stamps.custhelp.com/cgi-bin/stamps.cfg/php/enduser/doc_serve.php?1=(gobbledygook)&5=31&6=1&7=6425780

The email also says "If you wish to unsubscribe from Stamps.com's customer satisfaction surveys, please click on the following link: Survey Unsubscribe" with another link in the custhelp.com domain.

Here are the subjective reasons I should conclude this is actually an email initiated by Stamps.com and that the information collected will be used appropriately only by a company I trust:

  • I did recently have a phone conversation with a Stamps.com service rep.
  • The service rep told me to expect this email.
  • I've never seen Stamps.com abuse customers' privacy.

But objectively there's no way to know whether the email is really from Stamps.com. I've never heard of custhelp.com, even in all my dealings with Stamps.com. (When I type custhelp.com into my browser, I am redirected to rightnow.com. Ironically, the home page says RightNow CEO and Founder Greg Gianforte is "Lovin' Great Customer Experience." I don't think encouraging customers to fall for phishing attacks is a great experience. And, anyway, a phisher could have redirected custhelp.com to a recognized service provider to make the phishing domain appear more trustworthy.)

Most people wouldn't worry about it. They would just follow the link based on the subjective judgment. But consider another email I received around the same time, purportedly from Wells Fargo Bank, asking me to "sign in" to "lift a restriction" on my account. The "sign in" link is to a domain other than Wells Fargo's. Is the email really from Wells Fargo? Of course not, but we all know many people would fall for it, especially if they had a seemingly related conversation with Wells Fargo recently, as I did with Stamps.com. Are they more likely to fall for it when reputable companies are acting just like phishers? I think so. Maybe they're only a little more vulnerable as a result of this bad practice. But it's so easy to use good practice, why not do it?

Web-based service providers have an obligation to support CNAMEs, and organizations should insist that they do. Stamps.com should create a CNAME, perhaps survey.stamps.com, an alias of stamps.custhelp.com, and use that CNAME in their links. RightNow should verify that the CNAME matches the gobbledygook in the query string arguments, so phishers can't use survey.stamps.com.

Yes, it is common practice, even for reputable organizations, to invite people to follow links to unfamiliar domains. But it's bad practice, and it's easy to use the organization's domain name. We should all choose service providers that make it easy to use CNAMEs.
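The two checks the post calls for, as an added Python example that is not from the original post or from Stamps.com or RightNow: a mail-side test of whether every link in a message stays under the sender's own domain, and the provider-side binding of a survey token to the customer's hostname (the "verify that the CNAME matches the gobbledygook" step). The tokens, the second "acme" customer and the provider tables are constructed, and the registrable-domain helper is deliberately simplified.

```python
from __future__ import annotations
from urllib.parse import parse_qs, urlparse

def registered_domain(host: str) -> str:
    """Crude registrable domain (last two labels). Production code should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def offdomain_links(sender: str, urls: list[str]) -> list[str]:
    """Mail-side check: links whose registrable domain differs from the
    sender address's domain. [] means the message keeps to its own domain."""
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    return [u for u in urls
            if registered_domain(urlparse(u).hostname or "") != sender_domain]

# Provider-side tables (constructed): the hostnames each customer's surveys
# may be served on (its own CNAME plus the provider's subdomain for it),
# and the customer each survey token was issued to.
CUSTOMER_HOSTS = {
    "stamps": {"survey.stamps.com", "stamps.custhelp.com"},
    "acme": {"survey.acme.example", "acme.custhelp.com"},
}
TOKEN_OWNER = {"tok-stamps-001": "stamps", "tok-acme-777": "acme"}

def authorize_survey(request_host: str, request_url: str) -> bool:
    """Provider-side check: serve the survey only when the token in the query
    string (parameter '1', as in the article's URL) was issued to the customer
    whose hostname the request arrived on. A token issued to one customer is
    therefore never rendered under another customer's CNAME."""
    token = parse_qs(urlparse(request_url).query).get("1", [""])[0]
    owner = TOKEN_OWNER.get(token)
    return owner is not None and request_host.lower().rstrip(".") in CUSTOMER_HOSTS[owner]

if __name__ == "__main__":
    # The survey email from the article, with a constructed token, as received
    # and as it would look with the proposed survey.stamps.com CNAME.
    print(offdomain_links("survey@stamps.com",
          ["https://stamps.custhelp.com/cgi-bin/doc_serve.php?1=tok-stamps-001"]))
    print(offdomain_links("survey@stamps.com",
          ["https://survey.stamps.com/cgi-bin/doc_serve.php?1=tok-stamps-001"]))
    # Provider side: the right customer's token on its CNAME, then another
    # customer's token presented under survey.stamps.com.
    print(authorize_survey("survey.stamps.com", "https://survey.stamps.com/s?1=tok-stamps-001"))
    print(authorize_survey("survey.stamps.com", "https://survey.stamps.com/s?1=tok-acme-777"))
```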

Published

URL

Add a URL! <a class="u-url" href="…">…</a>

Syndicated Copies

Add URLs of POSSEd copies!

<a rel="syndication" class="u-syndication" href="…">…</a>

Categories

Add some categories! <a class="p-category" href="…">…</a>

Your h-entries should have, at minimum, the following properties:

  • e-content — the main content of the post
  • p-name — if your post is an article with a name, use this classname.
  • dt-published — the datetime the post was published at, in ISO8601 format, with a timezone
  • u-url — the canonical URL of the post, especially important on pages listing multiple posts

It’s a common convention for the published datetime to be a link to the post itself, but they can be separate if you want.

There should also be some way to discover the author of the post — either link to your homepage (which should have your h-card on it) from anywhere within the body of the page with rel=author, or optionally embed a p-author h-card in the h-entry.
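A minimal checker for the properties listed above, added here as an example rather than indiewebify.me's own code: it looks only at class names, the dt-published datetime attribute and rel=author links (not full microformats parsing), and the sample markup is constructed.

```python
from datetime import datetime
from html.parser import HTMLParser

REQUIRED = ("e-content", "p-name", "dt-published", "u-url")

class HEntryScanner(HTMLParser):
    """Collect microformats class names, the dt-published value and
    whether a rel=author link appears anywhere in the markup."""
    def __init__(self):
        super().__init__()
        self.classes, self.published, self.rel_author = set(), None, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        names = set((a.get("class") or "").split())
        self.classes |= names
        if "dt-published" in names:  # usual form: <time class="dt-published" datetime="...">
            self.published = a.get("datetime")
        if tag == "a" and "author" in (a.get("rel") or "").split():
            self.rel_author = True

def published_has_timezone(value):
    """True only for an ISO8601 datetime with an explicit offset or trailing Z."""
    if not value:
        return False
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except ValueError:
        return False

def h_entry_problems(html):
    """Return the list of shortfalls against the minimum property set; [] is a pass."""
    s = HEntryScanner()
    s.feed(html)
    problems = ["no h-entry root"] if "h-entry" not in s.classes else []
    problems += [f"missing {p}" for p in REQUIRED if p not in s.classes]
    if "dt-published" in s.classes and not published_has_timezone(s.published):
        problems.append("dt-published is not ISO8601 with a timezone")
    if not (s.rel_author or "p-author" in s.classes):
        problems.append("no rel=author link and no p-author h-card")
    return problems

# Constructed sample posts, not markup from the original page.
GOOD = ('<article class="h-entry"><h1 class="p-name">Example post</h1>'
        '<div class="e-content">Body</div><a class="u-url" href="/example">'
        '<time class="dt-published" datetime="2011-03-04T09:30:00-08:00">4 Mar</time></a>'
        '<a rel="author" href="/">Author</a></article>')
BAD = ('<div class="h-entry"><p class="e-content p-name">Body</p>'
       '<time class="dt-published" datetime="2011-03-04T09:30:00">4 Mar</time></div>')
```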

The web is an expressive medium, and as such there are many other properties which you can add to your posts. Check out the h-entry documentation for a full list.

Want to be able to use h-entry data in your code? Check out the open-source implementations.
