Confirming addresses for transactional mail

A colleague was asking about confirming transactional mail today. It seems a couple of big retailers got SBLed today for sending receipts to spamtraps. I talked a few weeks ago about why it’s important to let people unsubscribe from transactional email, and many of those same things apply to confirming receipts.

First, let’s look at what Spamhaus has to say. Initially they listed the reason for the SBL listing as “receipts to spam traps.” They later clarified the underlying issue.

> …[T]he issue with these receipts isn’t simply that one-off receipts are being sent to typoed email addresses. That issue would be trivial if no further email were sent to those email addresses, even during the Christmas shopping season. The issue is that typoed email addresses are being associated with customer accounts and receiving all sorts of email (transactional and marketing both) without ever being confirmed.

Spamhaus Statement (.pdf)

This matches very closely with what I said in my earlier post about allowing people to unsubscribe from transactional emails.

Transactional mail that is only ever a single event and where that address is not associated with an account doesn’t need to have an unsubscribe link. If it’s a one-time email, then it’s OK to not have an opt-out link. It’s OK to have an opt-out link, but not necessary.

However, transactional mail that’s associated with some sort of account and is likely to receive future emails must have a process in place to make sure that the mail is going to the right person.

A couple of examples where retail stores should have confirmation in place:

Apple has an option to associate an email address with a credit card. Customers that take this step can go into any Apple store, buy something with that card and Apple will email them a receipt. This type of setup should have some process to confirm that Apple is sending the receipt to the right place.

Citibank links online banking accounts to credit or debit cards. They’ve now started offering the ability for ATM transaction receipts to be sent to the email address on file for that card. They have incorporated a verification process as part of setting up online banking, and receipts should only go to the actual customer.

There are, however, a lot of retailers that collect addresses at point of sale and use those for receipts and marketing without any confirmation. Some online retailers collect email addresses and then let customers create an account with that address. They often don’t confirm these accounts, either. That may not sound so bad, creating an account is a simple step that encourages repeat purchases.

Without some sort of address confirmation in place, customers can create accounts with email addresses they don’t control. In most cases, customers can continue to use those accounts until they forget their passwords. Purchase confirmation emails and marketing mails both can be sent to unrelated 3rd parties.

Spamhaus listing companies that are sending repeated transactional emails to spamtraps means senders who don’t confirm addresses are at increased delivery risk, even when the majority of mail sent to those addresses is transactional. It’s not the content, it’s the volume. The more mail sent to an address the more important it is to make sure that the person at that address is actually the right customer. Otherwise, senders open themselves up to delivery problems. There is also the possibility that some congress person decides that receipts going to the wrong person is a problem that needs to be fixed with laws. I’m pretty sure whatever that congress person decides will be worse for both consumers and retailers than retailers confirming email addresses.
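One way to implement the policy described above, together with the "this is not me" link raised in the comments, as an added example that is not code from the original post. It allows a single receipt to an unconfirmed address and holds everything else until a signed confirmation link is clicked. The address states, the `SECRET` key, the one-week expiry and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, one per deployment
TOKEN_TTL = 7 * 24 * 3600         # assumption: links expire after a week
addresses = {}                    # address -> {"state": ..., "sent": int}

def _record(address):
    return addresses.setdefault(address, {"state": "unconfirmed", "sent": 0})

def _sign(address, action, expires):
    msg = f"{address}|{action}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(address, action, now=None):
    """Token for a 'confirm' or 'not-me' link, bound to one address and action."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(address, action, expires)}"

def apply_token(address, action, token, now=None):
    """Verify a clicked link and update the address state. True if accepted."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    good = _sign(address, action, expires)
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return False
    if (time.time() if now is None else now) > expires:
        return False
    rec = _record(address)
    if action == "not-me":
        rec["state"] = "disavowed"    # recipient says the address is not the customer's
        return True
    if action == "confirm" and rec["state"] != "disavowed":
        rec["state"] = "confirmed"
        return True
    return False

def may_send(address, kind):
    """Gate outgoing mail; kind is 'transactional' or 'marketing'."""
    rec = _record(address)
    # Unconfirmed: one receipt only, carrying the confirm and not-me links.
    first_receipt = kind == "transactional" and rec["sent"] == 0
    allowed = rec["state"] == "confirmed" or (rec["state"] == "unconfirmed" and first_receipt)
    rec["sent"] += allowed
    return allowed
```

Because the action is part of the signed message, a confirm link cannot be replayed as a not-me link, and a disavowed address stays blocked even if a later confirm link for it is clicked.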

4 comments

  1. John L says

    This really can be a problem. Just today I got mail from the Nike online store for an order from a guy in Connecticut with a name similar to mine who thinks my gmail account is his gmail account. And not for the first time — he’s ordered before, I’ve cancelled it, and he just orders again with the same wrong address.

    There’s also a psychiatrist in Massachusetts who also has a similar name, for whom I’ve gotten an endless stream of confirmations, receipts, and welcome messages. Even in the absence of confirmation, it would be really nice if there were a THIS IS NOT ME button, so if they attempt to use the account again, it demands a different, perhaps correct, address.

  2. James says

    > That may not sound so bad, creating an account is a simple step that encourages repeat
    > purchases.

    And discourages the original purchase: the time between deciding to purchase and completing the process is time for the customer to have second thoughts or decide they can’t be bothered filling in all the forms.

  3. Tom Mortimer says

    Laura: thank you for getting the word out that Spamhaus is starting to crack down when transactional emails are sent to spamtraps in volume. Probably because it is the Christmas season, we are seeing a great many receipts from a few companies. We have also noticed that the email addresses that receive these electronic receipts also normally receive marketing offers and ongoing email.

    If this misdirected email were hitting only spamtraps and not actual users, we would not press the point. However, we are seeing a significant quantity of misdirected receipts and transactional emails to likely typotraps (spamtraps that are similar to legitimate email addresses). Since user typos are no more likely to generate a spamtrap than an actual user email address, we believe that real users are also being sent misdirected transactional email.

    The user who is receiving misdirected transactional and bulk email on an ongoing basis does not really care which it is: it is all annoying. And, as you note, it is especially annoying when the email contains no opt-out.

    Protecting users from unsolicited bulk email is what we do at Spamhaus. For that reason, we have started to consider misdirected transactional emails along with marketing emails. When the volume is sufficient to suggest that there is a pattern of typoed email addresses at a particular company, we are listing their IPs.

    John: your suggestion that receipts and transactional emails should contain a “this is not me” link is excellent. If you do not mind, I believe that I will pass on the suggestion.

  4. Kieran says

    I actually had exactly this situation today. I had an email from Blackberry saying that a profile had been created associated with my Gmail address. The email had a link saying ‘If you did not create or do not recognize this account, please click here to delete this BlackBerry ID’ which made it very easy to flag up the fact that the address wasn’t correct. Let’s hope more people take on this sort of idea.
