Role accounts

laura
Industry
June 21, 2016

A question came up on a recent deliverability panel about role accounts.

What is a role account?

A role account is an email address that goes to a particular role or position rather than to a person. In many cases email to that address gets sent to a ticketing system or sent to multiple people. Sometimes the address does go to a single person. The point of role accounts is to have standardized addresses that can be contacted at most domains.

Why do people use role accounts?

Businesses use role accounts for a number of reasons.

To maintain coverage for certain addresses after hours.
To provide one point of contact that can be passed on to different employees (on call pager).
To maintain business continuity.
To route email to the appropriate departments or people.
To route email to ticketing systems.

Even businesses as small as Word to the Wise use role accounts. There are certain messages we value so much, we route those addresses to multiple people inside the company. Some sole proprietors also use role accounts to keep certain messages out of their personal inbox.

Why do many ESPs prohibit mailing to role accounts?

Because role accounts are about a position, not a person, it’s hard to guarantee there is permission associated with the subscription. In fact, even if one of the recipients opted in the role account it’s possible other recipients would see the mail as spam. It is true that some role accounts are used as personal addresses, but this is not the normal use case. On balance, blocking mail to role accounts minimizes spam complaints with very little collateral damage.
It’s not just ESPs that prohibit mail to role accounts. Some mailing list providers (Yahoogroups, for instance) prohibit adding some role accounts to accounts they host.
Yes, there are cases where role accounts are the right place to send bulk mail. Accounting mail between companies are the obvious use case. There are some small businesses that use role accounts to subscribe to lists and get business mail.

What if I need to mail role accounts?

Some ESPs allow mail to role accounts, if certain conditions are met. These conditions vary by the situation. If you’re in a place where some addresses are blocked. Be prepared to demonstrate your opt-in process and how you’re verifying the accuracy of the subscription. You may also need to submit samples of your emails and some justification for mailing the role accounts.
Different ESPs have different rules for granting exceptions. Some ESPs will not grant exceptions to their policies so you may have to find an ESP that better fits your needs.

Conclusion

Overall, role accounts are about email to a particular job function. These functions are not always good targets for marketing mail, particularly unsolicited marketing mail. This is why ESPs often prohibit mail to role accounts by default. However, as with everything in email there are some exceptions. If you have an exceptional issue talk to support or deliverability about your needs and if there are ways to alleviate their concerns.

Purchased lists and ESPs: 9 months later

It was about 8 months ago I published a list of ESPs that prohibit the use of purchased lists. There have been a number of interesting responses to that post.

ESPs wanted to be added to the list
The first iteration of the list was crowdsourced from different ESP representatives. They shared the info they had with each other. With their permission, I put it together into a post and published it here. Since then, I’ve had a trickle of ESPs asking to be added to the list. I’m happy to add any ESP. The only requirement is a privacy policy (or AUP) that states no purchased lists.
People reference the list regularly
I’ve had a lot of ESP deliverability folks send thanks for writing this post. They tell me they reference it regularly when dealing with clients. It’s also been listed as “one of the best blog posts of 2015” by Pardot.
Some 2016 predictions build on the post
I’ve read multiple future predictions that talk about how the era of purchased lists is over. I don’t think they’re wrong. I think that purchased lists are going to be deliverability nightmares on an internet where users wanting a mail is a prime factor in inbox deliverability. They’re already difficult to deliver, but it’s going to get worse.

Not everyone thinks this is a good post. In fact, I just recently got an comment about how wrong I was, and… well, I’ll just share it because I don’t think my summary of it will do it any justice.

May 2015: The Month in Email

Greetings from Dublin, where we’re gearing up for M3AAWG adventures.
In the blog this month, we did a post on purchased lists that got a lot of attention. If you’ve been reading the blog for any length of time, you know how I feel about purchased lists — they perform poorly and cause delivery problems, and we always advise clients to steer clear. With your help, we’ve now compiled a list of the ESPs that have a clearly stated policy that they will not tolerate purchased lists. This should be valuable ammunition both for ESPs and for email program managers when they asked to use purchased lists. Let us know if we’re missing any ESPs by commenting directly on that post. We also shared an example of what we saw when we worked with a client using a list that had been collected by a third party.
In other best practices around addresses, we discussed all the problems that arise when people use what they think are fake addresses to fill out web forms, and gave a nod to a marketer trying an alternate contact method to let customers know their email is bouncing.
We also shared some of the things we advise our clients to do when they are setting up a mailing or optimizing an existing program. You might consider trying them before your own next send. In the “what not to do” category, we highlighted four things that spammers do that set them apart from legitimate senders.
In industry news, we talked about mergers, acquisitions and the resulting business changes: Verizon is buying AOL, Aurea is buying Lyris, Microsoft will converge Office365/EOP and Outlook.com/Hotmail, and Sprint will no longer support clear.net and clearwire.net addresses.
Josh posted about Yahoo’s updated deliverability FAQ, which is interesting reading if you’re keeping up on deliverability and ESP best practices. He also wrote about a new development in the land of DMARC: BestGuessPass. Josh also wrote a really useful post about the differences between the Mail From and the Display From addresses, which is a handy reference if you ever need to explain it to someone.
And finally, I contributed a few “meta” posts this month that you might enjoy:

We're all targets

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.
Email service providers are a high value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send these messages essentially stealing the ESP’s reputation to deliver the spam.
It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing the ESP’s network looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to have the user to click a link to infect their computer and network or capture their user id and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or another user’s account has been compromised.
Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services and systems can become vulnerable. Security will never be a set and forget policy. In the last 12 months there has been two significant vulnerabilities discovered, first Heartbleed and second was POODLE. Security professionals from all industries had to react quickly to secure their systems and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014 with 24% of them being rated as high severity. Security must not only cover servers, but the transmission of the data internally and with third-party vendors, and the workstations of employees.
IT and security professionals must be ever vigilant in protecting their network and their customers data. SANS Institute provides a number of security control best practices including a document on Data Protection. The control recommendations range from quick wins to advanced considerations such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, performing annual reviews of all keys, certifications, and security procedures.
One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.