Thoughts on policy

A particular blocklist, once again, listed a major ESP this week. Their justification is “this is our policy.” Which is true, it is their policy to list under these circumstances. That doesn’t make it a good policy, or even an effective policy. It’s simply a policy.

Crafting policies

Crafting good policy starts with the question “what is the desired outcome in this situation?” Once we know the desired outcome, then we can craft a policy that reaches that outcome. Along the way, every piece of the policy is evaluated against the desired outcome: does this get us further down the path to achieving our goal?

In many ways, identifying the final goal is the most important part of crafting policy. Those who choose the wrong goal, end up with policy that doesn’t reach that goal. There are some really clear examples of that in the email space. Picking the wrong goal results in policy that meets the goal, but doesn’t necessarily do what the creators intended.

Blocklist policy

The blocklist currently listing most, if not all, of the IPs belonging to at least 2 major ESPs has a policy to increase listings based on a numerical formula. If a certain percentage of IPs in a range are hitting spamtraps, then the listing is escalated, until they list all the IPs under a ASN. This is quite aggressive listing policy. The blocklist documentation even clearly states this will block wanted mail.

This type of policy is designed to bring heavy amounts of pressure on network owners to aggressively remove spammers from their network. The problem is that because the escalations are so aggressive and because the aggressiveness blocks so much wanted mail, larger networks don’t use the list. Since the list isn’t used, there is very little pressure on any IP owner to clean up their customer base.

Compare that with a different blocklist. This blocklist doesn’t have an aggressive escalation policy. They will escalate in some cases, but in general their listings are quite conservative. They even list some IPs that don’t send mail, as a warning to the IP owner that there is some problem. Despite being less aggressive, this blocklist is much more effective at changing behaviour. Why? Because this list is widely used.

Unexpected consequences

In order for a blocklist to be effective, it needs to actually affect mail delivery. The reason the less aggressive list is more effective is due to its wider use. There isn’t a lot of persuasion in a list that blocks mail to one or two subscribers at an obscure ISP. Those two subscribers may be annoyed at their inability to receive a particular mail, but they can simply move a particular subscription to a different email address. On the other hand a list that’s used by major webmail providers and incorporated into numerous filters will have a significant impact on sender behaviour, even if that’s not their policy goals.

Policy should not be fixed

Simply having a policy isn’t enough. There have to be processes for when the policy is broken. Processes include when and how to undertake an investigation and then how to address the problem once the investigation is finished. Policies are not worth the paper they’re written on without effective enforcement.

Good policy enforcement is, in most cases, pretty simple. But inevitably policy violations arise that challenge current processes to handle in a way that further the policy goals. There are two primary ways organisations handle this. The first is to fall back on “it’s policy” and “this is what happens.” Even when the outcome is unfair or doesn’t further the underlying policy goals there is no room for discussion or modification to the policy. The second case is more fluid. Policy is not fixed and immovable. Instead, the underlying goal is fixed and immovable, and processes are changed to meet the policy goals. Of course, you don’t want to be modifying policies all the time, but when a process is inadequate to address a situation, modification should be on the table.

In the case of the aggressive blocklist, their current policies and processes are not, from an outside perspective, meeting their stated goals. Because their listing process is so aggressive and because they block mail people want to receive, the list is not widely used. Since it’s not widely used, being listed is meaningless. Companies aren’t  making changes in order to get delisted because there’s no need. I’m sure they know this, but have chosen not to modify their policies.

There are a lot of challenges to crafting effective policies and processes around those policies. Over the next few months I’ll be writing more about how to think about policies and processes that surround them.