Evolution of policy


Last week, I talked about policy, using some different blocklist policies as examples. In that post I talked about how important it is that policy evolve. One example of that is how we’ve been evolving policy related to companies that get listed on Purchased Lists and ESPs. Who is listed has evolved over time, and we’re actually looking at some policy changes right now.

Listing policy 1

The first iteration of the list was crowdsourced by deliverability people. One person mentioned they had a list they used when customers would argue “X company lets me send to purchased lists.” That list got shared and lots of folks contributed their company names. I offered to publish the list and thus the initial blog post.

  • Your company was added to the list by being nominated from a small group of people.

Listing policy 2

Once the blog post went up a surprising number of companies asked to be added to the list. I was happy to add the companies but needed some criteria other than nominated by this group of people. Our policy had to evolve to cover self-nominations. Whatever the policy was it needed to be something I could easily check and verify and couldn’t take up a significant amount of time.

  • Your company was added to the list by being nominated from a small group of people; or
  • Your company was self-nominated and your terms and conditions / acceptable use policy states you do not allow purchased lists.

At the time I created policy 2 there were some specific goals driving it. We were getting regular requests to be added to the list. I didn’t have a lot of time or energy to vet every listing. There was also some pushback from anti-spam groups on the initial post that the list wasn’t accurate. Thus, the requirement that there be a public statement on the company’s website stating public lists weren’t allowed.

Listing policy 3

There’s one company on the list we’ve been having ongoing, frustrating interactions with. They don’t seem to enforce their abuse policy at all. We’ve reported multiple customers who are spamming purchased (and “purchased”) lists and the company refuses to take any action. The same customers keep spamming us over and over again. They meet the criteria for listing – they have a public policy that says they don’t allow purchased lists. But we’re seeing ongoing mail to addresses that are either purchased or stolen.

We decided to strike that company from the list. That’s fine, we’re allowed to make exceptions to the policy. I also always knew that “having a public statement against purchased lists” was a bit of a weak policy. Many companies have those public statements but don’t actually stop customers from sending to purchased lists. I was sure I’d have to wrestle with this issue sooner or later.

What are the goals?

The initial goal was to post timely information based on conversations happening in the industry. There were folks who wanted the lists to be more public, so they could point their own customers at it. We met that goal.

The second goal was to allow companies to add themselves to the list with some confidence they belonged on the list.

My newest goal is to sensibly and fairly add (and remove) companies who are not enforcing their policy. But what does not enforcing their policy look like? In the case of the company we removed from the list, we have sufficient evidence that they’re not stopping spam off their network. I’m pretty convinced there are other companies on the list that poorly manage their customers, too. But we don’t have as much direct evidence against those other companies.

The questions I’m asking as I think about what a sane policy would look like include:

  • what is the goal of the list now? is it to give props to companies that enforce their policies? is it simply to give companies a place to point to regarding ESPs that prohibit purchased lists?
  • if the goal is to highlight companies that are actually enforcing their policies, what does ‘enforcing their policies’ look like?
  • do I want to do all the vetting myself or should other people be involved in vetting?
  • how accurate do I want the list to be?
  • does it matter if companies get onto the list when they don’t qualify?
  • what is my time availability and how does that interact with the policy requirements?
  • does any of this matter?

I don’t have answers to all of the questions. I would prefer that the list be accurate and reflect only those companies that actively prevent their customers from sending to purchased lists. But how to ensure accuracy? And what counts? Does blocking mail to people who complain count? Making customers reconfirm lists?

This is one of the challenging bits of policy development. I don’t have answers, yet. At best the current policy is

  • Your company was added to the list by being nominated from a small group of people; or
  • Your company was self-nominated and your terms and conditions / acceptable use policy states you do not allow purchased lists.
  • I don’t have any direct or overwhelming evidence customers are allowed to send spam to purchased lists.

For today, that’s good enough. But I know that it’s a stopgap policy, not a long-term one.


By laura
