Compliance
How to choose an ESP based on deliverability
Despite what a lot of SEO slop will try and tell you there’s no way to measure deliverability performance across multiple ESPs in any way that’s meaningful.
Read MoreUnsubscribe vs Suppress
When someone sends a complaint to your compliance desk there are a range of things you want to do, but one thing you always want to do is ensure that the recipient doesn’t receive any more unwanted email from your customer. Or, at least, not from your network.
Read MoreConfidential to ESPs
Dear Colleagues at ESPs,
We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form.
Read MoreESPs need to step up their compliance game
I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy.
Read MoreRaising the standard
Last week news broke that Mailchimp had disconnected a number of anti-vaccination activists from their platform and banned anti-vax content. I applaud their decision and hope other companies will follow their lead in banning harmful content from their network.
Read MoreESPs are failing recipients
Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.
ESPs and deliverability
There’s an ongoing discussion, one I normally avoid, regarding how much impact an ESP has on deliverability. Overall, my opinion is that as long as you have a half way decent ESP they have no impact on deliverability. Then I started writing an email and realised that my thoughts are more complex than that.
Tools aren’t a luxury
I was on the phone with a colleague recently. They were talking about collecting a bit of data over the weekend and mentioned how great it was they had the tools to be able to do this. Coincidentally, another colleague mentioned that when the subscription bombing happened they were able to react quickly because they had a decent tool chain. I’ve also been working with some clients who are dealing with compliance issues but don’t have the tools they need.
Read MoreCompany responsibility and compliance
I blogged a few times recently about Zoho and their issues with malicious actors abusing their platform. They asked me to post the following statement from their CEO Sridhar Vembu.
Read MoreZoho, phishing and who’s next?
ZDnet reports that Zoho’s problems with phishing aren’t over. Their report states that Zoho is being used as a pipeline to exfiltrate data from phished accounts.
Read MoreThoughts on policy
A particular blocklist, once again, listed a major ESP this week. Their justification is “this is our policy.” Which is true, it is their policy to list under these circumstances. That doesn’t make it a good policy, or even an effective policy. It’s simply a policy.
Read MoreComplaints, contacts and consequences
Yesterday the CRM system Zoho suffered an unexpected outage when their registrar, TierraNet suspended their domain. According to TechCrunch, Zoho’s CEO says there was no notification to the company and that the company had only 3 complaints about phishing.
Read MoreCheck your abuse addresses
Even if you have excellent policies and an effective, empowered enforcement team you can still have technical problems that can cause you to drop abuse mail, and so lose the opportunity to get a bad actor off your network before they damage your reputation further.
Read MoreHow to hire an affiliate
Yesterday I talked about all the reasons that using affiliate email can hurt overall delivery. In some cases, though, marketing departments and the savvy email marketer don’t have a choice in the matter. Someone in management makes a decision and employees are expected to implement it.
If you’re stuck in a place where you have to hire an affiliate, how can you protect the opt-in marketing program you’ve so painstakingly built? Nothing is foolproof, but there are some ways you can screen affiliates.
The Blighty Flag
Back in the dark ages (the late ’90s) most people used dialup to connect to the internet. Those people who had broadband could run all sorts of services off them, including websites and mail servers and such. We had a cable modem for a while handling mail for blighty.com.
At that time blighty.com had an actual website. This site hosted some of the very first online tools for fighting abuse and tracking spam. At the same time, both of us were fairly active on USENET and in other anti-spam fora. This meant there were more than a few spammers who went out of their way to make our lives difficult. Sometimes by filing false complaints, other times by actually causing problems through the website.
At one point, they managed to get a complaint to our cable provider and we were shut off. Steve contacted their postmaster, someone we knew and who knew us, who realized the complaint was bogus and got us turned back on. Postmaster also said he was flagging our account with “the blighty flag” that meant he had to review the account before it would be turned off in the future.
I keep imagining the blighty flag looking like this in somebody’s database.
That is to say, sometimes folks disable accounts they really shouldn’t be disabling. Say, for instance:
This was an accident by a twitter employee, according to a post by @TwitterGov
Permission trumps good metrics
Most companies and senders will tell you they follow all the best practices. My experience says they follow the easy best practices. They’ll comply with technical best practices, they’ll tick all the boxes for content and formatting, they’ll make a nod to permission. Then they’re surprised that their mail delivery isn’t great.
Read MoreArguing against the anti-spam policy
Not long ago I was talking with a colleague who works for an ESP. She was telling me about this new client who is in the process of negotiating a contract. Normally she doesn’t get involved in negotiations, but the sales group brought her. It seems this new client is attempting to remove all mention of the anti-spam policy from the contract. As she is the deliverability and compliance person, the sales people won’t agree unless compliance does.
Her sales team needs props for bringing her in to negotiate a contract where the anti-spam clause is removed.
This isn’t that unusual situation. Many well managed ESPs will include deliverability and compliance personnel in negotiations if the customer indicates they want changes to the language of the anti spam clause.
On the face of thing it seems reasonable for customers to want to negotiate compliance terms. They want to protect themselves from unexpected outages. It seems irresponsible to allow a service provider to have the ability to made such a business affecting decision.
Many folks try to negotiate their way out of anti-spam clauses. Just asking for changes isn’t a big deal. However, some companies push the issue with sales and contract folks to an extreme. They threaten to not sign if the anti-spam clauses are removed completely. 
Threatening a contract over compliance issues can poison an entire working relationship. The fact is that most people who argue about anti-spam clauses and compliance issues are people who have had problems with other ESPs in the past. For better or worse, prospects that try and remove anti-spam clauses from contracts are often problem customers.
On the compliance side, if someone is pushing hard to get the spam clause removed, they think a few different things:
About the Hillary Clinton email server thing…
I was going to say something about the issue with Hillary Clinton using an email server provided by her own staff for some of her email traffic, rather than one provided by her employer, but @LaneWinree already wrote pretty much what I’d have written, just better than I would have done.
Read MoreLet's talk CAN SPAM
Earlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.
We gave you a chance…
Our formerly feral cat was diagnosed with hyperthyroid disease earlier this year. This week she went in for treatment with radioactive iodine. Now that she’s home, we have some minor safety precautions (mostly around keeping radiation out of landfills and minimizing our exposure) for the next 2 weeks.
In previous careers, both Steve and I have been licensed to work with radioactivity so we’ve been swapping stories. Today I remembered an incident recounted during training. One lab had ordered some radioisotope and then mistakenly thrown out the isotope with the packaging material. An honest, but very expensive, mistake. Part of the fix was to have all radiation orders go through a central office on campus. This office would handle the opening and recording of the material and then distributing it to the appropriate research lab. As Steve put it, “We trusted you but you messed up, so now we have to institute some controls.”
This actually is how a lot of email compliance is done, too. Companies are allowed to do what they’re going to do. If they do something bad, even by mistake, there is often a lot of expensive cleanup. After the cleanup, the network (either the ESP or ISP) puts in place processes to limit the chance of this kind of mistake in the future.
In the email space the processes usually involves a couple things. First, the sender needs to change their acquisition process. This change limits the bad addresses getting onto a list in the future. Second, the sender needs to address the bad part of their current list. This often involves purging and/or re-engaging non-responsive addresses.
The fixes are painful for everyone involved. But when cleanup is expensive, prevention is important.
Who pays for spam?
A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customer wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs including overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.
Clarification on monetizing complaints
There has been quite an interesting discussion in the comment stream of my earlier post about monetizing the complaint stream. I’ve found all the perspectives and comments quite interesting.
There is one thing multiple people have brought up that I don’t necessarily see as a problem. They assert that this idea will only work if all ESPs do it because customers can just say, “Well, Other ESP will let us do this and not charge us.” I don’t quite understand why this is an issue. Customers already do this. In fact, sometimes the assertion is actually true.
There are ESPs that let customers spam. There will always be ESPs that let customers spam. This is not new. Changing a pricing model isn’t going to change this.
As I was envisioning the monetization process, ESPs who wanted to do this could actually offer multiple tier pricing. The customer can choose a lower price point for their overall mail program, while assuming the cost of their recipients complaining. Or the customer can choose a higher price point and let the ESP absorb the cost of handling complaints. In either case, the customer would still have to meet the ESP’s standards for complaints and comply with their TOS.
Clearly I’m seeing the idea and industry differently than a lot of my readers. I’m interested to hear the thought process behind this so I can better understand the objection.
Monetizing the complaint stream
What if ESPs (and ISPs, for that matter) started charging users for every complaint generated? Think of it like peak pricing for electricity. In California, businesses can opt for discounted power, with the agreement that they are the first companies shut off if electrical demand exceeds supply. What if ESPs and ISPs offered discounted hosting rates to bulk senders who agreed to pay per complaint?
I see pricing scheme something like this.
Do you have an abuse@ address?
I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.
Where do subscribers come from?
Do you know all the ways subscribers can get on your lists?
Are you sure?
I recently used the contact form belonging to a marketing company to inform them that someone had stolen my email address from their database and I was receiving spam to the address only they had.
They had an opt-out link on the form, allowing me to opt-out of personal contact and a demo of their product. But that opt-out didn’t translate to not adding me to their marketing list.
When I contacted the person who was talking with me about the address leak, he told me it was the contact form that led to my address ending up on their marketing list. I asked, just to make sure, if I did remember to check the opt-out link. He confirmed I had, but there was an oversight when they updated their contact page and there was no opt-out for marketing mail.
I believe that the majority of delivery problems for real companies that “only send mail with permission” come from these types of oversights. The biggest problem with these oversights is how long they can go on until companies notice the effect. With the overall focus on aggregate delivery statistics (complaint rates, bounces, etc) oversights like this aren’t noticed until they cause some massive problem, like a SBL listing or a block at a major ISP.
The company involved in this most recent incident was very responsive to my contact and immediately corrected the oversight. But there are other companies that don’t notice or respond to the notifications individuals send. This leads to resentment and frustration on the part of the recipient.
Every company should have at least one person who can account for every address on their marketing list. Who is that person at your company?
Technology does not trump policy when it comes to delivery
Recently Ken Magill wrote an article looking at how an ESP was attempting to sell him services based on the ESPs ‘high deliverability rates.’ I commented that Ken was right, and I still think he is.
Ken has a followup article today. In the first part he thanks Matt Blumberg from Return Path for posting a thoughtful blog post on the piece. Matt did have a very thoughtful article, pointing out that the vast majority of things affecting delivery are under the control of the list owner, not under the control of the ESP. As they are both right, I clearly agree with them. I’ve also posted about reputation and delivery regularly.