Role accounts

laura
Industry
June 21, 2016

A question came up on a recent deliverability panel about role accounts.

What is a role account?

A role account is an email address that goes to a particular role or position rather than to a person. In many cases email to that address gets sent to a ticketing system or sent to multiple people. Sometimes the address does go to a single person. The point of role accounts is to have standardized addresses that can be contacted at most domains.

Why do people use role accounts?

Businesses use role accounts for a number of reasons.

To maintain coverage for certain addresses after hours.
To provide one point of contact that can be passed on to different employees (on call pager).
To maintain business continuity.
To route email to the appropriate departments or people.
To route email to ticketing systems.

Even businesses as small as Word to the Wise use role accounts. There are certain messages we value so much, we route those addresses to multiple people inside the company. Some sole proprietors also use role accounts to keep certain messages out of their personal inbox.

Why do many ESPs prohibit mailing to role accounts?

Because role accounts are about a position, not a person, it’s hard to guarantee there is permission associated with the subscription. In fact, even if one of the recipients opted in the role account it’s possible other recipients would see the mail as spam. It is true that some role accounts are used as personal addresses, but this is not the normal use case. On balance, blocking mail to role accounts minimizes spam complaints with very little collateral damage.
It’s not just ESPs that prohibit mail to role accounts. Some mailing list providers (Yahoogroups, for instance) prohibit adding some role accounts to accounts they host.
Yes, there are cases where role accounts are the right place to send bulk mail. Accounting mail between companies are the obvious use case. There are some small businesses that use role accounts to subscribe to lists and get business mail.

What if I need to mail role accounts?

Some ESPs allow mail to role accounts, if certain conditions are met. These conditions vary by the situation. If you’re in a place where some addresses are blocked. Be prepared to demonstrate your opt-in process and how you’re verifying the accuracy of the subscription. You may also need to submit samples of your emails and some justification for mailing the role accounts.
Different ESPs have different rules for granting exceptions. Some ESPs will not grant exceptions to their policies so you may have to find an ESP that better fits your needs.

Conclusion

Overall, role accounts are about email to a particular job function. These functions are not always good targets for marketing mail, particularly unsolicited marketing mail. This is why ESPs often prohibit mail to role accounts by default. However, as with everything in email there are some exceptions. If you have an exceptional issue talk to support or deliverability about your needs and if there are ways to alleviate their concerns.

We're all targets

Last week, another email provider announced their systems had a security incident. Mandrill’s internal security team detected unusual activity and took the servers offline to investigate. While there’s no sign any data was compromised or servers infiltrated, Mandrill sent an email to their customers explaining the incident was due to a firewall rule change.
Email service providers are a high value target for hackers, even if all they have is email addresses. Selling the email addresses is extremely profitable for hackers who can either sell the list outright or sell access to the list. In addition to gaining access to the email addresses, hackers often use the ESP to send these messages essentially stealing the ESP’s reputation to deliver the spam.
It was just over four years ago when a number of major ESPs were targets of a large attack and multiple ESPs were compromised. Earlier this month, three people were arrested for their roles in the attack. While the attacks four years ago were primarily spear phishing attacks, the security incident at Mandrill shows that hackers and botnets are actively probing the ESP’s network looking for access or known vulnerabilities. Spear phishing is an attempt to gain unauthorized access to a system by specifically targeting an individual, group, or organization. The scam attempts to have the user to click a link to infect their computer and network or capture their user id and password via a fake website. The scam email may appear to be sent from the company’s security or human resources department, but the email is either forged or another user’s account has been compromised.
Just because recent arrests have been made does not mean the threat is over. Systems often change, are upgraded, and are integrated with many additional services and systems can become vulnerable. Security will never be a set and forget policy. In the last 12 months there has been two significant vulnerabilities discovered, first Heartbleed and second was POODLE. Security professionals from all industries had to react quickly to secure their systems and hackers immediately began probing for systems that were unpatched. GFI reports there were over 7,000 vulnerabilities discovered in 2014 with 24% of them being rated as high severity. Security must not only cover servers, but the transmission of the data internally and with third-party vendors, and the workstations of employees.
IT and security professionals must be ever vigilant in protecting their network and their customers data. SANS Institute provides a number of security control best practices including a document on Data Protection. The control recommendations range from quick wins to advanced considerations such as monitoring all traffic leaving the organization and being able to detect any unauthorized or unusual transfer of data, blocking access to file transfer protocols and file sharing websites, performing annual reviews of all keys, certifications, and security procedures.
One of the best ways to help the entire industry to be secure is to be transparent and open when incidents happen. Mandrill has published a blog post with the results of their investigation.

Dealing with blocklists, deliverability and abuse people

There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.

A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.

Buying lists costs more than just money

I’ve been talking to a lot of companies recently who are dealing with some major delivery challenges probably related to their practice of purchasing lists and then sending advertising to every address on the list. They assure me that their businesses would be non-viable if they didn’t purchase lists and it has to be that way.
Maybe that’s true, maybe it is more cost effective to purchase lists and send mail to them. I know, though, that their delivery is pretty bad. And that a lot of the addresses they buy never see their email. And that they risk losing their ESP, or they risk being SBLed, or they risk being blocked at Gmail, or they risk bulk foldering at Hotmail. There are a lot of risks to using purchased lists.
The reality is it’s only getting harder to mail to purchased lists and it’s getting more expensive to mail purchased lists. Paying for the list is a small part of the cost of using them.
Other costs incurred by companies using purchased lists include:
1) Having multiple ESPs. There are certainly legitimate reasons for companies to use different ESPs but there is a cost associated with it. Not only do they have to pay for duplicate services, but they spend a lot of employee time moving lists and recipients around to see who might have the better delivery today.
2) Multiple domains and brand new websites for every send. Landing pages are good marketing and are normal. But some ISPs track the IPs of the landing sites, and those IPs can get their own poor reputation. To get around it, senders using purchased lists often have to create new websites on new IPs for every send.
3) Complicated sending schedules. Sending schedules aren’t dictated by internal needs, they’re dictated by what ISP is blocking their IPs or domains (or even ESP) right now.
All of these costs are hidden, though. The only cost on the actual bottom line is the money they spend for the addresses themselves and that’s peanuts. Because, fundamentally, the folks selling addresses have no incentive to take any care in collecting or verifying the data. In fact, any verification they do only cuts into their profit, as buyers won’t actually pay for the verification and data hygiene and it also reduces the size of the lists they can sell.
And, no, data hygiene companies that look for traps and bounces and “bad addresses” don’t take a bad list and make it good. They just take a bad list and make it a little less bad. If the recipients don’t want the mail, all the hygiene in the world isn’t going to get that message into the inbox.
Outsourcing address collection to list selling companies is more expensive than it looks on paper. That doesn’t stop anyone from building a business around purchased lists, though.