Thoughts on policy

A particular blocklist, once again, listed a major ESP this week. Their justification is “this is our policy.” Which is true, it is their policy to list under these circumstances. That doesn’t make it a good policy, or even an effective policy. It’s simply a policy.

Crafting policies

Crafting good policy starts with the question “what is the desired outcome in this situation?” Once we know the desired outcome, then we can craft a policy that reaches that outcome. Along the way, every piece of the policy is evaluated against the desired outcome: does this get us further down the path to achieving our goal?

In many ways, identifying the final goal is the most important part of crafting policy. Those who choose the wrong goal, end up with policy that doesn’t reach that goal. There are some really clear examples of that in the email space. Picking the wrong goal results in policy that meets the goal, but doesn’t necessarily do what the creators intended.

Blocklist policy

The blocklist currently listing most, if not all, of the IPs belonging to at least 2 major ESPs has a policy to increase listings based on a numerical formula. If a certain percentage of IPs in a range are hitting spamtraps, then the listing is escalated, until they list all the IPs under a ASN. This is quite aggressive listing policy. The blocklist documentation even clearly states this will block wanted mail.

This type of policy is designed to bring heavy amounts of pressure on network owners to aggressively remove spammers from their network. The problem is that because the escalations are so aggressive and because the aggressiveness blocks so much wanted mail, larger networks don’t use the list. Since the list isn’t used, there is very little pressure on any IP owner to clean up their customer base.

Compare that with a different blocklist. This blocklist doesn’t have an aggressive escalation policy. They will escalate in some cases, but in general their listings are quite conservative. They even list some IPs that don’t send mail, as a warning to the IP owner that there is some problem. Despite being less aggressive, this blocklist is much more effective at changing behaviour. Why? Because this list is widely used.

Unexpected consequences

In order for a blocklist to be effective, it needs to actually affect mail delivery. The reason the less aggressive list is more effective is due to its wider use. There isn’t a lot of persuasion in a list that blocks mail to one or two subscribers at an obscure ISP. Those two subscribers may be annoyed at their inability to receive a particular mail, but they can simply move a particular subscription to a different email address. On the other hand a list that’s used by major webmail providers and incorporated into numerous filters will have a significant impact on sender behaviour, even if that’s not their policy goals.

Policy should not be fixed

Simply having a policy isn’t enough. There have to be processes for when the policy is broken. Processes include when and how to undertake an investigation and then how to address the problem once the investigation is finished. Policies are not worth the paper they’re written on without effective enforcement.

Good policy enforcement is, in most cases, pretty simple. But inevitably policy violations arise that challenge current processes to handle in a way that further the policy goals. There are two primary ways organisations handle this. The first is to fall back on “it’s policy” and “this is what happens.” Even when the outcome is unfair or doesn’t further the underlying policy goals there is no room for discussion or modification to the policy. The second case is more fluid. Policy is not fixed and immovable. Instead, the underlying goal is fixed and immovable, and processes are changed to meet the policy goals. Of course, you don’t want to be modifying policies all the time, but when a process is inadequate to address a situation, modification should be on the table.

In the case of the aggressive blocklist, their current policies and processes are not, from an outside perspective, meeting their stated goals. Because their listing process is so aggressive and because they block mail people want to receive, the list is not widely used. Since it’s not widely used, being listed is meaningless. Companies aren’t  making changes in order to get delisted because there’s no need. I’m sure they know this, but have chosen not to modify their policies.

There are a lot of challenges to crafting effective policies and processes around those policies. Over the next few months I’ll be writing more about how to think about policies and processes that surround them.

 

Related Posts

Questions about Spamhaus

I have gotten a lot of questions about Spamhaus since I’ve been talking about them on the blog and on various mailing lists. Those questions can be condensed and summed up into a single thought.

Read More

Who pays for spam?

A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customer wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs including overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing  in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.

Read More

January 2017: The Month in Email

Between client work and our national political climate, it’s been a very busy month around here and blogging has been light. Things show no sign of slowing down in February, so we’d love to hear from you with questions and suggestions of what you’d most like to see us focus on in our limited blogging time this month. We got a great question about how senders can access their Google Postmaster tools, and I wrote up a guide that you might find useful.

We’re also revisiting some older posts on often-requested topics, such as spamtraps, so feel free to comment below if there are topics you’d like us to address or update. One topic that comes up frequently, both on the blog and in our consulting practice, is about what to do when you’re on a blocklist. I revisited an old-but-still-relevant post on that topic as well.
On the Best Practices front, I wrote about how brands can use multiple channels to connect with customers and prospective customers to promote and enhance email delivery. I also took a moment to look back over 2016 and forward to 2017 in the realm of email security.
I continue to be annoyed by B2B spam, and have started responding to those “requests” for my time directly. Steve also wrote a long post about B2B spam, focusing on how these spammers are using Google and Amazon to try to work around reputation issues.
In case you missed it, I contributed some thoughts to a discussion on 2017 email trends over at Freshmail with my exhortation to “Make 2017 the year you turn deliverability into a KPI.”
I’m also still in the process of completing my 2017 speaking schedule, so I’m looking for any can’t-miss conferences and events you’d recommend. Thanks for keeping in touch!

Read More