Recent Posts

DMARC: an authentication framework

A new email industry group was announced this morning. DMARC is a group of industry participants, including large senders, large receivers and relevant intermediaries working on a framework to reduce the harm from phishing.
DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.
It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.

Costs and accounting for email

The decision by Cheetahmail to stop allowing customers to use email append caused a very long discussion on some of the marketing lists. One of the criticisms had to do with what a dumb “business decision” Cheetah was making.
I disagree. Appending, and other non-permission based sending cause a lot of costs to trickle down on the ESP. Many of the large ESPs have teams of 8 or 10 people working to manage delivery, deal with blocks and keep the mail flowing. In fact, I once had a client say “We want to be as clean as ExactTarget” only to choke when I told them how many people are on the compliance and delivery team at ET.
That’s not even looking at the cost of a SBL listing. One company estimated the cost of a slightly less than 24 hour block at over $1,000,000 in lost opportunity costs and in actual staff costs to deal with the listing. I know of one Fortune 20 company who had to re-engineer their entire customer and prospect databases due to a blocklist. And, yeah, that one was actually due to an append. They did an append and the append not only added a “new” address to a record where the person had previously opted out, but that person worked at a major spam filtering company. They experienced a whole world of very expensive pain.
Many ESPs are actually making a sound business decision by refusing to deal with non-permission mail, whether it be a purchased list or an appended list. The sender does not have permission to send to the addresses. That causes all sorts of delivery problems, which costs the ESPs lots of money and staff time to deal with. Most marketers won’t actually pay for the resources they use when appending or buying lists. Then they blame the ESP when their mail ends up in the bulk folder or is blocked outright.
I don’t think many marketers fully integrate the cost of dealing with a poor list into their decisions. My tweet from earlier today “If you have to “ignore all the costs associated with complaints” to find a positive ROI on opt-out mail, is there really a positive ROI? is a paraphrase of one of the things I heard.
ESPs can’t avoid those costs, they’re stuck with them. Lowering those costs by requiring senders to only send to recipients who have given permission is a smart business decision. Marketers don’t pay those costs, but if they even acknowledged them I suspect that there would be a whole lot less sloppy email marketing.

IP Address reputation primer

There has been a lot of recent discussion and questions about reputation, content and delivery. I started to answer some of them, and then realized there weren’t any basic reference documents I could refer to when explaining the interaction. So I decided to write some.
This first post is about IP address reputation with some background on why IPs are so important and why ISPs focus so heavily on the sending IP.

What are you validating?

Al throws in his own two cents on the question of real time address validation.

Can you verify email addresses in real time?

In a recent discussion about spamtraps and address lists and data collection a participant commented, “[E]very site should be utilizing a real-time email address hygiene and correction service on the front end.” He went on to explain that real time hygiene prevents undeliverable addresses and spamtraps and all sorts of list problems. I was skeptical to say the least.
Yes, there are APIs that can be queried at some of the larger ISPs to identify if an account name is taken, but this doesn’t mean that there is an associated email address. Yes, senders can do a real time SMTP transaction, but ISPs are quick to block SMTP transactions that quit before DATA.
I decided to check out one service to see how accurate it was. I’m somewhat lucky in that I created a username at Yahoo Groups over a dozen years ago but never activated the associated email address. This means that the account is shown as taken and no one else can register that address at Yahoo. But the address doesn’t accept any mail.

Information sharing and the Internet

Many years ago I was working at the UW-Madison. Madison is a great town, I loved it a lot. One of the good bits was this local satire paper called The Onion. This paper would show up around campus on Wednesdays. Our lab, like many university employees and students, looked forward to Wednesday and the new humor The Onion would bring to us.
At the same time, I was internet friends with an employee of JPL. I’d met him, like I met many of my online acquaintances, through a pet related mailing list.
One Wednesday, The Onion published an article Mir Scientists Study Effects of Weightlessness on Mortal Terror. As this was the time when the Internet consisted of people banging rocks together, there was not an online link to Onion articles. But I was sure my friend at JPL, and all his friends, would appreciate the joke. That night I stayed late at the lab and typed the article into an email (with full credit to the Onion) and mailed it off to him.
As expected, the article garnered quite a few chuckles and was passed around to various folks inside JPL. What wasn’t expected was another friend, from totally different circles, sending me a copy of that same article 3 days later. Yes, in 1997 it took three days for information to be shared full circle on the Internet.
Information sharing is a whole lot quicker now, with things coming full circle in mere seconds. But that doesn’t make the information any more reliable and true. Take a recent article in ZDNet Research: Spammers actively harvesting emails from Twitter in real-time.
ZDNet links to a study published by Websense, claiming that email addresses on Twitter were available for harvesting.
That’s all well and good, but all ZDNet and Websense are saying is that email addresses are available for harvesting. I’ve not seen any evidence, yet, that spammers are harvesting and sending to them. This doesn’t, of course, mean they’re not, but it would be nice to see the spam email received at an address only shared on twitter.
Well, I have unique addresses and an un-spamfiltered domain. I went ahead and seeded a tagged address onto twitter. We’ll see if it gets harvested and spammers start sending to it. I’ll be sure to keep you updated.

Delivery and marketing, another view

In addition to posting some of my thoughts about how delivery and marketing have different and possible contradictory constraints, I asked folks on the Only Influencers list what they thought. They had some different perspectives, primarily being marketers. One person even welcomed me to the dark side.
The general response from the marketing side of things appeared to be that ISPs need to stop actually filtering marketing email. That would resolve the problems from the marketers perspective. I don’t necessarily think that will help. I believe if marketers had unfettered access to the inbox, most inboxes would be totally un-useable.
My thinking triggered other folks to consider delivery and marketing and what drives both. George Bilbrey, from Return Path, posted an article in Mediapost looking at why good delivery is an important part of a good marketing strategy.
George points out many marketers really do act as if delivery is separate and detrimental to good marketing.

Experian CheetahMail believes that opt-out email appending is no longer an acceptable practice, and that marketers should no longer use of this practice to acquire customer email addresses. EmailResponsibly
Read More

The internet protests SOPA / PIPA

For those who don’t know, a number of major websites will be going offline tomorrow to protest SOPA and PIPA, including wordpress, reddit, Wikipedia and the cheezeburger sites. Tomorrow may be the most productive day ever on the modern internet. Google will also be linking to information about SOPA tomorrow.
I had some people ask me about the bills today and have been looking for explanations of the issues and why these laws are so problematic.

Is any data safe?

Today another major retailer announced their customer files were compromised. This company had clearly implemented some security that kept hackers from getting too much information. Passwords were hashed and credit card numbers were kept on a separate server, which does signal that the company designed with security in mind. Nevertheless, personal information was compromised.
Is there anyway to keep information safe if it’s accessible from the internet? Some of my uber-security conscious friends would say no. I am beginning to believe them.