Encrypted Suppression Files the New Standard

Change is good – Make MD5 encrypted suppression files the de facto standard in your email marketing program

There is a trend happening with more stores starting to charge for plastic bags. In some places too, there are even bylaws enacted that force the store to charge for the plastic bags. Here in Montreal, for instance, a number of large grocery chain stores have also started to charge for plastic bags.

The reason behind this of course is the environment and the intended motivation behind charging per plastic bag is to get people to think more environmentally friendly way and cut down on the amount of landfill space from discarded plastic bags. With everyone’s support and compliance, thousands of cubic meters per year of landfill space could be saved. It starts with one person, then more, and then eventually becomes the accepted norm.

In the email marketing industry an analogous problem is suppression list abuse. A suppression list, of course, is a file that contains the list of recipients who have requested to be unsubscribed and as a result should never be mailed-to. All professional and legitimate email marketers carefully scrub their data files against suppression list files before campaigns. This has always been an industry best practice. There is still a lot more, however, that needs to be done. Compliance monitoring company Lashback, for instance, routinely records millions of IP addresses that have sent mail to addresses on suppression list files.

Suppression list abuse has a number of root causes, from the egregious to simple mistakes, but in the end it has a damaging effect on the industry, on company reputations and brands, and most importantly on consumer trust in email.

While you may not be contributing to the problem, you can however start contributing to the solution: MD5 encryption.

An industry best practice is to protect suppression list files with MD5, a one-way hash function (commonly, if loosely, referred to as MD5 encryption). Because the transformation is one-way, the file protects the suppression list contents. It works this way:

• The subscriber list is added to the system (or is already present)
• The MD5 encrypted suppression list is also added to the system
• The system runs the MD5 algorithm on each subscriber record and compares the value with what is contained in the MD5 suppression list file
• The system blocks matching records (i.e. email addresses) from reaching the recipient.
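The four steps above, worked through as an added example (my code, not Cypra Media's or CypraCommunicator's): the unsubscribed addresses are turned into a digest-only suppression file, and the subscriber list is scrubbed by hashing each record and looking it up. The normalization rule (trim whitespace, lowercase) is an assumption; the page does not specify one, but both parties must apply the same rule or "Bob@Example.com" and "bob@example.com" produce different digests and the match silently fails. The sample addresses are constructed.

```python
import hashlib


def normalize(addr):
    """Canonical form of an address before hashing (assumed rule: trim + lowercase).

    Both the party producing the suppression file and the party scrubbing
    against it must apply exactly this rule, otherwise digests never match.
    """
    return addr.strip().lower()


def md5_suppression_entry(addr):
    """One-way MD5 digest of a normalized address, as a 32-char hex string."""
    return hashlib.md5(normalize(addr).encode("utf-8")).hexdigest()


def build_suppression_file(unsubscribed):
    """Lines of the file handed to partners: digests only, no addresses.

    Sorted and de-duplicated so two exports of the same list are identical.
    """
    return sorted({md5_suppression_entry(a) for a in unsubscribed})


def load_suppression_file(lines):
    """Read a partner's MD5 suppression file (one digest per line) into a set."""
    return {line.strip().lower() for line in lines if line.strip()}


def scrub(subscribers, suppression_digests):
    """Hash each subscriber record and block it if the digest is on the list."""
    mailable, blocked = [], []
    for addr in subscribers:
        if md5_suppression_entry(addr) in suppression_digests:
            blocked.append(addr)
        else:
            mailable.append(addr)
    return mailable, blocked


# Constructed sample data.
SUBSCRIBERS = ["alice@example.com", "Bob@Example.com", "carol@example.net"]
UNSUBSCRIBED = ["bob@example.com", "dave@example.org"]

if __name__ == "__main__":
    suppression_lines = build_suppression_file(UNSUBSCRIBED)
    print("suppression file contents (digests only):")
    for line in suppression_lines:
        print(" ", line)
    ok, dropped = scrub(SUBSCRIBERS, load_suppression_file(suppression_lines))
    print("mailable:", ok)
    print("blocked: ", dropped)
```

Note that the digest hides addresses only from a holder who does not already know them; anyone holding a list of addresses can still test those specific addresses against the file, which is exactly what the scrub step does.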

The keyword is “one-way”, which means that it is not possible to decrypt the data records. And, because it is not possible to decrypt the data records, the data remains in a much more protected state should it fall into the wrong hands. By contrast, should a clear-text suppression list file fall into the wrong hands, there is no technical barrier preventing the data from being mailed-to. Don’t think that a password protected ZIP file provides significant security. Such a “security measure” can be bypassed in little or no time, providing access to a readily mailable list.

It took me a few trips to the grocery store before I remembered to bring along my reusable plastic bags. Now, it is second nature. Make MD5 encrypted suppression list files part of your email marketing program:

• Set a project plan to convert your plain-text suppression file into MD5 encrypted format
• Ask partners to use and provide MD5 encrypted format suppression list files
• Offer partners MD5 format suppression list files first, before they ask
• Educate clients, employees, and business partners on the value of MD5 encrypted suppression list files.

***********
Cypra Media’s CypraCommunicator solution supports both download and upload of MD5 one-way encrypted files.

Canada’s Anti-Spam Bill

Canadian Anti-spam bill: C-27 Electronic Commerce Protection Act

I made a prediction in an earlier blog post that Canada would soon have its own anti-spam law. The reality of such a law is gaining momentum. Bill C-27 “Electronic Commerce Protection Act” had its first reading in Parliament April 24th and its second reading on May 9th, after which it was referred for review to the Standing Committee on Industry, Science and Technology. No Committee date has been set yet.

The text of Bill C-27 is quite long (about 72 pages) and fairly complex, especially for legal laymen. While I think the overall direction of the bill is positive, there are parts of the bill that would benefit from improved definitions of terms. Realistically speaking, it may take more time for clarification to come. In the case of the U.S. CAN-SPAM Act of 2003, the Federal Trade Commission only last year clarified a number of definitions and interpretations through “new rules”, including the definition of “person.”

There are too many details in the bill to analyze in this space. Those knowledgeable with the language of the CAN-SPAM Act (e.g. definitions of “sender”, “initiator”, and “routine conveyor”) will likely have some difficulty understanding the meaning of some terms and definitions in Bill C-27.

Here is a description of some of the main clauses of Bill C-27 contrasted with the CAN-SPAM Act:

1 – Consent Required

“No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless (a) the person to whom the message is sent has consented to receiving it, whether the consent is expressed or implied; and…”

Affirmative consent should always be part of any email marketing program. Compared to the CAN-SPAM Act, Bill C-27 takes this view a step further by making it a legal requirement. As well, the burden of consent proof falls on the marketer.

The bill also has a section requiring that consent be obtained before installing a program on a recipient’s computer system:

“No person shall, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of a computer system or is acting in accordance with a court order.”

The above directly addresses a common spam tactic – in that software is surreptitiously installed on home computers and then controlled by the spammer to send out spam (referred to as “botnets”).

2 – Communications Scope

“Electronic message” means a message sent by any means of telecommunication, including a text, sound, voice or image message.”

The key point with the above is that the scope of the bill, unlike the CAN-SPAM Act, is not restricted to electronic communications sent to an SMTP mailbox (mailbox@domain.com). Keep in mind that CAN-SPAM was enacted almost six years ago, an eternity in the pace of technological change.

3 – Broader Meaning of “Commercial Message”

“For the purposes of this Act, a commercial electronic message is an electronic message that, having regard to the content of the message, the hyperlinks in the message to content on a website or other database, or the contact information contained in the message, it would be reasonable to conclude it? has as its purpose, or one of its purposes, to encourage participation in a commercial activity, including …”

The key in understanding the above is “…or one of its purposes, to encourage participation in a commercial activity”. Compare this to CAN-SPAM where there is a distinction between commercial and transactional messages, where some of the legal requirements are relaxed for transactional messages (it should always be a best practice, though, to include an unsubscribe mechanism for transactional messages). While with CAN-SPAM certain organizations are exempt (e.g. religious, political) from the legal requirements, the case is different with bill C-27 where the nature of the message has to be closely scrutinized to determine the required legal compliance.

4 – Unsubscribe Mechanism and Sender’s Contact Information (Bill C-27)

“The message must be in a form that conforms to the prescribed requirements and must (a) set out prescribed information that identifies the person who sent the message and the person — if different — on whose behalf it is sent; (b) set out information enabling the person to whom the message is sent to readily contact one of the persons referred to in paragraph (a); and (c) set out an unsubscribe mechanism in accordance with subsection 11(1). (3) The person who sends the commercial electronic message and the person — if different — on whose behalf the commercial electronic message is sent shall ensure that the contact information referred to in paragraph (2)(b) is valid for a minimum of 60 days after the message has been sent.”

Both Bill C-27 and the CAN-SPAM Act require that an unsubscribe mechanism be made available to the subscriber and that the sender’s contact information be included in the message. The important difference, however, is that with CAN-SPAM the unsubscribe mechanism must work for 30 days after the message was sent; while with C-27 this time frame has been increased to 60 days. Both C-27 and CAN-SPAM call on senders to honor opt-out requests within 10 days (a best practice, of course, is to honor opt-out requests immediately or before your next mailing goes out).

5 – Private Right of Action

The CAN-SPAM Act restricts civil action to the Federal Trade Commission and Internet Service Providers. Bill C-27, by contrast, extends this to individuals and allows for private right of action where individuals are permitted to sue senders who allegedly have violated the law.

*******
On a related permission-based email marketing subject, you are welcome to attend a free Cypra Media-sponsored webinar Tuesday, June 2nd, at 2 p.m. EDT titled “E-Mail Deliverability: How to Get It Done”. Click to find out more information and to sign up.

Proceed at Your Own Risk

Sourcing Data from Co-Registration Sites is Like Dealing in Sub-Prime Mortgages:
Proceed at your own Risk

I don’t mean to simplify the reasons for the current sub-prime mortgage mess, but I see some telling parallels for email marketers who source data from co-registration sites.

1. Both are too good to be true.

Applicants were enticed to apply for unaffordable mortgages by the promise of low (or no) short-term interest rates and the promise of increased equity from higher and higher house prices (Buy now because it is going up!).

Similarly, sub-prime data-collection sites entice people with the promise of free stuff. What most do not say are all the steps, time, and information that the subscriber will have to provide before meeting the requirements for these gifts. Even the folks who muster the energy to complete the application process, will undoubtedly be less than appreciative when they receive seemingly endless streams of additional offers from email marketers.

2. Both follow the money.

Mortgage credit representatives are commissioned on the sales they bring in, not on who they turn down, even though an appropriate rejection is positive to the bottom line in the long run. A good mortgage company will have a credit department that uses readily available risk metrics to scrutinize the mortgage opportunity brought in by the sales representatives.

Email marketers, however, have a much more difficult time accurately assessing the quality of subscribers and generally must rely more on the reputation of the co-registration company: How long has it been in business? Does it have good referrals? What does the sign-up site look like? Would subscribers really want to receive content from you? Most co-registration agreements are priced around the number of subscribers provided: the more subscriber names, the more revenue generated. For the co-registrar, not for you.

If you are not asking the right questions, you are not going to achieve email deliverability and marketing success. What’s worse, you risk getting yourself into legal problems (e.g. under CAN-SPAM) should you not do your homework.

3. Both use bad data.

Contributing to the sub-prime mortgage crisis was that loan risk assessment checks (debt-to-income ratio, credit history, long-term prospect of meeting interest payments) were ignored. Similarly, email marketers often don’t evaluate the suitability of data from a co-registration site. Is a check done to confirm that the email address is valid? Is a check done to validate the accuracy of the data (e.g. does the zip code fall in the state indicated)? How many other marketers are receiving the subscriber’s information? What information is collected? What content is the subscriber truly interested in receiving? You will not cultivate a good company and IP reputation with AOL, Yahoo, and the other ISPs you are sending to if you send to the wrong people, uninterested people, or non-existent people.

4. Both are – er, sorry, no bailout for email marketers.

Sure, governments are stepping into the breach with bailouts for mortgage lenders and investment banks. But if you use co-registration names, don’t be expecting anybody to bail you out anytime soon.

###

Andrew O’Halloran is manager of privacy and ISP relations at Cypra Media, an authority in permission-based email marketing and email delivery, based in Montreal. He may be contacted at a.ohalloran@cypra.com.

Feedback Keeps You ‘In the Loop’

In my last blog post, AOL’s Launch of Its New Reputation System, I wrote about DKIM and the role it will play in AOL’s domain sender reputation system. There is as of recently another reason to pay attention to DKIM: Yahoo now requires DKIM as a prerequisite to participate in its new Complaint Feedback Loop (CFL) program.

Internet Service Provider (ISP) complaint feedback loop (CFL) programs are one of the most important tools available to the permission-based email marketer. Registering for these programs helps ensure that you are kept in the loop whenever recipients generate spam complaints through clicking on the “This is SPAM!” button.

I can’t overstate the value and importance of registering for ISP complaint feedback loop programs – it should be done before you send out even your first message. If you choose not to sign up for such a program or ignore the feedback information, you do so at your own peril. I guarantee you that the ISP in question is monitoring spam complaint data very closely and this will affect your sender reputation (IP and/or Domain).

In a nutshell, the fewer complaints, the better your reputation; the better your reputation, the better your deliverability, and therefore the better ROI you can achieve as a result.

Complaint data – Analyze, learn, improve.

Most permission-based email marketers take the right approach and remove subscribers who complain. In fact, your email delivery system should be able to automatically process the feedback notifications and unsubscribe the complainer from your list database.

There is, however, a whole lot more information that you may want to consider from CFL information that can benefit your overall email-marketing strategy. Here are just a few examples:

Trend Analysis: Here the idea is to look at the aggregate spam complaint data for trends. For example, a spike in complaints may signal an error somewhere such as the wrong list being used. Similarly, a sharp drop in complaints (usually a good thing!) may ironically signal a technical problem such as a blockage preventing reception of the feedback complaint notifications; a system error in processing them, etc.

Creative Analysis: You may be sending content that recipients want to receive, but if they don’t recognize the message (e.g. poor choice of ‘From’ line, ‘Subject’, or no alt-text to describe the blocked images) they may complain. Similarly, if the opt-out link is difficult to find, the recipient may well choose the path of least resistance – clicking on “This is SPAM”.

Segmentation Analysis: For example, you may be receiving data from many different sources. By correlating the SPAM complaint metrics to the data source, you can gain a better appreciation on each segment’s interest and preferences.

Again, the above are just some areas where complaint metric data can prove insightful – and we haven’t even touched on other performance metrics such as opens, clicks, unsubscribes, etc.!

Get in the loop!

AOL, Yahoo, Microsoft Hotmail and Comcast are among the ISPs that have sender complaint feedback loop programs in place. Be warned, though, that the names of these programs, applicant prerequisites (e.g. DKIM), and processes vary according to ISP.

Navigating the registration and configuration for each ISP’s complaint feedback program can be frustrating, particularly for those new to email marketing, but it is well worth the investment. Get help if you need to, because in the end CFL information is a vital way of keeping in touch with your reputation as a sender.

AOL’s Launch of Its New Reputation System

Get ready soon for AOL’s Launch of its new DKIM based domain sender reputation system

Sometime in the first half of the year, AOL will begin to implement its new DKIM based domain sender reputation system.

A reputation system works in a two-step process. The first step is authentication (who are you?) and the second is authorization. The latter basically translates into what rights or benefits will be authorized to you as a sender. For instance, if your sender reputation is good, then you may benefit from being authorized to send higher volumes of email, have more of those emails delivered to the inbox, etc. An analogy is the relationship between a passport and a visa. The former identifies you and the latter describes what rights you have been granted (e.g. visit the country, work in the country, etc.).

DKIM

Reputation systems work in different ways. Some focus on the IP address, some on the sending domain, and others on a combination of the previous two. The exact method in which the authentication check is done relates to the underlying technology in effect such as Sender Policy Framework, SenderID, and DKIM.

DomainKeys Identified Mail (DKIM) is a cryptographic email authentication method, making it possible to detect email forgery (“phishing”) by validating that the message actually comes from the domain that it claims to have come from. Signing outgoing messages with DKIM helps senders protect their domain and brand reputation against deceptive abuse by spammers.

Don’t Panic

AOL has put a lot of thought and consideration into how to roll out DKIM-based domain reputation alongside the current IP-based reputation system. Only one system will be used at a time. If the message is signed with DKIM, then the domain reputation system will be used. If not, then the IP-based reputation will be used. I am sure many computer scientist “types” will argue that a combined IP and domain based reputation system would provide a better reputation score. This, however, misses an important consideration: the more complicated the score calculation, the more difficult it is to understand and troubleshoot, and the less likely senders are to correctly identify problem areas and improve on them.

Change is Good

Of course, AOL is not forcing you to start signing messages using DKIM. However, don’t put it off without also thinking about the benefits you are missing out on. For one, you have a lot more flexibility in your choice of infrastructure. Without DKIM, for example, you could lose a whitelisted AOL IP if your current ISP hosting company goes out of business. In this case, you basically would have to start from scratch: find a new server, build the reputation on the IP, apply for whitelisting, etc.

However, with AOL’s DKIM based domain reputation system, you don’t have to worry about such IP problems because with DKIM-based signing no “warm-up” period is required for a new server. Just bring the new server online, sign email using DKIM, and continue to send the same email volume you were sending before.

AOL has no plans to expire a domain’s positive reputation from inactivity such as what happens now with AOL’s IP based reputation system. This is of course great news for business models and organizations where email campaigns are sent on a seasonal basis or only during certain times of the year.

Make the Leap

In the end, there should not be a whole lot holding you back from at least planning to start signing your messages with DKIM soon. As a reputable permission-based email marketer, you put a lot of work into developing and maintaining your company and domain reputation. Don’t let that go to waste: take advantage of DKIM not only to protect your reputation, but also to maximize deliverability.

Stay tuned for AOL to publish a DKIM FAQ on its postmaster site.

Got questions or topics you’d like to see addressed in this blog? Email me at a.ohalloran (at) cypra.com. My company’s web site is www.cypra.com.

Permission Based Marketing Done Right

Happy new year!
 
I’m Andrew O’Halloran, manager of privacy and ISP relations at Montreal-based Cypra Media, where we’re committed to fostering best-practice, permission-based email marketing for our clients.
  
Before joining Cypra, I was product manager at an anti-spam technology company, so I have a keen understanding of the threats and challenges businesses and consumers face in the online world, but also a strong appreciation for the high value that permission-based email marketing can bring to both these groups when practiced well.  
  
In this blog, I’ll be sharing with you some of the ways we help our clients maintain a best-practice profile, including but not limited to legal and regulatory requirements; ISP and industry changes and how they may affect you; the importance of building and maintaining your reputation; and segmentation and targeting strategies that maximize (long-term) ROI. The most important message I want to convey is that a sound permission-based email marketing strategy takes time, discipline, and a long-term perspective. The key is bringing all this together into a comprehensive strategy AND executing. For some it may seem a daunting challenge, but one that is very realistic to achieve, and in most cases without any change to revenue.

In the coming year, I hope my blog entries will also help you get, or remain, on the cutting edge of best practice.

Got questions or topics you’d like to see addressed in this blog? Email me at a.ohalloran (at) cypra.com. My company’s web site is www.cypra.com.
