MAPS: Only Verified Opt-In Is True Opt-InEditor's note: DM News and its sister publication, iMarketing News, offered Mail Abuse Prevention System founder Paul Vixie the opportunity to explain his philosophy and actions to marketers. This is the second and final installment.
Last week I explained why networks, servers and mailboxes were private property and, therefore, subject to rules and decisions made by their owners. I also gave some support for the view that the implicit rule governing the use of distant mailboxes was that no mailbox would ever be added to an automated distribution list without the permission of its owner.
Now I'd like to go deeper into what "permission" really means in this context. There are different ways to create distribution lists for direct e-mail marketing, some requiring more permission than others. The spectrum runs as follows:
• Reactive opt-out.
• Proactive opt-out.
• Unconfirmed opt-in.
• Confirmed opt-in.
• Verified opt-in.
Let's look at each.
Reactive opt-out is at the lowest end of the permission scale. It requires no permission before an address is added to a list, demanding instead that owners of a mailbox take reactive steps to remove themselves from each new list to which they find themselves added.
This is clearly not a scalable solution -- as well as being a clear violation of the mailbox owner's property rights. If a mailbox's address is on some list that is being sold, then the mailbox owner can expect to receive at least one mailing from every buyer of that list -- there's no end to it, no way to request removal from the master list.
In practice, mailbox owners have universally learned NOT TO REPLY to mail of this kind, requesting removal, since such replies often bounce or go unheeded, and occasionally result in EVEN MORE MAIL since their reply is used by the sender as evidence that the mailbox is actively read. Therefore, no one in the bulk e-mail business should treat lack of complaint as an indication that the recipients are happy to get the mail.
Proactive opt-out is a slight improvement, since it empowers some central agency (this could be the Direct Marketing Association, the Federal Communications Commission or the U.S. Postal Service) to maintain a list of addresses whose owners do not wish to receive any kind of unsolicited bulk e-mail. Heralded by many as the e-mail equivalent to the DMA's Mail Preference Service, this approach ignores the critical difference between e-mail and postal mail: The cost of postal mail is paid entirely by the sender, while the cost of e-mail is shared between the sender and the recipient. ANY unsolicited bulk e-mail shifts some of the cost of distribution to the recipients, and mailbox owners should not have to register their addresses with a central authority to prevent this theft of service.
Note that if there were any operational merit in this approach, then its authors would recommend a central database of addresses whose owners DO want to receive bulk e-mail; under those conditions, such mail would no longer be unsolicited. Those of us with dozens of different mailboxes will NOT suffer the burden of registering each new address in order to express a preference that has been the DEFAULT since 1970 or earlier.
Unconfirmed opt-in was once considered better than the various forms of opt-out, since a list owner would only add addresses if asked to do so by their owners. As the Internet industry matured and garnered more and more users from the nontechnical sector, unconfirmed opt-in has been abused and is no longer usable in any form.
Abuse generally consists of sending "please add me to your list" requests with forged addresses. I have been "forge-subscribed" to hundreds of lists over the years. It can take weeks to go through all the incoming mail that results from this abuse, unsubscribing from each list in turn. And in the aftermath of such an attack and cleanup, all the attacker has to do is spend five minutes rerunning the original script, and the victims are back where they started.
Unconfirmed opt-in is just not a consumer-friendly approach. Lists built with unconfirmed opt-in are public nuisances.
Confirmed opt-in is thought by some to solve the problems of unconfirmed opt-in, since after a subscription has been received and entered, an automatic reply is sent to the address that was forged on the request. This confirmation message usually gives instructions on how to unsubscribe so that the victim of a forge-subscribe attack can perform the cleanup in days or hours rather than the several weeks needed for unconfirmed opt-in. This is still an undue burden on the recipient.
Unconfirmed and confirmed opt-in also suffer from a property rights problem, since the bulk e-mail that will be received between the forged subscription and the final successful cleanup unsubscription is unsolicited. It doesn't matter that the bulk e-mailer believes the traffic was solicited. Forgeries are so common and so trivial to send that the receipt of a "please subscribe me to your list" message NO LONGER creates a presumption that bulk e-mail has been solicited.
Verified opt-in, sometimes called "fully verified opt-in," is the gold standard in permission-based bulk e-mail. The basic idea is to make these "please add me to your list" requests impossible to forge. This is often done by sending one message to the prospective new mailbox, containing some unique secret that must be entered into the bulk e-mail system to complete the subscription process and start the flow of e-mail. The secret is usually a random number or random sequence of letters, and the way to enter it is usually to click on a Web link or to reply to the verification message. Other approaches to stopping forgery include X.509 S/MIME or PGP mail, which authenticates a request by virtue of some kind of public key encryption system.
This approach has been occasionally mislabeled "double opt-in," since verification is often done with a second e-mail message (which is the subscriber's reply to the verification message). I say mislabeled because it makes no difference how the authentication is performed -- what matters is only that forgery be ruled out. A bulk e-mailer who has records showing the initial subscription request and some kind of verification of the authenticity of that request can validly presume that bulk e-mail has been solicited by the owner of that mailbox.
There is no question that fully verified opt-in is more expensive to implement and operate than any lesser approach. There's also very little debate that the sign-up rate for fully verified opt-in lists is lower as a result of the cooling-off period offered to folks who can change their mind in the few seconds, minutes or hours it will take for the verification process to complete.
However, no one can doubt the costs of handling complaints from people who never signed up or the reputation costs of being thought of as a spammer. There's also a real competitive advantage: When Wall Street looks at the marketing strengths of a company, the analysts and auditors treat the size of a fully verified opt-in list as "hard" and the size of any other type of list as "soft."
If you have a list that you did not build yourself using at least unconfirmed opt-in, you should toss it away and start a fresh one.
If you have a list built with unconfirmed or confirmed opt-in, then you should audit it by sending gentle e-mail probes to try to detect silent sufferers. If you find any silent sufferers, you should challenge the whole list -- that means sending them a one-time verification message, then deleting any address that does not respond.
Audit probes and verification challenges will be annoying to those of your subscribers who are happy with their subscriptions and don't understand why you and their other bulk e-mail suppliers keep bugging them about their subscriptions.
Following any standard less permission-oriented than fully verified opt-in means that you eventually will send unsolicited bulk e-mail, maybe just a little bit, maybe quite a lot, to people who will be annoyed because they think only a spammer would do that. This annoyance also has a cost, however intangible. The cost of being thought of as a spammer is MUCH HIGHER.
The MAPS team did not originate these rules, but rather it formalized and documented the community's age-old doctrines. It is not up to the direct e-mail marketing industry to attempt to define its own rules, but rather, to recognize and follow the rules of the Internet industry it is joining.