What's So Funny About E-Mail Authentication?
I have watched recent developments in the e-mail authentication, reputation and certification debate with some interest. Here at Q Interactive we send a lot of e-mail. Over the years, 45 million people have registered at one of our sites, and 80 percent requested to receive periodic e-mail from us. We also have spent the past year developing e-mail services for The Q Network, our publisher network, which uses registration and behavior data to deliver relevant offers to consumers with their explicit permission and a guarantee of their privacy.
First let me state that any effort to improve the deliverability of e-mail that people have requested to receive is a good thing, and any effort to block e-mail that they have not asked to receive is also a good thing. This is why we have been active supporters of SPF, Sender ID and DomainKeys Identifed Mail. We also were an early supporter of Bonded Sender (now called "Sender Score Certified"), and, though we have reservations about the cost, Goodmail seems to us like another interesting option.
Despite all of these promising open standards, however, glaring issues remain in authentication and certification that the e-mail industry has yet to address. For example, many providers of e-mail services to consumers rely on a blunt instrument to determine the legitimacy of an e-mail sender: the "This is Spam" button, which lets consumers label any e-mail in their inbox as spam with a click of their mouse.
This is Spam?
Though some see this function as a harmless way to address consumer spam concerns, Internet service providers use these consumer clicks to dictate inbox delivery policy. Many ISPs have set thresholds for what percentage of a sender's e-mails can be marked as spam by their consumers before the sender is removed from their whitelist, filtered and/or blocked.
This approach has a few problems. Namely, consumers often are confused about what the "This is Spam" button means. A recent JupiterResearch report found that 67 percent of consumers think clicking "This is Spam" is the same thing as unsubscribing from legitimate e-mail they consented to receive. In our experience, we have found that when surveyed after the fact, nearly 60 percent of consumers who marked one of our e-mails as spam told us they neither wished to unsubscribe nor intended to mark the e-mail as spam.
Less-scrupulous marketers get around ISP thresholds by rotating domains, switching IP ranges and changing "from" lines, while those of us who play by the rules, follow the laws and adhere to best practices are left to take the brunt of the policy. A full 60 percent of companies reported that such erroneous spam filters have harmed their e-mail campaigns, according to a separate JupiterResearch report.
What I find just as problematic - and most ironic - about the reputation and certification debate is that legislative and corporate initiatives have left a giant hole for non-permission-based marketers (spammers) to drive through. Nothing stops providers from getting a consumer to agree to receive "offers from third parties" and then selling those e-mail addresses to anyone who will buy them. In fact, this practice is specifically sanctioned by the following CAN-SPAM legislation passage that discusses affirmative consent:
"...if the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient's electronic mail address could be transferred to such other party for the purpose of initiating commercial electronic mail messages."
This is where faux permission starts and the roach motel of e-mail marketing begins: Consumers "opt in" but they can't opt out because they have no idea which companies purchased their information and then turned around and resold it to even more companies.
This loophole lets third parties legally buy e-mail addresses and mail to them when the consumer has never heard of their company and never opted in to receive e-mails from them - while still claiming to be "opt in" compliant. Sending e-mail from a brand or company that the consumer has not given consent to sounds to me like unsolicited e-mail - the essence of spam.
What truly mystifies me is that several e-mail providers have raised more than $100 million in venture capital funds from prominent venture capital firms even though they send unsolicited e-mail to consumers who have not provided direct, affirmative and specific consent. I just don't believe it is OK for consumers to receive e-mail from a sender where the "friendly from" and return e-mail address are unknown to them.
Though authentication and reputation are vital, I suggest that the industry would be well served to address the weaknesses in how consumers report spam and how some prominent third-party e-mailers abuse the concept of permission and stretch the meaning of "opt in."