Policy At Scale: Figuring Reputational Damage

How important is policy?

Policy not only reflects but is also a product of reality. Policies are created as a reflection of what a company wants to do and how it will pursue its business. For some companies, “we will try to get away with doing no more than the law requires.” For others, it reflects what they see as required by the world at large.

Me? I’m a “world at large” kind of guy. I’ve already mentioned this, but there isn’t a point in having a policy that only hews to the minimum requirements of the law.[1] You must do whatever the law requires, whether by policy or default. So, that kind of policy doesn’t serve any purpose.

When looking at the world, we find that receivers have their policies. Those policies govern what they allow their users to send out from their systems and what kinds of mail they will allow coming in from the wider world. A good example of this is Microsoft’s:

Microsoft prohibits the use of the service in any manner associated with the transmission, distribution, or delivery of any unsolicited bulk or unsolicited commercial e-mail (“spam”). You may not use the service to send spam. You also may not deliver spam or cause spam to be delivered to any Microsoft service, Web site, or customer.[2]

This kind of policy requires more than United States law does. Its standard is quite a bit higher. The CAN-SPAM Act allows unsolicited commercial email within specific parameters, but this policy does not.

Understanding reputation systems

Everyone uses reputation to make decisions every day. Whether that is deciding which restaurant to get dinner from, considering how many stars an Uber driver has, which charity you will contribute to, or whether the person who sits at the other end of the conference table would be a good friend, we all use various forms of reputation metrics and monitoring to make decisions.

As a rule, most email reputation systems will start with a default status of accepting the message and delivering it to the inbox. But that default can be changed by a whole host of factors.

Those factors can be summed up as permission, cadence, and relevance. That is to say that companies who don’t get permission, who send too much (or too little), or who send messages that aren’t relevant will, over time, find themselves penalized.

That penalty can be attached to the IP address, the sending domain, a domain used for a link in the body of a message, or the text of the message itself. One large mailbox provider recently said they will attach reputational scores “to anything that we logically can.”
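To make the mechanics of the preceding paragraphs concrete, here is a small reputation ledger written as an added example for this post (it is not the post’s own code and does not model any particular mailbox provider). Every message starts at the default of “inbox”; a complaint or listing adds penalty points to every identifier the receiver can “logically” attach a score to (source IP, sending domain, each link domain in the body), and the worst-scoring identifier decides the disposition. The thresholds, point values, IPs and domains are constructed for illustration.

```python
"""Toy multi-identifier reputation ledger (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hostnames of http/https links in a message body (simplified; assumption).
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Message:
    source_ip: str
    from_domain: str
    body: str

    def identifiers(self) -> List[str]:
        """Every key a receiver could attach reputation to for this message."""
        keys = [f"ip:{self.source_ip}", f"domain:{self.from_domain.lower()}"]
        for host in LINK_RE.findall(self.body):
            keys.append(f"link:{host.lower()}")
        return keys


@dataclass
class ReputationLedger:
    # Penalty points per identifier; an absent key is clean (default accept).
    penalties: Dict[str, int] = field(default_factory=dict)
    spam_folder_threshold: int = 5   # constructed threshold
    reject_threshold: int = 15       # constructed threshold

    def penalize(self, msg: Message, points: int) -> None:
        """A complaint or listing taints every identifier in the message."""
        for key in msg.identifiers():
            self.penalties[key] = self.penalties.get(key, 0) + points

    def score(self, msg: Message) -> int:
        """The worst single identifier decides; one bad link domain is enough."""
        return max(self.penalties.get(k, 0) for k in msg.identifiers())

    def disposition(self, msg: Message) -> str:
        s = self.score(msg)
        if s >= self.reject_threshold:
            return "reject"
        if s >= self.spam_folder_threshold:
            return "spam-folder"
        return "inbox"


def demo() -> Dict[str, str]:
    """Walk a constructed campaign through the ledger and return each verdict."""
    ledger = ReputationLedger()
    # Constructed sample traffic: a campaign sent without permission.
    campaign = Message("192.0.2.10", "deals.example", "Buy now http://promo.example/x")
    results = {"before": ledger.disposition(campaign)}  # default accept

    for _ in range(3):                 # three recipient complaints, 2 points each
        ledger.penalize(campaign, 2)
    results["after_complaints"] = ledger.disposition(campaign)  # 6 points: spam folder

    # A different sender with a clean IP and domain that reuses only the link domain
    # inherits the link domain's penalty.
    affiliate = Message("198.51.100.7", "shop.example", "See http://promo.example/y")
    results["affiliate"] = ledger.disposition(affiliate)

    # A blocklist-style listing against the IP and domain pushes past the reject line.
    ledger.penalize(Message("192.0.2.10", "deals.example", "no links"), 10)
    results["after_listing"] = ledger.disposition(campaign)  # ip at 16 points: reject
    return results


if __name__ == "__main__":
    for stage, verdict in demo().items():
        print(f"{stage:17s} {verdict}")
```

The point the code makes that the prose only states is the spill-over: the affiliate message never earned a complaint of its own, yet it lands in the spam folder because the link domain it shares with the bad campaign already carries the penalty. That is why a provider’s reputation is hostage to the worst slice of its customers.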

Figuring individual reputation damage

If a customer does not abide by the rules set by the incoming server, they can expect to be penalized. If they gain enough penalty points, they can expect their message to be redirected away from the inbox or rejected/bounced. In most cases I get called in to “please review and assist” because the customer has done something that warrants penalization.

Convincing this customer that they need to change any deviant process to comply with your policy is often challenging. There is a good chance they have made some money with the new method or have engaged in a given practice for a long time. Sometimes, it may be resolved with a pointer to something like this blog post or the M3AAWG Position on Email Appending[3] to show broad industry support for the provider’s policy. Other times, the answer is simply, “This is our policy and must be followed.”

Policy at scale: Broader issues

If enough customers are causing problems, broader penalties can be applied. Sometimes, this may happen with a single customer who has caused the same problem multiple times. Regardless, a provider’s general reputation can be determined by the bottom 20% of their customers (or what they’ll allow, even if they don’t encourage it).

It was April of 2012. Suddenly, a ripple started going through industry contacts, and an SBL number was shared. The Spamhaus Project listed all of the IP space of a particular email service provider after one of their larger accounts generated many listings over a few months. The statement on the listing said that the repeated listings without changing the customer’s behavior meant that the provider was as much a part of the problem as the customer. There were seven very broad listings and four additional direct listings for things like web servers. The ESP’s seven listings were all taken care of by the end of the day, but what a day that must have been! Years’ worth of reputation-building work was undone in a very short amount of time.

This is what policy at scale looks like. You want to do the best job that you can for each customer. You try to bring them along and help them as much as possible. And, whenever possible, you advocate on their behalf. But, at the end of the day, policy compliance exists to protect the company, not the customer, and the larger the company, the less critical any individual customer or group of customers can be to that calculus. That means that you sometimes have to terminate a customer for failure to comply with policy no matter how much they’re paying — because chances are excellent that they are not paying enough to cover the increased support costs, increased attrition rates, and other things that would come with all customers spending around 8 hours unable to deliver their mail because their provider was considered to be a spammer.

It’s really hard to draw that line. If you can convince a customer to comply with your policy, then you get to keep the customer (and, let’s face it, their money), AND you’ve decreased the amount of spam on the Internet. If you terminate the customer, you’ve shifted the problem elsewhere. Everyone wants “the win” that comes from keeping customers and getting them to do the right thing. But, sometimes, you just can’t.

Epilogue

I once had an account executive tell me that a customer would “indemnify us” if we let them violate our policy. They wanted to know what kind of number they might be looking at to do so. I replied that we would be looking at increased support costs for an unknown period that wouldn’t be fewer than 30 days. This would lead to a loss of goodwill, a decrease in our corporate reputation among receivers, and higher attrition rates in our other business lines. So, that number would probably have to approximate the combined booking amount for all our other customers.

They decided to abide by our policy.

Footnotes

  1. Mickey Chandler, Policy At Scale: The Purpose Of A Policy Is Protection, Spamtacular (Mar. 12, 2020), https://www.spamtacular.com/2020/03/12/policy-at-scale-the-purpose-of-a-policy-is-protection/ (last visited Mar 19, 2020).
  2. Microsoft Support, Microsoft Anti-Spam Policy, Microsoft Support, https://support.microsoft.com/en-us/topic/microsoft-anti-spam-policy-e4506f97-694f-49bc-8231-cac4369afcb8 (last visited Mar 19, 2020).
  3. Messaging, Malware and Mobile Anti-Abuse Working Group, M3AAWG Position on Email Appending (2019), https://www.m3aawg.org/sites/default/files/m3aawg_apending_position_update-2019-01.pdf (last visited Mar 19, 2020).

Mickey

A recognized leader in the fight against online abuse, specializing in email anti-abuse, compliance, deliverability, privacy, and data protection. With over 20 years of experience tackling messaging abuse, I help organizations clean up their networks and maintain a safe, secure environment.