spf-discuss

RE: Good Domain List one step closer to reality (actually two steps)

2004-08-18 08:30:25
Seth - 

The issue is whether we intend to allow reputation services
that are paid for by senders to become a virtual necessity
to get mail reliably delivered.  

At present, for anyone running a verified opt-in mailing
list, from all my inquiries, to have any reasonable delivery
rates compared to what the situation was a year ago before
passage of the CAN SPAM Act, this is the present reality. 

It happens in two ways in the market. You either join an
accreditation service, or you use an accredited 3rd party
email service provider to do your mailings for you.

At present the only accreditation services available in the
market are paid.

Now, you can still get mail delivered, but due to the
volume levels and gateway filtering, delivery rates have
plummeted.

Messages are not delivered. In many cases the sender has no
real idea as to why. A lot of filtering and bouncing tells
the sender, address unknown, when this is not in fact the
case. 

You go on to write:

That would be an extremely bad thing to happen to email,
unless you are a bulk mailer with deep pockets.  This is
something that we should fight strenuously.

Let's step back and ask why are we here?

We are here in part due to:

* The need for email filtering;

* The Agreement reached in May, 2003 by CAUCE to support
TEOS;

* The decision in September, 2003 by ESPC to support LUMOS
and so Bonded Sender; 

The Email Service Provider Coalition withdrew its total
support for Bonded Sender this spring over disagreements
concerning how the financial penalties are imposed and the
lack of transparency in dealing with complaints.

* The decision in October, 2003 by the big mail providers
to support sender paid schemes to allow the providers to
sort 'good' email from 'bad' email.

* How the American law was drafted in consultation with
industry and the regulatory agencies; and,

(There is a provision in the Act calling for an IETF
approved seal in section 11 (2))

* The decision not to implement a National Do Not Email
List.

(Which made sense without the widespread implementation of
sender authentication.)

Do the decisions made in May, September and October of 2003
apply to domain owners who use a domain for identity
purposes, who don't run a mailing list and send personal
and business mail on a day to day basis? In my view the
logical consequence is clear.

The thinking? 

* In the absence of being able to establish a good
reputation, those caught in the grey area can either have
their mail filtered or sign up with an accreditation
service. 

* Once you establish a good reputation through the use of
an accreditation service, you can withdraw and continue on
with the reputation you have established.

The reality?

Don't know. I know that I saw this coming in October, 2003
and others saw it a year prior.

With sender authentication, this only takes us part of the
way. The other part of the loop is reputation, or sorting
'good' from 'bad.'

Since there can be no agreement on what is 'good,' as
ultimately this is subjective based on content, as well as
objective based on is the sender verified opt-in, confirmed
opt-in, unconfirmed opt-in or opt-out, apart from the use
of reputation services, there will be an ongoing need for
filtering. 

Some argue, if the list is verified opt-in the issue of content
is between the sender and the ultimate recipient. 

I happen to agree with this position. As an end user, if I have
verified my consent to receive an online newsletter,
transactional messages or commercial messages, what is the basis
of my internet access provider filtering this email?

If I want to sign up for an online porn newsletter or an online
newsletter about fine art and I have given my verified consent to
the publisher, what is the basis for the internet access provider
to check the content?

The decision whether to proceed in this direction is between the
receiving community and end users. 

If the receiving community were to say, in the case of verified
opt-in, we will not run gateway filtering checks and instead
leave content filtering to the end user, this would make it a lot
easier to sort out some of the underlying issues. 

I am not holding my breath :-)

In dealing with accreditation services, you say from the
perspective of the receiving community follow the money. 

You argue any accreditation service which takes money from
the sending community is therefore beholden to this
community and you seem to be saying except in the case of
bulk mailers with deep pockets, we should reject the use of
accreditation services.

The problem is this leads to special treatment for those
with deep pockets, unless receivers decide the use of an
accreditation service by a sender gives rise to a
presumption the sender is a spammer. 

But this is not the case. Many large corporate senders do
run verified opt-in mailing lists. Why should they be
penalized?

Receivers are going to check email through the use of
sender authentication, along with checking to see whether
the sender has a "good reputation" and depending on the
results and the receiver's local policy the use of header
and content filtering.

Many senders will not be able to establish any reputation
due to lack of volume.

Receivers to protect their networks will continue to
subject these messages to header and content filtering. 

For some senders this is fine. However, some senders may
decide, since I follow best practices (verified opt-in) and
email delivery is critical, I am prepared to pay for
accreditation to reduce the risk of my messages being
rejected due to false positives and the like.

Is this appropriate? Why should accreditation services be
staffed by volunteers? Why should receivers have to pay for
this information?

In looking at the value of an accreditation service, money
is not the issue, it is the standards set by the service
and how these are enforced.

What should be the result? At present we have:

* Senders who use services which accredit volume bulk
mailers who do not use verified opt-in, but simply
unconfirmed opt-in, along with implied consent based on a
pre-existing business relationship, subjecting violators to
fines and depending on violation levels loss of
accreditation.

* Senders who use services which only accredit bulk mailers
who use verified opt-in and black list violators.

* Senders who use accreditation services which allow
receivers to access sender characteristics based on a list
of criteria.

How receivers use this information is up to receivers.

The biggest problem I have with your argument is the
postulation because the sender is paying for accreditation,
this means the accreditation service will be less than
truthful about sender characteristics. You then use this
postulation to conclude all accreditation services are
therefore tainted.

The presumption that because the sender pays means the
accreditation service will not provide accurate information
belies the reality. If this position were correct, receivers
would not even consider using these services.

It is this negative presumption which defeats the value of
the argument "follow the money." 

Further, the position only volume bulk mailers with deep
pockets should pay gives special treatment to this class of
senders.

This is the very fear of many, given the lack of legal
prohibition against sending unsolicited bulk email and the
present lack of clarity as to what is required to show
affirmative consent.

On this last point I note more and more people are coming
to the conclusion, verified opt-in is required to prove
affirmative consent.

What heightens the problem is that some internet access
services are willing to cater to bulk mailers who according
to some standards are sending solicited mail, but according
to other standards are sending spam. 

If we set up a system which only requires accreditation for
bulk mailers with deep pockets, how do you distinguish good
from bad for the rest? 

Rely upon reputation services created by volunteers and
real time block list operators operated by volunteers for
the benefit of receivers? 

Why does the receiving community expect that these
individuals should be altruistic? 

Since internet access service providers are charging users
money for access, why should these providers get access to
a real time feed for free?

Even with reliance upon reputation services, which include
real time feeds from block list operations, the position is
receivers still need to use filters.

This of course takes us full circle and reminds me of the
song "There is a whole in the buck, dear Lisa" :-)

John
 
John Glube
Toronto, Canada
 
The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
 

 

