The Email Senders and Providers Coalition (of which I am the co-chair of the Technology committee) announced today that all members must support MD5 suppression lists by the end of the year. Most ESPs support this already, but there are still some laggards.
Download the full document at http://www.espcoalition.org/042309encryption.php
If you are an Email Marketer
Talk to your email service provider about it! Make sure that you are securing your suppression lists with MD5 and that you are not exposing your users to extra risk and yourself to unnecessary liability. Just because your ESP supports MD5 does not mean that they use it by default. In fact, most ESPs require that you ask them to turn it on.
Talk to your affiliates about it! Make sure that any affiliates who send email on your behalf know that this issue is important to you and that they need to be prepared to accept MD5 suppression lists from you.
If you are an Affiliate Marketer
Make sure you are ready to accept MD5 suppression lists. Make sure your email software or email service provider accepts MD5 suppression lists for your mailings. If your mailing software doesn't support it, you might find it helpful to use this free desktop application from UnsubCentral that lets you compare to MD5 files on your hard drive.
If you are an Email Service Provider
Make sure you support MD5 suppression lists for one-time upload, permanent upload, and for download. This means that a list owner should be able to upload an MD5 encoded file of email addresses into your system as permanent unsubscribes or just to suppress against one single mailing. It means that a list owner should be able to easily download an MD5 encoded suppression list of all the unsubscribes their list has received through your system.
Educate your customers about why they should use MD5 and how it can help protect their subscribers from spam and themselves from legal liability and deliverability challenges. By using MD5 instead of plain text, you make it less likely that a suppression list will get abused and that your sending reputation will be tarnished.
How does this affect deliverability?
Lashback tracks unsubscribe compliance by IP address, and if your customer's suppression files end up in the wrong hands it will reflect poorly on your IP address reputation. Lashback's UnsubScore is one component of Return Path's Sender Score, so getting a black mark from them could affect your deliverability at many ISPs.

If you're using MD5, then I would assume that you also require all lists to have been properly swept with some sort of shared and agreed upon canonicalization.
For example, jake@mailvivo.co.uk and jAKE@mailvivo.co.uk are completely different when put into MD5.
If this isn't being done, the suppression list becomes rather easily breakable.
Full Disclaimer: I appreciate this is probably a stupid question
Jake, that's not a stupid question at all. It's very important! Even though the RFC allows for case-sensitive email addresses, most email systems do not. To be on the safe side, we recommend lower-casing all email addresses before you hash them.
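The lower-casing recommended in the reply above, applied on both sides of an MD5 suppression check, as an added example that is not part of the original post or comments. The function names, the one-digest-per-line file layout, the whitespace trimming and the `example.com` address are assumptions; the sample data is constructed.

```python
import hashlib

HEX = set("0123456789abcdef")

def canonicalize(address):
    """Shared canonical form: trim whitespace (assumption) and lower-case."""
    return address.strip().lower()

def md5_hex(address):
    """MD5 hex digest of the canonical form of an address."""
    return hashlib.md5(canonicalize(address).encode("utf-8")).hexdigest()

def load_suppression(lines):
    """Parse a suppression file with one MD5 hex digest per line.

    Digests are compared case-insensitively. Any line that is not a
    32-character hex string (for example a plain-text address that slipped
    into the file) is rejected rather than silently ignored.
    """
    digests = set()
    for number, raw in enumerate(lines, 1):
        token = raw.strip().lower()
        if not token:
            continue
        if len(token) != 32 or not set(token) <= HEX:
            raise ValueError("line %d is not an MD5 hex digest" % number)
        digests.add(token)
    return digests

def suppress(mailing_list, suppressed):
    """Split a plain-text mailing list into (keep, dropped) address lists."""
    keep, dropped = [], []
    for address in mailing_list:
        (dropped if md5_hex(address) in suppressed else keep).append(address)
    return keep, dropped

# Constructed sample: the list owner exports upper-case digests, and the
# sender's own list holds the same subscriber with different casing.
SAMPLE_FILE = [md5_hex("jake@mailvivo.co.uk").upper() + "\n", "\n"]
SAMPLE_LIST = ["jAKE@mailvivo.co.uk ", "anna@example.com"]

if __name__ == "__main__":
    keep, dropped = suppress(SAMPLE_LIST, load_suppression(SAMPLE_FILE))
    print("send to:", keep)
    print("suppressed:", dropped)
```

If either party skips `canonicalize`, the two spellings from the comment produce different digests and the unsubscribed address is mailed anyway.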
I think MD5 is a really precious tool used to encrypt the email data. But make sure that MD5 cannot be decrypted, meaning an email address that is hashed is only ever available as a hash. Therefore, no physical email addresses are compromised and consumer data is protected.