Are you using MD5 for your suppression lists? You should be.

The Email Senders and Providers Coalition (of which I am the co-chair of the Technology committee) announced today that all members must support MD5 suppression lists by the end of the year. Most ESPs support this already, but there are still some laggards.

Download the full document at http://www.espcoalition.org/042309encryption.php

When the CAN-SPAM act was passed in 2004, it created a new requirement for email marketers to share suppression lists with other companies who do marketing on their behalf. Suppression lists are email addresses of consumers who have clicked on the unsubscribe link. Many companies just share these lists in plain text, which is very insecure and is frequently abused. Spammers steal these lists and send them more email!

Hashing the email addresses with MD5 before they are shared protects against spammers abusing them. This was one of the main reasons why I created UnsubCentral: a safe, central repository for securely exchanging suppression lists and complying with the CAN-SPAM act.

What does this mean for you?

If you are an Email Marketer

Talk to your email service provider about it! Make sure that you are securing your suppression lists with MD5 and that you are not exposing your users to extra risk and yourself to unnecessary liability. Just because your ESP supports MD5 does not mean that they use it by default. In fact, most ESPs require that you ask them to turn it on.

Talk to your affiliates about it! Make sure that any affiliates who send email on your behalf know that this issue is important to you and that they need to be prepared to accept MD5 suppression lists from you.

If you are an Affiliate Marketer

Make sure you are ready to accept MD5 suppression lists. Make sure your email software or email service provider accepts MD5 suppression lists for your mailings. If your mailing software doesn't support it, you might find it helpful to use this free desktop application from UnsubCentral that lets you compare against MD5 files on your hard drive.

If you are an Email Service Provider

Make sure you support MD5 suppression lists for one-time upload, permanent upload, and for download. This means that a list owner should be able to upload an MD5-encoded file of email addresses into your system as permanent unsubscribes, or just to suppress against one single mailing. It also means that a list owner should be able to easily download an MD5-encoded suppression list of all the unsubscribes their list has received through your system.

Educate your customers about why they should use MD5 and how it can help protect their subscribers from spam and themselves from legal liability and deliverability challenges. By using MD5 instead of plain text, you make it less likely that a suppression list will get abused and your sending reputation gets tarnished.
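As an added example (not code from this post or from UnsubCentral), here is the whole round trip in Python: a list owner builds the MD5 suppression file, and an affiliate suppresses a mailing against it. It applies the lower-casing canonicalization discussed in the comments below; stripping surrounding whitespace is an extra assumption of mine, and the sample addresses are constructed.

```python
import hashlib
import string

HEX = set(string.hexdigits.lower())


def canonicalize(address: str) -> str:
    """Normalize before hashing so case/whitespace variants of the
    same mailbox yield the same digest (lower-casing as the post's
    author recommends; whitespace stripping is an added assumption)."""
    return address.strip().lower()


def raw_md5(address: str) -> str:
    """MD5 of the address exactly as written (no canonicalization)."""
    return hashlib.md5(address.encode("utf-8")).hexdigest()


def md5_hex(address: str) -> str:
    """MD5 of the canonicalized address: the value that goes in the file."""
    return raw_md5(canonicalize(address))


def build_suppression_file(unsubscribes) -> str:
    """The file a list owner shares: one 32-char hex digest per line,
    de-duplicated and sorted, no plaintext addresses."""
    return "\n".join(sorted({md5_hex(a) for a in unsubscribes})) + "\n"


def load_suppression_file(text: str) -> set:
    """Parse a shared file, rejecting anything that is not an MD5 digest
    (a plaintext address slipping in would be exactly the leak to avoid)."""
    digests = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if len(line) != 32 or not set(line) <= HEX:
            raise ValueError(f"not an MD5 digest: {line!r}")
        digests.add(line)
    return digests


def suppress(mailing, suppression_text: str) -> list:
    """Return the addresses of a mailing that are NOT on the suppression list."""
    digests = load_suppression_file(suppression_text)
    return [a for a in mailing if md5_hex(a) not in digests]


# Constructed sample data: two unsubscribes and a three-address mailing.
UNSUBSCRIBES = ["jake@mailvivo.co.uk", " Alice@Example.com "]
MAILING = ["jAKE@mailvivo.co.uk", "alice@example.com", "bob@example.com"]

if __name__ == "__main__":
    print(suppress(MAILING, build_suppression_file(UNSUBSCRIBES)))  # ['bob@example.com']
```

Without canonicalization, `raw_md5("jake@mailvivo.co.uk")` and `raw_md5("jAKE@mailvivo.co.uk")` differ and the first address would slip through. Keep in mind that a hashed list still lets anyone test whether an address they already hold is on it; what it prevents is reading the addresses out in bulk.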

How does this affect deliverability?

Lashback tracks unsubscribe compliance by IP address, and if your customer's suppression files end up in the wrong hands it will reflect poorly on your IP address reputation. Lashback's UnsubScore is one component of Return Path's Sender Score, so getting a black mark from them could affect your deliverability at many ISPs.


  1. Jake Holman
    April 24, 2009 at 4:24 am #

    If you're using MD5, then I would assume that you also require all lists to have been properly swept with some sort of shared and agreed upon canonicalization.

    For example, jake@mailvivo.co.uk and jAKE@mailvivo.co.uk are completely different when put into MD5.

    If this isn't being done, the suppression list becomes rather easily breakable.

    Full Disclaimer: I appreciate this is probably a stupid question :)

  2. Joshua Baer
    April 24, 2009 at 10:32 pm #

    Jake, that's not a stupid question at all. It's very important! Even though the RFC allows for case-sensitive email addresses, most email systems do not. To be on the safe side, we recommend lower-casing all email addresses before you hash them.

  3. J (Encrypted Flash Drive Guy)
    February 16, 2011 at 6:18 am #

    I think MD5 is a really precious tool used to encrypt email data. But make sure that MD5 cannot be decrypted, meaning an email address that is hashed is only ever available as a hash. Therefore, no physical email addresses are compromised and consumer data is protected.