8 posts from September 2009

September 23, 2009

By Dennis Dayman


Privacy policy isn't enough anymore

This is a little late in posting, but I'm glad that it was because I have been able to sit down and think about this at great length.

Is simply posting a privacy policy good enough anymore? Is simply saying what you will and will NOT do in a privacy policy enough? It may not be.

As you may have heard by now, the Federal Trade Commission (FTC) charged in its complaint that Sears, Roebuck and Company and Kmart Management Corporation failed to disclose adequately the scope of consumers’ personal information collected via a downloadable software application.

Users could download Sears' tracking software, which monitors web activity, and each user was paid $10.00 (which is a lot) if they kept it for a minimum of one month... oh, and all one had to do to secure this plentiful bounty was turn over to the company every single bit of information about one's Web browsing.

Now you're probably saying, so? No worries on them tracking their customers on their site. Not so fast. Sears and its data collection partner also gained access to the "contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails," said the FTC. They also collected non-Web information about the user's personal computer.

Did Sears hide the fact that they were collecting all this personal information? NOPE... They posted every juicy detail of what they were doing in their privacy policy and in a fifty-four (54) page license agreement for users to read in GREAT detail at their convenience. Yeah, right! Who reads that stuff? (CYA note: I do as the Chief Privacy Officer) ;)

So, of course a few researchers noted this problem to the FTC who then charged that Sears did not "adequately disclose the scope of the tracking software's data collection."

Now, when you look at all the details involved here, Sears wasn't trying to hide the fact they were monitoring you, they weren't hijacking browsers, secretly doing drive-by installations, or doing anything illegal or anything unfair. The FTC was concerned that Sears would be tracking people online for marketing purposes but hadn't clearly disclosed what they're doing. Up until now, Sears's disclosures were both legally valid and commonplace. However, in the past the FTC has said in two (2) other cases that companies couldn't bury critical disclosures about the nature of adware in fine print (Zango and Direct Revenue). The Sears case here is NOT adware, mind you. This is a case where the user would/should have known they were sharing personally identifiable information (PII) when they read those documents. They were ASKED to share their information if they downloaded this program.

So what's the lesson learned here? What's the big deal to your business? Will it REALLY impact you? The simple answer in my eyes this beautiful fall morning in Texas is YES!

This settlement with the FTC shows that the FTC is watching and waiting for those who might be trying to confuse the average consumer. This means that you will need to be "hyper transparent" when you're collecting, transferring, and processing PII. You can NO longer just think that posting in your privacy policy what you're doing with a person's information is sufficient. You need to become "hyper transparent".

This could mean that in certain sign-up forms or marketing processes you should break out the relevant impact points of how you're collecting and what you're planning on doing with this information once you collect it upfront and not buried in some legal linked document. This means if you plan on doing more with transference of data that you warn the users more upfront about it. This means that if you want to use their information for more than just normal out-of-band use you need to be up front about it.

You get the point here? A PRIVACY POLICY IS NOT A GET OUT OF JAIL FREE CARD FOR YOUR MARKETING PROGRAMS AND PROCESSES. Never has been to be honest.

In this settlement

  • Sears has agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the public domain.
  • If it wants to do any tracking in the future, the company has committed to "clearly and prominently disclose the types of data the software will monitor, record, or transmit.
  • Any disclosure must be made prior to installation and separate from any user license agreement.
  • Sears must also disclose whether any of the data will be used by a third party."

Here are the relevant links to the FTC announcements if you want to read further.

Sears Settles FTC Charges Regarding Tracking Software

FTC Approves Final Consent Order Requiring Sears to Disclose the Installation of Tracking Software Placed on Consumers’ Computers; FTC Approves Final Consent Order in Matter Concerning Enhanced Vision Systems, Inc.

-Dennis
Eloqua

Don't Just Send, Deliver!

So my friend, Fred Tabsharani of Port25 Solutions, ran an interesting interview with Franck Martin from Genius.com on the future of DKIM and Domain-Based Reputation. This has been in the works for a few weeks now and really came out nice.

5 Questions with Franck Martin on the Future of DKIM and Domain-Based Reputation 

Below is my interview with Franck Martin, Email Deliverability Services Engineer at Genius.com, and contributing group member of the Internet IETF, in its effort to standardize the use of DKIM.  This interview was conducted via Skype since Franck just happens to live in Suva, Fiji. 

Q:FT - RFC 4871 (DKIM) essentially makes RFC 4870 (DomainKeys) obsolete.  In your opinion, what’s the future of DKIM and its overall traction in email industry thus far?

A:FM - The greatest thing that has come from the Internet Engineering Task Force (IETF) is that when an organization or an individual develops an Internet communication protocol, such as DKIM, the IETF makes it rock solid.  Essentially they look at it from all angles, strengthen it, and put their stamp of approval on it to basically say it has the quality of a standard. This shows its maturity and robustness as well as acceptance throughout the industry.  DKIM is not here to solve the spam problem, it’s just here to validate the domains that are taking ownership for sending the email.  DKIM is often times confused with signing.  Yes, DKIM signs some email headers as part of its process, but it does not sign the whole email.  PGP, and S/MIME are protocols that sign emails and are more complex to implement than DKIM because they require user participation.  DKIM requires only the mail administrator participation (and he/she is supposed to understand emails better than any other classic user).  DKIM also helps mitigate some phishing attacks, but here too, it will not solve phishing.  An email cannot claim to be from say ebay.com, have a DKIM signature related to ebay.com and not be validated back to ebay.com, providing that ebay states, via Author Domain Signing Practices (ADSP) or other means, that all their email will have their own DKIM validation. Unfortunately, it is not that simple, because the recipient mail server needs to perform various checks with the information that DKIM, ADSP and other tools provide.  I could send an email claiming to be from ebai.com and be DKIM validated back to ebai.com, and a lot of users may not recognize that ebai.com is not the same domain as ebay.com.

Q:FT - Have we reached an inflection point with DKIM?

A:FM - For the moment it’s the big players that are implementing DKIM.  If you want to have a FBL through any of the ISPs, then DKIM is a requirement.  For the smaller players, the value will come through the implementation of tools like SpamAssassin.  SpamAssassin is adding rules so that emails which pass the DKIM signature may be whitelisted.  A recent study done by Cisco shows there has been a strong growth of emails using DKIM.  It is more complex to identify DKIM use, because it is not like SPF, querying domains does not indicate the potential use of DKIM like SPF does.  Author Domain Signing Practices (ADSP), another IETF initiative, is a complement to DKIM.  It essentially adds information to the validation process to specify the policy of using DKIM for a domain name. If you receive an email that does not include a DKIM signature, you can check the domain name.  If it states that all emails will have DKIM, then you can safely drop/trash that email.   SpamAssassin is also implementing such rules.  There is another value of DKIM.   For instance when a bank sends you an email, you can validate the domain of the bank, but how do you know it truly is a bank?  A well-known industry association could include their DKIM validation as a third party which would provide a more influential path for reputation.  Finally with IPv6, IP based reputation has some serious challenges to overcome due to the database size required to contain all possible IPs. Domain based reputation may be the only way to have email work over IPv6.  At Genius.com we strongly support the adoption of DKIM (we use it too of course), and personally, when I was on the board of the Internet Society (which is strongly linked to the IETF), I supported its Trust and Identity initiative (which includes promoting DKIM adoption).


Q:FT - We’ve noticed that email headers from large companies utilize multiple modes of email authentication.  Some in fact are using all four—DKIM, SPF, Domain Keys, and SenderID. Is this redundant? Can we now officially call DKIM the standard?

A:FM - DomainKeys is becoming obsolete. Since Yahoo is moving to DKIM, there is no more reason to use DomainKeys.  Organizations such as MAAWG and ESPC require at least one form of signing and DKIM is one recommended method.  It is likely to become a requirement quickly because of various industry reputation organizations.  SenderID does not seem to have traction anymore, but SPF is a different story.  First for a sender, SPF is very easy to implement because all you need is to add one record to your DNS, and SPF provides a unique functionality in that if you want to know all the servers that a particular domain is sending from, you can use SPF to acquire a list of IP addresses. This is helpful when you try to figure out if you are blocking any IPs when a customer complains he is not receiving emails from the email address of his mother.  This shows there is a need for this type of information.


Q:FT - Regarding the early adoption with domain-based reputation by ISPs, where in the email header will these reputation effects be based?   

A:FM - My understanding is that it’s in the d= string, where the domain reputation will be based.   Organizations will use this domain as a reputation filtering mechanism when checking against DNS records (ADSP) and past behavior.  Essentially, what do we know about this sender (or domain)? As I understand, per IETF RFC, only the d= should be the criteria for reputation analysis.  Again, each ISP may treat this differently, and ongoing testing is taking place.  Because each ISP has different business rules with domain-based reputation, the IETF is trying to confirm to various implementers what is the intent of the standard.

Q:FT - Will there still be a need to warm-up IPs and establish a reputation through ISPs before sending large quantities of email?

A:FM - Since each ISP has its own filtering systems, warming up IPs would probably still be required to a certain extent.  Since DKIM naturally links to domain reputation, and since DKIM will help domain-based reputation, it will be faster to warm up IPs but we still have to exercise caution given that each ISP has its own set of business policies.  Now, on a side note, because we move to domain reputation, it will be useful to know who is behind each domain. On its side, ICANN is trying to limit bad behavior with domain registration such as “domain tasting.”   Domain tasting is a practice where you can register a domain and drop it within the grace period without having to pay for it.   It allows people to use domains to send emails from and switch to another domain after a few days, making it difficult to track the source of the emails and which entity is responsible for that domain. There are other concerns with domain registration, but that's another issue. However, we have to be certain that DKIM does not become an ICANN issue, because too many people are trying to bloat ICANN's mission. DKIM is an email administrator tool and may become a requirement but I don't think we will see in the future any major player dare to drop any emails which do not include DKIM.

Franck has gone on record to say that when I visit Fiji, he will have an exotic Fijian cocktail waiting ☺

Fred Tabsharani

------

-Dennis
Eloqua

Don't Just Send, Deliver!
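
The d= and ADSP checks discussed in the interview above, as an added example (not code from the original post, Port25 or Genius.com): it reads the d= tag from each DKIM-Signature header, keys reputation to a validly signing domain, and applies the author domain's ADSP policy as RFC 5617 defines it when no author-domain signature is present. Cryptographic verification and the DNS lookup are assumed to happen elsewhere; the verified flags, the policy tables and the sample headers are constructed.

```python
from email.utils import parseaddr

# Constructed DKIM-Signature value (folded over two lines, placeholder hashes).
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s=sel1;\r\n"
       "\th=from : to : subject; bh=PLACEHOLDER=; b=PLACEHOLDER==")


def parse_tag_list(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # first '=' only: b= may hold '='
        if sep:
            # Folding whitespace may appear inside a value; remove it.
            tags[name.strip()] = "".join(val.split())
    return tags


def author_domain(from_header):
    """Domain of the address in From: (the ADSP 'author domain')."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def evaluate(from_header, signatures, adsp_records):
    """Decide how a receiver could treat one message.

    signatures   -- list of (DKIM-Signature value, verified) pairs; 'verified'
                    is the outcome of a real DKIM verifier (assumed input).
    adsp_records -- dict of domain -> 'unknown' | 'all' | 'discardable',
                    standing in for the TXT record at _adsp._domainkey.<domain>
                    (assumed input, no DNS query is made).
    """
    author = author_domain(from_header)
    # Only signatures that verified count; an unverified d= proves nothing.
    valid = [parse_tag_list(v).get("d", "").lower()
             for v, ok in signatures if ok]
    valid = [d for d in valid if d]

    if author in valid:
        # Author domain signature: reputation attaches to the d= domain.
        return {"author": author, "reputation_key": author,
                "result": "author-signed"}

    policy = adsp_records.get(author, "unknown")
    result = {"all": "suspicious", "discardable": "discard"}.get(
        policy, "no-policy")
    # A third-party signer (an ESP, for example) still carries its own
    # reputation, but it does not satisfy the author's ADSP statement.
    return {"author": author,
            "reputation_key": valid[0] if valid else None,
            "result": result}


if __name__ == "__main__":
    # Policy table is hypothetical, not real DNS data for these domains.
    adsp = {"ebay.com": "discardable"}
    cases = [
        ("eBay <member@ebay.com>", [(SIG.format(d="ebay.com"), True)]),
        ("eBay <member@ebay.com>", [(SIG.format(d="ebay.com"), False)]),
        ("eBay <member@ebai.com>", [(SIG.format(d="ebai.com"), True)]),
    ]
    for from_header, sigs in cases:
        print(from_header, "->", evaluate(from_header, sigs, adsp))
```

The third case shows the interview's ebai.com point: the lookalike passes every check, so the only protection is that its reputation accrues to ebai.com and not to ebay.com.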

September 21, 2009

By Dennis Dayman


What's in store at the ISPs 2009-2010

This report, based on Pivotal Veracity’s meetings with top ISPs, provides an overview of  the ISPs moving to domain-based reputation, their authentication plans, and critical insights and changes to white listing, volume throttles, and use of clicks and opens in filtering algorithms.

It's now available for download from their site (free, no registration required).

Key Take-Aways:

  • Reputation is and will remain of your own doing & not that purchased from a 3rd party! Reputation is still within your control and will remain so. You do not need to pay someone to have a good reputation (nor will it do any good) and paying someone won’t save you from a bad one. Almost universally, your reputation is driven by Spam Complaints, Unknown User Rates, and Spam Trap/ Honey Pot Rates (mailing to old expired addresses). 
  • Domain-based Reputation is here! A number of top ISPs including Yahoo & AOL are moving to augment IP-based reputation systems with portable Domain-based reputation systems for those mailers using DK/DKIM authentication.  This is a hugely important development and one that will be welcomed by legitimate mailers. This means, ISPs will “attach” (compute) your Spam Complaint Rate, Unknown User Rate, and Spam Trap Rates to your Domain (this will be the domain you are authenticating which for most mailers will be the friendly from domain) in addition to your IP.   Switching IP addresses? With domain-based reputation... you get to keep (for good or bad) your reputation. 

  • Authenticate with DK/DKIM! With the exception of Hotmail which is still sticking to its proprietary “Sender ID” authentication model, the authentication method of choice by all the other leading ISPs is DK/DKIM.  If you are not already... authenticate!  You need to authenticate in order to take advantage of domain-based reputation and other ISP services such as Yahoo’s feedback loop.  You’ll find extensive resources on authentication within the Pivotal Veracity knowledge base.

-Dennis
Eloqua

Don't Just Send, Deliver!

September 14, 2009

By DJ Waldow


White House Spam

Note: This post was originally published on The Email Zoo on August 17, 2009.

-----

The White House just sent me spam.

As a guy in the email industry, I don't toss the S-word around lightly. However, that was my immediate reaction when an email from "David Axelrod, The White House" landed in my inbox last week.

Now, let me be clear. From a CAN-SPAM perspective, this was not spam. It was unsolicited, but not illegal. The CAN-SPAM Act of 2003 does not require mailers to prove opt-in; instead they must provide the ability to opt-out. Also, political emails are exempt (<--This may be debatable).

That being said, CAN-SPAM is the legal framework. It does not comment on "best practices" or even more basic, "doing what is right." Some people who received this email from "David Axelrod, The White House" clearly were not happy. I don't know the background on Major Garrett, but he seemed less than happy (or maybe he was just stirring the political pot). As Fox News says, "...you decide." 

Besides the fact that this clip is entertaining - no matter what side of the aisle you are on - it brings up some interesting questions:

  • Did the White House rent a list or use forwarded email addresses?
  • **How - if at all - will they address this issue? Send an apology email? Issue a formal press release? Will Obama talk about it?
  • Are the email rules different for the government?
  • Does anyone care that they are not following sound email marketing best practices (see comments below)?

**Since this report/video was released last week, the White House has responded: "White House will change e-mail rules"

A quick critique of why this email failed from a design perspective:

1. From Name: I don't know who "David Axelrod, The White House" is. I had to google him. Okay, now I "remember" - he's the Senior Advisor to President Obama. Who would take the time to look that up? Also, all I can see in my gmail inbox is "David Axelrod, The..." Verdict? Delete/Spam.

2. Subject Line: "Something worth forwarding" looks, smells, and tastes of spam. It might as well have said, "Send $1,000,000 to the Central Bank of Nigeria." Verdict? Delete/Spam.

3. Length/Copy: Lots of text, lots of scrolling. No call to action above the fold. Nothing to entice me to read beyond my initial scan. Verdict? Delete/Spam.

4. "Please don't reply": I wrote about this back in my Bronto days: http://blog.bronto.com/2008/11/21/donotreadthispost/. Blasting out an email to me and then telling me I can't reply is not engagement. Verdict? Delete/Spam.

----

Did you receive the same email in your inbox last week? Did you have similar thoughts? Did you read it or delete it? Did you mark it as spam or junk? Did you have the same reaction to the content as I did? How about the video clip?

DJ Waldow Director of Community, Blue Sky Factory

September 11, 2009

By Andrew Kordek


How to ruin your email marketing program – Part 1

Part 1 - 9 basics and beliefs.

You need the basics to really ruin your email program and it just so happens that this is your lucky day. I have compiled a list of 9 essential beliefs or “the basics” to get you started. Dig in and let the downfall begin.


First and foremost, you need to understand that you are the king/queen of email marketing and your program is superior to all other email programs. Subscribers need to understand this and you need to communicate that on a regular and consistent basis.


Second, revenue is king in email.  Don't worry about what the subscriber wants..worry about what your company wants..which is revenue!! Forget about how your subscriber thinks about your company if you send them an email everyday....they are bound to buy something eventually.  Who cares if they opt out as you can just go out and find another subscriber who will LOVE to contribute to the bottom line.


Third, you need to realize that you send email blasts....not communications, not campaigns....but blasts. You tee up lists and blast the folks in hopes of them doing what you want them to do. Who cares if it sounds like you are going to engage in a world war against your subscribers, it's just email right? Of course, since your program is the best you should have a near 100% conversion and anything less than that is unacceptable. Blasting people with emails is not really a bad thing to say..heck it's not as if I am shooting them, blowing them up or spraying and praying on them right?


Fourth, take all of the best practices you learn about in blogs and white papers etc...print them out and use them as paper airplanes in the office or as starter logs for your fireplace. In fact..why read anything at all that could better your program. Who needs people telling you what to do all the time right? Why invest the time trying to better your program anyway?  Best practices are for losers because your program is the best.


Fifth, people WANT your email. In fact, they are sitting around just waiting to get your latest mail bomb. Who cares what you send them..I mean they signed up for your program and they should be grateful to get what they get. Send them a new email every day if you can which is easy right? You're superhuman and this email thing is easy.


Sixth, hire a loser to run your email bazooka program. A recent study just came out that said 3 monkeys in a lab were able to send out emails and run a program. All they did was put some pictures on a template, push the button, blasto it was sent and the revenue just came pouring in. Can't afford a loser or a monkey, grab Brad or Brenda from the mail room..heck they deal with mail all day long and email and mail sound the same. Don't have a mail room either....tell Suzy or John in the marketing department to handle email from now on. What is one more hat for them to wear right?


Seventh, get an ESP that can send email. Who cares if their UI or support sucks...just make sure that they can tee up your email shots for the cheapest price. Don't forget to choose those ESPs that love to put their logos on the bottom of each email they send.....that won't bother you since your email program kicks butt and your subscribers won't find that annoying.


The eighth rule is the best. $99 is a heck of a price to pay for 4 million opt in names. Why grow your list organically when you can get 4 million people who have OPT IN to receive YOUR special offer.  Remember this, the bigger your list, the bigger the payoff!!  Revenue is the name of the game baby.  Don't forget to negotiate that free set of steak knives with your order.


Ninth and most importantly...let the CMO or President or someone above you tell you what and how to run your email program. Since monkeys can do this job, who better than someone who has never done or understood email to tell you how to run this awesome program you have. Surely their expectations for success will be easily achievable and in fact you'll be asking them to challenge you within 3 months.


Remember, these are just the basics in how to ruin your email program. In future posts, I will be sure to go into more detail on some really great ways to totally mess it up.


For now..just sit back and relax..your email program is running just fine without you. In fact, take the rest of the day off and forget to QA your weekend email as I bet it's perfect anyway.


***The How To Ruin Your Email Marketing Program series was inspired by a book I just finished reading entitled “How to ruin your life” by Ben Stein. Most inspirational books have a way of communicating the same theme with different words and for some crazy reason I was able to draw a lot out of Ben's book. If you find this sort of post even remotely inspiring, let me know as I will be happy to continue.***


September 09, 2009

By Chris Wheeler


RP Hosting New Tucows FBL

Nice to have so many new launches from deliverability vendors lately.

This has been in beta for some time now while the kinks are worked out between the two systems to ensure that complaints generated on Tucows are handled through the Return Path registration handling for their feedback loop system. ...

The FBL signup form is here and the RP blog here.

To quote Alex Rubin, RP's Vice President - Business Development:
I am very pleased to announce the public launch of the Tucows feedback loop. Return Path clients have had the benefit of participating in a private beta of the Return Path feedback loop since August 20. It is now available for the rest of the email universe at: http://fbl.hostedemail.com.

Tucows is the third-largest wholesale domain registrar, providing Internet services, through its wholesale division known as OpenSRS, for more than 8 million domains. Tucows hosts millions of email inboxes on its OpenSRS Email Service. This feedback loop will cover all of those inboxes.
...
They go on to announce the other ISP FBLs also hosted by RP.  Pretty soon, RP will have a monopoly on outsourced FBLs.  Is Blue Tie paying attention? 

Chris Wheeler
Director of Deliverability, Bronto Software

September 08, 2009

By Chris Wheeler


Pivotal Veracity Unveils New Product: MIQ

Here at Deliverability.com, we like to leak information to the world as we get it in hopes of spurring debate and helping educate folks interested in email marketing (and obviously deliverability) in general.

As part of that, Pivotal Veracity unveiled its latest product announcement today in a special insider's meeting - the Mailbox IQ, or, as they're fond of acronyms, MIQ.  In short, they'll go live tomorrow (9/9/09 - clever date based marketing) with a tool which will allow a sender to access "customer level tracking of email deliverability, rendering and reputation across mobile, social, search and traditional web and software-based email platforms."

Using special technology to fingerprint emails tying them back to a specific sender and their campaign, this service will tell you exactly where it landed, in what folder and via which email client.  This shifts the conversation from seed testing as a predictive tool for getting a default disposition (fancy term for where the mail would land with a pristine and not customized ISP inbox) rather to a recipient performance based tool showing where the email actually landed, as PV claims.

It will be interesting to see how this plays out.  They claim to have several large beta clients already using this (both ESP and single sender) so now it's just a matter of seeing how the data pans out for the rest of the community.

PV MIQ Site here.  And official (early) press release here.

Let us know your thoughts!

Chris Wheeler
Director of Deliverability, Bronto Software

September 01, 2009

By Dennis Dayman


FTC bans robocalls without written permission

Wow, what a summer... As you're probably already feeling, it's quite difficult getting back into the normalcy of things these past weeks after that nice long holiday. For Jennifer and I, kids started school these past few weeks, a lot of the email/privacy alliances and coalitions are spinning up their regular meeting schedules, I'm trying to get back into the habit of blogging and producing research on a regular schedule, and today September 1, 2009 is the day that many new laws either federal or state will take effect and will have some sort of impact on your work and personal lives.

For us here in Texas, there are SEVERAL new laws taking effect today (wear your seatbelt no matter where you’re sitting in the car. Don’t talk on a cell phone in a school zone. Put your kid in a car seat if the child is 8 years old or younger and not taller than 4-foot-9, etc) that will have an impact on us as citizens, but if you haven't been monitoring there are also a few new federal ones that will have an impact on your marketing process.

The biggest one that you might have heard of is the new Federal Trade Commission's (FTC) rule covering unwanted "Robocalls". The new requirements are a part of the larger FTC's Telemarketing Sales Rule (TSR) that begins September 1, 2009 prohibiting prerecorded commercial telemarketing calls to consumers, or robocalls, unless the telemarketer has obtained permission in WRITING from consumers who want to receive such calls. This was announced a year ago by the FTC.

 The rules look something like this.

  • If you send a robocall, the telemarketer must have permission IN WRITING before calling the target
  • If you're a seller or telemarketer and you transmit without written permission, the fine is $16,000 per call.
  • It DOES prohibit robocalls even if you have previously done business with them
  • The pre-recorded call must tell the user how to opt out at the start of the message
  • Provide an automated opt-out mechanism that is voice or keypress-activated
  • If your pre-recorded message is left on an answering machine or voicemail, it must also provide a number that connects to the automated opt-out system.

The new regulations will not affect consumers' ability to continue to receive calls that deliver purely "informational" prerecorded messages notifying recipients, for example:

  • that their flight has been cancelled
  • they have a service appointment, or similar messages

Such purely "informational" calls are not covered by the TSR because they do not attempt to sell the called party any goods or services. Others not covered, and by no surprise, are politicians, banks, surveys, debt collectors, health care/prescription refill messages, telephone/utility carriers, and most charitable organizations.

After September 1, sellers and telemarketers who transmit prerecorded messages to consumers who have not agreed in writing to accept such messages will face penalties of up to $16,000 per call.

Calls made by humans will still be allowed, but not if the phone number is on the National Do Not Call Registry.

After September 1, consumers who receive prerecorded telemarketing calls but have not agreed to get them should file a complaint with the Commission, either on the donotcall.gov Web site or by calling 1-888-382-1222.

If you want all the details about the robocalls regulations please read the Federal Register Telemarketing Sales Rules Final Rule Amendments. The FTC also published a site that helps businesses comply with the TSR which is very lengthy, but should answer most of your burning questions that I did not touch on here like telemarketing calls to businesses.

You're now asking why I'm telling you about this and it doesn't impact digital communications like email? Think really hard now........

How many of you send out an email invite to customers about something like a conference or webinar and then follow up with a robocall telling the user to look for the email? For some of you, the email open rates are significantly higher than those that did not get the robocall in these situations and thus you regularly use this process. Can you still use this process? Probably not.

-Dennis
Eloqua

Don't Just Send, Deliver!
