Principles of Email Sender Reputation
An ESPC Position Statement
This position statement is intended to clarify the governing principles of email sender reputation, and to guide providers of public or private reputation services on the meaning and utility of these principles.
The Email Sender and Provider Coalition (ESPC) is a cooperative of leading companies in the email industry. We reaffirm our belief that the elimination of abusive email practices – known variously as spam, spoofing and phishing – is essential to enhancing confidence in email as a safe and reliable medium for both communication and commerce. We also believe that a positive reputation should reward senders who apply best practices with resulting inbox delivery of their email messages.
As first advanced in our "Project Lumos" white paper (2003), the ESPC believes that establishing email sender accountability is the best way to fulfill the goal of enhanced confidence in email. Sender accountability is achieved through two interlocking concepts: (1) Authentication, which establishes the identity of an email sender; and (2) Reputation, which associates the results of a sender's policies and practices with the authenticated identity of that sender.
Legal and Technical Compliance
As prerequisites to viable email reputation systems, the ESPC believes that senders must: first, be compliant with all applicable laws governing email; and second, authenticate their email so their reputations can be reliably established and associated with their behavior. For their part, reputation service providers (RSPs) should ensure that all senders participating in their programs comply with both legal requirements and industry authentication protocols. As stronger authentication methodologies provide more reliable ways to identify senders, the ESPC recommends the adoption of such standards by both senders and RSPs.
The ESPC further believes that reputation ratings must be solely based on objective and observable behavior on the part of senders, and that the providers of such ratings should ensure that their standards, methodologies and results are transparent and open to all program participants, other senders and receivers. In addition, sender reputations must be assigned to the most specific address or domain in use, such as that of a sub-domain, rather than a corporate top-level domain or that of an email service provider (ESP).
Principles of Sender Reputation
The ESPC’s principles are listed here in order of importance:
- Recipient Feedback. Direct feedback on sender practices from the recipients of their email messages should be the cornerstone of any determination of reputation. Feedback data can be captured in various ways, including an automated 'feedback loop' driven by a user interface that an ISP provides, or an email or other notice sent directly by the recipient. With the increased tendency of recipients to use the 'junk button' to unsubscribe even from consent-based email, receivers are encouraged to capture more granular data in their feedback loop mechanisms (e.g. complaint reason), and to adopt standardized categories in their reporting so legitimate senders can improve recipient satisfaction and minimize future complaints. RSPs should then weigh such granular feedback and other direct recipient communications more heavily than undifferentiated forms of feedback (the junk button alone).
- Sender Identity. RSPs are encouraged to use authentication to associate a reputation with the domain used for messaging, or with the line of business responsible for messaging, rather than with an IP address. While a reputation should be established for the lowest-level entity possible (e.g. sub-domain), parent companies and service providers should be held accountable for the actions and reputations of sub-domains within their control, and should seek to ensure the continuity of the domain names and IP addresses used. Credit should be given to those senders who maintain consistent use of their domain names and IP addresses.
- Bad Addresses. Senders should compile their lists from reliable sources and exercise reasonable controls over their registration and list maintenance processes to ensure the integrity of their email lists. Mailing to addresses that do not exist can be attributed to a variety of causes, from inadequate data capture or bounce management practices to forgery or the use of illicit list sources. Receivers and RSPs should seek to distinguish between list management problems and serious permission problems. For example, the term "spamtrap" should differentiate between addresses that never existed ("honeypots") and email addresses that once existed but have since closed ("stale" addresses). The incidence and frequency of mailings to honeypots should adversely affect a sender's reputation more than mailings to stale addresses (see "Bounce Management" below).
  When scoring honeypots and stale addresses, the ESPC encourages receivers/RSPs to:
  - Treat (e.g. score) honeypots more severely than stale addresses.
  - Report at least aggregate counts of honeypots vs. stale addresses reached. Where possible, include information about the problematic addresses reached, the IP address the mail was sent from, and/or other information that will allow mailers (especially ESPs hosting multiple senders) to identify the source of the problems and take corrective measures.
- Bounce Management. Senders should exercise proper bounce management by promptly removing addresses returned as permanent errors (as determined by RFCs 2821 and 3463) by an ISP or other receiver. The reputation of senders who continually mail to permanently inaccurate addresses (hard bounces) should be negatively impacted if the addresses are not removed and/or the source of the problem is not remedied. Receivers are encouraged to provide accurate and informative error codes, such as a 5.7.1 error code for a policy violation.
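The Bad Addresses and Bounce Management principles above describe two mechanical tasks: a sender must classify receiver replies by RFC 2821 reply code and RFC 3463 enhanced status code and suppress hard-bounced addresses, and a receiver or RSP must count honeypot and stale-address hits separately, weight honeypots more heavily, and report them per sending IP. The following Python is an added illustration of both tasks; it is not ESPC code nor any RSP's scoring system. Every address, SMTP reply, trap list, IP address and penalty weight in it is constructed sample data, and the weights are assumptions, not values the ESPC prescribes.

```python
"""Bounce classification, list suppression and spamtrap reporting.

Added example, not ESPC or any RSP's code. All addresses, SMTP replies,
trap lists, IPs and weights below are constructed sample data.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable, Optional

# RFC 3463 enhanced status code "class.subject.detail" following the basic
# reply code (class 2 = success, 4 = persistent transient, 5 = permanent).
ENHANCED = re.compile(r"^\s*[245]\d\d[ -]([245])\.(\d{1,3})\.(\d{1,3})\b")
# Basic RFC 2821 reply code (4yz transient, 5yz permanent); fallback only.
BASIC = re.compile(r"^\s*([245])\d\d(?=[ -])")


def enhanced_code(smtp_reply: str) -> Optional[str]:
    """Return the RFC 3463 code from a reply line, e.g. '5.1.1', or None."""
    m = ENHANCED.match(smtp_reply)
    return ".".join(m.groups()) if m else None


def is_permanent_failure(smtp_reply: str) -> bool:
    """True when the receiver's reply marks the recipient as a hard bounce."""
    m = ENHANCED.match(smtp_reply)
    if m:
        return m.group(1) == "5"
    m = BASIC.match(smtp_reply)
    return bool(m) and m.group(1) == "5"


class BounceManager:
    """Sender-side list maintenance: suppress addresses that hard-bounce and
    count how often an already-suppressed address is mailed again."""

    def __init__(self) -> None:
        self.suppressed: dict[str, str] = {}  # address -> code that caused it
        self.repeat_hard_bounces = 0  # mailings to addresses already known bad

    def record(self, address: str, smtp_reply: str) -> bool:
        """Record one delivery attempt; True if the address is now suppressed."""
        if not is_permanent_failure(smtp_reply):
            return False  # transient (4.x.x / 4yz): retry later, keep the address
        if address in self.suppressed:
            self.repeat_hard_bounces += 1
        else:
            self.suppressed[address] = enhanced_code(smtp_reply) or smtp_reply.strip()[:3]
        return True

    def filter_recipients(self, addresses: Iterable[str]) -> list[str]:
        """Drop suppressed addresses before the next send."""
        return [a for a in addresses if a not in self.suppressed]


def trap_report(deliveries, traps, honeypot_weight=10.0, stale_weight=1.0):
    """Receiver/RSP-side aggregation of trap hits.

    deliveries: (sending_ip, recipient) pairs seen by the receiver.
    traps: recipient -> 'honeypot' (never existed) or 'stale' (once valid).
    Returns aggregate counts, a per-IP breakdown so an ESP can locate the
    responsible customer, and a penalty weighting honeypots above stale hits.
    (Assumed weights: honeypot 10, stale 1.)
    """
    totals: Counter[str] = Counter()
    per_ip: dict[str, Counter[str]] = {}
    for ip, rcpt in deliveries:
        kind = traps.get(rcpt.lower())
        if kind is None:
            continue
        totals[kind] += 1
        per_ip.setdefault(ip, Counter())[kind] += 1
    penalty = totals["honeypot"] * honeypot_weight + totals["stale"] * stale_weight
    return {"honeypot": totals["honeypot"], "stale": totals["stale"],
            "per_ip": {ip: dict(c) for ip, c in per_ip.items()}, "penalty": penalty}


def demo():
    """Run both pieces over constructed data and return the results."""
    bm = BounceManager()
    first_send = [  # constructed receiver replies for one mailing
        ("gone@example.net", "550 5.1.1 <gone@example.net>: User unknown"),
        ("full@example.net", "452 4.2.2 Mailbox full"),
        ("blocked@example.org", "550 5.7.1 Client blocked by policy"),
        ("ok@example.com", "250 2.0.0 OK"),
    ]
    for addr, reply in first_send:
        bm.record(addr, reply)
    for addr, reply in first_send:  # re-mailing without suppression: repeats counted
        bm.record(addr, reply)
    clean_list = bm.filter_recipients(a for a, _ in first_send)  # proper maintenance
    traps = {"never-existed@example.net": "honeypot", "left-2004@example.net": "stale"}
    deliveries = [("192.0.2.10", "never-existed@example.net"),
                  ("192.0.2.10", "left-2004@example.net"),
                  ("192.0.2.20", "left-2004@example.net"),
                  ("192.0.2.20", "ok@example.com")]
    return bm, clean_list, trap_report(deliveries, traps)


if __name__ == "__main__":
    manager, remaining, report = demo()
    print(sorted(manager.suppressed.items()), manager.repeat_hard_bounces)
    print(remaining)
    print(report)
```

The enhanced-code pattern is anchored to the position RFC 2034 gives it (immediately after the three-digit reply code) so that version numbers or IP addresses later in the reply text are never mistaken for a status code, and the basic reply code is consulted only when no enhanced code is present. The `repeat_hard_bounces` counter is the sender-side signal the principle refers to: a list that is being maintained should keep it at zero.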
Legitimate companies greatly cherish their brands and customer relationships. They continually strive to apply email best practices so as to protect their investments in both assets. The ESPC strongly advocates the adoption of these sender reputation principles, and their consistent application, so as to ensure that reputation ratings appropriately recognize such senders and improve the email medium for the benefit of all parties.
Reputation service providers (RSPs) objectively monitor the performance of email senders and warrant the reputations of those deserving unencumbered delivery of their messages to receivers and other interested parties. Some RSPs may also certify sender policies and practices, provide reputation rating services, offer best practice consultation, or facilitate ISP remediation and reputation repair.
The most specific address or domain name is widely considered to be the "envelope" (aka: "mail-from") domain name as per RFC 2821.