Whitelisting – A partial solution to Inbox Woes?

Things have become a little more tenuous in the email ecosystem of late. What was once a given, inbox placement is now hard fought.

Way back in the year 2000, blacklists had so many false positives, inadvertently (and sometimes intentionally (vertently?)) blocking email from legitimate senders that the notion of whitelisting sprang up with the creation of Habeas.com.


Habeas was based upon the concept that the presence of their trademarked headers, a haiku, indicated a sender that they vouched for. Copying the headers was trivially easy, of course, but Habeas threatened to sue anyone who copied them without permission, and they did so, a couple of times, suing Avalend, Intermark Media, BigDogSecrets.com, Clickbank, and Keynetics. In the interests of transparency, I was the North American Product Manager of Habeas.

However, offshore spammers found it trivially easy to forge the headers, and being outside the short arm of the law, Habeas switched to whitelisting based upon the presence of an IP on a published DNS service soon after competitor Bonded Sender launched in 2002. Originally an offshoot of SpamCop, then a division of IronPort, Bonded Sender had one advantage over Habeas -- a large receiving site, Hotmail, actually used their published whitelist.

Bonded Sender did have one disadvantage: theirs was a model wherein sender clients would deposit a sum of money with the company (ergo ‘bond’), which would be ‘fined’ for spamtrap hits and complaints. In other words, without effective compliance, they inadvertently became a ‘pay to “spam”’ service. I will qualify that comment by noting that nowhere near all the Bonded Sender customers were spammers, but some were, and they considered the bond payments as the cost of doing business.

In 2005, Return Path Inc. bought Bonded Sender from IronPort, re-launched it in 2006 as Sender Score Certified, and rebranded it again in 2010 as Return Path Certified. They dropped the bond, and charge a flat fee based on volume, and eventually bought the nearly bankrupt Habeas. Again, in the interest of transparency, I was the Director of Certified Compliance for Return Path.

Presently, Return Path operates two whitelists, Certified, which is used by Comcast, Yahoo! Hotmail, and dozens of other sites to make decisions based upon inbound email, and Safe, which is used by SpamAssassin to give a modest bump in scoring to email. Along the way, Return Path began to apply other complain metrics and spamtrap feeds against senders to evaluate the performance of a given IP, and then added Hotmail’s Sender Reputation Data (SRD) to the mix.

While not exactly engagement data, SRD is a Hotmail/MSN program wherein select users are re-presented with their email and asked to label it Ham (good mail) Spam, or Phish, and good engagement means good SRD scores. Votes are tallied and a score held against an individual IP and the aggregate client grouping of IPs. The acceptable level for bad SRD is currently 50%.

Other erstwhile competitors have sprung up, including DNSWL.org (2005), German blacklisting service UCE Protect’s whitelisted.org (2007), hardware filtering service Barracuda’s EmailReg.org (2008), and blacklist Spamhaus’ Spamhauswhitelist.com service, but their overall receiver footprint and sender use is fairly slender, particularly when compared to Return Path’s Certfied. As well, hardware-based whitelisters Goodmail came and went, used by AOL & Yahoo!, they were eventually dropped by Yahoo! for performance reasons, and went bankrupt soon after.

ISPs and receiving sites AOL, Yahoo! And Verizon (and many others) offer their own whitelisting programs at no cost – Word To The Wise has a terrific page that has links to them all, as well as public Feedback Loops (FBLs) so that senders can monitor complaints about their streams.

So where does all this whitelisting leave a sender? Is the inbox guaranteed? Yeah right, as if!

Tune in next time, for an engaging discussion about graymail, priority inboxes, and how big receivers like Yahoo!, Gmail, and Hotmail are taking a pretty dim view of mail their users ignore.

2 comments:

Sridhar said...

So much has changed in the email world that Whitelisting is a mirage for the sender. One thing you can be sure - if you are on a Whitelist you are not on the blacklist. Is that the only thing it guarantees? :)

Rene said...

Speaking of Germany, don't forget the Certified Senders Alliance, which works pretty well imho. :)