Policy at scale: Figuring reputational damage

How important is policy?

Policy both reflects reality and is a product of it. Policies are written to express what a company wants to do and how it will pursue its business. For some companies, that means “we will try to get away with doing no more than the law requires.” For others, it is a reflection of what they see required by the world-at-large.

Me? I’m a “world-at-large” kind of guy. I’ve already mentioned this, but there really isn’t a point in having a policy that only hews to the bare minimum requirements of the law (Chandler 2020). You have to do whatever the law requires whether that’s by policy or default. So, that kind of policy doesn’t really serve any purpose.

When looking at the world at large, we find that receivers have their own policies. Those policies not only govern what they allow their own users to send out from their systems but also what kinds of mail that they will allow coming in from the wider world. A good example of this is Microsoft’s:

Microsoft prohibits the use of the service in any manner associated with the transmission, distribution, or delivery of any unsolicited bulk or unsolicited commercial e-mail (“spam”). You may not use the service to send spam. You also may not deliver spam or cause spam to be delivered to any Microsoft service, Web site, or customer.

(Microsoft Corporation n.d.)

This kind of policy doesn’t require only what United States law requires. Its standard is quite a bit higher: the CAN-SPAM Act allows the use of unsolicited commercial email within certain parameters, but this policy does not.

Understanding reputation systems

Everyone uses reputation to make decisions every day. Whether that is deciding which restaurant to get dinner from, considering how many stars an Uber driver has, which charity you will contribute to, or whether the person who sits at the other end of the conference table would be a good friend, we all use various forms of reputation metrics and monitoring to make decisions.

As a rule, most email reputation systems will start with a default status of accepting the message and delivering it to the inbox. But that default can be changed by a whole host of factors.

Most of those factors can be summed up in the ideas of permission, cadence, and relevance. That is to say that companies who don’t get permission, who send too much (or too little), or who send messages that aren’t relevant will, over time, find themselves penalized.

That penalty can be attached to the IP address, the sending domain, a domain used in a link in the body of a message, or, indeed, the text of the message itself. One very large mailbox provider recently said that they will attach reputational scores “to anything that we logically can.”

Figuring individual reputation damage

If a customer does not abide by the rules set by the incoming server they can expect to be penalized. If they gain enough penalty points then they can expect that their message will be redirected away from the inbox or rejected/bounced. The vast majority of the cases that I get called in for the purposes of “please review and assist” happen because the customer has done something which warrants penalization.

Convincing this customer that they need to change a deviant process in order to comply with your policy is often a challenging proposition. There is a good chance that they have made some money with the new method or that they have been engaged in a given practice for a long time. Sometimes, it may be resolved with a pointer to something like this blog post or the M3AAWG Position on Email Appending (M3AAWG 2019) to show broad industry support for the provider’s policy. Other times, it may be a matter of having to say “This is our policy and it must be followed.”

Policy at scale: Broader issues

If enough customers are causing problems then there are broader penalties that can be applied. Or, sometimes this may happen with a single customer who caused the same problem multiple times. Regardless, a provider’s general reputation is generally determined by the bottom 20% of their customers (or, more precisely, by what the provider will allow, even if they don’t encourage it).
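To make the mechanics described above concrete (the default-accept starting point, penalty points driven by permission, cadence and relevance, scores attached to every identifier a message exposes, and the way one customer’s behavior drags down a shared resource), here is a small toy model. It is an added example written for this discussion, not code from the post’s author or from any mailbox provider; the identifiers, point values, thresholds and sample senders are all constructed assumptions, and a real receiver’s scoring is far more involved.

```python
"""Toy receiver-side reputation model (added example, not the post's own code).

Every identifier a message exposes (sending IP, sending domain, link domains)
carries its own penalty score. A message is routed on the WORST score among
its identifiers, so a clean customer sharing an IP with a bad one inherits
that IP's penalties. Point values and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

SPAM_FOLDER_THRESHOLD = 5   # constructed: above this, route away from the inbox
REJECT_THRESHOLD = 10       # constructed: above this, reject/bounce outright


@dataclass
class Message:
    sender_ip: str
    sender_domain: str
    link_domains: list[str]
    has_permission: bool          # did the recipient actually opt in?
    sent_today_to_recipient: int  # cadence signal: copies already sent today
    relevant: bool                # constructed stand-in for content relevance


class ReputationStore:
    def __init__(self) -> None:
        # Default status is a clean slate: every identifier starts at 0.
        self.scores: dict[str, int] = defaultdict(int)

    @staticmethod
    def identifiers(msg: Message) -> list[str]:
        """All keys a receiver might 'logically' attach a score to."""
        return ([f"ip:{msg.sender_ip}", f"domain:{msg.sender_domain}"]
                + [f"link:{d}" for d in msg.link_domains])

    @staticmethod
    def penalty_points(msg: Message) -> int:
        """Points earned by one message: permission, cadence, relevance."""
        points = 0
        if not msg.has_permission:
            points += 3
        if msg.sent_today_to_recipient > 3:
            points += 2
        if not msg.relevant:
            points += 1
        return points

    def disposition(self, msg: Message) -> str:
        """Route on the worst score across every identifier the message exposes."""
        worst = max(self.scores[i] for i in self.identifiers(msg))
        if worst > REJECT_THRESHOLD:
            return "reject"
        if worst > SPAM_FOLDER_THRESHOLD:
            return "spam_folder"
        return "inbox"

    def process(self, msg: Message) -> str:
        """Decide delivery, then record the penalties this message earned.
        A rejected message never reaches a mailbox, so it earns no new points."""
        result = self.disposition(msg)
        if result != "reject":
            points = self.penalty_points(msg)
            for ident in self.identifiers(msg):
                self.scores[ident] += points
        return result


def simulate_shared_ip() -> dict:
    """Constructed scenario: a bad customer and a good one share 192.0.2.10."""
    store = ReputationStore()
    bad = Message("192.0.2.10", "bad.example", ["bad.example"],
                  has_permission=False, sent_today_to_recipient=5, relevant=False)
    good_shared = Message("192.0.2.10", "good.example", ["good.example"],
                          has_permission=True, sent_today_to_recipient=1, relevant=True)
    good_dedicated = Message("192.0.2.20", "good.example", ["good.example"],
                             has_permission=True, sent_today_to_recipient=1, relevant=True)

    before = store.process(good_shared)              # clean slate: inbox
    bad_results = [store.process(bad) for _ in range(3)]
    after = store.process(good_shared)               # same good sender, shared IP now burned
    dedicated = store.process(good_dedicated)        # same sender on its own IP
    return {
        "good_customer_before": before,
        "bad_customer": bad_results,
        "good_customer_after": after,
        "good_customer_dedicated_ip": dedicated,
        "ip_score": store.scores["ip:192.0.2.10"],
        "good_domain_score": store.scores["domain:good.example"],
    }


if __name__ == "__main__":
    for key, value in simulate_shared_ip().items():
        print(f"{key}: {value}")
```

The interesting line is `good_customer_after`: the good customer’s own domain score never moves, yet their mail is rejected because the shared IP’s score now exceeds the reject threshold. That is the “bottom 20%” effect in miniature, and it is why a provider’s policy has to be enforced against the customer generating the points rather than absorbed by everyone else on the same infrastructure.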

It was April of 2012. Suddenly a ripple started going through industry contacts and an SBL number was shared. The Spamhaus Project had listed all of the IP space of a particular email service provider after one of their larger accounts had generated a number of listings over a period of a few months. The statement on the listing said that the repeated listings without any change in the customer’s behavior meant that the provider was as much a part of the problem as the customer. There were a total of seven very broad listings along with four more additional direct listings for things like web servers. The ESP’s seven listings were all taken care of by the end of the day, but what a day that must have been! Years’ worth of reputation building work was undone in a very short amount of time.

This is what policy at scale really looks like. You want to do the best job that you can for each customer. You try to bring them along and help them as much as you can. And, whenever possible, you advocate on their behalf. But, at the end of the day, policy compliance exists to protect the company, not the customer, and the larger the company the less important any individual customer or group of customers can be to that calculus. That means that you sometimes have to terminate a customer for failure to comply with policy no matter how much they’re paying — because chances are excellent that they are not paying enough to cover the increased support costs, increased attrition rates, and other things that would come with all customers spending around 8 hours unable to deliver their mail because their provider was considered to be a spammer.

It’s really hard to draw that line. If you can convince a customer to comply with your policy then you get to keep the customer (and, let’s face it, their money) AND you’ve decreased the amount of spam on the Internet. If you terminate the customer, all that you’ve really done is shift the problem elsewhere. Everyone wants “the win” that comes by keeping a customer and getting them to do the right thing. But, sometimes you just can’t.


I once had an account executive tell me that a customer was willing to “indemnify us” if we would let them violate our policy. They wanted to know what kind of number they might be looking at in order to do so. My reply was that we would be looking at increased support costs for an unknown period of time that wouldn’t be fewer than 30 days. And that this would lead to a loss of goodwill, our corporate reputation among receivers, and higher attrition rates in all of our other lines of business. So, that number would probably have to approximate the combined booking amount for all of our other customers.

They decided to abide by our policy.


  1. Chandler, Mickey. 2020. “Policy at Scale: The Purpose of a Policy Is Protection.” Spamtacular. March 12, 2020. https://www.spamtacular.com/2020/03/12/policy-at-scale-the-purpose-of-a-policy-is-protection/.
  2. M3AAWG. 2019. “M3AAWG Position on Email Appending.” M3AAWG. January 2019. https://www.m3aawg.org/sites/default/files/m3aawg_apending_position_update-2019-01.pdf.
  3. Microsoft Corporation. n.d. “Microsoft Anti-Spam Policy.” Microsoft. Accessed March 18, 2020. https://support.office.com/en-us/article/Microsoft-Anti-Spam-Policy-e4506f97-694f-49bc-8231-cac4369afcb8.
Mickey Chandler