A colleague was asking about confirming transactional mail today. It seems a couple of big retailers got SBLed today for sending receipts to spamtraps. I talked a few weeks ago about why it’s important to let people unsubscribe from transactional email, and many of those same things apply to confirming receipts.
First, let’s look at what Spamhaus has to say. Initially they listed the reason for the SBL listing as “receipts to spam traps.” They later clarified the underlying issue.
…[T]he issue with these receipts isn’t simply that one-off receipts are being sent to typoed email addresses. That issue would be trivial if no further email were sent to those email addresses, even during the Christmas shopping season. The issue is that typoed email addresses are being associated with customer accounts and receiving all sorts of email (transactional and marketing both) without ever being confirmed. Spamhaus Statement (.pdf)
This matches very closely with what I said in my earlier post about allowing people to unsubscribe from transactional emails.
Transactional mail that is only ever a single event and where that address is not associated with an account doesn’t need to have an unsubscribe link. If it’s a one-time email, then it’s OK to not have an opt-out link. It’s OK to have an opt-out link, but not necessary.
However, transactional mail that’s associated with some sort of account and is likely to receive future emails must have a process in place to make sure that the mail is going to the right person.
A couple of examples where retail stores should have confirmation in place:
Apple has an option to associate an email address with a credit card. Customers that take this step can go into any Apple store, buy something with that card and Apple will email them a receipt. This type of setup should have some process to confirm that Apple are sending the receipt to the right place.
Citibank links online banking accounts to credit or debit cards. They’ve now started offering the ability for ATM transaction receipts to be sent to the email address on file for that card. They have incorporated a verification process as part of setting up online banking, and receipts should only go to the actual customer.
There are, however, a lot of retailers that collect addresses at point of sale and use those for receipts and marketing without any confirmation. Some online retailers collect email addresses and then let customers create an account with that address. They often don’t confirm these accounts, either. That may not sound so bad; creating an account is a simple step that encourages repeat purchases.
Without some sort of address confirmation in place, customers can create accounts with email addresses they don’t control. In most cases, customers can continue to use those accounts until they forget their passwords. Purchase confirmation emails and marketing mails both can be sent to unrelated 3rd parties.
Spamhaus listing companies that are sending repeated transactional emails to spamtraps means senders who don’t confirm addresses are at increased delivery risk, even when the majority of mail sent to those addresses is transactional. It’s not the content, it’s the volume. The more mail sent to an address the more important it is to make sure that the person at that address is actually the right customer. Otherwise, senders open themselves up to delivery problems. There is also the possibility that some congress person decides that receipts going to the wrong person is a problem that needs to be fixed with laws. I’m pretty sure whatever that congress person decides will be worse for both consumers and retailers than retailers confirming email addresses.
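One way to enforce the distinction drawn above, where a one-off receipt to an unconfirmed address is tolerable but ongoing account mail is not, is to gate sending on a signed confirmation token. This is an added example, not code from the post or from any retailer it mentions; the secret, the 7-day expiry, the mail kinds and all function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: a per-deployment secret
TOKEN_TTL = 7 * 24 * 3600         # assumption: links stay valid for 7 days

def _sign(account_id, email, issued):
    # Bind the token to one account and one address so it cannot confirm another.
    msg = f"{account_id}|{email.lower()}|{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_token(account_id, email, now=None):
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_sign(account_id, email, issued)}"

def verify_token(token, account_id, email, now=None):
    now = time.time() if now is None else now
    try:
        issued_s, sig = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False  # malformed token
    if issued > now or now - issued > TOKEN_TTL:
        return False  # future-dated or expired
    expected = _sign(account_id, email, issued)
    return hmac.compare_digest(sig.encode(), expected.encode())

class Account:
    def __init__(self, account_id, email):
        self.account_id, self.email = account_id, email
        self.confirmed = False
        self.unconfirmed_sends = 0

    def confirm(self, token, now=None):
        if verify_token(token, self.account_id, self.email, now):
            self.confirmed = True
        return self.confirmed

def may_send(account, kind):
    """kind is 'receipt' or 'marketing' (hypothetical labels)."""
    if account.confirmed:
        return True
    # Unconfirmed: one receipt (carrying the confirmation link), nothing more.
    return kind == "receipt" and account.unconfirmed_sends == 0

def record_send(account):
    if not account.confirmed:
        account.unconfirmed_sends += 1
```

A typoed address never clicks the link, so it receives a single receipt and then drops out of both the transactional and marketing streams.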