Can You Pass an E-Mail Reputation Audit?

The auditors are coming! The auditors are coming!

This time, they don’t want your tax records. Instead, they’ll scrutinize every nook and cranny of your email policies and procedures to determine whether you’re a reliable emailer or a despicable spammer.

Unlike your average trip to the tax collector, though, this audit can actually do you some good.

In recent years, anti-spam efforts have moved steadily away from domain and content blocking. Reputation management and accreditation by recognized white-hat agencies count more heavily toward getting your email delivered.

Accompanying that movement are third-party auditing and accreditation firms that specialize in assessing your performance as an emailer based on your subscription, delivery, and privacy practices.

TRUSTe, Habeas, and Return Path/Bonded Sender are the best known of these firms. All three use a battery of tests and questionnaires that measure what you say you do as an emailer and how you perform in the email space.

It’s no simple chat over coffee. After you pass a preliminary certification quiz, Habeas scrutinizes your email operations with over 50 questions. TRUSTe uses a 15-page self-assessment.

After you finish the auditing process, you may feel as if you really did go through a tax audit, or perhaps a root canal. Yet measuring your reputation and seeking third-party accreditation are steps to consider if you’re serious about boosting your delivery rate and maximizing email return on investment (ROI).

A reputation audit can reveal where you’re vulnerable to blacklisting or blocking because of a program weakness. It could reveal, for example, that you failed to secure your network against computer worms, Trojan horses, and other malicious invaders.

An accreditation procedure evaluates your email program against the accreditor’s best practices. If you pass, your email messages receive an accreditation, such as a special code, recognized by participating ISPs. The code allows your messages to bypass their filters and go straight to recipients’ inboxes.

Whether you anticipate using the services of one of these companies or not, you should know how your email practices and policies would stack up in an audit.

Try our 22-question mini-audit. It’s based on actual self-assessments. (Caveat: “yes” isn’t always the correct answer. It could mean you’re using methods that violate the accreditation company’s standards.)

E-Mail Address Collection

  1. Do you use an email service provider to send email? If not, do you own the IP addresses you use to send email? List all.
  2. Does your organization use any of the following sources to collect email: list brokers, third-party marketing lists, co-registration offers, or permission transferred from affiliates or third parties?
  3. Can you provide proof of consent for names and email addresses acquired through co-registration offers, including date, time, originating IP address, and Web page URL?

Privacy Notices

  1. Where on your Web site do you notify subscribers about the kinds of email you’ll send them: prominently above the form where email addresses and personal information are taken; below the form but above the submit button; below the form; on a privacy page linked from the registration page; or no explicit explanation provided?
  2. How do you notify users of changes in your email policies and practices: email, Web page, other, or none?

Online Consent

  1. How do you collect consent from recipients to send commercial or promotional email: double opt-in, opt-in with verification; opt-in; pre-selected option with verification; or other?
  2. How do you collect consent to share email addresses with third parties or affiliates: double opt-in, opt-in with verification; opt-in; pre-selected option with verification; or other?
  3. How do you determine whether third parties who provide you email addresses have obtained their users’ consent: in writing; reviewed their consent method; reviewed the URL where the third party obtained consent; or other?
  4. Do you send commercial or promotional email based on prior business relationships but without prior consent?
  5. Do you require users to accept your commercial or promotional email as a condition of doing business with you?


  1. Do you have a procedure to manage email bounces and update the status of repeatedly bouncing email?
  2. Is your company registered at Network Abuse Clearinghouse?

Unsubscribe Process

  1. Does every email message you send to your mailing list include an unsubscribe link that’s functional for at least 30 days after the message is sent?
  2. How soon do you process unsubscribe requests after receipt?
  3. Which unsubscribe mechanisms do you provide: click on a link in the email message; click on a link, then follow instructions on Web page; reply to message with unsubscribe request; log in to online account-management page; use offline methods; or other?
  4. Do you maintain an email-address suppression list? If so, how often do you run your mailing lists against your suppression list: before each email campaign, daily, or other?

Subscriber Information Management

  1. How can users update their subscription information and personal information?
  2. How do you verify the identity of a subscriber who wants to update his subscription or personal information provided at registration?


  1. Outline the steps you’ve taken to secure your system against open proxies, open relays, and transmission of viruses, worms, Trojan horses, and so forth over your network or IP addresses.
  2. How do you secure your database containing email addresses and other information obtained at sign-up?


  1. Do you associate information collected through log files, cookies, Web beacons, or other tracking technology with individual email addresses?


  1. Does your email program fully comply with the CAN-SPAM Act, as well as with Michigan and Utah child protection regulations?

How did you do? If you’ve updated your email program to follow industry best practices, you probably came out OK. If you spotted a weakness, you can start working on it now.

In a future column, we’ll outline several of the most common failings these audits turn up and how you can overcome them before the auditors arrive.

As always, keep on deliverin’.

Want more email marketing information? ClickZ E-Mail Reference is an archive of all our email columns, organized by topic.
