Using Pre-vetting to Protect your Self-serve ESP Platform

When the Certified Senders Alliance asked me to participate in a webinar about best practices for email onboarding, I jumped at the chance. It’s such a nuanced topic with so many ways to creatively and easily keep email service providers (ESPs), especially self-serve models, reputable and successful. 

While of course I believe watching the entire webinar is a good idea because it’s filled with a ton of info, I know lots of people like a TL;DR situation. The webinar recording is at the very bottom of this post, but for those who want the quick and dirty about what we talked about, what some major takeaways are, and what advice we shared, let’s get into it.

Pre-vetting is essential 

Pre-vetting is absolutely critical to the success and security of self-serve ESP models. Without a solid plan in place, your ESP’s reputation is deeply at risk. That said, it can be difficult to figure out what rules you want to implement, how you intend them to work, and what you expect the outcome to be.  

Let’s get into it. 

What is pre-vetting? 

In a self-service ESP model (sometimes referred to as a “freemium” model), customers can sign up and start sending within a few minutes or hours without talking to sales.  

The volume and likelihood of fraudulent signups is typically higher than with ESPs supporting enterprise customers due to the quick nature of the signup process. Self-service ESPs must have mechanisms and processes in place to very quickly check a variety of data points and gauge the level of risk associated with each new signup. 

Is it legitimate or some variety of spammer or fraudster?  

Should you let them access your platform to start sending email (with or without restrictions) or not? 

You need answers. 

Why pre-vetting matters 

Your ESP customers are relying on you to ensure their email program won’t be negatively affected by the sending activities of your other customers. If everyone sends from the same IP pools, or the same IP range, or is sharing a DKIM domain and you’re not effectively protecting your platform, spammers and fraudsters can severely impact performance for everybody…even your best senders.  

It’s incredibly challenging for your customer-facing teams to explain to your best and biggest senders that their emails are blocked because Sally Sillysender got a little too excited and blasted to her whole list… which, by the way, she likely purchased.  

They’ll want you to “just fix it.” Unfortunately, it’s not so easy to do within the timeframe they’re expecting. 

How pre-vetting works 

Most ESPs collect and analyze a combination of internal and third-party signals in an attempt to determine the legitimacy of each new signup, as well as its likelihood of negatively affecting the ESP’s sender reputation. 

Each data point is assigned a positive or negative score, allowing the ESP to calculate each new signup’s risk score. 

In some cases, new accounts are provisioned (or rejected) automatically due to the signup vetting score. 

In other cases, additional questions are asked to assess the new signup’s use-case and risk level more closely before making a decision. This can be a manual or automated process depending on the ESP. For most, it’s a mix of both. 

Automating pre-vetting 

Most ESPs have automation in place to very quickly check a variety of data points and gauge the risk level of each new signup. But fraudsters work hard to hide their more obviously spammy traits, so there’s often a heavy dose of human oversight and involvement in this process, too. 

As your company grows, the amount of signups you’re dealing with also grows. Eventually, the time and costs involved in having a human review every signup are not scalable, so you’ll need to automate as much of the process as possible to continue delivering quick, accurate, and consistent provisioning decisions to each new signup coming in. 

For example, provisioned accounts can have rate limits and/or other restrictions applied while you assess the new account’s sending activities and statistics to determine if the initial vetting was accurate. New senders can also be routed to various shared IP pools based on risk score.  

IP pool assignments and sending restrictions can be adjusted at a pre-specified time, volume and/or statistics threshold. 

Metrics to watch 

There is no such thing as a smoking gun metric. Sorry, friends. As with most things in email, it’s all about doing a lot of little things right to make a big impact. 

For self-service customer vetting, that means gathering as many relevant data points as you can and looking out for anything amiss. Connection IPs from countries where the company doesn’t operate, conflicting information, repeat signup attempts, indicators of bad sending activity. Anything. 

I’ve always closely watched domain age, geo-location, geo-velocity (IP versus location), and device fingerprints for reputation and activity. I highly value the community feedback offered by E-HAWK, telling you things like if an address or domain has signed up for multiple ESPs or been flagged as a bad actor. 

Recognizing the patterns of good and bad behavior within your new signups and tweaking your scoring algorithm will help you improve your process over time, allowing you to bring in more potentially good senders while fending off the bad. 
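The scoring approach described under “How pre-vetting works” (each data point gets a positive or negative score, the total decides between provisioning, asking more questions, or rejecting) using the signals named above (domain age, geo mismatch, device fingerprint, community feedback), as an added example that is not code from the original post or from any ESP. The signal names, point values and the two thresholds are assumptions chosen for illustration; they need tuning against your own signup history.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed signup record for this example; the field names are assumptions,
# not any vendor's schema.
@dataclass
class Signup:
    email: str
    domain_registered: Optional[date]  # None when the registration lookup found nothing
    stated_country: str                # country entered on the signup form
    ip_country: str                    # country the connection IP geolocates to
    device_fingerprint: str
    community_flagged: bool            # a community/vendor reputation feed reports the address or domain
    free_mailbox: bool                 # webmail address rather than a company domain

# Assumed thresholds: at or above REJECT_AT the signup is refused, at or above
# REVIEW_AT it gets follow-up questions or a human look, below that it is provisioned.
REJECT_AT = 60
REVIEW_AT = 30


def score_signup(s: Signup, today: date, seen_fingerprints: Set[str]) -> Tuple[int, List[str]]:
    """Return (risk_points, reasons). Positive points raise risk, negative points lower it."""
    points = 0
    reasons: List[str] = []

    def add(p: int, why: str) -> None:
        nonlocal points
        points += p
        reasons.append(f"{p:+d} {why}")

    # Domain age: brand-new or unknown domains are a classic spammer trait.
    if s.domain_registered is None:
        add(30, "domain registration unknown")
    else:
        age_days = (today - s.domain_registered).days
        if age_days < 30:
            add(25, f"domain registered {age_days} days ago")
        elif age_days > 730:
            add(-10, "domain older than two years")

    # Geo mismatch: the location the customer claims vs. where the connection IP sits.
    if s.stated_country != s.ip_country:
        add(20, f"stated country {s.stated_country}, IP geolocates to {s.ip_country}")

    # A device fingerprint already seen on another signup suggests a repeat attempt.
    if s.device_fingerprint in seen_fingerprints:
        add(25, "device fingerprint seen on an earlier signup")

    # Community reputation feedback about the address or domain.
    if s.community_flagged:
        add(40, "flagged by community reputation feed")

    if s.free_mailbox:
        add(10, "free mailbox address")

    return points, reasons


def decide(points: int) -> str:
    """Map a risk score onto the three outcomes the post describes."""
    if points >= REJECT_AT:
        return "reject"
    if points >= REVIEW_AT:
        return "review"
    return "provision"


def vet(s: Signup, today: date, seen_fingerprints: Set[str]):
    points, reasons = score_signup(s, today, seen_fingerprints)
    return decide(points), points, reasons


# Constructed sample signups (not real customers).
TODAY = date(2024, 6, 1)
SEEN = {"fp-9c1e"}
CLEAN = Signup("ops@example.com", date(2019, 3, 14), "DE", "DE", "fp-0a2b", False, False)
BORDERLINE = Signup("new@example.org", date(2024, 5, 22), "FR", "FR", "fp-1234", False, True)
SHADY = Signup("promo@example.net", None, "US", "NG", "fp-9c1e", True, True)

if __name__ == "__main__":
    for s in (CLEAN, BORDERLINE, SHADY):
        decision, pts, why = vet(s, TODAY, SEEN)
        print(f"{s.email}: {decision} ({pts:+d}) {why}")
```

Keeping the reasons list alongside the score is what makes the “review” outcome workable: whoever asks the follow-up questions sees exactly which signals fired, and when you later tune point values you can replay stored reasons against known-good and known-bad accounts instead of guessing.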

Things to watch 

Repeat signups who are testing your system for vulnerabilities. These folks can be relentless in trying to figure out how they can secure an account on your platform without restrictions. There are often patterns to their signups (same connection IPs, account naming conventions, website styling, answers to questions, etc.). Ask your compliance team about this. I’m sure they’ve got some funny stories they could share about patterns they’ve detected. 

Login stuffing: attempting to gain access to customers’ accounts with usernames and passwords stolen elsewhere. In this case, they’re banking on your customers reusing the same password across multiple companies. And once they’re in, they’ll steal contact lists and/or use the account to send spam or phish.  

Fraudsters can be very tricky. Look for anything that stands out as odd. 

A wild card: AI 

ChatGPT. Trust me, I’m as annoyed writing this as you probably are reading it. But just recently, we’ve started seeing a rash of signups at SocketLabs with responses coming straight from the machines. They’re pretty easy to spot so far, but these could become harder to detect with a human eye over time.  

Working for an ESP? Train your teams handling provisioning (and anything support-related, really) on how to look out for responses generated by AI and create processes — manual or automated — for how you will detect and react to them. 

Things to avoid when pre-vetting 

If automated actions to restrict a new signup’s ability to send are not met with an action to remove those restrictions, you could be impacting new customer conversion rates. Have a process in place (automated or manual) to balance your scales. 
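The post-provisioning lifecycle described under “Automating pre-vetting” (rate limits and shared IP pool assignment by risk score, adjusted once a time, volume or statistics threshold is reached) together with the “balance your scales” point just made: every automated restriction is paired with a scheduled review that lifts it when the account has earned it, or tightens it when the stats say otherwise. This is an added example, not code from the original post or from any ESP; the pool names, limits, minimum age, minimum volume and bounce/complaint thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Tuple

# Assumed shared pools and the daily send limit that goes with each.
POOL_LIMITS = {"probation": 500, "new-senders": 5000, "standard": 50000, "quarantine": 0}
# Where an account moves when it earns a promotion; "standard" is the top.
PROMOTE_TO = {"probation": "new-senders", "new-senders": "standard", "standard": "standard"}

# Assumed thresholds an account must clear before its restrictions are relaxed.
MIN_AGE = timedelta(days=7)       # time threshold
MIN_VOLUME = 1000                 # volume threshold: enough mail to judge the stats on
MAX_BOUNCE_RATE = 0.05            # statistics thresholds
MAX_COMPLAINT_RATE = 0.001


def initial_pool(risk_score: int) -> str:
    """Route a freshly provisioned account to a shared pool based on its vetting score."""
    if risk_score >= 30:
        return "probation"
    if risk_score >= 10:
        return "new-senders"
    return "standard"


@dataclass
class AccountStats:
    provisioned_at: datetime
    pool: str
    sent: int
    bounces: int
    complaints: int


def review_restrictions(acct: AccountStats, now: datetime) -> Tuple[str, str, int]:
    """Scheduled review of one account. Returns (action, pool, daily_limit) where action is
    'promote' (relax restrictions), 'hold' (not enough evidence yet) or 'suspend' (cut off)."""
    # Bad statistics are acted on as soon as there is enough volume to trust them.
    if acct.sent >= MIN_VOLUME:
        bounce_rate = acct.bounces / acct.sent
        complaint_rate = acct.complaints / acct.sent
        if bounce_rate > MAX_BOUNCE_RATE or complaint_rate > MAX_COMPLAINT_RATE:
            return "suspend", "quarantine", POOL_LIMITS["quarantine"]
    # Too little mail or too little time: keep the current restrictions for now.
    if acct.sent < MIN_VOLUME or now - acct.provisioned_at < MIN_AGE:
        return "hold", acct.pool, POOL_LIMITS[acct.pool]
    # Healthy stats, enough volume and enough age: lift one level of restriction.
    nxt = PROMOTE_TO[acct.pool]
    if nxt == acct.pool:
        return "hold", acct.pool, POOL_LIMITS[acct.pool]
    return "promote", nxt, POOL_LIMITS[nxt]


# Constructed sample accounts (not real customers) as seen at review time.
NOW = datetime(2024, 6, 15)
HEALTHY = AccountStats(datetime(2024, 6, 1), "probation", sent=2000, bounces=20, complaints=1)
TOO_NEW = AccountStats(datetime(2024, 6, 12), "probation", sent=2000, bounces=20, complaints=1)
QUIET = AccountStats(datetime(2024, 6, 1), "new-senders", sent=300, bounces=0, complaints=0)
COMPLAINED = AccountStats(datetime(2024, 6, 1), "new-senders", sent=2000, bounces=10, complaints=10)

if __name__ == "__main__":
    print("pool for risk 45:", initial_pool(45))
    for name, acct in [("healthy", HEALTHY), ("too new", TOO_NEW),
                       ("quiet", QUIET), ("complained", COMPLAINED)]:
        print(name, review_restrictions(acct, NOW))
```

The check on bad statistics sits before the age and volume gates on purpose: a sender who is clearly generating complaints should be cut off at the first review, not allowed to keep sending until the probation period runs out. The “hold” outcome is what turns the post’s warning into a process: an account that never gets promoted shows up in every review as held, which is something the onboarding team can see and chase rather than a restriction that silently outlives its reason.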

Discovered a new abuse vector? Nice work, eagle eye! But resist the urge to immediately adjust your scoring algorithm. Making changes to how your provisioning process works without fully considering the effects downstream can have painfully unintended consequences.  

For example, if you allow lower-quality signups in the door without having rate limits and mechanisms in place to catch abuse and quickly cut it off, you could be looking at HOURS of expensive overtime and customers who are more likely to churn. Not to mention, plenty of sender reputation issues to clean up, which may affect future acquisition rates. 

So, slow your roll. “Measure twice, cut once” as they say. 

Learn more about pre-vetting 

We talked about many of these metrics, factors, and approaches for pre-send customer vetting in the webinar. 

Look out for more tips from this session coming soon, focused on new customer onboarding and post-send vetting techniques to protect your email platform as an email service provider. 

Can’t wait? Check out the entire webinar recording, where I was joined by Raymond Dijkxhoorn, founder of SURBL and CTO of E-HAWK, Jakub Olexa, Founder & CEO of Mailkit, and the Director of the CSA, Julia Janßen-Holldiek. 

Catch the recording here!