How to run a mail sending service that will probably never send spam
I have written any number of times before that mail sending services could take steps that would make sure almost no spam would be sent through them, but they don't bother (eg on Amazon, on modern mailing list services in general and earlier). However, I have not written down my view of these steps, partly because I have considered them obvious in the community in general. For various reasons, I now feel like writing these steps down. So here is an incomplete list of obvious steps to take that would mostly gut sending spam through such a service.
In no particular order:
- Charge people a decent amount of money for your service, possibly
with a deposit up front. Don't have a free or a cheap tier,
because it attracts the wrong sort of customer (Patrick McKenzie has written at length on how too-low
or free pricing is a bad idea in SaaS in general).
- Force people to put their address lists on your service, not just
funnel their email through in bulk sending. Forced uploads allow
you to scan the address list in advance to look for known warning
signs, such as definitely nonexistent domains or known-bad
addresses that never accept your email.
- Require all email addresses submitted to you by a particular customer
to be confirmed. The gold standard would be confirming separately
for every alleged mailing list the customer sets up; the silver
standard is confirming once when the customer first submits the
address as part of any list and then assuming that the customer has
the right to use that address in other lists. As part of requiring
confirmation, provide an extra link that communicates to you 'I have
never heard of these people and I do not know why they have my email
address'. Even a moderate level of use of this link is a warning sign.
It should go without saying that having more than a trace level of bounces or email rejections during confirmation should be a big warning sign.
Probably the silver version is the most realistic, since these days customers may not have distinct 'mailing lists' as such, if they're using you to deliver event-based notifications to people's email and so on.
(Even sending an initial notification email to people saying 'your address has been added to our system by <customer>' would be a step forward. These days a mail sending service could claim it was a GDPR requirement.)
- Run all submitted mailing list messages through all of the available
free open source anti-spam and anti-virus systems, and perhaps
at least one of the commercial ones. If any of the systems flag the
message, don't send the email and surface this in an alert both to
the customer and to your abuse handling team.
(It's not a service to the customer to let them send out email that you know will trip spam alerts for some recipients. Legitimate customers will likely thank you for such a pre-check service, and may even want a way to submit draft messages to it.)
- Make it trivial for people to report unsolicited email and spam, and to 'unsubscribe'.
- Pay attention to bounces, SMTP rejections in general, unsubscribes,
and spam complaints. Mine them for addresses to add to your list of
warning addresses. Rejections after SMTP DATA are probably an
especially bad warning sign, because they suggest it was content
filtering that caused the rejection.
(As part of this, you should obviously recognize and parse the various SMTP 4xx and 5xx messages that major email providers use when they're dealing with questionable email messages. But this is so obvious that I suspect that any mail sending SaaS that wants to be successful is already doing it.)
I'm assuming as a baseline that you will do things like accept bounces and replies and properly implementing SMTP. These days you may want SPF, DKIM, or DMARC in order to pacify various large email providers who are getting increasingly insistent on it, but that's more in the realm of 'competently operating a commercial service'.
I'm pretty confident that any mail sending service that implemented all of these would send almost no spam, and I'm reasonably confident that it would still have a business. But of course it wouldn't have a business that's as big as you'd get by not bothering to do some of these things (especially confirming email addresses), and it would cost more to operate, and you wouldn't have as many customers because a certain number of the more shady people would stay away (as would all of the cheap people).