Admission Criteria. Pertaining to the participation of bulk mailers in the Certified Senders Alliance (CSA) 2014-03-19 Page 1 of 9 Version 1.




Admission Criteria
Pertaining to the participation of bulk mailers in the Certified Senders Alliance (CSA)
2014-03-19, Version 1.09

1 Preamble

This document describes the criteria for adding bulk senders to the CSA as defined by eco Association of the Internet Industry e.V. (eco) in cooperation with the Anti Spam Task Force and the Deutscher Dialogmarketing Verband (DDV - German Direct Marketing Association). Fulfilling the criteria does not guarantee delivery of emails to the addressed users, as ISPs can inhibit messages and actions for reasons of network security and stability, and the emails may therefore not be acknowledged.

2 Required Admission Criteria

a. Names and IP addresses of all outgoing mail servers shall be provided regardless of whether these are to be white-listed or not; the sender shall specify in detail which IP addresses are to be white-listed and which are not. The use of mail servers that are not supposed to be white-listed is admissible only in the following cases:

   aa. New customer mailings if the number of mailings does not exceed 3 and the first mailing did not take place over 2 months ago.

   bb. Mailings destined exclusively for circles and markets that are not subject to the European Union laws pertaining to personal data processing and electronic communication; this shall not apply if the recipient email address is assigned to one of the participating ISPs in the CSA.

   A mailing is the act of sending, at the same time, an email with essentially the same content to a previously determined group of receivers. The sender has to explain the use of mail servers that are not supposed to be white-listed to the CSA in writing; the reasoning given by the sender is legally binding for the sender.

Consent

b. Emails are only sent to receivers who have given their consent to receive these emails according to section 7, paragraph 2, number 3 UWG (Act Against Unfair Competition) (opt-in) or have a business relationship with the advertiser, and the conditions according to article 13 section 2 of the European Parliament and Council Directive 2002/58/EU on Privacy and Electronic Communication are met. (Direct advertising of the sender's own products or services of a similar nature; indication of the free-of-charge possibility to disallow use of the email address, both at the time of request of permission and in every usage of said email address.)

c. The consent to receive advertisements through email has to be given separately. The receiver must either click/mark a box or otherwise give a comparatively clear declaration of consent to receive advertisements via email. This declaration may not be part of other declarations (such as agreeing to terms and conditions).

d. The receivers must give their consent actively through a conscious act. Pre-clicked/pre-marked boxes may not be used. In the case that permission has not been clarified either in writing or electronically, a written confirmation is required from the address owner. The possibility to disallow the permission at any time must be clearly indicated at the time of requesting permission. The indication must also include information on how to disallow permission, and who to contact in order to do this.

Email format

e. The contracting entity, that is, the contracting partner of the sender of an advertisement, must be clearly recognizable. Every sent email shall contain an easily noticeable "about us", either in the text or through a direct link. The "about us" section shall contain the following information:

   aa. name and address of the sender; for legal entities, in addition to name and address, the legal form of the entity, authorized representative and the Commercial Registry, Association Registry, Partnership Registry or Cooperative Society Registry they are registered with, as well as the appropriate registration number.

   bb. contact information, at least a valid telephone number or an electronic contact form, as well as email address and

   cc. if there is a value added tax identification number according to section 27a of the value added tax act or a business identification number according to section 139c of the tax code, this number shall be provided.

   Further reaching information obligations, for example according to section 5, paragraph 1 of the Telemedia Act (Telemediengesetz, TMG), remain untouched.

f. Each email must contain an option to withdraw permission to send any further emails. Cancellation must be possible for the receiver without having to know access data (such as login/password). Exceptions may be admissible in single cases as special cases occur in the administration of the offering party; see point 2v regarding List-Help. Cancellations must be processed promptly.

g. Neither the sender nor the commercial character of the message may be obscured or concealed in the header or the subject header of the email. Obscuring or concealing takes place when the header and subject header are composed in such a way that the receiver cannot get any information, or can get only misleading information, about the actual identity of the sender or the commercial nature of the message before the message is opened and read.

h. When using email addresses that the sender or his customers received from third parties, the sender or his customer is obligated to make sure, before the advertisement action is taken, that only receivers who have given their consent according to these criteria are emailed; this consent must refer not only to mailings sent by a third party but also to mailings sent by the sender himself or the sender's customer.

i. The retrieval of address data for third parties (such as through co-sponsoring) should be transparent to the user. Moreover, address data retrieved in such a way should only be used for a mailing if

   aa. the companies for which the address data is generated were named individually, transparently, and categorized by industry, and

   bb. the access to the list of companies was clearly possible and easy for the users, and

   cc. the number of companies or persons for whom the address data was collected is reduced in a way that excludes the forwarding of user data to an unreasonably large circle of third parties and that allows the user to easily comprehend the consequences and the extent of his consent as well as to easily control the legal handling of his data.

   For clarification purposes we would like to point out that the companies for which the address data is generated may not forward this address data to third parties without a special consent from the user to do so.

Technical Configurations

j. The sender's servers must be technically secure (e.g. firewall, no open relays, no backscatters, constantly monitored server, etc.).

k. Each sent email (composition and configuration) as well as the sending of the email (envelope communication in the SMTP dialogue) must always be in accordance with RFC standards. The following RFCs amongst others are authoritative: 821, 2142, 2821, 2822.

l. The IP address of the sending mail server, or respectively the IP address which hands an email to the Internet Service Provider, must be reverse-resolvable via PTR. The entry must be in the form of a FQDN (Fully Qualified Domain Name). The used FQDN must clearly point via an A-record (ARR) to the IP address of the MTA. The used FQDN entered in the DNS must be given in the SMTP dialog (envelope communication) with the HELO/EHLO command.

m. The WHOIS information of the IP address or of the related FQDN must clearly reference the certified sender. Moreover, for the IP addresses and FQDN, reachable contact email addresses as well as easy-to-find general abuse email addresses must be included in the WHOIS (see also RFC 2142, RFC 3013 section 2.5 and current guidelines/best practices of the RIRs and registries).

n. The sender has to set up a separate abuse/complaint or feedback loop email address for the IP addresses he uses and communicate it to the CSA (freely definable ROLE account with the purpose of receiving, as the case may be, automated complaints or requests from ISPs or receivers). The ability to process ARF (see RFC 5965 and X-ARF [1]) is required. Furthermore, a feedback loop address (sender ROLE account responsible for receiving questions from ISPs) and the phone and email address of a contact person for complaints must be provided. Response time for complaints must not exceed 24 hours on business days.

o. The sender must have sole control over the outgoing mail servers.

[1] See http://www.x-arf.org for detailed information.

p. The outbound email servers named by the sender may only be used for the mass mailing or respectively automated sending. Ideally, it should be possible, for instance, to assign specific campaigns/mailings to certain dedicated systems.

q. The sender must remove email addresses from the mailing list after three hard bounces [2].

r. For the MAIL FROM address indicated in the SMTP communication between email servers, an SPF From record must be kept which allows the SPF system on the receiver side to perform an SPF test (where applicable, the sender is also to implement an SRS procedure). The SPF record must end in ~all or -all. Please also follow the guidelines under the recommendations on sender ID entries under 3.g.

s. An SPF-HELO entry for the FQDN of the sending email server must be made and should, if possible, end with -all (when ~all is not doable), equivalent to the information entered in 2l.

t. Regarding the MAIL FROM address recorded in the envelope communication between email servers, an additional and possibly marked lowest priority MX record and an A record must exist for its domain name part and both point to the sending email server.

u. The DKIM procedure (DomainKeys Identified Mail) [3] is to be implemented for all servers/IP addresses to be certified at the latest by the time of successful certification through the CSA. The domain used in the DKIM d= tag must be shown in a WHOIS entry either as the certified sender or a relevant customer thereof.

v. The email header must contain a List-Unsubscribe link (see RFC 2369) [4]. The named links must enable an easy unsubscribe at least at the list level. The List-Unsubscribe header contains at least one HTTP link. The sender can send the user a confirmation email informing of the successful unsubscribe. Exceptions to this obligation can be claimed when it is not possible to unsubscribe in the above mentioned way and sending an automated email is not necessary or possible due to the type of service. The complaint hotline shall decide in these exceptional cases.

[2] Email server status codes that begin with a 5 are to be classified as hard bounces. See RFC 3463.
[3] See http://www.dkim.org
[4] See also http://en.wikipedia.org/wiki/verp and http://www.list-unsubscribe.com/

   In the case of an exception, a List-Help link (see RFC 2369) must be added to the header. The link must lead to a help or login site which explains to the recipient how to unsubscribe from further mailings, or why this is not possible on legally binding grounds, and these grounds are to be named.

w. A List-Id header (see RFC 2919) must be included in the sent emails which makes it possible to transparently comprehend the list of receivers (receiver circle) and a clear reason for the mailing. If it is possible by the type of mailing (for instance advertising mailing), the mailing campaign should be conclusive.

x. At the latest two weeks after successful certification, the sender is to add an X-CSA-Complaints header. The header line is to read: X-CSA-Complaints: whitelistcomplaints@eco.de. The fulfilment of this criterion is to be confirmed for the CSA through a test mailing to seeds@helpdesk.certified-senders.eu.

y. DKIM Failure Reporting by the recipient must be enabled through entries or extensions in the relevant DNS records. DKIM Failure Reports must be received by the certified sender or the customer thereof (see RFC 6651).

z. SPF Failure Reporting (for SPF-MFROM and SPF-HELO) by the recipient must be enabled through entries or extensions in the relevant DNS records. DKIM Failure Reports must be received by the certified sender or the customer thereof (see RFC 6652).

3 Recommended Admission Criteria / Double Opt-In

a. It is recommended to collect user data over the internet preferably through the double-opt-in (DOI) method. The DOI as understood by the CSA agreement describes a procedure through which an email that explains the consent to receive emails (consent email) is sent to the recorded email address and the receiver confirms his/her consent by answering the consent email or by clicking on a link confirming his/her consent. Only after receiving the confirmation from the recipient is the sender entitled to use the confirmed email address. If the consent is not given in due time, the data connected to the email address must be deleted. A DOI which only verifies the email address and does not explicitly verify consent (for instance for lottery games verifying the address to send the prize) would not qualify as a DOI in this sense.

   The confirmation email may not contain advertisements or any other contents. The CSA participants commit to only calling the procedure used by them a DOI if it fulfils these requirements.

b. It is recommended to already inform the user about the sending email address when they are requesting a service, for example a newsletter request, to enable the addressee to make an addition to their address book.

c. It is suggested to include the date and newsletter subscription IP in the email header to help the user to remember signing up. Moreover, the sign-up information should be repeated in the body of the email as well. This should include the signed-up email address, sign-up date and the website on which the receiver signed up.

d. It is suggested that for each from-sender-address (their email domain respectively), under certain circumstances, an additional MX record for the sending IP address with possibly the lowest priority is included in the email headers.

e. It is recommended not to conduct mailings to new customers exclusively through mail servers that are not white-listed.

f. It is recommended to implement a sender ID record for the PRA email address identified in the header of the receiver which allows a PRA sender ID test on the receiver side. When sender ID entries are made, they have to be made in the clearly defined form spf2.0/pra.

g. HTML formatted emails should generally be expanded with a text part (MIME). This should contain unsubscribe and newsletter information because the receivers cannot always receive HTML formatted emails properly.

h. It is recommended to insert a valid sender address so that the receiver can contact the sender by hitting reply. Should this not be the case, it is recommended to at least include a "reply-to" address.

i. The collection of address data for third parties (through co-sponsoring for example) should be transparent to the user [5]. Especially address data collected in this manner should only be used for a mailing if the number of companies or persons for whom address data was collected does not exceed 10.

[5] Cf. the required admission criterion under section 2.i

j. It is recommended to evaluate the DMARC [6] procedure and to implement the corresponding DNS records on the sender side so that ISPs as recipients can check the received emails according to the predetermined parameters. When the procedure is implemented, the reporting email addresses must be specified in such a way that reports sent by ISPs are processed by the certified sender or the customer thereof.

4 Legality

a. The sender is responsible that the mailing is conducted legally and that the contents of sent emails are not against the law.

b. The sender also assumes responsibility for the legal requirements and lawful implementations of the criteria laid forth in this document to be applied to each and every email, for example that the IP address of the requestor is in the header line.

5 Subject to Change

eco reserves the right to change the criteria with six weeks' notice. The bulk sender has the right to terminate the agreement in this case. Should that happen, already paid dues shall be prorated and refunded.

[6] See http://www.dmarc.org
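
The header and SPF requirements of section 2 (criteria 2.r, 2.s, 2.u, 2.v, 2.w and 2.x) can be checked mechanically before a test mailing. The following pre-flight check is an added example, not part of the CSA document; the function names, the example.com domains and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Address exactly as printed in criterion 2.x of this document.
CSA_COMPLAINTS = "whitelistcomplaints@eco.de"

def http_links(value):
    """http(s) URIs in an RFC 2369 header value such as '<mailto:..>, <https://..>'."""
    uris = re.findall(r"<\s*([^<>\s]+)\s*>", value or "")
    return [u for u in uris if u.lower().startswith(("http://", "https://"))]

def dkim_domains(msg):
    """d= tag of every DKIM-Signature header; 2.u ties this domain to WHOIS."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in sig.split(";") if "=" in t)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if tags.get("d"):
            found.append(tags["d"].lower())
    return found

def audit_headers(raw):
    """Return the ids of the section 2 header criteria that a raw message fails."""
    msg = message_from_string(raw)
    failed = []
    if not dkim_domains(msg):
        failed.append("2.u")
    # 2.v: an HTTP link in List-Unsubscribe, or a List-Help link in the
    # exception case (whether the exception applies is decided by the hotline).
    if not (http_links(msg.get("List-Unsubscribe"))
            or http_links(msg.get("List-Help"))):
        failed.append("2.v")
    # 2.w: RFC 2919 List-Id, an optional phrase followed by <label.namespace>
    if not re.search(r"<[^<>\s]+\.[^<>\s]+>", msg.get("List-Id", "")):
        failed.append("2.w")
    if (msg.get("X-CSA-Complaints") or "").strip().lower() != CSA_COMPLAINTS:
        failed.append("2.x")
    return failed

def spf_ends_in_fail(txt):
    """2.r / 2.s: the last mechanism must be ~all or -all. name=value
    modifiers (e.g. the RFC 6652 reporting modifiers) are skipped."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    mechanisms = [t for t in terms[1:] if "=" not in t]
    return bool(mechanisms) and mechanisms[-1].lower() in ("~all", "-all")

# Constructed sample messages (not real traffic).
GOOD = """\
From: News <news@mail.example.com>
To: user@example.net
Subject: March newsletter
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example.com; s=k1;
 h=from:subject; bh=AAAA; b=BBBB
List-Unsubscribe: <mailto:unsub@mail.example.com>,
 <https://mail.example.com/u?id=123>
List-Id: March offers <offers.mail.example.com>
X-CSA-Complaints: whitelistcomplaints@eco.de

Hello
"""
BAD = """\
From: News <news@mail.example.com>
Subject: March newsletter
List-Unsubscribe: <mailto:unsub@mail.example.com>

Hello
"""

if __name__ == "__main__":
    print("good:", audit_headers(GOOD))
    print("bad: ", audit_headers(BAD))
    print("spf: ", spf_ends_in_fail("v=spf1 ip4:192.0.2.10 -all"))
```

The check covers only what is visible in the message and in a TXT record string; the PTR, WHOIS and MX requirements (2.l, 2.m, 2.t) need live DNS and registry lookups.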