It was a big deal, just about a year ago. AOL announced that it would be implementing Goodmail CertifiedEmail, an accreditation service. The service has been operating, according to Goodmail, since May of 2006.
The way it works is that Goodmail sets technical and business criteria for e-mail senders. Those who qualify can pay a per-message fee to send specially signed messages that will be escorted around the standard AOL spam filtering procedures. The messages appear in the AOL client with a special display saying that they are certified as being from the purported sender.
A grass-roots stink was made, engineered by the Electronic Frontier Foundation. Go to DearAOL.com, the home page for the anti-Goodmail revolution, to get their side of it in their own words, but my summary is that the EFF argued that a financial interest in accreditation, and particularly one that had a per-message fee, gave AOL perverse incentives that would result in a degradation of quality in spam filtering.
There are almost 46,000 signers to their petition (although a large number of these signers have names like “buy vicodin online” and “parts corolla” and link to spam sites).
Once it made money on each certified message, AOL would have no incentive to maintain its whitelisting service. As a result, small senders of bulk mail, such as small nonprofits, would find their messages blocked and themselves pressured to pony up money to Goodmail and AOL.
I always thought it was a specious argument. AOL insisted that the revenue cut from Goodmail was bound to be puny and that it was supporting Goodmail not for the direct monies but to decrease its false positives with big commercial senders. This made, and continues to make, sense to me.
So whats happened over the last year? If its really nine months since AOLs been sending out CertifiedEmail, then we should have seen something by now. I decided to ask the major players for their impressions and was surprised that nobody was all that anxious to talk.
AOL and Goodmail, it seems, dont want an annual round of controversy. All AOL would say is that its on target, whatever that means, and that the process by which senders get themselves on the whitelist has gotten simpler, not more difficult.
The requirements are interesting, in that they force the sender to think about both policy and technical considerations, but it all looks doable for all but very small senders (“An organizations mail servers must send a minimum of 100 e-mails per month to maintain whitelist status”). Theres actually a large overlap between AOLs rules and the rules set by Goodmail in its Acceptable Use and Security Policy (here in PDF form).
I asked Goodmail, and it didnt have much to say either, besides its claim that it has “just over 300 sending brands using CertifiedEmail—this in just about half a year of availability.” Incidentally, it also claims to have gone live on Yahoo Mail in December. This is where things got a little confusing.
First, Goodmail says that it “went live … in December at Yahoo,” but Yahoo tells me that “we recently started testing a CertifiedEmail system which includes transactional e-mails from trusted institutions.” A small exaggeration perhaps, beefing up a test into a deployment.
How much Goodmail is
I also checked in with the American Red Cross, which was famously used by both sides as an example in last years Goodmail Flame Wars. Goodmail set up preferential treatment for nonprofits (it turned out to be cheap as opposed to free) and told me recently, as part of the earlier statement about over 300 sending brands using CertifiedEmail, that “[w]e also have a number of nonprofits, such as American Red Cross, Americans for the Arts, Lukemia and Lymphoma Society, and National Center for Missing and Exploited Children, and approximately 80 governmental agencies, ranging from municipal organizations up to federal agencies.”
When I spoke to the American Red Cross they said that they had been working on setting up Goodmail (not a simple process) and were almost ready to start, but hadnt in fact done so.
My final test was my sister, a heavy AOL user, who tells me that she hasnt seen anything that sounds like “CertifiedEmail.” It could just be that she doesnt use the right brands, or perhaps she just hasnt noticed the CertifiedEmail stuff. But shes smart and observant and I would think shed remember it, especially in as much as its designed to be noticed. More likely, there isnt a whole lot of CertifiedEmail out there yet.
Goodmail does claim that by the end of this quarter (March 31, I assume) at least 90 percent of AOLs 22 million users should have seen a CertifiedEmail.
Im skeptical, especially since the only bank I see in its list of brands is KeyBank—banks were supposed to be the perfect CertifiedEmail customers. I suspect the problems are similar to the Red Cross: Setting up Goodmail on a large e-mail list is not a trivial task—nor should it be—and the real volume is probably not far away.
So it may be too early to judge Goodmail completely, but I still argue that the absence of any evidence of the catastrophe predicted by the DearAOL crowd shows that it was just bad science fiction to begin with.
The clearest response I got was from Danny OBrien, activism coordinator at the EFF, who agrees its too early to draw conclusions. He points out, as I had realized on my own, that AOLs business model underwent a revenue transplant over the last year. He argues that as subscription revenues decline, AOL will be more and more tempted to get what it can out of other sources like Goodmail, especially if Goodmail is successful. Its still speculative, but its a better argument than they had last year.
OBrien worries generally about the point “where Goodmail [or other for-pay certification systems that share with the ISP] starts picking up smaller, commodity ISPs and it becomes collectively harder for senders [to] object to the idea of switching to a pay service.”
OBrien shouldnt worry so much. A major part of the Goodmail value proposition is that CertifiedEmail messages appear markedly different from uncertified messages in the client. AOL and Yahoo can do this, as can others with a proprietary mail client, such as GMail. But the typical ISP account that uses SMTP and POP3 and where the user is probably using one of a dozen versions of Outlook or Outlook Express, or perhaps a Mac or Eudora or any of numerous other potential e-mail clients, has no easy mechanism for delivering the software changes to make this possible.
Those users are no better-served by Goodmail than by more conventional accreditation services like Habeas. This difference also helps to explain why it makes sense for Goodmail to share revenue with its clients.
Im still bullish on accreditation and Goodmail, although changes to e-mail do seem to take frustratingly long times. There are plenty of open- and standards-based efforts in this area and related ones, such as the Domain Assurance Council, which is attempting to standardize access to reputation services.
And in the very long term I think that e-mail is the wrong venue for opt-in communications anyway. The sooner all that moves to RSS, which is a pull system from which users can unsubscribe when they wish, the better.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer