One of the biggest concerns we hear from marketers about do-not-email (DNE) lists is how to secure them -- not just from random hackers but from rogue affiliates, as well as staffers at a third-party suppression service.

In this second half of our special report on creating and managing DNE lists, we'll cover: securing your list, protecting against accidentally contacting people on the list, in-house management versus outsourcing to a suppression service. Plus you'll find a list of vendors and a link to Part I at the end.

Security concerns for DNE lists

Your house mailing list is one of your biggest assets, but your DNE list is solid gold compared to it. Why? Because it's full of live addresses owned by people who care about them. (What an irony! Your cleanest list is made up of people who don't want anything from you.)

You don't want to hand over your DNE list with the email addresses showing. Even encrypting data might not prevent an unauthorized person from decrypting it.

Don't rely on a password-protected Web site, either. Passwords won't do you much good if they don't expire after they get used, if everybody has the same password, or if a disgruntled affiliate or employee has access to it.

Solution? You may want to use an outside vendor to manage DNE lists. That vendor can run multiple mailing lists against each other without revealing data to other parties that don't need the information. The sophisticated companies are using match-code technology or a process called "hashing" to code data in a way that the original data can't be detected.

More data on these companies below...


What if Somebody Wants to Resubscribe?

This is another question we hear over and over, because it's a gray area in the CAN-SPAM law.

Some conservative marketers have taken it to mean that they will never, ever send anything to that address anymore, and any queries from a DNE-list address will go unanswered.

Unless the Federal Trade Commission's impending regulations say differently, we'll say that you can return a DNE-list address to active status, but only if you take extreme care and log all contacts showing who contacted whom first.

If you get a new subscription request from a DNE-list address, you'll have to treat it differently from standard requests. Your email vendor can also suggest alternatives based on your operating systems, but here are two possibilities:

-- At your Web site, requests coming from DNE-list addresses from a Web form can trigger a warning page or pop-up alert reminding users that they had previously opted out of email and asking them to confirm the request.

If you get an affirmative, remove the address first from your DNE list and then proceed with the subscription process.

-- Email subscription requests would trigger an autoresponder message with the same warning and confirmation request that would go on a Web page. You might have to override your DNE protection in order to send that email, though.

Requests that come from alternative channels -- point-of-purchase forms, customer-service dealings, etc. -- you'll have to handle almost case by case. Again, your database manager or email vendor might suggest a method.

We can't tell you exactly how to do it, because it will depend on how your list software works and how you have configured it to check against your DNE list for matching addresses and prevent accidental mailings.

How Does a DNE List Affect Viral Marketing?

You can't stop your subscribers from forwarding your email messages from their own email programs. If they use your forward-to-a-friend or email-to-a-friend systems, then you become the sender. If the email goes to someone who has opted out, you could be in big trouble.

As with getting resubscribe requests, you will have to intercept that forward, either with a Web form or an email autoresponder, denying the forward because the address is on your DNE list.

This procedure applies to all of your timed notices, too, even those as benign as birthday or anniversary acknowledgments. Nothing goes out unless it runs through your DNE list first.

Your system should ping your DNE list first and respond accordingly if it finds a match.

Being this cautious will hurt you if your lead-acquisition or sales-generating programs depend on forwarding. On the other hand, you haven't lost much, because those addresses don't want to hear from you, anyway.

In-House or Outsourcing?

First, before you start searching for someone to manage your list, grab your email broadcast vendor to see what it's doing to create and manage in-house DNE lists.

Some bigger shops, such as Digital Impact, Silverpop and EmailLabs, and major list brokers such as NetCreations, either have gone ahead and created a service, as an add-on or a standard feature, or are developing one.

How you run your business will also determine whether you can manage your list in-house or find it better to outsource.

One major loyalty marketer, which emails special offers to its 10-million-address house list on behalf of its advertisers, also uses affiliates to acquire new members.

All of the emails it sends to its own list use the company's name either as the sole sender or as a dual sender with the advertiser's name. The company manages that DNE process in-house, accounting for 95% of its business.

Acquisition campaigns it runs with affiliate partners make up the remaining 5%. For those campaigns, it uses a third-party suppression service, which scrubs the DNE list against the affiliates' own lists.

The less complex your email program is, the more likely you can manage with an in-house program. If you work with affiliates, collect addresses from multiple channels, rent lists or email third-party offers along with company news and newsletters, an outsourced service will make your life easier.

If you decide to outsource, you'll want to quiz prospective vendors closely on turnaround time, list security, cost structure and integration with other applications, such as sales lead generation, contact management or customer service and relationships.

How to Pick a Vendor: 14-Question Checklist

Ready to outsource? This niche of the market is young but growing, with companies offering different approaches and at different cost levels.

Your first step is to develop a shortlist of three to four prospective vendors:

-- Start at the Web sites of some well-established email-service providers or list brokers to see if they offer stand-alone suppression services.

-- Review the sample list of vendors in the resource list below.

-- Search the Web using keywords such as "email suppression" or "suppression services."

-- Ask your email vendor, IT or marketing staffs for recommendations.

Got your list? Now, ask these questions:

#1. Are you bonded?

#2. What physical security and data back-up do you provide?

#3. How do you secure my list from unauthorized users once I send it to you?

#4. How do you code the data to prevent affiliates from figuring out who's on my DNE list?

#5. Who has access to my data and for how long?

#6. In what form do you deliver the data to my affiliate?

#7. What format do I use to upload data?

#8. How fast can you turn around my list?

#9. How do you structure fees, and what are they?

#10. Do you retain my list in your database or drop it after you scrub my partner's list?

#11. Do you remove the opt-outs that come in from my partner's campaign?

#12. What third-party auditing services do you use to verify your privacy and security practices?

#13. What's your background in the email industry? What other services or companies are affiliated or associated with this one? Who are the company leaders and what are their backgrounds?

#14. Can you integrate this system with my sales or CRM applications?

Resource list: Four Suppression-service Vendors

Note: This is only a sample list. MarketingSherpa.com doesn't endorse any of the vendors listed. Search the Web using keywords such as "email suppression" or "CAN-SPAM suppression" to bring up more vendors.

UnsubCentral.com
http://www.UnsubCentral.com/
Joshua Baer, CEO
This new company is an independent offshoot of Austin, Texas-based SKYLIST, an email-services provider.
Services: One-stop opt-out management service, including list scrubbing, DNE list hosting and integration, reporting.
Fees: $250 set up, $250 monthly plus $25 per merge/purge

CANComply (in development; beta testing)
http://www.cancomply.com/
Steve Webster, president
Offshoot of email services provider iPost.
Services: Consent Manager tracks and manages opt-out list. Mailflow Manager manages outbound email for compliance. Beta testers welcome: email mailto:cancomply@ipost.com
Fees: Consent Manager, $2,495 annual flat rate. Mailflow Manager, $495 annual license for plug-in (open-source plugin for sendmail free but no tech support). iPost hosted database, $4,995 annual flat rate, 10 million records max.

Pica9
http://www.pica9.com/
Kevin Groome, CEO
Marketing services company
Services: Manages DNE lists for companies sending to relatively low-volume email lists, such as sales people, travel agencies, etc.
Fees: $2,500 set-up, $200 to $300 to create custom templates, send fee per email of 2-3 cents

CAN-SPAM Compliance Company
http://www.can-spamcompliance.com/
Michael O'Brien, CEO
Services: Opt-out list management, message review for compliance, consulting and reporting
Fees: $250 to $500 monthly.

Also, here's a link to the first part of this report:
How to Create, Manage, & Use a Do Not Email List for Protection from CAN-SPAM Lawsuits:
http://www.marketingsherpa.com/sample.cfm?contentID=265