warmbox/docs/11-esp-compliance-playbook.md

3.9 KiB
Raw Blame History

ESP Compliance Playbook

How to avoid Google, Microsoft, and Yahoo flagging Warmbox as an abusive or detectable warmup service.

Threat model

ESPs detect warmup services via:

Signal Detection vector
Volume spikes Sudden send increases
Machine cadence Sends every N minutes exactly
Identical content Same body hash across mailboxes
Artificial pools Known warmup IP/domain clusters
100% engagement Every message opened/replied
Bad pool hygiene High bounce rate in network
Missing auth SPF/DKIM/DMARC failures
Spam complaints User marks as spam

Warmbox mitigations

1. Own satellite pool (phase 1)

User controls all mailboxes. No unknown third-party addresses. Lower pool-toxicity risk than public warmup networks.

2. Human-like scheduling

  • Send windows (business hours)
  • Random jitter 45180 min between sends
  • 48h volume cap +20%
  • Weekend volume reduction (optional)

3. Realistic engagement

  • Reply rate 3045%, not 100%
  • Some messages: rescue + read, no reply
  • Varied AI content with validation
  • Threaded replies with proper In-Reply-To

4. Content hygiene

  • Plain text, no links/pixels in warmup
  • No placeholder templates
  • Industry-appropriate language
  • No sales spam triggers

5. Authentication

Pre-flight checks before campaign start:

Check Required
SPF record Pass or warn
DKIM signing Pass or warn
DMARC policy Present (p=none minimum)
Reverse DNS Warn if missing

POST /mailboxes/:id/dns-check (future)

6. Volume discipline

Rule Value
Max warmup sends/day/mailbox 50 hard cap
Recommended max 40
New domain age before warmup 14 days recommended
Never stop warmup during cold sends Maintenance mode 20%

7. Auto-pause

Trigger Action
Bounce rate >5% Pause campaign
Spam rate >30% (3 days) Pause + alert
Auth errors Mark error, stop
Complaint signal (future) Immediate pause

8. Peer network (phase 3 only)

If added:

  • Verify DNS on every peer mailbox
  • Remove bouncing addresses within 24h
  • No cross-tenant data leakage
  • Rate limit peer assignments
  • Monitor pool spam rate aggregate

Provider-specific guidance

Google Workspace / Gmail

  • Use app passwords or OAuth
  • Enable Postmaster Tools
  • Target spam rate <0.1% (alert at 0.3%)
  • Avoid connecting consumer Gmail accounts with suspicious bulk patterns
  • [Gmail]/Spam rescue is user-owned mail — acceptable

Microsoft 365 / Outlook

  • Enable IMAP/SMTP auth
  • Respect sending limits (~30/min, ~10k/day)
  • Monitor SNDS (future)
  • Junk folder rescue

Yahoo

  • App password required
  • Lower daily limits than Google
  • Watch Bulk folder

What Warmbox is NOT

  • Not a cold email sender — don't blast prospects through warmup
  • Not a link tracker — no pixels in warmup phase
  • Not a shared bot network — own satellites first

Operators must:

  • Own or control all connected mailboxes
  • Comply with provider Terms of Service
  • Not use warmup to deceive recipients (warmup is internal engagement only)

Document in Terms of Service before SaaS launch.

Compliance checklist (pre go-live)

  • SPF/DKIM/DMARC verified on primary domain
  • Domain age ≥14 days
  • Recipe = Grow, duration ≥30 days
  • Reply rate ≤45%
  • ≥4 satellites assigned
  • AI validation enabled
  • Send window configured
  • Postmaster Tools connected (Gmail)
  • Test campaign 48h with 2 sends/day before full ramp

Rumor: "ESPs detect warmup services"

Partially true. ESPs detect patterns, not brand names. Mitigation is behavioral realism + own pool + auth + volume discipline — not hiding that warmup exists.

Warmbox should be undetectable as a low-quality bot network, not invisible as a product.