What is CSA (Certified Senders Alliance)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
CSA stands for Certified Senders Alliance. It is a whitelist program run jointly by eco, the largest internet industry association in Europe, and the DDV (Deutscher Dialogmarketing Verband, the German dialogue marketing association). If you send commercial email into Germany, Austria, or Switzerland, CSA is the name you keep hearing in deliverability reports.
Think of it like a paid TSA PreCheck for email. You apply, you pay an annual fee, you sign a contract that binds you to a specific list of technical and legal rules, and in return your IPs get added to a feed that participating mailbox providers consume. When your mail shows up, those providers know it came from a vetted sender, so they skip some of the filtering they would otherwise apply.
The participating providers list matters more than the brand. CSA feeds into 1&1, GMX, Web.de, T-Online (Deutsche Telekom), Freenet, mail.com, and a long tail of regional German and European mailbox providers. Those domains together cover the majority of consumer inboxes in the DACH region (Germany, Austria, Switzerland). Gmail, Outlook, and Yahoo do not use CSA. If your audience is US or UK only, the certification will not move your numbers.
What you actually have to do to get certified
The CSA admission criteria are public and they are stricter than what most US senders are used to. The short version:
- Valid SPF, DKIM on every message, and an aligned DMARC record. See What is RFC 7489 (DMARC)? for the policy side.
- Confirmed opt-in (also called double opt-in) for every address on a marketing list. A web form submit is not enough. The recipient has to click a confirmation link before you can mail them.
- A working List-Unsubscribe header, including the one-click POST version from RFC 8058.
- A complaint rate under 0.1 percent at participating providers, measured over a rolling window.
- A bounce rate that stays in normal ranges. Repeated hard bounces to the same address get you flagged.
- A physical postal address and a valid imprint in every message, which is a German legal requirement (the Impressumspflicht), not a marketing nicety.
- A signed contract that gives CSA the right to audit you and revoke certification if you stop following the rules.
The rules are reviewed regularly. The current version is published on certified-senders.org and the eco complaints office handles abuse reports against certified senders.
What you get back
Two things. First, your mail is more likely to reach the inbox at participating providers, because their filters give CSA traffic a benefit of the doubt that uncertified senders do not get. Second, when something does go wrong, you get a faster escalation path. Most German mailbox providers will not talk to a random sender about a deliverability problem. They will talk to CSA.
The certification is not magic. If your complaint rate spikes or you start mailing purchased lists, you lose the cert, and the providers stop trusting your IPs. CSA polices its own list, which is the whole point. A whitelist that lets bad senders stay on it is worthless to the providers consuming the feed.
Where it fits among other standards bodies
CSA is a regional industry program. It is not a global standard. M3AAWG publishes best-practice papers that the whole industry references, the IETF writes the RFCs that define how SMTP, SPF, DKIM, and DMARC actually work, and CSA enforces a compliance program tied to a specific geographic market. They overlap in subject matter but they do different jobs.
If you send into the DACH region and you are not certified, ask yourself why your complaint rate, opt-in process, and authentication are not already at CSA standards. Those are the bar for any serious commercial sender, certification or not. The cert is the proof, not the work.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.