[dbc]

I don't have any advice for software to use, buy I do suggest you use something other than your production DNS domain and mail server for sending out these messages. Even if all of them opt-in, some of your recipients will mark your messages as spam and that mail server/domain will start to show up on blacklists. If your production domain is xyzcorp.com, maybe you should register xyzcorp-messages.com for this activity.

[pbhjpbhj]

This sounds like really bad advice to me. If one were going to set up a spam/phishing operation then the first thing would be to choose a domain like xyzcorp-messages.com. I'm sure that the blacklists look at domain age and prior performance too. Anything marked spam from a brand new domain, which appears to be a phishing domain, that has no history of not spamming associated with its ownership is surely going to pop into a blacklist faster.

You have some evidence experience to back up your suggestion?