What You Need to Know About DMARC and Deliverability

Bronto's Chris Truitt explains how DMARC works, how it impacts deliverability and he outlines things to consider when configuring your DMARC record.

Spam Museum Welcomes 100,000th Visitor

From the not-just-email department: Local TV station KAAL-TV reports that the Hormel Spam Museum in Austin, Minnesota welcomed its 100,000th visitor last week. Her prize? 200 can of Spam. Yum.

Yuck: iCloud Calendar Spam

Are you one of the many millions of unlucky souls receiving spammy calendar invites? Apple is apparently aware of and working to address this type of thing, according to the iMore blog. But if you can't wait for that, the Verge has a few suggestions on what you can do about it.

Virgin Media is so rustic and artisan you get to hand-sort your own spam

Can't beat that headline. UK ISP Virgin Media is having a few problems with its spam filters, reports the Register. Previously hosting user mailboxes on Google-managed systems, the ISP was forced to bring it back in house after Google stopped selling the service to ISPs. Apparently, hilarity has ensued.

Good news for senders: Instead of blocking mail outright, suspected spam will now be routed to the spam folder. Sounds like ISP users will be able to identify spam and non-spam to the ISP, to help improve the filter over time.

A quick search suggests that @ntlworld.com and @blueyonder.co.uk are probably the relevant Virgin Media email domains affected by this issue. I'll update this post if I learn more.

MegaRBL DNSBL FUBAR

Over on the Word to the Wise blog, Laura Atkins explains what happened with that spate of short-term MegaRBL DNSBL listings you may have noticed last week.

AOL FBL Sending Address Changing

The AOL Postmaster Blog reports that on January 16, 2017, the from address for AOL feedback loop complaints will change from
scomp@aol.net to fbl-no-reply@postmaster.aol.com

AOL Postmaster Lili Crowley reports that this change is being implemented at the same time as they implement DKIM signing of all complaints sent.

AOL seems to be timing the change to occur after the busiest part of the Holiday email season has passed.

Putting Spam to the culinary test

Time for a distraction. The Staunton (VA) News Leader reports on the Virginia Military Institute's Spam challenge, wherein chefs are tasked to "create an entree and two sides using only five mystery ingredients and anything from the pantry, which was comprised of items that would have been available to the World War II-era home cook." Spam croquettes, anyone?

Holiday Season Tip: Don't Experiment

Hey, November and December are a big, important time period for online retailers. Lots of people always ask me what they should do to minimize the risk of deliverability problems during this period. Keeping in time that ISP email volumes are up (way up), ISP staff managing unblocking requests are probably getting more requests than usual, and that they all have holidays they're going to go on at some point. There's not always going to be a backup contact able to help. Responses are going to be slower. Maybe even less forgiving, out of frustration.

So what is the one most important thing you can do to make sure you don't have to deal with any of this? Avoid surprises. This isn't the time of the year to experiment. Don't add a new list. Don't buy a list. Don't mail a seven year old list that you just found in the back of a cabinet (that really happened). New lists, new data sources, anything you haven't been mailing to recently already, that adds new risk. Without knowing the reputation history of mailing to these "new to you" subscribers -- and how they're going to react to your mail in particular, you're opening yourself up to deliverability trouble.

Avoid that trouble. Don't start changing things now. Get through the season before adding more variables to what you're doing.

Gmail Updated on iOS

Google announced an updated version of the Gmail email client for iOS devices today. The big new enhancements seem to be "undo," "swipe to archive or delete" and a faster search function. There does not appear to be any support at all for list-unsubscribe functionality, which Gmail's Android client appears to have. Poking around in the new version of the iOS app, I can't get it to trigger any sort of action based on the list-unsubscribe header whatsoever. Strange, given Gmail was long a driver of this functionality.

Email and the 2016 Presidential Election

Just a few more days until the election, and then everybody can calm down and get back to their normal lives, I hope.

Every time I read the Washington Post, I see another article about email servers or weird DNS server activity. It's tiring.

I don't have the strength or energy to debate folks about the Hillary Clinton email server saga, so I'll just link back to this Word to the Wise post from July where Steve Atkins quotes Lane Winree on how plausible the explanation for the HRC email server scenario actually was. I do personally find it quite plausible. Of course, some commenters disagree, but security best practices aren't a monolith now, nor were they then.

Then there's this whole question of whether or not a Trump owned/managed server was communicating with a Russian bank. One of the people quoted in the Salon article is Paul Vixie. I worked for Paul around 15 years ago. We're not friends, but I generally think of him as a smart guy. Unfortunately, the more I read about this, the more it smells like this was probably just an email service provider running a dedicated outbound email server for marketing campaigns for some business of Trump's. The traffic could just be "typical ESP stuff" -- click tracking connections, image hosting lookups, performing DNS-based authentication checks, etc. and I could pretty much see a few really smart DNS nerds getting confused and thinking something more nefarious was afoot. I think the folks at the Intercept probably agree with me.

So, little to see on one hand and nothing to see on the other. Back to work, everyone.

Barracuda (was) down

Founded in 2003, Barracuda Networks provides anti-spam and security-related hardware and services and was believed to have more than 150,000 clients as of 2014.

Looks like if Barracuda hosts your spam filtering or mail services, you might not be receiving email right now. Multiple folks are telling me that they're having trouble connecting to Barracuda servers to deliver mail. The Register (UK) has mention of Barracuda downtime today as well.

As of 2:26 pm Eastern Time on Wednesday, November 2, 2016, Barracuda's status website says: "Investigating - Customers are experiencing delays with inbound message delivery. Outbound is unaffected.  [...] Engineering and Operations teams are still working to resolve delays in mail delivery."

Update: November 3, 2016: "Barracuda Networks is still continuing to see a large number of inbound connections from unverified sources for customers using Essentials for Email Security and Cloud Protection Layer. We have successfully filtered and are actively monitoring the situation while taking the appropriate actions when needed. Email processing has returned to normal. Previously delayed emails are now being accepted and processed."

Now you can read your email on Xbox One

Jess Nelson of MediaPost's EmailMarketing Daily shares news of the first-ever email client for the Xbox: MailOnX. Though, designers, I wouldn't necessarily start worrying about focusing your email marketing design efforts on Xbox as a platform JUST yet.

Beware: Student loan forgiveness spam

SC Magazine shares details of a Symantec report identifying student loan forgiveness spam as a path for the unwitting to get infected with malware. Particularly timely, given all the news lately about for profit colleges shutting down, leaving ex-students wondering what comes next with regard to their loans.

These spammers aren't very discriminating with whom they're targeting, based on the never-valid addresses I'm seeing the spam come in to. I called the number in one of the spams last Friday and talked to a very unhelpful young lady who didn't want to tell me anything about the unwanted mail she was somehow connected to. But at least I perhaps kept her from scamming somebody for a few minutes.

Not only should you be careful not to believe promises made in these spam messages, but even if they weren't spammers, you apparently still shouldn't be paying for debt consolidation or student loan discharge help.

And remember, no legitimate company is ever going to ask for payment in the form of an iTunes gift card.

Obama Administration Says Text-Spam Law Is Constitutional

Wendy Davis of MediaPost reports on a challenge to the TCPA (Telephone Consumer Protection Act), the US law that is the basis of US prohibition against unsolicited text messaging. The challenger: Facebook. The defender: the government. Read more about it here.

Yahoo! Mail: No Forwarding for you

It is being reported that Yahoo! Mail has disabled the ability for users to enable email forwarding. If you already have the feature enabled, you might be fine. But if not, there's no turning it on now. Conspiracy theorists say it's a play to keep people from leaving Yahoo. I'm not so sure. Is anything ever that simple? What do you think? Read more about it at TechCrunch or Fortune.

Update (October 14, 2016): Yahoo! Mail forwarding has been restored.

Checking an SPF record with the Kitterman SPF Validator

If you received an email message in your Gmail inbox, Google provides easy-to-read authentication results, showing you if the email message in question properly passed SPF authentication.

But what if you want to check a proposed SPF record, a potential change, to see if it is going to work, before implementing it in DNS? Here's how I do that.

DNS consultant and smart guy Scott Kitterman has a useful-and-simple page of tools for SPF Querying and Validation. Go to this page. Scroll down to "Test an SPF record." Fill out the form, submit it, and his checking tool will tell you if the proposed SPF record passes validation.

Let's do this with my xnnd.com domain. I want to test this as a potential SPF record: v=spf1 ip6:2607:f2f8:a760::2 ip4:167.88.36.240 ip4:162.244.29.202 ip4:206.125.175.2 ip4:184.105.179.157 ip4:174.136.106.18 include:_spf.google.com ~all

I'm going to use 162.244.29.202 as my sending IP address, it's my primary email server currently.


For the MAIL FROM address, I put in the return-path (MFROM) address that my mailing list uses. For the HELO address, I put in what I think my server's name is from its mail software configuration. (If you're not sure, just put in bounce@(domain) in Mail From, and (domain) in HELO Address. If I had done that here, it would be bounce@xnnd.com and xnnd.com.)

Then hit the "Test SPF Record" button and you'll get a response something like this one:


The important bit we're looking for here is "Results - PASS sender SPF authorized." That tells us that this SPF record is correct, and that mail with a message from of delivowner@xnnd.com will properly authenticate when sent from IP address 162.244.29.202, if I were to implement this SPF record in DNS.

If I was getting an error or I had typo'd something, I could hit the "back" button in my browser, make corrects, and test again.

Best practices for parked domains

A few months ago, I posted about "SPF Lockdown," a simple way to use an SPF (sender policy framework) DNS record to tell the world that a given domain sends no mail.

Email/anti-abuse industry group M3AAWG has some useful guidance that goes even further. Back in December 2015, they published a white paper entitled "Protecting Parked Domains Best Common Practices." It covers what I refer to as SPF lockdown, and it additionally instructs you on how to configure appropriate DKIM and DMARC DNS entries to both ensure that your non-mailing domains are as secure as possible, and enable you to receive reports about bad guys misusing your domain.

You can download the white paper here.

AOL announces Alto, new mobile email app

On Thursday, AOL launched iOS and Android versions of "Alto," a "proprietary email intelligence engine built to analyze and restructure the mountain of valuable data buried across multiple inboxes," aka a fancy new email client with time-saving email-sorting functionality built in.

AOL aims to help you simplify dealing with massive amounts of emails, by having the Alto engine automatically organize messages into "stacks" based on message type. 

You don't have to be an AOL email user to use Alto. The Alto email client supports email accounts from AOL, Gmail, Yahoo!, Outlook, iCloud, Outlook, Exchange and "any other IMAP email provider."

Do we need another email client? I guess I'll download and test this one out and see, but I'm not holding out that it's going to be a magic replacement for my iOS Mail (of which I am a heavy user). I'll be curious to see if it renders emails any differently. I'm sure that'll give designers fits, if so.


For more about Alto, read the Fast Company article, check out the AOL press release, or click on over to the Alto Mail website.