Now you can read your email on Xbox One

Jess Nelson of MediaPost's EmailMarketing Daily shares news of the first-ever email client for the Xbox: MailOnX. Though, designers, I wouldn't necessarily start worrying about focusing your email marketing design efforts on Xbox as a platform JUST yet.

Beware: Student loan forgiveness spam

SC Magazine shares details of a Symantec report identifying student loan forgiveness spam as a path for the unwitting to get infected with malware. Particularly timely, given all the news lately about for profit colleges shutting down, leaving ex-students wondering what comes next with regard to their loans.

These spammers aren't very discriminating with whom they're targeting, based on the never-valid addresses I'm seeing the spam come in to. I called the number in one of the spams last Friday and talked to a very unhelpful young lady who didn't want to tell me anything about the unwanted mail she was somehow connected to. But at least I perhaps kept her from scamming somebody for a few minutes.

Not only should you be careful not to believe promises made in these spam messages, but even if they weren't spammers, you apparently still shouldn't be paying for debt consolidation or student loan discharge help.

And remember, no legitimate company is ever going to ask for payment in the form of an iTunes gift card.

Obama Administration Says Text-Spam Law Is Constitutional

Wendy Davis of MediaPost reports on a challenge to the TCPA (Telephone Consumer Protection Act), the US law that is the basis of US prohibition against unsolicited text messaging. The challenger: Facebook. The defender: the government. Read more about it here.

Yahoo! Mail: No Forwarding for you

It is being reported that Yahoo! Mail has disabled the ability for users to enable email forwarding. If you already have the feature enabled, you might be fine. But if not, there's no turning it on now. Conspiracy theorists say it's a play to keep people from leaving Yahoo. I'm not so sure. Is anything ever that simple? What do you think? Read more about it at TechCrunch or Fortune.

Update (October 14, 2016): Yahoo! Mail forwarding has been restored.

Checking an SPF record with the Kitterman SPF Validator

If you received an email message in your Gmail inbox, Google provides easy-to-read authentication results, showing you if the email message in question properly passed SPF authentication.

But what if you want to check a proposed SPF record, a potential change, to see if it is going to work, before implementing it in DNS? Here's how I do that.

DNS consultant and smart guy Scott Kitterman has a useful-and-simple page of tools for SPF Querying and Validation. Go to this page. Scroll down to "Test an SPF record." Fill out the form, submit it, and his checking tool will tell you if the proposed SPF record passes validation.

Let's do this with my domain. I want to test this as a potential SPF record: v=spf1 ip6:2607:f2f8:a760::2 ip4: ip4: ip4: ip4: ip4: ~all

I'm going to use as my sending IP address, it's my primary email server currently.

For the MAIL FROM address, I put in the return-path (MFROM) address that my mailing list uses. For the HELO address, I put in what I think my server's name is from its mail software configuration. (If you're not sure, just put in bounce@(domain) in Mail From, and (domain) in HELO Address. If I had done that here, it would be and

Then hit the "Test SPF Record" button and you'll get a response something like this one:

The important bit we're looking for here is "Results - PASS sender SPF authorized." That tells us that this SPF record is correct, and that mail with a message from of will properly authenticate when sent from IP address, if I were to implement this SPF record in DNS.

If I was getting an error or I had typo'd something, I could hit the "back" button in my browser, make corrects, and test again.

Best practices for parked domains

A few months ago, I posted about "SPF Lockdown," a simple way to use an SPF (sender policy framework) DNS record to tell the world that a given domain sends no mail.

Email/anti-abuse industry group M3AAWG has some useful guidance that goes even further. Back in December 2015, they published a white paper entitled "Protecting Parked Domains Best Common Practices." It covers what I refer to as SPF lockdown, and it additionally instructs you on how to configure appropriate DKIM and DMARC DNS entries to both ensure that your non-mailing domains are as secure as possible, and enable you to receive reports about bad guys misusing your domain.

You can download the white paper here.

AOL announces Alto, new mobile email app

On Thursday, AOL launched iOS and Android versions of "Alto," a "proprietary email intelligence engine built to analyze and restructure the mountain of valuable data buried across multiple inboxes," aka a fancy new email client with time-saving email-sorting functionality built in.

AOL aims to help you simplify dealing with massive amounts of emails, by having the Alto engine automatically organize messages into "stacks" based on message type. 

You don't have to be an AOL email user to use Alto. The Alto email client supports email accounts from AOL, Gmail, Yahoo!, Outlook, iCloud, Outlook, Exchange and "any other IMAP email provider."

Do we need another email client? I guess I'll download and test this one out and see, but I'm not holding out that it's going to be a magic replacement for my iOS Mail (of which I am a heavy user). I'll be curious to see if it renders emails any differently. I'm sure that'll give designers fits, if so.

For more about Alto, read the Fast Company article, check out the AOL press release, or click on over to the Alto Mail website.

Not receiving Yahoo FBL Confirmations? What to do

ISP Feedback Loops (FBL) are valuable for email senders and email service providers (ESPs). It provides valuable information on who is complaining about your mail. Not only does it (usually) allow you to unsubscribe people who complain, preventing them from lodging any additional black marks against your sending reputation, but it allows you to roll aggregate stats that can tell you which lists or list segments are causing your deliverability problems. List two has a 150% higher complaint rate than lists one and three? Then list two needs some attention, and quick, before those complaints cause you to get blocked or sent to the spam folder when attempting to send to Yahoo subscribers.

Signing up for the Yahoo FBL is a pretty straightforward process. You just submit your new domain to Yahoo via their Yahoo's ISP Feedback Loop form, along with some simple information about who you are and where complaints should be sent. As the final step, Yahoo will send an email message containing a verification code to the "postmaster" mailbox at the domain you are attempting to register. This proves that you have control over the domain, and that you're not trying to sign up somebody else's domain without their knowledge or consent.

Yahoo requires that you receive this email message, retrieve the verification code, and paste it into the Yahoo FBL registration form.

Sometimes folks don't receive that important email message, and are then unable to complete the FBL registration. If that happens, here's what to do.

In almost every instance where I hear of someone not receiving a Yahoo FBL verification code email, it has been due to one of two problems:

  1. You can't actually receive any mail at that postmaster address, so the verification code email is bouncing. This is easy to test. Go to an outside email client (Yahoo or Gmail), and send a message to postmaster@ (your domain). Does the message bounce? Does the message reach you in the inbox? Does it go to a mailbox that you can access? If you can't find this message, you've got a problem to fix before you can sign up for the Yahoo feedback loop.
  2. Your mail server is rejecting the verification code email message because the from line used by Yahoo is too long. In particular, this affects users of the PowerMTA platform. Laura Atkins explains why this happens and how to fix it, over on the Word to the Wise blog.

This is a question I get asked fairly regularly, so I hope you find this little blog post on the topic to be useful.

Note: To participate in Yahoo's Feedback Loop, there is a prerequisite: You must authenticate all mail by signing it with DKIM (DomainKeys Identified Mail). Keep in mind that your email platform must sign the mail with the "d=" and that complaints will not be sent about any messages that lack a DKIM signature.

Additional Note: From talking to folks at multiple email service providers, it sounds as though Yahoo does not always send back all complaints. I don't have information on why that is, but I would consider it a "fact of life" and something senders just have to deal with, from what I am hearing.

Spam Resource on Facebook

Hey, I hope you'll come over and "like" the Spam Resource page on Facebook. I'm hoping that eventually we can use it as a place for folks to ask questions and share info, maybe to inspire future blog posts. Thanks in advance!

DMARC Support in Mailman

Mailman is a very popular open source mailing list management software package. It's been around for a long time -- since the late 1990s, according to Wikipedia. Sites using Mailman to manage discussion lists were negatively impacted by the roll-out of DMARC, specifically when big ISPs (starting with Yahoo and AOL) began to implement "p=reject" DMARC policies, meaning legitimate mailing list mail, most commonly posts from Yahoo or AOL users, would start to be rejected by ISPs who filter based on DMARC policy.

Google Groups and Yahoo Groups both implemented header changes to workaround the then-new DMARC issue, by (and I'm simplifying here, forgive me) making the mailing list the sender of the message, as opposed to the prior method, which was that the person who submitted the post to the mailing list was considered the sender.

Mailman has done the same. All the way back in 2014, Mailman 2.1.16 included a feature called "from_is_list," that, when enabled, rewrote the email headers to help admins deal with restrictive DMARC policies.

Mailman version 2.1.18 takes it a step further, giving you a set of options under the label of "dmarc_moderation_action." This feature provides five different "actions": Accept, Munge From, Wrap Message, Reject, and Discard. My suggestion is to select the "Munge From" action.

Some mailing list managers are pissed about DMARC and want to keep users at DMARC-publishing domains away from their mailing lists, so they've chosen the "reject" or "discard" actions. That's not very friendly to end users.

The authors and team behind mailman put it thusly: "Mitigating the effects of the DMARC reject policy are difficult. All known mitigation techniques break some user expectations and/or degrade the user experience. Still, it's incumbent on the Mailman developers to try to reduce the pain our users feel, and to provide some options for site and list administrators who find themselves caught in the middle."

If you don't take any action here, you're leaving a subset of your potential subscribers out in the cold. Making them second class citizens, unable to participate in the mailing lists you're hosting. Be kind, and don't beat up Yahoo users because of a domain policy that Yahoo choose to implement (and that Yahoo user is stuck dealing with). I strongly recommend that you enable the "Munge From" action under "dmarc_moderation_action."

Gmail to Support Responsive Design + More

Litmus recently shared news that is sure to make email designers light up with glee: "On August 31, 2016, Gmail began supporting the CSS property display: none;. And today, Gmail announced they will begin supporting <style> and media queries later this month." Read all about it here.

Ken Magill: Time to switch to COI/DOI

Industry reporter Ken Magill has changed his mind. Long advocating against required double opt-in, he has now come around and suggests that it is time to implement it. Read more over at Magill Report.

Subscription Mailbombing: Must Read

SendGrid's Paul Kincaid-Smith's has a post up this morning about the "tsunami of unwanted email" generated by the bad guys out there using botnets to subscription bomb (aka harass) people and why you should secure subscription signup forms.

The bad news is, this abuse causes problems for otherwise good email senders. You didn't cause it, but you'll get caught up in it, if you don't take precautions. If you have an email signup form out there in the wild, it's time to add a bit of security to it to prevent the pain you'll run into if and when you get Spamhaus blacklisted because your signup page got abused.

TL;DR? If you have an email signup form, you need to enable COI/DOI (double opt-in) and also add a CAPTCHA-like process (reCAPTCHA is recommended), or else when the botnet bad guys get to you, they're going to sign lots of people up to your lists who don't want to be there, and pain is sure to follow.

Gmail providing easy-to-read Auth Results

This is pretty slick. When is the last time you selected "View Source" in Gmail to look at the raw headers and body content of an email message? As of a couple of days ago, Google has added some nice new info to this feature, showing an easy-to-understand summary of authentication results. In this example, it's highlighting that SPF, DKIM and DMARC are all working correctly.

This is all info you could find by looking through the email headers. But it's nice to see it called out in this way; it saves some digging and gives you a very clear understanding of how the Gmail platform sees the message.

List Unsubscribe in Apple's iOS 10

As I mentioned before, Apple has provided support for the "list-unsubscribe" header in the built-in mail client on the latest version of their mobile platform, iOS 10. Now that iOS 10 has been released to the world, I've reviewed how this process works and put together what I think you need to know.

Doing the Math on Purchased Lists

Back in 2014, MailChimp published data showing what happens when you mail to purchased lists. Though it is now a couple of years old, it's still solid research and quite relevant today.

Bye bye, SmartScreen

Microsoft recently announced that on November 1, 2016, they will stop generating updates for Microsoft Exchange's "SmartScreen" spam filters used in Microsoft Exchange Server and the Outlook (Windows) desktop client. Read more about it here.

What does this mean? This is probably a good thing. These were primarily content-related filters and content filtering isn't really "where it's at" when it comes to best practices with regard to spam filtering nowadays. I believe that this ultimately will drive users to newer solutions that are probably going to be more focused on sending reputation, meaning that us deliverability and email technology-related folks will eventually no longer have to deal with Outlook desktop client spam folder issues, which were often a confusing outlier when reviewing email deliverability results.

Click here to read more on this topic, from Laura Atkins of Word to the Wise.

Deliverability Problems: What You Can't Fix

If you're having deliverability issues, I can tell you from my experience that you aren't really going to be able to get back to the inbox if any of the following types of subscriber list sources are in play: