Great work, MAAWG!

On March 10th, the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) published a new version of the Senders BCP (Best Common Practices) document -- a solid overview and set of recommendations on how to not be a spammer.

They're not particularly rough or tough recommendations to follow. If you're not a spammer, you're probably following most or all of them already. They lay out good/better/best recommendations for opt-in permission. They explain that email append is unacceptable. They say that subscribers should never unknowingly end up on a mailing list. It should always be easy and simple to unsubscribe. Be transparent in what you do as a sender. Again, this is not earth-shattering stuff, but it is good to see it published in a good industry forum, in an easy-to-digest format.

Do these recommendations matter? Yeah, because just about every mailbox a sender is going to want to send mail to is hosted by an ISP or company represented in M3AAWG. It's a pretty clear guide to what the rules are.

(H/T: Josh over at Word to the Wise)

DMARC & Mailing Lists: A Roundup

In 2014, Yahoo and AOL both implemented strict "p=reject" DMARC policies on their primary domains. This presented challenges to both AOL/Yahoo users and various service providers. Yahoo implemented this new DMARC policy in February. AOL implemented the same policy in April.

In particular, this makes delivering mail more challenging for discussion mailing list providers. A number of them have had to implement header changes to "play nice" with DMARC restrictions.

Running your own mailing list manager? Here are my suggestions on message checks and header changes that you should consider implementing into your discussion list software. They approximately mirror what Google and Yahoo have implemented. (And some savvy commercial groupware/list management software publishers were quick to implement similar changes.)

Some mailing list managers have decided to reject signups from users at AOL and Yahoo. I recommend against taking this stance; your list of rejection domains is only going to grow as additional ISPs and domain owners implement DMARC policies similar to what AOL and Yahoo have done.

Yahoo is not likely to roll this back any time soon. They find their new DMARC policy choice to have been a success. AOL likely feels the same way.

Additional Frequently Asked Questions:
Ask Al: Is my personal domain affected by DMARC?
Ask Al: Should I add a DMARC record to fix the Yahoo issue?

If you run the mailing list manager software Mailman, here you'll find information on how to configure Mailman to work within the confines of DMARC restrictions.

Keep in mind, if you implement any DMARC-related DNS changes for your domain, be sure to test! If you do DMARC wrong, you're setting yourself up to have your mail rejected.

Spamhaus Sued for Libel in UK

Ken Magill has the story on initial filings regarding the lawsuit brought by Craig Ames and Robert McGee against Spamhaus in the United Kingdom.

Engagement Affects Deliverability

Ever dealt with a scenario where you were struggling to get a client's mail out of the spam folder at Gmail and back into the inbox? Maybe not for you, maybe not always, but in my experience, improving engagement, restricting sends to only engaged subscribers, has been a big part of what fixes that type of issue.

Others might have a different opinion. Good for them!

But that's what has worked for me, numerous times, helping numerous senders. So I, and others, will continue to trumpet it. Intelligently, of course.

House Introduces Email Privacy Bill

Read all about it over at The Hill. My question is, does this thing have a chance of going anywhere, based on the current gridlock in Congress? I'm doubtful, but we will see.

Amazon Starting Email Service

According to multiple sources, Amazon is starting up a cloud-hosted email service. Called WorkMail, it looks as though it'll be price-competitive with similar offerings from Microsoft and Google. Looking into my crystal ball, I assume they'll get some adoption in 2015. What does this mean to you, dear sender? Get ready, because eventually you'll have a new platform to send to, with a potentially new set of spam and reputation filters to contend with. Let's stay tuned and see if this takes off, shall we?

Microsoft Updates Use of List Unsubscribe Header

What is a list-unsubscribe header, you might ask? It's an email header, typically hidden from the end user, that includes information that allows the MUA (mail user agent; meaning your email client, email reader, or webmail platform) to submit an unsubscribe request on your behalf. This is typically linked up to an "unsubscribe" button in a webmail provider's user interface. If you see an "unsubscribe" button or link in the Gmail or user interface for a given email message, that message likely contains a list-unsubscribe header.

The header itself is defined in RFC 2369 from 1998. It's very common for email service providers and list management tools to provide support for this header, and if you're building any sort of new tool or list mail sending service, I would recommend including it. Doing so makes it just as easy for a subscriber to click "unsubscribe" as it is for them to click "report spam." Making it easier to unsubscribe means you're likely to garner fewer spam complaints, and thus your deliverability and sending reputation will be at least slightly higher than they would have been without this functionality.

There are two methods of specifying how to unsubscribe a subscriber using the list-unsubscribe header. There's the HTTP method, and the MAILTO method. The HTTP method implies that when it is time to request unsubscribing of that particular user, a particular web page will be visited. The URL would typically include all of the parameters necessary to denote which subscriber, for which sender, is requesting to be unsubscribed. The MAILTO method implies that when it is time to request unsubscribing of that particular user, an email message will be generated to the email address specified in the list-unsubscribe header. (The destination email address typically would include all of the parameters necessary to denote which subscriber, for which sender, is requesting to be unsubscribed.)

A few days ago, Melinda Plemel of Return Path clarified that Microsoft is now only utilizing the MAILTO method and that they are not supporting the HTTP method at this time. (It is implied that Microsoft properties previously supported both the MAILTO method and the HTTP method, but I don't have a lot of experience with the HTTP method myself and I was not able to confirm this.)

TL;DR? Implement a list-unsubscribe header, or make sure your email platform provides one. If you're building it yourself, only implement the MAILTO-based functionality, as it is the most broadly supported. (I'm aware of multiple ISPs supporting the MAILTO method, but I am not aware of any others that are or were supporting the HTTP method, other than Microsoft.)
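A MAILTO-only header built and consumed end to end, as an added example (not code from the original post or from any provider named in it). The signing key, the `unsub.example.com` domain, the `unsub+list.subscriber.tag` address layout and the HMAC tag are assumptions chosen for illustration; the tag lets the receiving side ignore unsubscribe mail whose address was altered or made up.

```python
import hashlib
import hmac
import re
from email.message import EmailMessage

SECRET = b"constructed-demo-key"      # assumption: signing key held by the sender
UNSUB_DOMAIN = "unsub.example.com"    # assumption: domain that receives unsubscribe mail
ADDR_RE = re.compile(r"unsub\+([a-z0-9]+)\.([a-z0-9]+)\.([0-9a-f]{16})@" + re.escape(UNSUB_DOMAIN))


def tag_for(list_id: str, subscriber_id: str) -> str:
    """Truncated HMAC-SHA256 over the list and subscriber identifiers."""
    mac = hmac.new(SECRET, f"{list_id}.{subscriber_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def unsubscribe_address(list_id: str, subscriber_id: str) -> str:
    """Carry every parameter in the address (ids must be lowercase alphanumeric)."""
    return f"unsub+{list_id}.{subscriber_id}.{tag_for(list_id, subscriber_id)}@{UNSUB_DOMAIN}"


def add_list_unsubscribe(msg: EmailMessage, list_id: str, subscriber_id: str) -> None:
    """RFC 2369 syntax: each URI sits in angle brackets. MAILTO only."""
    msg["List-Unsubscribe"] = f"<mailto:{unsubscribe_address(list_id, subscriber_id)}>"


def parse_list_unsubscribe(value: str) -> dict:
    """Split a header value into its mailto and http(s) URIs, as an MUA would."""
    out = {"mailto": [], "http": []}
    for uri in re.findall(r"<\s*([^<>\s]+)\s*>", value):
        scheme = uri.split(":", 1)[0].lower()
        if scheme == "mailto":
            out["mailto"].append(uri[len("mailto:"):])
        elif scheme in ("http", "https"):
            out["http"].append(uri)
    return out


def verify_unsubscribe(rcpt: str):
    """Return (list_id, subscriber_id) for a genuine request address, else None."""
    m = ADDR_RE.fullmatch(rcpt.lower())
    if not m:
        return None
    list_id, subscriber_id, tag = m.groups()
    genuine = hmac.compare_digest(tag, tag_for(list_id, subscriber_id))
    return (list_id, subscriber_id) if genuine else None
```
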

Ask Al: Help! AHBL is blocking inbound mail!

Mickey writes, "I'm being blocked by AHBL. I own a tax and accounting firm. We send out two newsletters per year to our existing clients using an ESP. We give our clients every opportunity to be removed from the list if they so choose. We do not and have not spammed ever. How did I get blocked by AHBL? No one is able to send me email. Please help. If I did something wrong let me know what. I have no clue and I need my emails working again."

Mickey, if nobody can send email TO you, that strongly suggests that something is up with YOUR mail server. When I tried to send you email at your domain, the message bounced back to me with this error message: "550 5.7.1 has been blocked by AHBL."

What this means: Your mail server, or your ISP's spam filtering system, is configured to use the spam filtering blacklist called AHBL. Unfortunately, that blacklist announced that they were shutting down, way back in April 2014. At the end of 2014, the publisher of AHBL moved the blacklist to a sort of "wildcard mode," meaning that anybody who was previously using the AHBL blacklist as a spam filter is now blocking all mail.

That means you (or your IT consultant, or your ISP, whoever set up your mail server) have to go into your mail server's configuration settings and remove any references to AHBL. Once that is done, you will be able to receive mail again.

All mail server administrators should remember to check their mail server spam filter settings periodically. When's the last time you checked to see which blacklists you are using? Are you sure all of those blacklists are still active and publishing? There's a section over on my blacklist information website all about dead DNSBLs -- make sure you're not using any blacklist shown there, or you could run into troubles like this.
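One way to run that periodic check, as an added example rather than code from the original post: RFC 5782 requires an IPv4 DNSBL to list the test address 127.0.0.2 and never to list 127.0.0.1, so a zone that answers for 127.0.0.1 is in the "wildcard mode" described above. The zone names and `fake_lookup` resolver are constructed so the example runs offline; against real zones, call `audit()` with its default resolver.

```python
import socket

DEAD_ZONE = "dead-dnsbl.example"   # constructed zone names for the offline demo
LIVE_ZONE = "live-dnsbl.example"


def dns_lookup(name: str):
    """Return the A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def query_name(ip: str, zone: str) -> str:
    """DNSBL query name: IPv4 octets reversed, followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_status(zone: str, lookup=dns_lookup) -> str:
    """Classify a zone using the two RFC 5782 test entries."""
    never = lookup(query_name("127.0.0.1", zone))    # must NOT be listed
    always = lookup(query_name("127.0.0.2", zone))   # must be listed
    if never is not None:
        return "lists-everything"   # wildcard mode: every sender looks listed
    if always is None:
        return "not-answering"      # zone gone or unreachable: it filters nothing
    return "healthy"


def audit(zones, lookup=dns_lookup) -> dict:
    """Map each configured zone to its status so dead ones can be removed."""
    return {zone: dnsbl_status(zone, lookup) for zone in zones}


def fake_lookup(name: str):
    """Constructed resolver: DEAD_ZONE answers anything, LIVE_ZONE only its test entry."""
    if name.endswith("." + DEAD_ZONE):
        return "127.0.0.2"
    if name == "2.0.0.127." + LIVE_ZONE:
        return "127.0.0.2"
    return None
```
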

Yahoo Shuts Down Its Email Service In China

As reported on TechCrunch and elsewhere, Yahoo's Chinese email service is no more. Warned all the way back in April, current users of the Chinese version of Yahoo! Mail were given the opportunity to transition their accounts to Alibaba's email service, Alimail.

As of January 1st, any attempt to mail a user at the or domains is rejected with a "550 relaying denied" error message.

If you run an email service that maintains a filter of dead ISPs or dead domains, I recommend adding and to your "dead domains" list or similar. There's no point allowing mail to be sent to those domains, as no mail will be successfully delivered.

There is nothing to indicate that users will automatically have the same username at Alimail that they had in Yahoo! Mail, so it likely is not safe for senders to just try to automatically update addresses in their email lists.

Third party post-purchase research emails: spam?

My wife and I were lucky enough to be able to purchase a new car earlier this year. It's a nice car and we love it. But ever since then, seemingly once a month or so, I get a survey request related to automobiles and the automotive industry. Some from known entities, some from unknown entities. A number of them are coming from third parties that I didn't specifically hand my email address to.

The anti-spammer in me tells me that these emails are spam. Somebody I don't recognize is sending me list mail or bulk mail, to an address that I did not give to them.

But when talking with clients or potential clients I have had a lot of them try to tell me that this kind of mail is expected and that it's not spam.

For the moment, forget about who's right or wrong here.

Consider this: Just about all of those surveys have gone to my Gmail spam folder, including the most recent one. Why? Poor sender reputation, I think. Why? I would guess that perhaps I am not the only one questioning why I'm receiving mail from somebody I didn't give my email address to. I didn't report this mail as spam, but it sure looks like enough other people are reporting this sender's mail as spam and thus, making it near impossible for them to reliably get to the inbox.

That's the practical consideration. Not whether or not you think what you're doing is legal or expected or common or necessary; what recipients think is given greater weight. Enough weight that it can bog down your sender reputation.

That's why a mail stream or marketing program or survey program probably just doesn't work without clear-cut permission. Regardless of what you think is right or wrong, your opinion (and my opinion) is only a tiny part of the equation.

Now Hiring: Word to the Wise

It sounds like consultancy Word to the Wise is growing! Laura Atkins is looking to hire a Deliverability Specialist to "perform technical investigation into client email systems, reviews messages sent by clients, and make recommendations based on analysis of the client’s email programs." Interested? Click here to learn more.

Is a wireless domain?

First published in 2005, the FCC's Wireless Domains list was intended to be a list of domains associated with mobile devices (cell phones, pagers, etc.), and senders of commercial messages were to avoid sending to those domains unless appropriate consent was obtained for each recipient. It sounds like a simple "don't spam me" list, but the form of consent referenced "must include the subscriber’s signature, which may be in digital or electronic form as allowed under the federal E-Sign Act and state counterparts" and the FCC has said that the burden of proof to resolve any complaint rests squarely on the sender. The net result was that most email service providers prohibited their clients from sending to those domains unless the client implemented verifiable consent compatible with the E-Sign Act or similar. (A longer discussion on what constitutes appropriate consent might make sense here, but I don't have the time to dive deep and my focus today is more on the domain landing on the list; see below.)

Email industry insiders noted that the domain had landed on the FCC wireless domains list sometime in the past few days, meaning that if this procedure were to be followed, email service providers would have thirty days at most before they would be forced to restrict their clients from sending mail to subscribers at Yahoo Mail's primary domain name.

That's potentially a big deal! Thankfully, it seems to be recognized as an error and is being addressed. I know that both the FCC and Yahoo have been notified of this and my understanding is that it is likely to be resolved very soon, meaning that it probably won't be necessary for a bunch of senders to suddenly stop sending mail to their subscribers. Whew!

(Update: has been removed from the FCC Wireless Domains list.)

Interesting SBLs is back

Ever seen the @InterestingSBLs Twitter account? It's kind of interesting and occasionally entertaining. It highlights various SBL entries that its anonymous author finds "interesting" by whatever criteria that may be. Because it's an ESP? An ESP's client? A Fortune 500 company? Not sure, but all have appeared there. My own employer has occasionally been called out on it, as have others. Some representatives of some companies have gotten really upset over being mentioned by that Twitter account, but not me. To me, it's really just a synopsis of a public record. And good companies occasionally have Spamhaus issues, too, not just bad companies. It tells me it's something "interesting" to go look at, not that so-and-so is a scumbag spammer. If you or your company gets mentioned there, take a deep breath and look into it.

There are often big gaps between when @InterestingSBLs posts, but he or she seems to have been active as recently as just over a week ago.

If that doesn't interest you, there's always the Spamhaus SBL "Latest Entries" page, showing you what has been recently entered into or recently removed from Spamhaus's main blacklist. This can be pretty interesting. I once knew an alleged spammer who spent most of his day hitting "refresh" on this page every few minutes, looking to find that partners in (alleged) crime may have been caught in the Spamhaus crosshairs.

Keep in mind that all Spamhaus SBL entries are effectively public information. Spamhaus does not password protect or otherwise obviously restrict access to the listing information available on their website. (I'm not necessarily making a case for whether they should be public, just noting how it is today.)