Most federal departments aren’t using DMARC: Wyden

Found on the Sophos Naked Security blog: Senator Ron Wyden (D-Oregon) contacted the US Department of Homeland Security in a July 18 letter where he 'asked the agency to “take immediate steps” to mandate that all federal agencies implement DMARC (Domain-based Message Authentication, Reporting and Conformance), an email authentication, policy, and reporting protocol launched in 2012 that helps prevent email domain spoofing.' He noted that DMARC has been implemented by very few government agencies to date.

This is good to see, and one hopes it helps drive DMARC adoption. It's not a phishing cure-all, but I still think it's an important step in the fight to reduce the risks around email forgery.

AOL: Reputation corrected and request denied

Check out the reply I received in response to a recent AOL Whitelist Request submission:
Subject: Reputation corrected and request denied
Your Whitelist request, with the confirmation code X, has been denied. 
The requested IP address(es) is receiving temporary failures due to poor reputation. We have corrected the reputation and this should help in better delivery of mails. Please monitor the spam complaints via the feedback loop and re-apply for Whitelist after you have built a good 20-day history on your IPs. Also, check the reputation of the IP before opening the ticket at: https://postmaster.aol.com/ip-reputation.
Feedback Loop Request form can be found at: https://postmaster.aol.com/fbl-request

Have you seen this one before? I haven't. I think it's really cool, though. It explains what they've done and what you need to do, if you want to get whitelisted at AOL.

Here's what they're saying:
  1. Your sending IP address doesn't have a great sending reputation today.
  2. But, AOL has reset the sending reputation of your IP address, giving you another chance to build a good reputation.
  3. They're telling you to keep your nose clean (build a good reputation) for at least 20 days before applying for whitelisting.
  4. They're reminding you to sign up for AOL's ISP Feedback Loop.

Seems pretty straightforward to me. I wish all ISP responses were this clear and easy to understand. Good job, AOL!

Text to Image ratios in email

Laura Atkins of Word to the Wise explains: "The text to image ratio is not going to make or break delivery." I've certainly had people try to tell me that they think the secret to inbox placement is based on a certain specific text-to-image ratio. Like Laura, I know that this is not true, and I am happy to link to her excellent explanation of how this all works.

Verizon Email Transition Update

From Network World, here is an update on the winding down of Verizon's email service, which I previously reported on here. When is the transition happening?
"Once customers are notified, they are presented with a personal take-action date that is 30 days from the original notification. If you happen to miss the deadline and still want to retain your address, you can choose Option 1 and switch over to AOL.  
"Based on the current rate of migration it looks like Verizon will probably get through all of the customer notification waves by mid-summer. At that point, the company will assess when the platform might be entirely wound down."

Note: As I mentioned before, keep in mind that subscribers can indeed keep their verizon.net email if they like. It'll just be handled by AOL's systems and user interface going forward.

Network World says that "Verizon controls 4.5 [million] Verizon.net email accounts, and [Verizon] figures about 2.3 million of them are active." "Active" here means that they have been accessed in the last 30 days.

June 26, 2017 Update: As related to me and others by AOL, the Verizon mailboxes that remain have now been transitioned to AOL's mail servers.

New Anti-Phishing Protection in Gmail on Android

Gmail app users on Android, rejoice -- Google just added phishing protection. If you try to click on a link deemed to be problematic, you'll get warned: “The site you are trying to visit has been identified as a forgery intended to trick you into disclosing financial, personal, or other sensitive information,” the notice states. “You can continue to [the link] at your own risk.”

Read more about it over at the Consumerist.

Why list-unsub doesn't let you "opt-down"?

If you're familiar with the "list unsubscribe" functionality, support for which is implemented in Apple's iOS Mail Client, as well as Gmail and Outlook.com, you might wonder why these implementations might not allow you to land at a preferences page when clicking on the link. Clients have certainly asked me why they aren't allowed to add a step in the middle of this process -- instead of just logging the unsubscribe request, can't they ask the subscriber if they might want to receive fewer emails (opt-down instead of opt-out) or otherwise adjust their preferences, instead of losing them?

The problem here is differing expectations between marketers and internet service providers (ISPs).

Microsoft's Terry Zink explains specifically why Outlook.com does not support the HTTP method of list-unsubscribe (which would potentially allow driving to a preferences page instead of just capturing an opt-out): it's their user interface, it's up to them (Microsoft) to ensure that their users have the best experience possible, and they really intend this to be a simple "unsubscribe" and nothing more. He gives two reasons. First, the experience is really supposed to be "you are unsubscribed," not "click this checkbox" or "hit this button." Second, they are concerned that a third-party interface might not spin up properly, resulting in a poor subscriber experience and an unlogged unsubscribe request.

Jump on over to Terry Zink's blog post where you can read it in his own words. That, in a nutshell, is why it works the way it does, at least as far as Microsoft's Outlook.com platform is concerned.
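
For senders who want to check their own mail against this behavior, here is an added example (not from the original post or from Microsoft) that parses a message's List-Unsubscribe header and reports whether a mailto method is present for a client that, like Outlook.com as described above, does not act on the HTTP method. The sample messages are constructed, the example.com addresses are placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample messages (not real mail); example.com names are placeholders.
SAMPLE_BOTH = (
    "From: news@example.com\n"
    "Subject: Weekly update\n"
    "List-Unsubscribe: <mailto:unsub@example.com?subject=unsubscribe>,\n"
    " <https://example.com/prefs?u=123>\n"
    "\n"
    "body\n"
)
SAMPLE_HTTP_ONLY = (
    "From: news@example.com\n"
    "Subject: Weekly update\n"
    "List-Unsubscribe: <https://example.com/prefs?u=123>\n"
    "\n"
    "body\n"
)

def unsubscribe_methods(raw_message):
    """Return {'mailto': [...], 'http': [...]} from the List-Unsubscribe header."""
    msg = message_from_string(raw_message)
    methods = {"mailto": [], "http": []}
    # A message should carry one such header, but tolerate repeats.
    for value in msg.get_all("List-Unsubscribe", []):
        # URIs are angle-bracketed and comma-separated (RFC 2369); folded
        # header lines add whitespace that is not part of any URI.
        for uri in re.findall(r"<([^<>]*)>", value):
            uri = re.sub(r"\s+", "", uri)
            scheme = urlsplit(uri).scheme.lower()
            if scheme == "mailto":
                methods["mailto"].append(uri)
            elif scheme in ("http", "https"):
                methods["http"].append(uri)
    return methods

def audit(raw_message):
    """Describe what a client that ignores the HTTP method can do with this message."""
    found = unsubscribe_methods(raw_message)
    if found["mailto"]:
        return "ok: mailto unsubscribe available"
    if found["http"]:
        return "gap: HTTP-only, no mailto unsubscribe"
    return "gap: no List-Unsubscribe header"
```

A message that audits as HTTP-only offers nothing to a client that honors only the mailto method, so unsubscribe requests from those users have no path back to the sender.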

Orange UK Email Closure

United Kingdom-based ISP Orange (now part of Everything Everywhere aka EE) has announced that they are shutting down their email service as of May 31, 2017. This affects users at these domains: orange.net, orangehome.co.uk, wanadoo.co.uk, freeserve.co.uk, fsbusiness.co.uk, fslife.co.uk, fsmail.net, fsworld.co.uk, fsnet.co.uk. This does not affect non-UK Orange email users.

Follow this link for more details.

New DMARC Record Lookup Tool

If you use the DNS tools over on XNND, you might notice that the DMARC record lookup feature now links to a new DMARC record lookup tool, kindly provided by Steve Atkins of Word to the Wise. Thanks, Steve!