Friends in high places?

If you're looking for something ranty to read today, head over to Slashdot, where Bennett Haselton goes off at length about how his messages got spamblocked by Yahoo and Hotmail due to something related to bad/blacklisted domains in the body of his email messages.

Email is Not Anonymous

Just ask former CIA Director Gen. David Petraeus. And truth be told, 99.9% of the time it doesn't even require the FBI's help to figure out where that email message actually came from.

Ask Al: What of the MAPS RBL?

Jerry writes, "I have a question about spam of all things. I'm on the client side now at company X and I am talking with their email group about opt-in permission. I'm learning they're not exactly worried about the opt in status of the customers getting their promotional emails.

I remember from back in the day that the MAPS RBL was the main group going after people who didn't respect opt-in permission. Has the RBL relaxed its stance since the last time I did promo emails so many years ago? Do spam complaints no longer carry the threats they once did?

I know our company is purchasing lists for prospecting. How do we avoid getting blacklisted? We just need to more closely verify that these people have opted-in, right?"

Jerry, thanks very much for your question.

Confirmed Opt-in in the Wild

Every once in a while I have to inform somebody that it is necessary to move their signup process to confirmed opt-in (aka double opt-in) to fix a delivery or blacklisting issue. Not everybody wants to do it. Some folks will tell me that they shouldn't have to do it because nobody else in the whole world does it.

Turns out, that's just not true.

I run across lots of sites utilizing COI/DOI as part of their email list signup process. Here's one I ran across today: Cook Brothers, a large discount retail store located here in Chicago. They claim to "Stack em Deep and Sell em Cheap." Not sure if that's true, as I haven't checked the store just yet. But having just signed up for their email list, I can tell you that it does indeed utilize confirmed opt-in. Check it out for yourself.

Email Append Gone Wrong

Way back in June 2012 on the Strongmail blog, Deliverability Strategist Sean Wirt shared a tale wherein he was email appended in to mailings from a credit union somewhere in the US.

What we seem to have here is a financial institution guessing at somebody's email address and adding them to a mailing list or notification process without his explicit consent. What if they started sending him overdraft notifications? They'd be providing the consumer's personal information and data to the wrong person, an unrelated third party.

That's pretty scary.

Sean says the moral of the story is, "Don't append!" I couldn't agree more.

More Misdirected Messages

In what may become a recurring theme, Consumerist reports today about a financial institution sending daily emails to somebody who is not actually a customer of that institution.

If you're sending valuable transactional notifications via email, here are a few questions that I think you should be asking yourself:
  • How do you verify that the owner of an email address is truly the person who submitted that email address?
  • What are your company's policies and procedures for addressing these kinds of issues when they occur?
  • Do your customer service representatives know of these policies and are they able to assist when the aggrieved subscriber contacts your company?
When you ask yourself these questions about your own company, what answers do you come up with?

Thinking about this kind of issue gives me the screaming heebie-jeebies. I hope there isn't anything in any of those email messages that could be considered personally identifiable information.

COPPA in the news

In the US, the Children's Online Privacy Protection Act (COPPA) is the guiding legislation with regard to how to market to children. This includes email marketing, so it's important that email senders ensure compliance and aren't found to be doing anything that might result in marketing to children without a parent's consent.

COPPA is in the news today. The Minneapolis Star-Tribune reports that "a coalition of nearly 20 children's advocacy, health and public interest groups plans to file complaints with the Federal Trade Commission [today] asserting that some online marketing to children by [five] well-known companies violates [COPPA]."

I can't speak to the merits of the complaint, as I don't have all the facts. But it does highlight to me that if you're guiding marketing for a big brand or other well-known company, it's very important to make sure one stays away from anything that can be perceived to violate this law. By my reckoning, the FTC has levied fines against and/or come to costly settlements with at least eight different companies due to alleged COPPA violations.

No Permission = Bad Experience

Yesterday I got an email purporting to be from an ex-coworker of mine, from a couple of companies ago. "Dear Al," it said. "[Person] has asked for your help. [...] [Person] has personally asked you to take 30 seconds out of your busy day today and help him/her by submitting a quick professional rating. [Person] is counting on your help."

The Transactional Unsub

Is there ever a good reason as to why you, email sender, might want to include an unsubscribe link in your transactional email messages? Why yes, yes there is. This isn't the first time I've seen somebody have to resort to publicly crying "uncle" due to the deluge of misdirected transactional notifications.

July 30, 2012 edit: Here's another example of a misdirected transactional email message causing some recipient grief. It's sad to see the retailer can't do more to make this stop.

Guest Post: Canada's New Anti-Spam Bill - Is Anyone Listening?

Today's guest post comes to us courtesy of Kevin Huxham, Director of Deliverability at CakeMail, creators of an email marketing application for small and medium-sized businesses, based in Montreal, Canada. Kevin has more than twelve years of experience working in various email-related roles on both the sending and receiving sides of the industry. He has been around since the early days at CakeMail and helps clients manage their delivery and fight abuse, and educates them on compliance, reputation and engagement. Prior to this he worked for 6 years at one of the largest ISPs in Canada. Rumour has it he also knows his way around the golf course and has a single digit handicap! Fire away, Kevin!

Transactional Spam: It Happens

Under US law, it is not mandated that transactional email notices must contain an unsubscribe link. But is it a bad idea to include one anyway? If you don't include an unsubscribe link, you run the risk of sending that mail to the wrong person and leaving them with no way to make that unwanted mail stop. And that is quite validly considered spam by the recipient! The person receiving that message didn't opt-in to it, didn't sign up for it, and isn't a registered customer. You shouldn't have sent it to them in the first place, but the very least you can do is give them a way to make it stop.

I've seen transactional notices both go to the wrong people and to spamtrap addresses. And let me tell you, I know from experience that a savvy spam filterer like Cloudmark is not necessarily going to give you a free pass on spamtrap hits just because your messaging is transactional. If you want to remain on the good side of entities like that, you need to make sure you're doing things like validating addresses, respecting bounces and suppressing non-responding addresses. And let's not forget, make sure your support knows how to handle a "this is the wrong person" email issue.

SMS Spam in the News

SMS (text messaging) spam is frustrating, and blatantly illegal. Sadly, it's not always easily prosecuted, as the bad actors engaging in this practice often hide behind redirectors, falsehoods, and pseudonyms. So it is always a gleeful moment when I read of somebody tracking and filing suit against an SMS spammer. If the allegations are true, Gregorio A. Tejera, Lazaro W. Diaz-Fernandez and Jose Leyva are going to be on the hook for some serious monetary damages.

Aside: It's been years since I've heard somebody talk about the Rodney L. Joffe v. Acacia Mortgage Corporation precedent. I wonder if it will be mentioned in this case.

Defining Persimmon

Are you a persimmon-based email marketer? In case you're wondering, a persimmon is the edible fruit of a number of species of trees in the genus Diospyros.

Change your LinkedIn Password

According to Return Path and Next Web, LinkedIn was hacked today and the bad guys were able to steal passwords for about 4% of their userbase, affecting approximately 6.5 million accounts. Are you one of that 4%? Let's not find out; go change your LinkedIn password as soon as possible. Also, if you used that same password elsewhere, be sure to change your password on those other sites as well.

This perhaps isn't specifically a deliverability-related event, but every professional I know in the email space seems to utilize LinkedIn heavily, so I wanted to help get the word out.

Defining Permission

There's this phrase out there called "permission-based email marketing." Not everybody understands what it means. And certainly, some folks purposely misuse the terminology, in an attempt to hide the fact that their practices may be at odds with true informed consent. (Bad actors regularly misuse terminology; there's currently a Spamhaus-listed "data compiler" who incorrectly seems to think that "data cleansing" means "mailing to a big list of invalid addresses and spamtraps to see what bounces.")

To that end, I wanted to share how I define "permission-based." I believe that permission-based means:
  • Recipients are told at the point of sign up who is going to mail them and how often.
  • The statement regarding who will be mailing you is not buried in a privacy policy, legal agreement or set of terms and conditions.
  • Recipients don't end up on a list accidentally; their email address ends up only on any list(s) that they intended to sign up for.
  • The opt-in process is not "forced" on all visitors to your site -- I'm not sure that it's truly permission-based if you require that somebody sign up for a list, just so they can access your site or download your whitepaper.
  • Email addresses are not appended, bought or sold.
  • The "affirmative consent" standard found in the US Federal "CAN-SPAM" law is met.
These are all important, but allow me to call your attention to the last point. From the perspective of the spam-receiving consumer, CAN-SPAM is an imperfect law. After all, it doesn't prohibit spam. It in fact allows a sender to send unsolicited commercial email (aka "spam"), as long as they follow a few simple rules. Regardless of this flaw, there's a very useful bit buried within -- the "affirmative consent" standard. It actually provides a useful definition of what constitutes opt-in. It states:

"The term 'affirmative consent', when used with respect to a commercial electronic mail message, means that- (A) the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative; and (B) if the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient's electronic mail address could be transferred to such other party for the purpose of initiating commercial electronic mail messages."

In plain language, this means that the informed consent standard is met if the signup was initiated by the subscriber, consent was requested and given, and that the subscriber is being told who they are going to receive mail from, if it is not the party to which they provided their email address. (I'm not necessarily excited by the allowance for data transfer, but if it's going to happen, "clear and conspicuous notice" is a pretty good way to do it.) That, to me, is how you define a process as permission-based.

(Want to read more thoughts on permission? Laura Atkins has a round-up here.)

Double Opt-in in the Wild

I signed up for electronic billing statements from Verizon Wireless this morning, and was pleasantly surprised to find that they use a confirmed opt-in (double opt-in) process that requires that you validate your email address before you can receive your billing statements via email. As I am sure it is very important to Verizon Wireless that these messages always get delivered, it's good to see that they're taking the care to validate the addresses to ensure that they're truly valid, not invalid or spamtrap addresses.
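One way to implement the address check that a confirmed opt-in signup performs, shown as an added example (it is not Verizon Wireless's code or anything from the original post). The demo key, the 72-hour window, the token layout and the SignupList class are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 72 * 3600  # assumed confirmation window


def b64u(data):
    """URL-safe base64 without padding, so the token fits in a link."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def sign(body):
    """HMAC-SHA256 over the token body, keyed with the server-side secret."""
    return b64u(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())


def make_token(email, list_id, now=None):
    """Build the token placed in the confirmation link mailed to `email`."""
    if not list_id.isalnum():
        raise ValueError("list_id must be alphanumeric")
    issued = int(time.time() if now is None else now)
    body = f"{b64u(email.strip().lower().encode())}.{list_id}.{issued}"
    return f"{body}.{sign(body)}"


def verify_token(token, now=None):
    """Return (email, list_id) for an authentic, unexpired token, else None."""
    try:
        addr, list_id, issued, sig = token.split(".")
        issued_at = int(issued)
    except ValueError:
        return None
    body = f"{addr}.{list_id}.{issued}"
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return None
    current = time.time() if now is None else now
    if not 0 <= current - issued_at <= TOKEN_TTL_SECONDS:
        return None
    email = base64.urlsafe_b64decode(addr + "=" * (-len(addr) % 4)).decode()
    return email, list_id


class SignupList:
    """Addresses stay pending, and unmailable, until the link is clicked."""

    def __init__(self):
        self.pending = set()
        self.confirmed = set()

    def request(self, email, list_id, now=None):
        key = (email.strip().lower(), list_id)
        if key not in self.confirmed:
            self.pending.add(key)
        # The token is only ever sent to the address itself, so whoever
        # presents it later has shown they can read that mailbox.
        return make_token(email, list_id, now)

    def confirm(self, token, now=None):
        result = verify_token(token, now)
        if result is None or result not in self.pending:
            return False  # forged, expired, or already used
        self.pending.discard(result)
        self.confirmed.add(result)
        return True

    def may_mail(self, email, list_id):
        return (email.strip().lower(), list_id) in self.confirmed


if __name__ == "__main__":
    signups = SignupList()
    link_token = signups.request("Alice@Example.com", "billing")
    print("before click:", signups.may_mail("alice@example.com", "billing"))
    print("click accepted:", signups.confirm(link_token))
    print("after click:", signups.may_mail("alice@example.com", "billing"))
```

A mistyped or guessed address never reaches the confirmed set, because the only copy of the token went to a mailbox the person who typed it cannot read.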

How Subscriber Complaints Affect Inbox Placement

Over on the Return Path blog, Joanna Roberts explains how spam complaints ("report spam" clicks) at the big ISPs and webmail providers can damage your sending reputation, and offers up ideas on what you can do to prevent these kinds of issues.

Engagement – Buzzword, or a rule to live by?

In the third part of this on-going series, Neil Schwartzman explores the current landscape of the email delivery world.

As regular readers may recall, in my early posting “You Get the Deliverability You Deserve” I made mention of a 2010 international consumer survey conducted by industry group MAAWG. It had some distressing results for senders of commercial email. Basically, end-users don’t place a whole lot of importance on marketing email; at best, they are lukewarm to the efforts.



In July 2010, Google announced a new facility to Gmail, the ‘Priority Inbox’. The service began allowing users to separate mail into ‘important’ and ‘everything else’, based upon what their users actually read, and reply to. It allows users to assign graduated levels of importance to emails, and the analytics are cumulative, becoming more accurate over time.

On October 03, 2011 Hotmail launched their own volley in the War (their phrase) on Graymail, noting that half the email in the average inbox is marketing email, and only 14% is email people actually want, at least according to MAAWG’s survey, namely, messages from friends and family.

Hotmail deployed a new auto-categorization (‘newsletter’), and a single-click unsubscribe to help users dig themselves out of their email hole.

So what’s a poor marketer to do in this day and age? Send more mail? That’s the tactic Neiman Marcus takes, according to the recent article “Stores Smarten Up Amid Spam Flood” in the Wall Street Journal – they, incredibly, sent 534 emails to each of their subscribers last year, a 30% increase over 2007. They have begun to keep track of unsubscribe rates. Gee, really?

In light of the Hotmail and Gmail initiatives, it would seem that people are so inundated with email that they don’t bother to unsubscribe; certainly a portion of subscribers use the ‘This is Spam’ button as a way to make email go away. One wonders if Neiman Marcus are also looking at FBL reports, and unsubscribing complainants. They might want to put two and two together; provided one uses proper disclosure of content and frequency at sign-up, and garners proper Opt-in consent, Unsubs + FBL complaints = (a subset of) un-engaged recipients.

So what is this new engagement thing everyone is talking about? George Bilbrey of Return Path called it “The New Frontier In Deliverability”, but that was back in 2009, and even then George made note that engagement wasn’t a new concept; receivers had long been tracking clicks and opens and making them part of the filtering matrix. They have just been given a bump up in importance, of late.

Smart marketers track how many users open and click through a given piece of email, but why stop there?

A truly savvy sender will record the electronic record of the entire lifecycle of a given subscriber, from start to end. This will help with analysis on how engaged a recipient is, and provide solid evidence to refute accusations of spamming by a blacklist or a law enforcement agency.

Some data-points to consider as fundamental would be:
  • Retaining a screenshot of the signup page including disclosure language (if you are using co-registration ensure that the sign-up page makes explicit mention of your brand, and confirm those addresses with recipients!). This makes for handy reference should anyone ever question the validity of a sign-up!
  • Demographic info (age, wealth, location)
Also, date & time-stamps (with GMT offset), and the IP from which traffic is seen should be recorded for these activities:
  • Subscription
  • Click-through
  • Purchases
  • Complaints
  • Unsubscribe
  • Message opens (opens are notoriously misleading in that there are still a significant number of email clients that have a preview pane that downloads images when a user selects the message; they may look at it and immediately discard the mail; that isn’t an engaged user).

The freemail providers have stated outright that engagement, the amount a recipient interacts with the messaging you send, is a determining factor if email is inboxed, deprioritized, or even bulked.

Downgrading of a group of recipients can eventually splay out to impacting the deliverability of others in your mail stream. If only a few of your recipients click through on your email for long periods of time, you can expect to see fewer and fewer ending up in the inbox, as receiver algorithms do their thing. Give them a reason to click – super discounts, contests, more enticing subject lines and content should all be considered a regular part of your mailings. Ask friends and family to review your work (and measure their engagement over time) – is it really that interesting or are you just too involved to realize that your mail stream is BORING?

By the way: Seed lists testing inbox placement might, or might not effectively measure lack of engagement; while they are still useful for more egregious issues with a campaign (badly designed content, a blacklisted domain) a sparse smattering of a dozen or two addresses in a list of tens of thousands may have deprecated accuracy as to the actual delivery of your mail, which may be better for those that do click on the mail, and worse for those that don’t for a long time.

Recipients have said they don’t place a high priority on marketing at the best of times. It is incumbent on senders to ensure that they get at least one open per quarter per recipient, and begin to cull those that aren’t engaged out of the main mailing list, to an ‘infrequent’ segment to which you mail only occasionally, if at all.

What does your email address say about you?

My wife and I enjoy eating out for dinner fairly often, and it can get kind of spendy. On a whim, I started searching for ways to save money while dining out, and stumbled across this service called Savored. Looks like a neat way to save some money-- I've just registered, but I have yet to try it.

I was reading through their blog and found this wonderful post, "What does your email address say about you?" In it, they share demographic and engagement metrics of their email list, broken down by domain. Key takeaway: AOL users are old, but loyal. Young people, they love them some Gmail. AT&T, Comcast, and Roadrunner subscribers most heavily interact with Savored's email messages, but they indicate that this doesn't directly correlate to an increase in bookings.

Read the Comments

Read this one comment in particular, from somebody who is currently blacklisted by Spamhaus.
Some choice excerpts:
  • By the way, over time, Spamhaus has blacklisted many of the Fortune 500 for simply using email as a marketing channel
  • But why do so many in this industry feel that the email channel should be somehow held to a higher standard than other direct marketing channels?
  • The reason for our Spamhaus listing is due to the fact that we clean, update and refresh our database every 45-60 days.
I think these statements stand so well on their own that I'll just leave it at that.


Neutraceutical Spammer Sentenced to 2 Years

John Levine shares his tale of the sentencing of Brian McDaid, "Neutraceutical" spammer. Looks like it is indeed possible to get jail time for violating CAN-SPAM.

MAAWG: Internet Police?

I just read in Mediapost's Online Media Daily that the debate over email append got heated at the recent MediaPost Email Insider Summit. Jordan Cohen, vice president of business development at Pontiflex, was direct: "[Email append] is not really okay to do."

He cited industry group MAAWG's condemnation of email append, saying that MAAWG had a de-facto stake in defining "law" when it comes to email practices. Another speaker took issue with that statement, sarcastically asking the room, "Who here thinks that MAAWG is the law?"

Jordan's message is sound, though perhaps a bit too nuanced to cram into 140 characters (he later mentioned this on Twitter), or to fit into a sound bite during that panel discussion.

MAAWG is not a law enforcement body, duh. So what is MAAWG? It's an industry association of a whole bunch of companies involved in (among other things) email. Stakeholders abound. Not just companies maintaining email infrastructure (but lots of those), but also, a lot of companies providing marketing services or marketing support. Check out the roster for yourself.

And this whole group, this large constituency of email stakeholders got together and discussed email append at length, and came up with this widely reported, widely supported public statement saying that they don't think email append is a good practice.

Consider this: when a bunch of smart people, representing a large group of the stakeholders involved in keeping email operating as a successful medium and communication channel, come together to take a stance on a practice like this, it's wise to take heed. It's wise to listen, even if you might not agree. Maybe there's something you can learn from their stance, or how they came to take that point of view. I think there are lots of reasons why this group came to this decision. Various people I've talked to have told me why they've come to identify append as a bad practice. The mailbox providers involved have explained to me that they know that it is mail their users don't want. And, I've read various marketer-conducted surveys showing that subscribers themselves will say that this is a kind of mail they do not want. And, I know how many other unseemly or unethical things potentially make money without being a wise or repeatable best practice. And, if I had a dollar for every append-driven deliverability issue I've been called upon to help undo the damage from, I'd be a very rich man. And, the list goes on. A list comprised of both things I've experienced myself and heard explained to me by very smart folks.

So, to scoff and say "c'mon, this isn't law!" or to complain that competitive interest is to blame ("of COURSE he would say that!") is nothing but a distraction, to be ignored. It doesn't make any sense, anyway. There are multiple valid reasons to consider email append a bad practice, and trying to dismiss it as just one guy's opinion perhaps makes for a good Twitter fight, but out here in the real world, there's a lot more to it.

CASL Slips to 2013

The Financial Post reported last week that Canada's new anti-spam law won't actually take effect until 2013.

(Hat tip: EmailKarma.net)

SMS Spam: Google Voice is Helpful

That we can now report SMS spam to various wireless carriers is a good thing, but the process is still overly complicated and I'm doubtful that enough people take the time to report SMS spam received. I have Verizon Wireless, and the spam reporting robot gets confused and, for example, won't accept a spam report about a message received from a short code. One hopes that gets addressed at some point in the future, and that something, somewhere happens to give us end consumers some confidence that something useful is actually being done with the complaints received.

Spam Complaints Matter

When you're fighting spam, you reach out to a lot of different people. If you received spam and you're savvy enough, you send it to the ISP from whence it originated, and ask them to take action to make the spam stop. If you work for an ESP or a blacklist group, you might reach out to the sender and ask them to prove that this person opted-in, with details, in order to resolve the "he said, she said" situation inherent to most spam complaints.

A flippant, but true, response.

Almost every time a sender I'm talking to is dealing with a Spamhaus issue, they ask me, "Why now? Why did I get blacklisted today, when I've emailed this very same list three times previously?" The answer I have might be kind of flip, but I think it's appropriate: "Do you get a ticket every time you speed?"

5 Design Tips That Will Lower Your Spam Scores

Reputation is where it's at -- that's what I tell clients. After all, the vast majority of ISP spam filtering engines are fueled by data relating to your sending reputation -- complaints, bounces, and engagement. But even with that, people still often ask about content, which isn't necessarily my area of expertise. So, instead of telling you whether or not it's safe to use the word "free" in a subject line (it is), allow me to link you to this smart article by IBM's Len Shneyder: 5 Design Tips That Will Lower Your Spam Scores.

Whitelisting – A partial solution to Inbox Woes?

Things have become a little more tenuous in the email ecosystem of late. What was once a given, inbox placement, is now hard fought.

Way back in the year 2000, blacklists had so many false positives, inadvertently (and sometimes intentionally (vertently?)) blocking email from legitimate senders that the notion of whitelisting sprang up with the creation of Habeas.com.

Inside the Gmail Kimono: A Whole Lotta Nothing?

Gmail yesterday announced and unleashed a new way of doing things. They will finally tell users why stuff is in the spam folder, and there has been a lot of excitement in the sending world that there will finally be some clarity at Gmail as to their bulking policies. All told, there is, and there isn't.

Why did Gmail junk that message?

Gmail now tells you why it decided to junk a particular email message. Looking at my voluminous spam folder, every piece of spam I've received seems to have the reason "Why is this message in Spam? It's similar to messages that were detected by our spam filters." That's not necessarily all that insightful to me personally, but from reading this CNet article, it seems that other reasons are possible.

Send Less Mail, Make More Money

Sounds crazy, doesn't it? Representatives from fashion designer Nicole Miller shared that unsub rates have dropped and revenue jumped, all thanks to reducing send frequency, from three emails each week down to one single weekly email.

This shows that over-saturating your recipient base causes subscriber fatigue; it makes those subscribers less interested in what you're selling.

At its extreme, you can end up reducing a recipient's mail box to a pile of smoking rubble. Last week I tested a signup process for a potential client. One form submission with one checkbox, and 72 hours later, I had received 94 follow up email messages. Not surprisingly, 85% of them went to the Gmail spam folder.

Who invented email?

Not this guy, apparently. Writes Gizmodo: "Shiva Ayyadurai didn't invent email—he created "EMAIL," an electronic mail system implemented at the University of Medicine and Dentistry in Newark, New Jersey. It's doubtful he realized it as a little teen, but laying claim to the name of a product that's the generic term for a universal technology gives you acres of weasel room. But creating a type of airplane named AIRPLANE doesn't make you Wilbur Wright."

Interestingly, 1978, the year Mr. Ayyadurai claims to have invented email, was also the year a young Gary Thuerk sent the first piece of spam.

You Get the Deliverability You Deserve

You might know Neil Schwartzman. In his long and active career in email and anti-abuse, he once-upon-a-time handled compliance issues for Return Path certified senders, has consulted with other senders looking to comply with Canada's recent anti-spam legislation, and has long been one of the driving forces behind anti-spam advocacy group CAUCE. Now a member of the sender community via his new role as VP of Receiver and Sender Relations for Message Bus, I'm excited to be able to share some blog space to invite him to share what's on his mind. -- Al Iverson

Do I Deserve This? (Part 1)

I was out with a bunch of email geeks for Dim Sum, the weekend after M3AAWG in San Francisco, and after savaging several typical public policy whipping posts, like big pharma, drug research and public medicine, the conversation ended up, inevitably, on email and commercial senders.

My friend Mike Hammer made a stunning comment. Mike works for a very large sender, who has had their difficulties with getting their email to the inbox over the years.

Mike quipped: “We get the deliverability we deserve.”

Does Hotmail use the SBL (Spamhaus Block List)?

Yep, Hotmail does indeed use the Spamhaus SBL as part of their spam filtering and blocking system. I received a report yesterday of this specific SMTP error response received: "550 OU-001: Mail rejected by Hotmail for policy reasons. If you are not an email/network admin please contact your Email/Internet Service Provider for help. For more information about this block and to request removal please go to: http://www.spamhaus.org."

Hotmail has posted more information about the different types of blocks a sender can receive over on their Sender Troubleshooting page.

A wizard did it.

Did a wizard do it? No, it was engagement.

Mickey Chandler: "If you already have a good program, then mailing inactives isn’t likely to hurt you much. On the other hand, 6 or 8 times per month I’ll see a client who is having their mail delivered to the bulk folder trim their sends back to their most highly engaged recipients and things start appearing in the inbox again. The reason why isn’t magical, it’s engagement."

It's not all spam, is it?

Over on the Mainsleaze blog, Catherine Jefferson points out that the Obama campaign is sending mail both to an address she purposely signed up to receive their mailings, and also to a spamtrap address.

What does a reputation system do with that? What should it do with that? If it's a reputation system that deals with just individual spamtrap hits, then that IP address is now tagged as having a bad reputation, because it hit a spamtrap address. But it's also sending wanted mail at the same time. A blacklist operator or an ISP postmaster might go either way on this -- you're hitting my spamtraps -- so I'll block you. But maybe my users will complain, so maybe I can't block it.

It's a bad situation for a sender to be in. They're sending mixed reputational signals. If you're really about staying in the inbox, shouldn't you be staying away from mixing bad lists or bad data into that good, wanted mail stream? I think you should.

What's DMARC?

Return Path's Sam Masiello explains: "The genesis of DMARC was actually a private partnership between PayPal and Yahoo! and Google. They worked together in 2007 and 2008, respectively, to create a communication channel that would allow Google and Yahoo! to block all email purporting to be from a PayPal domain. It had a huge positive impact. At one point they were blocking, on average, 200,000 phishing messages a day."

DMARC takes these private agreements to the next level, creating a "scalable communication channel between every sender and every receiver and has the power to substantially reduce the damage of phishing."

DMARC appears easy to implement. It's not risk free, though. It can be used to instruct receivers to block or bulk email messages that fail or lack authentication, so a sender needs to be careful to ensure that all mail is properly authenticated. And be prepared for the oddball edge cases where authentication might fail unexpectedly.

The nerds in the crowd might recognize this as sort of a second try at ADSP, a DKIM authentication add on that was intended to accomplish something similar.

Update: Commenter Robert Mathews provided this link with an explanation of what makes DMARC different than ADSP. Thanks, Robert!

Address Validators: What are you Validating?

Laura Atkins wrote this really good post yesterday talking about email address validation, asking the question, "Can you verify email addresses in real time?" In it, she highlights her poking at a specific address verification service, immediately finding an example of how it identifies a specific handle of hers as a valid address when it isn't.

I've talked about email address validation for a long time now. Specifically, the pitfalls: why it doesn't really do what you think it does, and why it gets you blocked as a spammer by ISPs. Since 2007 (actually, longer), I've been warning people that the most common email validation methodology involves noisy SMTP transactions that land you on an ISP's "bad guy" radar. It started with SMTP VRFY, which just about every ISP now disables outright. To get around that, validation services (and spammers) moved to "faking it" via a series of SMTP commands. They walk through a sequence of MAIL FROM and RCPT TO commands (identifying who you might be trying to send a message to) without issuing a corresponding DATA command (meaning you never actually transmit a message). If the RCPT TO command fails, then it's a bad address. The recipient, the person you're trying to validate, never receives a message and is never the wiser. All good, right?

Wrong. When you do this, ISPs notice. You set off a blazing red alarm that you might be a spammer, potentially up to no good. ISPs decided long ago that this is spammer behavior, and they'll block you. I know from experience that Hotmail, in particular, considers this akin to a dictionary attack -- which may or may not be an accurate term for it, but that is what Hotmail has decided, so it's something you've got to deal with.
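Why ISPs notice is easy to see from the receiving side. The following is an added example (not from the original post, and not any ISP's actual logic) that scans a constructed, simplified SMTP session log for clients that get a recipient accepted and then never send DATA; the log format and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample in an assumed format: "session client-ip verb reply-code".
SAMPLE_LOG = """\
s1 192.0.2.10 MAIL 250
s1 192.0.2.10 RCPT 250
s1 192.0.2.10 DATA 354
s2 198.51.100.7 MAIL 250
s2 198.51.100.7 RCPT 550
s2 198.51.100.7 RCPT 250
s2 198.51.100.7 QUIT 221
s3 198.51.100.7 MAIL 250
s3 198.51.100.7 RCPT 250
s3 198.51.100.7 QUIT 221
s4 203.0.113.5 MAIL 250
s4 203.0.113.5 RCPT 550
s4 203.0.113.5 QUIT 221
"""

def summarize(log_text):
    """Per client IP: accepted/rejected RCPT counts and probe-like sessions."""
    sessions = defaultdict(lambda: {"ip": None, "ok": 0, "bad": 0, "data": False})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        sid, ip, verb, code = parts
        s = sessions[sid]
        s["ip"] = ip
        if verb == "RCPT":
            s["ok" if code.startswith("2") else "bad"] += 1
        elif verb == "DATA" and code == "354":
            s["data"] = True
    per_ip = defaultdict(lambda: {"accepted": 0, "rejected": 0, "probe_sessions": 0})
    for s in sessions.values():
        c = per_ip[s["ip"]]
        c["accepted"] += s["ok"]
        c["rejected"] += s["bad"]
        # Probe-like: a recipient was accepted, yet no message followed.
        # A session whose recipients were all refused is a normal abort.
        if s["ok"] and not s["data"]:
            c["probe_sessions"] += 1
    return dict(per_ip)

def flag_probers(log_text, min_probe_sessions=2):
    """IPs with repeated RCPT-accepted-but-no-DATA sessions (threshold assumed)."""
    return sorted(ip for ip, c in summarize(log_text).items()
                  if c["probe_sessions"] >= min_probe_sessions)
```

On the sample, only 198.51.100.7 is flagged; the client at 203.0.113.5 that quit after its single recipient was refused looks like an ordinary sender with a bad address.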

But let's set aside the technical and policy limitations that prevent this from being a success. Let's pretend everybody allowed this. When you perform this address validation, when it doesn't get blocked, what are you actually validating?
  • A verification service isn't going to know if an address is a spamtrap. It'll say that a spamtrap is a valid address, in that it accepts mail.
  • A verification service isn't going to know if the recipient is the right recipient. It's not like a double opt-in (aka confirmed opt-in) process. It does no verification of consent.
  • And some verification services provide false positive responses (as Laura Atkins was able to demonstrate).
So when you subscribe to an email address verification service, what are you actually buying, exactly? It sounds like you're buying a best guess that the address won't bounce... which you could have figured out yourself if you sent the subscriber a welcome message after they signed up.

Where's the value here? I'm not seeing it.

If the email’s legal, it can’t be spam. Can it?

Answering an important, and often-raised question by senders finding themselves blocked, Mark Brownlow explains that no ISP is going to let your mail through just because it is CAN-SPAM compliant. Read all about it here.

CheetahMail "Gives Up" Email Append

Over on the Email Responsibly blog, Experian CheetahMail's Ben Isaacson explains "that Experian CheetahMail believes that opt-out email appending is no longer an acceptable practice, and that marketers should no longer use this practice to acquire customer email addresses."

For those of us banging the best practices drum every day, this is fantastic news. For an email service provider like Cheetah, who has seemingly engaged in and supported the practice for many years, to stand up and say yeah, it's played out, don't do it, this has to signal a major shift in the industry.

Some, but not all, email service providers have banned use of email append for some time now, and a rallying cry of disaffected clients, when told not to utilize it, was often "but company X would let us do it!" The list of company Xs that would allow that sort of thing has just shrunk significantly today.

ETA 1/25/2012: Ken Magill covered this in the Magill Report this week.

Still Delicious in 2012

Link-sharing site Delicious may have changed owners last year, but my account is still alive and chock full of deliverability-related links. Click here to check it out.

Append a keyword to a URL if you want to bookmark a certain section. For example, if you want to bookmark all of my links to Comcast or Gmail-related info, you would want to bookmark http://delicious.com/deliverability/comcast or http://delicious.com/deliverability/gmail.
 

A Heck of an Oops

On December 28th, the NY Times sent an email, intended to go to about 300 people, out to over eight million email subscribers. At first, Times employees said it didn't come from them; it's forged, it's spam, ignore it. Many of us started to review the message source, noting proper email headers, proper links, email authentication, etc., noting that the email sure-as-heck looked to us like it was legitimately sent by the Times. Right about the same time I reviewed those headers, and came to the conclusion that it had to be legit, the Times clarified that it was an oops, and they did really send it.

That was one heck of an oops. Enough of one to actually make the mainstream media, where I'm sure you've all read about this already.

Jim Romenesko gave me a good laugh today, which is why I'm posting this. Like him, I'm dying to know, what happened to the person who pulled the trigger on that email send? Is that person still employed? Sadly, the Times isn't telling.

Is this type of error career suicide? What do you think?