Ask Al: What of Senderbase?

Emanuel writes: "I need assistance with Senderbase. What ISP report to Senderbase? Is there a way to view Senderbase complaints? We add all ours IPs in the feedback loop, but not in the feedback loop of Yahoo. Is it possible that the lack of a Yahoo feedback loop is the problem?'

Emanual, I'm sad to say that it has been a very long time since I have run into client issues that I believe to relate to Cisco's Senderbase. I don't know if Yahoo complaint data is fed to them, to be honest. But I'll throw the question out here and we'll see if someone else out there has some other ideas. Feel free to share your thoughts in comments, and thank you in advance!

List-unsubscribe on Gmail: Frequently Asked Questions (FAQ)

Google has long provided support for the list-unsubscribe header (as defined in RFC 2369) in Gmail. It is listed in their bulk sender guidelines as "strongly recommended." Meaning that if you're a good guy sender, it is expected that you will implement support for this functionality.

5 Reasons List-Unsubscribe Concerns Are Overblown

Over on the Litmus blog, Chad White shares why marketers shouldn't panic or try to disable the list-unsubscribe header on their email messages. Great insight, and the research aligns with what I've been seeing as well.

Microsoft breaks DKIM signature?

It's kind of rare, but not rare enough. Every now and then I hear of a client who is seeing intermittent DKIM failures at Microsoft Outlook.com/Hotmail properties. A Delivery Team Lead for one of the bigger ESPs posted about this on the Mailop list recently, looking for feedback and thoughts. The discussion that ensued seemed to come to a consensus that there are (rare) times when Microsoft may be modifying message content slightly, and thus causing the DKIM signature to break.

What You Need to Know About DMARC and Deliverability

Bronto's Chris Truitt explains how DMARC works, how it impacts deliverability and he outlines things to consider when configuring your DMARC record.

Spam Museum Welcomes 100,000th Visitor

From the not-just-email department: Local TV station KAAL-TV reports that the Hormel Spam Museum in Austin, Minnesota welcomed its 100,000th visitor last week. Her prize? 200 can of Spam. Yum.

Yuck: iCloud Calendar Spam

Are you one of the many millions of unlucky souls receiving spammy calendar invites? Apple is apparently aware of and working to address this type of thing, according to the iMore blog. But if you can't wait for that, the Verge has a few suggestions on what you can do about it.

Virgin Media is so rustic and artisan you get to hand-sort your own spam

Can't beat that headline. UK ISP Virgin Media is having a few problems with its spam filters, reports the Register. Previously hosting user mailboxes on Google-managed systems, the ISP was forced to bring it back in house after Google stopped selling the service to ISPs. Apparently, hilarity has ensued.

Good news for senders: Instead of blocking mail outright, suspected spam will now be routed to the spam folder. Sounds like ISP users will be able to identify spam and non-spam to the ISP, to help improve the filter over time.

A quick search suggests that @ntlworld.com and @blueyonder.co.uk are probably the relevant Virgin Media email domains affected by this issue. I'll update this post if I learn more.

MegaRBL DNSBL FUBAR

Over on the Word to the Wise blog, Laura Atkins explains what happened with that spate of short-term MegaRBL DNSBL listings you may have noticed last week.

AOL FBL Sending Address Changing

The AOL Postmaster Blog reports that on January 16, 2017, the from address for AOL feedback loop complaints will change from
scomp@aol.net to fbl-no-reply@postmaster.aol.com

AOL Postmaster Lili Crowley reports that this change is being implemented at the same time as they implement DKIM signing of all complaints sent.

AOL seems to be timing the change to occur after the busiest part of the Holiday email season has passed.

Putting Spam to the culinary test

Time for a distraction. The Staunton (VA) News Leader reports on the Virginia Military Institute's Spam challenge, wherein chefs are tasked to "create an entree and two sides using only five mystery ingredients and anything from the pantry, which was comprised of items that would have been available to the World War II-era home cook." Spam croquettes, anyone?

Holiday Season Tip: Don't Experiment

Hey, November and December are a big, important time period for online retailers. Lots of people always ask me what they should do to minimize the risk of deliverability problems during this period. Keeping in time that ISP email volumes are up (way up), ISP staff managing unblocking requests are probably getting more requests than usual, and that they all have holidays they're going to go on at some point. There's not always going to be a backup contact able to help. Responses are going to be slower. Maybe even less forgiving, out of frustration.

So what is the one most important thing you can do to make sure you don't have to deal with any of this? Avoid surprises. This isn't the time of the year to experiment. Don't add a new list. Don't buy a list. Don't mail a seven year old list that you just found in the back of a cabinet (that really happened). New lists, new data sources, anything you haven't been mailing to recently already, that adds new risk. Without knowing the reputation history of mailing to these "new to you" subscribers -- and how they're going to react to your mail in particular, you're opening yourself up to deliverability trouble.

Avoid that trouble. Don't start changing things now. Get through the season before adding more variables to what you're doing.

Gmail Updated on iOS

Google announced an updated version of the Gmail email client for iOS devices today. The big new enhancements seem to be "undo," "swipe to archive or delete" and a faster search function. There does not appear to be any support at all for list-unsubscribe functionality, which Gmail's Android client appears to have. Poking around in the new version of the iOS app, I can't get it to trigger any sort of action based on the list-unsubscribe header whatsoever. Strange, given Gmail was long a driver of this functionality.

Email and the 2016 Presidential Election

Just a few more days until the election, and then everybody can calm down and get back to their normal lives, I hope.

Every time I read the Washington Post, I see another article about email servers or weird DNS server activity. It's tiring.

I don't have the strength or energy to debate folks about the Hillary Clinton email server saga, so I'll just link back to this Word to the Wise post from July where Steve Atkins quotes Lane Winree on how plausible the explanation for the HRC email server scenario actually was. I do personally find it quite plausible. Of course, some commenters disagree, but security best practices aren't a monolith now, nor were they then.

Then there's this whole question of whether or not a Trump owned/managed server was communicating with a Russian bank. One of the people quoted in the Salon article is Paul Vixie. I worked for Paul around 15 years ago. We're not friends, but I generally think of him as a smart guy. Unfortunately, the more I read about this, the more it smells like this was probably just an email service provider running a dedicated outbound email server for marketing campaigns for some business of Trump's. The traffic could just be "typical ESP stuff" -- click tracking connections, image hosting lookups, performing DNS-based authentication checks, etc. and I could pretty much see a few really smart DNS nerds getting confused and thinking something more nefarious was afoot. I think the folks at the Intercept probably agree with me.

So, little to see on one hand and nothing to see on the other. Back to work, everyone.

Barracuda (was) down

Founded in 2003, Barracuda Networks provides anti-spam and security-related hardware and services and was believed to have more than 150,000 clients as of 2014.

Looks like if Barracuda hosts your spam filtering or mail services, you might not be receiving email right now. Multiple folks are telling me that they're having trouble connecting to Barracuda servers to deliver mail. The Register (UK) has mention of Barracuda downtime today as well.

As of 2:26 pm Eastern Time on Wednesday, November 2, 2016, Barracuda's status website says: "Investigating - Customers are experiencing delays with inbound message delivery. Outbound is unaffected.  [...] Engineering and Operations teams are still working to resolve delays in mail delivery."

Update: November 3, 2016: "Barracuda Networks is still continuing to see a large number of inbound connections from unverified sources for customers using Essentials for Email Security and Cloud Protection Layer. We have successfully filtered and are actively monitoring the situation while taking the appropriate actions when needed. Email processing has returned to normal. Previously delayed emails are now being accepted and processed."

Now you can read your email on Xbox One

Jess Nelson of MediaPost's EmailMarketing Daily shares news of the first-ever email client for the Xbox: MailOnX. Though, designers, I wouldn't necessarily start worrying about focusing your email marketing design efforts on Xbox as a platform JUST yet.

Beware: Student loan forgiveness spam

SC Magazine shares details of a Symantec report identifying student loan forgiveness spam as a path for the unwitting to get infected with malware. Particularly timely, given all the news lately about for profit colleges shutting down, leaving ex-students wondering what comes next with regard to their loans.

These spammers aren't very discriminating with whom they're targeting, based on the never-valid addresses I'm seeing the spam come in to. I called the number in one of the spams last Friday and talked to a very unhelpful young lady who didn't want to tell me anything about the unwanted mail she was somehow connected to. But at least I perhaps kept her from scamming somebody for a few minutes.

Not only should you be careful not to believe promises made in these spam messages, but even if they weren't spammers, you apparently still shouldn't be paying for debt consolidation or student loan discharge help.

And remember, no legitimate company is ever going to ask for payment in the form of an iTunes gift card.

Obama Administration Says Text-Spam Law Is Constitutional

Wendy Davis of MediaPost reports on a challenge to the TCPA (Telephone Consumer Protection Act), the US law that is the basis of US prohibition against unsolicited text messaging. The challenger: Facebook. The defender: the government. Read more about it here.

Yahoo! Mail: No Forwarding for you

It is being reported that Yahoo! Mail has disabled the ability for users to enable email forwarding. If you already have the feature enabled, you might be fine. But if not, there's no turning it on now. Conspiracy theorists say it's a play to keep people from leaving Yahoo. I'm not so sure. Is anything ever that simple? What do you think? Read more about it at TechCrunch or Fortune.

Update (October 14, 2016): Yahoo! Mail forwarding has been restored.

Checking an SPF record with the Kitterman SPF Validator

If you received an email message in your Gmail inbox, Google provides easy-to-read authentication results, showing you if the email message in question properly passed SPF authentication.

But what if you want to check a proposed SPF record, a potential change, to see if it is going to work, before implementing it in DNS? Here's how I do that.

DNS consultant and smart guy Scott Kitterman has a useful-and-simple page of tools for SPF Querying and Validation. Go to this page. Scroll down to "Test an SPF record." Fill out the form, submit it, and his checking tool will tell you if the proposed SPF record passes validation.

Let's do this with my xnnd.com domain. I want to test this as a potential SPF record: v=spf1 ip6:2607:f2f8:a760::2 ip4:167.88.36.240 ip4:162.244.29.202 ip4:206.125.175.2 ip4:184.105.179.157 ip4:174.136.106.18 include:_spf.google.com ~all

I'm going to use 162.244.29.202 as my sending IP address, it's my primary email server currently.


For the MAIL FROM address, I put in the return-path (MFROM) address that my mailing list uses. For the HELO address, I put in what I think my server's name is from its mail software configuration. (If you're not sure, just put in bounce@(domain) in Mail From, and (domain) in HELO Address. If I had done that here, it would be bounce@xnnd.com and xnnd.com.)

Then hit the "Test SPF Record" button and you'll get a response something like this one:


The important bit we're looking for here is "Results - PASS sender SPF authorized." That tells us that this SPF record is correct, and that mail with a message from of delivowner@xnnd.com will properly authenticate when sent from IP address 162.244.29.202, if I were to implement this SPF record in DNS.

If I was getting an error or I had typo'd something, I could hit the "back" button in my browser, make corrects, and test again.

Best practices for parked domains

A few months ago, I posted about "SPF Lockdown," a simple way to use an SPF (sender policy framework) DNS record to tell the world that a given domain sends no mail.

Email/anti-abuse industry group M3AAWG has some useful guidance that goes even further. Back in December 2015, they published a white paper entitled "Protecting Parked Domains Best Common Practices." It covers what I refer to as SPF lockdown, and it additionally instructs you on how to configure appropriate DKIM and DMARC DNS entries to both ensure that your non-mailing domains are as secure as possible, and enable you to receive reports about bad guys misusing your domain.

You can download the white paper here.

AOL announces Alto, new mobile email app

On Thursday, AOL launched iOS and Android versions of "Alto," a "proprietary email intelligence engine built to analyze and restructure the mountain of valuable data buried across multiple inboxes," aka a fancy new email client with time-saving email-sorting functionality built in.

AOL aims to help you simplify dealing with massive amounts of emails, by having the Alto engine automatically organize messages into "stacks" based on message type. 

You don't have to be an AOL email user to use Alto. The Alto email client supports email accounts from AOL, Gmail, Yahoo!, Outlook, iCloud, Outlook, Exchange and "any other IMAP email provider."

Do we need another email client? I guess I'll download and test this one out and see, but I'm not holding out that it's going to be a magic replacement for my iOS Mail (of which I am a heavy user). I'll be curious to see if it renders emails any differently. I'm sure that'll give designers fits, if so.


For more about Alto, read the Fast Company article, check out the AOL press release, or click on over to the Alto Mail website.

Not receiving Yahoo FBL Confirmations? What to do

ISP Feedback Loops (FBL) are valuable for email senders and email service providers (ESPs). It provides valuable information on who is complaining about your mail. Not only does it (usually) allow you to unsubscribe people who complain, preventing them from lodging any additional black marks against your sending reputation, but it allows you to roll aggregate stats that can tell you which lists or list segments are causing your deliverability problems. List two has a 150% higher complaint rate than lists one and three? Then list two needs some attention, and quick, before those complaints cause you to get blocked or sent to the spam folder when attempting to send to Yahoo subscribers.

Signing up for the Yahoo FBL is a pretty straightforward process. You just submit your new domain to Yahoo via their Yahoo's ISP Feedback Loop form, along with some simple information about who you are and where complaints should be sent. As the final step, Yahoo will send an email message containing a verification code to the "postmaster" mailbox at the domain you are attempting to register. This proves that you have control over the domain, and that you're not trying to sign up somebody else's domain without their knowledge or consent.

Yahoo requires that you receive this email message, retrieve the verification code, and paste it into the Yahoo FBL registration form.

Sometimes folks don't receive that important email message, and are then unable to complete the FBL registration. If that happens, here's what to do.

In almost every instance where I hear of someone not receiving a Yahoo FBL verification code email, it has been due to one of two problems:

  1. You can't actually receive any mail at that postmaster address, so the verification code email is bouncing. This is easy to test. Go to an outside email client (Yahoo or Gmail), and send a message to postmaster@ (your domain). Does the message bounce? Does the message reach you in the inbox? Does it go to a mailbox that you can access? If you can't find this message, you've got a problem to fix before you can sign up for the Yahoo feedback loop.
  2. Your mail server is rejecting the verification code email message because the from line used by Yahoo is too long. In particular, this affects users of the PowerMTA platform. Laura Atkins explains why this happens and how to fix it, over on the Word to the Wise blog.

This is a question I get asked fairly regularly, so I hope you find this little blog post on the topic to be useful.

Note: To participate in Yahoo's Feedback Loop, there is a prerequisite: You must authenticate all mail by signing it with DKIM (DomainKeys Identified Mail). Keep in mind that your email platform must sign the mail with the "d=" and that complaints will not be sent about any messages that lack a DKIM signature.

Additional Note: From talking to folks at multiple email service providers, it sounds as though Yahoo does not always send back all complaints. I don't have information on why that is, but I would consider it a "fact of life" and something senders just have to deal with, from what I am hearing.

Spam Resource on Facebook

Hey, I hope you'll come over and "like" the Spam Resource page on Facebook. I'm hoping that eventually we can use it as a place for folks to ask questions and share info, maybe to inspire future blog posts. Thanks in advance!

DMARC Support in Mailman

Mailman is a very popular open source mailing list management software package. It's been around for a long time -- since the late 1990s, according to Wikipedia. Sites using Mailman to manage discussion lists were negatively impacted by the roll-out of DMARC, specifically when big ISPs (starting with Yahoo and AOL) began to implement "p=reject" DMARC policies, meaning legitimate mailing list mail, most commonly posts from Yahoo or AOL users, would start to be rejected by ISPs who filter based on DMARC policy.

Google Groups and Yahoo Groups both implemented header changes to workaround the then-new DMARC issue, by (and I'm simplifying here, forgive me) making the mailing list the sender of the message, as opposed to the prior method, which was that the person who submitted the post to the mailing list was considered the sender.

Mailman has done the same. All the way back in 2014, Mailman 2.1.16 included a feature called "from_is_list," that, when enabled, rewrote the email headers to help admins deal with restrictive DMARC policies.

Mailman version 2.1.18 takes it a step further, giving you a set of options under the label of "dmarc_moderation_action." This feature provides five different "actions": Accept, Munge From, Wrap Message, Reject, and Discard. My suggestion is to select the "Munge From" action.

Some mailing list managers are pissed about DMARC and want to keep users at DMARC-publishing domains away from their mailing lists, so they've chosen the "reject" or "discard" actions. That's not very friendly to end users.

The authors and team behind mailman put it thusly: "Mitigating the effects of the DMARC reject policy are difficult. All known mitigation techniques break some user expectations and/or degrade the user experience. Still, it's incumbent on the Mailman developers to try to reduce the pain our users feel, and to provide some options for site and list administrators who find themselves caught in the middle."

If you don't take any action here, you're leaving a subset of your potential subscribers out in the cold. Making them second class citizens, unable to participate in the mailing lists you're hosting. Be kind, and don't beat up Yahoo users because of a domain policy that Yahoo choose to implement (and that Yahoo user is stuck dealing with). I strongly recommend that you enable the "Munge From" action under "dmarc_moderation_action."

Gmail to Support Responsive Design + More

Litmus recently shared news that is sure to make email designers light up with glee: "On August 31, 2016, Gmail began supporting the CSS property display: none;. And today, Gmail announced they will begin supporting <style> and media queries later this month." Read all about it here.

Ken Magill: Time to switch to COI/DOI

Industry reporter Ken Magill has changed his mind. Long advocating against required double opt-in, he has now come around and suggests that it is time to implement it. Read more over at Magill Report.

Subscription Mailbombing: Must Read

SendGrid's Paul Kincaid-Smith's has a post up this morning about the "tsunami of unwanted email" generated by the bad guys out there using botnets to subscription bomb (aka harass) people and why you should secure subscription signup forms.

The bad news is, this abuse causes problems for otherwise good email senders. You didn't cause it, but you'll get caught up in it, if you don't take precautions. If you have an email signup form out there in the wild, it's time to add a bit of security to it to prevent the pain you'll run into if and when you get Spamhaus blacklisted because your signup page got abused.

TL;DR? If you have an email signup form, you need to enable COI/DOI (double opt-in) and also add a CAPTCHA-like process (reCAPTCHA is recommended), or else when the botnet bad guys get to you, they're going to sign lots of people up to your lists who don't want to be there, and pain is sure to follow.

Gmail providing easy-to-read Auth Results


This is pretty slick. When is the last time you selected "View Source" in Gmail to look at the raw headers and body content of an email message? As of a couple of days ago, Google has added some nice new info to this feature, showing an easy-to-understand summary of authentication results. In this example, it's highlighting that SPF, DKIM and DMARC are all working correctly.

This is all info you could find by looking through the email headers. But it's nice to see it called out in this way; it saves some digging and gives you a very clear understanding of how the Gmail platform sees the message.

List Unsubscribe in Apple's iOS 10

As I mentioned before, Apple has provided support for the "list-unsubscribe" header in the built-in mail client on the latest version of their mobile platform, iOS 10. Now that iOS 10 has been released to the world, I've reviewed how this process works and put together what I think you need to know.

Doing the Math on Purchased Lists

Back in 2014, MailChimp published data showing what happens when you mail to purchased lists. Though it is now a couple of years old, it's still solid research and quite relevant today.

Bye bye, SmartScreen

Microsoft recently announced that on November 1, 2016, they will stop generating updates for Microsoft Exchange's "SmartScreen" spam filters used in Microsoft Exchange Server and the Outlook (Windows) desktop client. Read more about it here.

What does this mean? This is probably a good thing. These were primarily content-related filters and content filtering isn't really "where it's at" when it comes to best practices with regard to spam filtering nowadays. I believe that this ultimately will drive users to newer solutions that are probably going to be more focused on sending reputation, meaning that us deliverability and email technology-related folks will eventually no longer have to deal with Outlook desktop client spam folder issues, which were often a confusing outlier when reviewing email deliverability results.

Click here to read more on this topic, from Laura Atkins of Word to the Wise.

Deliverability Problems: What You Can't Fix


If you're having deliverability issues, I can tell you from my experience that you aren't really going to be able to get back to the inbox if any of the following types of subscriber list sources are in play:

7 Common Deliverability Myths Busted

Kayla Lewkowicz of Litmus breaks it down: Seven common deliverability-related assumptions that just aren't true. She explains whether or not it's OK to use FREE in a subject line, or is Yahoo to blame when Yahoo blocks your mail, and provides even more solid explanations on how things actually work over here in deliverability-land. Great post!

Dead email domain: facebook.com

A representative of Facebook confirmed for me that the email service handling mail for facebook.com email addresses is no more. PC Mag had previously shared that FB was warning users back in April that this was coming.

Thus, it is now safe to block, reject, unsubscribe or otherwise filter out all mail to the facebook.com domain. I have no clue what they'll do with it in the future, but if it was me, I'd let it bounce for a while, then turn it into a spam trap domain, feeding spam filters or blacklists. If they have the same idea, you'll definitely want to stay away.

Do you need COI/DOI? Probably.

In case you've been living under a rock, or you've been lucky enough to not be affected, here's the deal: Some bad guys, probably Russian or Eastern European, have decided to mail-bomb unsuspecting folks by signing them up for many hundreds or thousands of mailing lists. The bad guys built a tool that either searches for or has a list of signup forms at many hundreds or thousands of websites. The bad guys then submit many email addresses to those forms.

The net result is, if you're on the wrong end of this attack, your mailbox gets filled up with a bajillion newsletters. Some from big brands. Some from small brands. Some from companies you've heard of. Some from non-profits you've never heard of.

Yahoo: Deferring Inbound Connections Today

Since about 6:00 am eastern this morning, Thursday, August 25, Yahoo has been deferring delivery attempts from almost everyone ESP or mail platform I'm hearing from. My guess is that there's a spam filter update issue or system capacity issue over at Yahoo. As far as we can see, almost all inbound mail is affected. Inbound connections are timing out, or giving unexpected TS01 errors, or giving "temporarily deferred" errors.

Stay tuned, I'm sure the good folks at Yahoo are on it and will address the issue as soon as possible.

Where do I get a new IP address?

Someone asked me the other day, where can they get a new IP address? Their current IP address is "blacklisted" at Yahoo and Hotmail, I was told. It's easy enough to get a new domain name, but what about the IP address?

They let me know that their deliverability was suffering and that getting this fixed was very important to them.

I had to ask, though, why do they think the new IP address wouldn't have deliverability issues? Deliverability issues are reactive. Something has to have happened to make the ISP take a dim view of your mail, of your IP address. You don't just get blacklisted because your IP address contains a "7" in it. Something has to change in your sending or list hygiene practices. Are you engaging in email append? Are you buying lists? Are you sending to very old data?

Until you figure out what's causing the "blacklisting" and actually fix that, don't expect a new IP address to just magically fix everything. What will happen is, you'll try to warm that IP address up, it'll seem to go okay for perhaps a few weeks, but then you'll start to see the same issues on the new IP address that you saw on the old IP address.

It's kind of like changing your shirt because it's got blood on it. If you've got a bloody wound, changing your shirt doesn't actually close the wound.

Gmail now requiring SPF or DKIM

Google just announced that if a message received at Gmail cannot be authenticated by way of either DKIM or SPF, the user interface is going to show a question mark in place of the sender's avatar or logo. Click here to learn more.

Yahoo, AOL to both be owned by Verizon

Verizon announced today that they are buying (most of) Yahoo for 4.8 billion dollars in cash. Back in 2015, they purchased AOL for 4.4 billion dollars. This means that three different email receiving platforms are now owned by one entity: Verizon. It's hard to saay what becomes of the Verizon, AOL and Yahoo! Mail platforms in the future. Since purchasing AOL, Verizon seemed to continue to invest in the AOL mail platform, and some Verizon email users were transitioned to AOL infrastructure. But now that Verizon will own both the AOL and Yahoo! Mail email platforms, both of which I suspect are pretty robust, there could be some internal competition regarding which email platform ends up being the primary one used across all users. Or would they keep both the AOL and Yahoo! Mail platforms running separately? We will see.

TL;DR? Verizon now owns both Yahoo and AOL. Future impact to senders unknown, sit back and stay tuned.

Edited to add: Here's another take on how the consolidation of the two platforms could go, courtesy of Litmus's Chad White.

Spamcop: Declines to send reports to ESPs

If you work the abuse desk for an email service provider, you've undoubtably gotten spam reports from angry Spamcop users who think that your ESP, your employer, is "refusing" Spamcop reports.

Steve's Co-Reg Inbox Saga

Periodically I create a virgin Gmail account and sign it up for something, to see what other kind of stuff might end up in the inbox. On February 22, 2010, I clicked on a single "free ipad" co-reg marketing ad, and left the checkboxes checked. I watched the mail coming in for a while, but then forgot about it.

Wired on Email Reputation

Word to the Wise's Laura Atkins is quoted in this article from Wired, "Mailchimp Sends a Billion Email a Day. That's the Easy Part." It's not a bad primer on Email Reputation 101, and why you can't just shovel spam at ISPs and except them to take it.

Author Klint Finley explains: "What many people don’t realize is that today’s spam filters don’t just scan an email for questionable keywords, like references to pharmaceutical products or porn. Nor do they look merely at the email address of the sender. Crucially, they also look at the servers sending the email. Most of today’s biggest email services, such as Gmail, Yahoo Mail and Outlook.com, use reputation scoring to rank the likely spamminess of a server that’s sending an email. Think of it as a sort of credit rating for email senders."

Read more >>

What is SPF Lockdown?

I've been asked this question pretty regularly: How do I tell the world that a certain domain of mine isn't valid for sending email? What about typo domains, bad domains? How can they configure things to tell the world that no legitimate mail should have this domain in a from address?

Apple iOS 10 to support List Unsubscribe

Various online sites are reporting that Apple's iOS operating system version 10 is going to add support for the list unsubscribe header found in many email messages. In case you're wondering, it does sound like this unsubscribe feature supports the "mailto" version of the list unsubscribe functionality. A reddit user posted an example of a generated unsubscribe request here. I'm unclear as to whether or not it will support the "http" version of the list unsubscribe functionality.

The beta version of iOS 10 was released just yesterday, and the full public release is expected to happen sometime this fall.

FBI Raids Spammer Outed by KrebsOnSecurity

Another spammer put under the microscope! Brian Krebs reports on the FBI arrest of Michael A. Persaud, reported to be one of the world's top ten spammers.

Sanford Wallace gets jail time for FB scam

Ah, Sanford Wallace. 1990s spammer, widely blocked and blacklisted, one of a few big bad spammers who made the rest of us realize that spam was a real problem and that we had to do something about it.

Way back in 1999, in a Usenet discussion thread about Sanford, one of my fellow spam fighters asked this question: "My question would be when Wallace is going to find another loophole that allows him to cost-shift his advertising? If he could find a way to print flyers and get them glued onto everyone's car, then sue them for removing them, I'd bet that he'd do it. He's just that kind of scumbag."

Uh, well, here's something. "Last August, Wallace admitted to compromising around 500,000 Facebook accounts, using them to send over 27 million spam messages through Facebook's servers, between November 2008 and March 2009."

When is a phish not a phish?

How about, when the email is actually legitimate? But, how do you know, if the company isn't using their brand or company name in the from address? John Levine shares a scary example of what turns out to be a legitimate email, just with really, really poor branding. It makes me seethe, because it goes against everything we're supposed to be teaching end users to know about how to tell a good email from a bad one. (For more on what phishing is, click here.)

Can't send to Dad, sorry.

"Send to Dad by Sunday midnight!" the email's subject line exclaims. My father is currently in hospice care. He isn't reading a lot of emails. He probably doesn't need this valuable offer.

This reminds me a lot of the multiple "Don't miss out on Mother's Day reservations" emails from last month. My mother was cremated at the end 2014, so she probably doesn't need a reservation.

But please keep reminding me of the past and pending deaths of people dear to me, marketers! It's thoroughly endearing-- kind of like an un-ending emotional colonoscopy.

My mother passed away right around Thanksgiving in 2014. When Thanksgiving rolls around, that doesn't itself get me down. It's the explicit reminders that marketers blast via email and Facebook on those couple of holidays that actually suck.

It only took about a year after our last dog died to get the vet to stop sending us "it's time for Solly's checkup!" reminders.

You'd think marketers would do better at making it easy to stop this kind of thing.

They don't, though.

Internet, Web Enjoy One Final Day As Proper Nouns

I have never liked capitalizing internet or web, previous versions of the AP Stylebook be damned. I guess I'm some sort of trailblazer or something, because now my way is the right way, because the latest version of the AP Stylebook says it is no longer appropriate to capitalize the words internet or web.

Putting the "free" myth to bed

Word to the Wise's Laura Atkins, like me, often gets asked about words to avoid in subject lines. Is it OK to use the word "free" in a subject line? I read that causes spam filtering! Not true, Laura patiently explains. Like Laura, I've been trying to explain that to people for years, myself. Back in 2007, I wrote:

"Since when did the world "free" become a bad word?" The answer is: It didn't. It's not. The vast majority of spam content filters don't do anything so simplistic as to filter or block a message just because it contains the word "free." Don't be afraid to use the word "free." If you're not sending spam, it's not likely to get you blocked.

Still true today.

Scott Walker's got a list for you

Why does it seem like all politicians are spammers?
Want to spam everybody who signed up for emails from Wisconsin governor Scott Walker during his failed presidential bid? That'll cost you $10,500. Makes me wish I had signed up for his email list, so I could see what kind of junk he's allowing people to send through today.

Boy, that'd make me mad if I signed up for his email list and started getting random ads for unrelated things. I don't know about you, but I try not to give my email address out to people who plan to share, sell, or repurpose it after the fact.

What is phishing?

Not this kind of fishing.
Somebody asked me recently, what is phishing? Instead of re-inventing the wheel, allow me to link to a few of the resources already out there that explain what phishing is and why it is a problem.

What is phishing? From Wikipedia: "Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication."

From Microsoft: "Phishing email messages, websites, and phone calls are designed to steal money." Included are examples of what a phishing scam in an email message might look like.

And here is more information from the FTC's Consumer Information site.

Outlook.com (Microsoft Windows Live Hotmail) Issues Today

I'm hearing from multiple sources that some mail to outlook.com / live.com / hotmail.com recipients is being delayed / deferred unexpectedly today.

ETA: Issues seem resolved. Not quite sure when they cleared up.

Yahoo, Gmail and Spam in the news

Yahoo and Gmail both hit the news this past weekend, and not for great reasons.

Protect Your Brand and Reputation

Today's guest post comes from deliverability consultant extraordinaire, my friend Josie Garcia. Take it away, Josie!

Did you know that senders are in control of many more reputation and vulnerability factors than ESPs?

Cisco PIX/ASA: Disable SMTP Fixup

Over on the Mailop list, a postmaster shared his tale of woe involving sending mail to a small set of recipients whose mail server is behind a Cisco PIX firewall.

Verizon.net moving to AOL

Some or all of verizon.net mailboxes are going to move to infrastructure hosted by AOL.

Google Postmaster Tools: Domain vs. IP address Data Thresholds

Today's guest post is from Brian Curry, Manager of Deliverability, for Merkle Inc.. Take it away, Brian!

Since July of 2015, Google rolled out a shiny new tool for the Deliverability community to poke around and nerd out. We all know Google hasn’t always been the most transparent to Senders, so while we play with our new Gmail toy, we start to notice small things that perhaps give us clues into Google’s mind.

Google Postmaster Tools: Not receiving data?

A few different folks have reported to me that when accessing Google Postmaster Tools, they were seeing this message being displayed instead of data:

No data to display at this time. Please come back later. Postmaster Tools requires that your domain satisfies certain criteria before data is available for this chart. Refer to the help page for more information.

B2B Spam is Dumb and You're Dumb and This Other Guy is Dumb, too

Every so often somebody approaches me to ask me if B2B spam is OK now, because they get B2B spam at their work address. Everybody gets it, they presume, thus it must now be acceptable. Or it was always acceptable and those deliverability guys were just trying to mislead them before.

Microsoft Outlook.com / Hotmail Deliverability Troubleshooting

Here's my top five tips for deliverability success when sending to Microsoft’s Outlook.com / live.com / Hotmail email platform:

I'm blocking all mail from .top

I'm blocking all mail from the new .top TLD, because I'm getting absolutely pummeled with spam from a spammer or small group of spammers rotating through .top domains, trying to hide who they really are. You might want to avoid the .top TLD for email purposes right now; since the only samples I can see are bad things, you won't be in very good company.

UnsubCentral: Anybody home?

I emailed your support address five days ago and haven't heard back. Are you out there? Please get back to me. Thanks!

Gmail: Top 5 Deliverability Do's and Don'ts

Want solid inbox delivery at Gmail? Here's what you need to do (and not do) in 2016:

Best Email Frequency?

How often should you email your subscribers? Every 37 minutes.

Just kidding.

Researchers help shut down spam botnet that enslaved 4,000 Linux machines

(A very old CBL logo.)
Click on over to ArsTechnica if you want to learn more about the specifics of this particular spamming botnet army. The interesting bit (for me, anyway) is that the infected machines monitored the Spamhaus CBL blacklist and would request removal if found to be listed. That's pretty amazing; does this count as the machines being alive? Joking aside, I wonder how one catches and notes these robotic blacklist removal requests.

Spamhaus to indicate DROP status via DNS

In addition to the blacklists we all know and respect, Spamhaus maintains two other special lists: The DROP (Don't Route Or Peer) and EDROP (Extended Don't Route Or Peer) lists.

Outlook.com Inbound Email Issues

It looks like Hotmail done gone and blowed up again.

I am seeing multiple reports that mail server connection attempts to hotmail.com / outlook.com recipients are either timing out or resulting in mail to legitimate users is being rejected with a "554 Transaction Failed" error. This appears to be affecting at least one large email service provider, and probably others.

For some folks, it has been happening since before noon central time on Wednesday. I personally just started to see it on my own mail server around 5:00 pm on Wednesday. As of this writing (6:30 pm), it's still happening.

This is what makes it tricky for an ESP's bounce handling. You can't just assume that any old hard bounce means that a recipient must be invalid, when an ISP could (and occasionally does) fall down, go boom.

Update: This issue seems to have been resolved sometime after 7:00 pm central time on Wednesday, April 6th.

Don’t Be Afraid to Say Buh-Bye

Over on the Bronto Blog, Waynette Tubbs reports shares a client's experience with email list stagnation, re-engagement, and how to deal with letting go. It's a smart marketer that can delete 30% of the email list the right way and end up seeing positive gains!

Get rid of that dead weight! They're not untapped marketing opportunities; they're deliverability anchors subtly sinking your inbox rates.

Here's why I unsubscribed

I really like my 2014 Lincoln MKZ. It's sort of the one flashy thing I own. I don't have a big house or wear fancy clothes, but I enjoy my nice ride. And I was really happy with my purchasing experience at Napelton Lincoln in Glenview, just outside of Chicago.

Since I have since moved to Minnesota, I obviously have had to find a new dealer to take the car to for service and maintenance. Well, the new dealer uses some system that sends automated email notifications. It keeps emailing me to tell me it's time for 35,000 mile maintenance. But there is no 35,000 mile scheduled maintenance for this car. Lincoln's own website says the next maintenance is due at 40,000 miles.

But I can't get their system to stop telling me to come in, and I don't see any way to update them or give them feedback about it. And if I even did call them on the phone, do you think they're going to have some way to update their marketing automation campaign just for me? Probably not.

So...I am forced to unsubscribe. Sorry, local Lincoln dealer, but I guess the honeymoon is over and the mismatched maintenance schedule in your marketing automation program is to blame.

Mail.ru announces additional DMARC domain restrictions

Mail.ru just announced that they're moving the domains mail.ua and corp.mail.ru to a restrictive "p=reject" DMARC policy on March 29, 2016.

They previously announced that they were moving domains to "p=reject," beginning with the domain my.com this month. They indeed have moved my.com to a "p=reject" DMARC policy.

Future Mail.ru domains to be updated include bk.ru, inbox.ru, list.ru and mail.ru. Stay tuned.

What is an ISP Feedback Loop (FBL)?

Back in January, spam/abuse fighting industry group M3AAWG published an excellent overview of exactly what constitutes a feedback loop, and they even included a helpful list sharing all of the feedback loops that they are aware of at the time of publishing.

Images off by default?

Dear readers, what email clients still block images by default?
  • Gmail shows images by default. 
  • Yahoo Mail shows images by default.
  • Microsoft Outlook.com (Hotmail) shows images by default.

Who doesn't show images by default nowadays? What percentage of recipients use clients or providers that block images by default? The data I and others have handy seems to be pretty dated.

What's your experience? Feedback welcome; please leave a comment! And thanks.

How to Optimize Your SPF Record


Steve Atkins of Word to the Wise just released a cool new tool: SPF Minimizer. Over on the Word to the Wise blog, he explains how it works and provides an extremely insightful explanation of do's and don'ts when it comes to SPF, aka Sender Policy Framework.

Yahoo Mail not accepting inbound mail

I'm seeing multiple reports of this today-- it sounds pretty widespread. Mail to Yahoo is being deferred due to an internal system issue on the Yahoo side of the connection. My own MTA logs are filling with "451 4.3.2 Internal error reading data" errors.

Reports on the Mailop mailing list suggest that the issue started around 7:00 am US central time on Sunday, March 20th.

Update: As of 1:50 pm US central time, I see that some mail must be getting through for some folks. My primary Yahoo seed mailbox is populated with a new message every few minutes or so. But volume is a lot lower than usual and mail is still backed up on my sending server.

Final update: Multiple sites are reporting that as of about 2:00 pm US central time, Yahoo seems to be accepting all mail again. My queues are empty and all of my earlier-sent test messages have now been delivered to my Yahoo seed mailbox.

New: Check Auth Status with XNND

Need to check the authentication status of your email sends? Wondering if you've got TLS, DKIM, and SPF configured properly? Here's an easy way to tell. Using your email platform or email service provider, send a message to authentication@wombatmail.com. Then, after a few minutes have passed, your email message will be added to the list of messages over on the XNND Authentication Page at http://xnnd.com/authentication/ and you'll be able to see whether or not your mail message was signed with a working DKIM signature, whether or not it passed SPF authentication, and whether or not TLS was used during mail transport. Any questions or feedback? Feel free to drop me a line in email or in comments.

Yep, that's about right.


H/T: @mattindy77

Sender ID Doesn't Matter in 2016

Sender ID didn't actually come on a cassette tape.
Once upon a time, Sender ID was a sort of Hotmail-specific version of Sender Policy Framework (SPF). It used to be valuable and necessary to maximize your chances at getting solid inbox deliverability at Hotmail. There used to be these tricks you had to do; like, if mail was being silently discarded at Hotmail, you'd have to manually submit your Sender ID record to them via a webform, and we knew that this would eventually lead to improved deliverability.

But that's all super old news at this point. Hotmail -- I mean Outlook.com -- has long switched over to checking DKIM and SPF like so many other large email and webmail providers.

There's no harm if you're still publishing a Sender ID record, but if you're planning to set one up when configuring your new domain, don't bother. SPF and DKIM are where it's at in 2016.

The spam map of the United States

Over on Betanews, Ian Barker asks: "What do California and New York have in common? They're both major centers of spam email according to new research, between them accounting for almost half of spam sent in the US."

Over here on Spam Resource, I ask: What do Utah and Michigan have in common?  Two things.

First, according to that Betanews article referencing data from Comodo Threat Research Labs, these two states both make the top five list of states as sources of spam. Utah is third and Michigan ranks fourth.

Next, both states were convinced to implement "Child Protection Registry" services over ten years ago. Register your child's email address, and all good, legal, ethical senders of mail advertising anything "grown up" in nature (think alcohol and cigarettes, for starters) will be sure to scrub those addresses out of their list. The net, it was proposed, is that minors in those two states would be spared from receiving email advertising for products they're not supposed to have access to until adulthood.
Interesting idea. Except that the implementation of it was pretty awful. "Painfully bad," wrote Return Path way back then. The scrub process cost money and was clunky. Perhaps it is still clunky, but instead of bothering with it, lots of compliance folks started suggesting just asking, at the time of signup, what state a subscriber is in, and if they answer with Utah or Michigan, don't send to them if you advertise or sell those kinds of products. So I haven't personally heard of anybody having to go through the scrub process in years. (Have you?)

The only upside was perhaps for the company chosen to run the registry in both states (Unspam) -- maybe they made some money from it.

But it didn't do a damn thing to stop spam, because, as predicted by many, only good guys who wanted to comply with the law would follow through (or avoid those two states). All the bad guy spammers who probably already break the law, who don't care about permission, they keep on spamming adults and children alike.

Correlation is not always causation, and these two data points don't really overlap. But it does seem that both states biffed it two different ways when it comes to stopping spam.

Small scale, unsolicited, and sustainable...

My friend and deliverability colleague Josie Garcia sent me this picture yesterday. It's a picture of her printout of a specific page from this blog, from sometime around a hundred years ago. Specifically, it's a post from 2007, where I replied to and rebutted a "cheeky" marketing guy who thought that whole permission thing was overrated. "It's document shredding day here, but I'm keeping this gem," Josie mentioned.

Mr. Cheeky popped up at the time to tell me that he was doing great. He indicated that his "small scale, unsolicited and sustainable" non-permission model was working wonders for him. But what about since then? Not surprisingly, he seems to have moved on to a new career; his blog is long shuttered. But my friend reminds me that what I posted back in 2007 remains solid advice now: Permission rules. If you don't respect permission, you're a spammer, dummy. Forget insults and bad feelings, no permission means you're going to have problems getting your mail delivered to the inbox reliably.

Why listen to us? Josie and I have only been doing this sort of thing for something like fifteen years. Meanwhile, every year, some new cheeky marketing dude wanders by, trying to tell everyone that, all the data and history and experience notwithstanding, permission is suddenly overrated and they've found the One True Other Way...yet mysteriously, they don't seem to be in it for the long haul.

Hmm. Wonder why.

SPF Still Matters in 2016

SPF (Sender Policy Framework) still matters in 2016. Lots of folks might be authenticating with DKIM now, but SPF is a useful fallback mechanism and in my oh-so-humble opinion, everybody sending email with their own domain name should publish an SPF record.

An SPF record is primarily used to publish a list of IP addresses or network ranges. You're telling the world that those IP addresses are allowed to send mail using that domain in the from address.

The $64,000 question: Dash all or Tilde all?

  • Ending the SPF record with "-all" tells the world "I'm confident that any other mail using my domain, coming from other IP addresses, must be forged; treat it harshly.
  • Ending the SPF record with "~all" tells the world "I'm mostly but not entirely confident that any other mail using my domain, coming from other IP addresses, is probably forged; examine it more closely."

Which is better? Using "-all" used to seem to improve deliverability a bit more than using "~all." Though I haven't personally tested that in a long time, I'd lean toward using "-all," unless you have concerns that you might have missed some of your sending IP addresses.

"But SPF is worthless," occasionally a spam fighter will cry. Not true! SPF is very useful in a whole other way: whitelisting! Run an ISP or a blacklist, and you want to make sure you don't block legitimate mail from Yahoo or Gmail outbound IP addresses? Use their SPF record as a whitelisting guide to make sure you don't reject mail from those IP addresses. SPF works very well for that.

Want to tell the world that your domain doesn't send any mail and that it's safe to assume any mail sent using this domain is forged? Publish a "v=spf1 -all" SPF record; that's exactly what it will tell anyone who checks and respects SPF records. Lots of domains publish this type of SPF record; I've found it useful as part of a domain validity check process, based on the assumption that if the domain doesn't send mail, it probably doesn't accept mail. It has served me well so far.

Useful Tools: You can use XNND to lookup an SPF record. The Authentication section on Wise Tools will help you break down that SPF record in more detail. Here's a very useful suite of SPF-related tools, published by Scott Kitterman.

(What about Sender ID? Does that still matter? No. Microsoft Hotmail / Outlook.com was the only one who cared about Sender ID, and no longer check for it.)

Edited to Add: You'll want to read Mickey Chandler's followup post, Drafted for the wrong fight.

Email inventor Ray Tomlinson dies

Without the work of Ray and so many others, would I even have a career today? Rest in peace, good sir.

Spamhaus Releases "Worst TLDs" List

Don't go rushing out to buy a domain name under the ".download" TLD (top level domain) just yet; Spamhaus says just over three quarters of registered domains under that new TLD are bad news. This kind of data tends to lead spam filterers to treat all mail from that TLD as spammy; guilt by association means good luck trying to get your mail delivered to the inbox reliably.

International Yahoo Domains to get DMARC "Reject" Policy

You may recall that Yahoo initially implemented a "p=reject" DMARC policy back in April, 2014 for their primary yahoo.com domain name. (And AOL did the same for aol.com shortly after.) This changed the email landscape significantly. Now, nearly two years later, the email landscape is a different one. Email discussion lists needed updating to keep up, but even with limitations inherent, many of us consider DMARC to be a successful tool in the spam and/or fraud fighting arsenal.

Yahoo implemented a "p=reject" DMARC policy for their ymail.com and rocketmail.com domains in November, 2015.

Today, Yahoo announced on the DMARC-Discuss mailing list that they are implementing a p=reject DMARC policy for forty-six different Yahoo international domains on March 28, 2016.

Update: On Monday, March 7th, Yahoo updated the list, adding sixteen additional domains. The full list is below.

Let's Talk About Leadgen & Payday Loans

Over at Spamtacular, Mickey Chandler explains why he, like so many other smart deliverability people (including myself) take issue with lead generation and payday loan senders. The example he cites is a pretty egregious example of sharing and horribly misusing individuals' data. YUCK.

Prune Inactive Subscribers: Y/N?

MailChimp recently published a smart, data-driven take on how best to deal with inactive subscribers, suggesting that keeping them around makes the most sense.

It's not bad advice, but there's a few very important asterisks to add to it.

Nobody told the little robot that mailing inactives causes bulk foldering. :(
If you can get mail to those unengaged subscribers, then I'm sure that MailChimp's guidance is sound. But here are three common scenarios where mailing inactive subscribers are going to cause you deliverability heartburn. If you can't get to the inbox, you mail won't get noticed, and you're not going to get any revenue benefit from mailing inactive subscribers. Nor are you going to get much revenue benefit from your engaged subscribers, since they're now not seeing your mail in the inbox. Thus, you have to weigh the potential revenue benefit versus the deliverability risk. In these three scenarios, the risk is too great and I believe it outweighs any potential benefit.
  1. Asterisk: If you're seeing bulk foldering at ISPs like Yahoo and Gmail, keeping inactive subscribers around is a bad idea. Meaning: We know that these ISPs (and some others) look at engagement as a data point that feeds into the anti-spam equation. You've got enough issues overall that the unengaged subscriber pool is able to have a noticeable, negative impact on your inbox delivery. To fix: Attempt to re-engage, and then suppress, unengaged subscribers.
  2. Asterisk: If your inactive segment contains a bunch of subscribers that are very old, ones that you haven't mailed in a very long time, mailing these is a bad idea. Meaning: Any data you haven't regularly mailed is going to put your ability to get to the inbox at risk when you next mail it. A common kind of spamtrap involves recycling old addresses, making them bounce for 12-18 months before reconfiguring them to feed directly into a spam filter or blacklist. If you sit on a list without mailing it for 18+ months, you're going to have a higher spamtrap hit count than if you mailed it regularly and removed addresses that bounced. Mailing very old list data is a common source of Spamhaus, Cloudmark and other blacklistings. To prevent: Don't send mail to very old lists. If it's been out of commission for 18+ months, it's not safe to mail.
  3. Asterisk: If you've ever had problems with a big anti-spam blacklist like Spamhaus, failing to purge inactive subscribers is a really bad idea. Meaning: The type of bad addresses that got you in trouble with Spamhaus the first time, spamtraps, are hidden within your inactive subscriber segment. You typically are allowed a pass or two to attempt to re-engage those inactive subscribers when remediating the Spamhaus issue, but if you continue to mail inactive subscribers past that point, Spamhaus will see you "hitting" their spamtrap addresses again and you'll be back in hot water. To prevent: Attempt to re-engage, and then suppress, unengaged subscribers. Don't continue to send to unengaged subscribers after the re-engagement attempt.

Outlook.com (Microsoft Windows Live Hotmail) Issues Today

I'm hearing from multiple sources that some mail to outlook.com / live.com / hotmail.com recipients is bouncing unexpectedly today. Errors include dropped connections and "554 Transaction failed" bounces.

Microsoft is aware of the issue and is working on it.

Don't trust those bounces until things are fixed; I see mail to legitimate hotmail.com subscribers on my own mailing lists getting rejected unexpectedly.

(Update: As of approximately 2pm US Central time on Thursday, February 18th, Microsoft is reporting that the issue is resolved.)

Outlook.com Got a Big Update Today

Lifehacker and Litmus both tipped me off to the fact that Outlook.com email users got quite a significant update to their user interface today. You can read all about it here and here.

In case you don't remember, this of course used to be called Microsoft Live Hotmail. Users were transitioned to Outlook.com back in 2012.

(Update: Laura Atkins of Word to the Wise let us know that Outlook.com also now has a new URL to visit if you're a sender experiencing blocks and would like to request that blocking be removed. That URL is https://sender.office.com/ )

Mail.ru to Adopt p=reject DMARC Policy

Today on the DMARC-Discuss mailing list, a representative of Mail.ru announced that they plan to move to a restrictive p=reject DMARC policy.

They plan to start with the domain my.com, moving this domain to a p=reject DMARC policy on March 1, 2016. They plan to move other Mail.ru domains (mail.ua, bk.ru, inbox.ru, list.ru and mail.ru) to a p=reject DMARC policy in the future, but have not announced dates.

If you run software that applies a special handling to certain domains, now would be a good time to update that software with these domains, if it is something that must be manually updated. Or better yet, time to ensure that your mailing list software or mail forwarding processes are updated to automatically deal with a p=reject DMARC policy as needed.

Yahoo and AOL have implemented a p=reject DMARC policy for some of their domains, and Gmail has announced plans to do so in the near future. A member of the AOL Postmaster Team has offered suggestions on how to modify mailing list software to handle users at domains with a restrictive DMARC policy, and I have also offered my own suggested best practices for mailing list management software.

How to track ISP delays

Hey, your mail was delayed. Was it delayed inside of the ISP, or was it queued up in your ESP's outbound mail server waiting to connect to Yahoo or Gmail? Here's how to tell.

Contest Signups for Lead Generation: The Good and the Bad

Today's guest post is from deliverability professional Chris Truitt. Here's his take on the impact contest signups have on your deliverability and campaign success.

An ever more popular method of lead generation is through contest offerings. You may have seen such offers at your favorite retail stores or in shopping malls. A few times per year I stumble across a nice shiny new car that I can win. All I need to do is sign up with a valid email address and perhaps be open to receive a few sales calls. This strategy proves very effective to bring in leads, but there’s one problem. The dangling carrot of a new car or new smart phone instantly makes your email offering a byproduct. If you’re not emailing customers to tell them they won, interest in whatever you’re selling instantly diminishes. The ‘win a free ‘insert product here’’ will certainly bring in leads, just not necessarily leads that are interested in what you have to sell.

The astute marketer recognizes the futility of initiating a broad contest offer for the purposes of lead generation. A wide pool of prospects that are only interested in winning usually leaves you with a high number of spam complaints, bounces from contacts that enter fake addresses and little to no conversion rates. The result is your domain reputation took a hit from all of the complaints and bounces your content campaign rendered and your content is far more likely to land in the spam folder. This is not to say that marketers have abandoned this practice entirely. Instead, a more targeted approach has been adopted.

Instead of adopting such as wide approach, like an iPhone give away, offer something that you actually sell in the contest. Even better, make everyone that enters the contest a winner in some form or another. While you obviously can’t give everything away on the shelf, you should certainly have a single grand winner and offer the other contacts a discount for the same product or one that is similar. This is far more compelling and this strategy directly connects the prospects to the items you have stocked on the shelf. You are left with an engaged list of interested prospects that you can market to with your domain reputation intact.

What happened to McAfee and Postini?

Slashdot asked the other day, "Why Are Major Companies Exiting the Spam Filtering Business?" It sounds a bit like they're trying to take two events and define them together as a trend, but I don't think that holds up under scrutiny.

I guess they've got a point about MXLogic. MxLogic was purchased by McAfee in 2009. McAfee was bought up by Intel in 2010. And now Intel has announced that McAfee's Software-as-a-Service anti-spam solution will be shut down in January, 2017. They're recommending Proofpoint as an alternative solution. So they certainly seem to be saying bye-bye.

But they also talk about Postini. Google purchased Postini in 2007. They later announced that they were shutting down Postini, with users to be transitioned to Google Apps by sometime in 2015. This, to me, is somewhat less of a surprise -- I think it was obvious that Google purchased Postini to shore up its own anti-spam efforts, and I'm sure whatever Google felt was useful about Postini probably made its way into Gmail or Google Apps' own spam filtering functionality. So Postini didn't really disappear so much as become some tiny little hidden bit of Google.

Spam filtering still seems like a big, lucrative deal to me. It's certainly a selling point for Google Apps, and other B2B and B2C providers spend lots of money on perfecting spam filtering. Thus, I don't think that it's accurate to say that something must be up here, that "big companies are exiting the space," because it only really seems like Intel is the one saying they don't want to be a part of that space. What do you think, dear reader?

Reference: Yahoo Email Domains

Sometimes it comes in handy to know all of the common domains associated with a given Internet Service Provider (ISP) or webmail provider.

I believe these are all of the most common email domains associated with Yahoo! Mail, according to what I can recall, with help from this Port25 forum post.

Yahoo Domains:
yahoo.com
ymail.com
rocketmail.com
yahoo.co.uk
yahoo.fr
yahoo.com.br
yahoo.co.in
yahoo.ca
yahoo.com.ar
yahoo.com.cn
yahoo.com.mx
yahoo.co.kr
yahoo.co.nz
yahoo.com.hk
yahoo.com.sg
yahoo.es
yahoo.gr
yahoo.de
yahoo.com.ph
yahoo.com.tw
yahoo.dk
yahoo.ie
yahoo.it
yahoo.se
yahoo.com.au
yahoo.co.id

Anybody got any others that I've missed? Feel free to share in comments and I'll update this list.

Reference: AOL Email Domains

Sometimes it comes in handy to know all of the common domains associated with a given Internet Service Provider (ISP) or webmail provider.

I believe these are all of the common email domains associated with AOL Mail, according to what I can recall, with a few more found on the AOL Mail Wikipedia page.

AOL Domains:
aim.com
aol.com
aol.co.uk
aol.de
aol.fr
aol.com.au
aol.com.mx
aol.com.ar
cs.com
compuserve.com
love.com
games.com
wmconnect.com
wow.com
ygm.com

Anybody got any others that I've missed? Feel free to share in comments and I'll update this list.

Checking Email Content with SpamAssassin

Initially created by Justin Mason in 2001, the open-source SpamAssassin spam filter is pretty widely used. It's not in use directly at the top tier of ISPs like Yahoo, Hotmail and Gmail, but it does seem to be used by various second and third tier providers, B2B sites, hobbyists and educational institutions. And even though this filter isn't exactly the same as the filters in use at, say, Gmail, there's likely some truth to the theory that "what SpamAssassin suggests may be spammy, other filters may find spammy as well." Great minds think alike, to some degree, the theory goes. Thus, some folks find SpamAssassin to be a valuable tool to check to get some idea if their email messages might be considered spammy.

Want to check your email against SpamAssassin? Postmark has this tool where you can copy-and-paste your message headers and content, or use an API call, to check a message against the SpamAssassin filter. SpamScoreChecker.com will give you an address to send an email message to, and then allows you to click through to see the scoring results. IsNotSpam.com is another tool that works similarly.

10 Simple List-Building Tips

Here are ten simple list building tests that I keep in my pocket, to share with folks when they ask. Some are better than others, but most of them are easy, no-brainer things that anybody running a site trying to build a list of subscribers should be doing.

Making it Easy to Unsubscribe (#2)

Back in my e-commerce days, we used to use this "one weird trick" to help reduce spam complaint rates: We put a prominent "click here to unsubscribe" link at the top of the email message. No need to scroll down to the footer to unsubscribe. What happened? Spam complaints went down, unsubscribes went up a little, then down over time.

In this context, that was a very good thing. These were emails sent to people who signed up via a double opt-in (confirmed opt-in) process, a free trial software download registration. A lot of them just wanted the free product and were quick to complain about the mail they received as a result. Even though it was double opt-in, even though it was clearly spelled out at the point of capture.

Of course, an easy unsubscribe is NOT a substitute for permission. You can't just buy some list and start mailing it and say "but it's easy for people to unsubscribe." That's the kind of thing that'll get you blacklisted by Spamhaus or get your ESP account terminated for violating ISP and ESP permission requirements.

But if you make it as easy to unsubscribe as it is to hit "report spam," you're likely to get a net positive impact to your sending reputation.

Does anyone at AT&T netops read Spam Resource?

That's a novel way to request unblocking: Boing Boing's Cory Doctorow recently posted a request for an AT&T representative to help assist with getting his mail server unblocked.

Feedback Loop (FBL) Resources from M3AAWG

Industry group M3AAWG (the Messaging, Malware and Mobile Anti-Abuse Working Group) just published an overview of what ISP Feedback Loops (FBLs) are and how they work. They've also included a comprehensive list of known ISP Feedback Loops. Click here to check them out.

Making it Easy to Unsubscribe (#1)


Found on the web: Gina Lofaro explains the user experience of finding it hard to unsubscribe. What galls me is that the list owner actually decided it was wise to argue the law with an angry subscriber. Knock that off! If she wants off the list, say OK, thank you, and it has been handled. She might not be a lawyer, but neither are you, and if you want to have any hope of selling her something ever again, maybe don't be snotty to her when she needed your help. And the subscriber is actually right -- that email SHOULD have had an unsubscribe link or option specified in the email message.

Love that e-card.