Stop using NJABL! Now!

I just replied to an email from a guy who thinks I'm blocking his mail. I'm not, because I don't run a blacklist or a spam filter, and haven't done so for years. I would have loved to have helped guide him in the right direction, but my reply to him bounced because his mail server is misconfigured to use the NJABL blacklist.

The NJABL blacklist has been dead for almost five years.

If you still have it in your email server configuration, you're now going to block a lot of wanted mail, because the domain's name servers just changed and they now have a wildcard entry that has the effect of "blacklisting the world."

You were warned...almost five years ago.
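A quick way to catch this failure mode in any configured blacklist zone, as an added example (not code from this blog): RFC 5782 says an IPv4 DNSBL must list 127.0.0.2 and must not list 127.0.0.1, so a zone that answers for 127.0.0.1 is listing everything. The zone names and the fake_resolve function are constructed placeholders so the check runs offline; pass nothing for resolve to use real DNS.

```python
import socket

def dnsbl_name(ipv4, zone):
    # DNSBL query name: reversed octets prepended to the zone (RFC 5782).
    return ".".join(reversed(ipv4.split("."))) + "." + zone

def is_listed(ipv4, zone, resolve=socket.gethostbyname):
    # Any A record means "listed"; a failed lookup (OSError) means "not listed".
    try:
        resolve(dnsbl_name(ipv4, zone))
        return True
    except OSError:
        return False

def zone_health(zone, resolve=socket.gethostbyname):
    # RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not be.
    if is_listed("127.0.0.1", zone, resolve):
        return "lists-everything"   # wildcard answer: every sender looks listed
    if not is_listed("127.0.0.2", zone, resolve):
        return "dead"               # zone no longer answers its own test entry
    return "ok"

def audit(zones, resolve=socket.gethostbyname):
    # Return only the zones that should come out of the mail server config.
    findings = {}
    for zone in zones:
        health = zone_health(zone, resolve)
        if health != "ok":
            findings[zone] = health
    return findings

# Constructed resolver standing in for DNS so the example runs offline.
# The zone names below are placeholders, not real blacklists.
def fake_resolve(name):
    if name.endswith(".wildcarded.example"):
        return "127.0.0.2"                  # wildcard: answers for any name
    if name == "2.0.0.127.healthy.example":
        return "127.0.0.2"                  # only the test entry is listed
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    zones = ["healthy.example", "wildcarded.example", "gone.example"]
    print(audit(zones, fake_resolve))
```

Run against the zones in your own configuration on a schedule; anything reported should be removed before it starts rejecting wanted mail.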

Characters in the local part of an email address

Need a "common sense" breakdown showing you what characters should be allowed in the username part (local part) of an email address? This handy guide from Jochen Topf covers exactly that.

It doesn't EXACTLY align with RFCs, but when you look at it from a common sense perspective, I agree with his categorization of each character. This would be a good thing to reference if you were building your own email capture form. (I'd probably also reject the "maybes" for an email capture form, but not reject them in an MTA configuration. Some of the "maybes" show up in bounce addresses somewhat regularly, but are almost never found in legitimate end user email addresses.)

How to win friends and influence people?

Not like this.

I'm not quite sure who Wonderland Collective are, but when somebody asked them why they are sending unsolicited email, they decided to complain back, instead of apologizing.

But wait, there's more! Be sure to read the whole thread. I sort of assume at some point they'll be changing their tune and apologizing. Unless they prefer to be blacklisted. I wonder if they did something that could get them into enough trouble that they'd even get fined? I'm not sure, as I don't know enough about what's happening here. But sending unsolicited spam, then barking at people who ask you to stop, sure doesn't seem to me like a good way to run a business.

4 Holiday Deliverability Tips

Here's "4 holiday deliverability tips to get your emails delivered every time" from Sam McNeil of WhatCounts. Solid advice.

Allow me to add a fifth: Now is not the time to experiment. Don't dig out that old list, triple your volume or decide to warm up a new IP address in the middle of the season, if you can help it. As WhatCounts suggests in tip #3, some things are better addressed before you get here.

Or, to put it another way, now is not the time to do something that might blow up your sending reputation.

ISP representatives are getting overwhelmed with requests for remediation and have holiday vacations planned, both leading to slow responses. And enough of them are probably tired of people asking for special favors, especially when not really warranted (can you unblock my mail that has really bad stats?), that This Is Not The Time For Funny Stuff. The less your success relies on a human's personal intervention at an ISP, the better off you are.

Report: ‘Trump’ most common spam term during run-up to elections

What was the most common term in spam in the run-up to the mid-term elections? "Trump," says Proofpoint.

Does Germany require COI/DOI?

What is COI/DOI? It's just address validation and permission verification -- you send a welcome or verification message and the recipient has to click on a link to prove they want the subscription. And it's not a new thing; here's me talking about it on this very blog fifteen years ago.

Note: I think the terms "double opt-in" and "confirmed opt-in" are interchangeable. I find that most of the time, internet security and anti-spam folks call it COI, and marketers and some deliverability folks (like me!) call it DOI. When doing so, they refer to the same process of requiring an active response to the initial welcome or verification email.
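The confirmation step described above, as an added example (not code from this blog or from any vendor mentioned here): the link in the verification message carries an HMAC-signed token, and the subscription is only activated, with a consent record kept, when that token comes back authentic and unexpired. The secret, the 7-day window and the field names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: load from a secret store in practice
TOKEN_TTL = 7 * 24 * 3600          # assumption: confirmation link valid for 7 days

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(email, list_id, now=None):
    # Token to embed in the link of the welcome/verification message.
    ts = int(time.time() if now is None else now)
    payload = f"{email.lower()}|{list_id}|{ts}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def confirm(token, now=None):
    # Return a consent record if the clicked token is authentic and fresh, else None.
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        email, list_id, ts = payload.decode().split("|")
        ts = int(ts)
        sig_bytes = sig.encode()
    except ValueError:              # malformed, undecodable or wrongly shaped token
        return None
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig_bytes, _sign(payload).encode()):
        return None
    if not 0 <= now - ts <= TOKEN_TTL:
        return None
    # This record is the documentation of permission: who, which list, and when.
    return {"email": email, "list": list_id,
            "requested_at": ts, "confirmed_at": now}

if __name__ == "__main__":
    token = issue_token("User@Example.com", "newsletter", now=1000)
    print(confirm(token, now=1600))
```

Because the token is only ever sent to the address being subscribed, someone who typed another person's address into the form never sees it and cannot complete the confirmation.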

There are a lot of good reasons to implement COI/DOI, but today's specific question is -- does Germany "require" it? Ultimately this is a legal question, and I'm not a lawyer, so I'm not qualified to answer legal questions. But I can share and link to what other folks have said on this topic, so that's what I will do.

First, Litmus has this excellent article on international opt-in requirements that they published in 2016. They say: "German courts have decided that a single opt-in process is not sufficient proof of prior consent. They argue that a person other than the owner of an email could have entered the address in a form. Even though there is no law that explicitly requires a double opt-in in Germany, 45% of German brands have adopted this process as best practice—just to be on the safe side."

I am told that the case law referenced in the Litmus article is a good place to start for understanding where the COI/DOI requirement comes from. If you can speak the language, I suggest diving into the linked Teradata case study for more information.

This 2012 article from the German E-Mail Marketing Tipps blog may be getting a bit dusty, but suggests a similar answer: "Double opt-in is not legally mandated in Germany. But it is recommended in many scenarios. Without a well-documented DOI you may not be able to prove permission, depending on the judge."

This Lexology article from 2014 says, "2013 guidelines advise a double opt-in for consent provided electronically."

The Certified Senders Alliance, a centralized European whitelist, provided this brief guidance in 2017: "DOI: if not now, then when?!" For more detail, this CSA/ECO guide (see section 2.10) provides additional guidance.

German law firm "IT-Recht Kanzlei," which seems to focus on IT law, published this guidance in August 2018: E-Mail-Marketing 2018: What changes in the DSGVO regarding newsletters?

And finally, what do ISPs say? Here's one example of a reply from a German-based ISP that a friend was kind enough to share with me. The ISP said, "As you surely know the sender needs to have recipients Double-Opt-in/Closed-Loop-Opt-in confirmed before mailing to German residents to comply with the German Bundesdatenschutzgesetz."

Got any additional information or links to share? Feel free to leave information in comments below.