Abusix: 8 ways on how ESPs and DNSBL providers can collaborate better

Steve Freegard, Sr. Product Owner Abusix Intelligence recently shared his thoughts on how ESPs can better position themselves with regard to blocking list (DNSBL) issues.

He recommends segmenting traffic by IP address, using different subdomains or domains for each customer, limiting your SPF record, make sure your bounce handling actually works, and more. It's good advice. Find it here.

BIMI testing and BIMI adoption tracking

Here's a few cool BIMI tools I've come across lately or have used previously.

Red Sift recently announced a cool new tool. Their new "BIMI Radar" website tracks the global adoption of BIMI. It's pretty cool! Check it out here.

Looking to check your current BIMI record, or for help to generate the record? 

BIMI Group has a tool for that, as does Mailkit and EasyDMARC. I've got a very simple BIMI record lookup tool as well.

PowerDMARC has an excellent overview of what it takes to create a proper DMARC record -- and they include a walkthrough of the SVG logo requirements and how to save your logo image file properly.

For more information about the Verified Mark Certificate (VMC) requirement and how to obtain one, here's more information from DigiCert and Entrust. Also, Mailkit is offering pre-registration for the a Verified Mark Certificate, you can sign up for that here.

Bonus: Verizon (AOL/Yahoo/Verizon) just launched a BIMI overview section on their Developer Network site. Check it out!

BIMI: ISP Support as of March 2021

It's been a while since I've posted a BIMI status update, so let's get right to it...

BIMI, if you do not remember, is a new standard being adopted by multiple internet services providers (ISPs) to allow senders to facilitate the display of a sender's logo along side email messages, when displayed on a mobile device or in webmail. Some ISPs and mail clients have had a sender logo display function for a while now (one example is Gravatar), but BIMI attempts to standardize and regulate this process across the email ecosystem.

Here's the current status of BIMI Support at large ISPs, email hosting and webmail providers:

1. Verizon: Yes, supports BIMI.
2. Microsoft: No support announced.
3. Gmail: Support announced, and is believed to be in beta.
4. Fastmail: Noted as having support (here) but I have no more details at this time.
5. "Considering" BIMI Support: Comcast and Seznam.cz. (More info here.)

Verizon Media (AOL/Yahoo/Verizon). Has support for BIMI. For a logo to display, the following conditions must be met: A BIMI record exists which points to a valid logo in SVG format, a DMARC policy of quarantine or reject is in place, the mailing is sent to large number of recipients (bulk mail), and they see sufficient reputation and engagement for the email address. They also have a contact address for questions/issues (click here and search for "BIMI" on the page).

Microsoft Outlook.com (Hotmail). Microsoft has not announced any support for BIMI. A competing system called "brand cards" has possibly been abandoned; multiple folks have told me that they have been unable to get enough information on how to implement a "brand card." There's no opportunity here until something changes.

Gmail. In July 2020, Google announced their intent to support BIMI. My understanding is that they are in a (closed) pilot phase. Google appears to be requiring that senders implement a Verified Mark Certificate (VMC), available from DigiCert or Entrust (and possibly others). It sounds like obtaining this VMC will require that a sender have trademarked their logo, which could be a significant barrier for smaller or hobbyist senders.

So what should you do now? Here's what I would recommend large marketing senders do:

1. Make sure all email you send is authenticated with both SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) authentication. (All mail -- not just bulk or newsletter mail. Your ESP, corporate email platform (or both) should be able to help you do that.)
2. Implement DMARC, perhaps working with a vendor like Agari, Valimail, ProofPoint or Red Sift. A DMARC-savvy email security vendor can help you properly configure email authentication, configure DMARC failure monitoring, show you how to read DMARC failure reporting, and give you confidence that you're not going to break anything if you implement a restrictive DMARC policy.
3. Move to a restrictive "p=reject" DMARC policy after your DMARC reporting shows that you properly authenticate all of your mail streams. Don't do this just for the future logo opportunity -- do it because it makes it harder for bad guys to send fake mail pretending to be from your email domain name.
4. Trademark your logo. (Will this be required in the future? I have no data, but if I were a betting man ... and I am ... I suspect that yes, this will be required in the future.)
5. Wait and see what develops next in the ongoing saga that is BIMI.

And now you know as much (or maybe more) about BIMI than I do. I hope that helps!

Now hiring: Braze

Customer engagement platform Braze is hiring! They are looking for a new deliverability consultant with 3-5 years experience to help serve their west coast US customers.

For more information, check out that job posting here.

I'm pretty sure that the position can be remote, even though the posting lists New York City.

If you plan to apply, please contact Braze's Phil Schott before doing submitting your application. He can be reached at philschott@gmail.com.

Spamhaus updates lookup tool

Anti-spam group Spamhaus, publishers of various widely-used blocking lists (including the SBL), has recently updated their blocking list lookup tool. Previously this was "Blocklist Removal Center," now replaced with their new "Reputation Checker" site that will still allow you to lookup an IP address or domain, but now attempts to provide you with additional, useful information related to any blocklistings found.

For more information, head on over to Spamhaus's announcement of the update.

Let's report some spam!

Need assistance reporting spam? I can help with that. Check out these Spam Resource articles that help to explain how to parse and report spam that you've received:

• Help! I got spammed! What should I do?
• What IP address sent me that email message?
• Full headers: What are they and how to access them
• How to find ISP Contact Information
• ESP Abuse/Spam Contact List
• Reporting Spam to Apple from your iCloud Mail account
• Reporting spam with Outlook on iOS

Visitors to Spam Resource will now find all of these articles linked in the left navigation under the "Reporting Spam" section. I hope you find these tips useful! Feel free to let me know what other spam reporting questions you might have in comments or via email.

Now hiring: Sendinblue

Self-service email platform Sendinblue is looking to hire somebody to add to their deliverability team in Paris. Could that be you? This person would handle and manage deliverability technical aspects and projects related to delivery, deliverability, compliance and anti-abuse. They are looking for someone with strong technical affinities (if possible, with PHP skills), to be able to understand existing algorithms and behaviors and to be able to propose alternatives/improvements. Code writing is not required. They ask that you not be afraid of complex algorithms and that you have experience managing technical projects.

Click here for more information about this job opening.