Do you care about WHOIS?

There's an effort underway within ICANN where the net result could be that publicly-available domain ownership info is no longer available under any circumstances. Does that strike you as the best way to go? I personally don't think it is. WHOIS is a valuable forensic tool for security researchers and spam filterers.

Does a business have a right to privacy on the internet? I say no. If you're a company in the real world, your company registration is public knowledge. If you're a company on the internet, shouldn't that registration information be at least as available?

If WHOIS matters to you, please consider joining the "Next-Generation gTLD Registration Directory Services to Replace Whois" ICANN group and sharing your opinion, voting in the surveys they publish, and responding to the questions people may ask about why WHOIS matters.

Verizon Users: Leave, or move to AOL

As reported last May, the Verizon email user transition to AOL continues, with Verizon now announcing that they have decided to "close down our email business."

Existing email users have two options:

  1. Continue to use their email address, but it will be hosted by AOL Mail.
  2. Give up their email address and find a new email/webmail provider.

From a deliverability perspective, I think it is safe to assume that most of the Verizon email infrastructure is being retired, and that the email address domain lives on a just another of the AOL email domains (like,,,, etc.) There likely won't be any difference in reputation or filtering systems between and mailboxes, when the transition is fully complete. This could be subject to change, so stay tuned.

Update: Laura Atkins of Word to the Wise rightly points out that there's no timeline or deadline published anywhere in this Verizon notice. When exactly will Verizon shut it all down? We shall see.

June 26, 2017 Update: As related to me and others by AOL, the Verizon mailboxes that remain have now been transitioned to AOL's mail servers.

Password Reset Emails: Best Practices

I've been thinking about best practices for password reset emails lately. Instead of trying to re-invent a wheel that other folks have already capably designed, I'll just highlight a couple of thoughts and link to some more detailed info from a couple of folks with have good insight to share.

The most important thing to remember, I think, might be this: Always reset, never remind. Meaning, don't email a password to the user. It could spit out the password to the wrong person, if abused. Also, aren't your passwords one-way encrypted? Don't store it in the clear, don't send it out in the clear.

A close second: Make sure your emails don't look like phishing. Everything should properly authenticate with SPF and DKIM. Your domain should have a DMARC policy in place. Lock that domain down, to make it harder for faked password resets (or other notifications) to get through to the inbox.

And finally, delivery speed really matters -- though busy email systems can often still deliver emails pretty quickly, you will find that delivery delays due to poor reputation will absolutely kill you here. This highlights why you need to keep your nose clean with your marketing emails -- so your reputation is stellar enough that the same communication channel is open and available to you for very quick delivery of very important user notifications, like password reset emails.

AOL, Yahoo, Gmail (and possibly other ISPs) seem to delay delivery of inbound email when a sender's reputation is only so-so. And you can't always try to segregate that mail to work around the issue. You might not have enough transactional mail volume to warrant a dedicated IP address just for notifications. And your domain name is going to be the same across all types of email, assuming you want to stick solidly to your primary brand and its domain.

Microsoft's Troy Hunt has put together an excellent number of suggestions on the topic of resetting your password,  and Postmark's Garrett Dimon dives deeper into the email side of this equation. They're both worth reading.

New IP ranges

Microsoft's Terry Zink announced yesterday on the Mailop list that Microsoft is combining the infrastructure for (Hotmail) and Office 365. As part of this infrastructure update, Microsoft is letting the world know that soon, all (hotmail.*, live.*, msn.*, etc.) consumer email traffic will originate from IP addresses in the ( - network range. Folks running spam filters will want to update their systems accordingly.

AOL User Mike Pence

I usually try to avoid getting too political around these parts, but this one I just can't resist.

Turns out, then-Indiana governor Mike Pence was a big fan of using his personal AOL email account for state business.

That can't be right, can it? After all, that party sure made a big fuss about another party's presidential candidate using personal email for business purposes.

Indeed, the Indy Star and USA Today report that "Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers."

Yet, "[While] Indiana Gov. Eric Holcomb's office released more than 30 pages from Pence's AOL account, ... [the office] declined to release an unspecified number of emails because the state considers them confidential and too sensitive to release to the public."

Strange how politicians attack rivals over things they themselves engage in, isn't it?

IBM Patents Out-of-Office Reply functionality

The United States Patent and Trademark Office has granted patent number 9,547,842 to IBM for an "Out-of-office electronic mail messaging system." What? I don't even.