Al Iverson’s Spam Resource: 2018

How to win friends and influence people?

Not like this.

I'm not quite sure who Wonderland Collective are, but when somebody asked them why they are sending unsolicited email, they decided to complain back, instead of apologizing.

But wait, there's more! Be sure to read the whole thread. I sort of assume at some point they'll be changing their tune and apologizing. Unless they prefer to be blacklisted. I wonder if they did something that could get them into enough trouble that they'd even get fined? I'm not sure, as I don't know enough about what's happening here. But sending unsolicited spam, then barking at people who ask you to stop, sure doesn't seem to me like a good way to run a business.

4 Holiday Deliverability Tips

Here's "4 holiday deliverability tips to get your emails delivered every time" from Sam McNeil from WhatCounts. Solid advice.

Allow me to add a fifth: Now is not the time to experiment. Don't dig out that old list, triple your volume or decide to warm up a new IP address in the middle of the season, if you can help it. As WhatCounts suggests in tip #3, some things are better addressed before you get here.

Or, to put it another way, now is not the time to do something that might blow up your sending reputation.

ISP representatives are getting overwhelmed for requests for remediation and have holiday vacations planned, both leading to slow responses. And enough of them are probably tired of people asking for special favors, especially when not really warranted (can you unblock my mail that has really bad stats?), that This Is Not The Time For Funny Stuff. The less your success relies on a human's personal intervention at an ISP, the better off you are.

Report: ‘Trump’ most common spam term during run-up to elections

What was the most common term in spam in the run-up to the mid-term elections? "Trump," says Proofpoint.

Does Germany require COI/DOI?

What is COI/DOI? It's just address validation and permission verification -- you send a welcome or verification message and the recipient has to click on a link to prove they want the subscription. And it's not a new thing, here's me talking about it on this very blog fifteen years ago.

Note: I think the terms "double opt-in" and "confirmed opt-in" are interchangeable. I find that most of the time, internet security and anti-spam folks call it COI, and marketers and some deliverability folks (like me!) call it DOI. When doing so, they refer to the same process of requiring an active response to the initial welcome or verification email.

There are a lot of good reasons to implement COI/DOI, but today's specific question is -- does Germany "require" it? Ultimately this is a legal question, and I'm not a lawyer, so I'm not qualified to answer legal questions. But I can share and link to what other folks have said on this topic, so that's what I will do.

First, Litmus has this excellent article on international opt-in requirements that they published in 2016. They say: "German courts have decided that a single opt-in process is not sufficient proof of prior consent. They argue that a person other than the owner of an email could have entered the address in a form. Even though there is no law that explicitly requires a double opt-in in Germany, 45% of German brands have adopted this process as best practice—just to be on the safe side."

I am told that the case law referenced in the Litmus article is a good place to start for understanding where the COI/DOI requirement comes from. If you can speak the language, I suggest diving into the linked Teradata case study for more information.

This 2012 article from the German E-Mail Marketing Tipps blog may be getting a bit dusty, but suggests a similar answer: "Double opt-in is not legally mandated in Germany. But it is recommended in many scenarios. Without a well-documented DOI you may not be able to prove permission, depending on the judge."

This Lexology article from 2014 says, "2013 guidelines advise a double opt-in for consent provided electronically."

The Certified Senders Alliance, a centralized European whitelist provided this brief guidance in 2017: "DOI: if not now, then when?!" For more detail, this CSA/ECO guide (see section 2.10) provides additional guidance.

German law firm "IT-Recht Kanzlei" who seems to focus on IT law, published this guidance in August 2018: E-Mail-Marketing 2018: What changes in the DSGVO regarding newsletters?

And finally, what do ISPs say? Here's one example of a reply from a German-based ISP that a friend was kind enough to share with me. The ISP said, "As you surely know the sender needs to have recipients Double-Opt-in/Closed-Loop-Opt-in confirmed before mailing to German residents to comply with the German Bundesdatenschutzgesetz."

Got any additional information or links to share? Feel free to leave information in comments below.

How to Recover from Email Marketing Mistakes

Whoops! Email launch error. Wrong content? Wrong list? Broken images? Exposed mail merge variables? What do you do? Litmus's Chad White helps you break it down with a series of simple questions.

The future of email?

From Dot Magazine: Email has been around a long time now, but it’s still got a lot of life left in it. Marcel Becker from Oath explains how email will evolve in the future.

(Oath, if you don't recall, is the company managing the AOL and Yahoo Mail platforms.)

H/T: Anthony Chiulli.

Reference: All AT&T Email Domains

AT&T has a Postmaster site, but it doesn't contain a comprehensive list of their inbound email domains. However, they do have a help page for AT&T users looking to configure their email client, and it does list all of their inbound email domains.

Sender ID? No, don't bother.

Back in 2016 I pointed out that Sender ID no longer matters. It's still true today!

Indeed, the RFCs for Sender ID are being moved to "historic" status -- indicating it's not an active standard.

Howto: Create a Gravatar brand icon

Recently I talked about how to make your brand image icon show up when sending to Gmail recipients. Today I'll talk about how to do the same for a different set of smaller ISPs and email clients.

Gravatar is a system owned by the folks behind Wordpress that allows you to upload an image or photo that is then linked to an email address. The primary use of the system is to show user icons for commenters on Wordpress blogs, from what I can tell.

Howto: Make your brand icon display in Gmail

Looking to make your brand's logo show up next to emails you send to Gmail recipients, but you're not sending from a Gmail account? I think I've figured out how you can do that. Read on.

Inbox by Gmail: Bye bye

Do you use Inbox by Gmail? If so, you've got until March 2019 to enjoy it before it shuts down.

H/T Delivery Counts.

Spam in a post-GDPR world?

Spam levels are down a bit, according to various reports. Is GDPR to thank? Truth be told, Spamhaus says, that GDPR actions taken by legitimate companies sending legitimate mail might have reduced the amount of mail they send, wanted or unwanted, but those companies weren't the biggest sources of spam to begin with.

The real issue, Spamhaus says, is that GDPR is "hampering organizations from effectively stopping career cybercriminals from defrauding innocent people."

Why? Because good guys fighting the bad actors sending bad mail utilize WHOIS data to help identify and track those bad actors. The effective gutting of data in WHOIS in response to GDPR impedes that good work, as shared by John Levine.

This isn't news to me. Hiding or redacting domain ownership has long been a pain point for anti-spam and internet security folks.

Test Authentication Here

I finally repaired my long-broken DKM/SPF/TLS checker, you can find it here.

It's time to re-engage!

A re-engagement campaign is where you beef up your subscriber engagement (the open/read/click percentages in a sender's stats) by asking existing subscribers to click on a link to show that they're still alive, often followed by retiring/suppressing addresses who don't respond. (That suppression step boosts your engagement rates which makes you a better sender in the eyes of many ISPs, and it also helps you leave spamtrap addresses behind, so if you're having spamtrap or blacklist issues, it's very important.)

How do you do it? What should you consider? MailChimp has a solid high-level overview. Some bits are MailChimp specific, but it's still a good place to start, regardless of which ESP or email platform you use.

Need examples of compelling re-engagement content? HubSpot's got you covered, with ten great examples of effective re-engagement emails.

A site called "Essence of Email" has another dozen examples you should check out.

MailChimp also links to this Really Good Emails site which has a ton of re-engagement campaign example emails.

Note: What marketers call a re-engagement campaign, anti-spam folks would call a permission pass or reconfirmation email.

Scunthorpe Redux

Well, it looks as though we haven't solved the Scunthorpe Problem just yet, according to Natalie Weiner, whose last name still gets blocked by filters. Read more about it over on Slashdot.

Gotta love content filtering.

Previously.

List Bombing: History and Prevention

Mapp Digital Senior Deliverability Specialist Tom Ellengold has posted a brief, but useful, overview of the list bombing issue faced by so many senders and email service providers of late. If you're not familiar with the issue, it's definitely worth a read.

Thank you for signing me up!

Since I last posted, my new address sample2018box@gmail.com has received 105 different emails from 80+ different senders. Thank you for your help signing it up to email lists, and feel free to sign it up for more!

I tried to sign up some myself. I had trouble with a few attempts. Looks like you actually have to sign up for HBO or Showtime to get their emails (boo, no lead-gen?). And a handful of folks actually are utilizing double opt-in, which is great to see. Thanks, Cinemark, CBS News, Gear Wrench Tools, Aldi Austria (Hofer), Publix Grocery Stores, and Jersey Mike's Subs for actually verifying email addresses before assuming they're valid.

In case you're wondering, CBS News seems to use Mapp Digital (aka BlueHornet), NBC News seems to use Sailthru, and I have no idea what ABC News uses because they haven't sent any emails yet, even though the address is signed up.

Let's track!

Hey there! Want to help me with a fun project? Sure you do!

I'm tracking different emails from different brands, senders, companies, and email services providers. Want to help give me more samples to play with?

Just add my new special address sample2018box@gmail.com to your list, your client's list, or submit it on various websites you visit. I won't report the mail as spam. I'll probably even open and read some of the mail. Maybe even click on a link or two.

Sign it up for a newsletter. Register it for a rewards account. Use "forward to a friend" to send it something. Do whatever you want.

That address again is sample2018box@gmail.com and thanks in advance for adding it to email lists!

Google moves gmail.com to "quarantine" DMARC policy (for subdomains)

Gmail warned us that a more restrictive DMARC policy was coming, didn't they? That warning came all the way back in 2015. They said that "p=reject" was coming. Maybe it still is -- we're not there yet, but this appears to be a step in the right direction.

Today's update: For subdomains under gmail.com and googlemail.com, they've implemented a "quarantine" DMARC policy.

Still, this change has a significant impact on senders. If you send mail with from address of (something)@gmail.com or (something)@googlemail.com through an outside (non-Gmail) email platform like an ESP, that mail is likely to get delivered to the spam folder. I jumped the gun a bit on this one -- today, this doesn't affect your sending as (something)@gmail.com.

They're not the first to implement a DMARC "quarantine" policy for some part of their domain. Apple did the same thing back in July. Mail.ru went to "p=reject" back in March. And of course OATH (AOL and Yahoo) started this trend, implementing a "p=reject" policy for their main domains way back in 2014.

Edit: Ha ha, fingers sometimes move faster than brain. To clarify, this applies to subdomains of gmail.com -- i.e. bounces.gmail.com, server.gmail.com, etc. The DMARC policy for the top level of gmail.com and googlemail.com is still p=none. My bad for suggesting otherwise.

The 250ok Deliverability Guide

Email deliverability monitoring firm 250ok just released "the 250ok Deliverability Guide" and it provides a solid getting started point for the concepts behind deliverability, email authentication, sending reputation and best practices. It's a free download and you can find it here.

Apple Moves to "Quarantine" DMARC Policy

If you monitor these things, you might have noticed that Apple's consumer email domains (iCloud domains) -- mac.com, me.com and icloud.com -- have moved to a "p=quarantine" DMARC policy. This means that if you have an email address in these domains, your ability to send outbound mail using an email service provider or other, non-Apple email platform to send mail, deliverability won't look so good. Mail may not be blocked outright (Apple didn't move to "p=reject") but moving to "p=quarantine" means it's much more likely that your mail could end up in the spam folder.

What to do if you have a mac.com, me.com or icloud.com email address: Continue to send mail, but only from your proper email client on your Mac or iOS device.

What not to do: Don't try to use an ESP to send mail with a from address in the mac.com, me.com or icloud.com domains. It'll fail necessary authentication checks and Apple's DMARC policy will drive most ISPs to put your mail in the spam folder.

I think this is a good move for Apple and a good move for people who hate phishing and spoofing. Making it harder for bad guys to misuse your domains is a good thing.

Reference: VMG Domains List (Verizon, Microsoft, Google)

They were once called MAGY (for Microsoft, AOL, Google and Yahoo). Then came OMG (Oath, Microsoft, Google), because AOL/Yahoo were called "Oath" for a time. Now AOL/Yahoo/Verizon are called "Verizon Media Group," so we'll now call this the "VMG Domains List." This includes what you used to call AOL, Yahoo and Verizon. It also covers the Microsoft consumer webmail "OLC" (Outlook Consumer) domains, which I tend to call Hotmail or Outlook.com. And let's not forget Google's very popular Gmail platform.

Need a list of all the consumer webmail domains for each of these providers? Here you go.

Dead email domain: tesco.net

Did you know that UK Retailer Tesco offered email service? Me neither, but I'm not their target demographic. I assume they did or do offer internet service and that the email service perhaps went along with that.

Anyway, as of June 27, 2018, the email service at tesco.net is no more. Users are advised that if they have set up email forwarding, it will continue to work until October 10, 2018. If users had not set up email forwarding before the shutdown on June 27, they are out of luck.

Tesco has published a FAQ that you can find here.

What should senders do? It sounds like there's a chance a few tesco.net users are still receiving mail by way of having it forwarded to some other address. If you want to try to keep in touch with as many of those people as possible, it might be wise to target tesco.net subscribers with a "please update your email address" campaign before October 10th. There is no way for senders to automatically know what the updated address for a tesco.net subscriber will be; the subscriber will have to choose to tell you.

After October 10th, it's time to stop sending mail to tesco.net, as that mail will not get through to any real people. And continuing to send to a dead domain can lead to you hitting spamtrap addresses, if they later repurpose the domain to become a spamtrap domain. Or if they let the domain lapse and somebody else picks it up.

H/T: Arnaud Clément-Bollée

The secret to disconnecting? Email does it better.

This Wall Street Journal article points out that "disconnecting" from your always-connected online life when you want to go on vacation would be a whole lot better if SMS had an "away" message feature (as they called it in AOL Instant Messenger and Internet Relay Chat), or as we like to call it in email land, an "out of office" reply. And they're right. And your old friend email has got you covered, better than those newer technologies do.

Google Hangouts? You can set a status message but nobody ever reads it. Apple Messages? No such feature. The WSJ author suggests a cumbersome workaround to try to allow you to respond to Apple Messages with a sort of half-manual "go away" reply macro, but it doesn't sound that great.

I never thought I'd say this, but here we are: When are we going to get "Out of office" replies for SMS? I want that.

To me, this is just another reminder that email is useful. Once upon a time I thought OOO email auto-replies were uncool, but this article got me thinking, and it reminds me that I've been neck-deep in the corporate world long enough to see the value in making sure that people know immediately that you're not going to be able to respond to their request in a timely manner.

Return Path launches Universal FBL

If you manage ISP Feedback Loop (FBL) subscriptions for a set of sending IP addresses, you'll like this.

Return Path just launched what they call a "Universal FBL," an ISP Feedback Loop signup and management process that encompasses almost every single ISP FBL known to humankind.

RP currently manages 18 different ISP Feedback Loops, from the looks of it. In the past, when you have a new range of sending IP addresses come live, you had to register that new range of IP addresses with each one of those FBL registration pages separately. No more! Now you can combine it all into one subscription, one configuration, so that when you have a new IP address range go live, it takes just a few minutes to add your new range to all 18 different feedback loops.

Read more about this here.

Note: This is something that ESPs and ISPs sign up for; this is not something that end users or individual marketing senders would typically sign up for. If you use an ESP to send your mail, work with that ESP to ensure that they've enrolled your IP addresses and domains into all possible ISP feedback loops.

Happy birthday, spam (the good kind)!

The news is so chock full of horrible stuff lately that you might be struggling to look for something positive to celebrate this Independence Day. I know I am. Spam to the rescue! America's favorite canned meat turns 82 years old just one day later, on July 5th. Read how it became an American cultural icon.

A spam score of 33.8!

Since I've enabled a "reject" DMARC policy on my domains, I've been reviewing the various failure reports that come in to see what crazy spam those crazy spammers might try to send. Amazingly, they are willing to try to send some really bad stuff to see if it gets through.

The email problem no one is talking about: mistaken identity

Mashable's Chris Taylor talks about the problem of misdirected emails. A good read and it helps to expose a real issue that I don't think many people stop and consider.

I'll add my own questions here. What if, because of this, a sender is exposing PII (personally identifiable information) to a random third party? Couldn't that lead to some sort of legal liability at some point? How does a recipient stop emails like that? Are you, as a sender, putting a "this is not me" link in your transactional messages?

I have a bunch of spamtrap domains. One of them is a typo variation of a very popular ISP domain. The number of misdirected order confirmations and password reset requests it gets is ... staggering. If I was a bad guy, think of all the bad things I could do with that information being fire-hosed directly to me. I could probably take over hundreds of Instagram accounts. I could probably cancel or redirect orders from online stores. Or worse.

More reasons why you can't just assume that any email address given to you is correct.

XNND.com is 11 years old today

I've long had a little banner at the bottom of my xnnd.com DNS tools site that says "since 2008" but it looks like I'm going to have to change that. Looking through my notes, the site actually launched eleven years ago today!

XNND exists because back then there was a commonly used "DNS stuff" site out there that I felt like was trying to scare people into buying services from them and I didn't like it, so I decided to put together my own little DNS lookup site that was bullshit-free and simple to use. I registered the domain on June 14th, 2007 and then launched the site on June 17th.

I redesigned the site recently to make it a bit easier on the eyes. And yep, that's all done with HTML tables, like it was built in 1997 instead of 2007 or 2018.

I've had to erase and reload the server so many times, I don't even know how much traffic it really gets. But it seems to be a busy little guy, and I hope folks continue to find it useful.

I've got setting up a server to be XNND.com down to a science. Every time there's any sort of hint of a security or hardware issue, I just nuke the whole thing and populate a new installation. Sometimes servers crash, sometimes weird stuff happens, and I've even had one hosting provider just up and disappear from the internet.

Special thanks to Don Berryman and Steve Atkins who were very helpful with bits of code and hosting when it was first getting up and running.

Revisiting Spam, the Documentary

Remember this blast from the past? Back in 2007, email expert John Levine sat down with Canada's CBC News to be interviewed for what became "Spam, the Documentary." It wasn't widely available in the US then, but appears to be viewable on YouTube right now.

How much has spam changed since 2007?

Gmail's Promotional tab: How to escape

How do I keep my email messages out of Gmail's Promotional tab? This is a common question lately. Is there one common answer? Ask six different people, and you'll get six different answers. And I'm not sure which answer is the best one, so I'll collect them here and we can all learn together.

Here's the updated DOOM WARNING that appears on a suspicious message in the new Gmail user interface. But why, I ask, would it appear on this particular message that I received? The message in question fully authenticates, it was sent from a reputable ISP, and it was an email message from my city government. It's an email list that I've opted-in to.

They use an ESP that uses a group of IP addresses to be shared among all clients, so I assume what happened is that the shared reputation has gotten dinged by some bad sender doing something wrong sometime prior to this send. It sucks, though, because this message isn't actually dangerous and the warning is probably going to freak people out.

Locking down your unused domains

Here's a neat DMARC trick that I would have implemented sooner, had I read MAAWG's "Best Practices for Parked Domains" document a little closer back when it came out back in late 2015. But back then, I wasn't as DMARC savvy as I was now.

Anyway, the trick is this: If you have a domain that doesn't send mail, here's how you lock it down -- publish DNS records -- that tell the big ISPs that any mail pretending to be from that domain should be rejected, because it is illegitimate.

To do that, you'll want to configure two DNS records for your domain.

First, create an SPF record for your domain. This is a TXT record that goes at the top level of your domain. In it, paste this text: "v=spf1 -all" (without the quotes). A domain that sent email would use this record to specify what IP addresses are allowed to send mail on this domain's behalf. Since there are none, we're leaving it entry. The "dash all" directive at the end tells ISPs to treat mail from IP addresses not listed here as very suspicious. I call this SPF lockdown and I've talked about it before.

Second, create a DMARC record for your domain. This is a TXT record as well, called _dmarc and when you create it, paste the following text: "v=DMARC1; p=reject;" (without the quotes). This tells ISPs to reject unauthenticated mail purporting to be from your domain name. Most people, when setting up a comprehensive DMARC record, set up reporting addresses to receive failure reports, and include that information in the DMARC record. You don't have to do that, though. Save yourself the time and don't worry about that. (Want to see an example DMARC record? Here's mine.)

The DMARC record is the new part of the trick, and it's an important bit.

Together, with those two DNS records, you're pretty well covered to tell ISPs that this domain doesn't send any mail (or technically, that any forged mail purporting to be from this domain should be rejected -- and since you send no legitimate mail from this domain, any mail seen at all is going to be forged, and therefore, rejected).

Spammers have a long history of forging domain names in spam. This simple little process makes your unused domain name much less useful to spammers. If they spoof that domain name in spam, most of that mail will get rejected. Smart spammers might even check to see if a domain publishes a "reject" DMARC policy and avoid ones that do.

Spam Cannibal blacklist is dead

Multiple folks reached out to me overnight to let me know that the SpamCannibal DNSBL has blown up, ~~that they have effectively "listed the world," resulting in mail admins blocking all mail if they use this DNSBL in their mail server configuration~~. I talked to the operator of the list, who let me know that Spam Cannibal is permanently shut down and that the domain must have expired. More over on DNSBL.com.

May 31, 2018 update: The operator of Spam Cannibal is working with some smart folks to shut down the blacklist in perhaps a more graceful fashion. The list is no longer being updated and is retired; you should still remove it from your mail server configuration.

Spam recall: For real!

Remember how Outlook had that horrible "Recall" function that didn't work because anybody with a brain could just force quit Outlook to prevent it from deleting the original message? This has nothing to do with that. If you still use Outlook (I don't) and if that feature still exists (I have no idea), don't use it. When observed, it is a strong indicator that the person hitting the recall button doesn't know how real SMTP email works.

Anyway...

There is an honest-to-god real SPAM recall at the moment. The USDA is recalling 228,000 pounds of Hormel's deliciously salty and fatty good stuff because there may be metal bits embedded in the meat. Here's more info. I need to go check my cupboard; I usually keep a can on hand because it does well when you fry it up with eggs in a pinch as a sort of substitute bacon.

Whoops! Cyberlogic DNSBL Broken

Looks like the anti-spam blacklist at dnsbl.cyberlogic.net has listed the entire world. More info can be found here.

Smells like GDPR Season

And that's not even all of them.

AOL: No More Whitelisting

As AOL and Yahoo continue their transition into one platform, things were bound to change over time. As a result of this ongoing consolidation, AOL no longer offers whitelisting of sending IP addresses. Though the form still seems to be up at the moment, any submissions seem to get a reply from the AOL Postmaster robot saying, "Whitelisting is no longer offered or needed for mailing to AOL. If you see delivery issues please sign up for a Feed Back Loop at: https://postmaster.aol.com/fbl-request"

As the net effect here is that AOL seems to be moving onto Yahoo's platform -- if you're wondering how to troubleshoot AOL delivery issues today, the general deliverability guidance for Yahoo is probably your best place to start.

For now, it seems as though the AOL Feedback Loop is still in effect. I do suggest registering for it as long as it is still possible, but also, be sure to sign all mail with DKIM and register with the Yahoo FBL as well, so AOL users are covered on both sides of the possible feedback loop equation.

Unroll.me to close to EU users

As mentioned on Slashdot, TechCrunch is reporting that unsubscription service Unroll.me is saying that EU users are no longer welcome, claiming that it's not possible to comply with GDPR.

Vodafone Ireland: vodafone.ie is a dead email domain

Even though the Vodafone Ireland domain vodafone.ie has six active MX records, this appears to be a dead email domain, and I suggest you suppress all vodafone.ie addresses from any email lists.

Vodafone appears to have announced this closure in 2014. The original announcement no longer appears to be online (nor in the Internet Archive), but here's a discussion forum thread on the topic. Based on this information, it appears that email service for the vodafone.ie domain ceased on October 18, 2014.

None of the six MX servers is responding to connections after repeated testing.

Vodafone New Zealand similarly shut down their email service in 2017.

Reference: Apple email domains

What are Apple's email domains, in case you were wondering? For end consumers, customers who have registered for Apple IDs and/or email accounts, those domains are:

Lycos Mail: Free accounts to be eliminated

Remember Lycos Mail? No? Then you're probably under 40 years old. What I didn't remember is that it still existed. But while it shall continue to exist, current users enjoying email service from Lycos Mail for free are being asked to leave as of May 15, 2018. It's not quite the same as shutting down the domain overall, but I'm guessing that 90+ percent of their user base was on a free plan, so it does suggest that soon, most mail to lycos.com addresses will start bouncing. You can read more about it here.

It looks like Lycos Mail is hosted by OpenSRS (Tucows), which has an active Return Path-managed ISP Feedback Loop. I'm guessing Lycos got tired of footing the outsourcing bill for free users. If you're an ESP and you start to see lower complaint volume from your OpenSRS feedback loop after May 15th, that could be why.

This weekend: Gmail spam, from me, to me

"9 to 5 Google" reports on a new spam run that seems to have found and exploited some sort of loophole in Gmail spam filtering. Anybody else get hit with this? I did; starting last night, I got upwards of 40+ spams like this, falsely purporting to be from me, sending to me, and getting through to the Inbox. Google says they've fixed it and the spams don't appear to be getting through to my inbox any more, which is good. This is just spam; I have no reason to suspect a security breach of any kind. Some spammer just got lucky testing some old school spam filtering rule that people perhaps haven't been tripping in a while.

I guess it also tells me that I come to rely on Gmail's spam filtering pretty heavily. It generally does such a good job that a failure that lets something slip through, if even only for a day, is enough to make me see a bunch of spam that I normally wouldn't. So I am actually going to say thank you, Google, both for your overall good job in Gmail spam filtering, and for responding to this issue so quickly.

40 Years of Spam

Recognizing the upcoming 40th anniversary of spam (the bad kind), Forbes shares 25 facts you may or may not have known about everybody's least favorite kind of email messages. There's a couple of nits possibly worth picking there for accuracy's sake, but it's mostly an interesting trip down memory lane.

H/T: Multiple folks.

Cloudflare Launches 1.1.1.1 DNS Service

Cloudflare just launched their own public DNS service. To try it, simply configure your computer to use the DNS servers 1.1.1.1 and 1.0.0.1. Then your computer's DNS lookups (the internet's mapping of domain names to IP addresses) will route through Cloudflare instead of through your ISP.

This is being described as a privacy-focused tool, even though Cloudflare is getting access to gobs of data and traffic and could be doing stuff with that data. But if it's fast and works well, and your ISP's DNS servers don't work so well, it might be something to try.

There are actually a number of other DNS services like this out there.

Google Public DNS is perhaps the most well known one. (It's the one I use most often.) To use their service, you set your DNS server settings to use 8.8.8.8 and 8.8.4.4.

There's also OpenDNS and Quad9 that are intended to help block bad stuff.

And you can find even more services like that here. With all these options, does a savvy geek even need to run their own DNS server nowadays?

Though, I'm not sure it's safe to try to query DNSBLs (anti-spam blacklists) through these DNS services. It's entirely possible that some DNSBLs block them as they may appear to be overwhelmingly large sources of traffic. (Or possibly a DNSBL might like this if the DNS service effectively acts as a cache for them; but I don't have any data on this.)

Message Header & Message Checking Tools

Need a tool to parse message headers? Trying to break down how long it took to hand off an email message between servers?

Check out this tool from Microsoft, and this tool from Google. Both do basically the same thing -- you paste in the email headers and it will parse them, giving you a breakdown of how much time it took between each server hop.

Here's another Google tool you should bookmark. It lets you decode blobs of Base64-encoded content. Sometimes you'll find this handy when viewing the source of an email message and running into content encoded in this way. I just used it to decode an odd bounce message yesterday.

And here's another thing that a coworker shared with me -- Mail Tester helps you check your emails against SpamAssassin in an easy-to-use way. Check it out!

April 20, 2018 Update: Here's another neat tester: This widget from Litmus tells you what Gmail tab a message gets delivered into.

Goodbye, goo.gl

Did you use goo.gl to shorten links in email newsletters or text versions of emails? Looks like the ability to do that is going away. Doesn't every ESP or email platform have its own click tracking or URL rewriting mechanism by now? And using third party URL shorteners has long been sort of a mixed bag, anyway.

What is Microsoft BCL?

Now that Microsoft has merged their Office365 and Hotmail/Outlook.com platforms, this should apply to anybody sending to either platform. Microsoft calculates a "BCL" (Bulk Complaint Level) for a sender's IP address or sending domain name. (Which? I'm actually not sure at the moment. Let's assume both for now.)

The BCL score is a 0-9 score, where higher basically means "sent by a bulk sender, and more spammy." See this Microsoft Technet article for more details.

How do I tell what my BCL score is? Select "View Message Source" on an email message received at Microsoft Hotmail/Outlook.com. Find the "X-Microsoft-Antispam" header. Here's an example:

X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(5000109)(4604075)(4605076)(610169)(650170)(651021)(8291501071);SRVR:CY1NAM02HT241;

That first entry -- BCL:0 tells us that this message is from a sender that has a BCL score of zero. (This message is not from a bulk sender.)

What do those other entries mean? PCL means "Phishing Confidence Level" per this document. So it's good to see that is zero. The rest? I'm not sure. I'll share more as I learn more.

Please Hire Mike Teixeira!

My esteemed industry colleague Michael Teixeira is looking for an opportunity in the anti-abuse or email fields. Got something suitable that you’d like to interview him for? I hope you'll consider him. He and I have something in common – we’ve both worked spam issues for MAPS (Mail Abuse Prevention System-- the first anti-spam blacklist group) – me, for a time before Trend Micro acquired MAPS, and Mike, after.

PSA: Time to update your ReCAPTCHA

Google's "ReCAPTCHA" API-based user validation process is very popular. So popular, that internet users are running into warnings here and there on the web, suggesting that it's about to stop working on some websites.

The reason? The V1 version is deprecated and about to be retired. It's going to stop working at the end of March, in just a couple of weeks from now.

The problem? Lots of sites have yet to update from V1 to V2. What happens to those sites on March 31st? I'm not sure, but it probably won't be a good thing.

What's the connection to email? Why am I posting about this?

Because Cloudmark is running V1 of the ReCAPTCHA. The spamrl.com spam filtering service is running the old version, too. The SURBL blacklist's lookup page, too. (Though SURBL just fixed theirs.)

There's probably a lot of other sites out there running the old version of ReCAPTCHA, as well. Do you use ReCAPTCHA on any of your websites? Have you upgraded to the latest version? If not, the time to do so is NOW.

Fun fact: Gmail has two domains

Did you know? Gmail actually has two domains. They are gmail.com and googlemail.com. The latter was used primarily in Germany from the launch of Gmail up through some time in 2012. At first, the Gmail trademark was taken by somebody else in Germany. Looks like it may have also been an issue in the UK up until sometime in 2010.

Google does not otherwise use "localized" domains elsewhere. There are no Gmail users at the email domains gmail.ca, gmail.co.uk, or anything like that. Just gmail.com and googlemail.com.

DMARC: sp= policy not always needed

I've started to search for and catalog big brand DMARC records to look for ideas and suggestions, and also to develop some best practice recommendations.

One thing I'm seeing quite often is that a big company will put "p=reject" and "sp=reject" in the same DMARC record. In this scenario, the "sp=" setting is actually not needed-- it is extraneous.

The "p" setting is for your choice of DMARC setting. The "sp" setting is for your choice of DMARC setting for any subdomains. If you don't set "sp" then the "p" policy is applied to any subdomains. So the only reason you would want to add "sp=" is if you want to specify a different policy for subdomains. If you want to give this domain and any subdomains the same policy, you don't need to include the "sp=" directive.

In short, there's no need to add "sp=" unless you want subdomains treated differently. Why would you add the "sp=" setting? If you don't have any legitimate subdomains, you could set your domain policy to "p=none" (safer for the main domain) but "sp=reject" (more restrictive for subdomains) to tell the world that any subdomains seen should be bounced (because they wouldn't authenticate properly, because you in theory don't have any subdomains).

Here's an easy guide to the variables present or optional in a DMARC record. This seems worth bookmarking.

250ok on DMARC adoption among top US colleges

Matt Vernhout of deliverability monitoring service provider 250ok reports that US colleges are slow to adopt DMARC. I'm not totally surprised; my personal observation is that the financial sector and top tier ISPs/webmail providers seem to be leading the DMARC charge. But I do agree with 250ok that it's time for higher ed to get schooled on DMARC.

File under obvious? Engagement rules!

A bunch of friends have been forwarding around this link to an article from "EContent" entitled "Research Finds Email Senders with Strong Subscriber Engagement Are Likely to See Less Email Delivered to Spam"

On one level, duh.

But also, on another level, it's great to see this supported with research. There are always people out there who doubt what we in deliverability see and explain every day. Sometimes you even run into people like that one guy who ran that agency that went under whose whole shtick was telling people to do the opposite of what deliverability consultants said. It was bad advice, and that kinda thing gets tiring after a while.

So I'm very happy to see Return Path data and analysis supporting what I know to be the best path.

Go straight to the source (here) to get access to the full report.

Howto: Disable your Gmail spam folder

I have a few Gmail accounts set up where I programmatically download all the mail so that I can generate a report showing information about each message. Sometimes, some of the email messages I receive and want to report on go to the spam folder. I could download mail from the spam folder, but instead, I figured it would be easier to just configure my Gmail account so that no mail goes to the spam folder.

It's easy to do that. Here's how:

1. In Gmail, go to Settings.
2. Under Filters and Blocked Addresses, click on "Add new filter."
3. In the To field, type "me" (without quotes).
4. Click on "Create filter with this search."
5. Select "Never send it to Spam."
6. Click on the "Create Filter" button to save and activate your new filter.

This will prevent almost all inbound mail to you from going to the spam folder. A few types of messages, mostly malformed ones, might slip through, but I'm OK with that.

This isn't something you'd want normally, but there are a number of use cases where this can come in handy, so I figured I would share it with all of you.

Note that any mail already in the spam folder is not going to magically get moved to the inbox. This only affects new mail as it comes in.

Best US cell carrier for phone spam protection? T-Mobile.

I'm curious to dig into the methodology here to look for limitations, but so far so good. Money reports on a recent study to compare spam identifying/blocking functionality of the top four US cell carriers. T-Mobile came out on top as far as identifying or blocking Scam/Fraud and Telemarketing/Spam calls.

I had T-Mobile years ago and was generally happy; though when my wife and I were forced to move back to Minnesota to deal with family issues, we would have had reception issues outside of Minneapolis, so we went with Verizon. That chapter is now behind us, and so now that we're basically steady in a big city here in Florida, maybe it's time to change. Spam call blocking matters to me; what do you all think, dear reader?

Ask Al: Group mail is being blocked, what do I do?

Recently, a reader wrote in with the following question:

I host an email group of about 450 people who share a common autoimmune medical condition. I send/receive email through a Gmail account set up in Windows Live Mail on a home PC. My ISP is RCN. Recently, any emails sent to any group member using an AOL or Verizon.net account are being blocked by AOL. I sent an email to AOL asking to not be blocked and my request was denied with little feedback as to why. I was then pointed to recent changes concerning DMARC and FBL. I generated an AOL account just for those members to get the information they need but this is an awkward way to send emails, using two separate accounts.

Gmail: Filtering mail into folders

Somebody recently asked me how does one set up folders in Gmail, and how does one then filter mail into those filters? Setting up filters and folders (labels) makes Gmail much more usable; makes my very busy email stream much more manageable.

Here's how you do it, courtesy of Wikihow.

Gmail & B2B Spam

A client recently reminded me of Gmail's yellow bar that explains why a message went to spam. I decided to pull up the last few spams out of my spam folder and check the yellow "why" bar.

b2b-leadgen.com: Why is this message in Spam? It's similar to messages that were detected by our spam filters.

verizones.com: Why is this message in Spam? We've found that lots of messages from verizones.com are spam.

mail-leadiro.com: Why is this message in Spam? We've found that lots of messages from mail-leadiro.com are spam.

trainingdoyens.com: Why is this message in Spam? We've found that lots of messages from trainingdoyens.com are spam.

If Gmail says that these three sending domains seem to be spammy, who am I to argue?

(If you recognize your company name there, maybe it's time to reconsider your B2B strategy. I never signed up for your emails. Send a lot of mail to people who didn't sign up for it, and that's what happens.)

AOL/Yahoo Transition Update: AOL DMARC & FBL Reports

AOL Postmaster Lili Crowley posted an update yesterday to the AOL Postmaster Blog regarding the future of DMARC and FBL reports from the AOL platform.

Here's my summary of that information:

For DMARC reports: AOL is saying that the MX records for their domains are in the process of being transitioned from AOL inbound email servers to new email servers. As each domain's MX record is transitioned, AOL will no longer send DMARC reports for that domain. Any DMARC reports for that domain will now come from Yahoo.

(These are reports that you get from other ISPs, when you have a DMARC record in place that specified that reports should be sent providing information about DMARC failures. Most people feed these into a DMARC-specific automation platform for parsing and reporting. Not everybody has this / does this.)

For ISP Feedback Loop reports (spam complaints): AOL is saying that currently, FBL reports for AOL users on AOL domains will continue to come from AOL. But, at some point in the (very?) near future, these AOL users' mailboxes will be transitioned to new infrastructure. When that happens, AOL FBL reports from that user will cease. That user is now covered by Yahoo's Feedback Loop, and if that user reports an email message as spam, it will be handled in accordance with Yahoo's FBL process.

In my estimation, it's very likely that the transitioning of all AOL users' mailboxes to new infrastructure will take some amount of time. It seems quite likely that there will be a period of time when some of those AOL users are on AOL infrastructure (resulting in AOL FBL traffic) while you see some other AOL users sending in complaints via the Yahoo FBL process.

If you sign all mail with DKIM authentication, and you register your domains with Yahoo's FBL system, you should be all set. If not, it's time to get that process going.

List-Unsubscribe header: You need it!

Allow me to distill this very insightful article from Word to the Wise down to four simple points:

Microsoft wants you to include the list-unsubscribe header. And today, you'll want to use the "mailto" version, not the "http" version.
If you don't, Microsoft is going to make it very easy for Hotmail/Outlook.com subscribers to BLOCK your mail, when in fact they perhaps only wanted to unsubscribe.
If subscribers BLOCK your mail, they're not going to get any followup transactional mail, which isn't great. Or if they opt-in again later, they won't receive that new mail.
It's unclear whether or not this BLOCK action registers some sort of negative reputation market against a sender, but I suspect it does.

I've seen some folks complain that the list unsubscribe header is bad and that it should be removed, because it makes it too easy for recipients to unsubscribe from a company's marketing email messages. Well, here's a very significant downside that can apply to you if you don't have (or if you remove) the list-unsubscribe header from your email messages.

How Email Works

Source: nixCraft on Facebook

Isleton Spam Festival: There's still time

You've got just over two weeks until it's time for Isleton, California's Spam Festival. The February 18th affair has in the past offered up treats like SPAM Fudge, SPAMbalaya, and -- good lord -- a SPAM-eating contest? Read all about it here. Be sure to drop me a line if you happen to attend.

AOL Announces Mail System MX Changes

As expected, AOL announced yesterday that the MX records for their domains are being updated:

As AOL and Yahoo come together under the OATH umbrella, we will merge the mail infrastructure serving our consumer brands.

As a first step, starting this week, the majority of AOL's MX records will point to our new combined servers. This should be transparent to any sender as those servers will operate in simple pass-through mode. This means senders with established FBLs will continue to receive them from our AOL mail infrastructure.

While we do not foresee any issues, you are welcome to reach out to the AOL postmaster team at https://postmaster.aol.com if you should encounter anything.

Over the next few months we will continue to make adjustments as we further combine our systems. Watch this space for additional notes in the future.

Thanks to the folks at AOL/Yahoo/OATH for taking the time to make a public statement about this. Transparency is a good thing, and this is much appreciated.

Reference: Time Warner/Road Runner/Spectrum Email Domains

Sometimes it comes in handy to know all of the common domains associated with a given Internet Service Provider (ISP) or webmail provider.

I believe these are all of the common, legitimate email domains associated with Time Warner (TWC) / Road Runner / Spectrum Cable ISP properties as of January, 2018.

Using ClamAV? Update Now

ClamAV is a popular open source anti-virus engine, that among other things, is popularly used to scan emails on Linux/Unix systems for bad stuff. There's talk of a vulnerability out there relating to PDFs (source in German, but Google translate worked well) and users are advised to update to the latest version. I recommend reading the ClamAV-Users mailing list to figure out what's up with that latest version; it sounds like there is some confusion or a potential issue -- some users are attempting to download the latest 0.99.3 version but are getting beta code, not final production code. It's all a bit confusing and I'm hoping that admins running ClamAV will be able to decipher it all a bit better than I'm able to from afar.

More Transitions: AOL/Yahoo Consolidation

Remember how I said that I thought 2018 would be the year of consolidation?

First you had the Microsoft platform consolidation, the merging of their Office 365 and Hotmail platforms. A lot of senders are still dealing with issues around that transition.

Now we're getting word that AOL and Yahoo are going to begin to merge their platforms, starting in February. Step one: Inbound mail to the AOL domains will now be handled by the Yahoo inbound mail servers.

2018 is going to be a wild ride.

H/T: Word to the Wise

History Repeating: Challenge/Response again?!

At least one mailing list operator on Mailop is reporting that he's receiving mail from something called BitBounce. It sounds like some combination of crypto-currency based "pay to send email" thing (remember Hashcash? Or is this more like e-postage?) where you attempt to limit spam by requiring each individual sender to pay some extra fee (which doesn't really work unless the whole world buys into the model) and "challenge/response" email filtering wherein you attempt to limit spam by spamming back to the sender a requirement that they click on a link and do a little dance to prove they're human. Which still doesn't work very well, not back when I talked about it in 2014, not back when I talked about it in 2006.

Whaaaaat? This nonsense again? Nobody reads the history books anymore, do they? Kids today...

Canada and Japan joining forces to stop spam

The Canadian Radio-television and Telecommunications Commission (CRTC) has signed an agreement with Japan’s Ministry of Internal Affairs and Communications. The two groups pledge to work together to "combat unsolicited commercial electronic messages." It sounds like they'll be sharing information to trace spamming bad guys across borders. The agreement came into force on January 1st, 2018.

The CRTC further indicated that it "has entered into similar bilateral agreements with the United Kingdom’s Information Commissioner’s Office, the United States Federal Trade Commission, the United States Federal Communications Commission, the New Zealand Department of Internal Affairs and the Australian Communications and Media Authority."

For more information, here's the CRTC's announcement and press release.

You use 2FA for your Google account, right?

If so, eventually you'll end up replacing your phone, and you might need a guide on how to transfer that 2FA code generation from the current phone to the new phone. How do you do that? Gizmodo's Field Guide has you covered.

They also explain how to do this with Apple and Microsoft accounts, as well.

You DO use 2FA (two factor authentication), right? Please do. It can perhaps be imperfect, but I've personally seen it save the day when people have tried to nefariously access the email accounts of my friends (and even my own account).

Dead email domain: alltel.net

A reader wrote in asking me if anybody was home at the email domain alltel.net.

I performed a handful of checks to see:

Does the domain have an A record? No. We're getting a server failure response or server not found response.
Does the domain have an MX record? No. We're getting a server failure response or server not found response.
Does that MX or A record answer as a mail server when you try "telnet (hostname) 25"? Doesn't matter, can't find either.
Search the web -- what do I find? Two things: First, Matt Vernhout blogged about this domain shutting down back in 2009. Second, here's information from an AT&T message board suggesting maybe the domain still worked in 2016.

According to this timeline, Windstream seems to have indeed picked up much of the Alltel user base at some point in the past through M&A, but AT&T may have later acquired some of the Windstream properties back later? Confusing. But regardless, the domain certainly seems dead today. There's no point in sending to it, and if you've got alltel.net subscribers on your list, then something is funny. Is your list old? Are you sure it's all people who recently opted-in to receive email from you?

TinyLetter: Don't freak out just yet!

Slate reports that popular email service provider Mailchimp plans to phase out TinyLetter, the neat simple newsletter service they have owned since 2011. It sounds like people are jumping the gun on freaking out, though. Mailchimp says that things will change eventually but they actually don't seem to have pulled the plug on the thing yet, or even announced when they might do so.

So stay calm, Tiny fans! Mailchimp even says that even if/when they roll TinyLetter back up into Mailchimp, "it will still have the same super-simple newsletter building functionality, but it’ll be refreshed and updated for improved user experience."

More on "Smart Unsubscribing"

I mentioned recently that Google has implemented a feature wherein they'll suggest to "Inbox by Gmail" users that the user may want to unsubscribe from communication from a sender under certain circumstances. Turns out Yahoo Mail does something similar. Tom Sather explains in more detail over on the Return Path blog.

Challenges in 2018?

It's the first working day of the new year. What do you think are going to be some of the challenges we face in the realms of email and deliverability this year?

Here's three concerns that are on my mind for 2018:

Continuing platform consolidation. Microsoft started merging their Outlook.com (Hotmail) and Office 365 Outlook email platforms in 2017. From the outside, things didn't always seem to go so smoothly, and indeed, are perhaps not today all that smooth in some cases. Some senders were seeing unexpected blocking with confusing (or no) error messages, for example, and the receiving systems appeared as though they were perhaps overwhelmed. That's potentially still ongoing for some folks today.

And then we have to look forward to a potential merger between the webmail systems of Yahoo and AOL. Now that they're owned by the same company, it makes sense to assume that they would standardize down to one single webmail platform. That's a whole lot of mailboxes and data to transfer (in either direction) and I admit that I'm a little nervous wondering about how things will go if/when they pull that off. (It's not that I think the Oath people are dumb, by any means. Very smart folks-- I just wonder about the scale of such a platform merge.)
Getting serious about DMARC. I might have called 2015 the year of DMARC, as it was all over the news, but 2018 is the year all should start implementing DMARC. Too many folks are ignoring it until they run into problems. Implementing it while something bad is happening can be tougher (like trying to do math while the building is burning) and it takes some finesse and technical skill to ensure that you're doing it right, which is why I think you should partner with a DMARC specialist service instead of trying to do it yourself.

And don't send mail that wouldn't pass DMARC, even if you don't have a DMARC record set up or policy enabled. My very non-scientific observations suggest that at least one large webmail provider will effectively give you a modest positive delivery boost if your mail is DMARC-compatible and a modest negative deliverability drop if your mail isn't DMARC-compatible.

And it goes without saying that in 2018, you should no longer use a from address domain that you don't control or own.
More Stringent Filtering. This past holiday season (Q4), a lot of folks saw a higher-than-expected amount of inbound mail being deferred by multiple large webmail providers, possibly because their systems were overwhelmed with so many senders attempting to send so much mail. I'm sure that to some degree, those platforms will be looking to beef up their inbound mail capacity, but that can get really expensive really quickly, and they aren't likely to endlessly scale up to accept all the mail that every sender in the world cares to send. That means that those providers are probably going to have to look to other means to keep their systems up and stable, and that suggests to me that spam filtering could become more stringent. If you don't have enough resources to accept all the mail, you're going to try to figure out which senders are the better senders and accept their mail first. The not-as-good senders might not get as much mail through, or perhaps even be locked out outright. ISPs and spam filters constantly stack rank senders against each other and this is just yet another example of how they could choose to do that. It's not that different than the way things work today, just keep in mind that what is allowed as far as practices and percentages is likely to be tightened up.

What that means for a sender is, keep your nose clean. Practices that were edge case and perhaps OK a few years ago (old lists, low engagement, etc.) are going to be problematic today. Don't just keep on skating along on what you've been doing for years. Instead, be forward looking and ensure that you're fully on top of everything when it comes to permission and best practices.

Let's regroup in about 350 days and see how things turned out, shall we? I'm sure there will be another five or more big considerations that hit us in 2018 that we didn't consider up front.