Remember how Outlook had that horrible "Recall" function that didn't work because anybody with a brain could just force quit Outlook to prevent it from deleting the original message? This has nothing to do with that. If you still use Outlook (I don't) and if that feature still exists (I have no idea), don't use it. When observed, it is a strong indicator that the person hitting the recall button doesn't know how real SMTP email works.
Anyway...
There is an honest-to-god real SPAM recall at the moment. The USDA is recalling 228,000 pounds of Hormel's deliciously salty and fatty good stuff because there may be metal bits embedded in the meat. Here's more info. I need to go check my cupboard; I usually keep a can on hand because it does well when you fry it up with eggs in a pinch as a sort of substitute bacon.
Whoops! Cyberlogic DNSBL Broken
Looks like the anti-spam blacklist at dnsbl.cyberlogic.net has listed the entire world. More info can be found here.
AOL: No More Whitelisting
As AOL and Yahoo continue their transition into one platform, things were bound to change over time. As a result of this ongoing consolidation, AOL no longer offers whitelisting of sending IP addresses. Though the form still seems to be up at the moment, any submissions seem to get a reply from the AOL Postmaster robot saying, "Whitelisting is no longer offered or needed for mailing to AOL. If you see delivery issues please sign up for a Feed Back Loop at: https://postmaster.aol.com/fbl-request"
As the net effect here is that AOL seems to be moving onto Yahoo's platform -- if you're wondering how to troubleshoot AOL delivery issues today, the general deliverability guidance for Yahoo is probably your best place to start.
For now, it seems as though the AOL Feedback Loop is still in effect. I do suggest registering for it as long as it is still possible, but also, be sure to sign all mail with DKIM and register with the Yahoo FBL as well, so AOL users are covered on both sides of the possible feedback loop equation.
As the net effect here is that AOL seems to be moving onto Yahoo's platform -- if you're wondering how to troubleshoot AOL delivery issues today, the general deliverability guidance for Yahoo is probably your best place to start.
For now, it seems as though the AOL Feedback Loop is still in effect. I do suggest registering for it as long as it is still possible, but also, be sure to sign all mail with DKIM and register with the Yahoo FBL as well, so AOL users are covered on both sides of the possible feedback loop equation.
Unroll.me to close to EU users
As mentioned on Slashdot, TechCrunch is reporting that unsubscription service Unroll.me is saying that EU users are no longer welcome, claiming that it's not possible to comply with GDPR.
Vodafone Ireland: vodafone.ie is a dead email domain
Even though the Vodafone Ireland domain vodafone.ie has six active MX records, this appears to be a dead email domain, and I suggest you suppress all vodafone.ie addresses from any email lists.
Vodafone appears to have announced this closure in 2014. The original announcement no longer appears to be online (nor in the Internet Archive), but here's a discussion forum thread on the topic. Based on this information, it appears that email service for the vodafone.ie domain ceased on October 18, 2014.
None of the six MX servers is responding to connections after repeated testing.
Vodafone New Zealand similarly shut down their email service in 2017.
Vodafone appears to have announced this closure in 2014. The original announcement no longer appears to be online (nor in the Internet Archive), but here's a discussion forum thread on the topic. Based on this information, it appears that email service for the vodafone.ie domain ceased on October 18, 2014.
None of the six MX servers is responding to connections after repeated testing.
Vodafone New Zealand similarly shut down their email service in 2017.
Reference: Apple email domains
What are Apple's email domains, in case you were wondering? For end consumers, customers who have registered for Apple IDs and/or email accounts, those domains are:
Apple says: If you created an iCloud account on or after September 19, 2012, your email address ends with @icloud.com. If you created an iCloud account before September 19, 2012, or moved to iCloud with an active MobileMe account before August 1, 2012, you have both @me.com and @icloud.com email addresses. If you had a working @mac.com email address as of July 9, 2008, kept your MobileMe account active, and moved to iCloud before August 1, 2012, you can use @icloud.com, @me.com, and @mac.com email addresses with your iCloud account.
For corporate email, Apple's email domain in apple.com. They don't appear to use localized email domains like apple.co.uk or apple.fr. They do use sub-domains under apple.com (like support.apple.com) for various services, including email. But they have a wildcard MX record for all sub-domains, so it's not easy to tell what's valid or not. That might mean they accept misdirected mail to sub-domains and use it to feed their spam filtering (spamtraps).
- mac.com
- me.com
- icloud.com
Apple says: If you created an iCloud account on or after September 19, 2012, your email address ends with @icloud.com. If you created an iCloud account before September 19, 2012, or moved to iCloud with an active MobileMe account before August 1, 2012, you have both @me.com and @icloud.com email addresses. If you had a working @mac.com email address as of July 9, 2008, kept your MobileMe account active, and moved to iCloud before August 1, 2012, you can use @icloud.com, @me.com, and @mac.com email addresses with your iCloud account.
For corporate email, Apple's email domain in apple.com. They don't appear to use localized email domains like apple.co.uk or apple.fr. They do use sub-domains under apple.com (like support.apple.com) for various services, including email. But they have a wildcard MX record for all sub-domains, so it's not easy to tell what's valid or not. That might mean they accept misdirected mail to sub-domains and use it to feed their spam filtering (spamtraps).
Lycos Mail: Free accounts to be eliminated
Remember Lycos Mail? No? Then you're probably under 40 years old. What I didn't remember is that it still existed. But while it shall continue to exist, current users enjoying email service from Lycos Mail for free are being asked to leave as of May 15, 2018. It's not quite the same as shutting down the domain overall, but I'm guessing that 90+ percent of their user base was on a free plan, so it does suggest that soon, most mail to lycos.com addresses will start bouncing. You can read more about it here.
It looks like Lycos Mail is hosted by OpenSRS (Tucows), which has an active Return Path-managed ISP Feedback Loop. I'm guessing Lycos got tired of footing the outsourcing bill for free users. If you're an ESP and you start to see lower complaint volume from your OpenSRS feedback loop after May 15th, that could be why.
It looks like Lycos Mail is hosted by OpenSRS (Tucows), which has an active Return Path-managed ISP Feedback Loop. I'm guessing Lycos got tired of footing the outsourcing bill for free users. If you're an ESP and you start to see lower complaint volume from your OpenSRS feedback loop after May 15th, that could be why.
This weekend: Gmail spam, from me, to me
"9 to 5 Google" reports on a new spam run that seems to have found and exploited some sort of loophole in Gmail spam filtering. Anybody else get hit with this? I did; starting last night, I got upwards of 40+ spams like this, falsely purporting to be from me, sending to me, and getting through to the Inbox. Google says they've fixed it and the spams don't appear to be getting through to my inbox any more, which is good. This is just spam; I have no reason to suspect a security breach of any kind. Some spammer just got lucky testing some old school spam filtering rule that people perhaps haven't been tripping in a while.
I guess it also tells me that I come to rely on Gmail's spam filtering pretty heavily. It generally does such a good job that a failure that lets something slip through, if even only for a day, is enough to make me see a bunch of spam that I normally wouldn't. So I am actually going to say thank you, Google, both for your overall good job in Gmail spam filtering, and for responding to this issue so quickly.
I guess it also tells me that I come to rely on Gmail's spam filtering pretty heavily. It generally does such a good job that a failure that lets something slip through, if even only for a day, is enough to make me see a bunch of spam that I normally wouldn't. So I am actually going to say thank you, Google, both for your overall good job in Gmail spam filtering, and for responding to this issue so quickly.
40 Years of Spam
Recognizing the upcoming 40th anniversary of spam (the bad kind), Forbes shares 25 facts you may or may not have known about everybody's least favorite kind of email messages. There's a couple of nits possibly worth picking there for accuracy's sake, but it's mostly an interesting trip down memory lane.
H/T: Multiple folks.
H/T: Multiple folks.
Cloudflare Launches 1.1.1.1 DNS Service
Cloudflare just launched their own public DNS service. To try it, simply configure your computer to use the DNS servers 1.1.1.1 and 1.0.0.1. Then your computer's DNS lookups (the internet's mapping of domain names to IP addresses) will route through Cloudflare instead of through your ISP.
This is being described as a privacy-focused tool, even though Cloudflare is getting access to gobs of data and traffic and could be doing stuff with that data. But if it's fast and works well, and your ISP's DNS servers don't work so well, it might be something to try.
There are actually a number of other DNS services like this out there.
Google Public DNS is perhaps the most well known one. (It's the one I use most often.) To use their service, you set your DNS server settings to use 8.8.8.8 and 8.8.4.4.
There's also OpenDNS and Quad9 that are intended to help block bad stuff.
This is being described as a privacy-focused tool, even though Cloudflare is getting access to gobs of data and traffic and could be doing stuff with that data. But if it's fast and works well, and your ISP's DNS servers don't work so well, it might be something to try.
There are actually a number of other DNS services like this out there.
Google Public DNS is perhaps the most well known one. (It's the one I use most often.) To use their service, you set your DNS server settings to use 8.8.8.8 and 8.8.4.4.
There's also OpenDNS and Quad9 that are intended to help block bad stuff.
And you can find even more services like that here. With all these options, does a savvy geek even need to run their own DNS server nowadays?
Though, I'm not sure it's safe to try to query DNSBLs (anti-spam blacklists) through these DNS services. It's entirely possible that some DNSBLs block them as they may appear to be overwhelmingly large sources of traffic. (Or possibly a DNSBL might like this if the DNS service effectively acts as a cache for them; but I don't have any data on this.)
Message Header & Message Checking Tools
Need a tool to parse message headers? Trying to break down how long it took to hand off an email message between servers?
Check out this tool from Microsoft, and this tool from Google. Both do basically the same thing -- you paste in the email headers and it will parse them, giving you a breakdown of how much time it took between each server hop.
Here's another Google tool you should bookmark. It lets you decode blobs of Base64-encoded content. Sometimes you'll find this handy when viewing the source of an email message and running into content encoded in this way. I just used it to decode an odd bounce message yesterday.
And here's another thing that a coworker shared with me -- Mail Tester helps you check your emails against SpamAssassin in an easy-to-use way. Check it out!
April 20, 2018 Update: Here's another neat tester: This widget from Litmus tells you what Gmail tab a message gets delivered into.
Check out this tool from Microsoft, and this tool from Google. Both do basically the same thing -- you paste in the email headers and it will parse them, giving you a breakdown of how much time it took between each server hop.
Here's another Google tool you should bookmark. It lets you decode blobs of Base64-encoded content. Sometimes you'll find this handy when viewing the source of an email message and running into content encoded in this way. I just used it to decode an odd bounce message yesterday.
And here's another thing that a coworker shared with me -- Mail Tester helps you check your emails against SpamAssassin in an easy-to-use way. Check it out!
April 20, 2018 Update: Here's another neat tester: This widget from Litmus tells you what Gmail tab a message gets delivered into.
Goodbye, goo.gl
Did you use goo.gl to shorten links in email newsletters or text versions of emails? Looks like the ability to do that is going away. Doesn't every ESP or email platform have its own click tracking or URL rewriting mechanism by now? And using third party URL shorteners has long been sort of a mixed bag, anyway.
What is Microsoft BCL?
Now that Microsoft has merged their Office365 and Hotmail/Outlook.com platforms, this should apply to anybody sending to either platform. Microsoft calculates a "BCL" (Bulk Complaint Level) for a sender's IP address or sending domain name. (Which? I'm actually not sure at the moment. Let's assume both for now.)
The BCL score is a 0-9 score, where higher basically means "sent by a bulk sender, and more spammy." See this Microsoft Technet article for more details.
How do I tell what my BCL score is? Select "View Message Source" on an email message received at Microsoft Hotmail/Outlook.com. Find the "X-Microsoft-Antispam" header. Here's an example:
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(5000109)(4604075)(4605076)(610169)(650170)(651021)(8291501071);SRVR:CY1NAM02HT241;
That first entry -- BCL:0 tells us that this message is from a sender that has a BCL score of zero. (This message is not from a bulk sender.)
What do those other entries mean? PCL means "Phishing Confidence Level" per this document. So it's good to see that is zero. The rest? I'm not sure. I'll share more as I learn more.
The BCL score is a 0-9 score, where higher basically means "sent by a bulk sender, and more spammy." See this Microsoft Technet article for more details.
How do I tell what my BCL score is? Select "View Message Source" on an email message received at Microsoft Hotmail/Outlook.com. Find the "X-Microsoft-Antispam" header. Here's an example:
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(5000109)(4604075)(4605076)(610169)(650170)(651021)(8291501071);SRVR:CY1NAM02HT241;
That first entry -- BCL:0 tells us that this message is from a sender that has a BCL score of zero. (This message is not from a bulk sender.)
What do those other entries mean? PCL means "Phishing Confidence Level" per this document. So it's good to see that is zero. The rest? I'm not sure. I'll share more as I learn more.
Please Hire Mike Teixeira!
My esteemed industry colleague Michael Teixeira is looking for an opportunity in the anti-abuse or email fields. Got something suitable that you’d like to interview him for? I hope you'll consider him. He and I have something in common – we’ve both worked spam issues for MAPS (Mail Abuse Prevention System-- the first anti-spam blacklist group) – me, for a time before Trend Micro acquired MAPS, and Mike, after.
PSA: Time to update your ReCAPTCHA
Google's "ReCAPTCHA" API-based user validation process is very popular. So popular, that internet users are running into warnings here and there on the web, suggesting that it's about to stop working on some websites.
The reason? The V1 version is deprecated and about to be retired. It's going to stop working at the end of March, in just a couple of weeks from now.
The problem? Lots of sites have yet to update from V1 to V2. What happens to those sites on March 31st? I'm not sure, but it probably won't be a good thing.
What's the connection to email? Why am I posting about this?
Because Cloudmark is running V1 of the ReCAPTCHA. The spamrl.com spam filtering service is running the old version, too. The SURBL blacklist's lookup page, too. (Though SURBL just fixed theirs.)
There's probably a lot of other sites out there running the old version of ReCAPTCHA, as well. Do you use ReCAPTCHA on any of your websites? Have you upgraded to the latest version? If not, the time to do so is NOW.
The reason? The V1 version is deprecated and about to be retired. It's going to stop working at the end of March, in just a couple of weeks from now.
The problem? Lots of sites have yet to update from V1 to V2. What happens to those sites on March 31st? I'm not sure, but it probably won't be a good thing.
What's the connection to email? Why am I posting about this?
Because Cloudmark is running V1 of the ReCAPTCHA. The spamrl.com spam filtering service is running the old version, too. The SURBL blacklist's lookup page, too. (Though SURBL just fixed theirs.)
There's probably a lot of other sites out there running the old version of ReCAPTCHA, as well. Do you use ReCAPTCHA on any of your websites? Have you upgraded to the latest version? If not, the time to do so is NOW.
Fun fact: Gmail has two domains
Did you know? Gmail actually has two domains. They are gmail.com and googlemail.com. The latter was used primarily in Germany from the launch of Gmail up through some time in 2012. At first, the Gmail trademark was taken by somebody else in Germany. Looks like it may have also been an issue in the UK up until sometime in 2010.
Google does not otherwise use "localized" domains elsewhere. There are no Gmail users at the email domains gmail.ca, gmail.co.uk, or anything like that. Just gmail.com and googlemail.com.
Google does not otherwise use "localized" domains elsewhere. There are no Gmail users at the email domains gmail.ca, gmail.co.uk, or anything like that. Just gmail.com and googlemail.com.
DMARC: sp= policy not always needed
I've started to search for and catalog big brand DMARC records to look for ideas and suggestions, and also to develop some best practice recommendations.
One thing I'm seeing quite often is that a big company will put "p=reject" and "sp=reject" in the same DMARC record. In this scenario, the "sp=" setting is actually not needed-- it is extraneous.
The "p" setting is for your choice of DMARC setting. The "sp" setting is for your choice of DMARC setting for any subdomains. If you don't set "sp" then the "p" policy is applied to any subdomains. So the only reason you would want to add "sp=" is if you want to specify a different policy for subdomains. If you want to give this domain and any subdomains the same policy, you don't need to include the "sp=" directive.
In short, there's no need to add "sp=" unless you want subdomains treated differently. Why would you add the "sp=" setting? If you don't have any legitimate subdomains, you could set your domain policy to "p=none" (safer for the main domain) but "sp=reject" (more restrictive for subdomains) to tell the world that any subdomains seen should be bounced (because they wouldn't authenticate properly, because you in theory don't have any subdomains).
Here's an easy guide to the variables present or optional in a DMARC record. This seems worth bookmarking.
One thing I'm seeing quite often is that a big company will put "p=reject" and "sp=reject" in the same DMARC record. In this scenario, the "sp=" setting is actually not needed-- it is extraneous.
The "p" setting is for your choice of DMARC setting. The "sp" setting is for your choice of DMARC setting for any subdomains. If you don't set "sp" then the "p" policy is applied to any subdomains. So the only reason you would want to add "sp=" is if you want to specify a different policy for subdomains. If you want to give this domain and any subdomains the same policy, you don't need to include the "sp=" directive.
In short, there's no need to add "sp=" unless you want subdomains treated differently. Why would you add the "sp=" setting? If you don't have any legitimate subdomains, you could set your domain policy to "p=none" (safer for the main domain) but "sp=reject" (more restrictive for subdomains) to tell the world that any subdomains seen should be bounced (because they wouldn't authenticate properly, because you in theory don't have any subdomains).
Here's an easy guide to the variables present or optional in a DMARC record. This seems worth bookmarking.
250ok on DMARC adoption among top US colleges
Matt Vernhout of deliverability monitoring service provider 250ok reports that US colleges are slow to adopt DMARC. I'm not totally surprised; my personal observation is that the financial sector and top tier ISPs/webmail providers seem to be leading the DMARC charge. But I do agree with 250ok that it's time for higher ed to get schooled on DMARC.
File under obvious? Engagement rules!
A bunch of friends have been forwarding around this link to an article from "EContent" entitled "Research Finds Email Senders with Strong Subscriber Engagement Are Likely to See Less Email Delivered to Spam"
On one level, duh.
But also, on another level, it's great to see this supported with research. There are always people out there who doubt what we in deliverability see and explain every day. Sometimes you even run into people like that one guy who ran that agency that went under whose whole shtick was telling people to do the opposite of what deliverability consultants said. It was bad advice, and that kinda thing gets tiring after a while.
So I'm very happy to see Return Path data and analysis supporting what I know to be the best path.
Go straight to the source (here) to get access to the full report.
On one level, duh.
But also, on another level, it's great to see this supported with research. There are always people out there who doubt what we in deliverability see and explain every day. Sometimes you even run into people like that one guy who ran that agency that went under whose whole shtick was telling people to do the opposite of what deliverability consultants said. It was bad advice, and that kinda thing gets tiring after a while.
So I'm very happy to see Return Path data and analysis supporting what I know to be the best path.
Go straight to the source (here) to get access to the full report.
Howto: Disable your Gmail spam folder
I have a few Gmail accounts set up where I programmatically download all the mail so that I can generate a report showing information about each message. Sometimes, some of the email messages I receive and want to report on go to the spam folder. I could download mail from the spam folder, but instead, I figured it would be easier to just configure my Gmail account so that no mail goes to the spam folder.
It's easy to do that. Here's how:
1. In Gmail, go to Settings.
2. Under Filters and Blocked Addresses, click on "Add new filter."
3. In the To field, type "me" (without quotes).
4. Click on "Create filter with this search."
5. Select "Never send it to Spam."
6. Click on the "Create Filter" button to save and activate your new filter.
It's easy to do that. Here's how:
1. In Gmail, go to Settings.
2. Under Filters and Blocked Addresses, click on "Add new filter."
3. In the To field, type "me" (without quotes).
4. Click on "Create filter with this search."
5. Select "Never send it to Spam."
6. Click on the "Create Filter" button to save and activate your new filter.
This will prevent almost all inbound mail to you from going to the spam folder. A few types of messages, mostly malformed ones, might slip through, but I'm OK with that.
This isn't something you'd want normally, but there are a number of use cases where this can come in handy, so I figured I would share it with all of you.
Note that any mail already in the spam folder is not going to magically get moved to the inbox. This only affects new mail as it comes in.
Best US cell carrier for phone spam protection? T-Mobile.
I'm curious to dig into the methodology here to look for limitations, but so far so good. Money reports on a recent study to compare spam identifying/blocking functionality of the top four US cell carriers. T-Mobile came out on top as far as identifying or blocking Scam/Fraud and Telemarketing/Spam calls.
I had T-Mobile years ago and was generally happy; though when my wife and I were forced to move back to Minnesota to deal with family issues, we would have had reception issues outside of Minneapolis, so we went with Verizon. That chapter is now behind us, and so now that we're basically steady in a big city here in Florida, maybe it's time to change. Spam call blocking matters to me; what do you all think, dear reader?
I had T-Mobile years ago and was generally happy; though when my wife and I were forced to move back to Minnesota to deal with family issues, we would have had reception issues outside of Minneapolis, so we went with Verizon. That chapter is now behind us, and so now that we're basically steady in a big city here in Florida, maybe it's time to change. Spam call blocking matters to me; what do you all think, dear reader?
Ask Al: Group mail is being blocked, what do I do?
Recently, a reader wrote in with the following question:
I host an email group of about 450 people who share a common autoimmune medical condition. I send/receive email through a Gmail account set up in Windows Live Mail on a home PC. My ISP is RCN. Recently, any emails sent to any group member using an AOL or Verizon.net account are being blocked by AOL. I sent an email to AOL asking to not be blocked and my request was denied with little feedback as to why. I was then pointed to recent changes concerning DMARC and FBL. I generated an AOL account just for those members to get the information they need but this is an awkward way to send emails, using two separate accounts.
I host an email group of about 450 people who share a common autoimmune medical condition. I send/receive email through a Gmail account set up in Windows Live Mail on a home PC. My ISP is RCN. Recently, any emails sent to any group member using an AOL or Verizon.net account are being blocked by AOL. I sent an email to AOL asking to not be blocked and my request was denied with little feedback as to why. I was then pointed to recent changes concerning DMARC and FBL. I generated an AOL account just for those members to get the information they need but this is an awkward way to send emails, using two separate accounts.
Gmail: Filtering mail into folders
Somebody recently asked me how does one set up folders in Gmail, and how does one then filter mail into those filters? Setting up filters and folders (labels) makes Gmail much more usable; makes my very busy email stream much more manageable.
Here's how you do it, courtesy of Wikihow.
Here's how you do it, courtesy of Wikihow.
Gmail & B2B Spam
A client recently reminded me of Gmail's yellow bar that explains why a message went to spam. I decided to pull up the last few spams out of my spam folder and check the yellow "why" bar.
b2b-leadgen.com: Why is this message in Spam? It's similar to messages that were detected by our spam filters.
verizones.com: Why is this message in Spam? We've found that lots of messages from verizones.com are spam.
mail-leadiro.com: Why is this message in Spam? We've found that lots of messages from mail-leadiro.com are spam.
trainingdoyens.com: Why is this message in Spam? We've found that lots of messages from trainingdoyens.com are spam.
If Gmail says that these three sending domains seem to be spammy, who am I to argue?
(If you recognize your company name there, maybe it's time to reconsider your B2B strategy. I never signed up for your emails. Send a lot of mail to people who didn't sign up for it, and that's what happens.)
b2b-leadgen.com: Why is this message in Spam? It's similar to messages that were detected by our spam filters.
verizones.com: Why is this message in Spam? We've found that lots of messages from verizones.com are spam.
mail-leadiro.com: Why is this message in Spam? We've found that lots of messages from mail-leadiro.com are spam.
trainingdoyens.com: Why is this message in Spam? We've found that lots of messages from trainingdoyens.com are spam.
If Gmail says that these three sending domains seem to be spammy, who am I to argue?
(If you recognize your company name there, maybe it's time to reconsider your B2B strategy. I never signed up for your emails. Send a lot of mail to people who didn't sign up for it, and that's what happens.)
AOL/Yahoo Transition Update: AOL DMARC & FBL Reports
AOL Postmaster Lili Crowley posted an update yesterday to the AOL Postmaster Blog regarding the future of DMARC and FBL reports from the AOL platform.
Here's my summary of that information:
For DMARC reports: AOL is saying that the MX records for their domains are in the process of being transitioned from AOL inbound email servers to new email servers. As each domain's MX record is transitioned, AOL will no longer send DMARC reports for that domain. Any DMARC reports for that domain will now come from Yahoo.
(These are reports that you get from other ISPs, when you have a DMARC record in place that specified that reports should be sent providing information about DMARC failures. Most people feed these into a DMARC-specific automation platform for parsing and reporting. Not everybody has this / does this.)
For ISP Feedback Loop reports (spam complaints): AOL is saying that currently, FBL reports for AOL users on AOL domains will continue to come from AOL. But, at some point in the (very?) near future, these AOL users' mailboxes will be transitioned to new infrastructure. When that happens, AOL FBL reports from that user will cease. That user is now covered by Yahoo's Feedback Loop, and if that user reports an email message as spam, it will be handled in accordance with Yahoo's FBL process.
In my estimation, it's very likely that the transitioning of all AOL users' mailboxes to new infrastructure will take some amount of time. It seems quite likely that there will be a period of time when some of those AOL users are on AOL infrastructure (resulting in AOL FBL traffic) while you see some other AOL users sending in complaints via the Yahoo FBL process.
If you sign all mail with DKIM authentication, and you register your domains with Yahoo's FBL system, you should be all set. If not, it's time to get that process going.
Here's my summary of that information:
For DMARC reports: AOL is saying that the MX records for their domains are in the process of being transitioned from AOL inbound email servers to new email servers. As each domain's MX record is transitioned, AOL will no longer send DMARC reports for that domain. Any DMARC reports for that domain will now come from Yahoo.
(These are reports that you get from other ISPs, when you have a DMARC record in place that specified that reports should be sent providing information about DMARC failures. Most people feed these into a DMARC-specific automation platform for parsing and reporting. Not everybody has this / does this.)
For ISP Feedback Loop reports (spam complaints): AOL is saying that currently, FBL reports for AOL users on AOL domains will continue to come from AOL. But, at some point in the (very?) near future, these AOL users' mailboxes will be transitioned to new infrastructure. When that happens, AOL FBL reports from that user will cease. That user is now covered by Yahoo's Feedback Loop, and if that user reports an email message as spam, it will be handled in accordance with Yahoo's FBL process.
In my estimation, it's very likely that the transitioning of all AOL users' mailboxes to new infrastructure will take some amount of time. It seems quite likely that there will be a period of time when some of those AOL users are on AOL infrastructure (resulting in AOL FBL traffic) while you see some other AOL users sending in complaints via the Yahoo FBL process.
If you sign all mail with DKIM authentication, and you register your domains with Yahoo's FBL system, you should be all set. If not, it's time to get that process going.
List-Unsubscribe header: You need it!
Allow me to distill this very insightful article from Word to the Wise down to four simple points:
I've seen some folks complain that the list unsubscribe header is bad and that it should be removed, because it makes it too easy for recipients to unsubscribe from a company's marketing email messages. Well, here's a very significant downside that can apply to you if you don't have (or if you remove) the list-unsubscribe header from your email messages.
- Microsoft wants you to include the list-unsubscribe header. And today, you'll want to use the "mailto" version, not the "http" version.
- If you don't, Microsoft is going to make it very easy for Hotmail/Outlook.com subscribers to BLOCK your mail, when in fact they perhaps only wanted to unsubscribe.
- If subscribers BLOCK your mail, they're not going to get any followup transactional mail, which isn't great. Or if they opt-in again later, they won't receive that new mail.
- It's unclear whether or not this BLOCK action registers some sort of negative reputation market against a sender, but I suspect it does.
I've seen some folks complain that the list unsubscribe header is bad and that it should be removed, because it makes it too easy for recipients to unsubscribe from a company's marketing email messages. Well, here's a very significant downside that can apply to you if you don't have (or if you remove) the list-unsubscribe header from your email messages.
Isleton Spam Festival: There's still time
You've got just over two weeks until it's time for Isleton, California's Spam Festival. The February 18th affair has in the past offered up treats like SPAM Fudge, SPAMbalaya, and -- good lord -- a SPAM-eating contest? Read all about it here. Be sure to drop me a line if you happen to attend.
AOL Announces Mail System MX Changes
As expected, AOL announced yesterday that the MX records for their domains are being updated:
As AOL and Yahoo come together under the OATH umbrella, we will merge the mail infrastructure serving our consumer brands.
As a first step, starting this week, the majority of AOL's MX records will point to our new combined servers. This should be transparent to any sender as those servers will operate in simple pass-through mode. This means senders with established FBLs will continue to receive them from our AOL mail infrastructure.
While we do not foresee any issues, you are welcome to reach out to the AOL postmaster team at https://postmaster.aol.com if you should encounter anything.
Over the next few months we will continue to make adjustments as we further combine our systems. Watch this space for additional notes in the future.
Thanks to the folks at AOL/Yahoo/OATH for taking the time to make a public statement about this. Transparency is a good thing, and this is much appreciated.
As AOL and Yahoo come together under the OATH umbrella, we will merge the mail infrastructure serving our consumer brands.
As a first step, starting this week, the majority of AOL's MX records will point to our new combined servers. This should be transparent to any sender as those servers will operate in simple pass-through mode. This means senders with established FBLs will continue to receive them from our AOL mail infrastructure.
While we do not foresee any issues, you are welcome to reach out to the AOL postmaster team at https://postmaster.aol.com if you should encounter anything.
Over the next few months we will continue to make adjustments as we further combine our systems. Watch this space for additional notes in the future.
Thanks to the folks at AOL/Yahoo/OATH for taking the time to make a public statement about this. Transparency is a good thing, and this is much appreciated.
Reference: Time Warner/Road Runner/Spectrum Email Domains
Sometimes it comes in handy to know all of the common domains associated with a given Internet Service Provider (ISP) or webmail provider.
I believe these are all of the common, legitimate email domains associated with Time Warner (TWC) / Road Runner / Spectrum Cable ISP properties as of January, 2018.
I believe these are all of the common, legitimate email domains associated with Time Warner (TWC) / Road Runner / Spectrum Cable ISP properties as of January, 2018.
Using ClamAV? Update Now
ClamAV is a popular open source anti-virus engine, that among other things, is popularly used to scan emails on Linux/Unix systems for bad stuff. There's talk of a vulnerability out there relating to PDFs (source in German, but Google translate worked well) and users are advised to update to the latest version. I recommend reading the ClamAV-Users mailing list to figure out what's up with that latest version; it sounds like there is some confusion or a potential issue -- some users are attempting to download the latest 0.99.3 version but are getting beta code, not final production code. It's all a bit confusing and I'm hoping that admins running ClamAV will be able to decipher it all a bit better than I'm able to from afar.
More Transitions: AOL/Yahoo Consolidation
Remember how I said that I thought 2018 would be the year of consolidation?
First you had the Microsoft platform consolidation, the merging of their Office 365 and Hotmail platforms. A lot of senders are still dealing with issues around that transition.
Now we're getting word that AOL and Yahoo are going to begin to merge their platforms, starting in February. Step one: Inbound mail to the AOL domains will now be handled by the Yahoo inbound mail servers.
2018 is going to be a wild ride.
H/T: Word to the Wise
First you had the Microsoft platform consolidation, the merging of their Office 365 and Hotmail platforms. A lot of senders are still dealing with issues around that transition.
Now we're getting word that AOL and Yahoo are going to begin to merge their platforms, starting in February. Step one: Inbound mail to the AOL domains will now be handled by the Yahoo inbound mail servers.
2018 is going to be a wild ride.
H/T: Word to the Wise
History Repeating: Challenge/Response again?!
At least one mailing list operator on Mailop is reporting that he's receiving mail from something called BitBounce. It sounds like some combination of crypto-currency based "pay to send email" thing (remember Hashcash? Or is this more like e-postage?) where you attempt to limit spam by requiring each individual sender to pay some extra fee (which doesn't really work unless the whole world buys into the model) and "challenge/response" email filtering wherein you attempt to limit spam by spamming back to the sender a requirement that they click on a link and do a little dance to prove they're human. Which still doesn't work very well, not back when I talked about it in 2014, not back when I talked about it in 2006.
Whaaaaat? This nonsense again? Nobody reads the history books anymore, do they? Kids today...
Whaaaaat? This nonsense again? Nobody reads the history books anymore, do they? Kids today...
Canada and Japan joining forces to stop spam
The Canadian Radio-television and Telecommunications Commission (CRTC) has signed an agreement with Japan’s Ministry of Internal Affairs and Communications. The two groups pledge to work together to "combat unsolicited commercial electronic messages." It sounds like they'll be sharing information to trace spamming bad guys across borders. The agreement came into force on January 1st, 2018.
The CRTC further indicated that it "has entered into similar bilateral agreements with the United Kingdom’s Information Commissioner’s Office, the United States Federal Trade Commission, the United States Federal Communications Commission, the New Zealand Department of Internal Affairs and the Australian Communications and Media Authority."
The CRTC further indicated that it "has entered into similar bilateral agreements with the United Kingdom’s Information Commissioner’s Office, the United States Federal Trade Commission, the United States Federal Communications Commission, the New Zealand Department of Internal Affairs and the Australian Communications and Media Authority."
You use 2FA for your Google account, right?
If so, eventually you'll end up replacing your phone, and you might need a guide on how to transfer that 2FA code generation from the current phone to the new phone. How do you do that? Gizmodo's Field Guide has you covered.
They also explain how to do this with Apple and Microsoft accounts, as well.
You DO use 2FA (two factor authentication), right? Please do. It can perhaps be imperfect, but I've personally seen it save the day when people have tried to nefariously access the email accounts of my friends (and even my own account).
They also explain how to do this with Apple and Microsoft accounts, as well.
You DO use 2FA (two factor authentication), right? Please do. It can perhaps be imperfect, but I've personally seen it save the day when people have tried to nefariously access the email accounts of my friends (and even my own account).
Dead email domain: alltel.net
A reader wrote in asking me if anybody was home at the email domain alltel.net.
I performed a handful of checks to see:
I performed a handful of checks to see:
- Does the domain have an A record? No. We're getting a server failure response or server not found response.
- Does the domain have an MX record? No. We're getting a server failure response or server not found response.
- Does that MX or A record answer as a mail server when you try "telnet (hostname) 25"? Doesn't matter, can't find either.
- Search the web -- what do I find? Two things: First, Matt Vernhout blogged about this domain shutting down back in 2009. Second, here's information from an AT&T message board suggesting maybe the domain still worked in 2016.
According to this timeline, Windstream seems to have indeed picked up much of the Alltel user base at some point in the past through M&A, but AT&T may have later acquired some of the Windstream properties back later? Confusing. But regardless, the domain certainly seems dead today. There's no point in sending to it, and if you've got alltel.net subscribers on your list, then something is funny. Is your list old? Are you sure it's all people who recently opted-in to receive email from you?
TinyLetter: Don't freak out just yet!
Slate reports that popular email service provider Mailchimp plans to phase out TinyLetter, the neat simple newsletter service they have owned since 2011. It sounds like people are jumping the gun on freaking out, though. Mailchimp says that things will change eventually but they actually don't seem to have pulled the plug on the thing yet, or even announced when they might do so.
So stay calm, Tiny fans! Mailchimp even says that even if/when they roll TinyLetter back up into Mailchimp, "it will still have the same super-simple newsletter building functionality, but it’ll be refreshed and updated for improved user experience."
So stay calm, Tiny fans! Mailchimp even says that even if/when they roll TinyLetter back up into Mailchimp, "it will still have the same super-simple newsletter building functionality, but it’ll be refreshed and updated for improved user experience."
More on "Smart Unsubscribing"
I mentioned recently that Google has implemented a feature wherein they'll suggest to "Inbox by Gmail" users that the user may want to unsubscribe from communication from a sender under certain circumstances. Turns out Yahoo Mail does something similar. Tom Sather explains in more detail over on the Return Path blog.
Challenges in 2018?
It's the first working day of the new year. What do you think are going to be some of the challenges we face in the realms of email and deliverability this year?
Here's three concerns that are on my mind for 2018:
Here's three concerns that are on my mind for 2018:
- Continuing platform consolidation. Microsoft started merging their Outlook.com (Hotmail) and Office 365 Outlook email platforms in 2017. From the outside, things didn't always seem to go so smoothly, and indeed, are perhaps not today all that smooth in some cases. Some senders were seeing unexpected blocking with confusing (or no) error messages, for example, and the receiving systems appeared as though they were perhaps overwhelmed. That's potentially still ongoing for some folks today.
And then we have to look forward to a potential merger between the webmail systems of Yahoo and AOL. Now that they're owned by the same company, it makes sense to assume that they would standardize down to one single webmail platform. That's a whole lot of mailboxes and data to transfer (in either direction) and I admit that I'm a little nervous wondering about how things will go if/when they pull that off. (It's not that I think the Oath people are dumb, by any means. Very smart folks-- I just wonder about the scale of such a platform merge.) - Getting serious about DMARC. I might have called 2015 the year of DMARC, as it was all over the news, but 2018 is the year all should start implementing DMARC. Too many folks are ignoring it until they run into problems. Implementing it while something bad is happening can be tougher (like trying to do math while the building is burning) and it takes some finesse and technical skill to ensure that you're doing it right, which is why I think you should partner with a DMARC specialist service instead of trying to do it yourself.
And don't send mail that wouldn't pass DMARC, even if you don't have a DMARC record set up or policy enabled. My very non-scientific observations suggest that at least one large webmail provider will effectively give you a modest positive delivery boost if your mail is DMARC-compatible and a modest negative deliverability drop if your mail isn't DMARC-compatible.
And it goes without saying that in 2018, you should no longer use a from address domain that you don't control or own. - More Stringent Filtering. This past holiday season (Q4), a lot of folks saw a higher-than-expected amount of inbound mail being deferred by multiple large webmail providers, possibly because their systems were overwhelmed with so many senders attempting to send so much mail. I'm sure that to some degree, those platforms will be looking to beef up their inbound mail capacity, but that can get really expensive really quickly, and they aren't likely to endlessly scale up to accept all the mail that every sender in the world cares to send. That means that those providers are probably going to have to look to other means to keep their systems up and stable, and that suggests to me that spam filtering could become more stringent. If you don't have enough resources to accept all the mail, you're going to try to figure out which senders are the better senders and accept their mail first. The not-as-good senders might not get as much mail through, or perhaps even be locked out outright. ISPs and spam filters constantly stack rank senders against each other and this is just yet another example of how they could choose to do that. It's not that different than the way things work today, just keep in mind that what is allowed as far as practices and percentages is likely to be tightened up.
What that means for a sender is, keep your nose clean. Practices that were edge case and perhaps OK a few years ago (old lists, low engagement, etc.) are going to be problematic today. Don't just keep on skating along on what you've been doing for years. Instead, be forward looking and ensure that you're fully on top of everything when it comes to permission and best practices.
Let's regroup in about 350 days and see how things turned out, shall we? I'm sure there will be another five or more big considerations that hit us in 2018 that we didn't consider up front.
Subscribe to:
Posts (Atom)