What is Microsoft BCL?

Now that Microsoft has merged their Office365 and Hotmail/Outlook.com platforms, this should apply to anybody sending to either platform. Microsoft calculates a "BCL" (Bulk Complaint Level) for a sender's IP address or sending domain name. (Which? I'm actually not sure at the moment. Let's assume both for now.)

The BCL score is a 0-9 score, where higher basically means "sent by a bulk sender, and more spammy." See this Microsoft Technet article for more details.

How do I tell what my BCL score is? Select "View Message Source" on an email message received at Microsoft Hotmail/Outlook.com. Find the "X-Microsoft-Antispam" header. Here's an example:

X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(5000109)(4604075)(4605076)(610169)(650170)(651021)(8291501071);SRVR:CY1NAM02HT241;

That first entry, BCL:0, tells us that this message is from a sender that has a BCL score of zero. (This message is not from a bulk sender.)

What do those other entries mean? PCL means "Phishing Confidence Level" per this document. So it's good to see that is zero. The rest? I'm not sure. I'll share more as I learn more.
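To pull those values out of a saved message source without reading it by eye, here is an added example (not from Microsoft or any tool mentioned in the post). The sample message is constructed around the header value quoted above, folded across two lines the way long headers often arrive; the function names are this example's own.

```python
import email
import re

# Constructed sample; only the X-Microsoft-Antispam value comes from the post.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.net\n"
    "X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:(5000109)(4604075)(4605076)\n"
    "\t(610169)(650170)(651021)(8291501071);SRVR:CY1NAM02HT241;\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def parse_antispam(value):
    """Split one X-Microsoft-Antispam value into its KEY:value fields."""
    fields = {}
    # Drop folding whitespace first; the fields shown in the post contain none.
    for part in re.sub(r"\s+", "", value).split(";"):
        key, sep, val = part.partition(":")
        if not sep:
            continue  # empty trailing segment or a malformed field
        if key == "RULEID":
            fields[key] = re.findall(r"\((\d+)\)", val)
        elif key in ("BCL", "PCL") and val.isdigit():
            fields[key] = int(val)
        else:
            fields[key] = val  # keep fields we don't understand as raw text
    return fields

def bcl_scores(raw_message):
    """Return the BCL from every X-Microsoft-Antispam header in a raw message."""
    msg = email.message_from_string(raw_message)
    scores = []
    for value in msg.get_all("X-Microsoft-Antispam", []):
        bcl = parse_antispam(value).get("BCL")
        if isinstance(bcl, int) and 0 <= bcl <= 9:  # the post's 0-9 range
            scores.append(bcl)
    return scores

if __name__ == "__main__":
    print(bcl_scores(SAMPLE))
```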

Please Hire Mike Teixeira!

My esteemed industry colleague Michael Teixeira is looking for an opportunity in the anti-abuse or email fields. Got something suitable that you’d like to interview him for? I hope you'll consider him. He and I have something in common – we’ve both worked spam issues for MAPS (Mail Abuse Prevention System, the first anti-spam blacklist group) – me, for a time before Trend Micro acquired MAPS, and Mike, after.

PSA: Time to update your ReCAPTCHA

Google's "ReCAPTCHA" API-based user validation process is very popular. So popular, that internet users are running into warnings here and there on the web, suggesting that it's about to stop working on some websites.

The reason? The V1 version is deprecated and about to be retired. It's going to stop working at the end of March, in just a couple of weeks from now.

The problem? Lots of sites have yet to update from V1 to V2. What happens to those sites on March 31st? I'm not sure, but it probably won't be a good thing.

What's the connection to email? Why am I posting about this?

Because Cloudmark is running V1 of the ReCAPTCHA. The spamrl.com spam filtering service is running the old version, too. The SURBL blacklist's lookup page, too. (Though SURBL just fixed theirs.)

There's probably a lot of other sites out there running the old version of ReCAPTCHA, as well. Do you use ReCAPTCHA on any of your websites? Have you upgraded to the latest version? If not, the time to do so is NOW.

Fun fact: Gmail has two domains

Did you know? Gmail actually has two domains. They are gmail.com and googlemail.com. The latter was used primarily in Germany from the launch of Gmail up through some time in 2012. At first, the Gmail trademark was taken by somebody else in Germany. Looks like it may have also been an issue in the UK up until sometime in 2010.

Google does not otherwise use "localized" domains elsewhere. There are no Gmail users at the email domains gmail.ca, gmail.co.uk, or anything like that. Just gmail.com and googlemail.com.

DMARC: sp= policy not always needed

I've started to search for and catalog big brand DMARC records to look for ideas and suggestions, and also to develop some best practice recommendations.

One thing I'm seeing quite often is that a big company will put "p=reject" and "sp=reject" in the same DMARC record. In this scenario, the "sp=" setting is actually not needed; it is extraneous.

The "p" setting is the DMARC policy for the domain itself. The "sp" setting is the DMARC policy for any subdomains. If you don't set "sp", then the "p" policy is applied to any subdomains. So the only reason you would want to add "sp=" is if you want to specify a different policy for subdomains. If you want to give this domain and any subdomains the same policy, you don't need to include the "sp=" directive.

In short, there's no need to add "sp=" unless you want subdomains treated differently. When would you add the "sp=" setting? If you don't have any legitimate subdomains, you could set your domain policy to "p=none" (safer for the main domain) but "sp=reject" (more restrictive for subdomains). That tells the world that mail from any subdomain should be bounced, since it wouldn't authenticate properly, because in theory you don't have any subdomains.

Here's an easy guide to the variables present or optional in a DMARC record. This seems worth bookmarking.

250ok on DMARC adoption among top US colleges

Matt Vernhout of deliverability monitoring service provider 250ok reports that US colleges are slow to adopt DMARC. I'm not totally surprised; my personal observation is that the financial sector and top tier ISPs/webmail providers seem to be leading the DMARC charge. But I do agree with 250ok that it's time for higher ed to get schooled on DMARC.

File under obvious? Engagement rules!

A bunch of friends have been forwarding around this link to an article from "EContent" entitled "Research Finds Email Senders with Strong Subscriber Engagement Are Likely to See Less Email Delivered to Spam."

On one level, duh.

But also, on another level, it's great to see this supported with research. There are always people out there who doubt what we in deliverability see and explain every day. Sometimes you even run into people like that one guy who ran that agency that went under whose whole shtick was telling people to do the opposite of what deliverability consultants said. It was bad advice, and that kinda thing gets tiring after a while.

So I'm very happy to see Return Path data and analysis supporting what I know to be the best path.

Go straight to the source (here) to get access to the full report.

Howto: Disable your Gmail spam folder

I have a few Gmail accounts set up where I programmatically download all the mail so that I can generate a report showing information about each message. Sometimes, some of the email messages I receive and want to report on go to the spam folder. I could download mail from the spam folder, but instead, I figured it would be easier to just configure my Gmail account so that no mail goes to the spam folder.

It's easy to do that. Here's how:

1. In Gmail, go to Settings.
2. Under Filters and Blocked Addresses, click on "Add new filter."
3. In the To field, type "me" (without quotes).
4. Click on "Create filter with this search."
5. Select "Never send it to Spam."
6. Click on the "Create Filter" button to save and activate your new filter.

This will prevent almost all inbound mail to you from going to the spam folder. A few types of messages, mostly malformed ones, might slip through, but I'm OK with that.

This isn't something you'd want normally, but there are a number of use cases where this can come in handy, so I figured I would share it with all of you.

Note that any mail already in the spam folder is not going to magically get moved to the inbox. This only affects new mail as it comes in.