spam resource: 2019

ISP Deliverability Guide: Gmail

Launched over fifteen years ago, Gmail has grown from the "new kid on the block" into a position of prominence. Depending on what data you look at, you might even see Gmail as the #1 mailbox provider, at least here in the US.

Gmail's spam filtering systems incorporate user feedback and engagement. And they know what they're doing. If you are not sending wanted mail to people who requested that mail and who read that mail at high enough percentages, you're going to struggle. You won't reliably get your mail to the inbox. Their systems are too good -- their magic spam fighting robots look at metrics very closely -- and their view of certain metrics can even change over time! What got you to the inbox in 2016 might not be good enough to get you to the inbox in 2020. Deliverability success at Gmail requires not only that you adhere to best practices, but it also necessitates ongoing monitoring and tweaking of your marketing program.

It was originally called Hotmail. You might call it Outlook.com. I suspect the best name might be "Microsoft OLC" (Outlook Consumer), as this appears to be one of the names applied to this email platform internally at Microsoft. Whatever you call it, successful inbox delivery can be a bit of a challenge, as this webmail provider can be quick to block senders that may not have issues elsewhere.

Nowadays, they're called "Verizon Media Group" but you might know them as internet service providers AOL, Yahoo and Verizon. The email platform they all utilize now is, from a sender's perspective, Yahoo! Mail. Here are my five top recommendations of things you need to consider or implement in order to maximize your ability to successfully deliver mail to AOL, Yahoo and Verizon subscribers. (They also have a bunch of other domains, too. Click here for the full list.)

How the military made Spam an iconic American brand

I hope everybody survived Black Friday and Cyber Monday! It's still a busy week but when you've got things under control, why not take a break and spend it reading about how the military made Spam (the food) an iconic American brand, courtesy of Navy Times.

Best Practices on Domain Name Choices: What TLD should I use?

As a follow up to my previous post on domain name choice best practices, here's an additional two cents I wanted to share. Because I get this question all the time -- should I use my ".com" domain for my email program? Or should I register a ".email" domain or a domain under some other cool and hip TLD?

Egypt’s economic court fines insecticide company for SMS spam

Sometimes those of us with a quite-possibly-myopic worldview might assume that outside of North America and Europe, spam regulation doesn't exist. Well, here's an example where Egypt's National Telecom Regulatory Authority filed a complaint against an insecticide company for, among other things, sending unsolicited mobile text messages. That resulting 900,000 Egyptian pound court fine works out to almost $56,000 in US dollars.

Yahoo Groups is changing

The folks behind Yahoo Groups sent out a notice a couple of days ago indicating that they are making changes to Yahoo Groups. They say that these changes are to make Yahoo Groups more email-oriented by removing the ability to participate in Yahoo Groups discussions on the web. They'll be taking away the "message board" style communication functionality to drive Yahoo Groups communication back to email.

SPAM Alert!

Not that kind--the other kind! From Minneapolis-St. Paul Magazine: Trendy chefs are celebrating SPAM coast-to-coast, and they’re leaving us in the dust.

Chicken-fried spam tacos? I want to try those!

Can I use FOIA to source lists?

Sure! It's legal. Is it wise? Um....let's skip that point for a moment. Let's start with, "it's legal!"

What does "FOIA" mean in this context? Wikipedia to the rescue:

The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal freedom of information law that requires the full or partial disclosure of previously unreleased information and documents controlled by the United States government upon request.

Apart from the U.S. federal government's Freedom of Information Act, the U.S. states have their own varying freedom of information laws.

Querying a government agency to get information back is almost always referred to as "obtaining this information via FOIA" even if that's not exactly the correct governing law in some circumstances.

Google: No favors at Gmail

Tulsi Gabbard's presidential campaign is suing Google for various reasons, primarily for suspending her Google Adwords account. Not really email related, so not really my realm to cover. But something did catch my eye when Laura Atkins blogged about it last week on Word to the Wise:

Gabbard's lawyers included a statement in their complaint about how Google's systems were relegating her campaign's mail to the spam folder at Gmail.
Google's response, as quoted by Laura, is something that I would sum up as, "Shrug. Go read our sending to Gmail best practices page." Ouch.

Anyway, my point here is, Google doesn't do "favors." It doesn't matter if you're a big brand, a well respected company, a Fortune 50 financial institution, or a presidential candidate. They're going to put your mail in the spam folder if they data shows that's where it should go.

To fix it, improve what you're doing. Send more engaging mail. Submit requests to Google to ask them to reconsider spam folder deliver, if appropriate. (This does actually work.) But going outside of process, whether it be to ask a person there for a favor, or to sue them over it, isn't going to be the way to get your mail delivering to the inbox.

Just another reminder that inbox delivery is driven by data and best practices, not relationships (friendly OR adversarial).

Best Practices on Domain Name Choices

If you're going to use your domain (or a custom domain) with an email platform, try, if at all possible, to use your main domain name.

Here's why I say that.

Another day, another dead DNSBL

Another anti-spam blacklist has ceased to exist. For more on the now-defunct Email Basura blacklist, head over to DNSBL Resource.

New XNND DNS Tool Update!

I've updated the XNND DNS lookup tool so that it you can now select "Multi DNS = yes" and the tool will now make the same DNS query against a number of different public DNS servers all in a row.

It'll help you catch issues where you've perhaps updated a DNS entry but are waiting out the TTL (DNS cache) and want to check to see what different servers can see. It can also help you identify some kinds of intermittent DNS issues. I've already run into a couple of different scenarios where I've found it quite useful. I hope you'll find it useful, too!

Example query: Look up the MX records for spamresource.com against all available DNS servers.

Sender ID is back!! No, wait...

Gossip has been flowing through the back channels lately suggesting that Microsoft might be checking Sender ID email authentication DNS records anew.

No...but. My answer to this is a little nuanced, so bear with me.

Dead email domain: ono.com

It appears that the email domain ono.com is going away. ONO was a Spanish broadband communication and entertainment company, purchased by Vodafone in 2014. Fast forward to 2019, and it looks like Vodafone is shutting down the ono.com email domain.

How not to get people to open your emails

Email Compliance manager Skyler Holobach explains why you shouldn't act on clickbait advice you find on the internet. Read more >>

Charter/Roadrunner bounces?

I'm pulling together information from various sources here, and using a bit of guess work. So keep in mind that this info is not guaranteed.

When sending mail to Charter/TWC/RoadRunner domains (full list here), are you seeing any of these bounces?

How Email Spam Filters Work Based On Algorithms

This is pretty basic stuff; it's not inaccurate, but it's not complete. Most other ISPs have other things going on that can also result in emails going to the spam folder. But as a starting point? It's not too bad. Check it out, from NBC: How Email Spam Filters Work Based On Algorithms.

Need example SMTP bounces for different ISPs?

Wondering what different kind of bounces an ISP might give to you? Postmark put together this handy-dandy SMTP bounce example lookup tool. It's called the SMTP Field Manual and it's pretty neat.

Spamhaus Blocklist Changes

Speaking of Spamhaus, this just popped up in my RSS feed reader. It looks like Spamhaus is going to take a harder stance against users who query their lists via open or public DNS systems (such as Google Public DNS or Cloudflare's 1.1.1.1 Service). They're going to respond to all queries from public/open DNS systems with a new 127.255.255.254 answer code, and respond to excessive queries from other sources with a new 127.255.255.255 response code. The net here is that if you query Spamhaus a lot, and aren't a registered, paying user, or if you use public DNS services for even your small hobbyist server, you're going to get cut off.

And based on the way this is implemented, it's possible that a bunch of legitimate mail will start bouncing before all Spamhaus users figure it out.

Even on my own hobbyist Linux box, I'm likely to run afoul of this. Instead of running my own DNS server, I just use Google's public DNS, and I use Spamhaus's "Zen" blocklist in my Postfix email server. Or at least I did, until I removed that DNSBL from the mail server configuration just now.

Stay tuned. I bet we're going to start seeing people popping up to ask why they're suddenly not receiving any more inbound mail.

Click here to head on over to Spamhaus to read the announcement.

Blacklists and multi-client impact: The risk is real

You hear stories sometimes. About how when a deliverability person warns sales that they shouldn't sign that client, but the client comes aboard anyway. "If they do bad things, so what? It shouldn't impact other clients. We'll give them their own domain, their own IPs, and it'll be fine."

Are you sure?

Too many times now, I've seen blacklists like SORBS or Spamhaus blacklist whole ESPs or whole large blocks of IP addresses at an ESP. I bet it's not fun explaining to client #2 that their bounce rate jumped to 50%+ because of the bad acts of client #1.

And this isn't just something that happened in the past. Just about two weeks ago I saw Spamhaus blacklist 255 IP addresses at a particular email service provider due to the actions of a single client. (The listing is since removed, so I can't link to it. And my goal isn't to name-and-shame, so I'm not mentioning which ESP it is. If you're smart, maybe you can figure it out.)

You might argue that Spamhaus appled too broad a stick and perhaps they shouldn't have done that. You might be right. Complain all you want, though, but you can't control Spamhaus, and neither can I, and neither can that ESP. But that ESP can control what clients they allow to use their services, so I would argue that they did have a way that they could have prevented this.

Assuming that one client's bad practices won't affect other clients is a risky proposition.

And I'm not even touching on what this kind of thing does to an ESP's reputation. If you want to be a member of M3AAWG, or if you want ISP people to respond to you favorably when you sometimes ask for help out of band, you need to not have the reputation that your platform will take any client, even ones with bad practices.

Let's go buy a list!

Is buying an email list a good idea? Let's ask around.

Hubspot's got the best quick summary, in my opinion. They say buying an email is a bad idea because:

Reputable email marketing services don't let you send emails to lists you've bought.
Good email address lists aren't for sale.
People on a purchased or rented list don't actually know you.
You'll harm your email deliverability and IP reputation.
You can come across as annoying.
Your email service provider can penalize you.

Don't believe them? Ask Campaign Monitor.

Don't believe Campaign Monitor? Ask Constant Contact.

Don't believe Constant Contact? Ask Godaddy.

Don't believe Godaddy? Ask HostGator.

Don't believe HostGator? Ask SparkPost.

Don't believe SparkPost? Ask GetResponse.

Don't believe GetResponse? Ask Vertical Response.

Don't believe Vertical Response? Ask WhatCounts.

I could keep going...but you get the idea.

HOWTO: Work around Office 365 Unblocking Issues

If you've previously seen this bounce message:

5.7.606 Access denied, banned sending IP [1.2.3.4]. To request removal from this list please visit https://sender.office.com/ and follow the directions. For more information please go to http://go.microsoft.com/fwlink/?LinkID=526655 [eop-APC01.prod.protection.outlook.com]"

What about AOL?

If you're wondering if AOL still exists as a separate entity, the answer is no. AOL as a standalone ISP is no more.

What was AOL is now part of Verizon Media Group, which for a time was called Oath.

SPF and DKIM Alignment: What are they and why do they matter?

If you have implemented DMARC for your email sending domain, the spec requires that your messages either pass "SPF alignment" or "DKIM alignment." Here's what those are and why they are important (and why you should always do both).

SPF alignment is where the mail you send has a return-path domain (aka the sender domain or bounce domain) that matches your from address domain. A DMARC record uses the "aspf" setting to govern how tightly this is checked. If you do not include the "aspf" setting (and you don't need to), then the default "relaxed" setting will be applied.

Is email spam a solved problem?

Engadget asks, "Did AI kill off spam and we just didn’t notice?"

I'm not sure about THAT, but this article is still a very interesting read, and a good overview of how CAN-SPAM isn't considered a great law, how e-postage went nowhere (in spite of Bill Gates' help), and what TensorFlow is and why it matters.

Also: Wow! In this article, Neil Kumaran, Product Manager for Gmail, points out that "Gmail blocks about 10 million spam emails a minute." I guess the barbarians are still at the gate.

BIMI: Current Status? Should we bother?

Since lots of folks are reaching out to me, asking for help with BIMI records and/or wondering if it's something they should take the time to implement, I figured I would take a few minutes to explain the current state-of-the-state with regard to BIMI, and help to answer the question of whether or not you should move forward with it.

ARS Technica: How to read email headers

Here's a not totally bad guide from ARS Technica on how to read email headers. It's worth reading (and bookmarking for future reference.)

BIMI Moves Forward as Google Commits to Pilot Program

It looks like Gmail will have support for BIMI! As announced by Agari, Google will be running a BIMI pilot program soon. Read all about it here.

If you didn't already know, BIMI is meant to be a simple method for a brand or domain owner to publish a logo that is meant to be displayed adjacent to their email messages in an email client or webmail platform. Yahoo has beta-level support for it today.

Google previously would show a logo defined by the Google Plus profile associated with that email address, but future support for that was thrown in doubt when Google announced the shutdown of end user access to the Google Plus platform. Existing logos in place still seem to work. It's unclear what will happen in the future with regard to currently published logos or brand avatars.

Google and Yahoo seem to be the only mail platforms with announced support for BIMI at this time. Still, that's a significant chunk of a marketer's B2C subscriber list, covering Gmail, AOL, Yahoo and Verizon email domains.

Google Postmaster Tools doesn’t like us. How can I fix it?

Are you struggling with how to improve your sending reputation in Google Postmaster Tools? 250ok's LoriBeth Blair just published a very insightful blog post on this very topic.

Mailkit's BIMI Inspector Tool

Trying to publish a BIMI record? Wondering if you've done it correctly? Mailkit has this cool new tool in beta that will help you check and validate your BIMI record. Check it out!

AOL & Yahoo Mailbox Merger: It’s Done!

Verizon Media (aka Oath, aka Yahoo & AOL) folks report that the merger of the AOL user base into the Yahoo Mail infrastructure is complete! Congrats! I'm sure it was a long, hard road.

The bad way to do this would have been to keep the AOL accounts alive on some old, deprecated server cluster that people will eventually forget about, and some day it would crash and data would be lost. So while it was harder up front to immediately consolidate everyone onto one single platform, I'm definitely sure that in the long term, it's for the best.

When Gmail Was First Announced, People Thought It Was an April Fools' Joke

Gmail just turned 15 years old! Hard to believe that when it was announced on April 1, 2004, some people actually thought it was an April Fools' joke.

And now? Gmail's pretty much in charge of email. Don't count out Microsoft and Verizon (Yahoo), but most B2C senders will tell you that Gmail houses the largest single pool of subscribers that they send messages to.

And here's Google looking forward: Hitting send on the next 15 years of Gmail.

AMP: The next big thing?

AMP (short for “Accelerated Mobile Pages") is a method to place dynamic content in email messages, announced by Google, now supported in Gmail, and with Verizon (AOL/Yahoo) now announcing support for it. What is it? Should you care? Want to learn more about it? Lifehacker has posted a pretty good overview of it, albeit from a user's perspective. It's worth a read.

How Do I Avoid the Spam Filter?

Savvy deliverability expert Karen Balle answers a common but important question: How do I avoid the spam filter? And follows it up with a spot-on 6-Step Plan to Escape the Spam Folder.

Hello, Verizon Media Postmaster!

Verizon Media (previously known as OATH, previously known as Yahoo, previously known as AOL) has just launched their new Postmaster Site. Check it out!

As announced on their Postmaster Blog by Lead Postmaster Lili Crowley.

I think it's fair to assume that the legacy AOL Postmaster site is likely to shut down at some point in the near future. It brings a tear to my eye, as that site goes back quite a long time. Here it is in 2003, courtesy of the Internet Archive.

The latest trend at D.C. restaurants? Spam. And it’s delicious.

Sometimes you get tired of working on email spam and just want to go out to dinner. To eat ... spam? Read about spam musubi and more courtesy of the Washington Post.

How to Make Sure Important Emails Stay Out of Your Spam Folder

Today, Gizmodo explains how to train Gmail, Outlook/Windows Mail, and Apple Mail on what shouldn't be considered spam.

They left out filter rules in Gmail -- it's pretty easy to create a filter rule in Gmail where the action is "never send to spam" -- this comes in very handy for me, as a lot of the mailing lists I'm on talk about spam and sometimes include samples. Though they might legitimately be spam, if they go to my Gmail spam folder, it makes it hard to see them.

GPT Downtime

Over on the Mailop list (ignore the SSL warning, that is a long-standing issue), people are noting that Google Postmaster Tools has been missing data and/or been glitchy and/or disallowing new domain registrations over the past days. If you had trouble before, you might want to try again now -- a few folks are saying that things seem to be getting better as of today (Wednesday), though it is unclear as to whether or not all missing historical data will be populated.

For more on Google Postmaster Tools, start here.

DMARC Policies Up 250% In 2018

Look at the explosive growth of DMARC implementations! This is great to see.

Read more about it over on dmarc.org.

Gmail SPF Status of Best Guess: What does it mean?

If, like me, you use Gmail to test and check email authentication results, then you're used to seeing SPF results that say pass or fail. But what does it mean when it says "best guess"?

Here's an example of a Gmail SPF results header that mentions "best guess":

Received-SPF: pass (google.com: best guess record for domain of bounce31@b.email.example.com designates 1.2.3.4 as permitted sender)

What this means is that Google's "faking it" -- they are synthesizing a potential SPF record based on what information they can figure out about the domain. The exact rules that go into the synthesized SPF record are unclear. It could be past email history. It could be that reverse DNS between the sending IP address and sending domain match. Or it could be other things. That's not the important bit. The important bit is this: When Gmail tells you "best guess," it means it can't find your SPF record in DNS. That's a problem, and one you should investigate immediately.

In the example above, Gmail is saying that it can't find an SPF record for "b.email.example.com." Google's systems are smart enough to deal with it, so your deliverability to Gmail subscribers is unaffected. But other ISPs do not all have similar "fake an SPF record" functionality. That means that some other ISPs probably will block this same mail due to DNS failures or lack of DNS entries. If you review all your bounces, you'll probably see that this is the case.

And it can be a difficult issue to troubleshoot, if you see those bounces, then test with Gmail, and Gmail says that SPF passes. There's little to indicate that something is wrong, except for that magic phrase "best guess." Keep an eye out for it and know that it's a strong indicator of a potential DNS issue with your sending domain.

Gmail: Improving spam filtering with TensorFlow

Google just announced today how they've improved spam filtering using TensorFlow.

What's TensorFlow, you might ask? "An open-source machine learning (ML) framework developed at Google. These new protections complement existing ML and rules-based protections, and they’ve successfully improved our detection capabilities. With TensorFlow, we are now blocking around 100 million additional spam messages every day."

That's a lot of newly blocked email messages. Does it affect you, dear sender? Hopefully not, because Google says that they're "now blocking spam categories that used to be very hard to detect," including "image-based messages, emails with hidden embedded content, and messages from newly created domains that try to hide a low volume of spammy messages within legitimate traffic."

This doesn't mean suddenly it is unsafe to send image-heavy emails to your Gmail subscriber base. Google's not about to intentionally start blocking legitimate mail that people actually signed up for. But it does highlight that the closer you get to the edge of best practices -- if you have any practice failings in different areas, you could end up overlapping with one or more of these categories. If so, your messages might actually merit blocking. I'm guessing the chances that it affects a "legitimate" sender are pretty slim, though. But, just a reminder -- "Don't be like Goofus," as the old Goofus and Gallant stores in Highlights for Children used to tell us.

Spammers often do things like rotate through newly purchased domains, embed content in unique ways to try to evade filters, and use images to hide messaging from machine filter review. Don't do these things, and I think you'll probably be just fine.

2018: Did I get it right?

Just over a year ago I predicted that 2018 would be a year full of mailbox provider consolidation, many folks implementing DMARC, and ISP filtering getting more tougher than ever. Was I right? It sure sounds a lot like what I worked on much of the time last year.

Is it too glib to say 2019: More of the same? Because that's my first thought. Provider filters continue to get tighter, DMARC is bigger than ever, and AOL and Yahoo are not quite done merging. I suspect BIMI will grow in 2019, but I feel like we're two or three years out before somebody can declare that 20xx is the "year of BIMI."

I know I'll be focusing more on international (non-US) deliverability this year, but it's hard to say if that's just me, that might not be an "industry" thing.

What do you foresee for challenges and likely focus areas for email and deliverability in 2019?

Fun while it lasted...

Remember back in September when I blogged about how to create a Google+ account to make your brand icon display next to your emails when sending to Gmail users?

Well, looks like that won't work after a certain point, as Google is shutting down Google+ and will be deleting Google+ accounts and content.

I got a notice this morning that says my various Google+ accounts (used for logo display for various email sender tests I've set up) will be shut down on April 2, 2019.

It was fun while it lasted.

I wonder if this means Google will get on board with the BIMI logo display standard? Or there will be some other way to do this? We shall see.

Stop using NJABL! Now!

I just replied to an email from a guy who thinks I'm blocking his mail. I'm not, because I don't run a blacklist or a spam filter, and haven't done so for years. I would have loved to have helped guide him in the right direction, but my reply to him bounced because his mail server is misconfigured to use the NJABL blacklist.

The NJABL blacklist has been dead for almost five years.

If you still have it in your email server configuration, you're now going to block a lot of wanted mail. Because the domain's name servers just changed and they have a wildcard entry that now has the effect of "blacklisting the world."

You were warned...almost five years ago.

Characters in the local part of an email address

Need a "common sense" breakdown showing you what characters should be allowed in the username part (local part) of an email address? This handy guide from Jochen Topf covers exactly that.

It doesn't EXACTLY align with RFCs, but when you look at it from a common sense perspective, I agree with his categorization of each character. This would be a good thing to reference if you were building your own email capture form. (I'd probably also reject the "maybes" for an email capture form, but not reject them in an MTA configuration. Some of the "maybes" show up in bounce addresses somewhat regularly, but are almost never found in legitimate end user email addresses.)