Gmail Spam Attack on June 30th

Did you receive more spam than usual in your Gmail account at the end of June? Or did you receive more spam IN YOUR INBOX than usual? It might have been due to this. Google just released a root cause analysis of an issue from June 30th, where "Google's email delivery service was targeted in what we believe was an attempt to bypass spam classification." Sounds like the issue resulted in email delivery delays and some messages not getting spam filtered properly. Find more details here.

I *think* this is the same issue that Ben Schoon from 9to5Google is reporting on here.

Hey good senders, this is just another reminder that sometimes ISPs/webmail providers have bigger things to attend to, beyond whatever our problems are. It's good to remember that we may not be the only problem on a provider's plate. And let's not forget that there are lots of bad guys out there trying to send BILLIONS of spam messages every day. You'd never believe the amount of spam a large webmail provider like Gmail or Yahoo Mail (Verizon) or Microsoft OLC (Hotmail) are forced to process or reject every day. The unwanted junky stuff made up around 45% of internet email traffic as of March.

Re-visiting mail forwarding in a DMARC world

Forwarding email messages automatically can be tricky, as evidenced by recent conversation on the Mailop list. Email forwarding always breaks SPF authentication, and can easily break DKIM authentication if you modify any of the headers (and knowing which headers to stay away from can take a bit of work). But it's still doable if you take some care.

For me, this was a solved problem way back in 2015. In a nutshell, I have a script that will just grab the mail, rewrite the headers, send it on with my domain and IP as the sender (properly authenticated with DKIM and SPF). (Funny how I thought ARC would eventually help with email forwarding, but its use case seems perhaps only suited to the biggest providers.)

Last night, I updated my email forwarding script slightly and here's where you'll find the new version. It's still potentially pretty fragile in that it makes a lot of assumptions about the case sensitivity of headers, but in my (admittedly limited) use case, I actually haven't had any trouble with this in years. If you capture mail on a Linux server running postfix/Maildir set up, you could easily modify this script to edit the username, sender address, and recipient address, and drop it into your server to be called by cron periodically and it'll happily pick up mail, rewrite the headers to prevent DMARC-related forwarding issues, and then email it onward it on as directed.

Here's my top five best practices for email forwarding, if you want to do as I do:
  1. Don't forward spam. Have a spam filter in front of this. Otherwise you'll damage your own IP/domain reputation. (Perhaps even have a separate sending IP address or at lease a separate DKIM domain for forwarding, if you're really worried about this.)
  2. Send as you, not as them. The forwarded mail should have your from domain and you should sign the forwarded mail with your DKIM signature. I strip away the old signature (change the header name to X-DKIM-Signature) to fully remove it from the equation.
  3. Make sure that the mail is fully authenticated. DKIM as noted above, sending IP address is in the SPF record of the return-path domain, domain has a DMARC record. All help with deliverability, directly or indirectly.
  4. Rewrite the return-path address. Why? If you don't, you'll potentially run afoul of DMARC policy due to SPF authentication failure, and some of the forwarded mail will be rejected. (I don't recommend bothering that you configure it to play nice with Sender Rewriting Scheme as SRS is not widely implemented.)
  5. Preserve the original from address in the reply-to field, if at all possible. That way users can still respond to the original sender, in spite of the DMARC-necessary header rewriting. This doesn't always work perfectly, as Gmail has some safeguards to prevent what they think may be funny business in from/reply-to combinations. But it generally works. (And Gmail's limitations aren't set in stone.)
And finally, keep in mind that email forwarding can be complex and imperfect. The biggest providers do it, but I think some of their success with it is due to bending email authentication checks and/or whitelisting forwarding IP addresses, which are options not always available to the hobbyist or smaller enterprise. That doesn't mean you can't or shouldn't do it, but like with so many things deliverability-related, it's important to "keep your nose clean" and do whatever you can to ensure that your IP address and domain are only sending (or in this case forwarding) wanted mail.

(And don't complain to me about how this "breaks email" -- no, email has changed, email has evolved, and the old ".forward" method of email forwarding hasn't been very compatible with most large mailbox providers for years. I strongly feel that you have to adapt and evolve if you want continued success.)

BYE: My first impressions

If you recall my recent review of the new HEY email service, you'll remember that I wasn't convinced that it was the right email tool for me. Maybe you felt the same way? Maybe not. But if you didn't feel like HEY was the next big thing, BYE might just be the right email service for you! Clearly inspired by HEY, BYE promises to be "the first email service to automatically respond with an insult, and then delete every email sent to you." I think I'm in love. Read all about it here

Joking aside -- I am struck by another comparison with HEY. That still, this is stuff you can just as easily do with Gmail. How do I know? A couple of years ago, my wife published a particular op-ed in the Washington Post and this is exactly what we ended up having to do just afterward. We configured a Gmail account to auto-reply with a "go away" message and delete everything. We had to. Stop and think about what kind of angry emails you might get in response to political speech. And then double the abuse to account for how jerks treat women online. That mailbox was wholly radioactive -- we could feel the heat all the way from the next room, even with the laptop closed.

Huh, you know, the more I think about it, maybe we do need an email service like BYE.

Quick List: ESP Abuse/Spam Contact List

There are useful tools out there that can help you figure out where to send a spam report to. I use the ARIN Regional Internet Registry and abuse.net nearly every day to look up spam reporting (abuse) contacts for IP addresses and domains. Some folks use SpamCop (which historically does not play nice with ESPs, so it's not as valuable to me). I don't necessarily have the time or skills to build something as technically complex or useful as these tools, but I did want to try to make it easier for people to find spam/abuse contact information for various sending email platforms (ESPs, email service providers). To that end, I've reached out to various providers and asked them to share contact info so that I can share it with you here.

HEY: My first impressions

HEY is a new email service with webmail and a mobile client, recently launched by the folks behind Basecamp, a web-based project management tool. HEY users receive email at the domain hey.com.

They're selling email service for $99/year (or more). If you're really just interested in a taste of deliverability and rendering testing, you can get a free trial account that lasts for two weeks (and HEY gets to pick your username). You can initiate that free trial from inside the mobile app or on the web. (I tested the iOS app; YMMV on Android.)

Reporting Spam to Apple from your iCloud Mail account

Apple's iCloud Mail doesn't have an ISP Feedback Loop (the mechanism that sends spam reports back to the sender or sending email platform), but even so, I think it is good to tell them when you believe a particular email message to be spam.

Full headers: What are they and how to access them

Internet email messages have hidden headers (that email technology people commonly call "full headers") that can help you trace the source of a message and these can come in very handy for troubleshooting email delivery issues or reporting spam.

Reporting spam with Outlook on iOS

Good news! The latest version of the Outlook email client for iPhone (version 4.42.0) now supports user submission of spam and phishing reports. TL; DR? When viewing a message in Outlook on your iPhone, open the "more" (three dots) menu and select "report junk" to tell Microsoft that you think a particular email message is spam.

You WANT spam folder delivery?

You don't want your mail to go to the inbox? What? Why would you want that?

But OK, if you truly want to send an email message and ensure that it goes to the spam folder, The Next Web reports on a tool called Straight2Spam, for those times when you want to email somebody but want them to possibly miss the email by having it delivered to the spam folder. It sounds like a fine opportunity to engage in passive aggressive behavior, if you ask me.

You might be wondering, how well does it work? I have no idea. I've got a full time job and no spare cycles to test this kind of nonsense myself. You should try it out and let me know if it gets the job done.

Help! All mail to privaterelay.appleid.com users is bouncing!

Here's the scenario. You've got "privaterelay.appleid.com" email addresses on your list. They signed up for your email. But when you try to email them, that email bounces back. What's going wrong? Allow me to explain.

What is the Vade Threat List? How do I request removal?

Vade Secure is "a global leader in predictive email defense, protecting 600 million mailboxes in 76 countries. We help MSPs and SMBs protect their Office 365 users from advanced email threats, including phishing, spear phishing, and malware."

Blocked at t-online.de?

On Tuesday, June 9th, 2020, various mail server administrators were reporting that they were now having trouble delivering email messages to large German ISP and mailbox provider (and telecommunications company) T-Online.

ISP Deliverability Guide: 1&1 (Web.de, GMX, Mail.com)

1&1 is a large email and web hosting provider headquartered in Germany, but with a large presense throughout Europe and a significant showing in the US. They host mail using the domains mail.com, email.com, web.de, gmx.net as well as many other domains.

New email vendor? Expect your deliverability to plummet… at first

I've worked in Deliverability for a long time now, across multiple sending platforms, and I go to industry events and know a lot of people in the space. One of the things I've learned from talking to colleagues at different companies is how opens and clicks are almost always lower after a sender switches ESPs. Not forever, and not lethally so, but regardless of which platform you used to use, and which one you use now, opens and clicks will be lower on the new platform compared to the old platform. Clients can be confused about it, assuming the new platform must be doing wrong, and deliverability people are invariably stumped when they first run into it, because there's no real handbook or guide to walk you through this.

BIMI: ISP Support as of June 2020

It's been about three months, so time for another BIMI status update. Here's the current status of BIMI and its support by the top ISPs.

Tony Webster: Investigating using domain & SSL info

Minnesota-based freelance journalist Tony Webster is somebody you should follow on Twitter. He's been mining public records and other info to provide additional insight into what's going on in Minneapolis (my home town) right now.

You should check out his website, too. One thing that really caught my eye was this: Using domain registrations, security certificates, and Shodan to break news. He calls it, "A quick guide for journalists: how to spot new domain registrations, recently-issued SSL certificates, and new servers to report on political, business, and government initiatives." It's good stuff! It might need an update, as WHOIS output in a GDPR-compliant world can be limited compared to what it once was (thanks, ICANN), but there's still some very good stuff here.

How to Send a Text Message Via Email

I'm not sure how the website "20somethingfinance.com" ended up being a good resource for this, but that's where I found the most information when I started doing my research. Just to be safe, I'm going to share their same info here just in case that website disappears.

Want to use email to send a text message to your cell phone? Just send an email message to your ten digit phone number + @ + your provider's SMS/MMS gateway domain name. For example, the Verizon Wireless domain for this is vtext.com. If you're a Verizon Wireless customer, and your mobile phone number is 3125551212, you would send email to 3125551212@vtext.com to send a text message to your mobile phone.

Please hire: Aric McKeown

My friend Aric McKeown is a smart guy on a job hunt. Are you hiring? Got anything suitable for his unique set of skills? He's got very solid deliverability, email operations expertise and more!

Aric writes: I have spent the last 5 years work in email deliverability and the 13 previous years working in email marketing production, website analytics, and website design.

In addition to my work resume, I have a large swath of creative side work I've been involved in and created.

Least Dangerous Game - A urban scavenger hunt created at the outset of Twitter, highlighted by Twitter's Jack Dorsey himself.

Make Me Watch TV - A one-year experiment in web 3.0, allowing users to dictate the TV shows I would watch and live-blog nightly.

The Mustache Rangers - A 250-episode improvised podcast produced, edited, and performed by me. 

Blank It - An abstract and surreal webcomic written by me.

A Talking Cat!?!: The Blog - Examples of extreme critical and humorous writing pertaining to the horribly bad movie A Talking Cat!?!

If you, or somebody you know, needs someone with a large history of email marketing skills, or any of my other myriad of critical and creative skills, please let me know.


Dead domains: upcmail.cz, chello.cz, karneval.cz, mistral.cz and mbox.dkm.cz

Back in 2019,  UPC (Liberty Global) sold their Czech Republic holdings to Vodafone. Fast forward to May 2020 and they've just announced that email service to the Czech UPC/Chello domains is being shut down, with service terminating on August 31, 2020.

Finally! A font-based solution to the Scunthorpe problem

I've mentioned the Scunthorpe problem a couple times previously--how computerized attempts to block profanity inevitably result in silly false positives. Today it is with glee I note that a kindly font designer has taken heed of the plight of the town of Scunthorpe and implemented a rather silly font that automatically blocks most swears, but allows the name "Scunthorpe" to remain fully viewable. You'll want to click on through and learn more about this, I am sure.

ISP Deliverability Guide: Apple's iCloud Mail

Apple's iCloud Mail is a top ten consumer email mailbox provider based in the US, hosting consumer mailboxes at the domains mac.com, me.com and icloud.com.

Apple may not always make it clear exactly why they may have blocked your mail, but I strongly believe that they look at the typical deliverability and reputation-related data points that most smart ISPs look at. Based on metrics and reputation, do they suspect that the mail you are sending is unwanted? Do they see high spam complaints? Are you blacklisted by Spamhaus or is your mail fingerprinted as spam with a major reputation provider such as Proofpoint? Any of these are likely reasons for being blocked from sending to Apple's consumer mailboxes.

Dead DNSBLs: all.rbl.webiron.net and bsb.spamlookup.net

Two anti-spam blocking lists appear to have died or malfunctioned recently.

Your periodic reminder: Please register with abuse.net

If you're an email marketer, a compliance or deliverability specialist at an ESP, if you work for an email platform, or if you're a marketing manager who manages a lot of outbound email streams, I ask that you register all of your domains with abuse.net.

Abuset.net, the Network Abuse Clearinghouse, run by John Levine, is a simple, centralized database of spam contact information for different domains. John, who has managed this serviced for many years, has done the internet community a very good service by helping to make it easier for people and automation to send spam reports to the right place.

Yikes! Cyber-Criminals Increasingly Using CAPTCHA Walls in Phishing Attacks

From Infosecurity Magazine: "New research from Barracuda Networks has revealed that cyber-criminals are increasingly using official reCAPTCHA walls to disguise malicious content from email security systems and trick unsuspecting users." Read more here.

Meaning, if a phishing email's landing page blocks content until and unless a user solves a CAPTCHA or CAPTCHA-like process, the automated systems in use by email security devices and services (such as Barracuda) may not be able to fully review the content to correctly categorize it as malicious. That's pretty scary. I wonder if a long term solution is perhaps for security services to collaborate with CAPTCHA providers to be able to see past these challenges. I've long felt there's a missed opportunity there for those important security services to work more closely with content providers and email platforms to better understand each other and improve threat identification. But what do I know?

In the meantime, it's important that users stay vigilant, as even before this challenge there's always going to be some bad content or other that gets past a filter. Be careful what you click on and be sure to check URLs of any site where you may be entering login credentials. (And a password tool such as LastPass can help with this sort of thing as well; it'd only populate your credentials in a site with the correct domain name, not suggesting a user/password entry on a fake domain name that it doesn't recognize.)

[ H/T: Slashdot ]

Google: Protecting businesses against cyber threats during COVID-19 and beyond

Neil Kumaran and Sam Lugani from Google recently shared staggering statistics regarding the amount of bad stuff that gets aimed at Gmail users daily: "Every day, Gmail blocks more than 100 million phishing emails. During the last week, we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models have evolved to understand and filter these threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users."

Outlook.com has tabs now, too?

What? This seems new. Brad Gurley talks about this over on his Delivery Counts blog. He says the tabs that show up include "Focused Inbox, Microsoft’s 'Priority Inbox' clone, along with Promotions, Social, and Newsletters." Find more details and screenshots here.

Spam-a-licious!

With so many grocery store shelves running bare during the pandemic, it looks as though people are turning to Spam (the good and salty kind). "The packaged pork product that is Spam has never been more popular," reports the Minneapolis Star-Tribune. Looking for recipes? They've got you covered. I'll be trying the spam fried rice, myself. It sounds like a nice change from my usual spam-and-eggs.

Beware of questionable and/or bad guys trying to take advantage of you in a rough time

You want the country to open up again? Be careful not to let your haste allow you to fall into the astroturf-driven fake news websites, or even worse, get tricked into giving your personal information out to bad actors.

Blocking emails to role accounts: Best practice?

Do you block email signup attempts from role accounts? If not, I think you should consider it.

What's a role account, you might ask? It's an email that has a username part (the part to the left of the @ sign) that is commonly reserved for either a system function or administrative role.

Call for Deliverability Monitoring Vendors: ZeroBounce

In my ongoing quest to share info about additional email deliverability testing and monitoring vendors, I've stumbled across this press release from email validation platform ZeroBounce. They say: "The ZeroBounce Inbox Placement Tester gives senders an overview of their future email deliverability. Customers will receive access to more than 20 test email addresses associated with the most popular email providers around the world. The results – inbox, spam or not delivered – give users a chance to revise their emails, troubleshoot issues, and send more confidently."

BIMI: ISP Support as of April 2020

I get asked about this quite often, so I think periodically I'll post a quick update out there showing current status of BIMI and its support by the top ISPs.

More (pointless) fun with double opt-in

For no useful reason, I took my little double opt-in tool and hitched it to a script that sends a daily automated email message. Now if you sign up for this new email list, you'll get a daily email with a link to a song or music video. Different every day, personally selected by me. Some good, some very good, some not so good. If you're bored and need a daily distraction, check it out!

Bounteous explains AMP for Email

What is AMP for Email? Where did it come from, who supports it, what do you do with it, what's its current state, and what does the future likely hold? Caity O'Connor, Campaign Specialist for Bounteous answers most of these questions in what I believe to be the best overview to date. Click here to read.

Ask Al: Help! How best to send to 70 friends at once?

Thierry writes: "For the past 3 days I have been identified by Spamhaus as a spammer, I guess, as I get error 554 when sending to domains that they filter. As you can see I have a mail.com address.

"The only change in my recent email activity is that for the past 10 days I have been writing kind of a diary email to all my friends and family (about 70 recipients). The frustrating part is that they write to me and I can't reply to them!

"If you have any advice and time to give it, that would be really really nice."

(Thursday, April 9, 2020 Edit: Updated title to better reflect the likely underlying issue.)

Why coronavirus scammers can send fake emails from real domains

Here's a very simple and straightforward explanation of how "Organizations like the WHO could prevent domain spoofing, but many don’t," by Joss Fong and Cleo Abram for Recode. If you know about DMARC, you already know what's going on here, but it's still an important read. Hopefully it'll drive further DMARC adoption.

[H/T: Brian Westnedge.]

April Fools Day is Cancelled

Please don't email me something fake or "jokey" on Wednesday. And don't do that thing where your company or blog posts a bunch of fake stuff to try to troll people. Tensions are high and people are nervous. Now truly is not the time for failed attempts at being wacky.

Reference: Web.de, GMX and Mail.com Domains

GMX and Web.de are two freemail providers based owned by United Internet (1&1) and primarily based in Germany, but providing free email seemingly globally. Mail.com might be considered the "US edition" of their email service and has nearly 200 different email domains to choose from.

It's been tough to find a published reference list of domains used by them (with the exception of the Mail.com domains), but here's what I was able to come up with, with help from smart guys Jakub Olexa and Udeme Ukutt.

Spam and reputation

Need a break from the heavier news? Okay, let's talk about spam and reputation. No, not that spam, and not that kind of reputation. Spam, the food product. Julia Press of Business Insider explains "how the makers of Spam stopped worrying about being a global punchline and learned to embrace the joke."

While I'm not planning to hoard Spam during this tough time, I do keep a tin of bacon-flavored Spam in the cupboard, as it makes a good breakfast meat if you find yourself out of bacon or sausage. Slice it thin and it fries up nicely on the stovetop. It also greases the pan well enough that I find that I don't need to oil the pan before frying the eggs.

A few COVID-19 subject lines

The Freecycle Community and COVID-19. COVID-19: How UPS is Responding. Update from Starbucks. Supporting our customers during this critical time. Coronavirus Update. Temporary Change to Store Hours. A travel update from our leadership. COVID-19 Updates From the Illinois Lottery. Our commitment to safety - a message about coronavirus. A message from our CEO. Important information about the coronavirus. A message to our guests from CEO. More Flexibility for Your Travel. Health and Safety Information from WG Restaurants. Caring for the Lyft community. Traveling with Flexibility and Care. We are here for you. Here’s Are New Hours and Closures for Campus Buildings During Coronavirus Outbreak. How we're supporting you during the coronavirus. A message from our CEO. Health & Safety Update from Tire Store. A travel update from leadership. A Letter to our Fans. Our pledge to you during the coronavirus outbreak. A message from E.T. about COVID-19. Updates & Resources for Businesses Impacted by COVID-19. We are still operating at full capacity. A Day of Giving Message for Customers. Message from the Mayor: COVID-19 Updates. Extending Our Support Through COVID-19.

Reference: All Virgin Media (UK) domains

I'm working to add to my list of ISP resource pages, including new information on domains used by various ISPs. Here's information for UK broadband provider Virgin Media.

Call for Deliverability Monitoring Vendors: Postmastery

Hey, deliverability monitoring vendors! I know you're out there, and I don't know a lot about many of you. Do you manage a service that does inbox deliverability testing, seedlist testing, inbox monitoring, or similar functionality? Feel free to drop me a line and let me know a little bit about your product or service, and I'll publish it here. 

First up -- Willem Stam has kindly provided the following information about Postmastery:

Everything marketers need to know about BIMI: The latest email standard

Jennifer Cannon from Martech Today just posted a solid overview of where BIMI is at today. If you don't recall what BIMI is, she explains: "BIMI is a way for brands to publish their logos in their customers’ inboxes and allows logos to be easily incorporated into messaging."

Amazon Web Services (AWS) now blocking block port 25

Amazon recently made a change affecting AWS/EC2 users. As of January 27, 2020, new EC2 instances will no longer have port 25 access to the world. This means that by default, they won't be able to send email.

Other Deliverability Monitoring Vendors?

Besides Return Path and 250ok (now both owned by Validity), and eDataSource (now owned by SparkPost), here are three other deliverability monitoring vendors, as shared by kind commenters on my previous post:

Validity to Acquire 250ok

When I ask myself, what vendors are there in the deliverability monitoring tools space, I think of three primary vendors: Return Path, 250ok and eDataSource.

Then I ask myself, what will this vendor landscape look like in a year from now?

Fun with Double Opt-in

Here's a link to the source of my new double opt-in sign up tool, if you'd like to check it out or install it for your own use. (It is now called WombatMail.) Of course, feel free to go ahead and submit your address if you'd like to receive email updates from Spam Resource.

Some considerations related to the double opt-in signup script:
  • This is written in Bash, a common linux/unix scripting language.
  • There are variables near the top that you will need to edit to specify things like the name of your list, the email address to send from, etc.
  • You can block various domains, usernames and email addresses using the BADDOMS, BADUSERS and BADEMAILS variables.
  • There are a few lines you can comment out to disable things like the unsub notification email, DNS checks, and the new subscriber notification email. Search for the word "comment" to find these points.
  • Email authentication is a function of your mail server and DNS configuration in this context, not my script. Meaning my script does not add SPF or DKIM or DMARC -- you add these by way of configuring DNS and your mail server for your domain.
  • You can look at the gen_code subroutine if you want to modify the way the opt-in link looks. Be careful not to make it so simple that anybody could manipulate a URL to cause a forged opt-in subscription.
  • To export subscribers, use this script. It reads the log, exporting every person whose current status is "subscribed." 
  • I think this process of using a log file and finding status via the log file is a clunky-but-good-enough way to manage a database without actually using a database. You could implement a SQL database to track active subscriptions and logs if you like, but I wanted to minimize my reliance on additional tools for this particular project.
Some thoughts on this opt-in process and double opt-in best practices in general:
  • The script generates fairly long/random opt-in URL codes. This is to prevent opt-in forgeries. You don't want people to be able to "hack" URLs to cause forged subscriptions or even forged unsubscribes. For this reason, you should never expose the email address in the opt-in URL.
  • My opt-in URLs don't expire. Maybe they should, and maybe they will in a future update.
  • To prevent "opt-in confirmation bombing," this tool allows a user to re-request an opt-in confirmation twice, for a total of three opt-in confirmation emails. After that it won't send you another. If you subscribe, then later unsubscribe, the counter is reset and you could receive three more. That way it allows re-sends for users who might resubscribe in the future.
  • The script checks subscriber domain validity by matching the TLD against a fixed list of TLDs. This will eventually go out of date as somebody adds the latest new, weird TLD to the world, but is probably good enough for government work. It is unlikely that anyone with an email address of bob@chicago.squirrelunderpants is going to try to sign up for your list, even if "dot squirrelunderpants" ends up being a valid TLD in the future. I suppose I could do a live call out to the IANA TLD list, but why add the network noise?
  • The script also requires that the sending domain have a valid MX record or A record. If it doesn't, mail won't be accepted anyway, so why bother sending a confirmation mail? Similarly, it looks for an SPF record that suggests that a domain sends no mail. A domain configured like that isn't likely to have valid users who want to receive your mail. A lot of spamtrap domains are configured this way; let's not bother them with confirmation requests.
By the way, it turns out that the opt-in confirmation emails for my list are delivering to the spam folder at Microsoft/Hotmail, even though my IP address has a Sender Score of 100, 5+ years of history sending good mail, and I authenticate mail with DKIM and SPF. Perhaps that says more about Microsoft than me. I suppose I'll open a mitigation request ticket at some point.

Anyway, the reason I put all this together was just to remind myself that double opt-in isn't hard. I hacked this script together over a few hours here and there last weekend, and somebody putting more time, effort and planning into it could do a better job than I do. You could take this script and use it to manage signups for your list, and know that every signed up address has been properly validated, accurate and truly opted-in, without spending a dime on an external vendor.

(Updated 3/2/2020: I've renamed the list management tool "WombatMail," since it's a domain name I've had forever but do very little with.)

You should check out: Really Good Emails

Fellow Director of Deliverability Jen Nespola Lantz reached out to me to share a link to Really Good Emails.

She writes:"I often get asked, "Okay, you want me to do X, but what would that look like? Can you send me ideas?" I am not always able to send client examples, so I used to either have to mock them up or pull from personal examples. Although this is not necessarily a deliverability tool, it is a great source of ideas for emails and messaging for this very case (and many more). If you think about it, ultimately, if you send content that looks great and functions well, you may drive more customers to look for it and then interact with it. If you drive a better experience you'll likely end up improving deliverability anyway...so maybe it is a tool, just an indirect one. The examples stored here are clean and beautiful and demonstrate very creative ways to message successfully once you get those eyeballs. Hope you find it useful!"

This is a cool site and I think folks will find it very helpful! Thanks, Jen!

DMARC.org: DMARC Policies Increase 300% over 2019

Wow, DMARC continues to spread like wildfire! Data from Farsight Security shows that DMARC adoption increased significantly in 2019. Up from 630,000 domains with DMARC in 2018, they now have observed 1.89 million domains publishing a DMARC policy over the past year.

DMARC is a very useful security tool to help prevent malicious and unauthorized use of your domain name in email. You should implement DMARC if you haven't already. And if you have, you're in good company!


Verizon announces new Email Deliverability and Performance Feeds

Sean McWilliams of Verizon (aka AOL and Yahoo) just announced something that they are referring to as "Email Deliverability and Performance Feeds." Click here to read the announcement.

What does it look like? Don't quite know yet. I am hoping it will be a sort of Google Postmaster Tools-like or Microsoft SNDS-like dashboard where one can log in and view engagement-based sender reputation metrics for a given domain name. We will see.

Their new Verizon Postmaster page on the topic suggests that there will be two types of "feeds":
  • "The Placement Feed provides metrics on how many emails from a sender domain are delivered to the inbox, spam, and folders. It also provides metrics for error and complaint counts.
  • "The Campaign Performance Feed provides key metrics such as delivers, opens, reads, glances, skims, deletes, and clicks for a sender domain. Metrics are broken down by sender domain and campaign."
Inbox versus spam folder placement data is a nice touch. Until now, folks needed a tool like 250ok, eDataSource, or Inbox Monitor to denote spam folder placement.

This looks really interesting and I'm really looking forward to learning more about it. Stay tuned!

Receive Email Updates from Spam Resource

People periodically ask me if there is a way that they can receive an email notification whenever a new blog post is posted on Spam Resource. Never really thought much about it, as my focus was on blogging about emails and not sending them, but enough people have asked that I decided it was time to put something together.

Why Email Engagement Is the Holy Grail of Email Deliverability

ActiveCampaign's Robert Colomberti's explains.

This is REALLY good stuff. The date range guidance might change depending on your industry or differences in sales pipeline, and the segmentation guidance gets a bit platform specific, but the core of this is solid.

As far as the bit at the end about using an email validation vendor, that's a whole other discussion. Upfront verification that somebody isn't submitting an invalid address into a form is a good thing, but don't forget that it's not the same as verifying permission. Data validation isn't going to fix a non-permissioned list, for example. That kind of thing is still deliverability killing. (I don't mean to imply that ActiveCampaign says otherwise. I am just making my own voice heard here.)

Apache SpamAssassin 3.4.4 now available

The Apache SpamAssassin Project has just announced the release of version 3.4.4 of the popular spam filter SpamAssassin.


Apache SpamAssassin 3.4.4 is "primarily a security release," but includes various fixes for things like improved carriage return handling for DKIM checks and re-implementing Perl 5.8.x compatibility. Click here to learn more about it and/or download the updated version.

Following best practices for sending to Gmail

Google has updated the Gmail "Bulk Sender Guidelines" page, and it is now called, "Prevent mail to Gmail users from being blocked or sent to spam." Check it out!

(Thanks to the smart folks at Postmark for the tip!)

Is 2020 the year of BIMI?

You might notice that in my "2020: What's next?" post, I didn't mention BIMI.

BIMI, aka Brand Indicators for Message Identification, is the new way to specify what logo or brand avatar a sender wants shown alongside their email messages. (Learn more about BIMI here.)

Showing a logo, avatar or little graphic along side an email message isn't a new thing. Gmail, Yahoo Mail and others have supported some form of logo display for a long time now. But where that logo was sourced from, how it was populated, this wasn't always clear or obvious. Gmail would pull the graphic from a Google Plus profile or Google account. Yahoo Mail would do the same, I found, but it also could pull the logo from other places. It had some sort of internal process that I wasn't privy to.  And there's Gravatar, which is still out there and still (modestly) supported. (And at some point, Microsoft announced something called Brand Cards that never seems to have launched. So I have no idea if anybody ever set up or observed a "brand card" logo in the wild.)

Mashable's wrong (sort of) -- empty your inbox!

Mashable's Alex Perry wrote just the other day that one should never bother to clean out your email inbox. Sort of right, sort of wrong. Me, I'd go crazy if I left 250,000 email messages in my email inbox. His point, though, is that you might as well save everything forever in email, and have it available to search through as needed. That's something I completely agree with. But he misses the point-- you don't have to "leave it in the inbox" to do that. In Gmail, for example, just "archive" it all at some point, and it is still there for you, in "All Mail," and available to be searched, without specifically cluttering up your inbox. So keep all that mail, but empty the inbox out periodically.

Got placed in the Gmail promo tab? You're not alone.

Apparently it happens to Seth Godin, too (click here).

He's got a fix for it, see, but those big meanies at Google won't let him implement it. He's even encouraging you to yell at Google on his behalf. (It turns out, Google is a bit shy about letting third parties have access to fiddle with your Gmail inbox settings. Can't say I blame them for that.)

Europe is different and why this matters for US-based companies

Here's an article from Mailkit's Jakub Olexa explaining how the ISP landscape is different in Europe. This is useful stuff for US-based senders to learn. That chart is especially insightful. Thanks, Jakub!

2020: What's next?

Well, the new year is here. (Along with a new blog template and updated ISP deliverability guides.) What do you think will happen in the deliverability realm in 2020? Here are my first thoughts.

First, DMARC is finally reaching critical mass. No longer an edge-case security feature that your marketing teams ignore, more and more senders finally start to understand that supporting DMARC is easy and should be considered a best practice. DMARC adds complexity to email forwarding, reply handling and mailing list management, so look to experts for assistance if your email use cases would run into any of those realms. But outside of those, DMARC can actually be pretty easy to set up.

Temporary Site Map

May 2020
Your periodic reminder: Please register with abuse.net
Yikes! Cyber-Criminals Increasingly Using CAPTCHA Walls in Phishing Attacks

April 2020
Google: Protecting businesses against cyber threats during COVID-19 and beyond
Outlook.com has tabs now, too?
Spam-a-licious!
Beware of questionable and/or bad guys trying to take advantage of you in a rough time
Blocking emails to role accounts: Best practice?
Call for Deliverability Monitoring Vendors: ZeroBounce
BIMI: ISP Support as of April 2020
More (pointless) fun with double opt-in
Bounteous explains AMP for Email
Ask Al: Help! How best to send to 70 friends at once?
Why coronavirus scammers can send fake emails from real domains

March 2020
April Fools Day is Cancelled
Reference: Web.de, GMX and Mail.com Domains
Please hire: Sarah Johnson
Spam and reputation
A few COVID-19 subject lines
ISPs do filter political mail
Reference: All Virgin Media (UK) domains
Call for Deliverability Monitoring Vendors: Postmastery
Everything marketers need to know about BIMI: The latest email standard
Amazon Web Services (AWS) now blocking block port 25
Other Deliverability Monitoring Vendors?

February 2020
Validity to Acquire 250ok
Fun with Double Opt-in
You should check out: Really Good Emails
DMARC.org: DMARC Policies Increase 300% over 2019
Verizon announces new Email Deliverability and Performance Feeds
Receive Email Updates from Spam Resource
Automatically Resend Emails to Non-Openers With Pardot
Why Email Engagement Is the Holy Grail of Email Deliverability

January 2020
Apache SpamAssassin 3.4.4 now available
Following best practices for sending to Gmail
Is 2020 the year of BIMI?
Mashable's wrong (sort of) -- empty your inbox!
Got placed in the Gmail promo tab? You're not alone.
Europe is different and why this matters for US-based companies
2020: What's next?

December 2019
ISP Deliverability Guide: Gmail
ISP Deliverability Guide: Microsoft OLC
ISP Deliverability Guide: Yahoo/AOL/Verizon
How the military made Spam an iconic American brand

November 2019
Best Practices on Domain Name Choices: What TLD should I use?
Egypt’s economic court fines insecticide company for SMS spam
Yahoo Groups is changing
SPAM Alert!
Can I use FOIA to source lists?
Google: No favors at Gmail

October 2019
Best Practices on Domain Name Choices
Another day, another dead DNSBL
New XNND DNS Tool Update!
Sender ID is back!! No, wait...
Dead email domain: ono.com
How not to get people to open your emails
Charter/Roadrunner bounces?
How Email Spam Filters Work Based On Algorithms
Need example SMTP bounces for different ISPs?
Spamhaus Blacklist Changes

September 2019
Blacklists and multi-client impact: The risk is real
Let's go buy a list!
HOWTO: Work around Office 365 Unblocking Issues
What about AOL?
SPF and DKIM Alignment: What are they and why do they matter?
Is email spam a solved problem?
BIMI: Current Status? Should we bother?

August 2019
ARS Technica: How to read email headers

July 2019
BIMI Moves Forward as Google Commits to Pilot Program

May 2019
Google Postmaster Tools doesn’t like us. How can I fix it?
Mailkit's BIMI Inspector Tool

April 2019
AOL & Yahoo Mailbox Merger: It’s Done!
When Gmail Was First Announced, People Thought It Was an April Fools' Joke

March 2019
AMP: The next big thing?
How Do I Avoid the Spam Filter?
Hello, Verizon Media Postmaster!
The latest trend at D.C. restaurants? Spam. And it’s delicious.
How to Make Sure Important Emails Stay Out of Your Spam Folder

February 2019
GPT Downtime
DMARC Policies Up 250% In 2018
Gmail SPF Status of Best Guess: What does it mean?
Gmail: Improving spam filtering with TensorFlow
2018: Did I get it right?
Fun while it lasted...

January 2019
Stop using NJABL! Now!
Characters in the local part of an email address

December 2018
How to win friends and influence people?

November 2018
4 Holiday Deliverability Tips
Report: ‘Trump’ most common spam term during run-up to elections

October 2018
Does Germany require COI/DOI?
How to Recover from Email Marketing Mistakes
The future of email?
Reference: All AT&T Email Domains
Sender ID? No, don't bother.

September 2018
Howto: Create a Gravatar brand icon
Howto: Make your brand icon display in Gmail
Inbox by Gmail: Bye bye
Spam in a post-GDPR world?
Test Authentication Here

August 2018
It's time to re-engage!
Scunthorpe Redux
List Bombing: History and Prevention
Thank you for signing me up!
Let's track!
Google moves gmail.com to "quarantine" DMARC policy (for subdomains)

July 2018
The 250ok Deliverability Guide
Apple Moves to "Quarantine" DMARC Policy
Reference: VMG Domains List (Verizon, Microsoft, Google)
Dead email domain: tesco.net
The secret to disconnecting? Email does it better.
Return Path launches Universal FBL
Happy birthday, spam (the good kind)!

June 2018
A spam score of 33.8!
The email problem no one is talking about: mistaken identity
XNND.com is 11 years old today
Revisiting Spam, the Documentary
Gmail's Promotional tab: How to escape
The big red warning box of doom
Locking down your unused domains

May 2018
Spam Cannibal blacklist is dead
Spam recall: For real!
Whoops! Cyberlogic DNSBL Broken
Smells like GDPR Season
AOL: No More Whitelisting
Unroll.me to close to EU users
Vodafone Ireland: vodafone.ie is a dead email domain

April 2018
Reference: Apple email domains
Lycos Mail: Free accounts to be eliminated
This weekend: Gmail spam, from me, to me
40 Years of Spam
Cloudflare Launches 1.1.1.1 DNS Service
Message Header & Message Checking Tools
Goodbye, goo.gl

March 2018
What is Microsoft BCL?
Please Hire Mike Teixeira!
PSA: Time to update your ReCAPTCHA
Fun fact: Gmail has two domains
DMARC: sp= policy not always needed
250ok on DMARC adoption among top US colleges
File under obvious? Engagement rules!
Howto: Disable your Gmail spam folder

February 2018
Best US cell carrier for phone spam protection? T-Mobile.
Ask Al: Group mail is being blocked, what do I do?
Gmail: Filtering mail into folders
Gmail & B2B Spam
AOL/Yahoo Transition Update: AOL DMARC & FBL Reports
List-Unsubscribe header: You need it!
How Email Works

January 2018
Isleton Spam Festival: There's still time
AOL Announces Mail System MX Changes
Reference: Time Warner/Road Runner/Spectrum Email Domains
Using ClamAV? Update Now
More Transitions: AOL/Yahoo Consolidation
History Repeating: Challenge/Response again?!
Canada and Japan joining forces to stop spam
You use 2FA for your Google account, right?
Dead email domain: alltel.net
TinyLetter: Don't freak out just yet!
More on "Smart Unsubscribing"
Challenges in 2018?

December 2017
Hotmail: Twenty years ago this month...
Top Five Spam Resource Posts of 2017
On the 12th day of Listmas...
LaPoste Now Offering DKIM-based ISP Feedback Loop
Did anyone recently notice that the Spamhaus XBL just got really big?
Inbox by Gmail will remind you to unsubscribe from unread promo emails
Finding and deciphering email headers
Krebs: Phishers Are Upping Their Game. So Should You.
The 12 Days of Listmas
Help! I'm blocked at Verizon.net!

November 2017
Vodafone (New Zealand) Email Closure
Happy Thanksgiving!
Reference: Top MAGY Domains

October 2017
Holiday Season is Here: What to do
October 11: Spam in the News

September 2017
HTML Email: JWZ's fault?
Whoops: iOS 11 Mail Microsoft Issues
Full Email Headers
Hotmail UK MX Change

August 2017
Haiku Break
Finding DMARC when it isn't there?
16 Years And Counting
DMARC will (not fully) fix it!

July 2017
Most federal departments aren’t using DMARC: Wyden
AOL: Reputation corrected and request denied

May 2017
Text to Image ratios in email
Verizon Email Transition Update
New Anti-Phishing Protection in Gmail on Android
Why list-unsub doesn't let you "opt-down"?

April 2017
Orange UK Email Closure
New DMARC Record Lookup Tool
Senders: What should you do about verizon.net?

March 2017
Do you care about WHOIS?
Friday Funny (With Good Advice)
Verizon Users: Leave, or move to AOL
Password Reset Emails: Best Practices
New Outlook.com/Hotmail IP ranges
AOL User Mike Pence
IBM Patents Out-of-Office Reply functionality

February 2017
Guest Post: A Guide to Microsoft SNDS
Sean Spicer and WHOIS
Howto: Maximize Inbox Delivery to Yahoo
What can SNDS tell you?

January 2017
The Scunthorpe Problem
What is UCENET?

December 2016
Ask Al: What of Senderbase?
List-unsubscribe on Gmail: Frequently Asked Questions (FAQ)
5 Reasons List-Unsubscribe Concerns Are Overblown
Microsoft breaks DKIM signature?
What You Need to Know About DMARC and Deliverability
Spam Museum Welcomes 100,000th Visitor
Yuck: iCloud Calendar Spam

November 2016
Virgin Media is so rustic and artisan you get to hand-sort your own spam
MegaRBL DNSBL FUBAR
AOL FBL Sending Address Changing
Putting Spam to the culinary test
Holiday Season Tip: Don't Experiment
Gmail Updated on iOS
Email and the 2016 Presidential Election
Barracuda (was) down

October 2016
Now you can read your email on Xbox One
Beware: Student loan forgiveness spam
Obama Administration Says Text-Spam Law Is Constitutional
Yahoo! Mail: No Forwarding for you
Checking an SPF record with the Kitterman SPF Validator
Best practices for parked domains

September 2016
AOL announces Alto, new mobile email app
Not receiving Yahoo FBL Confirmations? What to do
Spam Resource on Facebook
DMARC Support in Mailman
Gmail to Support Responsive Design + More
Ken Magill: Time to switch to COI/DOI
Subscription Mailbombing: Must Read
Gmail providing easy-to-read Auth Results
List Unsubscribe in Apple's iOS 10
Doing the Math on Purchased Lists
Bye bye, SmartScreen
Deliverability Problems: What You Can't Fix
7 Common Deliverability Myths Busted

August 2016
Dead email domain: facebook.com
Do you need COI/DOI? Probably.
Yahoo: Deferring Inbound Connections Today
Where do I get a new IP address?
Gmail now requiring SPF or DKIM

July 2016
Yahoo, AOL to both be owned by Verizon
Spamcop: Declines to send reports to ESPs
Steve's Co-Reg Inbox Saga
Wired on Email Reputation
What is SPF Lockdown?

June 2016
LinkedIn for list building: Still bad news
Apple iOS 10 to support List Unsubscribe
FBI Raids Spammer Outed by KrebsOnSecurity
Sanford Wallace gets jail time for FB scam
When is a phish not a phish?
Can't send to Dad, sorry.
Internet, Web Enjoy One Final Day As Proper Nouns
Putting the "free" myth to bed

May 2016
Scott Walker's got a list for you
What is phishing?
Outlook.com (Microsoft Windows Live Hotmail) Issues Today
Yahoo, Gmail and Spam in the news
Protect Your Brand and Reputation
Cisco PIX/ASA: Disable SMTP Fixup
Verizon.net moving to AOL
Google Postmaster Tools: Domain vs. IP address Data Thresholds

April 2016
Google Postmaster Tools: Not receiving data?
B2B Spam is Dumb and You're Dumb and This Other Guy is Dumb, too
Microsoft Outlook.com / Hotmail Deliverability Troubleshooting
I'm blocking all mail from .top
UnsubCentral: Anybody home?
Gmail: Top 5 Deliverability Do's and Don'ts
Best Email Frequency?
Researchers help shut down spam botnet that enslaved 4,000 Linux machines
Spamhaus to indicate DROP status via DNS
Outlook.com Inbound Email Issues

March 2016
Don’t Be Afraid to Say Buh-Bye
Here's why I unsubscribed
Mail.ru announces additional DMARC domain restrictions
What is an ISP Feedback Loop (FBL)?
Images off by default?
How to Optimize Your SPF Record
Yahoo Mail not accepting inbound mail
New: Check Auth Status with XNND
Yep, that's about right.
Sender ID Doesn't Matter in 2016
The spam map of the United States
Small scale, unsolicited, and sustainable...
SPF Still Matters in 2016
Email inventor Ray Tomlinson dies
Spamhaus Releases "Worst TLDs" List

February 2016
International Yahoo Domains to get DMARC "Reject" Policy
Let's Talk About Leadgen & Payday Loans
Prune Inactive Subscribers: Y/N?
Outlook.com (Microsoft Windows Live Hotmail) Issues Today
Outlook.com Got a Big Update Today
Mail.ru to Adopt p=reject DMARC Policy
How to track ISP delays
Contest Signups for Lead Generation: The Good and the Bad
What happened to McAfee and Postini?
Reference: Yahoo Email Domains

January 2016
Reference: AOL Email Domains
Checking Email Content with SpamAssassin
10 Simple List-Building Tips
Making it Easy to Unsubscribe (#2)
Does anyone at AT&T netops read Spam Resource?
Feedback Loop (FBL) Resources from M3AAWG
Making it Easy to Unsubscribe (#1)

December 2015
2015: The Year of DMARC?
Use the SECOND WEIRD TRICK when implementing your DMARC record
What RRVS Doesn't Fix
Mail forwarding in a DMARC world
French ISP Orange shutting down voila.fr mail domain
Congrats to Return Path!
Admin: Site Redesign Time
Yahoo! Mail China is no more

November 2015
From address: Don't use an invalid domain name
Using AdBlock? Using Yahoo! Mail?
Verizon Retiring Inactive Email Addresses
Gmail to flag unencrypted email connections
A Useful Email Validation Tool
Use this ONE WEIRD TRICK when implementing a DMARC record
Is my DKIM key Insecure?

October 2015
DMARC: Gmail "p=reject" policy is coming
Add Other Email Accounts to Yahoo Mail
Additional Yahoo Domains to get DMARC "Reject" Policy

September 2015
⛄ Put a snowman in your subject line ⛄
Need DNS Tools?
Google now allows you to "block" senders in Gmail
Another day, another dead blacklist....

August 2015
HostWinds: A Turnaround Story

July 2015
Oops: Gmail Spam Filter Changes Bite Linus Torvalds
1,072,835 Page views!

June 2015
Domain Registration Privacy: Another View
Return Path adds AOL to list of certification-enabled ISPs
DMARC and mailing lists: We survived!
On Sweating the Small Stuff
Return Path: When is it OK to Use a Shared IP Address?

May 2015
ESPs and Purchased Lists
DeliverNow: New Filters @ Orange, SFR, Laposte

April 2015
Sending mail over IPv6? Authenticate!
Domains clear.net and clearwire.net have been retired
Outlook.com Deliverability Support Form
More Jobs @ the Litmus Job Board
Troubleshooting AOL Deliverability Issues
Are you hiring for deliverability?

March 2015
Great work, MAAWG!

February 2015
DMARC & Mailing Lists: A Roundup
Spamhaus Sued for Libel in UK
Engagement Affects Deliverability
House Introduces Email Privacy Bill

January 2015
Amazon Starting Email Service
Microsoft Updates Use of List Unsubscribe Header
Ask Al: Help! AHBL is blocking inbound mail!
Yahoo Shuts Down Its Email Service In China

November 2014
Third party post-purchase research emails: spam?

October 2014
Is Yahoo.com a wireless domain?

September 2014
Interesting SBLs is back

July 2014
Purchased lists? DOA.
Pre-order Spam Nation by Brian Krebs
Does Gmail use Spamhaus blacklists?
Ask Al: Should I add a DMARC record to fix the Yahoo issue?

June 2014
Need to contact Live.com/Hotmail?
Check out this neat thing: Email Privacy Tester
DMARC does only one thing (but pretty well)
OpenDKIM & SpamAssassin Gotchas on Ubuntu 12.04
106 miles to Chicago
Blast from the past: Challenge/Response Filtering?

May 2014
Signing outbound list mail with OpenDKIM
Yahoo on Yahoo's new DMARC Policy
The Current State of TLS over SMTP?
Yahoo Groups rewriting from addresses to handle DMARC policy
Gmail’s message to email marketers: Focus on engagement

April 2014
How popular is Yahoo Mail?
Google Groups rewriting from addresses to handle DMARC policy
AOL Adopts New DMARC Policy
Yahoo DMARC Policy Change Roundup
Ask Al: Is my personal domain affected by DMARC?
Yahoo Statement on new DMARC policy
Yahoo DMARC Policy: Why they did it.
How OnlineGroups.net used the Yahoo! DMARC crisis to make a better Mailing List Manager
Who uses a Yahoo from address?
Run an email discussion list? Here's how to deal with DMARC
Up in arms about Yahoo's DMARC Policy? You're not alone.
Payday Loans: Not Even Necessary
Masking WHOIS Information: No Abuse.net for you

February 2014
SpamAssassin 3.4.0 Released

January 2014
Gmail Oops
Gmail: Reach the people you know more easily

December 2013
Ask Al: Help! My email address is being used in spam! What do I do?
Rest in Peace, Nadine
The Return of the Open Relay

November 2013
Dynamic Dolphin Dies
Ask Al: Remove me from APEWS?
Payday Loan Stories on NPR
Looking at a spam stream: The story of Jimmy Walker
Checking the SBL "Latest Listings" Page

September 2013
LinkedIn Sued by Users
SpamArrest Loses in Court
Mail merge?
Gmail Tabs Roundup
Ken Magill on Gmail Tabs

June 2013
CAN-SPAM Ruling: Domain Ownership Masking Deceptive
DMARC: Please Be Careful!

May 2013
Twitter Rolls Out Two-Factor Authentication
Apple Rolls out Two-Factor Authentication
A New DNSBL: DNSBL Chile

April 2013
Dutchman Arrested in Spamhaus DDoS
COI: Another List Manager's View (or two)
Payday Loans in the News
Tons of Misdirected Mail
Does COI make sense?
Two-step auth coming to Microsoft?
Sky.com Transitioning to Yahoo! Mail backend
Worst Write-up?

March 2013
Spamhaus DDoS in the News
That Wasn’t Funny
Crazy on Display

February 2013
Another Dead DNSBL
On Spamhaus and Anonymity

January 2013
A bit of spam history
On the Recent Yahoo! Mail Exploit

December 2012
Friends in high places?

November 2012
Email is Not Anonymous
Ask Al: What of the MAPS RBL?

October 2012
CRTC Issues Updated Canadian Spam Law Guidelines

September 2012
Confirmed Opt-in in the Wild
RFC Ignorant Blacklist Shutting Down
Email Append Gone Wrong
More Misdirected Messages

August 2012
COPPA in the news
No Permission = Bad Experience

July 2012
The Transactional Unsub
Guest Post: Canada's New Anti-Spam Bill - Is Anyone Listening?

June 2012
Transactional Spam: It Happens
SMS Spam in the News
Defining Persimmon
Change your LinkedIn Password

May 2012
Defining Permission
Double Opt-in in the Wild
How Subscriber Complaints Affect Inbox Placement
Engagement – Buzzword, or a rule to live by?
What does your email address say about you?
Read the Comments
Neutraceutical Spammer Sentenced to 2 Years
MAAWG: Internet Police?

April 2012
CASL Slips to 2013
SMS Spam: Google Voice is Helpful
Spam Complaints Matter
A flippant, but true, response.

March 2012
5 Design Tips That Will Lower Your Spam Scores
Whitelisting – A partial solution to Inbox Woes?
Inside the Gmail Kimono: A Whole Lotta Nothing?
Why did Gmail junk that message?
Send Less Mail, Make More Money
Who invented email?
You Get the Deliverability You Deserve
Does Hotmail use the SBL (Spamhaus Block List)?

February 2012
A wizard did it.
It's not all spam, is it?

January 2012
What's DMARC?
Address Validators: What are you Validating?
If the email’s legal, it can’t be spam. Can it?
CheetahMail "Gives Up" Email Append
Still Delicious in 2012
A Heck of an Oops

December 2011
2011: The Year in Spam
Ask Al: Help, I'm blocked at AT&T!
Netprospex Blacklisted By Spamhaus

November 2011
The Passing of J.D. Falk
What does Spamhaus think of email append?

October 2011
On Validating Email Addresses
Visualizing Yahoo Spam Blocking
Dutch ISP Picks Fight with Spamhaus

September 2011
Another Experience with Email Append
Email Append: Not a Great Practice

August 2011
Push Clickers Across the Conversion Finish Line
No surprise: Holomaxx loss.
MAPS/Trend Micro Spamtrap Issues?

July 2011
What's your (telephone) reputation?

June 2011
Is DKIM evil?

May 2011
DNSBL Safety Report 5/14/2011
AOL blocked? Don't try this at home.
What would you present?

April 2011
Spamcop Blacklisting: Should you care?
Is this permission?

March 2011
Why are you in my inbox?
Neil Schwartzman: CASL Compliance
What changed?
Score one for the Good Guys
On the Legality of Spam Filtering
No false-starts, do-overs, or mulligans for Email
Spamhaus & URL Shortening Services
Comcast’s Impressive System for Notifying Infected Users
China cleans up spam problem

February 2011
Is there a war on small mail servers?
How to Start a Spam trap
Return Path hires Sam Masiello
Now Hiring: Who?
Cloudmark developing SMS spam filter
Making Permission Assumptions
Who/what is RESMAIL?
Goodmail to Shut Down
Thought of the Day: Permission

January 2011
Guest Post: Reader Feedback Week
An Informal Definition of Spam
Dennis Dayman: Watch out for DeepWWW
How to Generate Leads with LinkedIn
AMENDMENT IS FUTILE
LinkedIn: A list-building opportunity?
Microsoft, Holomaxx, ISPs Reading Your Email
Top 5 Spam Resource Posts in 2010

December 2010
All About List Growth
Venkat Balasubramani: Portrait of a Lawyer Turned Anti-Spammer
Spouse Can't Hack Your Email, says Michigan
Have you checked out NiX Spam?
Quick Note: AOL Inbound Email Issues
Backscatter from Microsoft Exchange
Spamhaus under DDOS from AnonOps (Wikileaks.info)
Newegg Continues to Spam, says Horwath
Gov't Needs Warrant to Search Email
Canada Passes Anti-Spam Legislation
Wikileaks Mirror Malware Warning
HolomaXx Dismisses Suits against Return Path, Cisco IronPort
How To (or How Not To) Operate a Blacklist
All About Email Address Validation
Feelin' Old
More on Growing Your List
Mark Brownlow on Permission
Ask Al: How do I grow my list?

November 2010
What is bulletproof hosting?
Netprospex: "Verified," really?
ESPs being targeted
Gmail Priority Inbox?
More Spam from Newegg?
What You Suggest Will Kill Email for Everyone
The Truth about Permission
New Data Breach: Chili's
Please Help us Kill Zombies!
Does Facebook Mail Change Everything?
Email Address Validation: Options
SMTP Address Validation: Bad Idea
Holomaxx Link Roundup
Size isn’t the only metric
Holomaxx suing Microsoft, Others
Javascript in emails: Bad idea? (Updated)

October 2010
Top 4 CAN-SPAM Myths
Rendering & CAN-SPAM Compliance
Changes to DNSWL.org
Godaddy blacklisted by AHBL
Friday Funny: I Need Your Legal Advice
Selling Customer Data: Good idea?
Mediacom Outbound Mail Servers
Payday Loan Marketer Settles with FTC
Ask Al: Senderbase.org?
Magill Has Questions
The Rise and Fall of a Spam Plaintiff

September 2010
Magill-Meat Love Fest
HR2221: Data Accountability and Trust Act
What is Hashbusting?
WHOIS Wasn't Hacked
Rich Kulawiec Booted from SPAM-L
ARF: Now a Proposed Standard

August 2010
Stupid Search-Trick Watch: Content Thieves Strike!
Newegg.com: How not to handle a spam complaint
Co-RegData.com: Content Thieves
Ken Magill Returns
Spammer Claims that he is a Victim

July 2010
Google: Bulletproof Hosting Provider
What of SRV?
Does the First Amendment forbid spam filtering?
Is it OK to block political speech?
First Amendment Restrictions on DNSBLs

June 2010
How to avoid getting swindled on your email lists
The view from a blacklist operator
Spamhaus Case: e360 Award Slashed to $27k
NY AG Taking Legal Action Against Tagged.com
Does CAN-SPAM Cover Affiliate Spam?
Who's Sharing Your Personal Info?
Twitter Blacklisted by Spamhaus
Let's Talk About the Rules

May 2010
Groan: .co TLD to be opened to the public
In Memoriam: Stefan Pollard
Recommended Reading: Fatal System Error
If It’s Not Permission-Based Email Marketing, It’s Just Not Worth it
DNSStuff Leaking Addresses?
How Not to Respond to Public Spam Allegations
Bad idea: Sending from the Cloud
CAN-SPAM Myth #4: Doesn't Apply to Non-Profits
CAN-SPAM Myth #3: Password Protecting the Unsub Page is OK
CAN-SPAM Myth #2: This Law Makes it OK to Spam

April 2010
CAN-SPAM Myth #1: Applies Only to Spam
Example Double Opt-In Process
Recent Spam Litigation Activity in California Courts
Alleged Spammers Using Google Apps: Bad Idea
The Pernicious Effect of Gordon vs. Virtumundo
Speaking of Tagged.com
CAN-SPAM Compliance Impacts Deliverability?
Beware: Free Gift Card Ads
Do you track your opt-in data?
Harvard Business Review Is DEAD Wrong About Opt-Out
Your Help Needed: Sign me Up!

March 2010
A Note on Dutch "Tell-A-Friend" Regulation
Interview Day at Spam Resource
Spam from Image Factory
Are you on SPAM-L?
ISPs: Preventing Outbound Spam?
Virgin Mobile Settles Spam Allegations for 22,000 AUD
Classmates.com Settles Lawsuit over Deceptive Emails
On Defending Jigsaw & Similar...
Twitter Has Spammers, Too
Spamhaus: Waledac Botnet Culling Had Little Effect
Alan Ralsky Goes to Jail, Does Not Pass Go
Is Online Anonymity a Bad Thing?
Arrests made in "Mariposa" botnet that infected 13 million PCs
Quick Hits
Identify anonymous domains with anonwhois.org

February 2010
More on Netprospex
Ask Al: Additional Received Headers?
ClickZ: Goodmail CEO Steps Down
Bad Advice in the B2B Space
Don't Spam the Judge
SpamResource/XNND Co-Reg Dashboard
Tagged.com Wins Spam Lawsuit
Surprise! Internet filled with Junk
WHOIS Privacy Protect -- What Spamfighters Think
What is this thing?
Word to the Wise Delivery Wiki

January 2010
Who is this Ken Magill guy anyway?
Engagement: Best Practice for Years
Ken Magill Leaves Penton
Spam Complainants Are Sometimes Angry
Bad News in 2010, if You Suck
The E360 Pantsing Continues
Work-at-Home Spam, Scam or both?
In-Application Email Signup: Ew, Really?
What is Zeusmail.org?
Pivotal Veracity Acquired by Unica Corp.
Ken Magill Sucks
Brazil Overtakes US as Spam Leader
How Tradeshow Email Lists Can Get You Blacklisted
The Beatings Will Continue...Forever
10 Deliverability Tips for 2010
Email to Die in 2010
AOOGAH!! DIVE! DIVE!
SpamAssassin 2010 bug

December 2009
Data Breaches and Email List Data Theft
Mickey Chandler, Deliverability Consultant
Top Five Spam Resource Posts in 2009
"Herbal King" Spanking Continues
Aweber Hacked; Email Addresses Stolen
On List Growth and Buying Lists
Wahhh, "Just Hit Delete"
The Case of the 500-mile Email
More Anti-Spamhaus Fun
Fire up the ROFLCopter!
Receiving Duplicate List Messages?
Not How It Works
SURBL Announces New Experimental Blacklist
Check Your Rep @ AOL
Is an Unsubscribe Link Required?
Did you catch that?
CAN-SPAM Plaintiff Spanking Appeal Rejected
Permission, Co-Reg Sucks, and ESPs
IT'S A RACKET!

November 2009
"Herbal King" Ringleader Fined $15 Million
Ralsky Gets 51 Months in Prison
Ask Al: Delivering a Monthly Newsletter to 350 People?
O HAI TAG44 WTF?
Loren McDonald on FISUE Syndrome
Ask Al: What are filters checking?
Is email dead?
Breaking News: Spambag is Still Dead
The Legitimate Email Marketer Isn't
Karmasphere Reputation Services Shutting Down
Two New Zealand Spammers Fined

October 2009
Ask Al: Bad things happening?
Judge rejects TD Ameritrade breach settlement
Ask Al: The Strange Case Of The Help Request Gone Awry
C-27 Canada's Electronic Commerce Protection Act passes Committee Review
Top Five Tips for Dealing with Blacklists
FRIDAY LOLZ: BALLOON BOY SPAM!
Barry Don't Play That
Why do we need an opt-in spam law?
I Support Opt-In Legislation for Canada
Another Day, Another 419 Scam
Spamfighting Spam?
Zombie Blacklists: Life Goes On
Cleaning NDRs out of a Spamtrap Feed?
Auth Don't Fix That!
Staying Safe Online
Let Us Count Up The Fail
A Twitter Conversation About List Rental
Too Much Contact
A message from me...but not!
Spamhaus, Snoeshow spam, and You

September 2009
Don't Share Needles!
Google Voice and Phone "Spam"
Symantec Says Illinois is #5
Rocky Mountain Bank WTF
Make it stop!
Funny T-Shirt
Spam Resource, New and Improved
Pivotal Veracity on Domain Reputation and ISP Insights
Breaking: Goodmail Sued for Patent Infringement
Ask Al: Help! I'm Blacklisted!
DUDE: YR DOIN' IT WRONG!
Domain Reputation and Recipient Engagement
Quick Hit: Blagojevich Spam
Online Privacy in the UK
Ask Al: Trouble Sending From My Own Domain?
Good Advice for Senders
New FBL from Tucows/OpenSRS
Jigsaw Blacklisted by Spamhaus
New Maine Law Came...and Went
How Google Looks at Spam Complaints
You Can't Buy an Existing Business Relationship
Happy Birthday, Internet!
Internet Miracle Cures For Everything!
Don't Lie About Safe Harbor

August 2009
White House Spam, Signup Forgery, and GovDelivery
Guest Post: Email and the White House
Blocking specific domains?
Ask Al: Not Receiving any emails!
AOL to Stop Sending Report Cards
More on Email Forwarding (and Fastmail.fm)
And the Most Popular Email Service Is...
Permission Marketing: A Loaded Term?
Wholesale e-mail data? Uh, no.
Ask Al: Spam From Me To Me?
Do you use SpamAssassin?
Yahoo handles email for Verizon?
Neat Trick: Forwarding Webmail into Work Email

July 2009
Ask Al: Blacklisted by Spambag?
Ask Al: Checking email addresses against URIBLs?
Postini: Google's take on e-mail security
Usenet.com Gets Ass Handed To It By Court

June 2009
Ask Al: Help prevent a bad thing!
SORBS Information Roundup
Ask Al: Getting my Controversial Email Delivered
Ask Al: Blacklisted IP Address?
Check Your CAN-SPAM Checklist

May 2009
Help! My address was forged in spam!
Help! I'm spam blocked by DCC!

April 2009
Speaking of Business Contact Databases
I'm on a List
Barnes and Noble Emails Opt-Outs

March 2009
SCOTUS Declines Review of VA Anti-Spam Law Case
E360 Gets an Important Bit Wrong
JC Penney Does WHAT?

January 2009
No more, Direct Magazine
AT&T's 'American Idol' Text Message Stunt Backfires
Neat Hack: Re-Assassinate
Abuse Mailbox on Google Apps?
Email Append and New Domain Spam

December 2008
EmailAppenders Has a Question
Michigan State to student: Political e-mail is spam

November 2008
Ken Magill, Laura Atkins on Zoominfo
Spam from Postini Servers
Gmail Tempfailing

October 2008
Backscatter Goes Mainstream
Tell me about this new opt-out list!
Tracking Spam From "Nett Solutions"
Authorities Shut Down Spam Ring
Message Timing FAIL
Spam from Randolph Wine Cellars
Blacklist BCP and Dead DNSBLs
Spammers: SambaMail and The Data Supplier
Ask Al: Help! Am I blacklisted?

September 2008
Uncommon Ground Post
Virginia Spam Law Overturned: Doesn’t Matter
Friday Funny: Give Her Big Meat
Ken Magill Defends Blacklists

August 2008
On Political Speech, DOI, and Mr. Poopyhead
Godaddy misusing the PBL?
Ow, my Irony hurts!
What is a Sender?
More on Pizza Hut
Don't Spam to Apologize for Spam
ReturnPath Buys Habeas
Political Sending Reputation
Beware the Fake News Spam
Yahoo Insights and Subcriber Engagement
List Reconfirmation Example

July 2008
Ken Magill on the Eddie Davidson Coverage
COI Can't Protect Against Stupid
Backscatter in Detail
Dear MediaPost (x4)

June 2008
When Terminology Attacks
E360 Failure Update

May 2008
Do you want to fund the lawsuit?
The "Report Moron" Button
Offers You Can't Refuse
MAPS: Ancient History
The EEC/Zinio Affair
Postini Bug and False Positives
Thanks, James Gordon
Behold the Box of Meat
Sender Complaints about Spam Filtering

April 2008
On Blog Etiquette and Content Ownership
Jam Productions
You Gotta Fight!
E360: EPIC FAIL CONTINUES
The One Goes To Eleven
Promoting Transparency
Mourning the Loss of DearAOL.com

March 2008
More bites at the apple?
Are you sure it's broken?
e360 v. Comcast: EPIC FAIL
Forced Opt-in
Ken Magill Gets It!
Las Vegas Spam via China

February 2008
Liveblogging from MarketingSherpa
Help David Ritz
More on the Obvious
Another Thing to Remember
Dear Direct Magazine

January 2008
What the heck is Notchup?
Domain Tasting to End?
Excellent comment(s) on the Ritz affair
David Ritz Story Gets Press
North Dakota Judge Gets it Wrong
Gmail's Taking Care of Me
Good to leave your Wifi open?
Alan Ralsky indicted
My Prediction For 2008

December 2007
Yahoo using Spamhaus lists
Best Practices & ISP Rules

November 2007
Here is why people get blocked

October 2007
Purchased Lists Are Still Lame
David Ritz lawsuit
Address portability? Already got it!
McAfee vs Barracuda
DNSBL Resource Updates
Psst...wanna buy a list?
Tracking Blacklists

September 2007
Opt-in Censorship?
Getting it Half Right
Monkeys!
Oh, please.
Spam, the Documentary
The Real Spam Has Stood Up
Zombie Pfizer Computers Spew Viagra Spam
More on the Spamhaus Ruling

August 2007
7th Circuit Court Opinion on e360 v Spamhaus
SPEWS Memorial Day?
An open letter to DNSStuff
An open letter to DNSStuff
Blowback sucks
MAPS Blacklisted? It's True!
Division of Permission
On the APEWS Blacklist
The Virtumundo/Jim Gordon Affair

July 2007
Blah on Challenge Response
Happy Friday from...the Baron!
Where was the consumer?
Blacklist notifications? Think again.
Ask Al: My email address is being used in spam!
Blink: 32 new spams.
Blogger listed on Spamhaus blacklist
TQMCUBE Blacklist Status

June 2007
Even More on Confirmed Opt-in Best Practices
Know when to quit!
Vonage did WHAT?
Opt-in vs. Relevancy
Harvesting BAD! Grr!
Spamming That New Account
Greetings from San Jose

May 2007
Robert Soloway Arrested
AOL Image Blocking Link Roundup
Re-thinking Spamcop
ESPs, their clients, and ISP blocking
Mark Mumma News Roundup

April 2007
How big and how often?
Get your Sender ID on!
Tracking lots of spam for fun and profit
Are you a good blogger?
Sweepstakes and List Building
The very first spam?
Email Diva: Industry Standard For List-Cleaning
There's always more spam!
Ask Al: How do I publicize my new site?

April 2007
Double opt-in: For and Against
e360 vs Spamhaus Update
Surveys, Profile Information, and Hamtraps
Flixster Wants Your Passwords
Which blacklists work well?
Announcing SpamSuite.com
Gmail, End User Privacy, and Harassment
Well-Known E-mailers Back Spamhaus in Amicus Brief
e360 vs Spamhaus: Sparring in the Newsgroups

February 2007
What are spamtraps?
Dealing with spam to your abuse desk?
The Changing Definition of Spam
What it does it mean “We do not relay?”
CAN-SPAM Roundup
Microsoft using Spamcop and Spamhaus? Yes!
Blast from the past: Scott Richter on the Daily Show
The AOL email tax: Is the sky falling?
Backscatter: What is it? How do I stop it?
Joe Jared Wins

January 2007
Senders: How to avoid false positives
About the author, Al Iverson
SPEWS Current Status
How to deliver mail to AOL
The Story of "Nadine"
Quick Update: Scott Richter Makes the News
I Still Get More Spam Than You
Whatever happened to VRFY?
Ask Al: Help, you're blocking my mail!
Full Text of CAN-SPAM
China's Anti-Spam Law

December 2006
Blast from the past: John Gilmore's open relay
Opinions on Challenge/Response?

November 2006
Blast from the past: RFC Ignorant
Ask Al: How do I track abusive spam?
Ask Al: Help, I'm being blocked as a spammer!
How to deal with Challenge/Response?

October 2006
Groklaw on the Spamhaus case
Who's been sued under CAN-SPAM?
Ask Al: Help, my domain is being forged!
Co-Registration Woes
Google Code Search
Who has your personal information?
Spamhaus in the News
If it's good enough for the cops...?
Sending an attachment with your email campaign?

September 2006
A question about your practices.
Europe hasn't caught up yet
Double Opt-in How To
Sender Policy Framework (SPF) trick of the day

August 2006
I'm back!

April 2006
This is a test post.

February 2004
Bill Gates, spamkiller?

January 2004
CAN-SPAM is here

May 2003
Double Opt-in/Confirmed Opt-in

March 2003
Problems with Spamcop

January 2003
MonsterHut in the News

January 2002
Buying dirty lists doesn't pay
Selling your e-mail address for fun and profit

November 2001
Audit Trails and Relay Blocking Lists

October 2001
Nick Renton
MAPS

August 2001
Ramblings about MAPS and the RBL