April Fools Day is Cancelled

Please don't email me something fake or "jokey" on Wednesday. And don't do that thing where your company or blog posts a bunch of fake stuff to try to troll people. Tensions are high and people are nervous. Now truly is not the time for failed attempts at being wacky.

Fellow email industry colleague Chad S. White sums it up better than I can. He writesI'm really worried that brands are going to botch #AprilFoolsDay more than usual this year. The risks of being the wrong kind of funny are extra high this year. My advice? Skip it this time around.

Thankfully, Google gets it. The Verge reports that Google has canceled its infamous April Fools' jokes this year, and rightly so. Now is not the time to spread misinformation, even if it's well meant and in the name of humor.

Reference: Web.de, GMX and Mail.com Domains

GMX and Web.de are two freemail providers based owned by United Internet (1&1) and primarily based in Germany, but providing free email seemingly globally. Mail.com might be considered the "US edition" of their email service and has nearly 200 different email domains to choose from.

It's been tough to find a published reference list of domains used by them (with the exception of the Mail.com domains), but here's what I was able to come up with, with help from smart guys Jakub Olexa and Udeme Ukutt.

Please hire: Sarah Johnson

Are you hiring? Sarah Johnson could use your help.

Sarah has strong email & digital experience providing her a very strategic understanding of email platforms like Salesforce Marketing Cloud & AWS SES for transactional automated programs & SMS. She prides herself on knowing how to befriend your subscribers and provide valuable content to be allowed successfully onto their laptops and phones. Most recently leading successful secured communication digital programs & Salesforce Marketing Cloud implementations, purchases and creating strong growth programs for B2B & B2C messaging. She seeks a contract or FTE digital role in the Minneapolis area.

Does Sarah sound like the right hire for you? I hope you'll consider her -- her strong experience and overlap between e-commerce and digital marketing shows she's got a broad skillset and can adapt easily. Here's a link to her LinkedIn profile. Please contact her on Linkedin or via email at Josojohn@gmail.com.

Editor's note: Because it's such a challenging time to job hunt right now, I'm going to use this platform to occasionally highlight smart folks who are looking for work and who would welcome the exposure from being shared here. I hope you won't find it too intrusive and let's hope it helps lead to good things for the folks featured here!

Spam and reputation

Need a break from the heavier news? Okay, let's talk about spam and reputation. No, not that spam, and not that kind of reputation. Spam, the food product. Julia Press of Business Insider explains "how the makers of Spam stopped worrying about being a global punchline and learned to embrace the joke."

While I'm not planning to hoard Spam during this tough time, I do keep a tin of bacon-flavored Spam in the cupboard, as it makes a good breakfast meat if you find yourself out of bacon or sausage. Slice it thin and it fries up nicely on the stovetop. It also greases the pan well enough that I find that I don't need to oil the pan before frying the eggs.

A few COVID-19 subject lines

The Freecycle Community and COVID-19. COVID-19: How UPS is Responding. Update from Starbucks. Supporting our customers during this critical time. Coronavirus Update. Temporary Change to Store Hours. A travel update from our leadership. COVID-19 Updates From the Illinois Lottery. Our commitment to safety - a message about coronavirus. A message from our CEO. Important information about the coronavirus. A message to our guests from CEO. More Flexibility for Your Travel. Health and Safety Information from WG Restaurants. Caring for the Lyft community. Traveling with Flexibility and Care. We are here for you. Here’s Are New Hours and Closures for Campus Buildings During Coronavirus Outbreak. How we're supporting you during the coronavirus. A message from our CEO. Health & Safety Update from Tire Store. A travel update from leadership. A Letter to our Fans. Our pledge to you during the coronavirus outbreak. A message from E.T. about COVID-19. Updates & Resources for Businesses Impacted by COVID-19. We are still operating at full capacity. A Day of Giving Message for Customers. Message from the Mayor: COVID-19 Updates. Extending Our Support Through COVID-19.

Reference: All Virgin Media (UK) domains

I'm working to add to my list of ISP resource pages, including new information on domains used by various ISPs. Here's information for UK broadband provider Virgin Media.

Call for Deliverability Monitoring Vendors: Postmastery

Hey, deliverability monitoring vendors! I know you're out there, and I don't know a lot about many of you. Do you manage a service that does inbox deliverability testing, seedlist testing, inbox monitoring, or similar functionality? Feel free to drop me a line and let me know a little bit about your product or service, and I'll publish it here. 

First up -- Willem Stam has kindly provided the following information about Postmastery:

Everything marketers need to know about BIMI: The latest email standard

Jennifer Cannon from Martech Today just posted a solid overview of where BIMI is at today. If you don't recall what BIMI is, she explains: "BIMI is a way for brands to publish their logos in their customers’ inboxes and allows logos to be easily incorporated into messaging."

Amazon Web Services (AWS) now blocking block port 25

Amazon recently made a change affecting AWS/EC2 users. As of January 27, 2020, new EC2 instances will no longer have port 25 access to the world. This means that by default, they won't be able to send email.

Other Deliverability Monitoring Vendors?

Besides Return Path and 250ok (now both owned by Validity), and eDataSource (now owned by SparkPost), here are three other deliverability monitoring vendors, as shared by kind commenters on my previous post:

Validity to Acquire 250ok

When I ask myself, what vendors are there in the deliverability monitoring tools space, I think of three primary vendors: Return Path, 250ok and eDataSource.

Then I ask myself, what will this vendor landscape look like in a year from now?

Fun with Double Opt-in

Here's a link to the source of my new double opt-in sign up tool, if you'd like to check it out or install it for your own use. (It is now called WombatMail.) Of course, feel free to go ahead and submit your address if you'd like to receive email updates from Spam Resource.

Some considerations related to the double opt-in signup script:
  • This is written in Bash, a common linux/unix scripting language.
  • There are variables near the top that you will need to edit to specify things like the name of your list, the email address to send from, etc.
  • You can block various domains, usernames and email addresses using the BADDOMS, BADUSERS and BADEMAILS variables.
  • There are a few lines you can comment out to disable things like the unsub notification email, DNS checks, and the new subscriber notification email. Search for the word "comment" to find these points.
  • Email authentication is a function of your mail server and DNS configuration in this context, not my script. Meaning my script does not add SPF or DKIM or DMARC -- you add these by way of configuring DNS and your mail server for your domain.
  • You can look at the gen_code subroutine if you want to modify the way the opt-in link looks. Be careful not to make it so simple that anybody could manipulate a URL to cause a forged opt-in subscription.
  • To export subscribers, use this script. It reads the log, exporting every person whose current status is "subscribed." 
  • I think this process of using a log file and finding status via the log file is a clunky-but-good-enough way to manage a database without actually using a database. You could implement a SQL database to track active subscriptions and logs if you like, but I wanted to minimize my reliance on additional tools for this particular project.
Some thoughts on this opt-in process and double opt-in best practices in general:
  • The script generates fairly long/random opt-in URL codes. This is to prevent opt-in forgeries. You don't want people to be able to "hack" URLs to cause forged subscriptions or even forged unsubscribes. For this reason, you should never expose the email address in the opt-in URL.
  • My opt-in URLs don't expire. Maybe they should, and maybe they will in a future update.
  • To prevent "opt-in confirmation bombing," this tool allows a user to re-request an opt-in confirmation twice, for a total of three opt-in confirmation emails. After that it won't send you another. If you subscribe, then later unsubscribe, the counter is reset and you could receive three more. That way it allows re-sends for users who might resubscribe in the future.
  • The script checks subscriber domain validity by matching the TLD against a fixed list of TLDs. This will eventually go out of date as somebody adds the latest new, weird TLD to the world, but is probably good enough for government work. It is unlikely that anyone with an email address of bob@chicago.squirrelunderpants is going to try to sign up for your list, even if "dot squirrelunderpants" ends up being a valid TLD in the future. I suppose I could do a live call out to the IANA TLD list, but why add the network noise?
  • The script also requires that the sending domain have a valid MX record or A record. If it doesn't, mail won't be accepted anyway, so why bother sending a confirmation mail? Similarly, it looks for an SPF record that suggests that a domain sends no mail. A domain configured like that isn't likely to have valid users who want to receive your mail. A lot of spamtrap domains are configured this way; let's not bother them with confirmation requests.
By the way, it turns out that the opt-in confirmation emails for my list are delivering to the spam folder at Microsoft/Hotmail, even though my IP address has a Sender Score of 100, 5+ years of history sending good mail, and I authenticate mail with DKIM and SPF. Perhaps that says more about Microsoft than me. I suppose I'll open a mitigation request ticket at some point.

Anyway, the reason I put all this together was just to remind myself that double opt-in isn't hard. I hacked this script together over a few hours here and there last weekend, and somebody putting more time, effort and planning into it could do a better job than I do. You could take this script and use it to manage signups for your list, and know that every signed up address has been properly validated, accurate and truly opted-in, without spending a dime on an external vendor.

(Updated 3/2/2020: I've renamed the list management tool "WombatMail," since it's a domain name I've had forever but do very little with.)

You should check out: Really Good Emails

Fellow Director of Deliverability Jen Nespola Lantz reached out to me to share a link to Really Good Emails.

She writes:"I often get asked, "Okay, you want me to do X, but what would that look like? Can you send me ideas?" I am not always able to send client examples, so I used to either have to mock them up or pull from personal examples. Although this is not necessarily a deliverability tool, it is a great source of ideas for emails and messaging for this very case (and many more). If you think about it, ultimately, if you send content that looks great and functions well, you may drive more customers to look for it and then interact with it. If you drive a better experience you'll likely end up improving deliverability anyway...so maybe it is a tool, just an indirect one. The examples stored here are clean and beautiful and demonstrate very creative ways to message successfully once you get those eyeballs. Hope you find it useful!"

This is a cool site and I think folks will find it very helpful! Thanks, Jen!

DMARC.org: DMARC Policies Increase 300% over 2019

Wow, DMARC continues to spread like wildfire! Data from Farsight Security shows that DMARC adoption increased significantly in 2019. Up from 630,000 domains with DMARC in 2018, they now have observed 1.89 million domains publishing a DMARC policy over the past year.

DMARC is a very useful security tool to help prevent malicious and unauthorized use of your domain name in email. You should implement DMARC if you haven't already. And if you have, you're in good company!

Verizon announces new Email Deliverability and Performance Feeds

Sean McWilliams of Verizon (aka AOL and Yahoo) just announced something that they are referring to as "Email Deliverability and Performance Feeds." Click here to read the announcement.

What does it look like? Don't quite know yet. I am hoping it will be a sort of Google Postmaster Tools-like or Microsoft SNDS-like dashboard where one can log in and view engagement-based sender reputation metrics for a given domain name. We will see.

Their new Verizon Postmaster page on the topic suggests that there will be two types of "feeds":
  • "The Placement Feed provides metrics on how many emails from a sender domain are delivered to the inbox, spam, and folders. It also provides metrics for error and complaint counts.
  • "The Campaign Performance Feed provides key metrics such as delivers, opens, reads, glances, skims, deletes, and clicks for a sender domain. Metrics are broken down by sender domain and campaign."
Inbox versus spam folder placement data is a nice touch. Until now, folks needed a tool like 250ok, eDataSource, or Inbox Monitor to denote spam folder placement.

This looks really interesting and I'm really looking forward to learning more about it. Stay tuned!

Receive Email Updates from Spam Resource

People periodically ask me if there is a way that they can receive an email notification whenever a new blog post is posted on Spam Resource. Never really thought much about it, as my focus was on blogging about emails and not sending them, but enough people have asked that I decided it was time to put something together.

Why Email Engagement Is the Holy Grail of Email Deliverability

ActiveCampaign's Robert Colomberti's explains.

This is REALLY good stuff. The date range guidance might change depending on your industry or differences in sales pipeline, and the segmentation guidance gets a bit platform specific, but the core of this is solid.

As far as the bit at the end about using an email validation vendor, that's a whole other discussion. Upfront verification that somebody isn't submitting an invalid address into a form is a good thing, but don't forget that it's not the same as verifying permission. Data validation isn't going to fix a non-permissioned list, for example. That kind of thing is still deliverability killing. (I don't mean to imply that ActiveCampaign says otherwise. I am just making my own voice heard here.)

Apache SpamAssassin 3.4.4 now available

The Apache SpamAssassin Project has just announced the release of version 3.4.4 of the popular spam filter SpamAssassin.

Apache SpamAssassin 3.4.4 is "primarily a security release," but includes various fixes for things like improved carriage return handling for DKIM checks and re-implementing Perl 5.8.x compatibility. Click here to learn more about it and/or download the updated version.

Following best practices for sending to Gmail

Google has updated the Gmail "Bulk Sender Guidelines" page, and it is now called, "Prevent mail to Gmail users from being blocked or sent to spam." Check it out!

(Thanks to the smart folks at Postmark for the tip!)

Is 2020 the year of BIMI?

You might notice that in my "2020: What's next?" post, I didn't mention BIMI.

BIMI, aka Brand Indicators for Message Identification, is the new way to specify what logo or brand avatar a sender wants shown alongside their email messages. (Learn more about BIMI here.)

Showing a logo, avatar or little graphic along side an email message isn't a new thing. Gmail, Yahoo Mail and others have supported some form of logo display for a long time now. But where that logo was sourced from, how it was populated, this wasn't always clear or obvious. Gmail would pull the graphic from a Google Plus profile or Google account. Yahoo Mail would do the same, I found, but it also could pull the logo from other places. It had some sort of internal process that I wasn't privy to.  And there's Gravatar, which is still out there and still (modestly) supported. (And at some point, Microsoft announced something called Brand Cards that never seems to have launched. So I have no idea if anybody ever set up or observed a "brand card" logo in the wild.)

Mashable's wrong (sort of) -- empty your inbox!

Mashable's Alex Perry wrote just the other day that one should never bother to clean out your email inbox. Sort of right, sort of wrong. Me, I'd go crazy if I left 250,000 email messages in my email inbox. His point, though, is that you might as well save everything forever in email, and have it available to search through as needed. That's something I completely agree with. But he misses the point-- you don't have to "leave it in the inbox" to do that. In Gmail, for example, just "archive" it all at some point, and it is still there for you, in "All Mail," and available to be searched, without specifically cluttering up your inbox. So keep all that mail, but empty the inbox out periodically.

Got placed in the Gmail promo tab? You're not alone.

Apparently it happens to Seth Godin, too (click here).

He's got a fix for it, see, but those big meanies at Google won't let him implement it. He's even encouraging you to yell at Google on his behalf. (It turns out, Google is a bit shy about letting third parties have access to fiddle with your Gmail inbox settings. Can't say I blame them for that.)

Europe is different and why this matters for US-based companies

Here's an article from Mailkit's Jakub Olexa explaining how the ISP landscape is different in Europe. This is useful stuff for US-based senders to learn. That chart is especially insightful. Thanks, Jakub!

2020: What's next?

Well, the new year is here. (Along with a new blog template and updated ISP deliverability guides.) What do you think will happen in the deliverability realm in 2020? Here are my first thoughts.

First, DMARC is finally reaching critical mass. No longer an edge-case security feature that your marketing teams ignore, more and more senders finally start to understand that supporting DMARC is easy and should be considered a best practice. DMARC adds complexity to email forwarding, reply handling and mailing list management, so look to experts for assistance if your email use cases would run into any of those realms. But outside of those, DMARC can actually be pretty easy to set up.