Validity to Acquire 250ok

When I ask myself, what vendors are there in the deliverability monitoring tools space, I think of three primary vendors: Return Path, 250ok and eDataSource.

Then I ask myself, what will this vendor landscape look like in a year from now?

Fun with Double Opt-in

Here's a link to the source of my new double opt-in sign up tool, if you'd like to check it out or install it for your own use. (It is now called WombatMail.) Of course, feel free to go ahead and submit your address if you'd like to receive email updates from Spam Resource.

Some considerations related to the double opt-in signup script:
  • This is written in Bash, a common linux/unix scripting language.
  • There are variables near the top that you will need to edit to specify things like the name of your list, the email address to send from, etc.
  • You can block various domains, usernames and email addresses using the BADDOMS, BADUSERS and BADEMAILS variables.
  • There are a few lines you can comment out to disable things like the unsub notification email, DNS checks, and the new subscriber notification email. Search for the word "comment" to find these points.
  • Email authentication is a function of your mail server and DNS configuration in this context, not my script. Meaning my script does not add SPF or DKIM or DMARC -- you add these by way of configuring DNS and your mail server for your domain.
  • You can look at the gen_code subroutine if you want to modify the way the opt-in link looks. Be careful not to make it so simple that anybody could manipulate a URL to cause a forged opt-in subscription.
  • To export subscribers, use this script. It reads the log, exporting every person whose current status is "subscribed." 
  • I think this process of using a log file and finding status via the log file is a clunky-but-good-enough way to manage a database without actually using a database. You could implement a SQL database to track active subscriptions and logs if you like, but I wanted to minimize my reliance on additional tools for this particular project.
Some thoughts on this opt-in process and double opt-in best practices in general:
  • The script generates fairly long/random opt-in URL codes. This is to prevent opt-in forgeries. You don't want people to be able to "hack" URLs to cause forged subscriptions or even forged unsubscribes. For this reason, you should never expose the email address in the opt-in URL.
  • My opt-in URLs don't expire. Maybe they should, and maybe they will in a future update.
  • To prevent "opt-in confirmation bombing," this tool allows a user to re-request an opt-in confirmation twice, for a total of three opt-in confirmation emails. After that it won't send you another. If you subscribe, then later unsubscribe, the counter is reset and you could receive three more. That way it allows re-sends for users who might resubscribe in the future.
  • The script checks subscriber domain validity by matching the TLD against a fixed list of TLDs. This will eventually go out of date as somebody adds the latest new, weird TLD to the world, but is probably good enough for government work. It is unlikely that anyone with an email address of bob@chicago.squirrelunderpants is going to try to sign up for your list, even if "dot squirrelunderpants" ends up being a valid TLD in the future. I suppose I could do a live call out to the IANA TLD list, but why add the network noise?
  • The script also requires that the sending domain have a valid MX record or A record. If it doesn't, mail won't be accepted anyway, so why bother sending a confirmation mail? Similarly, it looks for an SPF record that suggests that a domain sends no mail. A domain configured like that isn't likely to have valid users who want to receive your mail. A lot of spamtrap domains are configured this way; let's not bother them with confirmation requests.
By the way, it turns out that the opt-in confirmation emails for my list are delivering to the spam folder at Microsoft/Hotmail, even though my IP address has a Sender Score of 100, 5+ years of history sending good mail, and I authenticate mail with DKIM and SPF. Perhaps that says more about Microsoft than me. I suppose I'll open a mitigation request ticket at some point.

Anyway, the reason I put all this together was just to remind myself that double opt-in isn't hard. I hacked this script together over a few hours here and there last weekend, and somebody putting more time, effort and planning into it could do a better job than I do. You could take this script and use it to manage signups for your list, and know that every signed up address has been properly validated, accurate and truly opted-in, without spending a dime on an external vendor.

(Updated 3/2/2020: I've renamed the list management tool "WombatMail," since it's a domain name I've had forever but do very little with.)

You should check out: Really Good Emails

Fellow Director of Deliverability Jen Nespola Lantz reached out to me to share a link to Really Good Emails.

She writes:"I often get asked, "Okay, you want me to do X, but what would that look like? Can you send me ideas?" I am not always able to send client examples, so I used to either have to mock them up or pull from personal examples. Although this is not necessarily a deliverability tool, it is a great source of ideas for emails and messaging for this very case (and many more). If you think about it, ultimately, if you send content that looks great and functions well, you may drive more customers to look for it and then interact with it. If you drive a better experience you'll likely end up improving deliverability maybe it is a tool, just an indirect one. The examples stored here are clean and beautiful and demonstrate very creative ways to message successfully once you get those eyeballs. Hope you find it useful!"

This is a cool site and I think folks will find it very helpful! Thanks, Jen! DMARC Policies Increase 300% over 2019

Wow, DMARC continues to spread like wildfire! Data from Farsight Security shows that DMARC adoption increased significantly in 2019. Up from 630,000 domains with DMARC in 2018, they now have observed 1.89 million domains publishing a DMARC policy over the past year.

DMARC is a very useful security tool to help prevent malicious and unauthorized use of your domain name in email. You should implement DMARC if you haven't already. And if you have, you're in good company!

Verizon announces new Email Deliverability and Performance Feeds

Sean McWilliams of Verizon (aka AOL and Yahoo) just announced something that they are referring to as "Email Deliverability and Performance Feeds." Click here to read the announcement.

What does it look like? Don't quite know yet. I am hoping it will be a sort of Google Postmaster Tools-like or Microsoft SNDS-like dashboard where one can log in and view engagement-based sender reputation metrics for a given domain name. We will see.

Their new Verizon Postmaster page on the topic suggests that there will be two types of "feeds":
  • "The Placement Feed provides metrics on how many emails from a sender domain are delivered to the inbox, spam, and folders. It also provides metrics for error and complaint counts.
  • "The Campaign Performance Feed provides key metrics such as delivers, opens, reads, glances, skims, deletes, and clicks for a sender domain. Metrics are broken down by sender domain and campaign."
Inbox versus spam folder placement data is a nice touch. Until now, folks needed a tool like 250ok, eDataSource, or Inbox Monitor to denote spam folder placement.

This looks really interesting and I'm really looking forward to learning more about it. Stay tuned!

Receive Email Updates from Spam Resource

People periodically ask me if there is a way that they can receive an email notification whenever a new blog post is posted on Spam Resource. Never really thought much about it, as my focus was on blogging about emails and not sending them, but enough people have asked that I decided it was time to put something together.

Why Email Engagement Is the Holy Grail of Email Deliverability

ActiveCampaign's Robert Colomberti's explains.

This is REALLY good stuff. The date range guidance might change depending on your industry or differences in sales pipeline, and the segmentation guidance gets a bit platform specific, but the core of this is solid.

As far as the bit at the end about using an email validation vendor, that's a whole other discussion. Upfront verification that somebody isn't submitting an invalid address into a form is a good thing, but don't forget that it's not the same as verifying permission. Data validation isn't going to fix a non-permissioned list, for example. That kind of thing is still deliverability killing. (I don't mean to imply that ActiveCampaign says otherwise. I am just making my own voice heard here.)