Purchased lists? DOA.

MailChimp's John Foreman explains the usual reasons why sending to purchased lists is a bad idea, but then he adds on one important practical fact: They perform very poorly. Click on over to the MailChimp blog to learn more.

Pre-order Spam Nation by Brian Krebs

From Brian Krebs: "The backdrop of the story is a long-running turf war between two of the largest sponsors of spam. A true-crime tale of political corruption and ill-fated alliances, tragedy, murder and betrayal, this book explains how the conditions that gave rise to this pernicious industry still remain and are grooming a new class of cybercriminals.

But Spam Nation isn’t just about junk email; most of the entrepreneurs building and managing large-scale spam operations are involved in virtually every aspect of cybercrime for which there is a classification, including malware development, denial-of-service attacks, identity theft, credit card fraud, money laundering, commercial data breaches and extortion."

I'll be ordering my copy soon!

Does Gmail use Spamhaus blacklists?

Probably, implies Return Path based on a correlation between a typical Spamhaus blacklisting and drop in inbox delivery rates at Gmail. I think it's safe to assume that Google does use Spamhaus data for some sort of reputation calculation impacting Gmail deliverability.

Ask Al: Should I add a DMARC record to fix the Yahoo issue?

A friendly representative of a company who helps small businesses sell products asked: "We're having problems forwarding mail from our customers back to our users due to the new Yahoo and AOL restrictive DMARC policy. If we add a DMARC record for our own domain name, would that help address the Yahoo/AOL bouncing issue? Would that explain to the ISPs that we're not spoofing when we forward on that mail?"

No, this wouldn't fix your issue. It's probably not a bad idea for you to implement a DMARC record for your domain, especially if the domain is one you use for email marketing or online retail and want to make it harder for bad guys to spoof it. (But be sure you learn more about DMARC before proceeding; I would recommend partnering with somebody like Return Path or Agari to use their tools and benefit from their expertise with regard to anti-phishing/spoofing and DMARC.)

The reason this wouldn't fix your issue is because the Yahoo and AOL DMARC policies affect only mail that has a Yahoo or AOL domain in the from address. Also, they have the potential to affect all/any mail with a Yahoo or AOL domain in the from address. What other domain you might have in the message or message headers has no bearing on that fact. Whatever DMARC policy setting you publish wouldn't override whatever policy setting the owner of those domains may have published. In other words, if it's AOL.com in the from address, it's always going to be the AOL.com policy that applies, no matter what.

The real fix for the issue is to figure out how to get it so only your own domain name shows up in the from address. That might necessitate a change in your message flow process. It might make you have to reconsider whether or not you forward on messages through your system at all. Or you might have to rewrite headers, if you still want to be able to forward on that mail.

Need to contact Live.com/Hotmail?

On a mailing list I subscribe to, someone recently asked for assistance with getting mail delivered to Microsoft's Live.com and Hotmail.com domains. Apparently the poster works for an internet provider that had a compromised account or two, and Microsoft was blocking their mail as a result.

A kind soul posted this reminder in response:

"The most efficient and effective way to address any deliverability problem is by submitting the issue to our dedicated deliverability support team. Senders can do this by filling out a form with detailed information necessary to diagnose the problem. The form can be found here: https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=edfsmsbl3&ccsid=. Going directly to deliverability support will ensure that we have the right information to investigate the cause and recommend the right solutions quickly."

Those of us who have been around a while already have that URL bookmarked, but I thought I would share it here for new folks who might not already know it.

(June 2015 update: Link has been updated to most current version.)

Check out this neat thing: Email Privacy Tester

Smart web developer and systems admin Mike Cardwell put together something neat that I think you'll want to check out: Email Privacy Tester. Plug in your email address, and his system will send you an email message. That message will contain a whole bunch of different types of active content in various different wrappers and encodings, to see which of them are triggered by your MUA (mail user agent; aka email client). I did a quick test to a Gmail account and I already see one thing that I don't like, something Gmail executes automatically without asking me.