I’m seeing some questions about TLS and Gmail. Folks are seeing a correlation between sending without TLS and the mail going to bulk.
Has anyone seen this? Are you sending mail with TLS and can’t get to the inbox? Or are you sending mail without TLS and getting to the inbox?
Inquiring minds and all that.
The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email. It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication. Set up a centralized reporting repository for DMARC failure...
Hello! Hope all are keeping safe through Harvey, Irma, Katia and the aftermath. I know many people that have been affected and are currently out of their homes. I am proud to see so many of my fellow deliverability folks are helping our displaced colleagues with resources, places to stay and money to replace damaged property. Here’s a mid-month late wrapup of our August blog posts. Our favorite...
Well, not exactly mandatory but Chrome will start labeling any text or email form field on a non-TLS page as “NOT SECURE”. Chrome 62 will be released as stable some time around October 24th. If you want to avoid the customer support overhead then, regardless of whether any of the information on a form is sensitive, you should probably make sure that all your forms are accessible via...
Transport Layer Security (TLS) is what gives you the little padlock in your browser bar. Some people still call it SSL, but TLS has been around for 18 years – it’s time to move on. TLS provides two things. One is encryption of traffic as it goes across the wire, the other is a cryptographic proof that you’re talking to the domain you think you’re talking to. The second...
When you link to an external resource – an image, a javascript file, some css style – from a web page you do so with a URL, usually something like “; or “;. The world is beginning to go all https, all the time, but until recently good practice was to make a web page available via both http and https. The problem is that if you try and load a resource from an http URL from...
We’re officially halfway through 2016, and looking forward to a slightly less hectic month around here. I hope you’re enjoying your summer (or winter, for those of you in the Southern Hemisphere). Our first June blog post marked the fifteen year anniversary of the very first anti-spam conference, SpamCon. As I noted, many of the people at that conference are still working in the...
We run a lot of our own infrastructure at Word to the Wise. Our email and web presence runs on our own hardware, in our own cabinet in our own network space. Partly that’s because we’re all from very technical backgrounds, and can run them in a way that’s better suited to our needs than an off-the-shelf web service. Partly it’s so we can do things like add instrumentation...
Google is disabling support for email sent using version 3 of SSL or using the RC4 cypher. They’re both very old – SSLv3 was obsoleted by TLS1.0 in 1999, and RC4 is nearly thirty years old and while it’s aged better than some cyphers there are multiple attacks against it and it’s been replaced with more recent cyphers almost everywhere. Google has more to say about it on...
Yesterday Gmail announced on their blog they would be pushing out some new UI to users to show the authentication and encryption status of email. They are trying to make email safer. There are a number of blog posts on WttW for background and more information. TLS and Encryption Protect your email with TLS Cryptography and Email M3AAAWG Recommends TLS The short version is that TLS is encryption...
RSS - Posts