Author: steve

AOL Changes

We’ve known for a while that AOL email infrastructure is going to be merging with Yahoo’s, but apparently it’s happening sooner than anyone expected. The MXes for will be migrated to Yahoo infrastructure around February 1st. Reading between the lines I expect that this isn’t a flag day, and much of the rest of […]



When we say that you might just be sending too much email and fatiguing or annoying the recipient into unsubscribing or hitting spam, this is the sort of thing we mean. Three emails (to the same email address) in four minutes might be a bit much. If you can’t combine the content you want to […]


That Should Be A Word

What … is your name?

For some reason otherwise legitimate ESPs have over the years picked up a habit of obfuscating who they are. I don’t mean those cases where they use a customer’s subdomain for their infrastructure or bounce address. If the customer is Harper Collins then mail “from” sent from a server claiming to be isn’t unreasonable. (Though […]


Meltdown & Spectre, Oh My

If you follow any infosec sources you’ve probably already heard a lot about Meltdown and Spectre, KAISER and KPTI. If not, you’ve probably seen headlines like “Major flaw in millions of Intel chips revealed” or “Intel sells off for a second day as massive security exploit shakes the stock”. What is it? These are all about a […]

Authentication is about Identity, not Virtue

I just got some mail claiming to be from “Bank of America <>”. It passes SPF: Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=;; It passes DKIM: Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) The visible RFC 822 From address is strictly aligned with both the SPF domain and the DKIM domain. So if they’d published […]


Organizational Domain

We often want to know whether two hostnames are controlled by the same person, or not. One case for that is cookie privacy in web browsers. We want pages at and and to all be able to set and read cookies for each other – so a user only needs to log […]


Interacting in professional fora

There are a bunch of online communities – mailing lists, Slack channels, etc. – where “people who do email” interact. Some of them are open to anyone to subscribe, some of them are semi-private and require an invitation, others are closed and only available by invitation and yet others are associated with trade associations and […]


The feds are deploying DMARC

The US National Cybersecurity Assessments & Technical Services Team have issued a mandate on web and email security, including TLS+HSTS for web servers, and STARTTLS+SPF+DKIM+DMARC for email. It’s … pretty decent for a brief, public requirements doc. It’s compatible with a prudent rollout of email authentication. Set up a centralized reporting repository for DMARC failure and aggregate […]

Sometimes less is more

We just bought some new desks, to replace the old ones that date back to the days of CRT monitors. The supplier we bought them from, Autonomous, did a nice set of triggered sends throughout the sales process – “we’ve received your order”, “we’ve shipped your order”, “your order has been delivered”. That’s not rocket […]
