On Friday I talked a little about DMARC being a negative assertion rather than an authentication method, and also about how and when it could be deployed without causing problems. Today, how DMARC went wrong and a partial fix for it that is coming down the standards pipeline. What breaks? DMARC (with p=reject) risks causing problems any time mail with the protected domain in the From: field is...
We know that legitimate email sent with valid SPF and a DKIM signature often breaks in transit. SPF will fail any time mail is forwarded – via a mailing list, a forwarding service used by the recipient, or just ad-hoc forwarding. DKIM will fail any time the message is modified in transit. That can be obviously visible changes, such as a mailing list tagging a subject header or adding a...
All the authentication and DMARC in the world can’t save you from stupid. I just got a survey request from my bank. Or, at least, it claimed to be from my bank. From: Barclays International Banking Survey <internationalbanking@barclayssurveys.com> The mail passed SPF (though the SPF record suggests this is being mailed from all over the place) and was validly DKIM signed for...
I talked last week about how incentivizing people to sign up for your mailing list could be effective when it’s done well. This week I’m staying at a Large International Hotel Chain and I’ve got a great example of what happens when it’s done poorly. The “free” wifi requires you to join the hotel’s loyalty programme. I’ve done that in the past, so I...
We often talk about confirmed opt-in (aka “closed-loop opt-in” or “double opt-in”) as the gold standard for address acquisition for permission-based mail. It’s not the only way to gather permission, and in some ways it’s a rather blunt tool that can discourage people from completing a sign-up process if it’s done badly – the confirmation email...
I just added a DMARC validation tool over on tools.wordtothewise.com. You can give it a domain – such as ebay.com – and it will fetch the DMARC record, then explain and validate it. Or you can paste the DMARC record you’re planning to publish into it, to validate it before you go live. If you’ve not seen our tools page before, take a look. As well as DMARC we have a DKIM...
A “/8” is a block of 16,777,214 usable IP addresses. That’s a big fraction of the entire IPv4 address space – about 1/224, in fact. Each one is all the addresses that begin with a given number: 10.0.0.0/8 is all the IP addresses that begin with “10.”, “184.0.0.0/8” (or “184/8” for short) is all the IP addresses that begin with “184...
due diligence noun. research and analysis of a company or organization done in preparation for a business transaction It’s a term that’s been around for five centuries or so. Originally it meant the effort that was necessary for something, but it evolved into a legal term for “the care that a reasonable person takes to avoid harm to other persons or their property“. More...
Hi Laura, Merry Xmas and wishing you a Happy New Year! I recently looked at a popular ESP’s IPv4 space and I was astounded. How does an ESP get an IP allocation of 20,480 IPs? ARIN guidelines do not allow “MX/Mailing” IPs to count towards a valid justification especially in the case when each and every IP is being used for this purpose. That’s 80 /24’s…and at a time when we are out of IPv4 space…...
Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies. Most legitimate network providers pay at least lip service to not...
RSS - Posts