Industry News & Analysis

Working around email security

One of the common things I see as a delivery consultant is that companies do their best to set effective policies about email, but make it difficult to comply with those policies. It happens all the time. It’s one of the reasons that the tweets Steve shared about Sec. Clinton’s email server rang so true to me.


One of the commenters on that post disagrees, and uses banks and health care as an example.

Erik says:

Disagree. I work for a bank – highly regulated, just like health care and the government itself.

We go through quarterly compliance training – yes every three months. I can assure you anyone working on department of state information systems also has security clearance and goes through compliance training.

They knew what they were doing and did it anyway, my theory is that some higher up (Clinton or direct report) asked for it and someone was afraid to say no.

Banks and health care companies are notorious for registering new domains and creating infrastructure because they can’t do what they want through normal IT channels. I’ve had both industries as clients and I’m a consumer of mail from both. I’ve had conversations with folks in their security and their marketing departments. If anything, banks and health care are prime examples of how companies will work around things.

Generally the work around involves registering an entirely new domain and then authenticating that domain through their ESP. It’s mail that’s sent to customers by the bank, but it’s not the primary bank domain. This can be done for all sorts of reasons.

In at least two cases a bank registered a new domain to use for alerts of a security breach. In one case it was my credit card company, sending to the tagged address only the company had. I called the bank and they told me it was a phish and not to answer it. Except if that was true, there was a much bigger breach as only the bank had that address of mine.

In another case a bank sent us an alert that a system one of our customer uses for invoicing and payments was compromised. Again, the bank sent out an alert. That alert failed DKIM checking and was unauthenticated email. I’d believe this was a phish / spoof, except I used tagged addresses and I know that only the supplier portal had that address. If it was a phish, it was a phish using data stolen from the company.

To be fair, things are getting better. Banks are working to consolidate domains and stop with the using so many different domains. I even had a discussion with on bank employee earlier this year at CNX16 about the delivery implications of the consolidation they’re undergoing. Seems a different division was having problems with a blocklist and she was concerned those problems would spread to her mail when they consolidated the domains.

As I was writing this post I discovered that our health insurance company has finally started DMARC protecting the cousin domain they use to send billing notices. Last year they weren’t and I used them as an example during one of my talks to a health care audience. Many of the DMARC advocates were loudly trumpeting that this company was protecting all their mail with DMARC, but they weren’t they were only protecting part of it. So things are improving.

The point is that this isn’t unusual at all. IT can’t do what part of the company needs, whether for policy or budget reasons, and so options are explored. Those options are often registering a new domain and handling the mail on external hardware. It is common business practice, even in highly regulated industries like health care and banking. It does seem to be becoming less common, which is great! But let’s not pretend that email is some perfect bastion of security and policy compliance in regulated industries.

No Comments

SPF ?all

The most read post on the blog is Authenticating with SPF: -all or ~all. In fact, it’s in the top 5 posts every single day. We still get comments on it, too. Usually from folks who disagree with my recommendations.

I still stand by my recommendations, though. It doesn’t really matter if you choose ~all or -all in your SPF records. Why? No major provider is rejecting mail solely because of a SPF fail. They may bulk the mail, but they won’t reject it. That’s why, in a deliverability context, it doesn’t matter which one you choose.

My one rule for SPF is never use ?all. Just. No. In the spec, ?all is “testing” mode. But it really is a signifier that the person who put the SPF record together doesn’t know what they’re doing. Unless they really are testing, but even then you shouldn’t see ?all on records for weeks or months.

~ or – never ?


Do you know where your signups are?

Here at Word to the Wise we sign up for a lot of email from our customers. There are multiple reasons we do this.

Engagement starts before the first email

These days the key to getting to the inbox is sending mail your users want and expect. We always recommend senders start the engagement process during signup. Why? Because it establishes the relationship even before email happens. People want to like the vendors and brands they interact with. A key part of that is making the recipient feel special and like they have value to you.

There are other benefits to engaging before email. The biggest is the opportunity for the recipient to look in the bulk folder for mail. When a user says “this is not spam” by moving mail to the inbox, that whitelists the mail for that user. Even better, that acts as a big positive for the email’s overall reputation. Positive signals feed into the machine learning engines and change reputation for the better.

Broken signup forms

One thing that always amazes me is the number of broken signup forms there are online. Even when the senders have effective email programs, sometimes there’s a problem with the signup.

We’ve found some recurring problems during our signup experiences.

Signup forms are hard to find. For some systems this is OK, the signups happen during checkout, for instance. But every company sending non-transactional mail to their customers should make it possible to sign up for mail without making a purchase. Make the sign up form visible!

“Rogue” signup forms. At some point site design changes and new forms are added. Occasionally an older signup form isn’t deleted and subscriptions sorta happen, but the welcome messages are sent from a system no one is aware of still being active. In other cases, the forms looked like they worked, but addresses were never added to lists. Check all signup pathways regularly!

Going through the signup process tells me a lot about an email program. Deliverability problems often start at the point of address collection.

When was the last time you signed up at your site?


Almost Caturday

It’s Friday. It’s been a week.

Have a cat picture.


No Comments

Electronic records outside US not covered by US warrants

The 2nd Circuit Court of Appeals ruled against the Government today in US Government vs. Microsoft. The government is investigating a drug dealer and want access to records held by Microsoft. Microsoft turned over metadata stored on US machines. But they refused to turn over the specific emails stored on machines in Dublin. The company’s position is that the federal government needs to follow the rules of the Mutual Legal Assistance Treaty between the US and Ireland.

This has been winding its way through the appeals court.

The court’s ruling today states “§ 2703 of the Stored Communications Act does not authorize courts to issue and enforce against U.S.‐based service providers warrants for the seizure of customer e‐mail content that is stored exclusively on foreign servers.”

An interesting ruling, and I see pros and cons to the ruling. It does complicate anti-spam enforcement a bit and make it easier for criminals to hide their data overseas while they might be in the US. But it’s already easy for them to do that. Many arrests of spam gangs and others for crimes committed on the Internet over email involve multiple law enforcement agencies across the world.

Full text of the ruling (.pdf link)

No Comments

Politician sends spam, experiences consequences, news at 11

Over the weekend I’ve been seeing a number of over the top, hyperbolic blog posts about the Trump Campaign’s agency getting suspended from their ESP for spamming. Adestra suspended the Donald Trump campaign for “for committing some of the most egregious spamming in the history of the Internet in an effort to save his broke campaign.”

That quote about “most egregious spamming” is from some partisan website that is all about making Trump look bad.  I did actually laugh out loud reading most egregious. Let’s be real here. This incidence of spamming doesn’t even make it into the top 100 of the ones I know about. And it’s not like I’m particularly well up on who’s spamming what.

This really is business as usual in the email space and particularly the political email space. Political sender, be they special interest groups or politicians, are sloppy with permission and will send mail to any email address they get their hands on. I talked about this last week: Spam Filtering is Apolitical


The Trump campaign isn’t the first political campaign to send spam.  It wasn’t huge news in 2012, but the Romney campaign was doing some bad stuff with their email marketing. They were working with snowshoe spammers. They were listed on the SBL. They got cut off by their ESP.

While Spamhaus doesn’t keep historic records, I found a post from 2012 on the “Mainsleaze” about the Romney campaign / supporters and their use of spam as a campaign tactic. In the comments on that post a representative of Spamhaus says, “Entirely too many political operatives and some of those who work with them at ESPs feel entitled to ignore the usual rules and send opt-out bulk email to anybody they wish.” This is true, and something I’ve repeatedly mentioned on this blog.


The only reason Trump spamming should make news is because of potential FEC violations.  Foreign nationals are prohibited from donating to US political campaign and campaigns are expected to do due diligence to remove foreign nationals from fundraising campaigns. Given that many of the foreign nationals were government officials who received email on their work accounts, it’s clear the campaign did nothing related to compliance with FEC regulations.

There is the possibility that email marketing laws were violated in other countries, too. Inside the US, CAN SPAM does not apply to political mail. Other countries, including Canada, also exempt political and or fundraising mails from their anti-spam laws.

Short version

Political campaigns send spam. Nothing new here.

Politicians send spam. Nothing new here.

ESPs have taken action against political senders before. Nothing new here.

Political email has been blocked before. Nothing new here.

What next?

Next, the Trump Campaign needs to find a new ESP. There are, of course, rumors flying around the industry about where he’s going to end up. I can see the campaign being a challenging customer to deal with. Not only have they been quite publicly caught spamming, but they’ve also lost a major ESP. These types of customers are challenging at the best of times. There is a lot of work to fix a problem list and get to the inbox.

On top of that, Return Path shows deliverability numbers that point to a list with very, very questionable permission. Any ESP who takes the campaign as a customer is going to have a significant amount of work to get this mail into the inbox. And, no, using a list validation service like the one RP is selling won’t do anything. List validation services remove undeliverable addresses. The problem is not that the addresses are undeliverable – they’re very deliverable. The problem is that too many recipients don’t want mail from Trump and never asked for it.

I’ve worked with a lot of clients with delivery stats this bad or worse. Some have been able to make the hard decisions necessary to get back to the inbox. Some … haven’t. It’s really hard to get rid of a high proportion of a list, even when that list is not performing. Fixing a list this bad can take months, and there’s just not time. The election is in 3 months. That’s not enough time to fix his deliverability problems, even if he found an ESP to take him on.





1 Comment

Spam, campaign statistics and red flag URLs

It’s not often spammers send me their campaign statistics, but on Tuesday one did.

The spam came “from”, used in the HELO and message-ids and, sure enough, was advertising


Received: from (unknown []) by ...
From: Udemy <>
Subject: The Photoshop Secret - Master Adobe Photoshop like a Pro!
Message-ID: <>


But the call to action link was a URL. Following the clickthroughs, the URL redirected to, which in turn redirected to Nothing too surprising –’s users are paying udemy for clicks, which udemy are buying from linksynergy and linksynergy are buying from our spammer. A perfectly normal, spammer-infested affiliate programme.

The spammer might be using bitly to hide the linksynergy URL (linksynergy links on web pages might well be legitimate, but in email they’re a serious red flag and an almost sure sign that the mail is spam), but I think it more likely they’re using it for bitly’s click-through reporting.

One of the nice things about bitly clickthrough reporting is that anyone can see it, just by adding a + sign to the end of it. Our spammer sent, so if we go to we can see everything about the clicks on it.

It’s had 56,622 clickthroughs since early February. The vast majority of clicks had no referers, so were likely from email. Of the few hundred that did have referers, they mostly look like webmail. So it’s pretty likely this URL has been used solely for spam.


This same URL has been used in four spam campaigns so far, mostly targeted to North America.



From a spam perspective one of the interesting things is that this URL has been in active use in spam for at least six months, without any of Udemy, LinkSynergy (aka Rakuten) or taking any action against it. It’s possible that’s just because none of them knew about it, I guess.

If I’m filtering email this tells me that bitly (or clicksynergy or linkshare) URLs in email are likely to be a problem – and, hence, if I’m sending legitimate email I should avoid using any of that sort of URL in my email. Something we’ve discussed here before.

And if I’m considering running an affiliate programme this is a good example of why I either have to run a very good, well-policed affiliate programme or make a business decision that I’ll make more money from paying spammers to bring in leads than I’ll lose customers due to my poor reputation.

No Comments

June 2016: The Month in Email

We’re officially halfway through 2016, and looking forward to a slightly less hectic month around here. I hope you’re enjoying your summer (or winter, for those of you in the Southern Hemisphere).


Trinity College Dublin, 2015 © Laura Atkins

Trinity College Dublin, 2015 © Laura Atkins


Our first June blog post marked the fifteen year anniversary of the very first anti-spam conference, SpamCon. As I noted, many of the people at that conference are still working in the email space — and many of the same spammers are still working in email too. We were also delighted to see that one of the worst of them, Sanford “Spamford” Wallace, was finally sentenced to jail time for his exploits.

We’ve also been longtime members of the M3AAWG community, and as the 37th meeting convened in Philadelphia this month, I wrote about some of what makes that group work so well.

As we inch closer and closer to the November election, we see more and more email from candidates, PACs, and other interest groups. I wrote about some of the challenges these senders face with spam filtering, both in terms of content and bad subscriber data.

Filtering, as I often reiterate, is increasingly a function of permission. You need to be invited into the inbox, and if you’re not, your mail will be filtered. Permission isn’t transferable. It can’t be shared from one list to another. If you’ve purchased addresses, you don’t have permission to mail those recipients, and your mail doesn’t belong in the inbox. People often call us to see how they might work around this lack of permission, and we’re constantly explaining why we can’t help them with that. Not convinced? Here’s another post about who owns the inbox, with some detail from my panel at Connections 16 and a followup post from Litmus.

Another deliverability question that came up at a recent panel discussion was about role accounts, so I wrote up some thoughts on how these are used and the specific challenges of delivering to these accounts.

In technical topics, I wrote a long guide to bounce handling, and we had some good discussion in the comments, which I always like (hint, hint!). Steve wrote about our experience (and others’) with TLS certificates, specifically with Comodo, who have failed their customers in numerous less-than-ethical ways. Steve also wrote a post about domain transparency, and how important it is for recipients to be able to understand where their email is coming from.

For my Ask Laura column, I answered a question about using video content in email. There are currently no standards for using rich media in email, and as such, this content can create delivery challenges. In a related topic, I wrote about the way that content complexity affects delivery, and some tools marketers can use to help with this.

No Comments