Industry News & Analysis

I’m not a customer any more

We recently moved co-working spaces, after 8 or 9 years in the same place.  I’ll be up front here, we left Space A because I was annoyed with them. I’ve been increasingly unhappy with them for a while, but moving is a pain so just put up with them. But their most recent rent increase along with the lost packages, increasing deposit requirements and revolving door of incompetent staff finally drove us to find a new co-working space.

On the 15th of the last month of our contract, I started receiving marketing emails from Space A. I just deleted a couple of them but finally decided I didn’t want to ever see their name again. I tried to unsubscribe.

Gotta give them credit. Checkboxes for everything, except some of them are to opt-in and some of them are to opt-out. This is the kind of interface marketers use to confuse folks and limit the actual number of opt-outs. I’ll admit, the first time I tried to opt-out, I probably did it wrong. But, I know CAN SPAM says they have 10 days, and I know many marketers take advantage of that so I wait a while and keep deleting the messages that show up in my mailbox.

That was late June. By early July I realize it’s been more than 10 days and I’m still getting mail from them. So I click another opt-out link. This time I notice I need to uncheck most boxes, but check the bottom one. OK, fine, you got me, I didn’t read and didn’t correctly opt-out the first time. This time I will.

I continue to receive email. I continue to delete the email. We run our own mail system so I don’t have the benefit of a this-is-spam button, but you can bet if I did I would have used it, on every message I received after my first attempt to opt-out.

This week, after getting yet more mail, I start digging. What ESP are they using that’s bungling the opt-out process? Ah. I know that ESP. So I send in a complaint to abuse@ESP asking them to please make their customer stop mailing me. I also go, once again, to the preference page and submit an opt-out request. Because, hey, maybe third time is a charm?

12 hours later I get yet another mail from them. Really? REALLY? OK. Now I’m moving from annoyed to irate. First step: figure out if I know anyone working at said ESP. Ah, right, them. I have a lot of respect for this colleague, so I send a heads up pointing out that their customer isn’t honoring unsubscribes and can they take a look at what might have broken in their unsubscribe process.

This morning they tell me they looked into my subscription and have not registered any opt-out request until the one this week. The other two? Not recorded in their system. “Does this match your recollection of what happened?” No. No it doesn’t. I know I clicked on unsub links at least 3 times and only one of those clicks is recorded.

At this point, I’m pretty sure I’ll be suppressed by the ESP so I won’t have to get mail from Space A any longer. That fixes the annoyance on my end. But I can’t help thinking about how horrible this interaction was, both from a deliverability perspective and from a customer perspective.

As a deliverability consultant

I understand why they added me to their mailing list immediately before our contract ended. As a customer, I was regularly interacting with them. Now that we were on our way out the door, they were losing that touchpoint. Good marketing says you use all the touchpoints, so adding me to their list makes sense.

I understand that opt-outs break down and sometimes don’t work correctly. They shouldn’t, but they do.

Overall, they didn’t really do anything wrong from a deliverability or marketing perspective. Maybe 3rd time really was the charm and I should have just waited another two weeks before raising a stink about getting mail from them.

As a former customer

I am a former customer because of how they treated me. I wasn’t happy with them and had many a troubling set of interactions with their corporate office over the years. For a long time, they had competent onsite staff that were friendly and helpful, so that made it tolerable. More recently, those staff were gone. They were replaced with an ever changing group of people who weren’t very helpful and weren’t around for more than a few weeks at a time. Additionally, corporate kept raising our rents and charging us “deposits” to cover … something. I’m still not sure why we needed to give them a few hundred dollars in deposits, when we were long term customers and they had permission to charge our credit card every month. Clearly they care nothing for me as a customer, as they just waved us out the door. 

Adding me to their mailing list after I left is just insulting. It didn’t make me want to come back or continue using their services. All it did was convince me that I’m just a piece of data and they don’t care about anything other than how much money they can extract from me.

Most small business owners use some sort of service for email. A lot of companies will just use Google Apps or Office365. Both of these companies provide users with access to a “this is spam” button. Even though the button doesn’t generate a FBL email, it does register in the reputation engines of both providers. I am sure that the average business owner would have availed themselves of the “this is spam” button. I would have in their shoes. This has the effect of both preventing the user from seeing future mail from the sender, but also harms the sender’s overall reputation.

Does it matter?

I will certainly never recommend Space A to anyone looking for space. The way they treated us at the end of our relationship guarantees that. Is this going to matter? Not really. Sure, multiple folks come to me looking for advice on starting small businesses, but me not recommending an international corporation with a multi-billion dollar market cap isn’t going to matter to them. It’s unlikely that even if every former customer in my position were to do the same they wouldn’t even notice.

But for companies that aren’t such market behemoths even a few poor word of mouth recommendations may hurt them. A few people hitting “this is spam” because they tried to opt-out and it didn’t work could hurt delivery.

Context does matter. Details do matter. How you interact with customers affects brand reputation and deliverability. I’m sure that Space A has a carefully planned marketing campaign and it works more than it doesn’t. I’m also sure I’m going to be telling folks that their service is not great and their marketing verges on spamming. They won’t care. But at least I’ll protect other small businesses from them.

1 Comment

Online communities and abuse

A few weekends ago we met a friend for coffee in Palo Alto. As the discussion wandered we ended up talking about some of the projects we’re involved in. Friend mentioned she was working with a group building a platform for community building. We started talking about how hard it is these days to run online groups and communities. One of the things I started discussing was what needed to be built into communities like this to prevent abuse and damage.

It’s a sad fact of online life that trolls exist and have been a part of online life since before Usenet. My perception is this is getting worse. It’s not that there wasn’t harassment in the past. There was. 20 years ago, I managed to annoy some random woman on a newsgroup back in ’96 or ’97. This resulted in months of harassing phone calls to me at home and work, my boss at home and work, the head of the rescue group I volunteered with. The police were involved, but there wasn’t much they could do. There’s till not much police do about online threats.

Now it seems worse. People are getting physically threatened. Women and activists are driven from their homes because someone online decided to attack / doxx / frighten them. We have online platforms that allow hate speech and threats and don’t provide sufficient tools for users to protect themselves. For all the good that comes from the Internet, there’s an awful lot of bad.

A big part of the issue is anonymity. Real anonymity online is hard, as evidenced by how quickly CNN tracked down the real life identity of a Reddit user. They did that in less than 24 hours, without the benefit of any private information. But partial anonymity is pretty easy. It’s trivial for anyone to register any number of twitter accounts, or reddit accounts. I recently heard the term “weaponized anonymity” and it accurately describes the situation. (I don’t agree with all of the opinions in that article, but I think the definition is useful.)

Before my harasser, I was pretty open online with where I worked and volunteered. I think I even had my physical location (at least city and state) on my webpage. Afterwards, I stripped as much info from the space I had control over. I thought about creating a new online identity, but decided that it was both a lot of work and wouldn’t be that effective. It’s near impossible to hide online now.

These are issues we have to address. Unfortunately, too many community platforms (twitter, I’m looking at you) don’t have controls in place to allow users to block harassment. At the volume of users some online communities have there is simply no way to put a human in the loop to deal with every complaint. There’s also a ‘x said, y said’ problem, where abusers claim they’re the victim when called on their behavior. The Mary Sue has an article on a recent example. In some cases, harassment goes back for years and the story is too complicated for an abuse desk worker to absorb in the short time they have to deal with an issue.

I certainly don’t have the answers. But I know that when we’re building online software we have to start prioritizing user safety and privacy. Too many online spaces don’t have walls or fences or locks. That’s a good thing because it lets people find communities. But it is a bad thing because there are folks out there who disrupt communities as a hobby. Anyone building community software needs to think how they and their software will handle it if one of their users is targeted.

These are discussions that need to happen. Those of us with experience in the online abuse space need to be involved and contribute where we can.

No Comments

5 answers you need before mailing old addresses.

From the archives: Mailing old addresses: 5 questions to ask first

James asked the question on twitter:

If you haven’t mailed an address in 5-10 yrs, would you include it in a re-engagement mail?

A number of people responded that addresses that old should not be mailed. I think the answer is more complex than can be handled in 140 characters.

Five to ten years is a very long time. Think about what you were doing 10 years ago. It’s easy right now, 10 years ago as a nation we were still reeling from the September 11 attacks. On a more personal note, Steve and I were just making the decision to start Word to the Wise. But what about 5 years ago? I can’t remember what we were doing or what our business goals and limitations were.

If you’re going to mail addresses that were collected 5 or 10 years ago, you must give some thought to a number of questions.

1. How has my target market changed in the last 5 – 10 years? How likely is it that customers from then would be interested in my products now?

People grow and change. As we move through different life stages, we have different needs and shop for different products. When thinking about whether or not to send mail to those old addresses, think about customer demographics. Is someone who wanted your product in the past also going to want your product now? What life stages are you targeting?

If you can honestly say that your product has a 10+ year target market, then mailing old customers may be acceptable. But if you focus on a narrow demographic it’s possible that your former customers are no longer interested in anything you have to offer, no matter how compelling the copy.

2. What do I have to offer a customer from 5 – 10 years ago? Is my current product line likely to interest them?

Just as people grow and change, businesses grow and change as well. When we first started Word to the Wise a lot of my consulting was directed at senders who were having blocklist problems and often didn’t have permission to send the mail they were sending. We didn’t have to talk about bulk folders, as most major ISPs hadn’t adopted the bulk folder yet. We didn’t have to talk about Feedback loops or “this is spam” buttons because such things didn’t exist yet. They primarily wanted to know how I could help them get and stay off the RBL or SBL.  In contrast, most of my current customers are opt-in senders who want information about how to engage users and get a better responses to their email.

Sure, old customers may be interested in new products and re-establishing contact with an old vendor. Others may have no interest at all. Some small percentage having an interest in your product isn’t sufficient. You need to be sure that a large percentage of recipients are going to want your new product.

3. How long does my product last? Are older customers still interacting with my product? Or have they forgotten I even existed?

There are pieces of software I’m using from 5 or 10 years ago. I’d be fine with a re-engagement email letting me know about other offers they have. But there are also bits of software I downloaded, tried and promptly forgot. I’d be annoyed if the vendor tried to email me. That really nifty pepper mill we bought 6 years ago? Love to hear from them about new stuff. That random kitchen gadget gathering dust in the back of a drawer? Not so much.

So much of making decisions about email is gauging how receptive recipients are to your message. When trying to decide to email very old customers, it’s important to understand your previous customer base.

4. What value am I bringing to the recipient? Do I have something new to offer? Can I push a new product or new launch?

The core of email deliverability is sending mail that your recipients want to receive. If you’re contacting recipients that haven’t heard from you in years, you need to put extra effort into making the email relevant for their lives. One of the ways you can do that is to share your excitement with a new product line, or a re-brand of your company.

Another way to make the email relevant is to make the email informative. Talk to the recipient about how you’ve changed in the intervening years and how your products can help the recipient. Your old customers are more likely to accept your intrusion if you have useful information for them  with your old customers

5. Where did I get these email addresses? Do I have a good audit trail for them?

This is where we get to those pesky details. Do you actually know where the addresses came from? Do you have even a partial audit trail. Can you tell what product was bought by the address? Do you know when the address was entered into your database? Do you even know if these are addresses of customers or not?

In my experience, most companies don’t have good audit trails for older addresses. They don’t know where the addresses came from. They don’t know if they’re actual customers. These are the things that cause re-engagement to fail totally.

You should NEVER mail old addresses unless you can identify where the address came from and the specific purchase that address is associated with. If you don’t have that data, then your delivery is going to be awful. You can only aspire to get into the bulk folder. More likely, you’re going to end up with mail blocked at many ISPs.

For the sake of argument, let’s say you do have that data. Someone at your company set up a database that captured everything you may need to mail old customers.

It’s not enough to have the audit data, you should take a deep dive into the data itself. How many of the addresses are at any of the dozens of domains that have retired in the last 10 years? How many are,, or None of these domains exist any longer. How many are, or These are domains that were popular long ago, but are no longer in wide use. It’s unlikely your customer still has that address.

Still thinking about mailing that list, because it’s mostly or addresses? That may still risk your delivery. Old addresses at major domains are sometimes turned into spamtraps and mailing these addresses may result in blocking. Even running the addresses through one of the ‘list cleaning’ vendors may not protect you from delivery problems related to old addresses.

Statistics show that 30% of email addresses are abandoned by their owners in a year. That means that even 5 years back only about 20% of those addresses are still in use by your customers. The others are abandoned, turned into spamtraps or just won’t deliver. If 80% of your list goes into a black hole, how much does each sale have to be to make it profitable to contact those old customers?

Each question should take an average business quite a bit of time to answer. The first 3 questions are about the intersection between you and your customer. They’re about you, the business, honestly evaluating your product (then and now), your target market (then and now) and the chance that you will meet their needs now as you met them then. The fourth question is about what you want to tell your old customers. But none of those questions are even worth asking unless you know you have a database worth sending to. And even if you do, will the ROI on a mailing be enough to justify the expense to put together an effective re-engagement campaign?



People are the weakest link

All of the technical security in the world won’t fix the biggest security problem: people. Let’s face it, we are the weakest link. Adding more security doesn’t work, it only causes people to figure out ways to get around the security.

The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Don Norman

This isn’t news to anyone in the security space. Even those of us who are reasonably aware of security issues can still have problems. A few weeks ago I clicked on a phishing link. It was a delivery notification. I’d just ordered something online. It looked plausible. I clicked the link. Lucky for me there wasn’t drive-by malware on the site.

A few years ago, there were a number of email people arguing that two factor authentication (2FA) would fix the security problems. Steve wrote a couple blog posts here explaining why that was unlikely. (Defending against the hackers of 1995, What is Two Factor Authentication, Two Factor Authentication)

What is two factor authentication?

The older blog posts talk about 2FA, but a quick review for folks. 2FA requires two separate factors to identify a user. Many people describe this as “something you know and something you have.” A user might know their password and have access to a phone that will receive a SMS one time code.  Many online services currently offer two factor authentication. Google even provides an authenticator app people can run on their cell phone. Companies that want to offer 2FA using that app can. I set up 2FA for a service over the weekend – it was as simple as taking a picture of a QR code and typing the resulting number into the website.

What’s the problem?

The problem is that it is possible to subvert 2FA. Back in 2011 attackers hacked one of the major 2FA vendors and stole the master keys. A little while later, some government contractors reported attempts to break in potentially using this information.

Now we’re using multiple forms of 2FA, so it’s more secure, right? No.

TechBeacon has a recent article looking at some of the ways that 2FA has been compromised. Most of these involve a human making a decision and taking an action to subvert security through different channels.

For me, one of the most interesting links is a blog post from Justin Williams earlier this month. His cellphone number was transferred, against corporate policy, to another phone. The hacker then used the 2FA to transfer money out of his PayPal account.  This situation is why I cringe when I hear about a service rep bypassing policy to help out a user. Every time this turns out OK it’s great. But it’s also training customer support that it’s OK to make exceptions. No, it’s not. Even when it’s the saddest sob story you’ve ever heard.

Companies train users to be victims

Also this month a health insurance company sent a USB stick to users. The accompanying letter instructed users to plug the web key into their computer. No. Just No. This is training users to be victims when some attacker decides to do the same thing.

Marketers are another big part of the problem with training users to be victims. I wrote about this almost exactly a year ago in Working around email security. Steve walked through how many banks and retailers use cousin domains earlier this year. I saw another example just recently, prompting me to create a meme to share on Facebook.

Security and usability

For many years, there was a belief that security and usability were contradictory. Increasing security leads to less usability. There is certainly some of that in play still. But I think many of us in the email marketing space need to start thinking a little more about security. We are responsible for presenting our brand in the inbox world. Do we want to train our users that every email comes from a different domain? All the authentication and DMARC policies in the world won’t protect us from cousin domains. Marketers that use cousin domains are setting their brands and consumers up for failure.

A brand that is consistent in its sending and authentication not only develops good reputation for delivery, they also help innoculate users against attacks by third parties. Marketing departments can take the lead in creating a more secure environment online. Building security into messaging streams is more than just technical authentication, it’s about the whole message and domains and consistency. Every marketer needs to think about how they’re presenting their brand. How many different domains are you using in your marketing campaigns? How easy would it be for a bad guy to register a similar one?

Don’t set your users up for failure.

No Comments

Happy 80th Birthday to SPAM

Not the kind we hate. The other kind. That’s best served over sushi rice.

80 years of SPAM

No Comments

Searching for a new ESP?

250OK has compiled advice about what buyers should ask when looking at new ESPs. The advice from various folks is spot on.

Changing ESPs is a big undertaking, bigger than most people expect. It’s not like changing vendors for other services. It is a process and most of the time moving creates a short term dip in deliverability. I have a lot of theories and speculation as to why, but the evidence is pretty clear. I think Mike Hillyer summed it up best: “I think the most commonly missed question is ‘will changing ESPs truly affect the outcomes we are looking to change?’”

I also liked the answers to the question about using multiple ESPs. My view is that unless there are specific requirements for different mail streams the answer is no, don’t do it. And don’t think you can keep a “backup” ESP with “partially warmed IPs” and be able to turn it on as disaster recovery. Email doesn’t work that way.

It’s an article well worth a read.


No Comments

Engagement drives deliverability

Return Path released an white paper today offering the Secrets of Successful Senders. I don’t think any of my readers will be surprised that it boils down to identity, reputation, and engagement. Return Path treats these as separate things and I understand why they do. I think however, that the identity and reputation are supporting players to the overarching issue of engagement.

When I’m dealing with clients and troubleshooting deliverability problems and offering solutions, I focus on the root cause. To me the root cause is almost always a data problem. Either there’s a problem with data collection or there’s a problem with data maintenance. These problems result in mail going to people who don’t really want or care about it.

Yes, identity is important. But, realistically, anyone mailing through a decent ESP has SPF and DKIM in place, at least on some level. There may be better ways to authenticate, but the boxes are checked.

Yes, reputation is important. But here’s the thing, reputation just means that the ISP knows how users are going to react to an email. Reputation isn’t some nebulous concept made up by ISPs. It’s an actual measurement. It quantifies the history of an IP or a domain or a mail stream and says we know that this IP sends wanted mail. We know that this domain sends mail our users ignore. It’s a history. Past performance does indicate future results.

Identity says who a sender is. Reputation tells us that sender’s history of sending. Those are the two factors that enable ISPs to make delivery decisions. Mail comes in and the ISP looks at it. They use identity to determine what reputation to assign to a mail. Reputation drives delivery, whether into the inbox or the bulk folder.


Engagement is the key

All of the various metrics we use are proxies for engagement. High levels of complaints tell us users don’t like the mail. Low levels of opens tells us they don’t care enough to read it. Excessive bounce rates tell us that our data collection process is poor.

I see too many deliverability consultants and experts suggest that the fix is to make the numbers look better. Lower overall bounces using a list hygiene company. Remove complainers by using multiple ESPs. Use gimmicky subject lines to get recipients to open. These processes will sometimes fix delivery in the short term. They’re a solution in specific cases, and typically work for companies with high brand recognition and a core of engaged users.

For companies without a core of engaged users, however, all they end up with is a list that has low bounces, low complaints and erratic deliverability. They don’t know how to address the problem because all they’ve done is hide the symptoms.

If I take aspirin for a fever, I haven’t cured the flu. I have just lowered my fever. If I use a list cleaning service to remove bounces, I haven’t suddenly found a list of engaged users. I’ve just lowered my bounce rates.

Why purchased lists don’t work

Lack of engagement is the underlying reason purchased lists don’t work. Companies sending to purchased lists have identity. Sometimes, they even have a decent reputation built on the back of actual opt-in emails. What they don’t have is engagement. The majority of recipients don’t really care about the mail, so they aren’t engaged. Therefore the messages never make it to the inboxes.

The dirty little secret of list sellers is they work very hard to remove negative signals from their product. They’ll remove bouncing addresses, they’ll even try to remove users that will complain about the mail. The measurements say this is a “good” list, but it’s lacking one thing. The recipients on that list don’t necessarily want mail from the final purchaser.

Putting it together

Yes, identity is important. It’s how the filters know what the mail’s reputation is. Good reputation is important, but the only way to build a good reputation is send mail that’s wanted. How do ISPs know what mail is wanted? Their users tell them so.

Engagement is the root of all deliverability. Everything else just makes it easier for filters to see the engagement.


No Comments

Summer 2017: Moving so fast

It’s been a busy summer so far! If you’ve been too busy to read the blog regularly, here’s an early summer wrap up of our posts from May and June.

A small but significant part of our consulting practice is helping people with delivery crisis situations, such as figuring out what to do if you’re listed on Spamhaus or other block lists, or getting delisted at AT&T. People also ask very specific questions about things like text to image ratio. We answer these directly for clients, on the blog generally, and in my Ask Laura column.

Most of what we do, however, is larger strategic work on creating smart email programs that are designed for deliverability. Our primary focus is to help marketers think about how to send email people want — and have asked — to receive. I went into detail on this in my post on how permissions trump metrics. We also help clients with what we call reading between the lines, or useful ways to think about collaboration between ESPs and their customers. Another enormous area of focus is helping people understand filters in a big picture — or gestalt — approach.

We also talk a lot about list purchasing, appending, and all the other ways people acquire email addresses without direct permission from recipients. Our most recent examples: a colleague who added me to a list they’d built from their LinkedIn contacts (using a wholly different email address), Steve’s experience trying to get hotel wifi, and lists passed between political campaigns. Spammers can generate lists that are “clean” enough to fool ESPs just long enough to get a send out the door.

Unwanted email is unwanted email, even when it’s in a B2B context. When someone reaches out “personally” to me to tell me how useful they think I will find their product or service for my business, that’s still SPAM, even if it’s coming from a personal address or a gmail address to try to get around filters. Even if it’s to say Hello from your LinkedIn BFF. Seriously?! More on permission here.

I often use unique email addresses when I interact with companies, and this shows me both when my address is purchased or shared without permission and when a company has a data breach. Sometimes this can be challenging to report, however, as illustrated (hilariously!) in my Shibboleet post.

In legislative news, the FTC would like to know if we still need CAN-SPAM, and other important feedback on the rule. Though it obviously has not entirely saved our inboxes from SPAM, there’s still a lot of good there. Our neighbors to the north have just announced a delay in one of the major provisions of their anti-SPAM legislation, the private right to action provision of CASL. Both the provision and the delay are interesting, so I went into some detail in my post.

Steve wrote several posts about DMARC, starting with The Philosophy of DMARC, which goes into detail about how the method evolved and the thinking behind it. He followed up with another lengthy post about how DMARC breaks, and a solution for that, the Authenticated Received Chain (ARC). He also posted a message from Fedex as an illustration of how DMARC doesn’t fix phishing.

In fact, phishing just keeps getting more and more sophisticated. And sadly, it seems that senders are not necessarily getting smarter in response.

Steve also wrote about how you can figure out (more or less) if a sender is using DKIM. He also added a useful explanation of protocol-relative URLs in email.

In industry news, I added some detailed information from AOL on the final bits of the Verizon migration and a note about how to handle bounces with disappearing domains.

The best part of my early summer was speaking on a few panels at the ESPC meeting and celebrating the one year anniversary of our Women of Email network with an in-person board meeting in Las Vegas. As someone who works mostly remotely, I very much enjoy coming together with colleagues to connect in person and share ideas and stories. Let me know if you know of any interesting events I should attend later this year.


Active buttons in the subject line

This morning I waded into a twitter discussion with a bunch of folks about some issues they were having with delivery to gmail. The discussion started with a blog post at describing how some senders are seeing significant drops in open rates. I thought I’d take a look and see if I can help, because, hey, this is an interesting problem.

I signed up for a bunch of the mail that was seeing gmail problems and discovered that one of them had the confirmation link in the subject line. How cool is that?

I’ve known about the Gmail subscription line functionality for a while, but this is the first time I’ve seen it in the wild.

The action is in a <div> tag at the bottom of the email. Gmail has been allowing actions in subject lines for a while, this is just the first time I’ve seen it used for subscriptions. It’s so cool.

Want to add one to your post? Instructions are available from Google on their Email Markup pages.

1 Comment

5 steps for addressing deliverability issues

Following on from my reading between the lines post I want to talk a little bit about using the channels. From my perspective the right way to deal with 99% of issues is through the front door.

Last week I found myself talking to multiple folks in multiple fora (emailgeeks slack channel, mailop, IRC) about how to resolve blocking issues or questions. All too often, folks come into these spaces and start by asking “does anyone know someone at…” Fundamentally, that’s the wrong first question. Even if the answer is yes. It’s even the wrong question if a representative of the company is on the list where you’re asking for help.

If that’s the wrong question, what is the right question? Where can we start to get help with issues when we’re stuck trying to fix a delivery problem we don’t understand?

1: Read.

Read the full bounce message. The first step is always reading the full bounce message. ISPs are pretty good at providing information in their bounce messages. Look at the full message, and follow any links. Read the information. The links are typically designed for the folks who work in the industry. This means sometimes the language might be jargon. It can take a little work to understand but the help is intended to be there.

In many cases, these information pages will contain links to contact forms for further questions. They’re often not accentuated like a typical call to action. This is intentional. If the visitor is skimming and looking for a contact us button, they’re not actually reading the information on the page. Companies put a lot of time into creating these pages, and try to cover most of the common issues and resolutions in them. Most of the time these pages cover the issue a particular visitor is having.

2: Use the form.

In those cases where the information on the page doesn’t seem to apply, the next step is to use the contact form. Sometimes these forms seem wildly inappropriate, and ask for all sorts of strange bits of information unconnected from the problem. Still, it is best to fill out the form as completely as possible.

There are certain bits of information that are vital for troubleshooting an issue. Things like the sending IP, the domain authentication, any special codes in the bounce string help the sender address the issue. Without those bits of information, it’s nearly impossible for the ISP to answer questions and resolve the blocks.

2a. I can’t find the form.

If you can’t find the form there are a couple things to check. One is to do a text search (⌘-F or alt-F) and search for “contact” or “form” to find the actual link. I do this, sometimes, when I’m in a hurry and my eyes are glazing over the text and I keep missing the link. The second is to search the web. I maintain a list of postmaster pages and links (which is less maintained than I’d like, but I’m working on that). I’m also not the only person who aggregates that data, although most of the links I can find right now focus on the FBL signup pages (ASRG, MAAWG, and Wikipedia).

Sometimes there isn’t a form to fill out. Often this is because the maintainer doesn’t want to or won’t answer questions. There isn’t much to do in these cases.

3: Ask around.

The the previous steps haven’t worked, reaching out for help is the next step. It’s very common for a lot of technical folks to hang out in online spaces to answer questions to help those learning. In the email space, I’d say that was mailop. I regularly see questions in a lot of different places, like public, private and semi-private mailing lists, and slack channels.

There are right ways and wrong ways to ask for help in these fora. That’s probably a whole blog post in itself, but let’s look at some of the highlights.

  • Provide the full bounce message
  • Provide as much information about your network as possible, including domains and IP addresses.
  • State what you’ve done
  • State how long (roughly) the problems’ been going on.

Notice I didn’t add in a state what kind of help you want or will accept in that list of bullet points. All too often messages come in looking for direct personal contacts. That’s usually not going to happen, particularly if no one knows you. I’ve blogged about why using personal contacts is bad practice before: Use the form, Follow the script. As J.D. points out in the comments of the second blog post, some of the technical folks shouldn’t be customer facing, so using the channels is better for everyone.

4. Listen.

The answers we get back from requests are not always the answers we want. I mentioned a few of the issues in last week’s blog post. They’re not the only problems. The biggest problem I see is senders not wanting to believe what’s there in black and white. They don’t want to hear the answer or believe it.

I get it. It’s hard to believe that people don’t want that carefully crafted and targeted email. Therefore, the filters must be wrong, it must be a mistake. More often than not, though, the filters are catching the mail they’re designed to catch.

There are, of course, cases where the filters are wrong. Generally that is the only place to use trusted back channels. The folks managing the filters don’t want to hear or listen that they’ve screwed up any more than email senders want to hear it. But when someone who never argues about a filter or a listing sends and email  asking if they meant to block a particular class of mail, those inquiries are taken seriously. Sometimes, as with the listbombing SBL listings, the answer is yeah, actually, we did mean to do that. Other times it’s a ooh, no, let’s fix that.

5. Interpret and act.

The final step is to take the information and act on it. This can be a challenge as often the replies don’t list a set of changes to make. They’re never going to be specific. To quote a post from the mailop list:

What we do for one, we must do for all.
If we can't do it for all, we can't do it at all.

While this statement is from a single ISP, I believe the sentiment is broadly applicable. ISPs do not and will not provide step by step instructions for delisting. They can’t. The minute ISPs start sharing that type of information spammers will take advantage of that. Once again, we all suffer because spammers are jerks.

The good news is dozens of websites, including this one, provide free advice and assistance on how to fix delivery problems. ESPs have extensive internal documentation for customers. Many ESPs have experts on staff to help customers.

Even better that all the free and included resources, there is usually one underlying issue causing delivery problems. Conceptually it’s easy to fix deliverability problems. Delivery fails because recipients aren’t excited about the messages. Solving delivery problems boils down to sending mail recipients expect and want to receive. Figure out how to do that and you’ve solved the long term problem. Solving the short term problem means focusing mailing engaged users.



  • OTA joins the ISOC

    The Online Trust Alliance (OTA) announced today they were joining forces with the Internet Society (ISOC). Starting in May, they will operate as an initiative under the ISOC umbrella. “The Internet Society and OTA share the belief that trust is the key issue in defining the future value of the Internet,” said Internet Society President and CEO, Kathryn Brown. “Now is the right time for these two organizations to come together to help build user trust in the Internet. At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users,” added Brown.No Comments

  • Friday blogging... or lack of it

    It seems the last few Friday's I've been lax on posting. Some of that is just by Friday I'm frantically trying to complete all my client deliverables before the weekend. The rest of it is by Friday I'm just tired. Today had the added complication of watching the Trumpcare debate and following how (and how soon) it would affect my company if it passed. That's been a bit distracting, along with the other stuff I posted about yesterday. I wish everyone a great weekend.1 Comment

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments