A number of folks are talking about a significant uptick in Barracuda IP blocks over the last few days. These blocks appear to be affecting wide ranges of IPs across multiple networks.
Folks have been reaching out to Barracuda through their unblocking form. Many of them are not receiving answers, but some are getting answers that say they may be old listings, and there is no current data to support the listing.
This issue is ongoing, as I was writing this post another ESP posted that they were seeing widespread listings affecting multiple customers. As of 1500 UTC folks are still seeing listings populate.
I did reach out on Twitter and their CS folks are passing the reports on to the correct people inside the company. Updates as I get them.
Update (1900 UTC): Barracuda support is actively responding to issues on Twitter. If anyone is actually a Barracuda customer, they’d like a case filed with support about this. Posters on mailop say Barracuda is aware of the issue and are trying to fix.
June 19: The blocks should be resolving now. More information on the update blog post.
Last week news broke that Mailchimp had disconnected a number of anti-vaccination activists from their platform and banned anti-vax content. I applaud their decision and hope other companies will follow their lead in banning harmful content from their network.
These kinds of decisions, where providers say you can’t do that on our network, are because these are private platforms. As I talked about recently, they own the platform, they make the rules.
The same ownership that gives ESPs the right to ban content, also gives them the ability to enforce deliverability standards. These are the rules they enforce on customers to ensure a reasonable reputation. What kind of rules will a good ESP implement and enforce?
Identify yourself and your company with accurate information. Be upfront and transparent about who you are and what you mail at the point of address collection.
Collect permission directly. Do not outsource your permission to a third party. This means no co-reg, no renting lists, no purchasing lists.
Respect your recipients. Do send email at the right cadence for your particular audience. Remove unengaged users who do not interact with your mail for an extended period of time.
Respect the recipient domain rules. Set appropriate limits on the number of connections and sending speed. Handle bounces correctly. Don’t keep connections open for longer than necessary. Don’t allow customers to send spam.
How ESPs enforce these rules depends on the ESP. Some are more proactive than others. Any decent ESP is going to have a deliverability and/or compliance team that monitors for complaints and blocks and other obvious signs of deliverability problems. But the monitoring doesn’t stop there. There are a number of tools that have recently entered the market that allow ESPs to measure the quality of their customers’ data.
ESPs also monitor things like opens and clicks and engagement statistics. Customers who fall below standard thresholds are asked to improve their lists. For some senders this seems invasive and problematic. But responsible and legitimate senders know that removing unresponsive addresses benefits them. Even if they lose a few might-eventually-respond-someday addresses, there is significant long term benefit to maintaining an engaged list.
Enforcing good practices and data hygiene is expensive and can cause some hard feelings among customers. Companies who don’t enforce minimum standards can often find themselves in a downward spiral headed towards failure. I’ve worked with some of the ESPs in the past, and it’s never a good position.
ESPs that do enforce standards and good deliverability practices have customers that reach the inbox more effectively. Their raising of the standards bar often means smaller lists. But those smaller lists have a bigger reach and are more profitable for their owners.
One of the things I’ve been spending a lot of time thinking about lately is how we measure deliverability. Standard deliverability measurements include: opens, bounces, complaints, and clicks. There are also other tools like probe accounts, panel data, and public blocklists. Taken together these measurements and metrics give us an overall view of how our mail is doing.
More and more, though, I see senders meeting all the standard metrics for these measurements, yet still struggling with deliverability. In many ways this isn’t surprising. There are a whole host of tools out there that allow senders to manipulate the underlying metrics without changing their underlying practices. To complicate matters even more, there are tools that manipulate open and click rates by following every link in an email. Finally, we know that some ISPs don’t send 100% of the “this is spam” messages to their FBL. Other metrics, like probe accounts, are inaccurate in an era of personalised delivery based on activity.
All in all, these metrics were built to tell us things about a mail system that no longer exists. Our next challenge is to figure out what metrics to use in the future. How do we monitor the effectiveness of our address collection processes and our deliverability?
One thing I’ve started having customers look at, especially my ESP clients, is how the consumer ISPs are accepting their mail. Are they seeing temp failures and if they are, what specific mailstreams are the temp failures related to? It’s a little early to tell if this is an effective measurement for ESP compliance purposes. It’s definitely helping identify problematic mail streams for my brand clients and allowing us to make adjustments to get to the inbox.
What I do know is that we in the deliverability space need to continue innovating and thinking about how to measure our deliverability. Mail filters are evolving, and we must evolve as well.
A few weeks ago, Return Path announced they were being purchased by Validity, who also own BrightVerify. Last week, they had a round of layoffs. According to sources inside the industry, Validity is closing the New York headquarters and Indianapolis offices and layoffs involved more than 170 staff members.
Return Path has been a fixture in the deliverability space for years. While they didn’t invent email certification, they were the only VC backed company that survived. Their suite of tools was the only major player in the market for quite a while. All of this contributed to creating the deliverability industry as we know it today.
But as I’ve been writing about for a while, things are really changing in delivery. How mail is filtered is significantly different now than it was a few years ago. The changes at Return Path, including some of the positions eliminated during the layoffs, tell me that the new owners see those changes as well.
Over the years Return Path has effectively addressed current deliverability challenges. When deliverability was mostly about IP address reputation and global inbox decisions, they created probe accounts and developed their certification program. As filters changed, they introduced panel data and improved their certification requirements. I attribute much of their success to the company leadership and their focus on supporting the same goals as the ISPs – to get email to the people who want it and minimise the amount of unwanted email.
The purchase announcement from Validity makes me wonder how much of that will continue over the next few years. Part of the reason Return Path has been so successful over the years is their focus on permission and good email marketing practices. I don’t see much of that focus in the Validity announcement. In fact, looking at the products Validity are selling they seem to be building a suite of tools designed to minimise the bad effects of acquiring addresses through channels other than direct opt-ins from recipients.
Will Return Path continue on the path its been on for the last 2 decades or will this change under their new owners? Only time will tell.
Much of the equipment and wires that the internet runs on is privately owned, nor is it a public utility in the traditional sense. The owners of the property have a lot of leeway to do what they like with that property. Yes, there are standards, but the standards are about interoperability. They describe things you have to do in order to exchange traffic with other entities. They do not dictate internal policies or processes.
As the owners of the equipment, companies have a lot of discretion about what they allow on their network, hence their network, their rules. As an example, both Twitter and Facebook are well within their rights to deny or allow traffic on their networks, no matter what the rest of us think about it. As they are not interoperating with other social networks, they make the rules.
This lack of interoperability extends to inbound email filtering as well. The filters can block any mail for any reason, and the sender has no real recourse. There are, of course, folks who can make changes to filters, but they are recipients, customers and business priorities of the filter maintainer.
Recipients are the final arbiters of what mail they want or don’t want. Many of the consumer mail filters are tuned to parse whether a mail is wanted or unwanted based on signals from the recipients. These aren’t the only signals used, mail has to be safe and come from a well behaved MTA. But most of the consumer ISPs care about keeping their users happy.
This is why so much advice, from myself and others, relies on getting the users to interact with the message. Most of the providers want users to be happy and so they will listen when users start complaining. Some providers, like Microsoft, even have formal processes to gather feedback from users on the accuracy of their email filters.
For business filters, customers are the primary driver. Most business filters, even those maintained by consumer ISPs, have an extra layer of filtering. This layer sits on top of the filters sent out to all customers, allowing each individual company to control their own incoming mail. Filtering priorities are set by the company.
Filters do what they’re told to do. Ultimately, business needs and priorities drive what filters do. The reason they can is because mail servers are private property and the owners can manage them the way they want to.
At WWDC 2019 Apple announced “Sign in with Apple.” This is a service that allows iOS users to log into different applications with private, dedicated email address. When developers send mail to that address, Apple will forward it to the email address associated with the users AppleID. App developers that offer any third party log in will be required to also offer AppleID log in.
Apple has set up a private email relay service for this program. Program users must register their sending email domain and addresses and publish SPF records for that domain.
In order to send email messages through the relay service to the users’ personal inboxes, you will need to register your outbound email domains. All registered domains must create Sender Policy Framework (SPF) DNS TXT records in order to transit Apple’s private mail relay. You can register up to 10 domains and communication emails. Configure Private Relay
Not only are Apple protecting their user’s email addresses, but they’re also denying access to anyone who is not preregistered. This means any stolen apple addresses are likely to be invalid after they’re stolen from the initial sender.
I do have to wonder what deliverability will be like. This is just a forwarding service so there are questions about how this will affect marketers.
When registering addresses, do you need to register the 5321.from, 5322.from or both?
Will the relay server rewrite the 5321.from?
If the relay server rewrites the 5321.from, how will that interact with companies using only SPF authentication for DMARC?
If the relay server doesn’t rewrite the 5321.from, how will that interact with companies who use only SPF authentication for DMARC?
Will the relay server make any changes that break DKIM?
When forwarding to domains that have DKIM based FBLs will FBL mails reveal the recipient address to the marketer?
What happens to mail coming from an unregistered email address?
How do users unsubscribe from emails? Will Apple include the private email address in emails?
How is Apple going to maintain the reputation of their relay IP addresses?
I’ve got mail into Apple asking if they’ll answer some technical questions about this. We’ll see if they answer.
Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.
The sad fact is, many ESPs are really horrible about dealing with spam coming from their networks. The older, larger companies are often a jumble of poorly integrated technologies resulting from a decade of acquisition. More than a decade ago I sat at a MAAWG conference with the director of deliverability at one of the oldest ESPs. We were talking about their recent Spamhaus listings that I’d been hired to help address and their overall complaint processes. One of the issues was, due to multiple mergers and acquisitions, half of their abuse mail went to the wrong place and some of it was being thrown away.
This is an old story, but only as an example of how long this problem has been going on. Even now, companies retire domain names from receiving mail, but still have them littered throughout their email headers. They miss complaints, they miss notices and then they discover they and most of their customers have extensive delivery problems.
The newer companies are lean and agile and don’t think about investing in actual compliance work until they run face first into an escalated Spamhaus listing. Their solution to the problem is to throw machine learning at it, and try and come up with a way to programatically identify bad customers. The problem is this is a moving target and there’s nothing set and forget about it. Algorithms like this need to be constantly maintained and trained. May as well invest in the human element.
Of course, this is all about the customers sending mail through ESPs. But that’s not the only problem. There are any number of ESPs whose own marketing teams use spam. I cannot tell you the number of companies in the space who’ve decided to add me to their marketing list without bothering to ask me if I want to hear from them.
Just last month I started receiving mail from an ESP. “We’ve made an acquisition! We’re growing!” was the first message I received from them. I wasn’t sure what was going on so I contacted their abuse desk asking what opt-in data they have for me. The person I contacted was apologetic and said she’d chase it down. She also informed me I’d be removed from future emails.
A few days later I received an email telling me that they weren’t really sure where I opted-in, but that it was probably a page on their website that they no longer had up. This doesn’t sound right as the address was one I don’t enter into forms. If a form doesn’t take a tagged address, I use a gmail account. But, I want to give the company the benefit of the doubt so I treat it as solved and move on.
Three weeks later I get another email from the same ESP advertising an upcoming webinar. Again, I send mail pointing out that I was assured I’d been unsubscribed. This time my colleague responds and tells me that I signed up for their mailing list because I attended a conference with them in 2016.
I don’t even have words for how grossly inadequate this response is. If it’s true, which I don’t even know any more, it’s horrible marketing to wait 3 years to start mailing someone after acquiring their email address. But the incompetence doesn’t stop there. This was a conference I attended to speak on two different panels, both regarding deliverability and how not to send spam. As a speaker I don’t always visit the trade floor and if I do, I don’t hand out cards or ask for more information. In any case, I can say with quite a bit of certainty this company wasn’t at the trade show, as they announced this version of their name about 6 months after the conference.
Of course, this isn’t as unusual as it should be, one reason I’m not naming names. ESPs hire aggressive marketers who often send spam… er… “cold emails.” It still amounts to the same thing – an unending bombardment of unsolicited emails from companies who then turn around and ask to be added to my list of “good ESPs” that don’t allow purchased lists.
ESPs need to step up and stop allowing spam on their networks. This goes for customer mail and for their own mail. It’s long past time for them to invest in actual compliance desks and start actually requiring customers to send better mail.
A number of folks in the sender space are reporting intermittent “This link may be suspicious” warnings on their emails. I first heard about it a few weeks ago from some clients. One wasn’t sure what was going on, the other found a bunch of malware uploaded into their customer accounts.
At least 3 people have mentioned it today. One of them asked on Mailop, and the couple Google employees over there are generally pretty helpful when issues like this come up.
What we currently know:
Multiple senders are seeing warnings;
The warnings are intermittent and not reproducible;
They’re affecting lots of links, including some ESP click domains.
From the outside, it looks like Google is being overly aggressive with their suspicious link detector and are generating a significant number of false positives. This is something they’ve got to fix. I’ll update when I know something.
Back in 2017 Techdirt wrote a series of articles about Shiva Ayyadura. Shiva claims he invented email. (narrator voice: he didn’t). I wrote about the lawsuit when it was dismissed on First Amendment grounds. The parties cross appealed, and have been in settlement talks for 18 months.
According to Techdirt, the non-monetary settlement they agreed to is that all the articles in dispute will have a link to a statement published by Shiva.
You may wonder how it could possibly take 18 months to negotiate a settlement about adding links to old articles — and, indeed, I wonder that myself. The entire process has been quite a pain for us. I cannot and would not describe this result as a victory, because this has been nearly two and a half years of wasted time, effort, resources, attention and money just to defend our right to report on a public figure and explain to the world that we do not believe his claims to have invented email are correct, based on reams of evidence.
Increasingly over the last few months I’ve been seeing questions from folks struggling with reputation at Gmail and inbox delivery. It seems like everything exploded in the beginning for 2019 and everything changed. I’ve been avoiding blaming it all on TensorFlow, but maybe the addition of the new ML engine really did fundamentally change how things were working at gmail.
What folks are seeing
Cutting back to engaged only users is not effectively improving reputation.
Inboxing is no longer directly tracking with reputation on GPT (high reputation mail is going to bulk, low reputation mail is going to inbox).
Recipients are complaining about mail being misfiltered.
What can we do?
Right now, we’re mostly falling back on the things that worked 6 months ago: cut back sending to the most engaged recipients and then gradually add back in other addresses once you’re back in the inbox. The challenge is we’re not seeing the improvements we’ve become accustomed to seeing when using this strategy.
With one of my clients their reputation, as reported on GPT, actually fell during the period of cutbacks. Based on consistently high open rates and various inbox tests, including my own and those by one of the commercial vendors, we determined that recipients were getting mail in the inbox despite the low reputation.
Other delivery experts have reported similar patterns. Horrible domain and IP reputation (sometime in the deepest, darkest red) but reaching the inbox and seeing open rates in the 20 – 30% range.
I’ve also seen the flip side, green IPs and domain rep, but the mail is going to bulk.
Yup. Sorry. Wish I had better news. Right now we’re falling back to what worked 4 months ago, because it’s what we had and it did work.
One thing that is new information to me is that, according to folks inside Google, the domain and IP reputation showing on google postmaster tools includes all domains handled by gmail, including GSuite hosted domains. Maybe these are having a disproportional effect on reputation, I don’t know.
My current thoughts are:
Pay attention to your engagement and open rates at Gmail
Don’t worry about domain and IP rep too much, if your marketing is performing.
Maybe we need to start including G Suite hosted domains in engagement restrictions, as painful as that’s going to be.
Anyone got any insight? Is there something we’re missing here?