It’s not always easy to know what the actual headers and body of an email as sent look like. For a long time accepted wisdom was that you could send a copy to your gmail account, and use the Show Original menu option to, well, see the original message as raw text. It turns out that’s not actually something you can trust. I used swaks to send a test message with an extra header to my...
About My Email
Happy 2024, everyone! We’ve released a shiny new tool to let folks self-check a lot of common questions we see about email requirements. Go to AboutMy.email and send an email to the email address it gives you. Once it receives that email it will go through it and do many of the basic checks we’d usually do to check the technical health of a client’s email1AboutMy.email is a...
Can you STARTTLS?
Email supports TLS (Transport Layer Security), what we used to call SSL. Unlike the web, which split it’s TLS support off into a completely different protocol – https, listening on port 443 vs http listening on port 80 – SMTP implements it inside it’s non-encrypted protocol. A mailserver advertises that it supports this by having the word “STARTTLS” in the...
Customer subdomain authentication
EDIT: Now with a production-ready implementation I talk about more here. On Tuesday I wrote about using DNS wildcards to implement customer-specific subdomains for email authentication. As I said then, that approach isn’t perfect. You’d much prefer to have per-customer domain authentication, where each customer has their own DKIM d= and ideally their own SPF records, rather than...
Wildcards and DKIM and DMARC, oh my!
If you’re an ESP with small customers you may have looked at the recent Google / Yahoo requirements around DMARC-style alignment for authentication and panicked a bit. Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.…For direct mail, the domain in the...
The trouble with CNAMEs
When you query DNS for something you ask your local DNS recursive resolver for all answers it has about a hostname of a certain type. If you’re going to a website your browser asks your resolver for all records for “google.com” of type “A”1or “AAAA”, but that’s not important right now and it will either return all the A records for google.com it has...
How to Unsubscribe
Eventually our subscribers won’t want our email in their inbox any more. They can stop the mail either by unsubscribing from it, or by marking it as spam. We’d far rather they do the first so we should make it as easy as possible for them to unsubscribe. Also in most jurisdictions you’re legally required to offer a functional, easy to use unsubscription channel. So, how to do...
The Case of the 500-mile Email
I stumbled across this story again this morning, and it’s such a lovely delivery yarn I thought I’d share it. It’s from Trey Harris, and it’s set in the mid 90s. Here's a problem that *sounded* impossible... I almost regret posting the story to a wide audience, because it makes a great tale over drinks at a conference. :-) The story is slightly altered in order to protect...
iOS17 filtering click tracking links
I’ve heard quite a bit of concern about what iOS 17’s automatic removal of click-tracking parameters means, but less discussion of what it actually does. Broadly it’s Apple trying to improve user-privacy by making it harder to do cross-site tracking at scale. Cross-site tracking is the basis of a lot of privacy-violating tracking technologies, and tracking parameters added to...
C is for Cookie
Trekkie Monster. He’s obsessed by social media and isn’t owned by Children’s Television Workshop. What is a Cookie? I’m not talking about biscuits, nor about web cookies, at least not exactly. When you’re talking to a protocol developer a cookie is a thing you’re given, that you hang on to for a while, then give back. If you leave your suitcase with your hotel...