Email

ESP being phished is a Black Friday cataclysm

There is currently a phishing attack against a major ESP. The mail came through what I presume was a compromised account hosted at one of the providers. It’s just as possible this was a domain set up for the sole purpose of phishing, though.

Identifying domains that don’t accept or send email

A couple folks have asked me recently about MX records that they don’t understand. These records consist of a single . or they contain localhost or they are 127.0.0.1.

Techdirt lawsuit settled

Back in 2017 Techdirt wrote a series of articles about Shiva Ayyadura. Shiva claims he invented email. (narrator voice: he didn’t). I wrote about the lawsuit when it was dismissed on First Amendment grounds. The parties cross appealed, and have been in settlement talks for 18 months.

Send Actual SMTP

It’s rare I find mail that violates the SMTP spec (rfc5321 and rfc5322). I’ve even considered removing “send mail from a correctly configured mail server” from my standard Best Practices litany.

Email addiction survey

The great folks over at Zettasphere and Emailmonday have released their Email Addiction Survey. Nothing surprising in the data that I can see, although I suspect one particular data point is going to surprise folks.

Who didn't invent email, part 2

Back in 2014, Steve wrote an article discussing Shiva Ayyadurai,and his claims that he was the inventor of email. In that article he links to a number of articles from Techdirt. Earlier this year, Shiva sued Floor64, the parent company of Techdirt, as well as Michael Massnick the Founder, CEO and editor and Leigh Beadon, a writer for Techdirt. (Original Complaint pdf from ReCAP). Ars Technica has a good article on Shiva and his claims.

The complaint asserts that the defendants defamed Shiva in their articles, caused him economic harm and inflicted emotional distress on him.
Today the judge dismissed the case (Memorandum and Order, pdf from ReCAP) against Michael and Leigh. The legal standard for punishable defamatory statements is there must be a way to prove them true or false. The judge ruled that since there is not a single definition of email, that there is no way to definitively prove Techdirt’s statements as true or false.
No one disputes the Shiva coded a system that encompasses the features we expect of any desktop or web based mail client. As many people have mentioned, the fact he was 14 and put together a complex program is impressive in and of itself. No one is disputing what he did accomplish.
To my mind the fundamental core of email is interoperability. It’s that I can sit in my lab at the University of Wisconsin, type a message, hit send and have someone in Boston receive the message. I can sit here in my office in California and write to my client in the the UK. The bits of the email client, which define email according to Shiva, are not email. They’re important for usability, but they’re not what makes email email.
According to Ars Technica, Shiva is going to appeal the dismissal.
EDIT: Techdirt has posted an article on the lawsuit and the dismissal.

Happy New Year!

Well, we mostly survived 2016. A year ago I was making predictions about how 2016 would be the year of email security. I was thinking of things like TLS and authentication and access to the inbox. It wasn’t out of the question, Gmail said they’d be turning on p=reject sometime mid-year. They also were suggesting that they would be putting more value on messages that aligned, even in the absence of a DMARC signature. The first still hasn’t happened, and the second doesn’t appear to be in place, either.

That doesn’t mean email security wasn’t a hot topic in 2016. In fact, the use of a private email server was a major topic during the US elections. We also had spear-phishing play a major role in the compromise of campaign systems. I didn’t talk much about that here when it happened, but news reports make it clear that Chairman Podesta and others were targeted for compromise. The NY Times has a more in depth article with broader context around the attacks and how emails were used to infiltrate a major political party.
The irony is with all the time spent talking about how insecure the private server was, that server wasn’t compromised. Instead, the compromise was at Gmail.
We all need to pay attention to our email and how we use it. It also means when we’re sending bulk and marketing email we need to consider the private and personal information we’re putting in messages. Do you send PII? Is there a way you don’t have to? What can we do to protect our brand and our users?
It’s not just bulk email we need to think about, either. Personal email can contain PII, or personal information. A common saying among some of my security friends is “never put in email anything you wouldn’t want to see on the front page of the Washington Post or NY Times.” That’s an easy thing to say, but the convenience of email makes it easy to share information that we may not want on the front page of either paper. Many of us aren’t actually targets of malicious activity so we don’t have to worry about being targeted the way elected and other officials are. But that doesn’t mean we are not at risk. It just means we’re at less risk than others.
Email is a frequent vector for malicious actors to access computers. Most, if not all of the major breeches in the last few years have started with a phishing attack of some sort. The attacks are planned out and sophisticated. This is not going to get better. The phishers are smart and plan the attacks. We also need to be more personally aware of security given the current political climate. We need to take steps to protect ourselves more than we have in the past.
Security is more important than ever and we all need to protect ourselves.

September 2016: The month in email

Happy October, everyone. As we prepare to head to London for the Email Innovations Summit, we’re taking a look back at our busy September. As always, we welcome your feedback, questions, and amusing anecdotes. Seriously, we could use some amusing anecdotes. Or cat pictures.

We continued to discuss the ongoing abuse and the larger issues raised by attacks across the larger internet infrastructure. It’s important to note that even when these attacks aren’t specifically targeting email senders, security issues affect all of us. It’s important for email marketers to understand that increased attacks do affect how customers view the email channel, and senders must take extra care to avoid the appearance of spam, phishing, or other fraudulent activity. I summarized some of the subscription form abuse issues that we’re seeing across the web, and noted responses from Spamhaus and others involved in fighting this abuse. We’re working closely with ESPs and policy groups to continue to document, analyze and strategize best practices to provide industry-wide responses to these attacks.
I was pleased to note that Google is stepping up with a new program, Project Shield, to help journalists and others who are being targeted by these attacks by providing hosting and DDoS protections.
I’m also delighted to see some significant improvements in email client interactions and user experiences. I wrote a bit about some of those here, and I added my thoughts to Al’s discussion of a new user interaction around unsubscribing in the iOS 10 mail client, and I’ll be curious to see how this plays out across other mail clients.
For our best practices coverage, Steve wrote about global suppression lists, and the ways these are used properly and improperly to prevent mail to certain addresses. I wrote about using the proper pathways and workflows to report abuse and get help with problems. I also wrote about the ways in which incentivizing address collection leads to fraud. This is something we really need to take seriously — the problem is more significant than some bad addresses cluttering up your lists. It contributes to the larger landscape of fraud and abuse online, and we need to figure out better ways to build sustainable email programs.
Is there such a thing as a perfect email? I revisited a post from 2011 and noted, as always, that a perfect email is less about technology and more about making sure that the communication is wanted and expected by the recipient. I know I sound like a broken record on this point (or whatever the 21st century equivalent metaphor of a broken record is….) but it’s something that bears repeating as marketers continue to evolve email programs.
We had a bit of a discussion about how senders try to negotiate anti-spam policies with their ESPs. Is this something you’ve experienced, either as a sender or an ESP?
In Ask Laura, I covered shared IP addresses and tagged email addresses, questions I get fairly frequently from marketers as they enhance their lists and manage their email infrastructures. As always, we welcome your questions on all things email delivery related.

The perfect email

More and more I’m moving away from consulting on technical setup issues as the solution to delivery problems. Delivery is not about the technical perfection of a message. Spammers get the technical right all the time. No, instead, delivery is about sending messages the user wants. While looking for something on the blog I found an old post from 2011 that’s still relevant today. In fact, I’d say it’s even more relevant today than it was when I wrote it 5 years ago.

Email is a fluid and ever changing landscape of things to do and not do.
Over the years my clients have frequently asked me to look at their technical setup and make sure that how they send mail complies with best practices. Previously, this was a good way to improve delivery. Spamware was pretty sloppy and blocking for somewhat minor technical problems was a great way to block a lot of spam.
More recently filter maintainers have been able to look at more than simple technical issues. They can identify how a recipient interacts with the mail. They can look at broad patterns, including scanning the webpages an email links to.
In short, email filters are very sophisticated and really do measure “wanted” versus “unwanted” down to the individual subscriber levels.
I will happily do technology audits for clients. But getting the technology right isn’t sufficient to get good delivery. What you really need to consider is: am I sending email that the recipient wants? You can absolutely get away with sloppy technology and have great inbox delivery as long as you are actually sending mail your recipients want to receive.
The perfect email is no longer measured in how perfectly correct the technology is. The perfect email is now measured by how perfect it is for the recipient.

Improving Outlook Email Display

Today Litmus announced they had partnered with Microsoft to fix many of the rendering issues with Outlook. Congrats, Litmus! This is awesome. I know a lot of folks have tried to get MS to the table to fix some of the problems with Outlook. Take a bow for getting this off the ground.
According to Litmus, the partnership has two parts.

Internet security is national security?

This popped up on my FB feed yesterday.

What say you? Do we need to create a major effort to improve online security? What challenges do you see to making it work?
Edit: After I published this, I found an article stating that 3.7 million people had their personal health information compromised in a recent attack.

The history of email

My first access to “the internet” was through a dialup modem on a VAX at the FDA. I was a summer intern there through my college career and then worked full time after graduation and before grad school. My email address ended in .bitnet. I could mail some places but not others. One of the places I couldn’t send mail was to my friends back on campus.
A few of those friends were computer science majors, so one weekend they tried to help me troubleshoot things. . There were text files that they ended up searching through looking up how to send mail from .bitnet to .edu. But it was all a baffling experience. Why couldn’t it just work? I had email, they had email, why could we not talk?
I never did figure out how to send email to campus from .bitnet.
Eventually, the FDA moved from BITNET to the internet and I had a .gov address. I could send mail around just by getting the recipients’s address. But the mystery of why I could mail some .edus and not others still lingers. I wonder what our setup was that we couldn’t send mail. I’ll probably never know. I don’t even have enough details to explain the problem to someone who would know. I suspect the answer will be “bang paths” or “host.txt” files, but I really don’t know.

Memories of Spam in May

This morning on Facebook a friend posted a picture saying that 15 years ago was the very first anti-spam conference (Spamcon*). All we have are some blurry scans of pictures and coffee mugs.
.
That 550 sign belonged to the bar where the night out was held. It got bought by K & P and lived in their garden until it rotted away a few years ago. So many folks who are still active in the space, and so many folks who’ve moved on. Names I’d forgotten, faces I haven’t.
Many of those folks are still working in email. Some on the sending side, some on the tools and vendor side, some on the ISP side, some on the consulting side. That conference was one of the very first times people publicly gathered to talk about spam. There were other occasions, but most were invite only with hand picked representatives of specific companies.
At that first Spamcon I was freshly laid off from MAPS (now Trend Micro). I was considering what next. The thing is, I really liked the work I was doing. MAPS had me leading a team to provide abuse desk as an outsourced service. We had a very large network provider as a customer and we were handling all the mail that came into abuse@ there. It was a challenge, I was creating processes and documenting policy, trying to do more with less and managing my first team ever.
Much of what I do now, here, grew out of that position. It was clear even then there was a need for someone who could help navigate the challenges of email.
In the same thread another person posted pictures from a social night in DC during the FTC Spam Forum. More folks, some I have lost touch with and some who are still friends and colleagues.
We were so young. All of us.
This is yet another form of community that email created. Some of it was built over email, but a lot of it happened on USENET and IRC and local meetups. There were so many ways we built community using plain text and dialup. The technology has changed, and that community from a dozen years ago has changed but it’s still all the same deep down inside.

(* If, at any point, you see me type Spamconk instead of Spamcon please blame autocorrect. It’s being difficult and even tries to correct it when I go back and edit sentences.)

Why care about email?

I got my first email address in the very late 80s. I was an intern at a government agency. I learned a lot there: how to sequence DNA, how to handle radioactive material, how to handle human pathogens, and how to send email. I got my first non-work non-school address in the mid-90s. One of the first things I did was join some mailing lists.
One of them was a list for folks who had pet rabbits. I met a lot of people there, both online and in person. As with many people we meet through a shared interest as our interest wanes the relationships change. Some relationships were maintained, but some of us lost touch with one another. Moves, job changes, email address changes, they all affect our ability to maintain relationships online. I kept in touch with some, one was the maid of honor at my wedding and a few years ago I was the maid of honor at hers. I lost track of others.

We joined the i2Coalition

Word to the Wise has joined the i2Coalition. Today they posted our introduction to their blog.
Why did we do it?
Email, and online spaces, are so important to modern life. We shop, bank, communicate, play and interact online. The internet has facilitated everything from political revolution to coffee dates and international friendships. Steve watched the Berlin Wall fall from his college dorm room over the internet. The internet was a major factor in the organization of the Arab Spring and other political movements. And sometimes we just meet people online. BBSes, usenet, email, and social networks let us connect with each other.
With that being said, too many people see online spaces as nebulous and “not real.” But the reality is that people genuinely connect, organize, and participate in online spaces. Those spaces need to be protected so these things can continue. The internet is, in many ways, a very special and unique place that has facilitated the growth of millions of communities. Unless we protect the infrastructure, these communities will fall apart and be useless.

Things to read: March 9, 2016

It’s sometimes hard for me to keep up with what other people are saying and discussing about email marketing. I’ve been trying to be more active on LinkedIn, but there are just so many good marketing and delivery blogs out there I can’t keep up with all of them.

Here are a couple interesting things I’ve read in the last week.
Five Steps to Stay Out of the Spam Folder. Conceptually easy, sometimes hard to pull off in practice, these recommendations mirror many things I say here and tell my clients about delivery. The audience is in charge and your recipients are the best ally you can have when it comes to getting into the inbox.
Which states are the biggest sources of spam?. California and New York top the list, but the next two states are a little surprising. Over on Spamresource, Al points out the two next states have some unique laws that may affect the data. I just remember back in the day there were a lot of spammers in Michigan, I’m surprised there’s still a significant volume from there.
CASL didn’t destroy Canadian email. Despite concerns that CASL would destroy the Canadian email marketing industry, the industry is going strong and expanding. In fact, spending on email marketing in Canada was up more than 14% in 2015 and is on track to be up another 10% this year. Additionally, according to eMarketer lists are performing better because they’re cleaner.
A brief history of email. Part of the Guardian’s tribute to Ray Tomlinson, the person who sent the first email. Ray’s work literally changed lives. I know my life would be significantly different if there wasn’t email. Can you imagine trying to be a deliverability consultant without email? 🙂

Email in 2020

Late last year Litmus invited me to contribute to a whitepaper they were putting together about email in 2020. Today, they released Email Marketing in 2020. I am honored to be included in the list of experts that they chose.
One of the things I find so so much fun in participating in this type of joint project is seeing what other people’s visions are. When Chad first contacted us, his request was very simple. He wanted 400-ish words on what we thought would change. We all approached it from our own perspectives. The final document really touches on a wide range of changes and gives an bright and rosy view of the future of email.
It’s hard to imagine I’ve had email for more than 25 years. It’s become such a fundamental and critical part of my life. I mean, sure I’m an email professional but it’s more than that. Some of my best friends I met over email. I’ve gotten multiple jobs based on my presence on email discussion lists. Steve and I met around email. One of the fun bits of M³AAWG is that I get to see friends I first met almost 20 years ago over email.
Email has really changed in the last decade. It is now a critical part of daily life for many people. Even social networking would be nowhere without an email address. Email really is the key to the digital kingdom. That’s not going to change.
Email being the key to the digital kingdom is a challenge. It lets nefarious people into our homes and into our lives and into our computers. A lot of very smart people are working on how to make email safer for us. I think it will be much safer in 2020, through the hard work and dedication of a lot of people.
I strongly encourage you to download the Email Marketing in 2020 white paper from Litmus. There is a lot of insight. It will be fun to see how much of what was said becomes reality.

What do you think about these hot button issues?

It’s been one of those weeks where blogging is a challenge. Not because I don’t have much to say, but because I don’t have much constructive to say. Rants can be entertaining, even to write. But they’re not very helpful in terms of what do we need to change and how do we move forward.
A few different things I read or saw brought out the rants this week. Some of these are issues I don’t have answers to, and some of them are issues where I just disagree with folks, but have nothing more useful to say than, “You’re wrong.” I don’t even always have an answer to why they’re wrong, they’re just wrong.
I thought today I’d bring up the issues that made me so ranty and list the two different points of views about them and see what readers think about them. (Those of you who follow me on Facebook probably know which ones my positions are, but I’m going to try and be neutral about my specific positions.)

88 Miles per hour!

A lot of advertisers are really getting into this whole Back to the Future Day thing. A number of companies are compiling emails related to the phenomenon.
MailCharts
Milled
What other ads have folks seen referencing Marty and his trip back?

Give Recipients Options

A few years ago I subscribed to a financial website that emails out articles about investing as well as a recap of your investments. For the first few months I enjoyed reading these emails but as time went on, I found them less valuable and receiving them every other day they turned into a burden to clean up and deal with.
My options were to either unsubscribe or I could create a rule in Outlook to file away the emails to possibly read them later.
options What I would really like is the option to define how often I would receive the updates. If I’m actively looking to change my investments, I would want to receive the emails daily. I would also like to have the option for either a weekly or monthly email.
The frequency of mailings should be tailored to the subscriber. Buying a new car? I may want to see emails and reviews daily. Just bought a new blender? I want to receive emails for the first few days learning about the different features and recipes. The idea is to present options to each subscriber on what they prefer. It’s better to treat subscribers as individuals rather than sending the same message to your entire list.
The newsletter I was receiving does not provide me with any type of control over how many times I receive the updates. The newsletter is also lacking a working unsubscribe link leaving me no alternative to clicking “this is junk”.
Senders should consider providing recipients with options:

When to include a physical address

One of the requirements to be CAN-SPAM compliant is to include a physical address within every promotional email that is sent. If your company hires a third party to send email on your behalf, your physical address should be clearly visible within the message when the message is selling your products and services. There is a stipulation that if your message is transactional or a relationship message, then it does not need to adhere to the CAN-SPAM requirements by including your physical address or unsubscribe link.
Examples of transactional mail would be welcome emails, password resets, auto-responders, shipment notifications, or account alerts. While you and I may know that these emails aren’t required to include this information most users would not know.
street-signs The CAN-SPAM Act has been in effect going on 12 years and recipients look for unsubscribe links and physical addresses within the messages. Emails that are missing this bit of information leads the recipient to believing the message is spam. While including the physical address and unsubscribe link are not required for your transactional emails, it’s better to be safe than sorry and include them anyways.
The recipient may have recently received a series of marketing emails from you and when they receive a transactional mail message, they may want to adjust the frequency of the mail they are receiving. By not including an unsubscribe link and physical address, the user may resort to marking the message as spam.
When sending marketing and transactional emails, you want to adhere to the law and then take the user behavior and expectations into consideration. There is no harm in including your physical address in both your marketing emails and transactional emails.

Email can't be dead

Sitting in my drafts folder is a rant I wrote during one of the “email is dead” discussions. I think there’s a core of usefulness in my rant. The discussion was about how many click bait articles claim email is dead because people under 20 don’t have email accounts, or if they don’t, then they don’t check them.
Almost everything online is tied to an email account. Want Amazon prime? You need an email address. Want an Instagram account? you need an email address. Want access to Google docs? You need a gmail address. Want to buy almost anything off a website? You need an email address. Even for stuff that’s ostensibly displayed on mobile (event tickets, plane tickets, hotel check in info) they need an email address. Want to have access to iTunes? You need an email address. Want a blog hosted on blogspot? You need an email address.
Of COURSE people have email addresses. I will say that I’m finding myself using email a little less than I did. Facebook is a bit better at social networking than old school mailing lists and usenet. I mean, nothing will ever replace trn in my heart, but Facebook does remind me of usenet in some ways.
Oh, and yes, you mostly need an email address for Facebook (although I hear you can register an account with just a smartphone).
Email isn’t dead. Email isn’t going to die. Anyone who tells you otherwise is simply looking to monetize your clicks.

Amazon launching new email service WorkMail

Amazon is launching a new email service called Amazon WorkMail. Amazon already offers a Simple Email Service (SES) that allows customers to send outbound-only emails and unlike SES, WorkMail will be a full feature email, calendaring, and client management product. The new WorkMail mail service will compete with enterprise email solutions such as Microsoft Exchange Server. WorkMail will support the Microsoft Exchange ActiveSync protocol, something that Google disabled with Gmail in early 2013, and will include Mobile Device Management and Active Directory Integration. The new service will also utilize Amazon’s AWS Key Management Service that allows the customer to create and control their own encryption keys used to encrypt their data on AWS.
Amazon WorkMail will also scan all incoming and outgoing email for spam, malware, and viruses, however, it’s not clear yet if they are going with a third-party solution or will be creating their own filtering system.

September 2014: The Month in Email

September was another busy month for us, but Steve stepped up and wrote a number of really interesting posts on email history, cryptography, and current technical issues in the email landscape.
We started the month with a look at the various RFCs that served as the technical specifications for developing message transfer protocols in the 1970s. It’s really fascinating to look at the evolution of these tools we use every day 40 years later. We followed up with a second post on the origins of network email, which is a great primer (or refresher) on the early days of email.
Steve’s four-part series on cryptography and email started with an in-depth look at how the industry is evolving with respect to encryption and privacy issues. He then introduced us to Alice and Bob (or reintroduced those of us who have been following the adventures of the first couple of cryptography), and described symmetric-key and public-key encryption. His next post described message signing, and how DKIM is used to manage this. He finished up the series with a post on PGP keys.
In industry news: Spamcop is shutting down its email service. There shouldn’t be any major impact on senders, but the post has some specific notes on DMARC implications. We also noted an interesting mail routing suggestion on Twitter, and wrote a post on using Mail.app for this.
In other DMARC news, we wrote about DMARC and report size limits, which might be useful information, depending on your configuration. We also launched a new DMARC tool to help senders understand who is publishing DMARC. Let us know what you think and if you’re finding it useful.
We couldn’t let a month go by without mentioning filters. We looked at a sector we don’t usually discuss, corporate filtering, and went in-depth on a much-misunderstood topic, content filtering.
Finally, Laura offered a webinar on a favorite topic, deliverability, in conjunction with the AMA and Message Systems. If you missed it, you can watch the recorded version here, or just take a peek at some of the reaction via Twitter.

Lavabit shuts down

Lavabit is a secure mail system. Today their CEO announced he was shutting down the service immediately.

Ads in the Gmail Tabbed Inbox

One of the features of the new Gmail tabbed inbox is email-like ads placed by Gmail.

Boston police using email to warn residents

Jaclyn Reiss tweets:
Town of Watertown email blast sent just now says stay in home, follow police instructions, local businesses should NOT open
Email is not dead, not even close.
Stay safe, Boston.

4 things the new outlook ads tell us about email

Microsoft has a new TV ad showing how trivial it is to remove unwanted email from the inbox. Various busy people use the “sweep” and “delete” functions to clean up mail. The commercial even have a segment counting up the hundreds of emails deleted.
This tells me a few things.

Services, abuse and bears

A couple weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet.
Today’s blog post by Margot Romary at the Return Path In the Know blog reminds me that it’s not always new companies that don’t think about abuse potential before launching services.

The Physics of the Email Universe

We talk a lot about rules and best practices in email, but we’re mostly talking about “squishy” rules-of-thumb that are based on simplified models of how mail systems, spam filters, recipients, postmasters and blacklist operators behave. They’re the biology, ecology and sociology of the email ecosystem.
There’s another set of rules we tend to only mention in passing, if at all, though. They’re the steely, sharp-edged laws that control the email universe. They’re the RFCs that define how email works and make sure that mail systems written by hundreds of different people across the globe all work and all interoperate with each other.
Building a message from Zeros and Ones
RFC 5322 – Internet Message Format
This tells you everything you need to know about crafting a simple email, with a subject line, a sender, some recipients and a simple plain-text message. It’s also the foundation of all fancier emails. If you’re creating emails, this is where to start.
A little more than plain ASCII
RFC 2047 – MIME Part 3: Message Header Extensions for Non-ASCII Text
RFC 2047 is one small part of the MIME (Multipurpose Internet Mail Extensions) suite of protocols that allow you to include pictures and attachments and prettily formatted text and comic sans in your email. This part defines how you can put things other than the plainest of plain text in your subject lines or in the “friendly from” of your message. It’s what allows you to put Hiragana, or Cyrillic, or umlauts, or cedillas, or properly matched double quotes in your subject line. It also let’s you put hearts or smiley faces or other little pictograms there – but nothing this useful is going to be perfect.
RFC 2045 – MIME Part 1: Format of Internet Message Bodies
This shows how to send an image, or a plain text mail in a different character set, or an HTML mail. It doesn’t tell you how to send plain text and HTML, or to send HTML with embedded images, or a message with an attached document. For that you need…
Finally, Modern Email
RFC 2046 – MIME Part 2: Media Types
This builds on RFC 2045 to allow you to have many different chunks in a message – this is what you need if you want to send “proper” HTML mail with a plain text alternative, or if you want embedded images or attachments.
Getting From A To B
RFC 5321 – Simple Mail Transfer Protocol
A message isn’t much use unless you send it somewhere. RFC 5321 explains the mysteries of actually sending that message over the wire to the recipient. If you need to know about the different phases of a message delivery, what “4xx” and “5xx” actually mean, why there’s not really any such thing as a hard or soft bounce defined, just temporary or permanent failures, or anything else about actually sending mail or diagnosing mail delivery, this is your starting point.
The Rest Of The Iceberg
I’ve only touched on the very smallest tip of the email iceberg here. There’s much, much more – both in RFCs and ad-hoc non-RFC standards. If you’re interested in more, this is a decent place to start.

Put a fork in it

When FB messaging was announced email marketers had a total conniption. There were blog posts written about how FB Messaging was going to kill email as we know it.
Now, slightly more than a year later marketers have declared FB Messaging dead.
Sometimes I think people spend way to much time believing their own press. FB messaging was never designed as a marketing platform. I said as much back in November 2010 when it was announced.

Think before you mail

I get quite a bit of unsolicited mail. I mean, sure, we all get a lot of spam, but that’s not the unsolicited mail I’m talking about. I’m talking about from people and companies in the email space. They want to make sure I’ve seen their new whitepaper or article about delivery. Or they have a question about something I’ve written here. Or they are looking to hire me.
All of these things are great. I love hearing from readers, either in comments or in email. We have a valid (unfiltered) contact address here on the blog. My email address(es) aren’t difficult to find. I want to talk to people.
Sometimes some of the people who contact me do actually send spam. It’s bulk, it’s impersonal, it’s not about me or my perspective it’s about them trying to sell something (themselves, their newest product, their company) to anyone who is buying.
If it’s clear it’s a one off I’ll generally just move the mail out of my inbox and forget about it. Sometimes, though, there are hints that this is more than just a one time mail. The email will have an unsubscribe link, or it’s the third or fourth time I’ve gotten mail from that sender or it will be from a PR company. I deal with them in different ways. Sometimes I’ll offer a different email address that I route better, or I’ll just filter the mail based on some unique bit of the header.
The ones that really get me, though, are when the senders argue with me that I should feel special to get their bulk mail. “It was individually sent to you!” “I sent it because you’re such a great resource and wanted to say thank you!” But it was bulk mail, mail dozens of other people got (hint: the email / delivery industry is very small. we talk to each other all the time, if you send mail to more than one of us, we’re going to talk about it).
I have no problem with you inviting me to your event. Or telling me about the latest or greatest thing you wrote. I don’t even mind the occasional one-off bulk mail. But if you are sending mail to a specific person, put in the 20 seconds to personalize it and make it feel like it’s special for me.
A few moments to think and personalize before you send that email will make your recipient much more open to your pitch. This is as applicable to one off mail as it is to bulk.

We lie more in email than in person

People are more prone to lie over email than face to face.

Is there really one way to email successfully?

I’ve been watching a bunch of folks discuss someone’s mailing practices. The discussion has been fascinating to me. I’m hearing from the conversation is that there are very specific rules regarding how every company should mail. And that anyone who deviates from those practices is heading down the path to failure. Doing it wrong.
This theme has come up before, when I’ve heard expert marketers comment that Groupon proved how wrong the “daily email is too much” advice was. My response to that is confusion. Who decided daily email was too frequent and wouldn’t work?
I come from a non-marketing background, so maybe I’m missing some essential bit of wisdom or context. But it strikes me that a lot of the rules (no daily email, never establish aggressive engagement metrics) are really stifling innovation. There seems to me to be an unwillingness to think about why it might work if a particular sender does something against the grain.
Of course, once something has proven a success, everyone jumps on the bandwagon. Half my potential clients over the summer told me they “want[ed] to be the next Groupon.” Most of them didn’t make it, though.
I look at email as having a massively diverse user base. There are lots of people who use email in ways I would never consider. There are lots of people who think the way I use email is wrong. Unlimited opportunities for smart marketers exist.
The more cynical part of my brain says that finding and developing an enthusiastic recipient base takes too much time. Companies want to be the “next groupon” or the “next facebook”. But they want to do it by copying the business model, not by being innovative and meeting some need that currently isn’t being serviced.
There are, of course, some models that are never going to work, like randomly harvesting addresses and sending spam. But I don’t think that means email marketing is dying, just that innovation and imagination might be.

Spam lawsuit guide

Mailchimp has released a guide to spam lawsuits with advice on how to not be a target.
I had the pleasure of meeting some of the Mailchimp legal staff last year when I was down there to do on-site training for their abuse desk employees. I was quite impressed with them and their understanding of privacy and email issues.

Email filters

What makes the best email filter? There isn’t really a single answer to that question. Different people and different organizations have different tolerances for how false positives versus false negatives. For instance, we’re quite sensitive to false positives here, so we run extremely conservative filtering and don’t block very much at the MTA level. Other people I know are very sensitive to false negatives and run more aggressive filtering and block quite a bit of mail at the MTA level.
For the major ISPs, the people who plan, approve, design and monitor the filters usually want to maximize customer happiness. They want to deliver as much real mail as possible while blocking as much bad mail. Blocking real mail and letting through bad mail both result in unhappy customers and increase the ISP’s costs, either through customer churn or through support calls. And this is a process, filters are not static. ISPs roll out new filters all the time, sometimes they are an improvement and sometimes they’re not. When they’re not, they’re pulled out of production. This works both for positive filters like Return Path and negative filters like blocklists.
Then there is mail filtering that doesn’t have to do with spam. Business filters, for instance, often block non-business mail. Permission of the recipient often isn’t even a factor. Companies don’t often go out of their way to block personal mail, but if personal mail gets blocked (say the vacation plane ticket or the amazon receipt) they don’t often unblock it. But when you think about why a business provides email, it makes perfect sense. The business provides email to further its own business goals. Some personal usage is usually OK, but if someone notices and blocks personal email then it’s unlikely the business will unblock it, even if the employee opted in.
In the case of email filters, the free market does work. Different ISPs filter mail differently. Some people love Gmail’s filters. Other people think Hotmail has the best filtering. There are different standards for filtering, and that makes email stronger and more robust. Consumers have choices in their mail provider and spamfiltering.

The answer is 42

I continually run into companies that don’t really have a goal or understanding of their email marketing program. They’ve never really asked questions about how they’re using email or even why email is the right answer. Lots of companies are also diving head first into email marketing or the social media craze without having thought about what their goals are and what they want to happen.
What regularly ends up happening to companies that jump in without a clear goal is they get into a situation where their delivery is bad. Then they read a lot of best practice advice on the net and try to implement all of it. Sometimes that works, but other times it doesn’t. Finally they hire me or another consultant to help them sort out where it all went pear shaped.
My consulting isn’t about rote recitation of common best practices. Instead, I want to know about a client’s business and what they think about email. The most frequent question I ask clients is: How does email fit into your business? What are your goals for your business? What is your value proposition?
Some of my clients can’t answer these question. They just tell me they want to use email and they don’t know what they’re doing and that’s why they hired me. Well, I can help them successfully send email, but I can’t help them decide what role email plays in their business. Those are the decisions my client needs to make. I can’t set their business goals for them.
When was the last time you actually sat down and just thought about your business goals? I know that sometimes it’s hard to find the time to look at your business and where it’s going. “Think about it? I’m too busy doing it!” But every business person needs to look at their business goals.
Once you’ve thought about your goals, think about your email marketing program. Is email helping you to reach those goals? How?
If you’ve reached your current business goals, what are your next ones? And how does email fit into those goals?
Sure, having an answer is good, but are you actually asking the right question?

Attention is a limited resource

Marketing is all about grabbing attention. You can’t run a successful marketing program without first grabbing attention. But attention is a limited resource. There are only so many things a person can remember, focus on or interact with at any one time.
In many marketing channels there is an outside limit on the amount of attention a marketer can grab. There are only so many minutes available for marketing in a TV or radio hour and they cost real dollars. There’s only so much page space available for press. Billboards cost real money and you can’t just put a billboard up anywhere. With email marketing, there are no such costs and thus a recipient can be trivially and easily overwhelmed by marketers trying to grab their attention.
Whether its unsolicited email or just sending overly frequent solicited email, an overly full mailbox overwhelms the recipient. When this happens, they’ll start blocking mail, or hitting “this is spam” or just abandoning that email address. Faced with an overflowing inbox recipients may take drastic action in order to focus on the stuff that is really important to them.
This is a reality that many marketers don’t get. They think that they can assume that if a person purchases from their company that person wants communication from that company.

Broken Policies

As an email policy wonk, I think a lot about how specific policy implementations can go wrong. Sure, every policy can go wrong, or not fit a common case. A lot of people only write polices that address common cases and don’t worry about the rarer cases. The problem is there are some rare cases that may cause significant harm and those cases should be addressed.
Consumerist has a case up about email policy gone wrong with a clear path to harm but no policy for handling the issue. There are a couple places I see where this policy hole can be fixed.
Chase Bank does no verification when they collect email addresses, which results in them sending email to a person who does not have an account with Chase. This is not an ideal situation for anyone. Chase is revealing private financial information to an outside party, the actual bank customer is not getting their information and someone is getting email about money that’s not theirs.
In terms of policy for institutions handling sensitive personal information, I would always recommend implementing a verification step. This is mail that people want so they should confirm it. It’s also mail that really should be not going to 3rd parties.
Chase does not implement any verification step for email. This isn’t a fatal problem, as long as there is some process in place to get feedback and then correct the issue.
Unfortunately, Chase’s policies failed here, too. Chase requires an account number to speak to a representative about any issues. In this case, the email recipient does not have an account number. All of Chase’s contact channels rely on an account number: no account number, no talking to a human.
In terms of overall policy Chase is hoping here is that, at some point, their actual customer will notice they’re not getting email and call in and attempt to troubleshoot the problem with Chase reps. I’m willing to bet, though, that their tier 1 people don’t have the training or information needed to troubleshoot this problem. I expect they’re going to read the script that says, “We sent you the mail, it must be a problem on your end. Have a nice day.”
Chase, and other bank analogues that require an account number, that do not verify email addresses should not require account numbers to talk to someone about the mail they are receiving. Why? Because although it’s reasonably rare that the mail is going to the wrong party, the potential harm to the bank’s customer is very high. This danger to customers means the bank should invest in a support pathway that allows non-customers to call, or write, to report misdirected email.
If Chase were my customer, I’d recommend adding a button to the email that says “receiving this mail in error, report here.” Make this a simple form that the recipient can fill out, two boxes one for email address and one optional one for “reason”. Once the bank has the report, they can stop the misdirected email and attempt to contact the customer through another channel. I’d also recommend that customers confirm any new address they add to the account in the future.
I know the bank thinks that by requiring an account number they are protecting their customers. Unfortunately, they’re failing to address a rare but potentially harmful case. Sadly, I expect even after this, they will still fail to implement any changes that will stop this from happening in the future.

Zombie Apocalypse

I hope my series on zombie addresses has convinced you that there are zombie addresses on your list and that you should be concerned about the effect they have on delivery and metrics. Today I’d like to talk about what you can do to get rid of zombie addresses without affecting too many actual subscribers.

One thing that many companies struggle with while dealing with zombie addresses is letting go of addresses. They are so tied up in the idea that a bigger list is better that they can’t let them go. Even if a particular address has not had any activity in 18 or 24 months, they insist that they can’t give it up, it might come back and the customer might make a giant purchase. No. It’s a zombie. It’s not coming back, except to eat your brains.
The first step to dealing with zombies is to acknowledge their existence. They are there, they are on your lists and they are dirtying up your lists. Pretending they’re not there does not make them go away. They are zombies. In no case is there a human inside. There is no potential sale lurking, waiting to jump out and act on that perfectly crafted offer.
The second thing to remember is that the humans that used to have the zombie addresses found you once and they are still interested in what you’re offering then they will find you again. They may even already be back on your list with their new email address.
While you can’t identify zombie addresses specifically, you can identify addresses that act like zombie addresses. These are addresses that have no activity over a long period of time, more than 12 months. For these addresses that haven’t had activity in 12 – 18 – 24 months, you want to confirm with the recipient that they are there and want to continue to receive mail from you.
The best way to notify them is to send an email asking if they want to remain on your list. If they fail to act, you will remove them from future mailings. Short, sweet and will let you drop off zombie addresses without much effort on your part.
I know, I know, you aren’t ready to let go so fast. After all, some people have come back after 24 months and made a purchase from the perfect offer. They’re not dead yet! OK. But you can’t get a response from them through email. They just don’t care enough about what you’re sending. That’s when you contact them through another channel.
For instance, if the email address is tied to a web account, say a social networking site or bank account or a web forum, you can also contact the user through your website. Next time they log in, send them a message that says their email address has been removed due to inactivity, but if they want to reactivate they can do so at the subscriber preference center or profile page. When they do, send them an email to confirm that this is the address where they want to receive mail. At this point you can give them a link or a magic cookie to past into the website to verify the address.
Or if you’re a bigger retailer you can send alerts to your customer service staff, so when the account holder contacts you by phone with a question or an order you can get an updated email address. If you have a loyalty program, have an alert come up at the point of sale and the clerk can ask for an updated email address.
I even know one company that would send postcards to their zombie accounts in an effort to re-engage them and get an active email address from them.
If the person never comes back, if they don’t ever interact with your business again, if none of the channels work to contact them and update the address then it really is best to just let the relationship go. It may not be you, or anything you’ve done. People move on, their interests change and that’s part of life. They may have moved outside of your service area, or they may have joined your list for a specific product that they don’t need or you don’t sell. They may have died and turned into a real zombie. In any case, they are not a viable prospect for your mail.
Email addresses and business relationships are not forever. Letting zombie addresses go is important for the health of any email marketing program.

Zombie email: Part 3

Last week, in Zombie email: part 1 and part 2 I talked a little about the history of email addresses and how changes in the ISP industry in the early to mid 2000’s brought about the rise of zombie email addresses. Today we’ll look at the effect zombie addresses have on email stats and why ISPs are starting to monitor zombie addresses.
A zombie address, despite the fervent belief of some email marketers, doesn’t come back to life. The person who initially registered that address has decided to stop using that email address. The defining factor of a zombie address is that there isn’t now and won’t be anyone in the future reading email sent to that address. There is no human there to read or react to any email sent to that address.
A zombie address does not represent an actual recipient, they’re just remnants of a recipient that once was present.
Having a list containing any significant number of zombie addresses can throw off metrics enough to mislead a sender about the effectiveness of their email marketing program. Sometimes, the zombie addresses make the metrics look worse, sometimes they make metrics look better. In either case, the metrics don’t accurately represent the performance of a marketing program.
Zombie email addresses do bulk out a mailing list, making lists look bigger. They’re not real addresses, so they don’t reflect quality, but they do impress marketers that think bigger is always better. But, in reality, you may as well add thousands of addresses at non-existent domains for the real value these addresses bring to your list.
Zombie email addresses on a list depresses any metric that use “number of emails sent” or “number of emails accepted” as a denominator. If 10% of a list is zombie addresses, then an open rate reported as 15% will actually be an open rate of 16.7%. The more zombie addresses on a list, the more the statistics will be depressed.
In addition to having lower open rates, lists with more zombie addresses also have a lower complaint rate. In fact, in the recent past spammers have padded their lists with zombie addresses as a way to artificially lower their complaint rates.
Spammers using addresses created just to bulk up the denominator and lower complaint rates have led ISPs to start monitoring the types of addresses on a particular list. I first heard about ISPs looking at recipient profiles at a meeting in 2006, so it is not, in any way, a new technique for ISPs. What is new is the number of zombie addresses on legitimate, well maintained lists, and the fact that they are present in high enough volume to affect reputation and delivery.
ISPs use zombie addresses to monitor the reputation of a sender because it is a more accurate way to measure what the recipients think about an email and that sender. Senders ignore zombie addresses because they make some stats look bigger (total list size) and better (lower complaint rates). Many senders also believe that addresses come back to life, despite all evidence to the contrary, and will not purge an address for any reason other than it bounces. They’d rather live with inaccurate and misleading metrics than removing non-performing addresses.
Tomorrow, in the final post of this series, we’ll examine how senders can identify potential zombie addresses and what steps they can take protect themselves from the negative reputation hit from zombie addresses. (Zombie Apocalypse)

Zombie email: Part 1

Zombie email addresses: those email addresses that never really die, eat your brains and destroy your email delivery. To understand zombie addresses and why they’re just now becoming a problem, we really need to understand some of the history of email addresses.
In the early days of the net, people got an email address usually associated directly with their access to the Internet. Many of them ended with .edu or .gov. I even had one that ended in .BITNET for a while. The first ISPs followed this convention. Users signed up for an account at a local dialup and were assigned an email address, and that was their email address. It wasn’t until the late 1990’s where there was widespread access to multiple email addresses.
What this means is that when people left a job, or canceled their Internet access their email address went away. Addresses that were abandoned would, after a short period of time, start bouncing back with user unknown, giving everyone the opportunity to stop mailing that account.
Even with the advent of multiple addresses for a single account and the easy availability of free addresses from places like Hotmail addresses that had been abandoned would still bounce off a list. Why? Because accounts had limited storage. My first dialup account had, I think, 10MB of space. It may have been as much as 20MB, but it wasn’t very much. Accounts receiving a lot of mail that weren’t checked frequently would fill up and start bouncing mail. Senders would be able to remove abandoned accounts because they were full.
Tomorrow we’ll talk about two things happened in the early 2000’s that changed email and led to the rise of zombie email.
Zombie Email: Part 2
Zombie Email: Part 3
Zombie Apocalypse

Email marketing is hard

I’ve watched a couple discussions around the email and anti-spam community recently with a bit of awe. It seems many email marketers are admitting they are powerless to actually implement all the good advice they give to others.
They are admitting they can’t persuade, cajole, influence or pressure their companies to actually follow best practices. Some of the comments public and private comments I’ve heard from various industry leaders:

The return of the Magill Report

After a 6 month hiatus, Ken Magill has returned to offer his insightful, and somewhat snarky, take on email marketing. You can subscribe at The Magill Report.
Ken is really trying to make this report an example of how to do ad supported email newsletters right. When I subscribed yesterday I received the following welcome message:

How not to build a mailing list

I mentioned yesterday one of the major political blogs launched their mailing list yesterday. I pointed out a number of things they did that may cause problems. Today, I discovered another problem.
This particular blog has been around for a long time, probably close to 10 years. It allows anyone to join and create their own blogs and comment with registered users. As part of their new mailing list, they added everyone who has ever registered to their mailing list. They did not send a “we have a new list, want to join it?” email, they added every registered user to the list and said “you can opt out if you want.”
This is such a bad idea. My own account was used once, to make one comment, back in 2005. Yes, 2005. It’s been almost 5 years since I last logged into the site. Sure, I have email addresses that go back that far, but not everyone does. That list is going to be full of problems: dead addresses, spamtraps, duplicates, unengaged and uninterested.
Seriously, they’re adding people who’ve not logged into their site in 5 years to a mailing list. How can this NOT go horribly wrong?
My initial thought was this was going to blow up in a week. I’m now guessing they’ll start seeing delivery problems a lot sooner than that.

Email and politics

I occasionally consult for activists using email. Their needs and requirements are a little different from email marketers. Sure, the requirements for email delivery are the same: relevant and engaging mail to people who requested it. But there are complicating issues that most marketers don’t necessarily have to deal with.
Activist groups are attractive targets for forged signups. Think about it, when people get deeply involved in arguments on the internet, they often look for ways to harass the person on the other end of the disagreement. They will often signup the people they’re disagreeing with for mailing lists. When the disagreements are political, the logical target is a group on the other side of the political divide.
People also sign up spamtraps and bad addresses as a way to cause problems or harass the political group itself. Often this results in the activist group getting blocked. This never ends well, as instead of fixing the problem, the group goes yelling about how their voice is being silenced and their politics are being censored!!
No, they’re not being silenced, they’re running an open mailing list and a lot of people are on it who never asked to be on it. They’re complaining and the mail is getting blocked.
With that as background, I noticed one of the major political blogs announced their brand new mailing list today. Based on their announcement it seemed they that they may have talked to someone who knew about managing a mailing list.

Link roundup June 18, 2010

Hotmail has released a new version of their software with some changes. Return Path discusses the changes in depth, but there are a couple that senders may find helpful.

Improving the email interface

Want an improved email interface? Then build it.
There’s been an ongoing discussion about adding thumbs up / thumbs down style buttons to email clients. While I am dubious this is a useful feature or something that recipients will use, if there are others in the industry that think it would be useful then I strongly suggest they go ahead and create it.
In fact, there are a couple things that have been asked for in email interfaces that aren’t currently provided. Last October I blogged about adding an unsubscribe button to email clients.

Email is dead…

Or so the WSJ technology blog would have us believe.

Email has had a good run as king of communications. But its reign is over.
In its place, a new generation of services is starting to take hold—services like Twitter and Facebook and countless others vying for a piece of the new world. And just as email did more than a decade ago, this shift promises to profoundly rewrite the way we communicate—in ways we can only begin to imagine.
We all still use email, of course. But email was better suited to the way we used to use the Internet—logging off and on, checking our messages in bursts.
Read More