Deliverability.com

At one time or other we've all asked that age old question what's in a name? Well it's not an old age any more, it's the 21st century and the question to ask today is "what's in a path?" In a word, everything. In a few more words, the final destination of your email.

To borrow a little Jack Lalanne here, content is king and architecture is queen but together you have the entire kingdom, or more importantly the inbox. We know for a fact that content and spam filters take a close look at your p's and q's to determine if the message in your email is fit for general consumption. We know that every element in your message contributes to the overall likelihood of your email being filtered to the inbox vs. the spam folder. However I want to look at one specific component of your email's content that may not get the attention it should: the image path and URL.

An image path is simply a pointer to where the image lives out on the internet. Email marketing is sent without any attachments so the images that are rendered in the customer's inbox are by way of image paths or URLs to the images. Easy enough, this has been the way it's done since like forever, or at least 1999. But from to time I've been seeing people forget that the actual link itself is as important as the image it leads to. Let me give you an example:

<img src="http://www.foo.com/images/banners/image.jpg">  >>> What's the problem with this image link?

If you said nothing you're wrong. There is a problem, it's the word banner. ISP filters and other technology deployed across the internet such as Spamassassin or Privoxy, have complicated rule sets designed to block banners, advertising and all other manner of communication deemed to be UCE (unsolicited commercial email). By naming the folder that contains your image "banner" you are increasing the likelihood that your image, if not your entire email will be outright blocked because you've declared it as a banner in so far as a spam filter is concerned.

The idea here is to have intelligent and easy to read paths that don't attempt to obfuscate what's in them, but also take into account the imperfect nature of filtering technology. Avoid using the word banner or variations thereof, in an image path, or for that matter "ad(s)'.

The problems don't stop here, no the rabbit hole goes much deeper. We live in a fast paced world defined, at times, by 140 characters. Our lives move too quickly for war & peace, unless it can be squeezed in between 60 minutes and grey's anatomy, so we short-hand a lot of stuff including paths in our URLs, such as this:

<a href="http://www.foo.com/mar/mktgspcl/index.html">

Yes, it's March and you have a marketing special ad that you want to link to from your email. Ok, so why didn't you say so? Sometimes it pays to include the vowels if for no other reason than to avoid triggering Spamassassin's consonant filter that eagerly checks for any string of consonants with no vowels greater than 7 characters. By the way, the 7 character length is configurable to be 6 or 5 or anything the operator wants it to be. The net-net here is that although the internet is full of gibberish behind the scenes using plain English doesn't hurt once in a while.

One last thing to keep in mind, image paths, or URL paths for that matter, you should always make folder more than 2 characters. There are specific rules that look for 2 character paths, and 3 character paths at times, so an image folder called /img/ or /im/ should be named /image/ to avoid potential unpleasantries.

I know what's on your mind right now, "will any of this truly condemn me to the spam folder?" Any of this? Hm, possibly not any of this, but in conjunction with the 800 number in your email footer, the dollar signs in your subject line, well you get the picture. To quote Depeche Mode "everything counts in large amounts." Take control of your content and steer the ship to where it needs to go. These are pretty simple things to avoid and once you get the hang of it, you'll find you worry less and sleep more. Cheers!

Good news today was posted by Return Path. For those using Return Path Certified, you now will receive automatic image and link enabling at both Hotmail and Yahoo!

What do you have to do to get this privilege at Yahoo?

1. Be a Certified level member in the program. Apply right now.
2. Have IPs that are rarely, if ever, suspended from the Certified list 
3. Authenticate your email with Domain Keys and/or DKIM and have unique domain/selector pairs dedicated to your Certified IPs
4. Submit domain [d=] and selector [s=] values associated with your Certified IPs

Pretty simple I say. This should help anyone in the program to clearly communicate their value proposition and provide your customers the best possible experience.

Congratulations Return Path and Yahoo! for making this a reality. Membership DOES have its privileges.

-Dennis
Eloqua

Don't Just Send, Deliver!

Spamhaus is announcing this week that they are launching their Domain Block List (DBL). The Spamhaus DBL is a realtime database of Uniform Resource Identifiers (URIs), typically web site domains found in spam messages. Mail server software capable of scanning email message contents can use the DBL to identify, classify or reject spam containing DBL-listed domains and other URIs.

What's this mean for you? Not only are your IP's a thing to watch over when it comes to reputation, but now your domains in your email are also.

Does this count as reputation for domains? In my eyes, YES!

They plan on launching this March 1, 2010.

For those who don't know, The Spamhaus Project is an international nonprofit organization whose mission is to track the Internet's spam operations, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation.

Spamhaus maintains a number of realtime spam-blocking databases ('DNSBLs') responsible for keeping back the vast majority of spam sent out on the Internet. These include the Spamhaus Block List (SBL), the Exploits Block List (XBL), the Policy Block List (PBL) and the Domain Block List (DBL). Spamhaus DNSBLs are today used by the majority of the Internet's Email Service Providers, Corporations, Universities, Governments and Military networks.

-Dennis
Eloqua

Don't Just Send, Deliver!

Quick note this morning. SpamAssassin has notified the industry that a bug exists in their software.

What's the deal here you ask? Well it seems that SpamAssassin had a rule in their default installations YEARS ago that would catch any spam with the date 2010+. Yes, believe it or not, but spammers forged their dates to confuse filters at one time or another. 

Well, email HAS survived up to 2010 now and the rule was never updated. Any emails sent as of January 1, 2010 to servers running SpamAssassin before the fix was made available, and to any servers running SpamAssassin that have not implemented the fix, will experience a higher than normal SpamAssassin score. This will effect delivery for messages where the score increase is significant enough to put the email's score above a filtering threshold

A fix to this issue has been made available, but it may take some time for servers running SpamAssassin to make the necessary updates since administrators are the ones who have to make the fix happen.

Make sure you poke as many people about this.

-Dennis
Eloqua

Don't Just Send, Deliver!

Not to big of a surprise in terms of a stat headline, but Return Path today released a new Email Deliverability Benchmark Report that shows marketers may not be still not getting it or that some just can't get a break no matter what they do right.

For those who monitor and suppress against the U.S. Federal Communications Commission (FCC) Wireless domain list, it seems that verizonwireless.com was removed from the list. Not sure why, but you should be aware of this in case you have customers in that domain who have never seen email sent to them because of the past suppression. This could cause complaints, unsubscriptions, hard bounces, and other issues.

In the past, we have discussed in much detail the ways in which email is examined for spam and phishing properties. Some of these emails and properties are contained in the things you might send out to your targets...

I joined Genius.com a few months ago as a member of their Deliverability and Anti-Abuse team. My focus is on deliverability and managing the email servers. Genius has a great application that gets marketers and sales people working together. The Genius application relies heavily on emails being sent to the right people at the right time.

In addition to email deliverability, I have a background in system admin, programming (among other nerdy pursuits) and I am active in the technical (and sometimes political) Internet community which helps me in the world of deliverability . I look forward to sharing my experience with you over the coming weeks.

The world of DKIM: Domain Keys Identified Mail.

One of the challenges in identifying suspicious email is knowing reliably where it came from. With email coming from a wide variety of machines, it’s possible that a machine has been compromised and a malicious sender is spoofing mail headers, injecting false headers and essentially misrepresenting a third party. A lot of spam is generated by compromised machines which are part of botnets, networks of thousands (even millions) of remotely controlled machines. Some of these machines can be even legitimate mail servers, some can send email via ISP or ESP mail servers (ISP: Internet Service Provider, ESP: Email service provider). How do we know who is who? Who should we complain to? Some services like spamcop.net, try to analyse emails headers and figure out who was responsible for sending the email but they often also target whoever is managing the networks used to relay the emails. They aim wide, to ensure they will alert someone that will care and fix the spam source.

Would it not be easier to know who is sending emails?

There are some old techniques like Pretty Good Privacy (PGP) and S/MIME but they are heavy to implement because they require the cooperation of all of the users. Besides, we often do not need to authenticate the emails, but have a way to validate where the email is coming from. That is, to identify which system administrator configured the mail server that sent the email. This is the person we want to talk to for any problem. Hopefully he/she is a little bit more clued than the user who sent the email and can take remedial methods. Fixing problems on the Internet involves often finding the person that understands what you want and knows what action to take. End users are rarely in this category, but systems and network administrators are.

Several industry groups tried to solve this problem, the two main technologies that emerged were DomainKeys and Sender Policy Framework (SPF).

Ideally, emerging technologies will evolve to become standards. The Internet Engineering Task Force (IETF) does not generally create new Internet technologies, but they are very good at taking something that a group submits for standardization and making it rock solid because the peer review is strong. This has been the case for example for http (the web protocol), ssl/tls (securing connections between applications) and many others.

They did the same thing with DomainKeys and SPF and issued the DKIM specification. DKIM is now in the Internet Standard track of the IETF. It means if you like it you have a fixed specification you can follow that will work with various and disparate systems. It really become a de-facto standard when a large group implements it.

The main problem with SPF (and a bit with the Sender-ID upgrade) is that emails move from machines to machines before reaching the final destination. In many cases there are only two mail servers involved. The sender and the receiver. SPF inserts a header that tells if you check this domain, it will tell you that this IP address (of the sender) is authorised to send emails for this domain. But if you add a mail relay server, the whole scheme falls flat, as the receiver will have the ip of the mail relay not of the original server. On the other hand DomainKeys has another problem, it can only validate headers that contains the same domain name as the signature. So for instance you can relay a signed message but you cannot sign a message that you relay (like for a mailing list).

DKIM solves all these issues.

At the moment the DKIM Working Group at the IETF is working on specifying a standard for defining policies for the use of DKIM. But first you noticed, I did not say that DKIM authenticates an email, as it is not true. It just validates some headers. It is up to the receiver to process the email based on the successful validation of certain headers and deliver it to your inbox, junk folder, etc. DKIM allows a mail admin (or rather a mail server) to take responsibility for sending/forwarding an email and let other servers know.

This is convenient for instance, to build reputation based on who takes responsibility for sending/forwarding the email. For instance AOL has announced that they will move from IP based reputation to Domain based reputation using DKIM. Similarly, Yahoo provides a feedback loop based on the domain validating the email using DKIM. It does not matter which IP the email comes from.

But what are DKIM policies?

For instance, e-Bay and Google have announced that all the e-Bay emails will be DKIM validated and that Google will use this information to trash any email supposedly from e-Bay which is not DKIM validated. Imagine if all the banks were following this policy. It would seriously reduce the amount of phishing.

Third party validation.

I spoke earlier, that a relay mail server can validate an email. For instance in the case of mailing lists. The mailing list software receives an email, and decides to use its reputation to forward the email to all the subscribers. It can do a third party validation on an email it is forwarding. There is no requirement that any headers in the email (From, Sender, …) contain the same domain name as the domain name of the mailing list. This opens other possibilities. Let's take the bank example, instead of each bank having their own DKIM validation, they could also have a validation done by a bank confederation, authority or regulator (third party). This would add another level of reputation on the email (while they can still add their own DKIM validation to the email).

Genius is providing third party validation on all our customers’ emails. We are taking responsibility for the emails we send on behalf of our customers by ensuring they are DKIM authenticated. There is no silver bullet in ensuring a high rate of email deliverability and DKIM is just one of the layers that help deliverability from a technical perspective. The Genius Email Deliverability and Abuse team in addition to DKIM ensures high rates of deliverability through close and proactive management of its customers email campaigns, education and best practices.

PS: feel free to contact me with comments and suggestions and email delivery related topics you'd be interested in learning more about.

A few days ago, I posted a comment on a Yahoo delivery issue I encountered. A few persons emailed me to have more info on how we solved this issue at m--x--m. This is the purpose of this post. I will describe how a new company overcame recent delivery issues with Yahoo Mail. I hope this will be useful to others.

Context
I am an engineer for m--x--m, a new email delivery company. We use a number of new ways to deliver emails and we mostly focus on transactional and newsletter emails.

Problem
With no increase in deliveries, nor in user complaints (as inferred from other FBL since we could not get one from Yahoo), we got completely blacklisted on Yahoo with the following message.

Aug 31 14:06:36 dserv128-mtl3 m--x--mail/smtp[8516]: 4D7F314C86A3: host e.mx.mail.yahoo.com[216.39.53.1] refused to talk to me: 421 Message from (xx.xx.xx.xx)temporarily deferred - 4.16.50. Please refer to http://help.yahoo.com/help/us/mail/defer/defer-06.html

We kept having this message and sometimes some messages were delivered... directly in the junk folder.

Therefore I started investigating and understood a few tricks.

What I have understood so far
Some of this points may be out of date. Please share with us any of your insight in the comment.

1. Yahoo does not offer anymore a FBL. This is the root of most issues.


2. Yahoo's filtering system is not compatible with the way most MTA handle their retries. In practice when a minor delivering issue arises, it can sometimes blacklist completely the IP.
   
3. Yahoo uses the following graduation when dealing with a temporary blocked IP:
   
   

   [TS01] -> [TS02] -> regular deferred message. (you will find these messages in your logs)
   
   

   Your goal is to stay at TS01. I did not find a way to go back from TS02 to TS01, so be careful.



4. When encountering a serious delivery issues, Yahoo wants you stop delivering for four hours. Doing so seems to reset Yahoo's « reputation counter ».


5. It seems Yahoo signals sometimes user complaint even without FBL. This happens when you see a « deferred » error message only for a specific user (while other emails to the same MX are still delivered).


6. Yahoo ends the block progressively, you can send before the end of the four hours but you take the risk to reduce your reputation.


7. Yahoo filtering algorithms seems to be of the form number of user complaint per unit of time -- as opposed to a percentage formula (like Hotmail for instance). For instance, 100 user complaints might trigger a block even if they happened on 100 million emails.

Solution
I wrote a MTA dedicated for Yahoo delivery (our delivery architecture is very flexible in this aspect). Its main points are:

1. When presented with a 4XX.*deferred error, it equates it to a user complaints.


2. When presented with a TS01 message, it stops delivery for four hours on this MX DNS (but it keeps going on the others).


3. It smoothen deliveries so there is no burst (which might overcome the user complaint quota).


4. It uses a cluster of « smart shared IP » to ensure delivery even when temporary blocked.


5. It uses a smart backoff algorithm to increase a lower user complaint per unit of time.

This post was written in collaboration with Krzysztof Jarecki and Nicolas Toper (http://www.m--x--m.net) based on an idea from Krzysztof.

It's been somewhat of a running joke in the email marketing community that the spam filtering companies don't really have any incentive to "solve" the spam problem. After all, if they were to fix it, then they would be out of business!

In many ways, the spam filter companies could be compared to weapons manufacturers. Now, McAfee certainly isn't as bad as Haliburton, in fact I think they are a good company that helps protect millions of people from spam and viruses. But like the weapons manufacturers don't really want the wars to end, I don't think the executives at McAfee are really interested in solving the spam problem.

This week BBC reported on the results of a study commissioned by McAfee to try and justify their perpetual existence. They came to the conclusion that you need a spam filter. "Surfing the web unprotected will leave the average web user with 70 spam messages each day."

Wow, that was a striking conclusion. Who doesn't have a spam filter? Every free email account, broadband email account, and most corporate email accounts have spam filters.

The BBC article ended with a quote that shows how self serving the whole thing was, "It is such an immense problem and it's never going to go away. It's no longer a question of solving it but one of managing it," said Mr Dave De Walt, chief executive of McAfee.

Well Mr De Walt, OtherInbox hasn't given up yet.