Deliverability.com

So a few weeks ago, GMAIL launched a beta test called "Sponsored mail with enhanced content" which in basic terms means that if your an approved vendor by GMAIL that your marketing or transactional emails will also have a little icon to the side of the email showing off your recognized branding.

Also, supposedly if the sender authenticates their email (SPF/DKIM), the branded content will help identify emails as being legitimate and not spoofed (GMAIL will only show branded content when the sender authenticates their mail).

Do I think it's worth wild option? perhaps, but only time will tell. If I knew more about how GMAIL is preparing to "approve" vendors so they may have their icon showing that might make it easier to understand or know whether or not this will help them address some of the phishing emails or mistaken marking of email as spam. What I can say about this is it might be a cheaper option to having some of your email arriving in the inbox and recognized. Could this be a pay for enhanced whitelist?

I also hope it doesn't complicate the email anymore in terms of how it loads or what browser support you might need.

I for one might take more time to read an email that had a branded icon to the side of it vs. a overused blue ribbon (not attacking GoodMail Systems). I'm overloaded on email (1,000 per day). Lists, corporate, personal, etc.

• What happens if your using IMAP or POP to see your GMAIL email in a thick client like Thunderbird, Outlook, or Apple Mail? Do you see the icons there? Probably not. I use IMAP with Apple Mail so I can see all my email accounts while I travel.
• What happens if you forward this trusted email within GMAIL to another GMAIL user? to an outside user? Does the icon or trust survive? probably not since the author has changed.
• What happens if now senders have to buy into all these enhanced programs like Sender Score Certified, GoodMail Systems, GMAIL's icon whitelist? Who's next in this AOL? HotMail?

thoughts anyone?

-Dennis
Eloqua

Don't Just Send, Deliver!

I'm very excited about Google Wave and have been playing with the developer preview for a few months. On the one hand, I see how this could someday replace much of current email conversations, IM, Twitter,  and Campfire. I'm trying to figure out how this interacts with deliverability. Do you think Wave will be used for convesations and you'll still have an old school email address for getting receipts, shipping notices, newsletters, new friend notifications? Is it just the same game with a different name?

Please share your comments and suggestions! If you're on Wave, my account name is "joshuabaer". I will send one Google Wave invite to one of the people who comments on this blog post with a suggestion.

LashBack has long recommended the best practice of using the List Unsubscribe Header (RFC 2369) as the mechanism to unsubscribe consumers from commercial email. Every receiver needs to adopt this standard. It’s great to see Google recently offering this powerful feature to Gmail users and more receivers need to follow their lead. We have to give props to Hotmail for being first out of the gate and seemingly taking the service one important step further. In nearly 6 years of monitoring unsubscribe performance, LashBack can publish a fascinating statistic showing how using the List Unsubscribe Header does work, but also offer critical insight on that same data when not to trust a seemingly worthy sender’s unsubscribe process.

Current LashBack data shows there is a 1 in 10 chance that a sender using the List Unsubscribe Header will not be successful in unsubscribing consumers.

In this 10% of unsubscribe failures, believe it or not, a best case scenario for the consumer is that they continue to receive email from only the original sender. Don’t get me wrong, if this continues it annoys the consumer and has serious negative consequences for the marketer. It will lower the marketer’s UnsubScore- a measure of unsubscribe performance, and probably cause consumer spam complaints, further harming the marketer’s email reputation which defines deliverability. The worst case scenario for consumers, in .5% of failed unsubscribes for organizations utilizing the List Unsubscribe Header- is when the process breakdown causes the consumer’s email address to end up on a compromised suppression file (opt-out list) which ends up getting hammered with spam. The consumer unsubscribes once, and in return gets even more email. Trust then becomes the real issue.

Hotmail is not only using the List Unsubscribe Header, but also checking the reputation of the sender for that 1 in 10 chance it might not be a good idea to unsubscribe from a source that would most likely appear to be trustworthy as part of the  List Unsubscribe user segment of the email sender population. However, appearances do not define reputation. Historical unsubscribe performance data does show who can be trusted with a consumer’s unsubscribe based on several datapoints derived from constant monitoring and testing over time. That’s why LashBack implores all commercial email senders to follow all unsubscribe best practices and constantly monitor and test their unsubscribe process and that of their sending partners, to protect reputation and most importantly the email experience of consumers.

More LashBack Resources:

List Unsubscribe Domain Reputation Data

Reputation ToolBox

Coverage:

Unsubscribing Made Easy from Google's Blog

Gmail Tries To Make It Easier To Unsubscribe From Spam Newsletters, But Fails from TechCrunch

UPDATE
Gmail adds in sole unsubscribe feature in message details. So, there are two ways to have Gmail notify a sender about a recipient's request - one via the message details (pic below) and the other via marking it as spam and getting the unsubscribe option.
It's been spreading around the net like wildfire, but the rumors were finally put to rest this afternoon when Gmail itself officially announced it's usage of the unsubscribe feature within their web client. For senders, this requires DKIM and/or SPF authentication, a good reputation (as decided by Gmail) and a List-Unsubscribe: header in the form of an email address.

What I'm dying to see is this in action.

I haven't been able to reproduce this myself (after trying with a bunch of senders in my Gmail account) and would love to hear back from anyone who has.

Full post from the horse's mouth here.

Chris Wheeler
Director of Deliverability, Bronto Software

Google announces they're rolling out their own version of anti-phishing protection - the super trustworthy, anti-phishing key . Unless you're a financial institution, you probably won't be able to get this for your own email for some time. But, at least you'll know it might be coming out of beta at some point.

From Brad Taylor, Gmail's Anti-spam Czar:

"Super trustworthy...means 1) the sender, usually a financial institution, is a target of phishers, (2) all of the sender's email is authenticated with DKIM, and (3) Gmail rejects any fake messages that claim to come from this sender, but actually don't."

Full story here.

I joined Genius.com a few months ago as a member of their Deliverability and Anti-Abuse team. My focus is on deliverability and managing the email servers. Genius has a great application that gets marketers and sales people working together. The Genius application relies heavily on emails being sent to the right people at the right time.

In addition to email deliverability, I have a background in system admin, programming (among other nerdy pursuits) and I am active in the technical (and sometimes political) Internet community which helps me in the world of deliverability . I look forward to sharing my experience with you over the coming weeks.

The world of DKIM: Domain Keys Identified Mail.

One of the challenges in identifying suspicious email is knowing reliably where it came from. With email coming from a wide variety of machines, it’s possible that a machine has been compromised and a malicious sender is spoofing mail headers, injecting false headers and essentially misrepresenting a third party. A lot of spam is generated by compromised machines which are part of botnets, networks of thousands (even millions) of remotely controlled machines. Some of these machines can be even legitimate mail servers, some can send email via ISP or ESP mail servers (ISP: Internet Service Provider, ESP: Email service provider). How do we know who is who? Who should we complain to? Some services like spamcop.net, try to analyse emails headers and figure out who was responsible for sending the email but they often also target whoever is managing the networks used to relay the emails. They aim wide, to ensure they will alert someone that will care and fix the spam source.

Would it not be easier to know who is sending emails?

There are some old techniques like Pretty Good Privacy (PGP) and S/MIME but they are heavy to implement because they require the cooperation of all of the users. Besides, we often do not need to authenticate the emails, but have a way to validate where the email is coming from. That is, to identify which system administrator configured the mail server that sent the email. This is the person we want to talk to for any problem. Hopefully he/she is a little bit more clued than the user who sent the email and can take remedial methods. Fixing problems on the Internet involves often finding the person that understands what you want and knows what action to take. End users are rarely in this category, but systems and network administrators are.

Several industry groups tried to solve this problem, the two main technologies that emerged were DomainKeys and Sender Policy Framework (SPF).

Ideally, emerging technologies will evolve to become standards. The Internet Engineering Task Force (IETF) does not generally create new Internet technologies, but they are very good at taking something that a group submits for standardization and making it rock solid because the peer review is strong. This has been the case for example for http (the web protocol), ssl/tls (securing connections between applications) and many others.

They did the same thing with DomainKeys and SPF and issued the DKIM specification. DKIM is now in the Internet Standard track of the IETF. It means if you like it you have a fixed specification you can follow that will work with various and disparate systems. It really become a de-facto standard when a large group implements it.

The main problem with SPF (and a bit with the Sender-ID upgrade) is that emails move from machines to machines before reaching the final destination. In many cases there are only two mail servers involved. The sender and the receiver. SPF inserts a header that tells if you check this domain, it will tell you that this IP address (of the sender) is authorised to send emails for this domain. But if you add a mail relay server, the whole scheme falls flat, as the receiver will have the ip of the mail relay not of the original server. On the other hand DomainKeys has another problem, it can only validate headers that contains the same domain name as the signature. So for instance you can relay a signed message but you cannot sign a message that you relay (like for a mailing list).

DKIM solves all these issues.

At the moment the DKIM Working Group at the IETF is working on specifying a standard for defining policies for the use of DKIM. But first you noticed, I did not say that DKIM authenticates an email, as it is not true. It just validates some headers. It is up to the receiver to process the email based on the successful validation of certain headers and deliver it to your inbox, junk folder, etc. DKIM allows a mail admin (or rather a mail server) to take responsibility for sending/forwarding an email and let other servers know.

This is convenient for instance, to build reputation based on who takes responsibility for sending/forwarding the email. For instance AOL has announced that they will move from IP based reputation to Domain based reputation using DKIM. Similarly, Yahoo provides a feedback loop based on the domain validating the email using DKIM. It does not matter which IP the email comes from.

But what are DKIM policies?

For instance, e-Bay and Google have announced that all the e-Bay emails will be DKIM validated and that Google will use this information to trash any email supposedly from e-Bay which is not DKIM validated. Imagine if all the banks were following this policy. It would seriously reduce the amount of phishing.

Third party validation.

I spoke earlier, that a relay mail server can validate an email. For instance in the case of mailing lists. The mailing list software receives an email, and decides to use its reputation to forward the email to all the subscribers. It can do a third party validation on an email it is forwarding. There is no requirement that any headers in the email (From, Sender, …) contain the same domain name as the domain name of the mailing list. This opens other possibilities. Let's take the bank example, instead of each bank having their own DKIM validation, they could also have a validation done by a bank confederation, authority or regulator (third party). This would add another level of reputation on the email (while they can still add their own DKIM validation to the email).

Genius is providing third party validation on all our customers’ emails. We are taking responsibility for the emails we send on behalf of our customers by ensuring they are DKIM authenticated. There is no silver bullet in ensuring a high rate of email deliverability and DKIM is just one of the layers that help deliverability from a technical perspective. The Genius Email Deliverability and Abuse team in addition to DKIM ensures high rates of deliverability through close and proactive management of its customers email campaigns, education and best practices.

PS: feel free to contact me with comments and suggestions and email delivery related topics you'd be interested in learning more about.

Per CircleID and for those marketers looking for a good ISP point of view.

What Google Sees While Processing 2 Billion Enterprise Emails Per Day

While the news will not be terribly surprising to CircleID readers, Google's latest report on the status of spam and 2009 predictions posted today, might be of particular interest due to the company's shear email processing volume at 2 billion enterprise email connections per day (drawn from company owned Postini Message Security network).

What Google Saw: "Spam threats rose visibly in 2008, reflecting the overall trend of rising attacks. Even with the drop in November 2008, spam levels climbed 25% over 2007. Our statistics show that the average unprotected user would have received 45,000 spam messages in 2008 (up from 36,000 in 2007). All indicators suggest this trend will continue as virus, malware, and link-based attacks become both more frequent and more ingenious."

Heuristic Virus Detection: Last year we released advanced new anti-virus heuristics that specifically targeted zero-hour vulnerability (the period of time between when a new virus enters the wild and the release of the anti-virus signature file). When the zero-hour protection identifies a suspicious message, the message is scanned using the new anti-virus heuristics, and if confirmed as a virus, the message is quarantined

Read the entire blog post here

-Dennis
Eloqua

Don't Just Send, Deliver!

Brian Krebs at the Washington Post reports that "Google's free services are being heavily exploited by spammers to redirect visitors to sites touting knockoff designer drugs and scams, according to the latest rankings from Spamhaus.org, a group that tracks unsolicited commercial e-mail.

"Last month, Security Fix called attention to Microsoft's persistent ranking on Spamhaus's running list of the "Top 10 Worst Spam Service ISPs". Now that Microsoft has cleaned up its act, it appears the bad guys are moving on to Google, which is now ranked #4 on the list (#1 being the worst).