Recent Posts

Verizon agrees to buy AOL

Verizon Agrees to Buy AOL for $4.4 Billion

Read More

What is the Mail From field?

When emails are sent, there are two from fields, the Mail From and the Display From address.  The Display From address (technically referred to as RFC.5322 from address) is the from address that is displayed to the end user within their email client.  The Mail From (technically referred to as RFC.5321 from address) is the email address to which bounce messages are delivered.  The Mail From field is sometimes referred to as the Return Path address, Envelope From address, or Bounce address.
It may seem confusing to have an email with two from fields, but knowing the difference is important to properly setup your SPF records.
Taking a look at this email I received from GoPro, the Return-Path (5321.From) goes back to @bounce.email.gopro.com.  If I were to reply to the email, the message would go to @email.gopro.com. The Display From (5322.From) address is gopro@email.gopro.com.
GoPro-Headers
I would want to add the email address GoPro@email.gopro.com to my address book because that is the email address that is displayed in my email client. The reason why the Return-Path is different from the From address is because GoPro likely has an automated system that will process the bounce back messages (sent to @bounce.email.gopro.com) and automatically flag or unsubscribe those email addresses. This allows GoPro to setup automatic processing of the different mail streams sent to them, one stream being the bounce backs after a mailing and the second being an automated customer service system.
Where does SPF fit in?
SPF checks the Mail From (5321.From) address, not the Display From (5322.From) address.  In the example above, there should be an SPF record for the subdomain of bounce.email.gopro.com.  I can check the SPF record using our Authentication tools http://tools.wordtothewise.com/spf/check/bounce.email.gopro.com and I receive the following results:
SPF_GoPro
Checking the headers shows that GoPro does have a SPF record setup and the message was authenticated with SPF.
Authentication Results
For SPF records, make sure the SPF record matches the Mail From (From.5321)/Return-Path domain name.  Have your recipients add the Display From (From.5322) email address to their address book so they will continue to receive your mailings.

Read More

4 things spammers do legitimate marketers don't

I’ve never met a spammer that claims to be a spammer. Most that I’ve met claim to be legitimate marketers (or high volume email deployers). But there are things spammers do that I never expect to see a legitimate marketer doing.
I’ve written about these things throughout the blog (tag: TWSD), but it’s probably time to actually pull them together into a single post.

Read More

Four things to check before your next mailing

Like many bits of technology, email is often set-and-forget. Everything is checked and rechecked during setup, and then no one goes back and looks at it again. But mail programs are not static, and people make changes. These changes don’t really break things, but over time they can create their own set of problems.
Setting aside some time every quarter or even every year to check and make sure all the bits of mail are configured correctly is a good idea.

Read More

Lyris to be acquired by Aurea

Aurea, a technology solutions provider, has signed a definitive agreement to acquire Lyris.

Read More

April 2015: The Month in Email

We started the month with some conversations about best practices, both generally looking at the sort of best practices people follow (or don’t) as well as some specific practices we wanted to look at in more depth. Three for this month:

Read More

Office365/EOP and Outlook.com/Hotmail will converge

Terry Zink posted two informative blog posts recently, the first being the change to unauthenticated mail sent over IPv6 to EOP and the second post about EOP (Office365 and Exchange Hosting) and Outlook.com/Hotmail infrastructure converging.
Exchange Online Protection (EOP) is the filtering system in place for Office 365 and hosted Exchange customers. Outlook.com/Hotmail utilized its own mail filtering system and provides SNDS/JMRP programs.  EOP is setup for redundancy, failover, provides geo-region servers to serve customers, and has supported TLS for over a decade.  Terry explains that Hotmail’s spam filtering technology is more advanced than EOP’s, but EOP’s backend platform is more advanced. The process to convert Outlook.com/Hotmail to use EOP’s filtering system started six months ago and is still a work in progress. Once completed, Outlook.com/Hotmail and Office365/EOP will share the same UX look and feel. The anti-spam technologies will be able to be shared between the two as they will share the same backend infrastructure.
Some of the challenges of merging the two systems include:

Read More

Email verification services

Just yesterday a group of delivery folks were discussing email verification services over IRC. We were talking about the pros and cons, when we’d suggest using them, when we wouldn’t, which ones we’ve worked with and what our experiences have been. I’ve been contemplating writing up some of my thoughts about verification services but it’s a post I wanted to spend some time on to really address the good parts and the bad parts of verification services.
Today, Spamhaus beat me to the punch and posted a long article on how they view email verification services. (I know that some Spamhaus folks are part of that IRC channel, but I don’t think anyone was around for the discussion we had yesterday.)
It’s well worth a read for anyone who wants some insight into how email verification is viewed by Spamhaus. Their viewpoints are pretty consistent with what I’ve heard from various ISP representatives as well.
In terms of my own thoughts on verification services, I think it’s important to remember that the bulk of the verification services only verify that an address is deliverable. The services do not verify that the address belongs to the person who input it into a form. The services do not verify that an address matches a purchased profile. The services do not verify that the recipient wants email from the senders.
Some of the services claim they remove spamtraps, but their knowledge of spamtraps is limited. Yes, stick around this industry long enough and you’ll identify different spamtraps, and even spamtrap domains. I could probably rattle off a few dozen traps if pressed, but that’s not going to be enough to protect any sender from significant problems.
Some services can be used for real time verification, and that is a place where I think verification can be useful. But I also know there are a number of creative ways to do verification that also check things like permission and data validity.
From an ESP perspective, verification services remove bounces. This means that ESPs have less data to apply to compliance decisions. Bounce rate, particularly for new lists, tells the ESP a lot about the health of the mailing list. Without that, they are mostly relying on complaint data to determine if a customer is following the AUP.
Spamhaus talks about what practices verification services should adopt in order to be above board. They mention actions like clearly identifying their IPs and domains, not switching IPs to avoid blocks and not using dozens or hundreds of IPs. I fully support these recommendations.
Email verification services do provide some benefit to some senders. I can’t help feeling, though, that their main benefit is simply lowering bounce rates and not actually improving the quality of their customers’ signup processes.

Read More

Political Fraud & Spam

The Conservative Party is one of the largest political parties in the UK. They’re center-right politically (by European standards), nationalist and pro-business. You’ll often see them called the Tory party or Tories – a pejorative nickname they acquired 350 years ago.
While they’re part of the ruling coalition today, there’s a general election coming up in the next couple of weeks and they’re, well, campaigning aggressively. A group of 500 small business owners co-signed a letter to the Telegraph (a mainstream UK newspaper that supports the Conservatives consistently enough that it’s widely known as the Torygraph) expressing strong support for Conservative economic policies and drumming up votes for the election.
So far, nothing unusual. So why am I talking about it? And why am I talking about it here, on an email blog?
As people began to look at the letter, the story began to unravel. First, the letter was published on the Telegraph website as  a PDF – and the PDF metadata showed it had been written by the Conservative’s press office, not a group of small businesses.
 
https://twitter.com/GabrielScally/status/592476275362529280
 
Then it turned out that many of the signatories seemed to have signed it multiple times, each representing slightly different company names. Somebody didn’t dedupe their purchased list, it seems.
When contacted, many of the signatories denied signing anything. Several of them did mention receiving email (spam?) and clicking on a link.

Read More

Compromises and phishing and email

Earlier this month, Sendgrid reported that a customer account was compromised and used for phishing. At the time Sendgrid thought that it was only a single compromise. However, they did undertake a full investigation to make sure that their systems were secure.
Today they released more information about the compromise. It wasn’t simply a customer account, a Sendgrid employee’s credentials were hacked. These credentials allowed the criminals to access customer data, and mailing lists. Sendgrid has a blog post listing things customers should do and describing the changes they’re making to their systems.
Last month it was Mandrill. Today it’s Sendgrid. It could be anyone tomorrow.
Security is hard, there’s no question about it. Users have to have access. Data has to be transferred. Every user, every API, every open port is a way for a bad actor to attempt access.
While it wasn’t said directly in the Sendgrid post, it’s highly likely that the employee compromise was through email. Most compromises go back to a phish or virus email that lets the attacker access the recipient’s computer. Users must be ever vigilant.
We, the email industry, haven’t made it easy for users to be vigilant. Just this weekend my best friend contacted me asking if the email she received from her bank was a phishing email. She’s smart and she’s vigilant, and she still called the number in the email and started the process without verifying that it was really from the bank. She hung up in the transaction and then contacted me to verify the email.
She sent me headers, and there was a valid DMARC record. But, before I could tell her it wasn’t a phishing email, I had to go check the whois record for the domain in question to make sure it was the bank. It could have been a DMARC authenticated email, but not from the bank. The whois records did check out, and the mail got the all clear.
There’s no way normal people can do all this checking on every email. I can’t do it, I rely on my tagged addresses to verify the mail is legitimate. If the mail comes into an address I didn’t give the sender, then it’s not legitimate – no matter what DMARC or any other type of authentication tells me. But most people don’t have access to tagged or disposable addresses.
I don’t know what the answers are. We really can’t expect people to always be vigilant and not fall for phishing. We’re just not all present and vigilant every minute of every day.
For all of you who are going to tell me that every domain should just publish a p=reject statement I’ll point out DMARC doesn’t solve the phishing problem. As many of us predicted, phishers just move to cousin and look alike domains. DMARC may protect citi.com, but citimarketingemail.com or citi.phisher.com isn’t.
We’ve got to do better, though. We’ve got to protect our own data and our customer’s data better. Email is the gateway and that means that ESPs, with their good reputations and authentication, are prime targets for criminals.

Read More
Categories
Tags