Word to the Wise
Meanwhile… I apparently gave chess.com an email address in 2007 – probably due to a client engagement? I don’t know. I unsubscribed from their mail at some point as there has only been one email from them between 2010 and 2021. Maybe this time they’ll actually unsubscribe me.
Since I wrote about it last month the requirements for bulk senders to Yahoo and Google have changed a little. The big change is that bulk senders need to authenticate with both SPF and DKIM, rather than SPF or DKIM. Only one of those has to align with the 822 From: header.
Email supports TLS (Transport Layer Security), what we used to call SSL. Unlike the web, which split its TLS support off into a completely different protocol – https, listening on port 443 vs http listening on port 80 – SMTP implements it inside its non-encrypted protocol. A mailserver advertises that it supports this by having the word “STARTTLS” in the banner it sends after you connect to it. Before you do much else, you send the command “STARTTLS”. At this point the TCP connection to the mailserver stops speaking SMTP and is ready for the complex binary dance that is a TLS handshake. Once the negotiation of protocols and ciphers and session tokens is done, SMTP comes back. It looks just like it did before, but now it’s all being tunneled over a secure, encrypted TLS session. Sometimes you want to find out a few more details about how a
On Tuesday I wrote about using DNS wildcards to implement customer-specific subdomains for email authentication. As I said then, that approach isn’t perfect. You’d much prefer to have per-customer domain authentication, where each customer has their own DKIM d= and ideally their own SPF records, rather than having all customers sharing those records and relying on loose DMARC alignment to have them work with a per-customer subdomain in the 5322 From: header. But doing that with DNS wildcards would have some odd side effects, such as TXT records appearing where they weren’t expected, in ways that could trigger bugs in rarely tested code paths at mailbox providers and potentially even open up security problems. I mentioned that using a “stunt” DNS server would be one option to do that, and then quite a few people asked me what I meant by that. A stunt DNS server is one that doesn’t
If you’re an ESP with small customers you may have looked at the recent Google / Yahoo requirements around DMARC-style alignment for authentication and panicked a bit. Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.…For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment. So everyone who’s using their gmail address to send bulk mail is going to have to stop doing that within the next few months if they still want their mail to be delivered. For any ESP customer that already has, or can be convinced to buy, a domain for their web presence maybe they can be persuaded to switch to using that – though even if they can, onboarding 100,000 technically naive users
If you’re seeing a lot of “451 4.7.500 Server busy. Please try again later” from Office365 this morning you’re not alone. Microsoft are aware of the issue, and incident EX680695 says: Current status: We’ve identified that specific IP addresses are being unexpectedly limited by our anti-spam procedures, causing inbound external email delivery to become throttled and delayed. We’re reviewing if there have been any recent changes to our anti-spam rules to understand why the IP addresses are being limited. In the meantime, we’re manually adding reported affected IP addresses to an allowed list to provide immediate relief.
A lot of beginner questions about email delivery aren’t about broad strategies for success, or technical details about authentication, or concerns about address acquisition. They’re something like: My mail to $ISP is being blocked. How do I contact someone there? Asking a question to your peers about how to deal with a concrete problem you’re having is a great thing to do – you might get immediate help, and hopefully you’ll pick up some technical or industry information and level up some skills along the way. But there are good questions and good ways to ask them, and bad questions and bad ways to ask them. You really want to get the most value out of the answers you get, and you don’t want to waste your peers’ valuable time. Let’s talk about the “My mail is blocked, who do I ask to fix it?” sort of question on an
Google are circulating a new set of requirements for bulk senders on their blog. So are Yahoo. It’s almost like postmasters talk to each other or something. If you dig through the links in the Gmail blog post you can find this summary of what they’ll be requiring from bulk senders by February: Set up SPF or DKIM email authentication for your domain. Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records. Keep spam rates reported in Postmaster Tools below 0.3%. Format messages according to the Internet Message Format standard (RFC 5322). Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery. If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email. ARC headers indicate the message was forwarded and identify
History Return Path was a major driver for the establishment of Feedback Loops (FBLs) back in the mid to late 2000s. They worked with a number of ISPs to help them set up FBLs and managed the signup and validation step for them. In return for providing this service to senders and receivers, they used this data as part of their certification process and their deliverability consulting. Return Path had a strong corporate ethos of improving the overall email ecosystem that originated from the CEO and permeated through the whole organization. In 2019 Validity acquired Return Path and within two months closed two offices and laid off more than 170 employees, many of whom are industry leaders and long-time colleagues. In 2020 Validity acquired 250OK, one of their major competitors. Over the next year they then ended long-term agreements with ESP partners, sued competitors and significantly raised prices for
When you query DNS for something you ask your local DNS recursive resolver for all answers it has about a hostname of a certain type. If you’re going to a website your browser asks your resolver for all records for “google.com” of type “A” and it will either return all the A records for google.com it has cached, or it will do the complex process of looking up the results from the authoritative servers, cache them for as long as the TTL field for the reply says it should, then return them to you. There are dozens of different types of records: AAAA for IPv6 addresses, MX for mailservers, TXT for arbitrary text, mostly used for various sorts of authentication (including SPF, DKIM and DMARC). And then there’s CNAME. CNAME stands for “Canonical Name” and means “Go and ask this different question instead”. If you have a DNS record