FAQs
Frequently asked questions relating to our data and research.
Marketing Email
This seems like a silly thing to say, but it is not. In the world of sending email and spam filtering, intention matters less than appearances. If a company sends legitimate, COI email in a manner that is indistinguishable from the bad guys, no spam filter will be able to tell the difference. It is important to follow best practices in order to avoid this pitfall. Legitimate mailers work hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs.
- All emails should be correctly authenticated with DKIM & SPF at a minimum.
- The SPF record should be as narrow and specific as possible. If the entire internet is designated as “permitted sender”, that is not useful and opens the domain to abuse by spammers.
- Do not use anonymized or unidentifiable whois records. Legitimate businesses should have no reason to hide their online identity using whois privacy or proxy services.
- Limit domain usage. The more unique domains are used to send the same emails, the more red flags are raised; use the primary business domain whenever possible.
- Use clear and consistent naming schemes in DNS – keep it simple.
  - The best option is delegating a subdomain of the brand’s primary domain to the ESP: email.customerbrand.com
  - Next best would be: customerbrand.espdomain.com
  - Last (and to be avoided if at all possible) resort: customerbrand-email.com. If this is necessary, it is crucial to use a cousin domain that has a clear relationship to the primary brand name. Phishing has made people very wary of look-alikes.
  - This allows receivers to easily distinguish the ESP from the customer and reduces the chances of blocks or reputation damage due to unclear identification.
- Use properly registered domains with working mail AND web addresses. There should be a website for every domain/brand that is being sent. Not having one looks shady and is something that spammers do all the time.
- Every domain that sends email should have functional abuse@ & postmaster@ addresses
- Use contiguous IPs if possible, on the same network.
  - If that is not possible, do not use more IPs than needed.
  - Most brands do not need hundreds of IPs scattered across multiple networks – this is in fact the definition of snowshoeing.
  - For more information on snowshoeing, please see the Spamhaus FAQ.
- For ESPs: have a published AUP/TOS that is easy to find and read, and enforce it.
Such requests should be honored as quickly as possible. Ideally, anyone that has requested to be removed from a marketing email program should not get any additional mail after the removal request was made. The length of time allowed for suppression to occur varies by law and country, so ‘immediately’ is the best practice.
A general unsubscribe request applies to all marketing and non-transactional mail from your company, regardless of what list or division the mail is coming from. After an unsubscribe request is received, all mail to that recipient must cease. The sole exception is if the recipient is clearly notified of what mail they can expect to continue to receive and given the ability to unsubscribe from all mail, such as through an account preference center.
Furthermore, creating a “new” marketing segment and adding previously unsubscribed addresses to it is considered sending unsolicited bulk email (i.e. spam) in Spamhaus policy and may violate laws in certain areas.
A spam complaint (also known as an abuse report) is defined as the result of the action taken by an email subscriber when they click the ‘report as spam’ button in their inbox, which is then directed back to the originating sender in the form of an ARF-formatted Feedback Loop (FBL) report. Most major ISPs offer a Feedback Loop as a free service; the list of ISPs that offer such a service changes frequently. ARF (Abuse Reporting Format) is a machine-readable format that redacts some personally identifiable information. These reports should be processed promptly, and the complainants removed immediately upon receipt. Most of the time, this process will be handled by the ESP that is sending the email. The length of time allowed for suppression to occur varies by law and country, so ‘immediately’ is the best practice.

The number of complaints generated is given great weight by receivers, though ISPs will not reveal what the threshold is, as it is part of their spam filtering recipe and will vary from ISP to ISP. A good reputation allows slightly more forgiveness than a poor one. That being the case, keeping complaints as low as possible is the prudent thing to do.

This is intended only as a basic outline of what it takes to manage a legitimate and successful commercial e-mail marketing program. Please seek expert advice from appropriate companies or consultants for a more complete understanding of the complicated issues involved. Spamhaus believes the only way email will stay a valid and useful channel is if users only receive mail they asked for. No email should be sent until and unless there is direct and verifiable permission. Our standard recommendation is to only send mail to addresses that have gone through a confirmed opt-in process.

Address acquisition: Make sure it is Confirmed Opt In (COI). If the recipient did not request the email, the rest of the list management processes are irrelevant.
For more on COI, see:
- http://www.spamhaus.org/whitepapers/mailinglists.html
- http://www.spamhaus.org/whitepapers/permissionpass.html
- http://www.spamhaus.org/news.lasso?article=635
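The complaint handling described above, as an added example that is not Spamhaus code: it parses a constructed ARF feedback-loop report with Python's standard email module, pulls the redacted report fields out of the message/feedback-report part, and adds the complainant to a suppression set. The sample report, its addresses and its IP are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample ARF report in the shape an ISP feedback loop returns
# (RFC 5965); the addresses and IP are reserved example values.
SAMPLE_ARF = """\
From: fbl@isp.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Mail-From: <bounce-123@sender.example>
Original-Rcpt-To: <alice@isp.example>
Source-IP: 192.0.2.25

--b1
Content-Type: message/rfc822

From: news@sender.example
Subject: Weekly newsletter

Hello, here is this week's newsletter.
--b1--
"""


def parse_feedback_report(raw):
    """Extract (feedback_type, complainant, source_ip) from one ARF report."""
    msg = email.message_from_string(raw)
    if msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF report")
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            # The report fields parse as headers of a nested message object.
            fields = part.get_payload(0)
            complainant = parseaddr(fields.get("Original-Rcpt-To", ""))[1]
            return (fields.get("Feedback-Type", "").lower(), complainant.lower(), fields.get("Source-IP"))
    raise ValueError("no message/feedback-report part")


def process_reports(reports, suppression):
    """Add each abuse complainant to the suppression set; return how many were new."""
    added = 0
    for raw in reports:
        ftype, addr, _ip = parse_feedback_report(raw)
        if ftype == "abuse" and addr and addr not in suppression:
            suppression.add(addr)
            added += 1
    return added
```

Some feedback loops redact Original-Rcpt-To as well; the suppression step then has to fall back to a tracking identifier embedded in the original message.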
Truth in advertising: The policies and nature of the e-mail program should be stated at the point of subscription. Appropriate expectations should be set and delivered: how often, what kind, what topics and content, etc. Information about the subscription should not be hidden on remote pages, behind hyperlinks, or buried in jargon, legalese, and obfuscation.

Appropriate Identification: The company should be properly and clearly identified in the message itself and in Internet records such as Whois. Properly registered domains with working mail and web addresses should be used; every domain in use should identify the company and lead to a website that identifies that company. Hiding behind ever-changing mazes of nonsense domains is not a best practice and violates Spamhaus policy.
- Anonymized Whois records should be avoided. Legitimate companies have no need to hide their identities.
- Proper email authentication via the use of SPF records and DKIM signatures should always be used. Domain and IP reputations affect each other!
- Mail server IPs should be identified with proper rDNS (PTR) and mail servers should identify themselves with a proper “HELO/EHLO” value.
- The forward DNS lookup (hostname to IP address) of the HELO value should resolve to the sending IP, so that the forward and reverse records agree.
An online identity should be as solid as a brick-and-mortar business!

Maintenance: Mailing lists need to be kept current. Unsubscribe requests and user-unknown bounces should be removed promptly, without delay. The list should be mailed at regular intervals. Stagnant lists provoke high complaint rates when they are reactivated, even from truly COI addresses. Addresses are constantly abandoned or re-used. For most commercial lists, a good rule of thumb is to mail at least once per week and remove any address with three sequential bounces, or that keeps bouncing for more than two weeks in a row.

Feedback Loops: Many ISPs offer feedback loops (wherein a spam complaint is redacted, converted to ARF and sent back to the originating sender). These complaints should be used both to remove any complainants from the marketing program, and as a “canary” that warns of problems with the marketing program. They are an extremely useful and valuable source of information and are offered free of charge.

Secure Webforms: As of October 2016, webforms that accept email subscriptions need to be protected in some manner due to systemic abuse. CAPTCHA is a good solution but there are others. See the Spamhaus blog article about subscription bombing.

Bounce processing: The recipient’s server bounces communicate a lot of valuable information that should be reviewed regularly. Errors that indicate backoff or cessation need to be respected. SMTP “5xy” codes mean “Do not try again”. SMTP “4xy” codes – also known as temp fails – mean “try again later” and can be issued for many reasons, ranging from “too many complaints generated by the incoming IP”, a sudden decrease in domain reputation, all the way to “not enough resources to handle the incoming load at this time”. All standards-compliant servers will automatically retry such deferred deliveries at increasing time intervals. Generally, retries cease and the message is considered undeliverable after 5 days.

The interval before pruning a deferred address from a list is usually longer and takes more bounces than a hard “5xy” rejection, but eventually such addresses should also be retired.

Unsubscribes: Unsubscribe requests must be honored promptly. The unsubscribe process must work via e-mail, and many laws also require a web link and a postal address to be included in the message body. If a subscriber wants to be removed, that request should be honored regardless of the method used to submit it.

Seek expert advice! There are highly qualified deliverability consultants (and some who aren’t so qualified; buyer beware). Using a reputable E-mail Service Provider (ESP) to manage and maintain marketing programs is the most common method of handling the complexities involved. If any delivery consultant or ESP is not aware of the terms and problems in this very brief outline, or if they make promises that they can get you “whitelisted” at ISPs, that choice should be reconsidered. (Note: No one but Spamhaus decides what IPs or domains Spamhaus lists or removes. The only way to be removed from a Spamhaus listing is to fix the problem that caused the listing.)
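The maintenance and bounce-processing rules above (never retry a 5xy, keep retrying a 4xy for a while, retire an address after three sequential hard bounces or more than two weeks of unbroken deferrals), as an added example that is not Spamhaus code. The limits are the FAQ's rules of thumb; the day counter and addresses are constructed for the example.

```python
HARD_BOUNCE_LIMIT = 3       # FAQ rule of thumb: three sequential hard bounces
DEFERRAL_WINDOW_DAYS = 14   # FAQ rule of thumb: deferrals for more than two weeks


class ListHygiene:
    """Track per-address SMTP outcomes and decide when an address is retired.

    5xy replies are permanent rejections and are never retried; 4xy replies
    are temporary failures that only matter if they persist; a 2xy delivery
    clears the address's history. 'day' is a campaign day number supplied
    by the caller, so no clock is needed.
    """

    def __init__(self):
        self.hard_bounces = {}     # address -> consecutive 5xy rejections
        self.deferred_since = {}   # address -> day of first unbroken 4xy
        self.retired = set()

    def record(self, address, smtp_code, day):
        """Record one delivery attempt; return 'ok', 'retry', 'bounced' or 'retired'."""
        if address in self.retired:
            return "retired"
        reply_class = smtp_code // 100
        if reply_class == 2:
            self.hard_bounces.pop(address, None)
            self.deferred_since.pop(address, None)
            return "ok"
        if reply_class == 5:
            self.deferred_since.pop(address, None)
            count = self.hard_bounces.get(address, 0) + 1
            self.hard_bounces[address] = count
            if count >= HARD_BOUNCE_LIMIT:
                self.retired.add(address)
                return "retired"
            return "bounced"
        if reply_class == 4:
            # Measure the deferral run from its first 4xy reply.
            first = self.deferred_since.setdefault(address, day)
            if day - first > DEFERRAL_WINDOW_DAYS:
                self.retired.add(address)
                return "retired"
            return "retry"
        raise ValueError(f"unexpected SMTP reply code {smtp_code}")

    def active(self, addresses):
        """Filter a send list down to addresses that have not been retired."""
        return [a for a in addresses if a not in self.retired]
```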
SPF, DKIM & DMARC (and TLS)
SPF and DKIM are authentication protocols that should be considered a must-have requirement in any modern email marketing infrastructure.
- The lack of SPF and DKIM authentication will damage deliverability and affect reputation and inbox placement. Both SPF and DKIM protocols are used for DMARC, which is increasing rapidly in its importance, particularly for financial institutions.
Sender Policy Framework (SPF) allows the authoritative owner of a given domain to specify to a receiver which networks or IPs are authorized to send mail using that domain as a ‘from’ address.
- The Sender Policy Framework is defined in RFC 7208.
- Single IPs, IP ranges, or hostnames can be used.
- An SPF TXT record should be as exclusive as possible for greatest security.
- This TXT record lives in the DNS zone file for the sending domain.
- Email should not be sent without verified SPF authentication.
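The "as narrow and specific as possible" advice for SPF, as an added example that is not Spamhaus code: a small reviewer for an SPF TXT record that flags a passing or neutral `all` mechanism and address ranges wide enough to designate far more of the internet than one sender could use. The prefix-length thresholds are assumed policy values, the sample records are constructed, and no DNS lookups are made, so `include:` and `redirect=` targets are not followed.

```python
import ipaddress

# Constructed sample records; the domains and addresses are reserved example values.
BROAD_SPF = "v=spf1 ip4:0.0.0.0/0 include:_spf.esp.example +all"
NARROW_SPF = "v=spf1 ip4:192.0.2.16/28 include:_spf.esp.example -all"


def review_spf(record, max_ip4_prefix=16, max_ip6_prefix=48):
    """Return (severity, message) findings for one SPF TXT record string.

    An 'all' mechanism with a '+' or '?' qualifier lets any host pass, and an
    ip4/ip6 network shorter than the assumed prefix limit designates far more
    addresses than a legitimate sender needs. Only the record's syntax is
    examined; includes and redirects are not resolved.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", "not an SPF record (missing v=spf1)")]
    findings = []
    saw_all = False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term[1:] if term[0] in "+-~?" else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            saw_all = True
            if qualifier in "+?":
                findings.append(("high", f"'{term}' lets any host pass; use -all or ~all"))
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(("error", f"unparseable network in '{term}'"))
                continue
            limit = max_ip4_prefix if net.version == 4 else max_ip6_prefix
            if net.prefixlen < limit:
                findings.append(("high", f"'{term}' authorizes {net.num_addresses} addresses"))
    if not saw_all:
        findings.append(("medium", "no 'all' mechanism: unlisted hosts get a neutral result"))
    return findings
```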
DomainKeys Identified Mail (DKIM) allows a designated portion of the email headers to be cryptographically signed so the receiver can verify that the sending domain authorized the message.
- It makes use of both public and private keys.
- It has become a crucial part of deliverability and email should never be sent without it.
- Failure to include a valid DKIM signature will affect deliverability and inbox placement at many ISPs.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an authentication policy that allows senders to specify to receivers how to respond when email fails SPF or DKIM checks.
- It is published by means of a short entry in DNS.
- It allows senders to request aggregated and anonymized reports from recipients regarding unauthenticated email that claims to be from their domains.
- It creates a way for ISPs to supply that data in a standardized format.
- These reports allow domain owners to monitor possible spoofing of their domains. This is especially useful for commonly abused businesses such as banks, online payment systems, various social media, etc.
- DMARC does not allow senders to bypass spam filters.
Some ISPs take DMARC alignment into consideration in their filtering decisions.
- In DMARC alignment: a message must pass ‘SPF authentication’ and ‘SPF alignment’ and/or ‘DKIM authentication’ and ‘DKIM alignment.’
- DKIM alignment: ‘d=’ must match FRIENDLY FROM
- SPF alignment: RETURN-PATH must match the FRIENDLY FROM domain
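The alignment rules above, as an added example that is not Spamhaus code: given the visible From, the Return-Path the SPF check ran against, and the `d=` domains of the DKIM signatures that verified, it decides whether either path is aligned and so whether the message passes DMARC. The relaxed-mode organizational domain is simplified to the last two labels (real validators use the Public Suffix List), and the domains are the FAQ's own customerbrand.com / espdomain.com examples.

```python
from email.utils import parseaddr


def _domain(addr):
    """Domain part of an address; handles 'Name <user@dom>' forms."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _org_domain(domain):
    # Simplification: the last two labels stand in for the organizational
    # domain. Real validators use the Public Suffix List (co.uk and the like).
    return ".".join(domain.split(".")[-2:])


def _aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return _org_domain(auth_domain) == _org_domain(from_domain)


def dmarc_evaluate(from_header, return_path, spf_passed, dkim_passed_domains, aspf="r", adkim="r"):
    """Decide DMARC pass/fail for one message.

    from_header: the visible 'From:' (what the FAQ calls the friendly From)
    return_path: the envelope sender (RFC5321.MailFrom) the SPF check ran on
    spf_passed: whether that SPF check returned pass
    dkim_passed_domains: d= values of the signatures that verified
    aspf/adkim: DMARC alignment modes, 'r' relaxed or 's' strict
    """
    from_domain = _domain(from_header)
    spf_aligned = spf_passed and _aligned(_domain(return_path), from_domain, aspf)
    dkim_aligned = any(_aligned(d.lower(), from_domain, adkim) for d in dkim_passed_domains)
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "pass": spf_aligned or dkim_aligned}
```

The first check in the test is the case the naming advice earlier on this page is about: an ESP sending from its own domain with its own DKIM key authenticates fine but does not align with the customer's From, so DMARC fails; delegating email.customerbrand.com fixes that.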
Transport Layer Security (TLS) is an encryption method used to encrypt the communication channel between two computers.
- It is the successor to SSL, and the two terms are often used interchangeably.
- SSL/TLS are widely used to encrypt connections over the internet. For example: whenever a lock appears in the browser bar, the browser is encrypting communication between you and the website that has been connected to.
TLS can be used to encrypt email during the transmission stages. Some recipients require it and will refuse mail that is not TLS encrypted, but that is not very common yet. Many MTAs have the option to request TLS if it is available, and will fall back to an unencrypted connection if it is not.
Deliverability is all about sending mail users want and expect to receive. The key to good deliverability is getting permission from recipients and meeting their expectations, as well as creating and maintaining an excellent IP address and domain reputation.
There are some technical and process pieces as well, including:
- Authentication
- Sending mail users want
- Address acquisition and list hygiene
- Complaint management
- Frequency and engagement
It is strongly recommended that work be done to segment out anyone that has not actively engaged with your email in a chosen amount of time. The usual starting place is 1 year, and then moving to 6 months, 3 months, etc. depending on results.
Flawed address collection processes and bad sending practices result in spamtraps being added to mailing lists. The presence of spamtraps confirms the underlying data problems, so we would furthermore recommend:
- A rigorous review of how data is collected and verified,
- Adding CAPTCHA to any webforms that may be insecure,
- Ensuring that a confirmation email is sent to any new subscribers. This helps prevent both malicious signups and typographical mistakes. If the prospect does not respond to the confirmation email, no further email should be sent to that address.
- This process will greatly improve the quality of mailing lists, increase ROI, and significantly reduce the possibility of hitting spam traps.
Sending bulk marketing email is the act of sending an email campaign to a large group at once.
- This method of email can be employed to send marketing messages, newsletters, updates, coupons, invitations, product updates, etc.
- Bulk email can also be called mass email or email blasts.
- The majority of companies hire an Email Service Provider (ESP) to handle the creation, scheduling, and sending of marketing email. These same systems are often used for transactional emails as well – password resets, airline ticket confirmations, bank statements, etc.
The key to successful marketing email deliverability is to consistently send correctly authenticated, carefully targeted email to an engaged audience. A meticulous maintenance of email best practices leads to the establishment of an excellent IP and domain reputation.