Frequently Asked Questions relating to Spamhaus data
Frequently asked questions relating to our data and research.
Marketing Email
Sending bulk marketing email is the act of sending an email campaign to a large group at once.
- This method of email can be employed to send marketing messages, newsletters, updates, coupons, invitations, product updates, etc.
- Bulk email can also be called mass email or email blasts.
- The majority of companies hire an Email Service Provider (ESP) to handle the creation, scheduling, and sending of marketing email. These same systems are often used for transactional emails as well – password resets, airline ticket confirmations, bank statements, etc.
The key to successful marketing email deliverability is to consistently send correctly authenticated, carefully targeted email to an engaged audience. Meticulous maintenance of email best practices leads to the establishment of an excellent IP and domain reputation.
This is intended only as a basic outline of what it takes to manage a legitimate and successful commercial e-mail marketing program. Please seek expert advice from appropriate companies or consultants for a more complete understanding of the complicated issues involved.

Spamhaus believes the only way email will stay a valid and useful channel is if users only receive mail they asked for. No email should be sent until and unless there is direct and verifiable permission. Our standard recommendation is to only send mail to addresses that have gone through a confirmed opt-in process.

Address acquisition: Make sure it is Confirmed Opt In (COI). If the recipient did not request the email, the rest of the list management processes are irrelevant. For more on COI, see:
- https://www.spamhaus.org/resource-hub/spam/mailing-lists-vs-spam-lists
- https://www.spamhaus.org/resource-hub/deliverability/permission-pass-what-how-and-when-to-use/
- https://www.spamhaus.org/resource-hub/deliverability/confirmed-opt-in-a-rose-by-any-name/
Truth in advertising: The policies and nature of the e-mail program should be stated at the point of subscription. Appropriate expectations should be set and delivered: how often, what kind, what topics and content, etc. Information about the subscription should not be hidden on remote pages, behind hyperlinks, or buried in jargon, legalese, and obfuscation.

Appropriate Identification: The company should be properly and clearly identified in the message itself and in Internet records such as Whois. Properly registered domains with working mail and web addresses should be used; every domain in use should identify the company and lead to a website that identifies that company. Hiding behind ever-changing mazes of nonsense domains is not a best practice and violates Spamhaus policy.
- Anonymized Whois records should be avoided. Legitimate companies have no need to hide their identities.
- Proper email authentication via the use of SPF records and DKIM signatures should always be used. Domain and IP reputations affect each other!
- Mail server IPs should be identified with proper rDNS (PTR) and mail servers should identify themselves with a proper “HELO/EHLO” value.
- The forward DNS lookup (domain name to IP address) of your IP should match the HELO value set in your server.
An online identity should be as solid as a brick-and-mortar business!

Maintenance: Mailing lists need to be kept current. Unsubscribe requests and user-unknown bounces should be removed promptly, without delay. The list should be mailed at regular intervals. Stagnant lists provoke high complaint rates when they are reactivated, even from truly COI addresses. Addresses are constantly abandoned or re-used. For most commercial lists, a good rule of thumb is to mail at least once per week and remove any address with three sequential bounces, or that provokes sequential bounces continuously for more than two weeks.

Feedback Loops: Many ISPs offer feedback loops (wherein a spam complaint is redacted, converted to ARF and sent back to the originating sender). These complaints should be used both to remove any complainants from the marketing program, and as a “canary” that warns of problems with the marketing program. They are an extremely useful and valuable source of information and are offered free of charge.

Secure Webforms: As of October 2016, webforms that accept email subscriptions need to be protected in some manner due to systemic abuse. CAPTCHA is a good solution but there are others. See this Spamhaus blog article about subscription bombing.

Bounce processing: The recipient’s server bounces communicate a lot of valuable information that should be reviewed regularly. Errors that indicate backoff or cessation need to be respected. SMTP “5xy” codes mean “Do not try again”. SMTP “4xy” codes – also known as temp fails – mean “try again later” and can be issued for many reasons, ranging from “too many complaints generated by the incoming IP”, a sudden decrease in domain reputation, all the way to “not enough resources to handle the incoming load at this time”. All standards-compliant servers will automatically retry such deferred deliveries at increasing time intervals. Generally, retries cease and the message is considered undeliverable after 5 days. The interval before pruning a deferred address from a list is usually longer and takes more bounces than a hard “5xy” rejection, but eventually such addresses should also be retired.

Unsubscribes: Unsubscribe requests must be honored promptly. The unsubscribe process must work via e-mail, and many laws also require a web link and a postal address to be included in the message body. If a subscriber wants to be removed, that request should be honored regardless of the method of submitting that request.

Seek expert advice! There are highly qualified deliverability consultants (and some who aren’t so qualified; buyer beware). Using a reputable E-mail Service Provider (ESP) to manage and maintain marketing programs is the most common method of handling the complexities involved. If any delivery consultant or ESP is not aware of the terms and problems in this very brief outline, or if they make promises that they can get you “whitelisted” at ISPs, that choice should be reconsidered. (Note: No one but Spamhaus decides what IPs or domains Spamhaus lists or removes. The only way to be removed from a Spamhaus listing is to fix the problem that caused the listing.)
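The Maintenance, Feedback Loop and Bounce processing rules above, applied to a stream of delivery events, as an added example (not Spamhaus code). It assumes the thresholds from the outline (three sequential 5xy rejections, more than two weeks of continuous 4xy deferrals, immediate suppression on an ARF complaint) and uses constructed addresses and dates.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed example: replays delivery replies and feedback-loop complaints against
# the list-hygiene rule of thumb in the outline above.

@dataclass
class Event:
    address: str
    when: date
    kind: str          # "smtp" (reply from the recipient MTA) or "complaint" (ARF report)
    code: int = 0      # three-digit SMTP reply code, only for "smtp" events

@dataclass
class ListEntry:
    status: str = "active"                 # active | retired | suppressed
    reason: str = ""
    hard_bounces: int = 0                  # consecutive 5xy rejections
    deferred_since: Optional[date] = None  # first 4xy in the current run of deferrals

def classify(code: int) -> str:
    """Map an SMTP reply code onto the outcomes the outline distinguishes."""
    if 200 <= code < 300:
        return "delivered"
    if 400 <= code < 500:
        return "deferred"      # temp fail: try again later
    if 500 <= code < 600:
        return "hard"          # permanent: do not try again
    raise ValueError(f"not an SMTP reply code: {code}")

def apply_event(entry: ListEntry, ev: Event, max_hard: int = 3, max_deferred_days: int = 14) -> ListEntry:
    """Update one address's state; thresholds are the outline's rule of thumb."""
    if entry.status != "active":
        return entry                       # already off the list
    if ev.kind == "complaint":
        entry.status, entry.reason = "suppressed", "FBL complaint"
        return entry
    outcome = classify(ev.code)
    if outcome == "delivered":
        entry.hard_bounces, entry.deferred_since = 0, None   # a delivery resets both counters
    elif outcome == "hard":
        entry.hard_bounces += 1
        entry.deferred_since = None
        if entry.hard_bounces >= max_hard:
            entry.status, entry.reason = "retired", f"{max_hard} sequential 5xy bounces"
    else:  # deferred
        if entry.deferred_since is None:
            entry.deferred_since = ev.when
        elif (ev.when - entry.deferred_since).days > max_deferred_days:
            entry.status, entry.reason = "retired", f"deferred for more than {max_deferred_days} days"
    return entry

def process(events) -> dict:
    """Replay events in date order and return the resulting state per address."""
    entries = {}
    for ev in sorted(events, key=lambda e: e.when):
        apply_event(entries.setdefault(ev.address, ListEntry()), ev)
    return entries

def day(d: int) -> date:
    return date(2024, 3, d)

# Constructed sample events (addresses and dates are made up).
SAMPLE_EVENTS = [
    Event("alice@example.org", day(1), "smtp", 250),
    Event("alice@example.org", day(2), "smtp", 550),
    Event("alice@example.org", day(3), "smtp", 550),
    Event("alice@example.org", day(4), "smtp", 550),   # third sequential hard bounce
    Event("bob@example.org",   day(1), "smtp", 451),
    Event("bob@example.org",   day(8), "smtp", 451),
    Event("bob@example.org",   day(16), "smtp", 451),  # still deferring after 15 days
    Event("carol@example.org", day(1), "smtp", 451),
    Event("carol@example.org", day(3), "smtp", 250),   # a delivery clears the deferral run
    Event("carol@example.org", day(20), "smtp", 451),
    Event("dave@example.org",  day(1), "smtp", 250),
    Event("dave@example.org",  day(2), "complaint"),   # "report as spam" via feedback loop
    Event("erin@example.org",  day(1), "smtp", 550),
    Event("erin@example.org",  day(2), "smtp", 550),
    Event("erin@example.org",  day(3), "smtp", 250),   # two bounces then a delivery: keep
]

if __name__ == "__main__":
    for addr, entry in process(SAMPLE_EVENTS).items():
        print(f"{addr:20} {entry.status:10} {entry.reason}")
```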
This seems like a silly thing to say, but it is not. In the world of sending email and spam filtering, intention matters less than appearances. If a company sends legitimate, COI email in a manner that is indistinguishable from the bad guys, no spam filter will understand the difference. It is important to follow best practices in order to avoid this pitfall. Legitimate mailers work hard to build brand reputation based on a real business address, a known domain and a small, permanent, well-identified range of sending IPs.
- All emails should be correctly authenticated with DKIM & SPF at a minimum
- The SPF record should be as narrow and specific as possible. If the entire internet is designated as “permitted sender”, that is not useful and opens the domain to abuse by spammers.
- Do not use anonymized or unidentifiable whois records. Legitimate businesses should have no reason to hide their online identity using whois privacy or proxy services.
- Limit domain usage. The more unique domains are used to send the same emails, the more red flags are raised; use the primary business domain whenever possible.
- Use clear and consistent naming schemes in DNS – keep it simple.
  - The best option is delegating a subdomain of the brand’s primary domain to the ESP: email.customerbrand.com
  - Next best would be: “customerbrand.espdomain.com”
  - Last (and to be avoided if at all possible) resort: customerbrand-email.com – if this is necessary, it is crucial to use a cousin domain that has a clear relationship to the primary brand name. Phishing has made people very wary of look-alikes.
  - This allows receivers to easily distinguish the ESP and customer and reduces the chances of blocks or reputation damage due to unclear identification
- Use properly registered domains with working mail AND web addresses. There should be a website for every domain/brand that is being sent. Not having one looks shady and is something that spammers do all the time.
- Every domain that sends email should have functional abuse@ & postmaster@ addresses
- Use contiguous IPs if possible. Use the same network.
  - If not possible, do not use more IPs than needed.
  - Most brands do not need 100s of IPs scattered across multiple networks – this is in fact the definition of snowshoeing.
  - For more information on snowshoeing please see the Spamhaus FAQ
- For ESPs: have a published AUP/TOS that is easy to find and read…enforce it.
SPF, DKIM & DMARC (and TLS)
SPF and DKIM are authentication protocols that should be considered a must-have requirement in any modern email marketing infrastructure.
- The lack of SPF and DKIM authentication will damage deliverability and affect reputation and inbox placement. Both SPF and DKIM protocols are used for DMARC, which is increasing rapidly in its importance, particularly for financial institutions.
Sender Policy Framework (SPF) allows the authoritative owner of a given domain to specify to a receiver which networks or IPs are authorized to send mail using that domain as a ‘from’ address.
- The Sender Policy Framework is defined in RFC 7208.
- Single IPs, IP ranges, or hostnames can be used.
- An SPF TXT record should be as exclusive as possible for greatest security.
- This TXT record lives in the DNS zone file for the sending domain.
- Email should not be sent without verified SPF authentication.
DomainKeys Identified Mail (DKIM) allows the cryptographic signature of a designated portion of the email header so the receiver can verify the authority of the sending domain.
- It makes use of both public and private keys.
- It has become a crucial part of deliverability and email should never be sent without it.
- Failure to include a valid DKIM signature will affect deliverability and inbox placement at many ISPs.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an authentication policy that allows senders to specify to receivers how to respond when email fails SPF or DKIM checks.
- It is published by means of a short entry in DNS.
- It allows senders to request aggregated and anonymized reports from recipients regarding unauthenticated email that claims to be from their domains.
- It creates a way for ISPs to supply that data in a standardized format.
- These reports allow domain owners to monitor possible spoofing of their domains. This is especially useful for commonly abused businesses such as banks, online payment systems, various social media, etc.
- DMARC does not allow senders to bypass spam filters.
Some ISPs take DMARC alignment into consideration in their filtering decisions.
- In DMARC alignment: a message must pass ‘SPF authentication’ and ‘SPF alignment’ and/or ‘DKIM authentication’ and ‘DKIM alignment.’
- DKIM alignment: ‘d=’ must match FRIENDLY FROM
- SPF alignment: RETURN-PATH must match the FRIENDLY FROM domain
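The DMARC alignment rule just described (RFC5322.From domain versus the SPF-authenticated Return-Path domain and/or the DKIM d= domain), as an added example that is not Spamhaus code. It assumes the SPF result and the set of verified DKIM signing domains are supplied by the receiver's authentication step, uses the page's customerbrand.com / espdomain.com naming, and approximates the organizational domain by the last two labels (real DMARC uses the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example: identifier alignment as DMARC evaluates it. SPF and DKIM
# verification results are inputs, since checking them needs DNS and the signature.

def domain_of(header_value) -> str:
    """Extract the domain from a From: or Return-Path: header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment.
    Simplification: last two labels. Real DMARC consults the Public Suffix List,
    so a domain under a suffix such as co.uk would need a PSL lookup."""
    return ".".join(domain.split(".")[-2:])

def aligned(candidate: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) the same organizational domain."""
    if not candidate or not from_domain:
        return False
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)

def dkim_signing_domains(msg) -> list:
    """d= tags from every DKIM-Signature header on the message."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            found.append(m.group(1).lower())
    return found

def dmarc_alignment(raw_message: str, spf_result: str, dkim_passed, aspf="r", adkim="r") -> dict:
    """spf_result: 'pass' or 'fail' for the Return-Path (envelope sender) domain.
    dkim_passed: set of d= domains whose signatures verified.
    aspf/adkim: alignment modes from the sender's DMARC record (default relaxed)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])              # the FRIENDLY FROM domain
    rp_dom = domain_of(msg["Return-Path"])
    spf_aligned = spf_result == "pass" and aligned(rp_dom, from_dom, aspf)
    dkim_aligned = any(
        d in dkim_passed and aligned(d, from_dom, adkim)
        for d in dkim_signing_domains(msg)
    )
    return {
        "from_domain": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,   # either aligned identifier suffices
    }

# Constructed message: the brand bounces via a delegated subdomain (the recommended
# setup) but the ESP signs with its own domain rather than the brand's.
ESP_SIGNED = """\
Return-Path: <bounces@email.customerbrand.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=espdomain.com; s=sel1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "Customer Brand" <news@customerbrand.com>
To: subscriber@example.net
Subject: March newsletter

Body omitted.
"""

# Same message, but signed with a key published under the brand's own domain.
BRAND_SIGNED = ESP_SIGNED.replace("d=espdomain.com", "d=customerbrand.com")

if __name__ == "__main__":
    print(dmarc_alignment(ESP_SIGNED, "pass", {"espdomain.com"}))
    print(dmarc_alignment(ESP_SIGNED, "pass", {"espdomain.com"}, aspf="s"))
    print(dmarc_alignment(BRAND_SIGNED, "fail", {"customerbrand.com"}))
```

Under relaxed SPF alignment the subdomain Return-Path carries the first message; under strict alignment only the brand-signed DKIM signature does.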
Transport Layer Security (TLS) is an encryption method used to encrypt the communication channel between two computers.
- It is the successor to SSL, and the two terms are often used interchangeably.
- SSL/TLS are widely used to encrypt connections over the internet. For example: whenever a lock appears in the browser bar, the browser is encrypting communication between you and the website that has been connected to.
TLS can be used to encrypt email during the transmission stages. Some recipients require it and will refuse mail that is not TLS encrypted, but that is not very common yet. Many MTAs have the option to request TLS if it is available, and will fail over to an unencrypted connection if it is not.
Deliverability is all about sending mail users want and expect to receive. The key to good deliverability is getting permission from recipients and meeting their expectations, as well as creating and maintaining an excellent IP address and domain reputation.
There are some technical and process pieces as well, including:
- Authentication
- Sending mail users want
- Address acquisition and list hygiene
- Complaint management
- Frequency and engagement
It is strongly recommended that work be done to segment out anyone that has not actively engaged with your email in a chosen amount of time. The usual starting place is 1 year, and then moving to 6 months, 3 months, etc. depending on results.
Flawed address collection processes and bad sending practices result in spamtraps being added to mailing lists. The presence of spamtraps confirms the underlying data problems, so we would furthermore recommend:
- A rigorous review of how data is collected and verified,
- Adding CAPTCHA to any webforms that may be insecure,
- Ensuring that a confirmation email is sent to any new subscribers. This helps prevent both malicious signups and typographical mistakes. If the prospect does not respond to the confirmation email, no further email should be sent to that address.
- This process will greatly improve the quality of mailing lists, increase ROI, and significantly reduce the possibility of hitting spam traps.
Such requests should be honored as quickly as possible. Ideally, anyone that has requested to be removed from a marketing email program should not get any additional mail after the removal request was made. The length of time allowed for suppression to occur varies by law and country, so ‘immediately’ is the best practice.
A general unsubscribe request applies to all marketing and non-transactional mail from your company, regardless of what list or division the mail is coming from. After an unsubscribe request is received, all mail to that recipient must cease. The sole exception is if the recipient is clearly notified of what mail they can expect to continue to receive and given the ability to unsubscribe from all mail, such as through an account preference center.
Furthermore, creating a “new” marketing segment and adding previously unsubscribed addresses to it is considered sending unsolicited bulk email (i.e. spam) in Spamhaus policy and may violate laws in certain areas.
A spam complaint (also known as an abuse report) is defined as “the result of the action taken by an email subscriber when they click the ‘report as spam’ button in their inbox”, which is then directed back to the originating sender in the form of an ARF-formatted Feedback Loop (FBL) report. Most major ISPs offer a ‘Feedback Loop’ as a free service. The list of ISPs that offer such a service changes frequently. ARF (Abuse Reporting Format) is a machine-readable format that redacts some personally identifiable information. These reports should be processed promptly, and the complainants removed immediately upon receipt. Most of the time, this process will be handled by the ESP that is sending the email. The length of time allowed for suppression to occur varies by law and country, so ‘immediately’ is the best practice. The number of complaints generated is given great weight by receivers, though ISPs will not reveal what the threshold is, as it is part of their spam filtering recipe and will vary from ISP to ISP. A good reputation allows slightly more forgiveness than a poor one. That being the case, keeping complaints as low as possible is the prudent thing to do.
Confirmed Opt-In (COI) is considered to be the industry gold standard. It is a simple and powerful method of building and maintaining a clean, high-quality contacts database.
- A potential customer submits their email address via a website, form, or at point-of-sale
- The marketer then sends a confirmation email to the provided address, which contains a link that must be clicked to confirm consent and contains information that sets the recipient expectations.
- If the recipient does not click to opt-in, he will receive no further email of any kind from that marketer.
While this method requires more work and investment than others, the payoff in list quality more than offsets it.
- It increases the integrity and reputation of the sender in the eyes of the recipient.
- If a recipient’s inbox and time are treated with respect, recipients are less likely to report that email as spam, less likely to unsubscribe, and happy customers tend to make more purchases.
- Spam traps do not interact with email, so the likelihood of a contact list being poisoned by traps is greatly reduced.
ISPs often block email that generates a lot of spam complaints, or that hit their traps, resulting in a loss of inbox delivery, reputation and revenue. Confirmed opt-in provides a low risk, high ROI method of reaching clients.
When an ISP, filter vendor, or reputation provider refuses a sender’s email, as part of the investigation they often require proof of consent. This cannot be provided if consent has not been sought and granted via COI. They also can require a ‘re-permissioning’ pass, which demands that all subscribers be offered the chance to opt out, or to remain subscribed, and that those choices must be honored.
Note: while this is Spamhaus’ recommendation for confirming permission, it is not the only method. Any process that confirms that the email address belongs to the person giving permission, and confirms that permission, will meet this standard.
A corollary question: “If the recipient is given the choice to opt-out or remove, is it still spam?”
Yes, it is. If clear, informed consent to send marketing mail to an individual is not gained at the point of collection, prior to any email being sent, it is not COI and therefore considered spam.
Never buy or rent email addresses from anyone.
No legitimate company will ever sell or rent a list of “confirmed-opt-in” email addresses. Selling third-party e-mail addresses is inherently contradictory to the concept of “confirmed-opt-in”, because:
- Permission is not transferable!
- This practice is illegal or very restricted by law in many countries, including the EU and Canada.
European Union GDPR:
The General Data Protection Regulation 2016/679 is a regulation in EU law regarding data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. It is a very complex regulation that was enacted on May 25, 2018; violations of this regulation can carry some severe fines and should be taken into account when building an email marketing campaign that involves anyone residing in the EU. For more information please consult qualified legal counsel.
After 25th May 2018, a person must actively consent for their data to be processed and used by the actual company using it. This means that mailing list companies can no longer sell data that is “fully opted-in”. To opt in, people must opt in directly with the company using the data. Unless your company name was mentioned when the person’s email address was collected, you can no longer rely on consent as a reason to process personal data.
Canada CASL
See the CASL Guide for more information or read the text of the law. Senders MUST comply with CASL if email is sent to:
- a Canadian domain
- a Canadian user
- or is transmitted through Canada
United States Federal CAN-SPAM law:
This law states that an opt-out must be provided, that no part of the email can be forged, and that a postal address must be included. Marketers MUST comply with this federal regulation to legally send marketing email: violators can and have been successfully sued by the FTC. For more information about CAN-SPAM, see this link: US Federal Law CAN-SPAM information.
CCPA
California passed its California Consumer Privacy Act (CCPA) on Jan 1, 2020. It’s a law that protects the privacy rights of consumers within the state. Like Europe’s General Data Protection Regulation (GDPR), the CCPA will affect many businesses who collect personal information from those in California.
For questions about any of these regulations, please seek appropriate legal counsel.
Inevitably, purchased lists contain spamtraps or generate abuse complaints and bounces, and then the buyers find themselves blocklisted for spamming, causing extensive and expensive reputational damage to the company that sent the purchased list.
All advertisements for lists of “opt-in email addresses” are fraudulent.
The exception that proves the rule is when a legitimate confirmed opt-in (COI) list is transferred from one owner to another owner, exclusively, such as in a company buyout, with all the subscription agreements retained including the topic of the list. COI records should be transferred as part of the agreement.
See also the M3AAWG Position on Selling Email Address Lists from the Messaging, Malware and Mobile Anti-Abuse Working Group.
This can be a tricky process to navigate, and the solution will vary with every specific situation. We suggest that the company engage a good ESP or Deliverability consultant to assist, and that legal counsel also be consulted if appropriate. Data protection laws exist in one form or another in more than 70 countries, and they are very often applicable to email marketing. There are many avenues that can be taken to address this situation, one of which is a “re-permissioning” pass. A Permission Pass involves sending out a new bulk email to the problematic list, asking the recipients to confirm that they wish to remain subscribed to it. **Only those who confirm are then kept on the list.** Those who do not answer affirmatively (or whose addresses bounce) should be flagged as “do not mail”, or whatever makes sense for the platform in use. The resulting list will be a clean, 100% Confirmed Opt-In list that provides a low risk, high ROI method of reaching clients.
Email appending, e-pending, or “enriching” is the supplementation of existing email databases by cross-referencing them with information from other databases. The presumed goal is to add email addresses for customers or prospects for whom the sender has other information.
M3AAWG has published a very clear statement about e-pending: The practice of email appending is in direct violation of core M3AAWG values.
The Spamhaus Project is fully aligned with M3AAWG’s position; we never have and never will support e-pending. Both e-pending services and marketers using e-pending to enlarge their audience risk being listed by Spamhaus.
This is a complicated question and the answer will vary for every situation. With that in mind, we would advise that appropriate legal counsel be consulted to ensure that the actions taken are in compliance with whatever laws are applicable in your part of the world, and to your business model.
Once that has been done, we would then suggest that a qualified Deliverability Consultant be engaged to help with the intricacies of the email related aspects of this merger or acquisition.
“Listwashing” is defined as the removal of spamtraps and the email addresses of “complainers” or “litigators” from a list that is not confirmed-opt-in, while retaining the other email addresses. This is often used as an attempt to clean up a rented, purchased, or very old mailing list.
“Waterfalling” is a technique wherein a list owner “waterfalls” the same illicitly obtained address list through a series of usually unknowing, innocent ESPs, each time cleaning bounces, complainants and maybe non-respondents, with the end goal being to send the final result through a good ESP with solid deliverability. The result of this process is damage to the reputation of each ESP involved, as well as being a violation of ethics, counter to best practices and against Spamhaus policy.
Some verification/validation companies offer a service that promises to remove “spamtraps, complainers, litigators and all other perceivable threats” from email marketing lists. However, the presence of traps highlights a data collection problem. Going trap hunting is merely treating the symptom.
The focus should be on fixing the collection issues, and segmentation of the existing list with exacting care, with close attention paid to recipients that do not engage. These services go against the best practices of building a legitimate and successful email marketing list. Also, these services simply do not work as claimed: Spamhaus frequently sees mail in its spamtraps from “cleaned” lists!
All firms engaged in marketing via email should read the following documents:
- Spamhaus News Blog:
Subscription Bombing: COI, CAPTCHA, and the Next Generation of Mail Bombs, 2016-09-16
A Snowshoe Winter: Our Discontent with CAN-SPAM, 2009-02-25
Confirmed Opt In – A Rose by Any Name, 2008-08-11
- Spamhaus: The Definition of Spam
- Spamhaus: Responsible Mailing Lists -vs- Spam Lists
- Spamhaus: Permission Pass – How to rescue your mailing list
- Spamhaus: What is the right way to send marketing e-mail?
- Spamhaus: Feedback Loops and Role Accounts
- M3AAWG: M3 Email Marketing Best Practice Document
- M3AAWG: M3’s Position on Selling or Purchasing Email Address Lists
- Marketo Blog: Email Filters appear to be Clicking Links by Kiersti Esparza, Jun 25, 2018
- Certified Senders Alliance: Help! I hit a spamtrap! and how to avoid spamtraps in the first place
To ensure uninterrupted email delivery, it is critical that all technical settings be correct. In case of difficulty, they should be double checked.
- Misconfigured SMTP servers may have problems delivering email to many networks, including ones that do not use Spamhaus data.
- SMTP servers should be configured with correct forward and reverse DNS and HELO/EHLO values.
- DNS is used to resolve a domain name to an IP address. This act is known as a forward DNS and is performed every time you visit a site on the internet. Reverse DNS (rDNS) is a method of resolving an IP address back to a hostname. Your hosting company or email service provider can help set this up or correct it.
- If you need to correct your rDNS and are using OVH cloud, Amazon Lightsail, Amazon Route 53, or Amazon EC2, they have information on their websites that can help.
- The forward DNS lookup (domain name to IP address) of your IP should match the HELO value set in your server.
- HELO is an SMTP command sent by an email server to identify itself when connecting to another email server, to start the process of sending an email. It is followed with the sending email server’s hostname.
- One way to test whether an SMTP server is misconfigured is to send an email from it to helocheck@abuseat.org. A bounce will immediately be returned that contains the required information.
- Common misconfigurations of HELO are: “localhost.localdomain”, “WIN-XYZPDQ01” or “mail”.
- A HELO/EHLO value should be a fully qualified domain name (FQDN)
- Correct HELO/DNS/rDNS alignment for domain example.com:
- Mail server on 192.0.2.12: HELO mail.example.com
- Forward DNS: mail.example.com -> 192.0.2.12
- Reverse DNS: 192.0.2.12 -> mail.example.com
- About load balancers:
- Some sites place their mail servers behind load balancers. While this may have some advantages, this practice has the side-effect of giving the public-facing IP the appearance of being infected by malware. If this is the issue, then the solution may require an engineering design change.
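A checker for the HELO / forward DNS / reverse DNS alignment laid out above, as an added example that is not Spamhaus code. It uses an in-memory resolver table (constructed, mirroring the FAQ's example.com case) so that it runs offline; the `TableResolver` class and its `a`/`ptr` methods are this example's own, and a live version would back them with `socket.gethostbyname_ex` and `socket.gethostbyaddr`.

```python
import ipaddress
import re

# Constructed example: verifies that a mail server's HELO name is a FQDN, that it
# resolves to the sending IP, and that the IP's PTR points back (FCrDNS).

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
KNOWN_BAD_HELO = {"localhost", "localhost.localdomain", "mail"}   # from the FAQ's list

class TableResolver:
    """Offline stand-in for DNS. forward: name -> [ips]; reverse: ip -> [names]."""
    def __init__(self, forward, reverse):
        self.forward = {k.lower().rstrip("."): v for k, v in forward.items()}
        self.reverse = reverse
    def a(self, name):
        return list(self.forward.get(name.lower().rstrip("."), []))
    def ptr(self, ip):
        return [n.lower().rstrip(".") for n in self.reverse.get(ip, [])]

def is_fqdn(name: str) -> bool:
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def check_helo(ip: str, helo: str, resolver) -> list:
    """Return a list of findings; an empty list means HELO, A and PTR all agree."""
    findings = []
    ip = str(ipaddress.ip_address(ip))          # normalise and reject garbage
    helo = helo.lower().rstrip(".")
    if helo in KNOWN_BAD_HELO or not is_fqdn(helo):
        findings.append(f"HELO '{helo}' is not a fully qualified domain name")
        return findings                          # nothing further worth checking
    if ip not in resolver.a(helo):
        findings.append(f"forward DNS for HELO '{helo}' does not include {ip}")
    ptr_names = resolver.ptr(ip)
    if not ptr_names:
        findings.append(f"{ip} has no reverse DNS (PTR) record")
    else:
        # forward-confirmed reverse DNS: some PTR name must resolve back to the IP
        if not any(ip in resolver.a(n) for n in ptr_names):
            findings.append(f"no PTR name of {ip} resolves back to it ({', '.join(ptr_names)})")
        if helo not in ptr_names:
            findings.append(f"HELO '{helo}' differs from reverse DNS {ptr_names}")
    return findings

# Constructed zone data: the FAQ's aligned example plus a host whose PTR does not
# resolve back (a typical generic hosting-provider PTR).
RESOLVER = TableResolver(
    forward={
        "mail.example.com": ["192.0.2.12"],
        "mx2.example.com": ["192.0.2.13"],
        "web.example.com": ["192.0.2.14"],
    },
    reverse={
        "192.0.2.12": ["mail.example.com"],
        "192.0.2.13": ["mx2.example.com"],
        "192.0.2.14": ["generic-host.example.net"],
    },
)

if __name__ == "__main__":
    for ip, helo in [("192.0.2.12", "mail.example.com"), ("192.0.2.12", "WIN-XYZPDQ01"),
                     ("192.0.2.13", "mail.example.com"), ("192.0.2.14", "web.example.com"),
                     ("192.0.2.99", "mail.example.com")]:
        print(ip, helo, check_helo(ip, helo, RESOLVER) or "OK")
```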
NOTE: If the IP is not a mail server, or the HELO settings are in fact correct, check for malware or a misconfigured process. You may need to contact your IT department, network engineer, MTA vendor or hosting company for help.