Aol Follows Suit On DMARC Reject Policy

Aol announced little more than an hour ago that they’ve published a reject policy in their DMARC record, just as Yahoo did around April 6th. Batten down the hatches; here comes another bounce storm:

Today we moved to change our DMARC policy to p=reject. This helps to protect AOL Mail users’ addresses from unauthorized use.

It also stops delivery on what previously would have been considered authorized mail sent on behalf of AOL Mail users via non-AOL servers. If you’re a bulk sender on behalf of AOL addresses, that probably includes mail sent from you.

“Probably”.

I think I’ll hit the sack early tonight. I want to be well-rested for tomorrow. Do I get credit for making the prediction just a few hours ago?

Who Does That, Anyway?

Yahoo’s big change to their DMARC policy has sparked a remarkable amount of debate among stakeholders in the email and security ecosystems. As is usually the case with these crowds, there’s a lot of religion both in support of and against the change. I’m trying to stay out of it, but I’m not sure I’m succeeding.

So, to take a small detour, I thought it might be interesting (or at least somewhat less exasperating) to advance some sort of answer to a related question I’m hearing from both sides: who in the actual heck would use an address from a free inbox provider as the From: address for their own marketing and newsletter mail?

Yahoo Mail Brings the Pain with DMARC Policy Change

It’s going to be a busy Monday for many ESPs and small senders out there today.

Recently, Yahoo Mail appears to have changed its DMARC policy to “p=reject,” meaning that ESP customers who send using a Yahoo email address in the From: line are going to see a spike in hard bounces. In many cases, that will trigger support calls to their ESP’s deliverability teams.

The change affects not just mail sent to Yahoo, but mail sent to any domain that participates in DMARC. By making the change, Yahoo is essentially instructing any receiving domain that checks Yahoo’s DMARC policy to reject mail that purports to originate from Yahoo’s domain, but that comes from an IP address belonging to someone else.

On a first take, that might sound like a perfectly reasonable security measure. However, lots of mom and pop shops and other small senders who rely on ESPs for their mail programs are using From: addresses (e.g., business_name@yahoo.com) that are serviced by a free inbox provider, including Yahoo, Gmail, and Aol. It’s not an optimal way of doing things, but there’s nothing inherently abusive about it, either.
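How a DMARC-checking receiver arrives at that rejection, as an added example that is not part of the original post: the record string and the ESP domain esp.example are constructed, and relaxed alignment is approximated by a parent/child suffix match instead of a Public Suffix List lookup.

```python
# Added illustration, not from the original post: simplified DMARC evaluation.
# The record text and esp.example are constructed sample values.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match. Relaxed ('r') needs the same
    organizational domain, approximated here by a parent/child suffix match
    (real receivers consult the Public Suffix List)."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def disposition(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return 'pass' if an authenticated identifier aligns with the From:
    domain, otherwise the policy the domain owner published (p=).
    spf_domain: envelope domain that passed SPF, or None.
    dkim_domain: d= domain of a valid DKIM signature, or None."""
    tags = parse_dmarc(record)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


RECORD = "v=DMARC1; p=reject"  # constructed sample record

# Small sender using business_name@yahoo.com through an ESP (esp.example):
# SPF and DKIM both pass, but for the ESP's domains, so neither aligns.
via_esp = disposition(RECORD, "yahoo.com", "bounce.esp.example", "esp.example")
# Same From: domain, authenticated by the domain owner itself.
direct = disposition(RECORD, "yahoo.com", "yahoo.com", "yahoo.com")
```

The ESP's mail authenticates perfectly well as the ESP; it is the mismatch with the From: domain that turns into a hard bounce once the policy is reject.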

I’m hoping that Yahoo will consider reversing the change – and soon! – as it is very likely to result in the inadvertent rejection of a lot of wanted mail. I’ll keep you posted.

Edit: Here are samples of bounces from different large ISPs that you can use to grep your own MTA logs:

smtp;550 5.2.0 mav01n00T5PRKmP0Fav191 Message rejected due to DMARC. Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001
smtp;550 5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's DMARC policy. Please contact administrator of yahoo.com domain if this was a legitimate mail. Please visit http://support.google.com/mail/answer/2451690 to learn about DMARC initiative. 100si2781324qgv.4 - gsmtp
smtp;550 5.7.1 DMARC failure for domain yahoo.com, policy reject
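One way to turn those samples into a log scan, as an added example that is not part of the original post: the patterns are derived only from the three bounce strings above, and the last log line is a constructed non-DMARC bounce included to show it is not counted.

```python
import re
from collections import Counter

# Added illustration, not from the original post. Patterns come from the
# three bounce samples quoted above; other receivers word theirs differently.
DMARC_BOUNCE = re.compile(r"\b5\d{2} 5\.\d+\.\d+ .*DMARC", re.IGNORECASE)
FROM_DOMAIN = re.compile(
    r"(?:email from|failure for domain)\s+([a-z0-9.-]+\.[a-z]{2,})",
    re.IGNORECASE)


def tally_dmarc_rejects(lines):
    """Count permanent (5xx) DMARC rejections per From: domain named in
    the bounce text; bounces that name no domain are counted as 'unknown'."""
    counts = Counter()
    for line in lines:
        if not DMARC_BOUNCE.search(line):
            continue  # not a DMARC rejection
        m = FROM_DOMAIN.search(line)
        counts[m.group(1).lower() if m else "unknown"] += 1
    return counts


# The first three entries are the samples from the post; the fourth is constructed.
SAMPLE_LOG = [
    "smtp;550 5.2.0 mav01n00T5PRKmP0Fav191 Message rejected due to DMARC. "
    "Please see http://postmaster.comcast.net/smtp-error-codes.php#DM000001",
    "smtp;550 5.7.1 Unauthenticated email from yahoo.com is not accepted due "
    "to domain's DMARC policy. Please contact administrator of yahoo.com "
    "domain if this was a legitimate mail. Please visit "
    "http://support.google.com/mail/answer/2451690 to learn about DMARC "
    "initiative. 100si2781324qgv.4 - gsmtp",
    "smtp;550 5.7.1 DMARC failure for domain yahoo.com, policy reject",
    "smtp;550 5.1.1 The email account that you tried to reach does not exist",
]

if __name__ == "__main__":
    for domain, n in tally_dmarc_rejects(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {domain}")
```

Grouping by the From: domain shows which customers' sending addresses are causing the bounces, which is what a deliverability team needs before contacting them.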

The ISPs’ Stupid Rules

A while back, I worked with a company that publishes a stable of well-established retail catalog brands. At the time, they’d just launched a new catalog to coincide with a holiday.

Unbeknownst to me, they had started mailing offers from the new catalog to recipients who had opted in to mail from one or more of their other catalog brands, with entirely predictable results.

M3AAWG Shows Senders Some Love

I’m a little late with this bit of news, but I hope readers will indulge me nonetheless.

Lots of great things happened at the most recent M3AAWG general meeting in San Francisco last month, particularly for the Senders’ Special Interest Group, which I co-chair with my friend and colleague Tara Natanson of Constant Contact.

For the first time, postmasters from all four of the major free inbox providers shared the stage to take questions on a range of anti-abuse and policy topics. Gmail selected a M3AAWG Senders session as the venue to announce the launch of their feedback loop program (which my team helped to beta test) and header unsubscribe link implementation. We had some outstanding email and data science presentations that drew overflow attendance. All of these are remarkable.

Updates to Gmail’s Inbox Ads

Once the initial furor over the appearance of Gmail’s new ads in the Promotions tab died down, the ads themselves seemed to die down, too. Until today, I hadn’t seen any of the new, email-like promotions appearing in my accounts for what must be at least two months. They were back this morning, and with a new and interesting change:

Gmail's reformatted inbox ads in the Promotions tab

The ads now feature a graphical element in the preview pane that wasn’t there before. One of the many complaints from senders and marketers about the ads when they were first introduced is that they too closely resembled actual e-mail, and were therefore an attempt to deceive recipients. Indeed, some marketers suggested in semi-private forums that Gmail should be sued for CAN SPAM violations in a class action (never minding that senders have no standing under the law).

Assessing ESP Liability Under The Canadian Spam Law

Andrew:

So, now that we know when CASL will become enforceable, the next question in the minds of companies who send bulk mail on behalf of other companies is, “What specific liability accrues to the ESP that is used to transmit an infringing message under CASL?” I explore some answers here – reblogged from March of 2010.

Originally posted on The Email Skinny:

Much analysis and guidance has been written about the new requirements (and significant penalties) imposed on senders of unsolicited e-mail by the Canadian Anti-Spam Law set to go into effect in the fall. What seems less thoroughly addressed to my non-lawyerly eyes is what specific liability is created by violations of CASL upon the ESP used by their clients to transmit the infringing commercial electronic message (CEM).

I put the question to Neil Schwartzman, a long-time colleague and Executive Director of CAUCE North America, one of the very earliest anti-spam advocacy groups and the primary driver of CASL through its storied journey across the Canadian legislative landscape. Neil recently left ReturnPath to start CASLconsulting.com, a firm offering expertise on CASL compliance. He and consulting legal counsel Shaun Brown of nNovation LLP respond:


The Ten Million Dollar Spam Law

Andrew:

Canada’s anti-spam law becomes enforceable on July 1st. Here’s a quick summary of what the law means for senders that I wrote just after the law was passed.

Originally posted on The Email Skinny:

Our neighbors to the north may be the last of the G8 countries to adopt an anti-spam law, but when it’s enacted later this year (as most analysts agree it will), Canada’s new law will be among the very strictest, creating penalties of up to 10-million Canadian dollars (or just under 9.87-million U.S. dollars) for businesses who send spam into or within Canada.

Bill C-28, dubbed the “Fighting Internet and Wireless Spam” Act (or “FISA”, for short) imposes new requirements on senders of just about every type of electronic messaging, including mandates that stretch well past the minimal requirements for e-mail under the U.S. CAN SPAM Act of 2003.

Under CAN SPAM, senders are required to abide by a series of labelling requirements, provide a working unsubscribe mechanism, and honor unsubscribe requests within ten business days. CAN SPAM, however, has never required that senders obtain prior consent from recipients. FISA requires…


Are the New Gmail Inbox Ads Subject to CAN SPAM?

The new tabbed Gmail interface and the new ads that come with it have ruffled the feathers of many marketers and senders for a variety of reasons. In the course of the discussion of those reasons arises an interesting question: are the new ads subject to CAN SPAM requirements?

Possibly: they are presented in the inbox in a manner that very much resembles all of the other e-mail messages you’d expect to find there. Recipients can interact with the ads using the same Gmail interface metaphors as any other e-mail message received in Gmail. Viewers can even forward, “Star” and dismiss the new ads.

Possibly not: they are not actually e-mail messages – they’re web-based advertisements formatted and presented in such a way as to closely resemble actual e-mail messages, but are otherwise very much like the ones Gmail users are accustomed to seeing to the right and above the inbox. There’s even some evidence to suggest that the new ads employ the same engine as the ordinary Gmail display ads to select and present those that Google deems a viewer is most likely to click.