A bunch of them are still active, but there’s a good dozen or so that haven’t been updated in months. I realize I’m getting most of my current news from Twitter (or, Facebook) not from my actual RSS feeds.

So what email / marketing / delivery / internet security related blogs are people reading these days? What should I add to my list to keep up to date on the pulse of the email industry?

Apparently, some time back in 2002 someone opted in an address that didn’t belong to them to a marketing database. It may have been a hard to read scribble that was misread when the data was scanned (or typed) into the database. It could be that the person didn’t actually know their email address. There are a lot of ways spamtraps can end up on lists that don’t involve malice on the part of the sender.

But I can’t help thinking that mailing an address for 10 years, where the person has never ever responded might be a sign that the address isn’t valid. Or that the recipient might not want what you’re selling or, is not actually a potential customer.

I wrote a few weeks back about the difference between delivery and marketing. That has sparked conversations, including one where I discovered there are a lot of marketers out there that loathe and despise delivery people. But it’s delivery people who understand that not every email address is a potential purchaser. Our job is to make sure that mail to non-existent “customers” doesn’t stop mail from actually getting to actual potential customers.

Email doesn’t have an equivalent of “occupant” or “resident.” Email marketers need to pay attention to their data quality and hygiene. In the snail mail world, that isn’t true. My parents still get marketing mail addressed to me, and I’ve not lived in that house for 20+ years. Sure, it’s possible an 18 year old interested in virginia slims might move into that house at some point, and maybe that 20 years of marketing will pay off. It only costs a few cents to keep that address on their list and the potential return is there.

In email, though, sending mail to addresses that don’t have a real recipient there has the potential to hurt delivery to all other recipients on your list. Is one or two bad addresses going to be the difference between blocked and inbox? No, but the more abandoned addresses and non-existent recipients on a list there are on a list, the more likely filters will decide the mail isn’t really important or wanted.

The cost of keeping that address, one that will never, ever convert on a list may mean losing access to the inbox of actual, real, converting customers.

Well, that got someone’s attention. The person managing their twitter account tweeted at me with an email address and a suggestion to send him my address so he could take care of it. I sent the mail as asked and even got a reply.

Unfortunately, the reply was “I clicked the unsubscribe link at the bottom of the message for you.”

I dunno, maybe his mouse is a magic mouse and, somehow, the click from that magic mouse will be more effective than a click from my not-magic mouse. I’m not holding out much hope, though. I have no doubt that my sales address will keep getting invited to raves in London long after I retire.

DMARC is working on a standard to allow senders to publish sending policies and receivers to act on those policies. Currently, senders who want receivers to not deliver unauthenticated email have to negotiate private agreements with the ISPs to make that happen. This is a way to expand the existing programs. Without a published standard, the overhead in managing individual agreements would quickly become prohibitive.

It is an anti-phishing technique built on top of current authentication processes. This is the “next step” in the process and one that most people involved in the authentication process were anticipating and planning for. I’m glad to see so many big players participating.

I disagree. Appending, and other non-permission based sending cause a lot of costs to trickle down on the ESP. Many of the large ESPs have teams of 8 or 10 people working to manage delivery, deal with blocks and keep the mail flowing. In fact, I once had a client say “We want to be as clean as ExactTarget” only to choke when I told them how many people are on the compliance and delivery team at ET.

That’s not even looking at the cost of a SBL listing. One company estimated the cost of a slightly less than 24 hour block at over $1,000,000 in lost opportunity costs and in actual staff costs to deal with the listing. I know of one Fortune 20 company who had to re-engineer their entire customer and prospect databases due to a blocklist. And, yeah, that one was actually due to an append. They did an append and the append not only added a “new” address to a record where the person had previously opted out, but that person worked at a major spam filtering company. They experienced a whole world of very expensive pain.

Many ESPs are actually making a sound business decision by refusing to deal with non-permission mail, whether it be a purchased list or an appended list. The sender does not have permission to send to the addresses. That causes all sorts of delivery problems, which costs the ESPs lots of money and staff time to deal with. Most marketers won’t actually pay for the resources they use when appending or buying lists. Then they blame the ESP when their mail ends up in the bulk folder or is blocked outright.

I don’t think many marketers fully integrate the cost of dealing with a poor list into their decisions. My tweet from earlier today “If you have to “ignore all the costs associated with complaints” to find a positive ROI on opt-out mail, is there really a positive ROI? is a paraphrase of one of the things I heard.

ESPs can’t avoid those costs, they’re stuck with them. Lowering those costs by requiring senders to only send to recipients who have given permission is a smart business decision. Marketers don’t pay those costs, but if they even acknowledged them I suspect that there would be a whole lot less sloppy email marketing.

This first post is about IP address reputation with some background on why IPs are so important and why ISPs focus so heavily on the sending IP.

Why IP addresses?

ISPs built reputation around IP addresses because it was one bit of data that malicious senders / spammers couldn’t forge. The connecting IP is a fundamental part of the network transaction and if you forge an IP then SMTP can’t work. Because that was the reliable data they had to work with, that’s what they used. Even now, when there are other kinds of data, the IP address is still the first thing the receiving MTA sees.

What is IP reputation?

IP reputation can best be summed up as “past performance is an indicator of future results.” In other words if recipients responded well to mail from an IP address in the past, then they’re likely to respond well to new mail from that IP address.

How is IP reputation measured?

While each spam filtering company and ISP have their own ways of calculating the reputation of an IP address, there are some similarities in what they measure.

• How many non-existent email addresses is this IP attempting to deliver to?
• How many abandoned email addresses is this IP attempting to deliver to?
• How many “known bad” email addresses (spamtraps) is this IP attempting to deliver to?
• How many recipients complain about receiving this mail?
• How many recipients complain about not receiving this mail?
• How respectful of my resources is this IP?
• Does this IP keep connections open for long periods of time?
• Does this IP retry deliveries too aggressively?
• Does this IP stop mailing addresses after receiving a “user unknown” message?
• Is this IP address configured as if the associated machine was infected by a virus?
• Is this IP address listed on blocklists we use?

That is by no means an exhaustive list of what ISPs measure. If they can measure it they’ve tried. If the measurement helps them separate spam mail from not-spam mail then they’re using it.

How fast does IP reputation change?

IP reputation is often measured over multiple time periods. ISPs can look at a 1 day, 7 day, 30 day and 90 day reputation. A good analogy is stock prices. Prices can be very volatile in the short term, but more consistent over the long term. A single bad day, where one or more reputation measurements go bad, may affect delivery that day or the next day but won’t damage an overall good reputation. Likewise, a few days of improved mail may not be sufficient to counter months of poor reputation.

How is IP reputation used?

Mail from IPs with a high reputation is accepted faster and at a higher rate than mail from IPs with a lower or unknown reputation.  IP reputation can also influence whether mail is delivered to the inbox or the bulk folder.

Key IP Reputation takeaways

• IP reputation is about how recipients react to mail from that IP. Happy, content recipients turn into good delivery.
• Brief changes (for good or bad) don’t necessarily ruin delivery over the long term.
• Steady improvements will result in improved reputation.
• It may takes as much time to change a reputation in one direction or another as it took to establish the reputation in the first place.

Next we’ll look at content reputation, how it’s measured and used.

EDIT: A version of this information is available at the Word to the Wise wiki

EDIT: This post was also shared at CircleID

Yes, there are APIs that can be queried at some of the larger ISPs to identify if an account name is taken, but this doesn’t mean that there is an associated email address. Yes, senders can do a real time SMTP transaction, but ISPs are quick to block SMTP transactions that quit before DATA.

I decided to check out one service to see how accurate it was. I’m somewhat lucky in that I created a username at Yahoo Groups over a dozen years ago but never activated the associated email address. This means that the account is shown as taken and no one else can register that address at Yahoo. But the address doesn’t accept any mail.

The address verification for Yahoo addresses

There is a service that offers real time verification and allows potential customers to check an address on their website. I plugged my Yahoo address into their text box. They verified it as active and connected to all networks. Just to make sure I checked my existing Yahoo address as well, and that shows the same: connected to active online networks.

I next sent an email to both Yahoo accounts. Yahoo accepted mail to my working account but bounced mail to the Yahoo Groups only account.

Final-Recipient: rfc822; biskybabe@yahoo.com
Original-Recipient: rfc822;biskybabe@yahoo.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta5.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd This user doesn't
   have a yahoo.com account (biskybabe@yahoo.com) [-5] -
   mta1289.mail.ac4.yahoo.com

This tells me that for Yahoo addresses, Briteverify is using some sort of API call to identify whether or not an account name is taken. But just because an account name is taken doesn’t specifically mean that an account is a valid email address. It’s probably better than no verification, but usage of all real time verification isn’t going to help in all cases.

What about email accounts that don’t provide an API or a way to check the validity of an account? In that case it appears that they are using an aborted SMTP transaction. we tested

Jan 24 15:20:00 misc postfix/smtpd[28917]: connect from
   smtpout9.briteverify.com[107.20.232.98]
Jan 24 15:20:01 misc postfix/smtpd[28917]: NOQUEUE: reject:
   RCPT from smtpout9.briteverify.com[107.20.232.98]: 550 5.1.1
   <mu/er9w9kmbyg+s5uehqdxqe@blighty.com>: Recipient
   address rejected: User unknown in virtual alias table;
   from=<admin@origindata.com>
   to=<mu/er9w9kmbyg+s5uehqdxqe@blighty.com>
   proto=SMTP helo=<emailver.briteleads.com>
Jan 24 15:20:01 misc postfix/smtpd[28917]: lost connection after
   RCPT from smtpout9.briteverify.com[107.20.232.98]
Jan 24 15:20:01 misc postfix/smtpd[28917]: disconnect from
   smtpout9.briteverify.com[107.20.232.98]
Jan 24 15:20:01 misc postfix/smtpd[28915]: connect from
   smtpout7.briteverify.com[184.73.155.120]
Jan 24 15:20:01 misc postfix/smtpd[28915]: NOQUEUE: reject:
   RCPT from smtpout7.briteverify.com[184.73.155.120]: 550 5.1.1
   <aardvark@blighty.com>: Recipient address rejected: User
   unknown in virtual alias table; from=<admin@origindata.com>
   to=<aardvark@blighty.com> proto=SMTP
   helo=<emailver.briteleads.com>
Jan 24 15:20:01 misc postfix/smtpd[28915]: lost connection after
   RCPT from smtpout7.briteverify.com[184.73.155.120]
Jan 24 15:20:01 misc postfix/smtpd[28915]: disconnect from
   smtpout7.briteverify.com[184.73.155.120]

The verification service did correctly identify both addresses as invalid. However, this is exactly the kind of SMTP behaviour that is blocked by many places.

Real time address verification for 100% of addresses is incredibly difficult. As I demonstrated above, their use of testing APIs makes the assumption that everyone with a login at Yahoo (or google or other places) has an email address, but this isn’t necessarily true.

There are other assumptions that realtime address verification makes.

1. No one ever typos the left hand side of their email address into an address of another user at the site. This isn’t true, for instance, I entered a common typo of my email address into the form and the service verified it as accurate. It probably is a valid, deliverable account but that doesn’t mean that it’s a good address.
2. Spamtraps are always undeliverable addresses. This is not true and the above form did verify a spamtrap address that a friendly blocklist admin checked for me.
3. No one typos the right hand side of an address to a valid domain. This is not true. For instance, I know a number of spamtrap domains used by Trend Micro. The form validates addresses there and tells me I’m good to send.

I’m not trying to knock the real time address verification services, I think what they’re attempting to do is good. I think the glossy marketing, though, will lead senders into a false sense of security. Just because a 3rd party service tells you an address is deliverable, doesn’t mean that the address is deliverable or that the address is safe to mail.

I do think potential verification customers deserve to understand how the services work so that they can make good decisions about purchasing those services.