It's kind of a bummer that small companies and home users can't send email through their own servers any more.
I have this idea for a "bonded email server". The idea is that smaller senders would pay a bond (say, $200) plus a small monthly fee to a bonding company, which has a trusted relationship with Google, Yahoo, Hotmail, etc. The bond ensures that you won't send spam through your mail servers and in exchange, the big hosts agree to whitelist the mail you're sending. After some period of time, you get your bond money back if you've been true to your word. You'd still pay your small monthly fee to the bonding company.
The database of "certified good" hosts could be maintained by means of DNS run by the bonding company.
The problem with the idea is that there's so little incentive for the big mail hosts to accept email from small senders. They'd much rather you use a Mailchimp for bulk sending and their own service (or one of their large competitors) for individual sending because they know that these are reliable partners.
I'll beg to differ. I've been running my own email for almost two decades and although the environment has changed, it is still perfectly accommodating of small operators that keep themselves up-to-date with context (e.g. dnswl listing, notifications to major recipients, signed headers, best practice DNS records etc etc).
I changed IP address in the last 18 months and despite great trepidation, was pleasantly surprised that deliverability was not degraded.
Paying a bond feels like protection money for something I think my domains/hosts already have: a good reputation.
So have I, and I have experienced mounting difficulties over the last couple of years, despite decent efforts to keep up with protocol and defense mechanisms. Delivery to gmail and hotmail/outlook accounts is becoming a game of chance.
I shall probably, with huge regret, hand over the delivery process to an external operator in the near future.
> Delivery to gmail and hotmail/outlook accounts is becoming a game of chance.
I haven't had any issues recently, but wonder... Are the failures still well-noticeable? I mean, when Gmail/Hotmail reject the letter - do they do it properly (SMTP 4xx/5xx rejection) or maybe they're now silently discarding it?
When I had the issues (even with large mail providers), my MTA had always generated me a bounce, and it had always contained something sensible and immediately useful - like a message that my DNS records got messed up or IP got in a blacklist. Every error message I saw contained links or clues to how the delivery problem could be resolved. Had this changed?
Dropping the connection with mere TCP RST (or whatever it is) is fine by me. Accepting the message, saying 200 and then not delivering it (not even to the "spam" folder) — that's what I feared.
We used to have issues sending password reset emails to users with Outlook hosted email - Outlook would return a 250 status code, then silently discard the email. It never turned up, not even in the spam filter.
Interesting. If you would write a blog post or a Show HN on this, I'd love to hear more. I ran my own servers for years but the spam arms race (as a recipient, not a sender) persuaded me to switch to using one of the big providers. I miss the flexibility and privacy of running my own email and if there's a way to do this without a bonded sender program, I'd love to see how it's done.
That was called "Bonded Spammer", from Ironport. They were trying to get ISPs to accept their whitelist.[1] (Ironport tried to call it "Bonded Sender", but nobody in anti-spam took that seriously.)
Ironport was selling mail filtering appliances. They also sold dedicated spamming engines that were whitelisted by the mail filtering appliances. This playing both sides of the street made them something of a joke, and they had to drop the spam engine business. They were eventually acquired by Cisco after that.
$200 is kinda expensive for a lot of people who may wish to self-host a personal email server, but also kinda too cheap for a spammer who may gladly pay that for improved deliverability.
Hm. I've run my own MTA since 2005 or so. I'm not much of a sender, but haven't had any spam/delivery issues (even though I had double bounce misconfiguration and hit a RDNSBL once).
Because lots of big companies are aware of it and do use it. Plus checks for it are written into Spamassassin.
So my point is, lots of anti-spam services check it, but few people sending mail make an attempt to get their server listed in there properly.
Mail servers get listed in there automatically, but if you go in there and vouch for your mailservers properly you'll get a more trusted ranking, which translates into a higher anti-spam ranking when checks are done.
It's strange to me that we need these gyrations to detect and thwart spam. I can detect spam with high accuracy based on nothing but the subject line and sender.
People keep repeating that. I not only run my own but I've helped other organizations do it, and if you have a clean IP range it's usually not a problem. No, you can't do it from your home DSL line, but that doesn't mean you can't do it.
Actually, I'd love a good SMTP service that had a good reputation, but most of what's out there is more bulk-mail oriented. I just want to own my own domain and send email but not be beholden to gmail nor deal with deliverability headaches.
Personally I find that services like Mailgun, Mandrill or SES work well enough for this purpose and are not particularly expensive if your volume per month isn't huge. On Mailgun for example you can send up to 10k emails per month for $0. And that's 10k emails that you can send on your own terms, not just in bulk.
That's just not correct. I run MTAs for many of my clients on their static IPs with no outbound issues. It sometimes takes a few days to settle into a new IP but that doesn't happen that often.
You could have it tied to the business registration like EV certificate. I wish that the yahoos and microsofts of this world would just treat mail from a business with an EV certificate as non-spam by default.
That might be a useful tactic but it would require a lot more work to implement than current/existing solutions...
Let's say a remote mail server connects to mine to deliver an e-mail purporting to be from example.com (your business, which has an EV SSL/TLS certificate for the example.com web site).
The first thing to be done is to somehow verify that the mail is legitimately being sent by the company. The best way we have to do this presently is via SPF and DKIM. We query DNS and the IP address of the remote mail server is listed in the TXT RR, so the SPF check passes. We query DNS for the key that the mail is DKIM-signed with, and that passes.
Now what? At minimum, we have to do another DNS query for the A RR for example.com, establish a TLS connection to example.com, retrieve the presented certificate, verify the certificate is valid (date, hostname match, etc.), verify the certificate is chained to a trusted root, and -- somehow -- check that the presented certificate is an EV cert. I don't know enough about EV certs to know if there's an easy, programmatic way to verify that a cert is EV vs. DV, etc., but let's assume that there is. There's also revocation/OCSP, etc., checks to be performed. And so on...
What you're proposing might work. That is, a company with an EV cert is probably unlikely to be sending out blatant spam, but I don't know of any existing tooling to do these types of checks. If it existed and were easily integrated, I would at least be willing to test it and see what the real-world results were (and it would be much more likely to become an acceptable tactic to use for distinguishing spam from non-spam). A plugin for amavis and/or SpamAssassin would probably go a long way towards making this happen.
All that said, do CAs publish lists of EV certs? It would be relatively easy to import a list of domains with valid EV certs and then say "if mail from one of these domains arrives with a valid DKIM signature, assume it is not spam".
I run a number of mail servers -- my own (for myself, friends, and family) and for my employer (an ISP/hosting provider) and just wanted to mention something.
If you are sending out "legitimate" bulk mail, one of the best things I think you could do is use one of these E-mail Service Providers that will use a dedicated IP address for your email. That is, all mail you -- and only you -- send via Mailchimp/SES/etc. will always be sent from IP address a.b.c.d.
Every day, I see many IPs belonging to these ESPs that end up blacklisted (either on public blacklists or our own, internal, automated blacklists). If you're using a service that sends out mail from multiple customers from a "shared" IP address, you WILL have delivery problems WHEN (not if) that IP address gets blacklisted or flagged.
I've managed and run my own servers for years, including mail servers. I've never run into any issues that so many others seem to when doing this, but I always make sure that I follow best practices and do things The Right Way(TM). This includes, nowadays, SPF, DKIM, DMARC, DNSWL, and so on.
We're fairly small and yet I can detect and put a stop to "spam outbreaks" quickly when they happen (such as when an e-mail user responds to a phishing e-mail, gives out their credentials, and their account is hijacked to send out spam), so these other providers (especially those who provide/specialize in e-mail services) certainly should be able to as well.
Hi, I'm the product manager on Postmark, and wanted to chime in with a bit more of our rationale for mostly using shared IPs. With our exclusive focus on transactional email and high deliverability, an existing reputation is extremely important. By using shared IPs customers can leverage our reputation, which we police and protect heavily. And since transactional email has better engagement overall, it increases our deliverability even more. Most senders don't need dedicated IPs since an IP with no reputation is worse, so we believe it's better for the majority of our customers and their deliverability to use shared IPs.
That said, there is a case to be made for very large senders to have their own IPs. We agree with that. Our point is mainly that the vast majority of senders don't need it, and should rather use the stellar reputation of our shared IPs to ensure good deliverability.
The rationale seems to be that shared IPs are cheaper for them (and the customer). It's also possible that Postmark doesn't have the capacity to operate a large number of dedicated IPs for individual customers.
Any large-scale sender for whom deliverability is critical should be using a dedicated IP. By virtue of hosting multiple customers, shared IPs appear to send more frequently, and any behavior on a shared IP resulting in a blacklist entry affects everyone else on that IP.
We're pretty aware of this problem at SendGrid. Even though we make every effort to cull bad senders from our shared pools, our enterprise senders nearly always prefer dedicated IPs, which let them build up a trusted reputation without interference from others.
If we only send a few hundred emails a month, but need every one to reach the customer's mailbox (transactional emails, not marketing emails), would you recommend a dedicated IP? How would I know if the dedicated IP has ever been/is blacklisted too?
We're using Mandrill, but we are looking at alternatives longer term.
If you're only sending a small amount of desirable transactional email, you're the perfect model of a good sender and your blacklist risk will be vanishingly low. Sending from a shared IP will still expose you to the behavior of the other customers using it (like a VPS, you'll have neighbors). We actively police our shared IPs for bad sender behavior.
Dedicated IP packages won't be affected by the sending habits of other users. They are more cost-efficient for high-volume senders, but we do have dedicated IP tiers starting at the $80/mo. mark, which allows up to 100k mails a month.
With either option, we're always happy to work with you if you're having deliverability issues - and that includes checking IPs for blacklist status.
Postmark App has been very effective for our platform. Very little gets flagged and they have an easy way for users to "appeal" and have their emails approved. The only thing (good and bad) is that if a vendor erroneously flags our emails to our provider team as spam, Postmark won't even attempt to deliver it. It's a hard no. So, we have to have an email sent from that address to Postmark to (in essence) re-subscribe/verify that they want the emails to come through. This happens even though people aren't manually flagging them as spam; it's something Y!, Gmail, Hotmail, etc. are doing on the back end.
I think they present a reasonable argument (and their methods obviously work for them), but I don't agree with them 100%.
They present several arguments both for and against dedicated IPs. From my own experiences, I don't believe that the "cons" outweigh the "pros".
FTA:
> By offering a dedicated IP for the majority of customers the ESP is basically saying “You do what you want, if you get blocked it’s your fault.” It also places a lot of heavy lifting on the customer, which defeats the purpose of paying for an infrastructure product in the first place.
No, by offering a dedicated IP the ESP is saying, "I don't want ONE customer to ruin things for all other customers". It doesn't mean you can be careless or not take basic safeguards. It means that any "fallout" is contained and collateral damage is minimized.
> In addition to this, new dedicated IPs are just as bad as IP addresses with a bad reputation, since it has no reputation at all.
I'm not sure that's the case. Anecdotally, I've brought up additional mail servers at times and put them into service without doing any "warming up" and not run into issues. My servers aren't sending out any bulk mail, however, so perhaps this is why it hasn't been an issue.
> The other misconception with dedicated IP addresses is that each one is completely independent. For instance, if one customer gets blocked, all other IPs are fine, right? Wrong. ISPs and blacklists will monitor entire IP ranges and domains. If one IP causes enough problems, traffic from the entire subnet or domain could be blocked.
Yeah, some of the RBLs as well as myself sometimes block ranges. That typically only happens when there are $bignum IPs in that range that have already been blocked. Pretty much everyone blocks individual IPs at first. If it happens that, for example, I end up blacklisting 15 IPs out of a /24 (allocated to somewhere in China, perhaps) then yes, I'll often just list the whole /24 instead. That's not the first step, however.
> The final reason, and this one is important, is that ISPs are starting to place a lot of weight on domain reputation, not just IP reputation. My guess is that over time IP reputation will slowly fade away while more weight is given to domain reputation along with authentication standards like DKIM.
I certainly agree that domain reputation is becoming more important. It's not an "either or", however. While the reputation of the sending domain (assuming valid DKIM signatures) is certainly one factor to consider, IP reputation isn't going away any time soon. Domain reputation is just an additional attribute that will be considered when making the "spam/not spam" decision.
One certainly shouldn't use IP reputation, in isolation, to make that "spam/not spam" decision but as just one variable in the whole formula. The first time I blacklist an IP, it's automatically removed after 12 hours. Shit happens sometimes, even with many protective measures in place. Every subsequent time a "repeat offender" gets listed, however, the length of time it remains listed grows until, eventually, it just stays on the list. In addition, as mentioned above, ranges sometimes get listed as well. A quick glance shows that the largest netblock I've listed is a /12, as well as a handful of /15s and /16s, but those are exceptions. The overwhelming majority (of ranges) are /24s or smaller.
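The listing policy described in the comment above (a first listing that expires after 12 hours, longer listings for repeat offenders until one becomes permanent, and a whole /24 listed once 15 of its addresses are blocked), sketched as an added example that is not part of the original thread or the commenter's own code. The growth factor, the point at which a listing becomes permanent, and the non-expiring range listing are assumptions; the class and function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

FIRST_LISTING_HOURS = 12   # from the comment: a first listing expires after 12 hours
GROWTH_FACTOR = 4          # assumption: each repeat listing lasts 4x longer
PERMANENT_AFTER = 5        # assumption: the 5th listing never expires
RANGE_THRESHOLD = 15       # from the comment's example: 15 listed IPs in one /24
RANGE_PREFIX = 24          # IPv4 only; IPv6 addresses are listed individually


class EscalatingBlocklist:
    """Hypothetical in-memory blocklist; time is a plain number of hours."""

    def __init__(self):
        self.offences = defaultdict(int)  # address -> times listed so far
        self.expiry = {}                  # address -> expiry hour, None = permanent
        self.ranges = set()               # whole networks listed after aggregation

    @staticmethod
    def listing_hours(count):
        """Duration of the count-th listing, or None once it becomes permanent."""
        if count >= PERMANENT_AFTER:
            return None
        return FIRST_LISTING_HOURS * GROWTH_FACTOR ** (count - 1)

    def _active(self, addr, now):
        if addr not in self.expiry:
            return False
        expires = self.expiry[addr]
        return expires is None or now < expires

    def report(self, ip, now):
        """Record one spam event from ip; return the listing length in hours."""
        addr = ipaddress.ip_address(ip)
        self.offences[addr] += 1
        hours = self.listing_hours(self.offences[addr])
        self.expiry[addr] = None if hours is None else now + hours
        if addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/{RANGE_PREFIX}", strict=False)
            listed = sum(1 for a in self.expiry if a in net and self._active(a, now))
            if listed >= RANGE_THRESHOLD:
                self.ranges.add(net)  # assumption: range listings do not expire
        return hours

    def is_listed(self, ip, now):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ranges) or self._active(addr, now)


def demo():
    """Constructed events using documentation address ranges (RFC 5737)."""
    bl = EscalatingBlocklist()
    durations = [bl.report("192.0.2.10", now=t) for t in (0, 20, 100, 400, 2000)]
    for host in range(1, 16):  # 15 distinct senders in 198.51.100.0/24
        bl.report(f"198.51.100.{host}", now=0)
    return durations, bl.is_listed("198.51.100.200", now=0)


if __name__ == "__main__":
    print(demo())
```
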
Considering that Mailchimp is one of the big names in the business I don't think this is submarine PR (although the article is good PR for Mailchimp). Do you assume every article about a Google or Microsoft product is submarine PR?
[I am not in any way affiliated with Mailchimp, and don't even use their services. We use Amazon SES]
I work for a large ESP. The main reason this doesn't help is that spammers are happy to sign up and use stolen credit cards to pay any fee. You can't dissuade them with monetary cost.
So in Gmail's case, Gmail does cache the image. But.. every email goes out with a slightly different open graphic URL, and Gmail only fetches the image when the user actually opens the email, so the open is still tracked. Further opens by the same user are not tracked, however.
The reputation scoring has arisen by necessity (not drowning in spam), but it does feel like a much less open internet when anybody can't set up their own (truly functional) email server.
I occasionally receive spam via MC, which I then forward to MC's abuse desk along with a polite note. Every time they have responded quickly and effectively. (Don't forget to tell them that their efforts are appreciated - they do a hard job, and they like attaboys.)
It's why I don't blacklist MC; in my experience they are trustworthy, and bulk mail does have limited, legitimate use.
Resemble: have qualities or features, especially those of appearance, in common with (someone or something); look or seem like: some people resemble their dogs | they seemed to resemble each other closely.
Resent: feel bitterness or indignation at (a circumstance, action, or person): she resented the fact that I had children.
I think the second one fits better, you resent that the parent poster called MailChimp "spam"
The article covers the fact that while you can in a literal sense set up your own mail server, the mechanisms used internet wide to curb spam (the reputation systems) will penalize you for doing so as compared to using an ESP like Mailchimp.
I read the article. It depends on your use case but you most certainly can successfully run your own small mail server with your own domain. I've done it for many years without issue.
It's the other side of the same 'openness' coin. You can choose to set up your own mail server. You can choose not to deliver email from other mail servers if you want.
AWS SES is equivalent in terms of delivery compared to Mailchimp at least in my tests of both services. I couldn't see a difference. AWS SES is 10x cheaper or more than MailChimp though.
MailChimp does have a nice WYSIWYG editor that SES is missing. But I can not justify paying many thousands a year extra just for a nice WYSIWYG editor.
We tried SES first, but despite doing all the required stuff (SPF, DKIM), our delivery was very poor, especially to corporate emails. Used Mandrill and it's better now. Although, the biggest benefit we saw was switching to text-only emails. That improved delivery on several corporate networks.
For a nice compromise - much cheaper per-mail costs with a WYSIWYG editor, give SendGrid a shot. I'd say we occupy the middle ground between the historically marketing-focused MailChimp and the no-frills (not very marketer friendly) Amazon SES.
Disclosure: I'm an engineer there. Let me know if you have questions.
Mailchimp's a lot more than the editor, though. Comparing it to SES is comparing apples to oranges. Mailchimp's now-neutered offering Mandrill is more akin to SES. Until recently it was quite comparable to SES in pricing and still more fully featured.
We use Sendy (using Amazon SES) to send email newsletters for some of our clients. Recently, recipients have been complaining that newsletters are landing in their spam.
Does anyone have any experience with deliverability, comparing Amazon SES to something like Mailchimp? Are the deliverability rates of Mailchimp really that much better?
I mentioned briefly in an earlier comment on our experience using SES vs Mailchimp/Mandrill.
Our emails sent through SES often ended up in people's spam folder despite doing the requisite verifications (SPF, DKIM).
We switched to Mandrill and noticed significant improvements. We don't send a lot of emails, but for transactional emails, it's important those are delivered.
Sending emails without images, in plain text, also does improve delivery especially to corporate emails.
We were exploring dedicated IPs, but those require warming up, so frankly we don't send many emails.
Love to hear any other advice for improving email delivery.
I don't know how SES works. Some of the other providers lump groups of users together. If you get in a group with spammers, your sending server gets tarnished. You can usually email support and get moved to a different group.
Not sure if SES offers this. The other guys will. That alone could be reason to try it out? Shouldn't be hard to with gateways for 1 blast and see how it performs.
Indeed, I see connection attempts every day from mail servers on SES, Mailchimp, Sendgrid, etc., that are blacklisted. That mail will never get delivered to my customers, even if it's 100% legitimately non-spam.
Talking about deliverability, I've got a gmail contact whom I've been mailing for 10+ years, almost daily using my gmail account. One day that person mistakenly marked a single email as spam (instead of clicking delete). From then on, all my future emails to that person started going to spam for a month before we realized what was happening.
Spam filters are so aggressive & dumb that they can't filter out a false spam report. Moreover, if I've explicitly added a contact to my address book & that contact has done the same for me, and we've been mailing for 10+ years, almost daily, often multiple times a day, then it's really annoying & unexpected for our email to end up in spam.
Hate spammers who've made a simple communication so complex for everyone.
This article reads like a product brief and skims over several important aspects very lightly.
TL;DR of this comment: Mass email is almost a lost cause, and even MailChimp cannot really help everyone because of the players in email platforms.
I have a very limited experience where I tried MailChimp for a small set of committed people (about 100) who had voluntarily given their email addresses for receiving notifications for a specific purpose. It didn't really work for the first (and important) email and we had to resort to just mailing people in BCC and hoping they'd receive it. The content was also reviewed a few times to make sure it didn't look like a spammy email.
There were multiple problems, and I didn't know (and there was no way to know) if the problems were on MailChimp's side or Gmail or both. Worse, there is no way to help oneself in such situations to increase the email delivery rate.
1. On follow up, several recipients said that they didn't even receive the mail. It wasn't in the spam folder or the "Promotions" folder of Gmail either. MailChimp's statistics didn't indicate any delivery issues or that it wouldn't deliver them (am not referring to the mail opening click tracking/beacon tracking). It showed all of them as sent.
2. Gmail by default seems to classify emails as promotions when they come from Mailchimp or other providers. This means, for all practical purposes, the emails are invisible to people using the web interface. People aren't used to checking anything other than the inbox there and ignore that increasing count of unread mails in promotions.
3. For most people who now check emails on mobile devices, they do not look at the spam folder at all. With every person having multiple email addresses, they seem to have a list of inboxes they look through and act. All the other folders in every mailbox are ignored. So any email that goes into spam is more likely to be missed, and later gone forever after the limited retention period of the providers.
4. Though email is the only (?) federated, widely and easily available communication platform, providers like Gmail have cornered the market and dictate with a very heavy hand what ought to be delivered and what oughtn't. At least in my case, I may have had better luck using Google Groups instead of trying MailChimp just for the templates, personalization and all the nice features that can never trump emails being delivered to the recipients. But even that may not have worked.
5. In my observation, Gmail doesn't trust users sending mails to multiple people and likely doesn't deliver mails or puts them in the spam folders. I can't imagine that at its scale, Google seems incompetent in differentiating one person, using Gmail from a specific location boundary (IP address range, browser, OS) for quite some time who wants to send a mail to several people, from spammers and bots. It ends up punishing everybody.
To MailChimp's credit, the free tier is generous for people with very low to moderate frequency and subscriber needs. MailChimp's website has a lot of useful information on email campaigns.
Overall, mass email of any kind is fraught with more problems in getting the message to others than other media like the walled garden variety of chat and social media platforms. I wouldn't rely on MailChimp or any other platform for anything that needs time bound and reliable delivery. You might as well collect people's phone numbers and call them instead.
People have been foolishly saying for a long time that "email is dead" every time they see a new social network or a chat platform, but I'd say that "mass email is dead" for most people (personal emails, small businesses, organizations and small communities) without them even knowing what went wrong or what they could do to change things.