Best Practices – DELIVERY COUNTS

Haunted by phantom clicks?

October 26, 2018October 26, 2018 Brad

30934456975_ffeba8fb7e_b With Halloween just around the corner, it’s common to see all sorts of scary surprises pop up in your home, neighborhood, or even workplace. But over the past few months, an increasing number of senders have been experiencing a more sinister surprise in their email metrics: phantom clicks.

What are phantom clicks, exactly? They go by various names – some in the industry call them “URL checks during the SMTP transaction,” while many senders refer to them as “bot clicks” or “link crawlers.” All of these terms are used to refer to clicks that are made not by a person, but by an automated anti-abuse system before the mail is delivered. When these systems receive a message, they will follow one, some, or all of the links in the message to determine their target. These checks are designed to ensure redirects are not being abused by spammers and scammers to hide the true destination of their links.

If you track clicks via ESP link tracking or another analytics solution, this can cause your metrics to indicate a recipient clicked in your email even if they never did. And even worse, these phantom clicks can activate ‘single-use’ links like one-click unsubscribes or opt-in confirmations. Many senders have reported contacts being unsubscribed because of this type of link checking.

When a message is sent to a recipient using these services, the system makes a determination whether or not to check the links in the message. Depending on that decision and on the specifics of the service, they will check either certain links, all links, or no links in the given message. But how do they decide? As with most filtering algorithms, the specific methods are proprietary and well-guarded. Even so, there are a few practices and factors that are more likely to cause your links to be validated:

Multiple levels of link redirects. Are you using your ESP’s tracking link along with a separate analytics redirect? You’re likely to be targeted for link validation. Limit your link tracking to a single redirect if you must.
Single-use or encoded URLs. Links that are recipient-specific or otherwise unique from the other URLs in the message can be a red flag as well. If your links are encoded, the filter may see each link as a separate domain and therefore suspicious. Disable link encoding and avoid links that perform an action with a single click if possible.
Domains with poor reputations. This one can be tricky if you are linking to third-party websites. If the target of your link is a site that is known to be referenced in a lot of spam messages or has a poor web reputation, filters are likely to follow the link. If it’s your own domain that has a poor reputation, you’ll continue to see these issues until you resolve that. Otherwise, keep your links to third-party sites to a minimum.
(Our Resources page can help if you need to check the reputation of a domain.)
Misaligned domains. The more different domains linked your message (including the header), the more suspect your message appears. When possible, ensure your message’s return-path, mail from, and link tracking domains are all the same. If you use an ESP, many allow a ‘whitelabel’ option that allows you to make this happen with only a few DNS changes on your end.

This is by no means an exhaustive list – hundreds of factors come into play for each decision made by these systems – but following these guidelines should help minimize your chances of sighting these phantom clicks.

– BG

Fact or Fiction: Can you REALLY clean spam traps from your email list?

October 27, 2017October 26, 2017 Brad

320px-busted_in_rust Earlier this month I spent a week in sunny Toronto for the Fall M³AAWG meeting, featuring a variety of sessions and conversations around all things anti-abuse. At any industry event like this, spam traps are usually a popular topic of discussion (check out this post for a primer on spam traps and why they matter). Senders want to know how to avoid or get rid of them, while many blacklist operators consider them a necessary evil to help identify poor sending practices. One of the most hotly-debated questions regarding spam traps surrounds how to remove them from your list. Many senders and solution vendors claim to be able to identify and remove spam traps, while trap operators go to great lengths to keep their traps anonymous. Let’s look at a couple of the most commonly-cited ways of identifying spam traps and how effective they really are.

List Validation & Hygiene Vendors

As mailbox providers have made it harder to reach the inbox, list hygiene services have become a booming segment of the industry. While some employ dubious methods, even prompting a warning from Spamhaus, there are a number of services that are considered reputable and are commonly used by legitimate marketers and even ESPs. For our discussion, let’s focus on these more reputable vendors.

As a basic rule, list validation services will take your file of contacts and provide a grade or score for each record. The data will indicate whether the email address is confirmed valid, confirmed invalid, or somewhere in between. Most of these vendors claim (some more prominently than others) to be able to identify spam trap addresses. Therefore, if you believe or know you have traps in your list, you should be able to purchase these services and solve your problem, right?

Not so fast, hot shot. Spam traps are secret by nature – if you know an address is a spam trap, then it has lost its effectiveness. As a result, trap operators make efforts to ensure traps are not identified by any outside party, including validation services. The traps identified by these services may have been actively used in the past, but at this point have likely been abandoned by their operator. Even those traps that are still in use would represent only a fraction of the spam traps that exist in the wild. So you may clean a few traps off your list, but you’re not going to solve any major spam trap issues using one of these services.

Effectiveness grade: F

Segmentation and isolation

Over the years I’ve run across many senders (and even some vendors) who believe that identifying spam traps in your list is as simple as pinpointing the time of the trap hits and/or the affected message(s) and/or the group that contains the traps. These senders will often slice up affected lists, sending to smaller and smaller segments of contacts until they have isolated a very small number of records that are, or may be, traps. They can then remove these bad apples from the list and go on sending willy-nilly to the rest of the recipients.

In reality, there are a couple of problems with this approach. First, most trap operators or blacklist admins aren’t going to provide you with the type of data that is required for this process. If you are considered a relatively trustworthy sender, you might get very limited data about trap hits – a date or a subject line, perhaps – but this is almost always just a sample of the full data set. If you get details on a single trap hit, there are likely 10 or 20 or 100 more hits that you can’t see. Trying to narrow down your list based on incomplete data is not likely to generate accurate results.

Effectiveness grade: D

Nullification

Similar to the previous method, this process involves using data provided by the trap operator to isolate and remove affected recipients. This is most often implemented by senders who use highly targeted segments and who may be sending to only a few dozen or hundred recipients at a time. Because of the small segment size, the sender often finds it more appealing to simply remove the entire list that was targeted on the specific day or with the specific message identified as hitting traps.

While removing the entire recipient list could be a slightly more effective solution, this method suffers from the same deficiency as the last: lack of data. This method is only effective if the trap operator provides the full list of trap hits with timestamps – which is extremely unlikely. So even if you suppress the list of recipients called out for one hit, you are likely to be missing the lists that contain additional traps. .

Effectiveness grade: C-

As you can see, none of these methods are especially effective at resolving spam trap issues, and it’s for a simple reason: they address the symptoms (spam traps) instead of the underlying problem (poor list acquisition or hygiene practices). Many trap operators will recommend reconfirming your contact database, the only truly effective method to remove spam traps from your database. However, you’re likely to lose some valid recipients in the process so most senders will only do this as a last resort. We’ve found that a better solution is a hybrid approach that includes both engagement and confirmation elements.

Engagement-based list cleanup

One fact we know about spam traps is that they don’t open email (with very few exceptions). As such, excluding recent openers and clickers from your confirmation efforts will help minimize potential losses to your list. Once you’ve identified those recipients who haven’t engaged in the past 6-12 months, you can temporarily suppress them from further mailings, then send them a confirmation request. Those who engage with the confirmation request can be returned to your active mailing list, and the rest should remain suppressed.

Effectiveness grade: A

It’s nearly impossible to isolate and remove spam traps from your database, so it’s best to stop them from getting there in the first place. Getting clear permission for all new recipients and using an engagement-based list hygiene process can all but eliminate the risk of spam traps in your list and make sure you never need to put these methods to the test.

– BG

Best Practices, Delivery Essentials

Zombies are everywhere…including your member database

September 21, 2017September 21, 2017 Brad

WARNING: PLEASE DO NOT FEED THE ZOMBIES Yesterday morning I received a bit of a surprise in the form of an email from Tumblr congratulating me on the 9th “birthday” of my blog. I checked and it seems I last posted on Tumblr just over 3 years ago…and only three times ever. In March 2013, I posted a photo from a photo sharing app called Streamzoo – an Instagram alternative that, apparently, wasn’t a good enough alternative and shuttered in 2014. In 2012 I posted a photo from Instagram, but from an account that no longer exists (it was deleted among the wave of privacy concerns about Instagram around that time.)

The fact that I got this notification is a good thing, as it means I’m still using the email address I used to create the Tumblr account – but what about all those accounts I created with previous addresses?

As I dug through websites I hadn’t thought of in years – MySpace, LiveJournal, even Angelfire! – it brought to mind a common issue for the association groups I work with: zombie members. While the use of zombie imagery in reference to old email addresses and web accounts isn’t new, paying attention to those undead records is more relevant than ever for organizations whose email program relies heavily on membership rolls.

Too often when troubleshooting delivery issues, membership organizations completely exclude their active member list from any sort of list hygiene initiatives. The reasoning makes sense on the surface: if someone is an active (often paying!) member of your organization, clearly they want your emails, right? Unfortunately, that often doesn’t take into account some of your most loyal members.

It’s an oft-quoted statistic that 20-30% of email account owners change their email address each year, often due to a change in internet provider or employer. Over the course of 5 years, that equates to a greater than 1 in 3 chance a recipient has changed their email address – but did they tell you? How would you know?

Let’s talk through some of the most common assumptions used to justify why an email address shouldn’t be subject to list hygiene practices and how they can lead to trouble.

1. “They logged into our website.”

This seems like a slam dunk: your website uses email address as username, and the member had to log into their account to renew (or you can see a record of their login.) That definitely means the address is good, right? Nope. Every web browser since Netscape Navigator (and probably before) has been able to save login information so you don’t have to remember those pesky passwords. If members aren’t required to confirm their email address regularly, they have little incentive to change their username (assuming they even realize they’re using the old address).

2. “They attended a conference.”

Like logging into your site, this is a great sign they’re engaged with your organization, but not necessarily with your emails. If the registration for the event took place on your org’s website (that same one with the saved password, above), attendees may be using the same saved information to register. It may seem unlikely, but I’ve worked with many orgs who were unpleasantly surprised by the number of recent event registrants whose information was out of date.

3. “CAN-SPAM says we can send to members no matter what.”

It is true that CAN-SPAM has an exemption for messages deemed to be pertaining to a transaction or ongoing relationship. The FTC has issued some guidelines around this, but there’s still quite a bit of grey area. Sending a message announcing conference registration to your members? Maybe a promotion for a Continuing Ed course for industry professionals? Most experts would tell you these aren’t exempted messages.

Truth be told, whether they are or aren’t exempt is irrelevant to the discussion. CAN-SPAM allows you to send almost any sort of unsolicited email as long as you provide contact info and an unsubscribe method. This is the bare minimum required to comply with the law (and any reputable ESP will require permission.) However, every major email provider has implemented complex spam filtering systems designed to block or reject mail their recipients don’t want. If their recipients don’t open your emails, or they mark them as spam or unwanted, your mail won’t get delivered. So yes, you may have legal permission to send them email, but that means absolutely zero when it comes to whether your message reaches the inbox.

How can you be sure your members’ information is valid?

While none of the above methods should be considered a reason to keep an email address in your list, there are a few options for confirming addresses that are a bit more reliable.

Send a reconfirmation email

The gold standard of email verification is the confirmation email. Once per year (often at the time of renewal), send an email to the address on file that requires a click on a confirmation link to stay on your list. If someone clicks, you know you’ve got the right person and the right address. If they open but don’t click? That’s a bit more of a grey area. Depending on the language in your email, you may want to keep them around but limit the emails they receive. Non-openers should be suppressed from your email campaigns going forward.

Look for recent opens or clicks

Most orgs are hesitant to require annual confirmation, which is understandable. It’s likely to shrink the size of the email database, a prospect that rarely elicits a thumbs-up from the executive team. In those cases, you can still look for recent activity from the recipient in the form of opens, clicks, and replies. If you have records indicating a recipient opened, clicked on, or replied to an email in the past 12 months, it’s generally a safe bet to keep them around. You may even want to use this in conjunction with the annual confirmation – only those records with no activity have to reconfirm. That will require a bit of additional work, but could pay off in spades if you avoid the loss of legitimate member email addresses.

Conduct an outreach campaign

If a member has no recorded interactions with an email, they’re not dead to you just yet. Many orgs conduct targeted outreach via phone, postcard, or even in-person meetings to get updated information from members. We’ve seen a number of associations have success driving traffic to their online information forms through these offline methods.

Once you’ve gone through these steps, you’ll likely have to decide to suppress some email addresses from your member list to maintain good deliverability. When this happens, remember that removing a member from your email list doesn’t negate their membership – they may still attend events, participate in forums, and engage with your organization. And each of those interactions is another opportunity for you to get updated information from them and bring them back into the email fold.

– BG

Best Practices, Industry Updates

Microsoft rejecting your mail? You may be suspected of email harvesting

September 6, 2017September 5, 2017 Brad

www.volganet.ru [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL 1.3 (www.gnu.org/licenses/fdl-1.3.html)], via Wikimedia Commons — via Wikimedia Commons

If you’ve been noticing your mail is rejected by Microsoft lately, it’s a good idea to take a look at the Smart Network Data Solutions (SNDS) dashboard. If you’re not aware, SNDS is Microsoft’s tool to show senders how their mail performs to recipients at MS domains. You can sign up for free (assuming you own your IP addresses); if you use an ESP, they’ll have SNDS set up for your sending IP and generally monitor it regularly.

If you do have SNDS access, you can check the IP Status heading to see any blocks that are currently in place for the IPs you own. Over the past few weeks I’ve been seeing a lot of IP addresses listed there due to “E-mail address harvesting.” After working with the Postmaster team, it seems the issue occurs when too many RCPT commands are sent without valid recipients. In other words, the sending server attempted to validate the existence of a lot more email addresses than they actually sent mail to. These blocks are most commonly associated with dictionary attacks, or sending to many usernames at the same domain (aaa@domain.com, aab@domain.com, aac@domain.com) with the purpose of finding good addresses. This tactic is often used by spammers who are – you guessed it – harvesting email addresses for their mailing list.

However, the instances I’ve seen have all been legitimate senders, sending mail to people who have signed up to receive it. In one case, a human error led to sending mail to a list of unsubscribed addresses, but the rest appear to simply be senders whose list hygiene needs improvement. In addition to dictionary attacks, these blocks seem to be triggered by high rates of invalid recipients. These recipients are counted in the number of RCPT commands but not in the total delivered. In one case, the difference between the two was only around 10% – certainly not ideal, but also not indicative of a spammer harvesting addresses.

When working with the Postmaster team, they’ve been very helpful in getting the blocks resolved once we explain the circumstances around the sends and how we’ve taken steps to prevent a recurrence, but these blocks have stopped all mail to Outlook.com users for days in some cases before they are removed. For a sender, this could mean a substantial loss of revenue while the block is in place…so what can you do?

Now more than ever, list hygiene is paramount. Be sure you aren’t sending to old or stale contact lists and target recipients with recent open or purchase activity. Keeping your bounce rates as low as possible will minimize the chances you run into one of these MS blocks.

Been flagged as a harvester yourself? Just having trouble getting delivered to Outlook? Let me know in the comments or via email!

– BG

Best Practices

Don’t give a damn ’bout my reputation

August 25, 2017October 20, 2017 Brad

Chances are, you’re reading this on the internet right now. And if so, you’ve probably heard the word “reputation” thrown around a lot this week thanks to Taylor Swift and her new album announcement (I prefer Joan Jett, thanks). While reputation may be seeing a moment in the pop culture space, its place in email has been long established. A good sender reputation is paramount for a successful email program, and a bad reputation can lose you thousands in revenue on a single campaign. So why, then, do so many organizations treat it so carelessly?

Taylor Swift's Reputation album cover — Mert & Marcus

Case in point: I’ve worked with marketers who have partnerships with other organizations in which they cross-promote each other’s products. A common arrangement, no doubt, and in most cases mutually beneficial. Often one party reaches out to me or another consultant asking how they can protect their domain reputation from any damage caused by the cross-promotion.

When I get this question, I typically first ask if they believe there is a legitimate risk of damage to their sender reputation. If so, why? Are they partnering with an organization with poor email practices? And if they are that concerned about the reputation of this partner “bleeding over” into their own domain, why do they continue to do business with them?

Many senders seem to feel they can overcome these risks with some technical sleight-of-hand: using a different IP address or domain, redirecting links through different servers, etc. While these tricks may work temporarily, mailbox providers have become extremely advanced in their filtering. These practices are often associated with spammers and malicious senders, so using them can cause even more damage to your reputation when the providers start to associate them with your brand.

In email, just as in life, the parties with whom you associate can tarnish your good name. Doing business with disreputable email senders will start to impact your deliverability and brand reputation. In fact, Google even uses factors like web and search reputation as part of their mail filtering algorithms. Technology has led to the increasing intersection of our public and private lives – we’ve all heard the stories of folks who got fired after an inflammatory social media post was discovered. In the same way, every aspect of your brand’s digital presence is connected and has the potential to impact your email program.

If you have a high level of concern that your actions or partnerships will cause damage to your sender reputation, you’re probably right. Instead of looking for ways around it and causing more damage, explore ways you can generate additional traffic and revenue without the additional risk. Vet your partners carefully – make sure their practices don’t sink the hard work you’ve put in to establish your own good reputation.

– BG

Best Practices

Spammers Anonymous, or How I Learned to Stop Worrying and Send Email

July 14, 2017December 14, 2018 Brad

Hi, my name is Brad, and I’m a spammer.

Recently I discussed how the perception of consent often varies pretty widely from sender to recipient, and asserted that sending any unsolicited mail (no matter how innocuous) makes one a spammer. In retrospect, and in light of a rousing debate currently occurring in a popular industry forum, it may be helpful to expand a bit on that statement.

Much like politics, most of the voices you hear in the email industry tend to vary between two extremes. On one hand, there are the anti-abuse crusaders, those who propose hefty penalties for anyone who sends even a single unsolicited email. On the other, you have those who believe that because someone provided their email address somewhere public (i.e. on their employer’s webpage), they are giving free reign for marketers to send them anything they want. Most of us, thankfully, are somewhere in between. Those of us who send email on behalf of others (email service providers, particularly) generally have to be closest to the median as we balance the needs of senders who want to keep their business growing with the ability to reach recipients (more accurately, their mail providers) who don’t want to receive spam.

To that end, I say this: unsolicited mail is spam. Unless your intended recipient asked you directly to receive what you’re sending, you’re sending spam. The thing is, we’ve almost all done it – even those of us on the anti-abuse side of things. If we haven’t sent spam directly, we’ve been party to it. Maybe it was the marketing team at our company. Maybe it was a salesperson, contractor, or vendor. No one likes spam, but very few of us can say we are completely removed from it.

Go ahead, let it out. It’s cathartic.

Does that excuse sending sending spam? Not even close. Just because we’ve all likely done it doesn’t mean it’s okay. What it does mean is that the damage can be fixed – but how? In Spammers Anonymous, there are just 3 steps on your path to email enlightenment:

Get permission.

This one is the simplest, but often causes the most problems. Don’t send to addresses that were found on a website or forum. Don’t purchase lists or use any list generated by a third party (including government lists obtained via the Freedom of Information Act – those are some of the worst). If someone makes a purchase from you or joins your organization, give them the option to receive your marketing emails. In some jurisdictions (I’m looking at you, Canada) it’s a requirement that you provide separate consent options.

Set expectations.

When someone provides you their email address they’re trusting you to send them the information they’ve requested, and not to send them other, unwanted mailings. Honoring that trust helps build loyalty and keeps your recipients happy. One of the best ways to ensure your trustworthiness is to set clear expectations at sign-up. At the point of email collection, make clear designations of the type and frequency of mailings you’ll be sending. It doesn’t have to be hyper-specific; something like “weekly informative newsletters” does the trick without excessive wording. Bonus upside: when your recipients expect your email, they’re ready to engage when it shows up and often tell you when it doesn’t (which helps identify potential delivery issues).

Acknowledge there is a higher power.

OK, so this one may sound familiar – but in this case we’re talking about mailbox providers. Google, Microsoft, Yahoo, and AOL, among others, provide mailboxes to millions of recipients and their primary focus is ensuring those recipients get only the mail they want. One of the biggest ways they do this is through engagement monitoring. Recipients who read and reply to your messages are more likely to see them front and center in their inbox. This means that your job is not only to get the initial opt-in, but to ensure your recipients continue to want your mailings. One of the best ways to do this is through re-engagement campaigns. Every 6-18 months (depending on your sending frequency), reach out to recipients who haven’t engaged and ask if they still want your mailings. For those that don’t, purge them from your list and look at other ways to market to them, such as phone outreach or snail mail.

If you’re sending unsolicited email, attempting to justify your practices won’t matter to the mailbox providers who are routing your mail to Spam, or to the blacklist admins who have flagged your IP address for hitting spam traps. Instead of hiding behind the “everyone’s doing it” mantra, take action and make your program better than everyone else’s. It takes some work to follow best practices, but taking these steps will help ensure your mail gets delivered and boost your business in the long run.

– BG

Best Practices, Delivery Essentials

Recipients (and their mail providers) don’t care if you think they want your mail

June 26, 2017June 26, 2017 Brad

There, I said it (and so did Laura at Word to the Wise, among others).

tumblr_mslx9kwdn11rkumvuo1_400

During my years in the email industry, I’ve heard countless senders try to explain to me and others why their messages really aren’t spam. Usually it involves the fact that the messages are personalized, the recipients have been highly targeted, and the products or services advertised aren’t illegal or inherently spammy (you know, like male enhancement and Nigerian princes). If I had a nickel for every time I’ve heard “We’re sending email people want to receive,” I’d probably be swimming in nickels Scrooge McDuck-style. I’d have to think that phrase is probably right behind “Let me tell you about my business model” in the lexicon of things spam fighters and anti-abuse staff never want to hear.

Many of the senders making these arguments fall into the B2B market Laura mentions in the above-referenced WttW article. They are often sending to companies or individuals in a specific industry or who they believe are in the market for certain products or services, who are just waiting for some shrewd marketer to find their email address and send them an unrequested solicitation for a product they didn’t even know they wanted.

If your recipients didn’t ask for your emails, they’re spam. You are sending spam and are, by definition, a spammer. That doesn’t make you a bad person, or mean that your business is illegitimate. It also doesn’t (necessarily) mean your mail will get filtered or blocked, but it does mean you’re at a higher risk of your mail being rejected or sent to the spam folder because technically it is spam. It means the major mailbox providers are working to prevent mail like yours from reaching their users’ inboxes. And if you’re sending in certain jurisdictions, it may even mean you’re committing a crime.

All the major mail providers are using engagement metrics to determine how to route mail. Mail that consistently gets opens, replies, and other positive engagement is going to end up in the inbox. And consistently, the mail that gets that type of interaction is permission-based. All the subject line optimization, flashy promotional content, and discount offers in the world can’t give you the kind of consistent engagement you’ll find from sending to people who asked for your emails. It’s an extremely simple concept – but one that many marketers seem to not quite grasp.

– BG