A deep dive into email deliverability in 2024

A webforum I know has a rule against marking email notifications they send at spam (You can opt out of receiving them through the site, they just don't want you doing it on the email client end) to avoid this happening to them. For a small org, it's kind of a real risk?

I'm not sure how larger orgs mitigate it.

That’s why most e-commerce sites send their marketing stuff from a different domain. If it gets flagged they can still send transactional e-mails from their main domain. Assuming that both mail servers are on different ips.

I don't think this would work in practice. My employer sends daily deal emails without using a third-party service like SendGrid or SES and what we do is pay a company like Validity who interface with the big email providers for us. They have honeypot emails that get and validate our emails, they get feedback from the providers on how much they like/dislike us, and we get reports on this.

So an attack like this would be very obvious very quickly, even leaving aside that we'd notice a huge spike in email sign-ups and probably kill their accounts (especially since they're not going to be buying anything from those sock puppet accounts!).

Yea I've thought about this but not from the "attack on entities" angle but moreso a consumer-rights / boycott angle. I've had a negative enough experience with a large "maximizing shareholder value" company that I went back through my email history and marked every single one of their comms as spam.

Might be a drop in the bucket, but it doesn't take many votes to make a difference in the spam world.

I'm sure this will evolve soon enough and email delivery might increasingly become pay-to-play with all sort of backroom agreements, if it isn't already.

political mailing lists would lose donations

Now you have me rooting for the bad guys.

Isn't that what DMARC policy would prevent? If the emails being sent by the attacker are failing SPF/DKIM, then we can configure the DMARC policy so that Gmail never delivers those fake emails in the first place. So that attack would not be happening.

This is Google's business model, they throw completely legitimate emails your business sends into spam/marketing, so you're forced to pay them for gmail ads.

Do political mailing lists get through in the first place? I don't live in the US, but someone must've sold one of my throwaway gmail addresses thinking I did.

Every couple of months I end up checking its spam folder and it's just a daily barrage of spam from both DNC and RNC, 1-2 emails per day like clockwork. None of them ever got through to the inbox though.

That's just email working as intended. You pay a third party a small monthly fee to handle email blasts via a relay.

You don't typically use your main email system for bulk sending, you use a third party for that who is used to taking that heat.

I know of victims who had their legit email template lifted by actual slammers. The spammers would embed the legit template invisibly in their emails and then only have a few short lines visible with the actual scam. The idea being that filters would see the majority of the email is legit looking and let it in. Eventually users would flag enough of these as spam and the template itself would trigger the blocks. Then the spammers would move on to the next victim who's email template still gets through filters.

Meanwhile the first victim is left to pick up the mess where none of their email gets through anywhere.

The condition about "significant volumes" is not true.

Google states that the new requirements are mandatory only when you send at least 5000 messages per day.

This is a lie. I send at most a few messages per day and usually less than one per day was towards a gmail account and I had implemented a part of the requirements, but not all of them.

Nevertheless, Google has started to reject my messages, so I was forced to waste time with the implementation of all requirements, even if they are somewhat redundant.

As a sys admin, what do you do when you see 5% of your email hitting spam because the recipient’s Office365 mail server is misconfigured?

Agreed it’s a net positive, but it kills me when the reason emails land in spam is misconfiguration at the recipient’s end. (Like forwarding emails which breaks SPF)

Agreed, this is the upside for sure. Despite frustrations, I'm hoping this cleans things up.

We also slowly but surely are moving towards IPv6 which will make reputation based on IP somewhat useless when I can have as many new IP addresses as I want. They would have to make all newly seen IPv6 addresses not trusted by default when bad actor could send each email from different IPv6 address.

That sucks! And fixing reputation is at best a nightmare. I've seen suggestions about purchasing / sending email from other domains - to protect your primary domain. Not something I really care to do.

The problem is that your VM provider is (unwittingly) offering the same address space to spammers. Maybe the spammer was using random addresses in the range? Or someone was starting up misconfigured smtp servers permitting relaying.

Running an outbound smtp server on a customer ip-range is going to be problematic anyway. All such ranges can be considered suspicious since the spammers who use them don't care about their standing.

yes, this is a pain. the blocklist operators either seem to be not so good at vetting abuse reports, or cause collateral damage to get network operators to take action (while i don't like getting on a blocklist, perhaps it is having a net positive effect for the wider internet?).

i do think mail servers/services are using ip-based blocklists wrong. yes, you can use it as one of many signals. give it some more weight for first-time senders. but if you've been mailing (with spf/dkim/dmarc-authenticated messages/transactions), from an ip that suddenly gets on a blocklist, the previous positive reputation should be stronger than that blocklisting, and you should be able to keep communicating with your known correspondents (until they mark your message as spam after which future deliveries can be rejected/junked). it seems those mail servers/services cheap out and apply ip blocklists early in the smtp process. good for their system load, bad for their analysis performance.

in general, it seems even bigfreemail services are bad at using existing reputation in their ham/spam decisions. i recently switched an online webservice i made (that is about sending certain notification by email) to signups via email (like how you can signup to mailing lists: by sending an email to an address). the idea: if you send my service an email, i'm in your list of known correspondents. so the confirmation reply from my mail server (spf/dkim/dmarc-aligned) should certainly be accepted by yours (you much more opt-in do you want?). i tested with some bigfreemails, and yahoo put my reply with confirmation (that even references the original message) in the junk folder. to people who think you can't compete with bigmail: the bar isn't as high as you may think.

Isn't there any open source project that solves the e-mail delivery problem?

Aplogies if you do, but it sounds like you misunderstand how email works.

The problems are stricly in policy, not in software. So there is nothing an open source project can do. The problem is that "too big to fail" megacorporations like microsoft just randomly decide to block incoming email from most of the Internet.

If email was fully decentralized (everyone runs their own server) this centralized power could not exist and there wouldn't be any problem.

(That all said, I run my own email infrastructure since long ago and it works fine. But I know some people struggle, which is contrary to the intent of the Internet.)

There's some online tools out there, and an OSS project that'll scan DKIM reports for you - but this was all I could find. Beyond this, there's commercial tooling / services. I may implement something that keeps a tab on things if I come across any issues.

Please elaborate on this, as I'm not exactly sure what you mean. The email deliverability problem is a side effect of false positives in spam filtering. Unless you have a proposal to completely eradicate false positives?

for a long time it hasn't been a software problem. It's been a reputation problem, the only recent change is we're more interested in the domain then the IP now.

What do you mean by the email delivery problem? Do you mean setting up DKIM, SPF, and DMARC? It's not that hard, compared to setting up an email server in the first place.

I'm certainly not saying it's right - but it works.

Gmail's spam filter (and promotions filter) works with >99% reliability as a user, with really trivial numbers of false positives.

Unfortunately a lot of legal protections for unsolicited spam only apply to consumer usage. For b2b, every marketer with the ability to know your email address is entitled to send you as many messages as they want.

If it wasnt walled, it would be completely unusable.

Corporate email isn't email anymore. It's a walled garden

Thank god.

Otherwise I'd drown in cold email spam.

edit: But on a serious note — I'm using Gmail for all companies because I gave up trying to run and administer our own server. It's a travesty that this has become so hard. I feel if you're not on a well-configured Gmail Workspace there's no chance your email gets through, even if legit.

indeed very annoying. my understanding is they don't want to give spammers any signal whether their messages was recognized as ham or spam.

i would love some insights in how smart spammers are in actually leveraging such information. most spam seems to be hammering attempts that don't take failure feedback into account.

in my mail server, messages classified as junk keep getting temporarily rejected with a generic error message. at least the (legitimate misclassified) sender gets a delayed dsn, and finally feedback that a message wasn't received.

it seems many mail servers/services think it's more important to not give a signal to spammers than it is to give a useful signal to legitimate but misclassified users. perhaps they think their classification is really great and doesn't misclassify...

Why will it no longer work?

When you forward an email, unless the email forwarder modifies the message content, it should still match the DKIM signature, so it still passes.

This isn't a change. SPF has always broken forwarders that don't touch the envelope from address, and that is right and proper. You can still forward mail, but your forwarder must rewrite the return path.

That seems really significant, email fowarding won't work anymore?

Yep. It seems to be from stolen accounts, maybe gathered from leaked account/password lists.

The result is that outgoing hotmail/outlook smtp servers are added to blacklists until they start content filtering their own users.

What exactly are they doing about that ?

Nothing at all, because they are too big to care.

Aggressive decentralization is the only way to save the Internet. Host your own email, get everyone you know to host their own email.

They may not - but you fail to properly set up DMARC.

I don't unsubscribe from emails I haven't opted in to. So report spam it is.

I'm using NextDNS with AdBlock list, which is effectively a Pi-hole on the cloud.

The most annoying this is when email senders use click tracking on domains that are blocked by those AdBlock lists. I keep a separate browser instance to copy-paste those links into, but then I have to login again.

I prefer sending unsubscribe emails instead of clicking links. Gmail can automate it.

Agreed, I think of it was a simple UI competition. Customers will do whichever is must convenient: unsubscribe or report spam.

I’ll unsubscribe, but now call BS on the “this may take 14 days to take effect…” nonsense in 2024. If I’m getting more emails in a couple of days, they’re getting marked as spam. (Looking at you, TripAdvisor. If you can figure out how to build AI-generated itineraries, you can figure out how to not email them.)

I have the same gripe and in response published the notes to set up my self hosted email on my blog a few months ago [1]. It's really not that hard but yet we constantly see this topic on HN. I understand there are people who've set it up properly and still have their mail end up in spam. Maybe we're just lucky. But there's no need to write long pieces about this going into detail what this tech giant and that tech giant do. All you can do is set up DMARC, DKIM and SPF - that's it.

EDIT: Admittedly this post is also about bulk sending where other metrics like unsubscribe links and spaminess matter. But for the self hosted crew it really just comes down to DMARC, DKIM and SPF.

[1] https://tschumacher.net/self-host-email/

I agree on the technical part, but:

A problem is that you can do everything technically right, and sitll land in spam, because some big players don't play by the usual rules.

For example, Microsoft apparently has an allowlist for IPv4 -- or equivalenty, blocks all IPv4 by default, until you manually de-list them at sender.office.com. At least I haven't found an IP yet for which I didn't have to do that (self-hosting email for 15 years).

(Imagine every provider did it like MS; you'd be sitting there and filling out web forms with 1000s of providers.)

So you have a technically perfect setup and MS stil rejects you.

--

That said, using some provider to send emails for you doesn't solve deliverability either. There, many customers share the same sender IP. If one of them sends marketing/spam, the entire IP gets bad reputation. In such cases, providers recommend to upgrade to "bring your own IP", which then needs to "gather reputation" [0]. Great, might as well have self-hosted in the first place, as repuation is the only thing I bought the service for.

[0]: Example: https://www.mailgun.com/blog/deliverability/dedicated-shared... -- Especially entertaining is "Use a shared IP if: Your shared IP partners have built a good reputation." As if you had any control over that.

Without knowing everyone’s domains and IPs and history, it’s hard to judge competency in a thread like this. SPF, DKIM, and DMARC are important to set up correctly, but doing so is NOT sufficient for good deliverability. In fact it is only a small component of success.

Well-established organizations that have a long history of sending steady volumes of high quality content with low complaints have a huge leg up. So if you work at such a place, or you contract with such a vendor, you’re going to feel like it’s obvious that the DNS entries work well.

As usual in any email thread about email deliverability, the amount of FUD in these comments is absolutely mind-boggling to me. [...]

What type of "FUD" are you talking about? The objections in the thread seem pretty well founded (eg. being shadowbanned despite complying with SPD/DKIM, or this requirement breaking email forwarding), and there aren't really any that are against implementing SPF / DKIM.

Yeah it takes like 5 minutes. I have no idea what people are crying about. On a tech site no less. This is entry level have the intern do it stuff.

Congratulations for being lucky enough to have big actors accept your e-mails, this is not the case for many of us who do understand and apply SPF, DKIM and DMARC. Guess we'll just try being luckier...?

Gmail does not require one-click unsubscribe, what they actually require is that you include the “List-Unsubscribe” header in bulk emails, with a functioning mailto or http target.

If I forward your newsletter, that’s not a bulk email and it won’t include that header.

This is an important distinction that seems to get glossed over in a lot of the coverage and guides about the recent Gmail and Yahoo changes.

Why would apple identify the domain used for unsubscribes as in use solely for being a bounce tracker?

2. At the same time, Apple’s ITP will start removing all the information from the URL and only leave the domain, if it classifies your site as a “bounce tracker”. This means you won’t even know who to unsubscribe on one click!

https://getcake.com/apples-intelligent-tracking-prevention-2...

Your source doesn't actually say that "ITP will start removing all the information from the URL", only that it will "limit it the same way as third-party cookies" and will be "purging website data in such instances".

You can do one-click unsubscribe with headers as well, those aren't usually forwarded by MUAs.

perfectly configured SPD, DKIM, and DMARC

Just having them perfectly configured doesn't mean that the receiving servers will also see it that way.

Microsoft servers are particularly prone to randomly failing perfectly fine dkim setups for no reason whatsoever.

Because it’s not just about configuration, it’s also about reputation and a low sending volume you are in danger of getting dropped merely out of not being a well known sender

I've been wrestling with this for years as well. I hope with these guidelines being published / transparent by the big 3, things behave consistently.

DKIM hasn’t been necessary in my experience, and is still not necessary according to the new Google guidelines if you use SPF.

I am surprised people think deliverability consists of configuring SPF (SPD is Seattle police), DKIM and DMARC. Spammers can do exactly same given low entry barrier.

It's important but have very little connection to deliverability in real world.

And it's for a company? OP you might want a part-time PR person to review these...

Very valid point. I just removed my poor attempt at political humor. It was not meant in support of any candidates.

Are you a truth seeker or attention seeker manifesting your political preferences instead of focusing on what article actually discusses?

that's a rhetorical question - you already answered it.

Yes, this put me off enough that I was no longer interested in reading the article. The silly reference is one thing, but was a link to that YouTube video really necessary?

I’ve been running a personal mail server since 2016, and I’ve been struggling mostly with Microsoft off-and-on. I haven’t make any changes since setting up DMARC, SPK, and DKIM in 2016, but I’ll still sometimes randomly get blacklisted for 2~30 weeks for seemingly no reason, and then get unblocked again for seemingly no reason.

It’s recently started happening with iCloud too. For 5.5 weeks any email I sent would either get bounced or land straight in Junk, until yesterday when the powers that be decided my mail was worth delivering again.

I’ve somehow never had an issue with Gmail or Yahoo, and of course never with any other non-big-three mail servers.

This was my initial thought too. These guidelines have been around for ages, and just now being officially implemented in 2024.

ProofPoint is indeed disgusting service. Wonder how they proliferated into corporate world so much and so fast.

but an email without SPF/DKIM, good luck having it hit any inbox

And that's a decent thing.

Someone that doesn't do that has no business sending email.

The problem is that even doing that and even sending only a couple of emails a day is still usually considered SPAM.

At an even more basic level than what you described here, I recently improved my delivery rate by adding a name to the transactional emails that we send (from: 'My Name <admin@foo.com>') where previously we didn’t have a name. As well as cleaning up subject lines - where previously we included some abbreviations. Providers like mac.com were previously soft bouncing some emails, and now they seem to accepting them.

Hotmail/yahoo/aol all still seem to shove our transactional emails into spam pretty often (judging purely on the amount of those users who fail to confirm their accounts).

Senders that apply dmarc and want their emails to be forwarded should use dkim. Forwarding a dkim signed message doesn't break dmarc at all.

I haven't got any since I switched to Android. Same with spam calls. Their crowdsourcing really works.

I have received exactly 2 such messages in the 25+ years I've had a mobile phone. I imagine this is a regional thing, and that where you are eithet mobile networks are insecure, or operators are in cahoots with spammers?

I totally agree, and also unsolicited calls. Right now the only options that I'm aware of are:

1) Blocking numbers (which is pointless because they rotate them and spoof residential numbers).

2) Whitelisting numbers and blocking everyone else (this would cause me to miss legitimate calls).

3) Blocking entire ranges (this doesn't work because of the spoofing).

4) Using one of those spam screening services (currently looking into this). Still a bit concerned about missing valid calls and the privacy issue with this.

Use rspamd?

It doesn't affect deliverability in a measurable way compared to DKIM/DMARC.

Gmail and Microsoft require a certain volume of email hitting their servers otherwise they forget you exist. I ended up switching to using Amazon's SES service to keep my selfhosted server running.

I use seperate emails for each service much like a seperate password so I'm heavily invested in keeping my own server at least for recieving.

Fair assessment. Which email service provider do you use?

Sometimes it's not about competence but about priority. If email is something a business does as a side thing and not a core thing, and if email keeps working without changing anything, there's no need or priority on setting up newer things. From a priority perspective at least.

But yes if it's a recent setup, or email is a core part of the product, any competent sysadmin should have been doing this.