[HN Gopher] Gmail, Yahoo announce new 2024 authentication requir...
___________________________________________________________________
Gmail, Yahoo announce new 2024 authentication requirements for bulk
senders
Author : ilamont
Score : 205 points
Date : 2023-10-30 20:07 UTC (2 hours ago)
(HTM) web link (blog.google)
(TXT) w3m dump (blog.google)
| ilamont wrote:
| Yahoo:
| https://blog.postmaster.yahooinc.com/post/730172167494483968...
| teruakohatu wrote:
| Most of the spam I get in gmail apparently comes from other gmail
| accounts. Presumably google already filtered out senders
| pretending to be gmail, so I am not sure what a big improvement
| this will be for the average user.
| chimeracoder wrote:
| > Most of the spam I get in gmail apparently comes from other
| gmail accounts.
|
| Are they actually from Gmail accounts, or are they simply
| spoofing the sender? My bet is on the latter, because Google
| has heavy restrictions on Gmail that make it impractical to use
| for sending bulk spam.
|
| > I am not sure what a big improvement this will be for the
| average user.
|
| It's not going to be particularly noticeable for the average
| user, except for the second part (single-click unsubscribe, as
| opposed to a multi-step flow, is slightly stricter than what's
| required by CAN-SPAM). It will probably make Google's work
| easier, though, by having a publicly-known policy of rejecting
| emails without DKIM, as opposed to the status quo of having
| that be merely an open secret.
| andersa wrote:
| Spoofing the sender to show up as gmail.com on gmail.com is
| not possible.
| ericpauley wrote:
| Gmail also has DMARC quarantine enabled. What's more likely,
| that someone broke DMARC or that they stole someone's
| password? My bet is on the latter.
| maybeben wrote:
| The vast majority of spam we get that isn't trivially
| rejected (DMARC, malformed HELO, etc) is from real, actual
| gmail. But they sure do care about _incoming_ spam.
| asddubs wrote:
| I've gotten a few emails from my own gmail account, spoofed,
| which inexplicably did not land in the spam folder. This
| happened to me on multiple different gmail accounts, too.
| benatkin wrote:
| Perhaps they wanted you to see that someone was trying to
| spoof you. They should have a better way of doing that though
| :/
| partiallypro wrote:
| This happens to me all the time, I honestly am not sure this
| measure is going to solve much.
| NullPrefix wrote:
| Click "Mark as spam" and the almighty machine learning
| might decide that the sender address (your address) is a spam
| sender
| tornato7 wrote:
| I receive a lot of scam emails from Google Docs - ie random
| users 'sharing' Google Docs with me that are either ads or
| viruses or both.
| foobazgt wrote:
| I got one of these once. Google does run spam classifiers for
| docs and you can report them as spam:
| https://support.google.com/drive/answer/13305033
| queuebert wrote:
| The majority of my spam is to firstname.lastname@gmail.com,
| because I have a common name. I assume spammers put together a
| list of common names and infer addresses from them. This would
| probably help me a lot.
| zitterbewegung wrote:
| Oh fun so basically no one will be able to set up their own email
| servers by themselves anymore. Antispam is killing the open
| internet now.
| solardev wrote:
| ...and saving email at the same time. It's totally unusable
| without spam filters, and the open models/blacklists don't come
| anywhere close to Gmail's capabilities.
| candiddevmike wrote:
| Ironically, most of my breakthrough spam seems to come from
| @gmail.com addresses...
| solardev wrote:
| Same, but that's because all the other hundreds of pages of
| spam got filtered away already.
|
| I wouldn't be surprised if Gmail spam is higher-effort
| (like those individual SMS spam apps that politicians use)
| but higher-breakthrough.
| supertrope wrote:
| I read years ago a hijacked Gmail account was worth $10
| on a black market while a Yahoo! Email account was worth
| $0.10.
| rurp wrote:
| Perhaps, but it's hard to say. False positives are much more
| harmful than false negatives. I have personally had Gmail flag
| a number of legit emails as spam, and those are just the ones
| I know about! It's almost certain that I have lost valuable
| messages because I didn't check the spam folder in time.
| These aren't transactional emails either, I'm talking about
| messages from real people that I know personally.
|
| I would be willing to wade through a number of additional
| spam emails to avoid losing important ones but of course this
| is Google so there is no user facing dial to adjust the
| sensitivity. Users just have to trust that Google's
| generalized approach is well calibrated for them.
| solardev wrote:
| I'd take the false positives, personally. If someone really
| needs to reach me and doesn't get to me on the first try,
| they usually just email or text back and go "Hey, did you
| get my email?". Or, just quickly skim through the spam
| folder once a week.
| jghn wrote:
| Unless they _always_ get filtered. Which has happened to
| me before where people wondered why I was ghosting them.
|
| I now skim my spam filter regularly because of this, but
| not everyone realizes they should do this.
| ahoka wrote:
| Most people I know regularly read their spam folders...
| which kinda defeats the purpose.
| fiddlerwoaroof wrote:
| My personal mailserver works just fine with some rudimentary
| anti-spam measures (mostly manual filter lists).
| muppetman wrote:
| "open models/blacklists don't come anywhere close to Gmail's
| capabilities"
|
| I disagree with you. I use Postfix with rspamd plugged into
| it for my personal email account. I get way more spam to my
| gmail than I do to my personal account, and I sign up to
| everything with my personal account.
|
| rspamd also DKIM-signs my emails when I send them etc,
| verifies SPF/DKIM/DMARC on receipt etc.
|
| Now to counter that - I am a TINY mail server - Probably 100
| emails a day tops.
| solardev wrote:
| FWIW, this would make a great blog post (or Show HN) with
| details!
|
| "I run my own mail server and get better spam results than
| Gmail"
| martin_a wrote:
| I think that's pretty standard for everybody who runs their
| own mail server (like "shared webhosting"-running even).
| Owning your mail should also be standard for everybody in
| tech, you don't want to rely on Google for something that
| important.
| muppetman wrote:
| Exactly. I rely on Google for a number of things, the
| primary thing being photos. But I've read too many horror
| stories (on here) of people losing their Google account
| and thus their life. So all my photos are also backed up
| locally and then into a BackBlaze bucket.
|
| Using Postfix+Rspamd gave me good insight into SPF, DKIM
| and DMARC and how to use them effectively.
| muppetman wrote:
| It's really just postfix + rspamd.
|
| rspamd is very, very impressive. I guess most of the hard
| work I've put into it is adding some of the not-turned-
| on-by-default things, like Pyzor and Razor. Also adding
| some other RBLs that weren't included by default (I spent
| a lot of time personally researching them and only
| picking ones that I believed to be of high value). The
| other big thing that I think is important is the RBL
| whitelists - DNSWL.org and HostKarma have a whitelist as
| well.
|
| About once a week I spend 10-15 minutes looking at the
| logs of what it's accepted/rejected during the week to
| see if I can spot any obvious mistakes - it's pretty
| rare. If I do spot something I make config changes to
| address it. That said there's been months before where I
| haven't done this and none of the users of my platform
| have complained about spam (or missing email)
|
| rspamd really is that amazing. I don't understand why
| more people don't scream its praises from the rooftops.
| megous wrote:
| Any data? Or just "I say so"...
|
| Before I decided to leave it due to its horrendous false
| positive rate, gmail was driving like half of notification
| emails from my servers and mailing lists to spam, despite me
| never marking them as such. I was regularly missing important
| things.
|
| It's much better with just regular client side bogofilter and
| some training on my personal mail/spam archive. And I do zero
| server side filtering, it's just all content based.
|
| I don't care about capabilities, I just want near 0 false
| positive rate on the kind of email I receive (and not some
| common model), even at cost of some false negatives, and
| Gmail doesn't deliver there at all. And I don't want any
| arbitrary 5xx rejections for my senders, since I know how
| annoying that is on the sender side. Gmail will not guarantee
| that.
| einpoklum wrote:
| email is perfectly usable without _Google_'s spam filters.
|
| And if you use non-GMail email providers, you would know they
| do fine. Not perfect, and of course it differs among
| providers, countries and accounts, but it's generally fine.
| Kye wrote:
| Did we read a different article? DKIM is a simple DNS entry.
| One-click unsubscribe should be standard.
| amluto wrote:
| Also:
|
| > So today, we're introducing new requirements for bulk
| senders -- those who send more than 5,000 messages to Gmail
| addresses in one day
|
| If you run an email server for personal use, you are quite
| unlikely to send more than 5k messages per day.
| pixl97 wrote:
| Heh, I see someone has never had an automation script go
| bad.
| amluto wrote:
| That one time I spammed myself egregiously, I would have
| appreciated a 5k/day limit.
| superkuh wrote:
| It's also standard practice to use self-signed certs with
| mail DKIM. Mail as a protocol has, for the most part, tried
| to stay true to its federated roots and most things can be
| implemented without dependencies on third party corporations.
|
| I avoided DKIM till 2018 when google started accepting my
| mail but silently sending it to the spam folder; so I
| wouldn't even get a reject message. I thought it'd be too
| onerous to implement but rspamd's dkim signing feature made
| it easy to use with my locally generated self-signed certs
| (and postfix).
| chimeracoder wrote:
| > Oh fun so basically no one will be able to set up their own
| email servers by themselves anymore. Antispam is killing the
| open internet now.
|
| It's been a long time since you've been able to set up your own
| email servers without DKIM and expect that your emails will get
| reliably delivered to Gmail users, especially for bulk mail.
|
| The second requirement is more or less already a legal
| requirement in the US, and the third is literally how anti-spam
| has _always_ worked - the only difference is that Google is now
| saying that they'll publish the threshold publicly, rather
| than keeping it a secret.
|
| This is technically news, but it's hardly a major shift.
| atomicnumber3 wrote:
| This is my impression too. I briefly used emails from a
| domain I own to my gmail account as a way to send myself
| "notifications". My impression was that absolute table stakes
| to even make e-mail delivery work AT ALL were:
|
| - non residential IP (I had to proxy through my VPS)
| - SPF
| - DKIM
| - use TLS with a modern cipher
|
| And even with this, I still had to "favorite" (or whatever)
| AND set up a rule to "never send to spam" for my alerts@
| sender address because I would still get them going to spam
| for no reason that I could find - I'd check the message and
| would see that SPF and DKIM PASSED and yet it was still going
| to spam.
|
| I ended up switching to using webhooks to send alerts to a
| discord channel for a server that only had me in it. It works
| fine. It's a lot more surefire than trying to figure out
| email delivery
| abdullahkhalids wrote:
| I have my personal mail hosted on a hetzner server using
| mailinabox. I didn't do anything fancy except whatever
| mailinabox's default config is.
|
| I have no problem with email deliverability to
| gmail/outlook. I think the difference is that my emails are
| two-way communication. I email someone, they email back or
| vice versa. Not a continuous stream of unreplied emails
| from my personal server to some gmail address (which does
| look like spam).
|
| I imagine if you set up a script to reply to these emails
| from your gmail account with lorem ipsum and then deleted
| those replies after a few days, your problems will
| disappear.
| koito17 wrote:
| I rarely get spam in my inbox, if at all, but I also never sign
| up for newsletters nor give airlines, grocery stores, etc. my
| e-mail address.
|
| I get spam messages once in a blue moon on my iPhone
| (specifically, on iMessage, I get recipients with a string of
| random letters ending in gmail.com). Ironically, it's ALWAYS a
| gmail.com or hotmail.com address. Funny how the overwhelming
| majority of spam I can remember comes from Gmail and Outlook,
| both of which love sending everyone else's messages straight
| into the spam tray, despite having DKIM + DMARC set up, static
| IP not on any Spamhaus blocklist, etc.
| 0xbadcafebee wrote:
| I mean... No? You can set up your own mail server all you want,
| it's just that few people will take your mail. Just make
| friends with other people who hate managed mail companies,
| you'll be able to email them just fine.
| sltkr wrote:
| That's too facile. Email was intended as a federated service
| that allows anyone to send mail to anyone. Privileging large
| companies over small companies and individual users is a
| clear violation of that principle, and a danger to the open
| and impartial internet. I get that spam is annoying (I hate
| it too) but letting giant American tech companies decide who
| is allowed to send email and who isn't is not the solution.
|
| Imagine you live in an apartheid state and the people in
| power say: "White people will now refuse mail coming directly
| from black people. If black people want their mail to be
| received, they are required to send it through a trusted
| white liaison. If you're black and you don't like it, just
| make friends with other blacks and the tiny minority of
| whites who will accept mail from undesirables like you."
|
| The above analogy is exaggerated of course, but I think there
| is a fundamental truth for it: large tech companies like
| Google have cornered the market by offering free solutions,
| and now they are imposing an apartheid system where mail sent
| through big companies is given priority over mail sent by
| real people who run their own email system.
|
| (Personally, I've disabled all spam filters in Gmail since
| I've noticed that Gmail is likely to filter out legitimate
| email while the amount of spam I receive is actually very
| low.)
| chimeracoder wrote:
| This isn't as big of a change as it sounds.
|
| There are three requirements. The first requirement - DKIM - is
| already a _de facto_ must-have when sending emails to avoid
| getting marked as spam. The second is also a legal requirement in
| the US for all commercial email under the CAN-SPAM act[0]. And
| the third is more or less how email delivery has worked for the
| last 20 years or so anyway.
|
| [0] The "one click" and "within two days" parts are a little
| stricter than the bare minimum CAN-SPAM requirements, but not
| much, and they are not difficult for any legitimate sender to
| implement.
| nerdo wrote:
| The one-click part I believe is referring to the unsubscribe
| smtp header.
|
| CAN-SPAM is ignored for the most part anyway, e.g. LinkedIn
| requires recipients to authenticate in order to unsubscribe and
| openly violates the letter and spirit of the law to the point
| scripts are required: https://github.com/chengyin/linkedin-unsubscribed
| pixl97 wrote:
| Unsubscription requirements are a pain in the ass in the
| sense that anyone that steals a large list of emails (from
| any service, not yours in this particular case) could now run
| it against your service and unsubscribe a million users
| before you realize what's going on via a botnet.
| TheCycoONE wrote:
| The opaque id is supposed to not be guessable. It does mean
| you can't batch send emails by calling RCPT TO though which
| will hurt bandwidth.
| chimeracoder wrote:
| > CAN-SPAM is ignored for the most part anyway, e.g. LinkedIn
| requires recipients to authenticate in order to unsubscribe
| and openly violates the letter and intent of the law to the
| point scripts are required:
|
| There are several known-bad actors. LinkedIn isn't even the
| worst offender - Amazon is much more brazen, though they get
| less flak for it because the number of violating non-
| transactional emails they send is lower.
|
| Regardless, I stand by my point that this isn't a big shift.
| Google stating publicly that they will penalize people who
| are violating a law that turns 20 years old this year, and
| which has generally been implemented by almost all legitimate
| bulk email providers[0], is not something I'm particularly
| surprised about or worried by.
|
| Again, the first and third bullet points in this press
| release are already _de facto_ policy at Gmail, and have been
| for over a decade. The news is that Google is stating this
| publicly, not that they're doing something new.
|
| [0] The notable exceptions notwithstanding, it's quite rare
| to find a bulk email sender who violates this, because very
| few legitimate mail providers will allow it, and it's pretty
| difficult to set up your own mail server with decent inbox
| delivery rates.
| corentin88 wrote:
| Agreed. I shared the same view here:
| https://mailmeteor.com/blog/new-gmail-protections
| tiffanyh wrote:
| > _"Gmail's AI-powered defenses stop more than 99.9% of spam,
| phishing and malware from reaching inboxes and block nearly 15
| billion unwanted emails every day."_
|
| This will be a pain for legit use cases but will net to a better
| place for the ecosystem.
|
| Much like strong KYB/KYC for bulk text messaging.
| joering2 wrote:
| You joking right? The amount of text messages spam I receive
| now on Verizon, and some 8 months ago before on T-mobile is
| staggering.
| tiffanyh wrote:
| Are you suggesting that _because_ of stronger KYB/KYC for
| sending bulk, that _increased_ the amount of spam text you
| get?
| 998244353 wrote:
| I think they are suggesting that the stronger KYB/KYC was
| ineffective at reducing the amount of spam.
| supertrope wrote:
| They're cracking down with "10DLC." Mass SMS senders must
| identify themselves, pay a fee, and register each campaign
| including its content.
| ilyt wrote:
| > To help ensure messages you send to Gmail accounts are
| delivered as expected, you should set up either SPF or DKIM for
| your domain.
|
| But spammers already do that, why would enforcing that even
| help?
| overstay8930 wrote:
| Doesn't matter to me, if an email doesn't have a one click
| unsubscribe I just mark it as spam. Messes with their email
| reputation so they hopefully get kicked off of reputable email
| services.
| notwhereyouare wrote:
| biglots is horrible about this. I have unsubscribed MULTIPLE
| times and I keep getting emails. Now marked as spam
| kevincox wrote:
| I do exactly the same. I give them one chance to let me
| unsubscribe. If it is more than 2 or 3 clicks I give up and
| mark as spam. If they keep sending I mark as spam.
| LeifCarrotson wrote:
| I honestly don't care about their reputation, I just mark
| anything I don't want as spam. It's easier than finding the
| tiny 8-point link at the bottom and rolling the dice on whether
| their unsubscribe is one click or not. I don't feel obligated
| to protect their shitty business model.
| eastbound wrote:
| I once went to an Atlassian conf and they resold all our
| emails to dodgy people. Or perhaps leaked them over the black
| markets.
|
| Not only I keep receiving almost the same email suggesting to
| buy 5,000 email addresses of Atlassian customers with always
| the same fields, but it's always from different domains.
|
| I didn't think of submitting an Atlassian ticket for each
| spam I receive. That would teach them.
|
| NEVER give your true email to Atlassian.
| xnx wrote:
| "!" key shortcut to mark as spam in Gmail web interface. I use
| it all the time. If I didn't expect and don't want the email
| you sent, then it is spam, regardless of what fine print I
| clicked through unknowingly at some point.
|
| Would love for an "Unsubscribe Sunday" unofficial holiday to
| catch on to the same degree as "Cyber Monday".
| eastbound wrote:
| Why would you ever unsubscribe? Unless I remember
| subscribing, then this is spam.
|
| I don't ever remember subscribing to anything. Almost all
| email is undesired, apart from password reset emails.
| legitster wrote:
| Unfortunately for us, the Privacy team at our org has
| determined that a one-click unsubscribe link in the body of the
| email is unacceptable (passing an identifier into the URL of
| the link). So we accept either the client unsubscribe link, or
| users who click the unsubscribe link in the email have to
| provide their email address on the unsubscribe page.
| albertgoeswoof wrote:
| This might be good news, but as it comes from Google and involves
| email centralisation, I'm sceptical.
|
| At MailPace we already enforce DKIM, it's pretty basic stuff. But
| list-unsubscribe is optional for our senders.
|
| We can make this a requirement and manage lists for senders who
| don't / can't implement a webhook to handle it (we already
| default to blocking resends to emails that hard bounce).
|
| However I am curious how Google will track this. Just because the
| header is set, it doesn't mean it'll do anything. In fact it can
| be used by spammers to identify legit email addresses and spam
| them separately.
| j45 wrote:
| I'm wondering if they see enough gmail traffic receiving such
| an email that maybe they can infer how much funny business
| might be going on?
| pirsquare wrote:
| Why would you allow users to unsub from transactional emails?
| queuebert wrote:
| Because you're not evil?
| albertgoeswoof wrote:
| Because (according to this announcement) if you don't, Google
| will put you in the spam folder.
|
| Edit: I suppose it does say "unsubscribe from _commercial_
| email in one click". But it's hard to say exactly what they
| mean. They also don't define Bulk Senders - is that the
| domain or the sending SMTP server?
| evangow wrote:
| They defined bulk senders in the 3rd paragraph: "bulk
| senders -- those who send more than 5,000 messages to Gmail
| addresses in one day"
| albertgoeswoof wrote:
| > is that the domain or the sending SMTP server?
| rbut wrote:
| I'm having the same thoughts.
|
| On one of my SaaS apps workers receive details on their
| shifts via email. If I allow them to one-click unsubscribe, I
| know there will be many who do so accidentally, with no idea
| how to resubscribe.
|
| Currently they need to sign in and manage their contact
| methods in settings (email, SMS, etc). Thus they know how to
| re-enable it if they disable it.
|
| I can see many support requests from managers saying "X
| worker isn't getting emails". Sigh.
| toomuchtodo wrote:
| I suppose the best you can do is indicate how to re-
| subscribe in the unsubscribe confirmation email and say,
| "you should save this email! Here are alternate channels to
| receive your schedule if needed."
|
| Perhaps you could notify the manager when a user
| unsubscribes? Puts the ball in their court to notify the
| user (their employee) they aren't going to get critical
| emails. Make sure any unsubscribes show up in a log
| available to your customer.
| kvakerok wrote:
| You can simply put two buttons on the email, one for
| unsubscribe, one for re-subscribe. If they unsub by
| accident they can simply pull the last email and re-sub.
| It's not rocket science.
| rbut wrote:
| AFAIK Google shows you an unsubscribe button/link
| separate to the email and performs the POST request to
| your server. There's no option to ask Gmail to show a
| resubscribe button/link.
| wredue wrote:
| Or, send an email saying
|
| "Hey. You unsubscribed. Here's a link to resubscribe if
| you happen to want to!"
|
| Right after someone unsubs.
| albertgoeswoof wrote:
| You could also send them a reminder a few days later,
| just to be sure that they meant it. And then perhaps
| every week or so for good measure.
| TylerE wrote:
| The problem comes, as I know very well, is that when you have
| a common sounding email, all kinds of people use it for all
| kinds of things. I get dozens of transactional emails a week
| from stores multiple states away.
|
| A big part of why I'm stuck on/with gmail is that filtering
| redirects about 90% of those to spam.
| jsnell wrote:
| > A big part of why I'm stuck on/with gmail is that
| filtering redirects about 90% of those to spam.
|
| That doesn't really make sense? If you used an address on
| your own domain, other people would be pretty unlikely to
| enter that email address instead of their own. The problem
| with misaddressed email should be limited to domains with
| really high username density; nobody else than the Gmails
| and Outlooks of the world need to solve the problem because
| nobody else also _has_ the problem.
| TylerE wrote:
| Because having used an address personally and
| professionally for close to 20 years, I can't really
| abandon it, and I honestly get way too much important
| stuff to only go in there once a month or so. If I
| forward all emails to the new address, I get buried under
| the avalanche.
| jsnell wrote:
| Why limit yourself to only either forwarding emails or to
| "check for important emails" once per month?
|
| For example, email clients generally allow you to use
| multiple accounts at the same time. Configure your client
| to read emails from both accounts at the same time, and
| any time an important email arrives at the legacy account
| try to update the sender.
|
| (I mean, I'm sure that xkcd.com/1172 applies, but still
| this seems like an odd thing to be blocked by.)
| taveras wrote:
| Transactional email intended for other people is exactly
| my problem.
|
| My name is common in certain areas, and I consistently
| get transactional email from banks, telecoms, and
| insurance companies around the world.
|
| These businesses do not verify that their customer's
| email is truly their own prior to sending emails.
|
| Framing custom domains as the solution to this problem is
| a bit rash, no?
| jsnell wrote:
| I'm not framing it as a general solution. But _the GP was
| already migrating to a different domain_ and claimed this
| was the main blocker.
| tomjen3 wrote:
| Because it's better than me just sending it to the spam box.
| Or worse, not interacting with your service.
|
| At this point something as simple as ordering something
| online means I get 4-7 emails and then some growling "please
| rate us" shit. And if I am stupid enough to do so, but only
| rate it 4 out of 5, another "we are sorry, please tell us
| what we did wrong" email.
| mauriciob wrote:
| Wrong address is one reason. For example, I receive
| transactional emails from a US-based ISP for someone else and
| the only way to unsubscribe is calling their customer service
| line. I'm not even in the same country.
| amalcon wrote:
| I get a number of these for some reason. If they don't let
| me unsubscribe, I just report it as spam. It's not perfect,
| but it's what little I can do.
| crazygringo wrote:
| Exactly, seriously -- I get monthly+ e-mails from a gym and
| a car dealership and some golf course because somebody else
| put in my e-mail.
|
| I contacted the customer support for all of them and they
| said they can't do anything about it. To change the
| customer's e-mail address, I need to prove I'm the
| customer, and obviously I have no idea who they are.
|
| So I gave up and implemented a Gmail filter in the end, but
| I definitely wish that parallel with the traditional
| unsubscribe, there was a way to say "this isn't that
| person's e-mail". Where I don't have to prove I'm the
| person, I just have to demonstrate I receive the e-mails.
| ska wrote:
| The best part is when they aren't in a language you
| understand, and the site doesn't have one available.
|
| I have in the past had very good data on how often a
| Russian guy got a haircut.
| yard2010 wrote:
| I have that friend that whenever I don't feel like
| putting my own email or phone number I just put his. You
| probably have that friend too, the other way around
| airstrike wrote:
| Something something the customer is always right?
| tempnow987 wrote:
| So they don't start getting blocked as spam? For
| transactional emails deliverability is often CRITICAL.
|
| Oddly, on the cash app thing, I have a very basic username
| and seem to constantly have folks sending me money, sometimes
| good amounts. I never use the app, and eventually I hope the
| money goes back if I don't collect it.
|
| More annoying on email but much less than it used to be - I
| think more systems require email verification now so a bit
| less common to get the misdirected order emails etc.
|
| But yes, if I can't unsubscribe - then I block and report
| spam - even if it looks like transactional email (some is a
| lead-in to a scam where they will refund you for the "bogus"
| purchase).
| knodi123 wrote:
| I got a really cool vanity email address, back in the early
| days of gmail. But the downside of that is 100s of goofball
| people around the world randomly guessing it when they want
| to put some bullshit value in a field on a web form. The
| worst was when my address got posted to some Indian jobs
| forum, under a title like "test job" - I got dozens of
| applications per hour for a few days. I had to make filters
| to block all email that included the words "bangalore",
| "delhi", or "hyderabad".
|
| Anyway, the job applications have died down, but I still get
| plenty of others for people who are creating accounts. I
| unsubscribe when I can, and "mark spam" when I can't.
| iamacyborg wrote:
| You wouldn't, if they're true transactional messages instead
| of poorly veiled marketing ones.
|
| Think of it the same way Canada's anti spam law (CASL) works.
| https://emailkarma.net/2016/09/qa-transactional-emails-
| unsub...
| dmitrygr wrote:
| Perhaps I do not care to receive them? Why does a store allow
| me to say "no receipt please", but you think your
| transactional spam needs to reach me?
| michaelmior wrote:
| > Just because the header is set, it doesn't mean it'll do
| anything.
|
| True, but I think when you're processing the volume of email
| that Gmail is, you'll have enough data to be able to infer
| whether the unsubscription was processed.
| WirelessGigabit wrote:
| Side-note: for list-unsubscribe, do you determine the
| subscriber's identity that needs to be unsubscribed based on
| the sender or the receiver (like
| <guid>@unsubscribe.service.com)?
|
| Reason I'm asking is Unsubscribe rarely works for me due to my
| catch-all not SENDING emails from the address it was received
| on. It sends it from my actual address. Very annoying.
| albertgoeswoof wrote:
| The RFC https://www.ietf.org/rfc/rfc2369.txt Section 3.2 is
| not specific on this - but the examples only show the To
| address, and no unique identifier beyond that, so it might
| not work out well for you for mailto list-unsubscribes. It
| also prefers mailto over https.
|
| If we build this as a mandatory feature at MailPace, we'll
| use an HTTPS webhook with a unique identifier for the email,
| so if you unsubscribe from a list sent via us, it will work
| for you.
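
An added example, not part of the thread or any poster's code: the one-click flow discussed above (the mailbox provider POSTs to an HTTPS URL from the `List-Unsubscribe` header, as specified in RFC 8058), with a random per-message token so the endpoint cannot be driven from a stolen list of addresses and no address appears in the URL. The endpoint URL, the `example.com`/`example.net` names and the in-memory `UnsubscribeStore` are assumptions made for illustration.

```python
import secrets
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

# Hypothetical endpoint; example.com is a placeholder domain.
UNSUB_BASE = "https://mail.example.com/unsub"


class UnsubscribeStore:
    """In-memory stand-in for a subscriptions table keyed by random token."""

    def __init__(self):
        self._by_token = {}        # token -> (recipient, list_id)
        self.unsubscribed = set()  # (recipient, list_id) pairs that opted out

    def issue(self, recipient, list_id):
        # 256 bits from the OS CSPRNG. Nothing in the token is derived from
        # the address, so knowing the address does not help guess the URL.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = (recipient, list_id)
        return token

    def lookup(self, token):
        return self._by_token.get(token)


def build_message(store, sender, recipient, list_id, subject, body):
    """Build a message carrying both one-click unsubscribe headers."""
    token = store.issue(recipient, list_id)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # Both headers should be covered by the message's DKIM signature.
    msg["List-Unsubscribe"] = f"<{UNSUB_BASE}/{token}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(body)
    return msg, token


def handle_unsubscribe(store, method, url, body):
    """Process one request to the endpoint; return an HTTP-style status."""
    if method != "POST":
        # Link scanners and prefetchers issue GETs; never act on them.
        return 405
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400
    prefix = urlsplit(UNSUB_BASE).path + "/"
    path = urlsplit(url).path
    if not path.startswith(prefix):
        return 404
    entry = store.lookup(path[len(prefix):])
    if entry is None:
        # Guessed or expired token: same answer, nothing is changed.
        return 404
    store.unsubscribed.add(entry)  # idempotent, repeats are harmless
    return 200


def demo():
    """Run constructed requests against the handler and collect the results."""
    store = UnsubscribeStore()
    msg, token = build_message(
        store, "news@example.com", "alice@example.net", "weekly",
        "Weekly digest", "Constructed sample body.",
    )
    url = str(msg["List-Unsubscribe"]).strip("<>")
    one_click = "List-Unsubscribe=One-Click"
    return {
        "header": str(msg["List-Unsubscribe"]),
        "token_len": len(token),
        # A GET (e.g. a URL scanner following the link) must not unsubscribe.
        "get": handle_unsubscribe(store, "GET", url, ""),
        # Someone holding only the address cannot form a valid URL.
        "address_as_token": handle_unsubscribe(
            store, "POST", f"{UNSUB_BASE}/alice@example.net", one_click),
        # POST without the RFC 8058 body is rejected.
        "bad_body": handle_unsubscribe(store, "POST", url, "x=1"),
        # The request a mailbox provider sends for the one-click button.
        "one_click": handle_unsubscribe(store, "POST", url, one_click),
        "repeat": handle_unsubscribe(store, "POST", url, one_click),
        "unsubscribed": sorted(store.unsubscribed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
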
| CobrastanJorji wrote:
| Why is list-unsubscribe optional for your senders?
| albertgoeswoof wrote:
| It's transactional email - so generally speaking it's not a
| subscription list that recipients are on per se. This is in
| line with the CAN SPAM guidance (although that is a US law
| it's good guidance to follow globally).
|
| Also it requires senders to actually implement it, which is
| not possible to confirm. Although we could add a catch all
| service that does this automatically, which I think we'll do.
| jedberg wrote:
| It's not clear to me how this is any different than before? Most
| of my spam that I actually see already has all those things
| (valid DKIM, one-click unsubscribe link, and a rate limit per
| sender).
|
| If you really want to fix email spam, create a micro-payments
| system. One cent for every email you send, the user has two
| options after they open the email: mark it as spam and keep the
| penny, mark it as legit and give the penny back. If they don't
| act on it within a week you get your penny back.
|
| Legit senders won't be harmed because they will get their pennies
| back, spammers won't be able to afford sending messages anymore.
| The real interesting part would be stuff like LinkedIn
| notifications -- if people find them useful they'd give the penny
| back, but companies would have to decide how many people might
| actually find it useful for their cost analysis.
| theglenn88_ wrote:
| If I had a penny for every legitimate email I marked as spam,
| I'd be a billionaire.
|
| Jokes aside, why wouldn't you just farm pennies by marking all
| emails as spam?
|
| You could say, "well you could detect people that abuse the
| system" - and now the mouse is chasing the cat.
| jedberg wrote:
| Because people would stop sending you email.
| AnthonyMouse wrote:
| The flaw is in giving the penny to the user instead of the
| email provider. If an email provider is claiming everything
| you send them is spam, you stop sending to them, which for a
| real email provider is a problem _if_ you're sending non-
| spam email their customers actually want.
| butlike wrote:
| You bring up a valid case. People farming pennies could be an
| issue, but on the other hand, farming pennies is a more noble
| cause, and one that ostensibly seems far easier to catch. I'd
| rather do a lookup to find the outliers who are harvesting
| pennies than to try and cat-and-mouse spammers who are
| masquerading as legitimate senders.
| ahoka wrote:
| You have invented bitcash, the ancestor of bitcoin.
| jedberg wrote:
| Well not exactly. The currency isn't the hard part, it's the
| payment transfer infrastructure that would be hard. If the
| big players all got on board and agreed to one thing we'd be
| off to the races.
| EvanAnderson wrote:
| Hijacking the thread: I do some "bulk" sending for a 501(c)3 I
| volunteer for. I include unsubscribe links that go to a form with
| a submit button (because I want the unsubscribe to be a POST
| request). Each link has a random opaque identifier in the query
| string. Something like:
|
| hxxp://example.com/unsubscribe?id=abcd1234
|
| A couple years ago I noticed MSFT IPs hitting my unsubscribe
| links with invalid identifiers on the query string. Anybody ever
| seen that?
| nwienert wrote:
| I thought it was part of CAN SPAM that you can't require a
| second action and that was why the big email sending providers
| moved to that.
| KeepFlying wrote:
| Probably true but how do you handle autodetonation of email
| links in that case? Too many email servers will click links
| automatically to check for issues.
|
| That was my understanding at least.
| justinator wrote:
| Unsubscribe link goes to a page that has a form that's
| automatically submitted via JavaScript. Disable that for
| the first 5 minutes of that link's life to get around
| automated things.
| EvanAnderson wrote:
| So many email security systems preemptively access every URL
| in messages. I found that I receive a GET for virtually every
| unsubscribe URL I send out.
|
| I don't read clicking a "confirm" button as a second action.
| The attorney didn't either. He also said CAN SPAM doesn't
| apply to a 501(c)3. I still try to comply to be a good
| citizen.
| jabroni_salad wrote:
| You can require a second action such as clicking a button.
|
| What you can't do is take them to a page that says "to
| unsubscribe, send a certified letter to our headquarters and
| wait 90 business days". The entire transaction must be
| completed at the page you link to.
| jcrawfordor wrote:
| It's not really common for clicking a link to immediately
| unsubscribe, almost everyone requires you to click a button
| after navigating to the unsubscribe link. Otherwise you have
| issues with link scanners unsubscribing your recipients
| without their knowledge. There are some more complex ways to
| approach this with JavaScript checks for "real browser" but
| IMO these are more likely to create frustrating friction to
| unsubscribing (by not working if the user has an adblocker
| for example) than having the user click a button.
|
| I've seen this pattern of unsubscribe link, then click button
| approved as CAN-SPAM compliant more than once so I don't
| think there's a legal concern. The CAN-SPAM rule seems more
| targeted at the systems you used to see a lot that required
| the user to log into their account, type in their email
| address, or figure out a complicated "communications
| preferences" list to use the unsubscribe form.
|
| check out https://www.ecfr.gov/current/title-16/chapter-I/sub
| chapter-C...
|
| It's a little fuzzy to me how exactly to interpret this but I
| think you could reasonably read it as allowing even
| unsubscribe pages that require you to type your email address
| in again (even though I detest these and don't think the
| problem they're intended to solve is a meaningful one).
| ClassyJacket wrote:
| Yes, I know I've seen someone talk about this before, I think
| it's their link safety checking thing:
|
| https://techcommunity.microsoft.com/t5/security-compliance-a...
| EvanAnderson wrote:
| It's odd that they're, essentially, fuzzing my app.
| vaporary wrote:
| Agreed, it's curious! I wonder if they would still fuzz it
| if you changed the URL scheme to include the identifier as
| part of the URL path, rather than as a parameter? e.g.,
| hxxp://example.com/unsubscribe/abcd1234
|
| Please report back if you try it :-)
| local_crmdgeon wrote:
| You may not have to comply with CAN SPAM legally, but I
| absolutely hate when orgs do this.
|
| Please try to make the world a better place instead of doing
| the legal minimum.
| EvanAnderson wrote:
| What else should I do? The list is double opt-in, every
| message includes a one-click unsubscribe link, full contact
| info for the organization is included, and I send text-only.
| austhrow743 wrote:
| My reading is that in your comment they replied to, you
| said you require confirmation for unsubscription.
|
| One click unsubscription is presumably what they want.
| EvanAnderson wrote:
| I require a button to be clicked to confirm. No entry, no
| JavaScript, nothing else. Just something to make a POST
| request because I receive GET requests for almost every
| URL I send out.
|
| My experience is that every unsubscribe goes to a form w/
| a submit button. Shitty ones make you type your email
| address. (Mine doesn't.)
| austhrow743 wrote:
| I don't have a problem with that but it's definitely a
| second click.
|
| Just did a bit of unsubscribing and sydneytools.com.au,
| abc.net.au, squabblr.co, bundlehunt.com, and
| healingstreams.tv all one click unsubscribe.
| jacobwg wrote:
| I've seen a hybrid where you have a form with a button to
| confirm, but include JavaScript to auto-submit the form
| on load. For the crowd that has JS disabled, they can
| click the button, but otherwise it's one-click from the
| email.
|
| No idea if this holds if/when the email crawler bots
| start executing JS on crawl.
| tomjen3 wrote:
| If you are sending out HTML emails, can't you just make the
| unsubscribe button a submit button in the form?
| EvanAnderson wrote:
| I am sending text-only messages. (I hate HTML email,
| personally.)
| exabrial wrote:
| In a previous life, we prevented the GET url problem by having
| a javascript POST and forward to a secondary URL.
|
| This allows everything to be "one click" (which honestly is a
| good thing) but prevents crawlers from accidentally triggering
| the unsubscribe.
|
| Not sure this still works today and obviously this is not legal
| advice.
| cxr wrote:
| Not an answer to the question they asked.
| Zambyte wrote:
| It seems like the more ideal solution would be to block the
| malicious IPs instead of lowering the accessibility of your
| site, no?
| sbuk wrote:
| It'll likely be the URL rewriting feature in Microsoft 365 and
| Outlook.com. The URL will be scanned before it's rewritten.
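
Added example, not part of the thread or any commenter's code: a minimal sketch of the unsubscribe endpoint pattern discussed above, where a scanner's GET changes nothing, only a POST unsubscribes, and unknown identifiers get the same answer as valid ones. The `/unsubscribe?id=` shape follows the post; the token store, function names and the RFC 8058 one-click headers are assumptions added for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: opaque token -> subscriber address.
TOKENS = {"abcd1234": "alice@example.org"}
SUBSCRIBED = {"alice@example.org"}

CONFIRM_FORM = ('<form method="POST"><button type="submit">'
                'Confirm unsubscribe</button></form>')
DONE = "You have been unsubscribed."

def new_token(addr):
    """Issue a random, unguessable per-recipient identifier."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = addr
    return token

def lookup(token):
    """Compare against every known token in constant time per comparison."""
    found = None
    for known, addr in TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            found = addr
    return found

def handle(method, url):
    """Return (status, body) for a request to the unsubscribe endpoint."""
    parts = urlsplit(url)
    if parts.path != "/unsubscribe":
        return 404, "not found"
    token = parse_qs(parts.query).get("id", [""])[0]
    if method == "GET":
        # Link scanners prefetch URLs with GET: show the form, change nothing.
        return 200, CONFIRM_FORM
    if method == "POST":
        addr = lookup(token)
        if addr is not None:
            SUBSCRIBED.discard(addr)  # idempotent: repeating it is harmless
        # Same response for valid and invalid tokens, so probing learns nothing.
        return 200, DONE
    return 405, "method not allowed"

def list_unsubscribe_headers(base_url, token):
    """RFC 8058 headers: the mail client itself POSTs to the HTTPS URL."""
    return {
        "List-Unsubscribe": f"<{base_url}/unsubscribe?id={token}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }
```

With the RFC 8058 headers set, the mailbox provider's unsubscribe button sends the POST directly, so the link in the message body can keep its confirm button without costing the recipient a second click in clients that support the header.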
| pirsquare wrote:
| This is the direct link to the guidelines.
| https://support.google.com/mail/answer/81126
|
| Strange there's no mention of transactional emails. Since we
| wouldn't include unsubscribe link for transactional emails.
| cuu508 wrote:
| Depends. I suppose it would not make sense to have
| "unsubscribe" for "reset password" notifications, but for
| "there's a new event in your account, come log in to see it"
| type notifications it would.
| justinator wrote:
| I'm a little unclear how these requirements differ from just
| setting up correct DKIM/SPF records, and having a one-click unsub
| link - or is this all they're saying?
|
| If so, sounds good to me.
| donmcronald wrote:
| That's what it sounds like to me.
|
| The cynic in me thinks it's a prelude to stuff like BIMI
| because that lets them add a large annual cost for anyone that
| wants decent deliverability. It's a way for large senders to
| use their market position to invent a new industry with a
| service we all have to pay for. Free money!
| johnklos wrote:
| You mean Yahoo isn't the rotting carcass of the company it once
| was? I see nothing but decay: their abuse addresses don't work,
| nor do any of the addresses they have in WHOIS, either for their
| domains or their networks, that haven't been switched to
| oath.com. Their SOA isn't real. They've basically stopped
| accepting abuse complaints.
|
| Is Marcel Becker, supposedly the "Sr. Dir. Product at Yahoo",
| according to this article, the only person working at Yahoo
| handling email these days? I'm only half joking - Yahoo is
| incredibly unresponsive when it comes to abuse.
| exabrial wrote:
| > Enable easy unsubscription
|
| Does that include the spam I get from Google? Because you guys
| have been sending non CANSPAM compliant emails lately with
| "Account Updates" which are thinly veiled marketing emails.
| Semaphor wrote:
| The only spam I get on my old Gmail account, is some democratic
| party people who think opt in is for chumps. So whenever I check
| that account, I click report spam for all their spam mails. Maybe
| their successor won't be such an ass. One of them recently lost
| his election and I was very happy about that.
|
| Edit: no idea why I only get democratic spam, maybe people with
| my name in the USA too dumb to enter their actual email don't
| like republicans. But I have no acceptance for spammers, no
| matter their politics.
| jabart wrote:
| Right now google allows the SPF domain, and/or the DKIM signing
| domain to be different than the From domain, not just a subdomain
| but an entire different domain. From an ESP perspective, will
| this drop shared SPF(Return-Path) domains? I'm assuming DKIM has
| to match, just not sure about the return-path side. It's a bit
| vague in the support article.
| tempnow987 wrote:
| Does anyone know if this will stop NGP Van emails (seems to be
| dem party platform). I cannot get off their mailing lists - they
| seem to resell the email constantly. I've probably unsubscribed
| from NGP emails 50+ times. It's crazy. How are they not entirely
| blocked?
| joering2 wrote:
| if you mean the email marketing software for political
| campaigns, then yeah sorry you are toasted (your email is) -
| they resell lists and spam everyone into oblivion. Apparently
| (as per Can-SPAM Act) politicians are (obviously) exempt from
| spam practices, so if you are mailing on behalf of politician
| or his campaign, it's all wild west no limits and no rules
| apply.
| thiht wrote:
| > It's clear that email has become an essential part of daily
| communication.
|
| Wow, I almost missed that!
|
| Apparently even Google has to start their blog articles with SEO
| crap like this
| killthebuddha wrote:
| If I wanted to learn everything there is to know about email and
| SMS spam/abuse policies, technical best practices, important
| standards, etc, what would be a good strategy? It feels like a
| super important but ridiculously intractable subject.
| adrr wrote:
| Can we add a TTL to marketing emails? Max length is two weeks
| before the email is automatically deleted.
| einpoklum wrote:
| We should all stop using email providers who are known to
| massively compromise our privacy, build profiles of our online
| activities, manipulate us through ads, pass lots (or all)
| information to the government, and consolidate ownership of too
| much of Internet communications and activity.
|
| Specifically, we should stop using GMail (and Yahoo), and
| encourage our friends to leave those services as well.
___________________________________________________________________
(page generated 2023-10-30 23:00 UTC)