Category Archives: Deliverability

Privacy Report 2020

data privacy
The second decade of the 21st century is shaping up to become known as The Privacy Decade. Recent legislation, both internationally and in the United States, is primed to change the parameters regarding what information about a person you can or can’t collect, and the limitations on what you can do with that information. One thing these regulations have in common is that they don’t restrict their data privacy requirements to emails sent from within their borders. If your emails are sent to subscriber inboxes within any of these states, you are deemed culpable for those violations and can be subject to hefty fines. Unlike previous legislation, such as CAN-SPAM and CASL, these new laws are not aimed specifically at email but are intended to address privacy issues across all devices, platforms, and services. They all do affect email because email involves the gathering of private data in the form of email addresses and, in some cases, names and locations. Each of these laws comes with its own set of restrictions, some more draconian than others.

More Restrictions

While some people might not care if everyone knows where they are every hour of the day, most of us value our privacy and like to have some say over what a company may or may not know about us. Accepting this and working with it is the best tactic for any email marketer. Try to game a subscriber’s private data was never a good idea, but all signs point to more restrictions and greater penalties for doing so as every country gets into the act. While there are no plans for upcoming legislation in this Congress, states such as California and Vermont have created their own stringent privacy laws and 2018 saw the passage of data breach notification laws in several states.

GDPR Arrives

The legislation that started the privacy protection ball rolling was the European Union’s General Data Protection Regulation (GDPR). This regulation set a high bar for an individual’s rights to access any data about them that a company gathers, as well as the right to have that data deleted (for more on GDPR, see our three-part series on the subject). It covers a staggeringly wide range of data—everything from a person’s email address to the geolocation featured in many digital cameras. It extends to any person living within the European Union, regardless of their nationality. If you send email to a person in the EU, you need to be GDPR compliant. Full stop.

California Picks Up the Torch

Taking its cues from the GDPR, the state of California came up with its own privacy regulation. Passed in 2018, the requirements of the California Consumer Privacy Act (CCPA) goes into effect January 1, 2020, and features many of the same restrictions as the GDPR, including the right to obtain one’s data from a company and the right to be forgotten. No other state has, as yet, passed such a strict law, but it looks like Washington State is set to follow suit with their Washington Privacy Act, which is also modeled after the GDPR.

As strict as the CCPA seems, it’s got nothing on the GDPR. The California law applies only to for-profit businesses, so nonprofits can breathe easy. Additionally, for-profit businesses need to have a gross annual revenue exceeding $25 million for the law to take effect, and your active email list must exceed 50,000 subscribers. It also only applies to tax-paying residents of California.

Brazil Follows Suit

In August of 2018, the Brazilian government signed into law the Brazilian General Data Protection Act (Lei Geral de Proteção de Dados Pessoais or “LGPD”). Like the GDPR, after which it was modeled, its scope is global, with companies in any country facing fines for violating its rules. As with the CCPA, the Brazilian law goes into effect in 2020. One notable difference between the GDPR and the LGPD is the latter’s inclusion of terminology pertaining to “non-discrimination”). It also addresses credit and health records with more specificity. Originally, the law had provisions for the establishment of an independent data protection authority, but the President rescinded that in a line item veto. The LGPD is more punitive than California’s law but less so than the GDPR. The maximum fine under the LGPD is 2% of a company’s Brazilian revenue up to 50 million in Brazilian Reals per infraction (about 13.4 million in U.S. dollars). Compare that to the GDPR’s 4% of an organization’s annual revenue or 20 million Euros (about 22.6 in U.S. dollars), whichever is greater.

And Then There’s India

Also getting in on the post-GDPR drive for stronger privacy controls, the Ministry of Electronics and IT (MEITY) in India has been hammering out its own privacy regulations—a process they started back in 2010. Following the 2017 Indian Supreme Court ruling declaring that privacy is a “fundamental right,” the MEITY finally got on the ball and drafted the Personal Data Protection Bill 2018 (PDP Bill), which contains many of the same features as GDPR, but with a few curveballs that already have companies crying foul. The main one is the requirement that all “personal data” on people residing in India must be maintained at a facility within India (although the bill doesn’t define what constitutes personal data—they’re leaving that up to the government). India isn’t the only country mandating such a restriction. China and Vietnam have similar restrictions, but neither of those countries could be considered free. Their governments exert a great deal of control over every aspect of data transfer and Internet use.

India, on the other hand, has a free market economy—some might say too free. It also has an online market second only to China in size, with close to 500 million Internet users. Restrictions making it harder for companies to conduct business aren’t welcome, and this requirement is already meeting with criticism and opposition. When the MEITY requested feedback on the bill, they received nearly 600 recommended changes, from both businesses and governments, including the United States.

Perhaps this is why, since its introduction, the government has had a few opportunities to pass the PDP Bill, but decided to wait until June 2019, after the new government is in place.

Congress Changes Its Tune

In 2009, U.S. Senator Patrick Leahy of Vermont tried to get his Personal Data Privacy and Security Act passed, but the bill never reached the floor. It was too much, too soon, and nobody had any idea yet the extent to which sites such as Facebook and Google would use personal data. Still, data privacy restrictions would be a hard sell in Congress, even today, if not for the increasing number of states tackling the problems on their own. All fifty states have laws concerning the reporting of data breaches, and 35 states have laws regarding the disposal of data. To complicate matters, the laws in each state are different. Some state laws apply only to business, while others only restrict the government, leaving private businesses to do what they want with your data. Some are quite stringent, while others are written in such general terms as to be virtually unenforceable.

Mostly in response to California’s legislation, the U.S. Chamber of Commerce and several other business-based groups are lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws.

Email’s Role in All of This

Unlike CAN-SPAM and CASL, this recent legislation doesn’t focus exclusively on email. In the case of GDPR, it regulates everything from website visits to in-camera geolocation. They all affect email marketing, although how much depends on your subscriber list. If your list is exclusive to the United States, and your gross revenues don’t exceed $25 million, then you can go about business as usual. None of the recent legislation will have that much impact on your email efforts. There is a lot more legislation on the books now concerning data breach notification, but that’s of more concern for the IT department than the marketing department.

If you have international subscribers or own a business that brings in over 25 million a year, we recommend you follow the rules of the GDPR. It is still the strictest of the current laws, so if you are in line with it, you should be fine for the others. For everyone else, there are a few things you can do to avoid problems. They include the following:

Make Your Terms Clear

Spell out in the clearest possible language exactly what you plan to do with the data you collect and make sure you include a statement to the effect that you will not use this data for other purposes or sell it to other companies.

Leave Boxes Unchecked

If you do any business in the European Union, this isn’t simply a suggestion, it’s the law. It’s less important in the States, but, like the single- vs. double-opt-in controversy, each approach has its supporters and detractors.

Respect the Privacy of Your Subscribers.

Email marketing is a double-edged sword. On one hand, we all like our privacy, but on the other, we also prefer receiving emails about things we are actually interested in. As an email marketer, the only datum you actually need is the email address, but, by itself, that makes for generic, “batch-and-blast” emails. Personal data helps improve the engagement and the receptiveness of your subscribers to your mailings. But don’t abuse it. Just because you can send an email saying “Hey Jill! I noticed you just visited our website fifteen minutes ago” doesn’t mean you should. It makes you look like a stalker, so avoid it.

The Ground’s Still Shaking

One thing is certain: This story is far from over. Right now, most of the fretting over the new laws has been a waste of time. How much they affect you is extremely variable. New legislation is cropping up in countries around the world every day and, as time goes on, it appears more and more likely that some national legislation in the United States will be enacted to bring the various states back into line. When that happens, we’ll take a look at this subject again.

The Year in Email

Happy New Year
Here we are again. Another year has come and gone. As always, there was no shortage of email flubs this years and we’ve collected a few of our favorites. Interestingly, we saw fewer of the “Dear [customer name]” errors that used to plague email marketing. Either people have finally made sure that their name fields contain information, or they’re starting to use dynamic content more. Either way, it’s nice to see that one go away. We’ll start the list with the one thing that doesn’t appear to be going away: the inactive unsubscribe link and CAN-SPAM violations.

Don’t You Dare Unsubscribe

unsub failAfter receiving ten unsolicited emails in just a few days from a company pretending to be Dawgs—a purveyor of ugly sandals—I tried to unsubscribe. This is what I got. How much of this is the sender’s fault and how much is the fault of their ESP, I can’t say, but needless to say, all of their emails went straight to the spam folder.

Unsubscribe? Never heard of it!

no unsub
How do I count all the things wrong with this email? From the needless word breaks to the disconnect between the offer (car rentals) and the company offering the deal (North Hills Clothing), this email cries “spam” at every level. How it ended up in my inbox is beyond me. I never would have clicked on the unsubscribe link on such a suspicious email, but this one doesn’t even have an unsub link!

See, We’ve Got an Unsub Link. I Think…

inactive link
East Midlands Trains does a good job of providing their physical address, and it looks like they’ve provided an unsubscribe link, but click on that link and nothing happens. A look at the email’s source code show where the problem lies:

<a href=”<%unsubscribe_link_text%>” target=”_blank” style=”text-decoration:underline; color:#333333;”>How to unsubscribe.</a>

There should be an actual URL listed in this href. Somewhere along the line, the unsub link got screwed up. Whether this was the email’s creator typing it in and accidentally using the wrong number of percentage signs, or HTML that was copied verbatim from a different ESP is hard to say.

Click Here. Go ahead. I dare you.

spammerYou can click on that unsubscribe link all day and nothing will happen. This is an odd one. If you look at the email’s source code, you’ll find an unsubscribe link that works and a physical address (Royal Caribbean Cruises), but you won’t find either in the email when it’s opened. There is an unsubscribe, but the one that’s displayed is missing its URL. It’s a sloppy piece of coding that has the body copy closing before the final content. Add to all of this that the email supposedly comes from Amazon but clearly does not. This is either badly designed spam, or phishing or both.

We’re Experts!

white text errorThe above example is the bottom of the page on an email. Yes, that blank white area below the signup button is part of the email. At first it may look like the information required by CAN-SPAM is missing, but it’s there. The problem is that the sender decided to use a dark orange background image and set the overlaying type (the physical address and links) in white. This email looks fine as long as images are turned on, but not everyone turns the images on. When the images are off, you end up with a seemingly empty white space at the bottom of the email. This error is bad enough on its own, but this particular email came from another email marketing service provider. Out of professionally courtesy, I won’t name them, but the “Friendly From” in their sender line refers to them as an “Email Markeitng” (sic) service. As if all this isn’t enough, the mailing is filled with buttons asking readers to “Read More” or “Check It Out!” but none of these buttons are linked.

We Prefer to Call It…

sneaky unsubThis runs dangerously close to violating CAN-SPAM, which specifies that mailings must have a clear unsubscribe link. Here they’re trying to be clever. It didn’t help that clicking on the link went to an unsubscribe page that requires one to enter their email address. Guess which email went into the Spam folder?

Readability is So Last Year

GucciGucci likes to stay fashionable, but sometimes fashionable and readability collide. Pink and gold might be an interesting combination for apparel, but it makes a lousy combination in a text box.

Did You Say &⁠#38 or &⁠#48?

weird codingThis one confuses us. The HTML clearly shows that special characters labeled “&⁠#38” were inserted between each word in this headline. That’s the HTML code for an ampersand, but there’s no reason for for ampersands to appear between each word in the headline. The most likely cause is the code was copy and pasted from one program to another, leading to the insertion of this character for no good reason.

Button, Button, Who’s Got the Button?

bad buttonsIn the grand scheme of things, this is a pretty minor infraction, but it’s if you are going to make a table cell in your email look like a button, it’s better to put the <a> tags around the cell instead of the type. In this example, you’ll only activate the links by clicking directly on the type. Clicking within the boxes has no effect.

We’re a Real Company, Honest!

stock photosWe can’t tell whether or not the way the words “social media” run down the left side of the image is some misbegotten design idea (we think not), but the CanStock watermark on the image is unforgivable. If you plan to use an image, either pay for it, or create your own version (paying for it is usually cheaper). Sending out email like this makes a company look suspiciously like a fly-by-night affair. Marketing Knowledge Cloud isn’t such a company, but you couldn’t tell it from this email.

Even Alt Tags Can Be Wrong

bad code
This one nearly caused my brain to explode. You can see in the text I’ve highlighted in yellow that the HTML codes for the right and left curly quotes are displaying instead of the curly quotes. That might have been okay, except that below it on the right, another article on the same page is displaying curly quotes in the same content. It that weren’t enough, as soon as I choose “display images” the HTML code disappears. A closer examination of the code revealed that this text appears as part of a styled alt tag (for more on stylized alt tags see The Finer Points of Styled Alt Tags). The code for the right curly quote reads: “&amp;#8220;” which will display as “&⁠#8220;” which is the correct code for that curly quote. Either somebody really wanted this to look exactly wrong, or they got confused. The right curly quote on the headline to the Page-Turner article has a value of x201C, which works, but it is hexadecimal code instead of the more common HTML code. If I had to guess, I’d say that the two article were written and formatted by different people and then assembled in the newsletter. One of them knows more about HTML than most people, while the other needs to go back to class.

All Tests Are Not Created Equal

media query errorThis looks pretty bad doesn’t it? The code contains media queries to make sure the content adjusts its size across various devices. The problem is, it’s wrong. This screenshot was taken from an iPhone. The first table is behaving as it should, but then the rest of the email goes all cattywampus. We suspect the person that created this simply tested the responsive results by resizing the window on their browser—a kind of poor man’s test environment. If you do that, this email looks fine, proving that there’s no substitute for the real thing.

I Are An Expert!

Speaking of testing, here’s an email from a company that that specializes in providing testing environments for all the various browsers and phones. Either they missed one, or they decided that the Mail program in Microsoft’s Windows 10 wasn’t worth worrying about. Either way, this isn’t something a company whose raison d’etre is testing email should ever be guilty of (to prevent further embarrassment, we’ve removed the company’s logo).

I Heard You the First Time

Amazon errorAmazon likes to send out notifications about newly available movies and TV shows. We’re not sure what happened here, but suspect that the API call that was suppose to register that the email had been sent wasn’t receiving the proper information and decided to keep sending until it was told to stop.

There’s Always One More Typo

misspelled glassTypos are the bane of every writer’s existence. So what’s worse than a typo in your content? How about a typo on the actual product you’re selling. This glass, offered by Bourbon & Boots, has what should have been a clever quote by Mark Twain, but we’re sure Mr. Clemens knew the difference between “then” and “than.” This error has gone uncorrected for over a year now.

Hey Everybody! We Value Your Privacy!

GDPR goofWhen the GDPR came into effect, lots of businesses scrambled to make sure they were compliant. Sometimes, these efforts were counterproductive to say the least. One of the worst came from Ghostery, who sent out an email explaining the steps they’d taken to ensure GDPR compliance. Too bad the included everyone’s email addresses in the “To” field.

Did I Say Mail Merge Errors Were Gone?

mail merge errorPerhaps I spoke too soon. Just when I thought I’d see a year without mail merge errors, this one landed in my inbox. It’s such an easy error to avoid with the careful use of dynamic content.

Our Next Speaker: Wyatt Earp

dead speakerOne of the more amusing apologies came from b8ta—a tech gadget store than sponsors meet-ups with inventors and start-up founders. We’re not sure how you’d confuse Ben Holt with Ben Einstein, but we guess it could be worse: They could have announced that Albert Einstein was going to appear at the b8ta store instead.

Don’t Do This. Not Ever.

fake oopsApology emails have a higher open rate than other emails, so one can see why a marketer might want to use this to their advantage. But apologies are a serous thing and pretending to apologize for the sake of sales puts you just one step away from being labeled a spammer. Don’t do it.

Okay, that’s it for this year. We hope you enjoyed that. In the end, the lesson to be learned is always the same: Test, test, test.

It’s Holiday Season again, and in keeping with past Holiday Seasons, here’s this year’s email game. This one is based on the classic “Shut the Box” but with an email delivery theme. We’ve modified the rules slightly to reflect aspects of email marketing and we’ve added a rule that simulates the difficulty of getting email delivered during the holiday season. It’s a very easy game to play and lots of fun. Enjoy!
Email Game

Rules

Players: Can be played by any number of players but will require additional printouts for more than two players. It may also be played as a solitaire game in which the player tries to beat their own score.

Requirements: Two dice.

Object: To get the most emails delivered. The winner is the person with the fewest remaining undelivered emails at the end of a round.

Before you begin: Print out the game, then cut out the player cards and the individual “Delivered” tags. Each player should have one player card and ten “Delivered” tags.

Start: Players choose who goes first by rolling one die. The player with the highest die roll goes first.
The first player rolls both dice and covers the numbered envelopes with the Delivered tags so that the total number on the covered emails matches the number on their dice roll. They may cover any number of envelopes as long as the total matches their roll. For example, if a player rolls a three and a six, they may cover the #9 envelope or cover smaller numbers to total nine (e.g., 5 + 4, 2+3+4, etc.).
It is then the next player’s turn to roll.

A player’s game ends when they cannot make any more moves. For example: If the player rolls a two and a four, but none of the remaining envelopes can be marked delivered to make a total of six (e.g., 2,5,7,8,9) that signals the end of their game. If the other player(s) can still roll and deliver emails, they continue until they have no moves left.

Scoring: At the end of their rounds, when no player can deliver any more emails, the players total the number of the envelope that has not been delivered. The player with the lowest score wins that round.

NOTE: In some versions of the game, the total number of points left are added to determine the score, but the goal here is to get the most email delivered, so the points don’t matter as much. A player who only had the #10 email left undelivered (total = 1) has a better score than the player who has the #1 and #2 emails left undelivered (total = 2).

Optional Holiday rule: From Thanksgiving until Christmas, getting your email delivered is notoriously more difficult. Mail that got through in October suddenly is landing in the bulk folder as the Holiday Season nears. To simulate this effect, we’ve created the Holiday rule. If you play the game using this rule, after you’ve finished your move the player on your right (or opposite player if two are playing) has the option of removing the delivered tag from one of your delivered emails. Using this rule does increase the strategic potential of the game.

A couple years ago, as a gift to our readers for the holidays, we offered The Email Game, a simple luck-based game that also served as an instructional tool for learning what to do, and what not to do when sending out your mailings. This year we’re back with a game we call Spam Attacks, based on the subscription bomb attacks that plagued ESPs everywhere in late 2016. The game is a dice and board game similar to Backgammon where each player moves from opposite points on the board and landing on an opponent’s piece will send it back to the beginning (or, in this case, into the Blacklist area). unlike the previous game, this you can win this game with strategy, although a certain amount of chance will still keep things exciting. Enjoy, and Happy Holidays!

Email Gameboard
Pieces:

Playing pieces

How to Play:

Before you begin: Print out the game board and playing pieces (envelopes and bombs). Cut out the six playing pieces separately. You will also need a standard, six-sided die.

Number of players: Two. Each player has three pieces
These are designated as the Email Marketer and the Spam Attacker. The Email Marketer uses the three envelope pieces. These are referred to as emails. The Spam Attacker uses the bomb pieces. These are referred to as spam attacks.

Object: For the Email Marketer, it is to get at least one of their emails delivered before all three are blacklisted. An email is considered delivered when it successfully moves off the playing board. For the Spam Attacker, it is to get all three of the Email Marketer’s emails blacklisted before they can be delivered. The Spam Attacker causes an email to be blacklisted by landing on the square occupied by an email. That email is then sent to the bottom of the blacklist (the square labeled “Blacklisted!”). The Email Marketer must restart the journey for that piece from that point. The first player to achieve their objective wins the game.

Rules:

The Email Marketer begins their journey around the game board by placing a piece on the square in the upper left corner of the board (labeled with a ►), They then move their pieces clockwise around the board to the finish line. The Spam Attacker starts by placing a piece in the square in the lower left corner (labeled with a star) and initially moving counterclockwise. The spam player pieces cannot leave the board once they are in play, nor can the enter the blacklist area. If a spam attack piece reaches either end of the playing area, it continues its journey back in the opposite direction. The Email Marketer may only move forward in a counterclockwise direction. They do not need an exact count to leave the playing area. The Spam Attacker can move in either direction, so it’s possible for the Spam Attacker to double back and tag a piece they have already past.

Each player can decide at what point they wish to add each piece to the playing field. If they have more than one piece in play, they can choose which piece they want to move next. They can only move one piece with each die toss, but they must move one of their pieces with each toss.

Safety Zones: There are three Safety Zones on the board (labeled with the Goolara rings). The Spam attacker cannot land on these squares. The Spam Attacker must jump over them in their move counts. The Email Marketer can land on these squares, and can keep a piece on one of the these squares as long as they want. Two emails cannot occupy the same Safety Zone. If an envelope lands on Safety Zone that is already occupied, the second piece must move to the next square after the Safety Zone. The email marketer can, however, create a temporary Safety Zone by placing two pieces in the same square (see Special Cases).

Winning the game: The Email Marketer wins the game when at least one of their pieces moves off the board. The Spam Attacker wins if they get all three of the Email Marketer’s pieces in the blacklist area.

Special Cases: If the only move an Email Marketer can make causes that piece to land on a Spam Attacker’s piece, the Email Marketer cannot move and loses that turn. If the Email Marketer has two pieces on the same square, that square becomes a safety zone as long as two pieces of email occupy it, and the Spam Attacker cannot land on it.

Variation: The game can be played with four players: Three Email Marketers and one Spam Attacker. Each player must move on their turn, so the Safety Zones offer limited protection. Play continues until one of the Email Marketers has successfully moved their piece off the board. The first player to do so wins the game. The Spam Attacker wins if they manage to get all three players in the blacklist area.


Special kudos to Sabine Kroschel of Pixaline for her lovely background image.

The Year in Email: A Look Back At 2016

By all accounts, 2016 was an extraordinarily eventful year. It saw the deaths of Fidel Castro, Muhammad Ali, David Bowie, Leonard Cohen, Carrie Fisher, George Michael, Leon Russell, Debbie Reynolds, Gene Wilder, and a whole host of others. Politically, it was the year of Brexit and a presidential election that caused the New York Times to take a hard look at their polling methodology. In sports, it was the year that the Chicago Cubs, after 108 years of losing, finally won a world series in a final game that played out like a movie script.

It was an eventful year in email too, but not necessarily in a good way. Some might argue that email—or, at least, email that wasn’t meant to be seen by the general public—helped lose the election for Hillary Clinton. August saw an organized subscription bomb attack of suspicious origin that temporarily landed several respectable news organizations on spam lists and caused Spamhaus to update their opt-in verification recommendations. In one respect, 2016 was a better than previous years. We saw fewer of the kind of clumsy design errors that we’ve seen in the past. Most of the really terrible errors came from sources that were questionable to begin with.

The Importance of Testing Across Platforms

It should go without saying that whenever you send out a message you should test it. If you are using Goolara Symphonie, or another ESP that has a preview feature built in, I’d start there. If you want to be extra careful, you can also send test mailings to several different addresses, or use the email previews available from Litmus and Email on Acid. Sometimes, a message looks fine in one email reader, but not so good in another. Here are some examples.

Aw Gee-Mail

misaligned iamges

If you’re going to have a problem displaying your email design in one provider, the provider should never be Gmail. After all, it is the most popular email reader out there, and it doesn’t cost anything to get an address, so what’s the problem? The folks at Orchard apparently didn’t learn this lesson, though. This particular email looked fine everywhere else, including the always problematic Live Mail, but completely fell apart in Gmail.

Dynamic Content Mishap

Bad dymamic content

One time when you absolutely must test before sending is when you are using mail merge or dynamic content.1 The example above is an actual email, sent to us with the subject line: “Your email.” A blank space between “Hello” and the comma would have been better than this. Well constructed dynamic content instructions would have prevented this from happening.

Hide and Seek

images covering type

A picture’s worth a thousand words, but this is email is pushing it. At first glance, it looks like Wired expects these images to do all the work, but look closely at the right edge of the top photo, just below the horizon. There’s a series of small dots there. A closer investigation reveals that those dots are the text hidden under each photo. This particular problem occurs in Microsoft’s recently abandoned Live Mail, and if Live Mail was the only email reader that had trouble with this mailing, I probably wouldn’t bother mentioning it. But Thunderbird also has trouble with the file, pushing the text and social links out to the right of the main table. Live Mail, at least, brings the text and social links back into the area where they belong, but then plops the photo down on top of everything. This wouldn’t matter if Wired bothered to provide meaningful alt tags, but the alt tags read: “Image for story 1,” “Image for story 2,” etc. Not exactly helpful.

A close inspection of the source code reveals the problem. Whoever put this email together did go to the trouble of using tables, but then they inserted divs into the mix. The code is also littered with ids and class tags that have no corresponding style instructions. It’s worth noting that all of the other mailings from the magazine look fine, and the ones for subscription offers include highly descriptive alt tags.

Honestly Missing Logo

Missing logo

That “Honest Mail Email Marketing” logo, looks suspiciously like nothing at all. A quick check of the HTML code reveals the problem:

<img src=”” alt=”Honest Mail Email Marketing Logo” width=”160″ height=”50″ border=”0″ style=”width:160px; height:50px;” />

They remembered to include the height, width, and border information. They even added alt text There’s only one thing missing: the actual source location for the image. Honestly, one test preview would have revealed this problem. There’s no excuse for it.

Code Fails

Some problems are simply the result of bad HTML. Sometimes it’s an out-and-out typo, but sometimes the problem is something subtle like including the DOCTYPE and HTML tags when you paste the email into the ESP app. Test previews and test send should catch most of these problems.

It’s Important, Procrustes

Bad image sizing

This email from Keurig suffers from a few problems. The image of the people chatting over coffee and the “Shop Today” button are obviously stretched. The designer put the correct size information in the properties for each of these images, but they forgot to add !important, so the sizing information was overridden in favor of the master table, stretching the images to match the master table’s 100% width requirement.

Knowing When to Link

button design

Having linking buttons is always a good idea, but knowing where to put the link is important. In this example from Camper, only the words “Women,” “Men,” and “Kids” are links. Since this text is placed in its own table, and that table has a bordered cell, it would make more sense to add the link to either the table or the cell. As it stands now, clicking anywhere inside the black border does nothing unless you click directly on the words. It’s a minor thing, but one worth remembering. Judging from the number of div tags in this email, I suspect that the author of this email is new to the form.

Button, Button, Who’s Got the Button?

fake button

Providing buttons that link to web content is never a bad idea. What is a bad idea is providing a button that is not a button at all. This email from Template Monster makes that mistake. Clicking on “Learn Now” simply brings up the image. To make matters worse, they’ve given it a blue border, further enforcing the perception that this is a link and not just an image.

Oops, I Did It Again!

Not to rag on Template Monster, but they don’t seem to have anyone checking the email before they send it. Here is the top of one of their emails:

Missing code

And here is the code for the logo at the top:

<a href=”#” style=”border:none;” target=”_blank”><img alt=”TemplateMonster” border=”0″ height=”40″…

Look at the href at the beginning of the line of code. This should link to their website, but it doesn’t. The pound sign (#) is a placer that indicates that although there is a link, it’s not going anywhere. Hover over it and it appears active, but clicking on it accomplishes nothing.

A little further down the page in the same email we get this:

Typo

The text in the orange button reads “Download You Gift.” I confess, I am always typing “you” instead of “your” so I can relate to this one, but a second pair of qualified eyes would have caught this immediately.

In the same email, every headline and image has a different link, even when they go to the same place. The headline about 20 free writing tools goes to the same page as the image next to it. I’m going to give them the benefit of the doubt on that one, and say that they did this to find out whether the images or the headlines are responsible for the most clickthroughs, but in the long run, isn’t that less important than the fact that they did click through?

That’s Code for …Code!

badly coded spam

I love it when spammers screw up. This was already obviously a spam message without having to even open it, but upon opening you’re presented with the HTML code for the message. When putting together a mailing in your ESPs visual editor, always make sure you are in the right tab (usually marked HTML) before pasting HTML code. Otherwise this might happen to you. Of course, any decent email marketer would have previewed the mailing, but these people tend to work fast. I’m surprise this doesn’t happen more often, actually.

Shopping Links

Sometimes there’s nothing wrong with an email, until you click on one of the links. Then you suddenly find yourself staring at a page that has nothing to do with anything. Retail stores appear to be the worst offenders, which is odd since so much of their business is contingent on people getting to the right page and ordering the product they want.

I Know It’s Here Somewhere

missing products

Fab has, in the past, shown products in their mailings that aren’t on the landing page. In most cases, the products shown are available, but buried on the second or third page of the sale listings. That’s fine. Lots of companies do this, so the public is used to it. But in the email shown above, the “Cosmo Complete Set” and Captain America print don’t even show up in any of the lists. Clicking on them takes you to the a sale page, but neither product is on any of the sales pages. If you want to buy either of these items, you’ll need to enter them as search queries on the web site.

Now Go and Find Me

not on site

Normally, Bed, Bath & Beyond is one of the better companies when it comes to email marketing, they always provided meaningful alt tags, their design is easy to read on both a desktop computer and a mobile phone, and their links, in most cases, go directly to the products shown. Here is one of their rare missteps. Clicking on this product does not take you to the products, or even anywhere near the product. A clue lies in the button labeled “Find a Store”—only it’s not a button. Clicking anywhere in the image will take you to BB&B’s Find a Store page. I suppose they justify this by pointing out that the product isn’t available online, but that’s no reason that this couldn’t be included on a page with more information on the product.

Alt, Right?

I bring it up every year, but every year there are plenty of examples of companies forgetting to add alt information to the img tags. While it’s true that services such as Gmail and the iPhone display images as the default, some people still prefer to keep the images turned off. Alt tags not only impart information on what they are missing, they also can provide incentive to display images as well. Here’s an example from Warby Parker that demonstrates the worst case scenario:

no alt tags

Now here’s a company that knows how to do it right, Bed, Bath & Beyond:

Good alt tags

Quite a difference. Perhaps the guys at Warby Parker assume that people will always want to display their images, a questionable assumption.

Unsubscribe Catastrophes

Unsubscribing should never be a hassle. Nobody is happy when a recipient unsubscribes, but it’s better than having that person mark your mailings as spam because they can’t figure out how else to get you to stop sending them things. Some marketers go to extraordinary lengths to making unsubscribing difficult, treading very close to the legal requirements of CAN-SPAM. A few cross over to the dark side. Here are this year’s worst offenders.

Unsubscribe? fUGGedaboutit!

No unsub link

CAN-SPAM has a few hard and fast rules. One of them is that you have to have an unsubscribe link. You also have to have a physical address. This email has neither. The supposed unsubscribe link takes you to the home page for the company. Not surprisingly, this email is not from an official UGG site at all, but a spammer that is trying to make their site look as legitimate as possible.

Email Purgatory

Missing unsub link

Unlike the previous email, this one is from a legitimate company (T-Mobile). This part of the email—which is commented in the HTML as “legal footer”—contains the physical address, privacy policy information, links to their various plan options, and instructions for how to ensure that email from them does not wind up in the spam folder. What it doesn’t include, however, is an unsubscribe link—an unequivocal violation of CAN-SPAM.

Go Ahead and Try to Unsubscribe! I Dare You!

bad unsub link

When it comes to anti-spam laws, the USA is about the most lax, but they still require two things: A physical address and an unsubscribe link. So when I get an email like this, it makes my blood boil. Here’s what you get when you click the unsubscribe link:

unsub fail

As one might imagine, this one went straight to the spam folder.

Crouching Promo and Hidden Unsub

unsub in image off

A nearly as devious method of hiding the unsubscribe was used by Lids, a company that specializes in sports caps. Here’s the bottom of their email with the images turned off:

You can see there’s a physical address, but where’s the unsubscribe link? Now here’s the same section of the email with the images displayed:

unsub in image on

Ah, there it is! They’ve made unsubscribe part of an image. To make matters worse, they used an image map to separate the various categories shown. I’m not sure what the thinking was here. Attempts to reach them went unanswered. Just to add insult to injury, I never signed up for this email, it was someone entering the wrong address either accidentally or on purpose.

Sure, There’s an Unsub. It’s Just Not Yours.

Another highly questionable approach to handling unsubscribes came from, of all companies, Salesforce:

Salesforce CAN-SPAM violation

I’ve blurred the names to save some embarrassment, but I can verify that the author of this email comes from Salesforce, promoting a webinar Salesforce has co-sponsored. Yes, there’s an unsubscribe link, but only in the forwarded content. Presumably that will only work for the original recipient, not for the person to whom the email was forwarded. This means that Salesforce, the largest SaaS-based, customer relationship management (CRM) provider on the planet, a company with its own email marketing solution, just sent me a promotional email without an unsubscribe link. It is a tactic worthy of a Viagra spammer. It doesn’t help that there’s a typo in the very first sentence. I dearly hope the author of this email is new to Salesforce.

Subject Line Fun

The subject line is the most important part of your mailing. If a subject line doesn’t provoke the recipient to open the email, then all your hard work providing good content and responsive design is for naught. Here area few subject lines that either failed miserably or worked brilliantly, or, in the case of the first example, simply overdid things.

Hello, It’s Me Again

Too many emails

Some email marketing experts are big fans of the practice of sending high quantities of email to your recipient list. It is a topic hotly discussed on email marketing forums, and each side can back up their position with plenty of facts and figures. But even the most ardent fan of high-volume sending would agree that Travelocity is pushing it here, sending an email every hour or so from two in the morning to five. It doesn’t help that all of these were sent at times when no others were sending out email, leading to all four messages being bunched together. Perhaps that was the idea, to create a sort of billboard for Travelocity residing in the inbox.

Did I mention…?

same email

It’s not usual for companies to offer multiple newsletters. Nor is it unusual to send these newsletters out on the same day. What is unusual is the use exactly the same subject line and content on both mailings, right down to the “You are subscribed to PCMag Tech Deals as…” at the bottom of each page. Given that a normal announcement from PCMag reads “You are subscribed to PCMag Announcements as…” and is usually some sort of deal on a PCMag subscription, I’d chalk this one up to either a mistake or laziness.

I’m Either a Realtor or a Marketer

email goof

Even we email marketers make boneheaded mistakes. To their credit, the folks at EEC caught this and quickly followed up with an apology.

A Special Odaer, Ordrre, Ordeorr…Oh Forget It!

typo in subject line

“Order” is a hard word to screw up, but whoever put this email together seems to have had a terrible time with it. They misspelled it in the subject line, and then again in the content.

Okay, I’m not REALLY Out of the Office

Out of Office trick subject line

I think I know what Sephora was trying to do here. This was an attempt to equate being out of the office with their summertime contest. Sending a fake out-of-office autoreply isn’t the worst misuse of a subject line, but it’s pretty sneaky and isn’t likely to endear you to anyone.

You know nothing, Jon Snow.

Game sof Throne subject line

As a fan of Game of Thrones, I enjoyed the use of GoT references in the subject line and “friendly” from, but I’m not sure that a company that specializes in predictive marketing is the right place for this approach. This link leads to a series of videos in which they try to show the marketing lessons available in the HBO series. That is more a testament to the ability of the human brain to find patterns where none exist than any marketing subplots lurking in George R.R. Martin’s on-going saga. This kind of subject is better served on a site such as ThinkGeek, which specializes in products attached to all aspects of geekdom, from TV shows or computer games. For them, even this is acceptable:

Konami Code subject line

A combination of keystrokes known as the Konami Code, a cheat that gives gamers additional powers while playing. If you’re in the real estate business, this probably isn’t a good subject line, but it works quite well for a company whose primary audience resembles the cast from The Big Bang Theory.

Location, Location, Location!

Deliverability fail

Sometimes, a subject line, by itself isn’t anything special, but where you find it makes all the differences. I found this one in my spam folder. I could say “Physician heal thyself,” but this just demonstrates what a complicated subject deliverability is.

That’s it for this year! We can’t wait to see what 2017 will bring. We predict more email address providers will follow Gmail’s lead in allowing CSS in email. On one hand, this means we can get more creative in our email designs, but on the other hand, it means more places for things to go wrong. If there is a moral to this blog post, it should be obvious by now: test, test, test. For more on the subject of how to deal with email mistakes, check out our white paper on the subject: Oops! – Handling and resolving email marketing mistakes.


1. If you’re not using dynamic content, you’re missing a real opportunity to improve your email engagement results. Jordie van Rijn explains how and why in his article, Making the most out of Dynamic Email Marketing. For more on Goolara Symphonie’s powerful dynamic content visits, visit our dynamic content page.

CAPTCHA and Release

captchas drive me crazy
[Note: This is the second in a two-part series on subscription bombing and how to defuse it. Last time, we looked at the techniques used to create recent attacks. The time we look at the technique Spamhaus recommends as the best way to avoid ending up the victim of a subscription bombing: the CAPTCHA.]

As we discussed in our last blog article, the best way to prevent subscription attacks, according to spam listing companies such as Spamhaus, is to use a verification test in your email signup form. The best known of these, and the one that Spamhaus recommends by name is the CAPTCHA. CAPTCHAs can be a pain in the neck sometimes, and when they are not easy to solve they can cause people to just give up trying and leave your site. But newsletter signups that don’t require CAPTCHAs are just what subscription bombers look for. If you find yourself on the receiving end of one of these attacks, you’ll have a lot more work to do to recover your reputation score, and will, after that, have to use a CAPTCHA anyway. Having accepted, however unhappily, that CAPTCHAs are a necessity, we’ll look at different CAPTCHA technologies that are available today.

The best known form of CAPTCHA is the reCAPTCHA, version 1, which consists of a small box displaying two distorted words (usually consisting of one real word and one that is gibberish). You are asked to enter the words you see, and if your answers are incorrect, you are presented with two new words and asked to try again.

sample captcha

ReCAPTCHA was developed by a group of computer scientists at Carnegie Mellon University who recognized that CAPTCHA technology offered a great crowd-sourced way to achieve better OCR. If the OCR software couldn’t identify a word, sometimes humans could, which meant you could feed words to people that computers couldn’t recognize. That’s why in 2009, the ReCAPTCHA technology was acquired by Google for their Books project, and was used by the New York Times to digitized their archives. This seemed like a good way to block fake signups, but they didn’t factor in either advances in OCR software, or the low costs of doing business in third world countries.

Capturing CAPTCHAs

Almost as soon as they appeared, people started working on ways to crack the CAPTCHA codes. One company we found in India offers workers around 90¢ and hour to solve as many CAPTCHA codes as humanly possible. Those who can’t do it quickly or who make too many mistakes are kicked off the service. This is a time-consuming way to crack CAPTCHA codes, but by offering wages far below anything most people could live on the authors presumably make it worth the effort. Just to pour salt in the wound, anyone interested in doing this thankless work is expected to pay a fee to join.

Meanwhile, OCR software kept getting better, so it wasn’t long before someone had the bright idea of creating a bot that used OCR to identify the words in a CAPTCHA. It doesn’t always get it right. In fact, it often gets it wrong, but it doesn’t matter. Unlike a human, who is going to give up in frustration after a few tries, a bot can keep trying and trying until it gets it right. Since their advent, bots have become a major problem for word identification types of verification. To counter this, word-based CAPTCHAs became more distorted and harder to decipher for humans and bots alike. We’ve all seen the results of this battle over decipherability. We’ve all encountered CAPTCHAs so hard to identify that it takes us a few tries to get them right, and we all have better things to do with our time than enter meaningless words in an attempt to receive more email.

captcha collection

An assortment of actual CAPTCHAs collected from various sites.

To solve this problem, a new kind of ReCAPTCHA was created that relies on the natural differences between software and the human brain. This made it easier for humans to recognize the words, while keeping it hard for the bots the do the same. In recent variations, a reCAPTCHA might ask users to identify images instead of scrambled type relying on human intuition to solve. Take this example:

image captcha

At the top of CAPTCHA we are presented with an image (in this case, a cat) and asked to find all the images with matching content. This is a mixed bag. It will certainly block bots from finding a solution, but it also presents us with instructions that those of us who skew towards the Asperger‘s end of the spectrum and tend to take things too literally might also find perplexing. The picture at the top is an adult gray tabby, but the pictures below are all of kittens and only two are gray tabbies. We realize most people won’t get this granular with the data, and that’s what Google is counting on. The top picture is a cat, so humans will click on all the pictures of the same animal, even when every other aspect of the picture is different.

I’m Not a Robot

No Captcha

Two years ago, Google introduced a version of the ReCAPTCHA they call a “No CAPTCHA reCAPTCHA.” With this type of CAPTCHA, there’s no need to try and decipher heavily distorted words, or squint to make out blurry photographs of street numbers, or identify various animals. You check the box labeled “I’m not a robot” and you’re done. The No CAPTCHA reCAPTCHA uses Google’s Javascript API and a form, and appears, for now at least, to be an excellent choice for verification. Spamhaus likes it, and it produces the least amount of hassle in the signup process.

Gamifying the Process

A variation on the CAPTCHA that is designed to alleviate the annoyance of typing in meaningless words is the addition of gaming elements to the verification process. With this technique, you are asked to complete some simple task to verify that you are a human being. The task is always simple and resembles a children’s game in its approach. You might, for example, be asked to “put the carrots in the shopping cart.” The picture will show an image of an empty shopping cart with images of various groceries floating next to it. By clicking and dragging the image of the carrots to the image of the shopping cart, you verify that you are a human.

gamify

gamify2

These gamified verification techniques are effective approaches to the problem, although we haven’t seen that many instances of their use. They appear to be acceptable to Spamhaus as well. According to them, “…any mechanism that successfully keeps bots from abusing signup forms is good and absolutely necessary nowadays. Captcha is currently the best mechanism, and whatever the captcha test does (task, game, whatever) is also fine as long as bots can not easily defeat it.”

Alternatives to CAPTCHA

CAPTCHA is, by no means, the only way to verify a signup. Programmers continue to invent new ways to foil the bad guys. A couple alternatives are the Honeypot and the Social signup. Before choosing either of these, you should note that Spamhaus prefers a CAPTCHA verification that requires the user to perform a task. That’s not to say these are not effective in blocking bots, only that implementing them might not help you get off the SBL. As of right now, a CAPTCHA-type mechanism is the safest way to go.

Honeypot Verification

One of the earliest attempts to simplify the process of signing up and restrict it to real people is the use of a honeypot. The idea is simple: A form is hidden in the HTML for a page, but it isn’t visible on the page, so no human visitor to the site should ever know about it. Since bots don’t visit pages this way, but, instead, look at each page’s code for forms, they will see the form and attempt to fill it out, thus identifying them as bots and not humans. It is a wickedly clever technique for fooling the bots, although, as we’ve already discussed, bots have gotten much more sophisticated over the years and are seldom fooled by this technique anymore. It can also cause problems with browsers that have CSS turned off, and with ones such as Safari that autofill forms. It is still in use, but is often combined with a more interactive signup.

The Social Approach

facebook signup

As social sites become more and more important to people’s daily lives, we’ve seen a corresponding growth in sites that require social signups. Instead of entering words or playing games, you are offered a button that says “Sign Up With Facebook.” This approach lays everything on the line, but it also stands a significantly higher chance of losing the audience. Several studies have shown that people just don’t like using their Facebook accounts for promotional purposes, still preferring email as the main source for sales announcements. We don’t recommend using this approach except for those rare cases where your Facebook profile is your main sales mechanism.

At this time, we recommend the “No CAPTCHA reCAPTCHA” for your verification purposes. It satisfies Spamhaus’s requirements, and it makes the signup process as easy as possible for your subscribers. Of course, if history is any indication (and it usually is), it’s just a matter of time before this approach is compromised, and we’ll have to find a new way to verify newsletter signups. It is important to remember that nothing in the field of email marketing remains static. There’s no set-it-and-forget-it solution. You’ll still want to keep track of your email data to see if there are any anomalies occurring.

Defusing Subscription Bombs

subscription bombs
On Monday, August 15, people all over the world woke up to find their email inboxes stuffed with unwanted email, victims of an organized and relentless “subscription bombing” attack. This attack used a bot designed to find sign-up forms and enter thousands of email addresses on a site before moving on to the next one, where the process was repeated. Before the bot was through, each address ended up subscribed to hundreds of newsletters. The owners of the email addresses remained unaware of what had happened until they started receiving the emails. Faced with what appeared to be unsolicited emails, they did what many people would do in this situation: they flagged the mailings as spam, which sent the reputation scores for the attacked companies spiraling down.1

Most of the companies that were victims of this attack were respectable, legitimate companies whose only crime was that they made their newsletter sign-up processes too easy, also making it easy for attackers to enter false information. Many well-respected email senders suddenly were having trouble landing in the inbox and were getting relegated to junk status. Even the New York Times felt the effects of this attack.

The attacks started over the weekend, but because not everyone checks their mail services on Saturdays and Sundays, by Monday morning some accounts were packed with new, unwanted emails. In many cases, the amount of emails was massive enough to make it impossible to identify and separate the legitimate mailings from the junk. More diligent people took the time to try and unsubscribe from these emails, but as security expert Brian Krebs noted, “By the time I’d finished deleting and unsubscribing from the first page of requests, there would be another page or two of new newsletter-related emails.” For most people, the easiest solution was to select all the new email and either delete it or mark it as spam, which sent reputation scores spiraling. Suddenly, hundreds of a company’s mailings were being identified as spam, landing several legitimate companies on blacklists.

High-profile companies that use a single opt-in method without a verification test appeared to be the most at risk, but were, by no means, the only ones affected. Many of the sign-up email addresses ended in “.gov,” suggesting that the attack might have had a political motive behind it. A belief strengthened by the recent Russian hacker reports. Some people have speculated that it was simply the work of bored computer geeks out for kicks. Whatever the reason, it caused many legitimate companies to wind up being blacklisted.

No Easy Unsubscribe

The problem was exacerbated by the fact that, by its very structure, there’s no quick way to mass unsubscribe from several email subscriptions. It’s easy to select a dozen emails and either delete them or send them to the spam folder, because both of these actions occur within the mail reader. Unsubscribing is a little trickier. Each piece of email must be unsubscribed from separately. There’s no way to select a batch of emails and unsubscribe from them en masse because the unsubscribe information for each piece of email is going to a different place and is handled in a different fashion. Some require verification, others present a display of settings that need to be unchecked.

Some services, such as Gmail, Outlook.com, and the latest update to the iPhone’s Mail app feature an unsubscribe button, but only when the unsubscribe link in the email leads to automatic unsubscribe. Links with multiple choices, or multiple step unsubscribes don’t show up. So when hundreds of emails arrive in the inbox at the same time, nobody (Brian Krebs notwithstanding) is going to go to the trouble of trying to unsubscribe separately from all those mailings. It is far easier to accomplish the same effect by selecting everything and deleting it, but since none of these emails were actually solicited, it is even more likely for people to use the spam button to show their dissatisfaction. When enough people do this, blacklisting services, such as SpamCop, Junk Email FIlter, Barracuda, and especially Spamhaus, sit up and take notice.

Blacklists

How each of these blacklist services handles junk mail varies, with equally varied results in terms of effectiveness. The most well-known and commonly used blacklisting service is Spamhaus. When Spamhaus decides to put you on their “Spamhaus Block List” (SBL), you’ve got a serious problem. Everyone from Yahoo to McAfee, and Gmail (to some extent) use the SBL data, so staying off this list is mandatory of you ever want your mailings to be read.

After this latest subscription attack, we saw several obviously legitimate news organizations end up on blacklists after this attack. Getting on this list is relatively easy. Getting off it often takes a concerted effort by your ESP or deliverability team. How difficult that process is will depend on several factors, such as past transgressions as well as subjective considerations, such as the general impression of your site by the people at the blacklist service (and not just Spamhaus either).

The Double Opt-In

Spamhaus has always maintained that the double opt-in (DOI—also known as the confirmed opt-in) will help prevent surreptitious sign-ups. Some services, such as MailChimp, now use double opt-ins exclusively (much to the dismay of their subscribers if the questions Quora and Reddit are any indication). But a DOI doesn’t solve the initial problem of bot sign-ups. Even Spamhaus acknowledges that a DOI does not automatically prevent your company from landing on their blacklist. The recipients will still receive that annoying first deluge of DOI verification mail, which, when thousands have been entered, is enough of a problem by itself. The double opt-in might keep the problem from compounding though, which is certainly preferable than continuing to send emails to increasingly more annoyed recipients.

For Canadian and European emails, where adequate verifications of acknowledged sign-ups are required, the double opt-in is already the safest option. While most ESPs (Goolara included) let you decide what sort of opt-in procedure you want to implement, you should be aware that a single opt-in puts you in greater danger of a malicious and erroneous sign-ups. If your site is popular enough to experience more than one or two sign-ups a day, you should consider switching to a double opt-in.

CAPTCHAs

Currently, Spamhaus recommends the use of a CAPTCHA as part of your sign-up process. A CAPTCHA requires an action by the user, such as solving an equation or identifying two words that are either distorted or partially obscured by a pattern. They are easy to implement and may be the only way to get your company off the SBL. The most common one is ReCAPTCHA, which is provided by Google, but there are others on the market. We also recommend using a CAPTCHA, but this technology brings its own set of issues, which we’ll take a look in more detail in our next blog post.

Worst Case Scenario

So what do you do if you’ve already fallen prey to an attack? Preventative maintenance is always the best course of action. Besides double opt-ins and the use of a CAPTCHA, a regular practice of looking at your report metrics and subscription sign-ups can alert you to potential problems before they get out of hand. Noticeable increases in the amount of email being greylisted or sent to the junk folders might be a warning sign of worse things to come. Sudden increases in sign-ups from “gov” sources can also indicate potential bot attacks, so you may want to segment out these mailings for closer examination. In most cases, though, these attacks are sudden and unexpected, and nothing you do once the attack starts will stop the problem from escalating.

If you do end up on a blacklist, you should notify your ESP immediately and see what steps they can take to solve the problem. Some ESPs, such as Goolara, also offer deliverability services, and they can help you get your IP removed from the blacklist. Otherwise, you might want to seek the services of a professional deliverability expert. As long as you don’t have a history of sending to spam traps (which will normally only occur if you don’t keep your list up to date, or have a nasty habit of buying questionable lists), you should be okay.

Next time we’ll take a closer look at CAPTCHAs and other methods of sign-up verification.


1. The reputation score is how email services identify whether a mailing has any value. The higher your reputation score, the better your chances of ending up in the inbox. For more information on this, see our white paper Deliverability Enhanced.