This posting has been a long time coming, and is probably longer than ideal, but for those who send bulk emails there may well be some useful tips in here. For convenience, anyone who uses a cloud-based service that sends email on their behalf is also counted here as a bulk email sender.
Some bits get very technical. If you want to skip over those details, feel free, but bear in mind that email without the technical bits won’t work, whatever the sales person tells you!
Ham is of course email that isn’t spam.
But what is spam? It depends on who you ask but :-
- It is email that the recipient doesn’t want to see. Whilst this is the least specific definition and the hardest to work to, it is perhaps the most important one. If the recipient doesn’t want to receive your email and hits the “This is Spam” button, your emails will be added to a statistical model and/or a machine-learning classifier as an example of spam, making it less likely that future emails will be delivered without being filed away into the dreaded “Spam” folder.
- It is unsolicited bulk email, which is the original technical definition of spam: unsolicited because it isn’t asked for (but what counts as “asking”?), bulk (but does generating individually customised versions mean it is no longer bulk?), and email (because sending unsolicited bulk instant messages isn’t quite so annoying?).
There is also a legal definition of what counts as spam but that is beyond the scope of this article.
Phishing can be considered a sub-type of spam: bulk email designed to fool you into doing something you should not, such as “logging in” to an attacker’s portal designed to look like a Google authentication page, or, less technically, paying for something.
As one of the techniques used to fool recipients, phishing very often forges the sender address to make the message look more official. For this reason, technical controls that make forging sender addresses harder are now widely deployed.
One of the selling points of cloud-based bulk email senders is the control panel that claims to show how many recipients have received and read your emails. Perhaps unfortunately, email just doesn’t work that way: there is no reliable “read receipt”, so “opened” is usually inferred from a hidden remote image being fetched when the message is displayed, and “clicked” from links that have been rewritten to pass through the sender’s servers.
Bulk email senders have been engaged in a low-level war with email privacy activists, with one side inventing new ways to track what recipients do with their email, and the other side trying to prevent that “invasion of privacy”; a mail client that does not load remote images by default, or that fetches them through a proxy, defeats the open tracking entirely.
Whilst the standard for “Do Not Track” has failed, there is still widespread support for it (as shown above), and some people are using “ad blockers” as a more effective alternative.
In summary: you cannot be sure that the control panels of cloud-based bulk email senders are actually tracking what they claim to be tracking.
The Indigestible Acronyms
Email by itself is not secure in any way: you can claim to be anybody you want, and the contents of the email are not protected either; if an attacker can intercept your email, they can read it.
The early solution to this problem was PGP which, whilst technically excellent, requires senders and recipients to actively participate and to have a rather high level of technical expertise. So it was widely ignored, although it remains an excellent solution for communication requiring very high levels of assurance.
But the problem of forged email not only remained but grew, so other solutions were developed: solutions that reside within the email infrastructure and do not require sender or recipient participation.
Whilst the Domain Name System sits underneath email, it also sits underneath every Internet application (and many others). It is most commonly used to look up names such as “www.example.com” and return network addresses (such as 192.168.172.31).
But it can also publish other information, and it is widely used by the various email security enhancements. Each of the standards below is implemented as a record added to the DNS; for example, SPF requires publishing a text record of the form “v=spf1 include:_spf.google.com ip4:22.214.171.124/16 -all“.
SPF (Sender Policy Framework)
The SPF standard publishes a record in the DNS that allows an organisation to specify which network addresses may send email claiming to be from that domain. For example, we have an SPF record specifying that email from @port.ac.uk can come from 126.96.36.199/16 (the UoP public network address), Google’s network addresses, plus a rather large number more. Strictly, SPF is checked against the envelope sender (the bounce address, which is often the bulk sender’s own domain) rather than the From: address the recipient sees; it is DMARC, below, that ties the two together.
An SPF record is limited: the text record itself must fit in a DNS response, and evaluating it may require no more than ten DNS lookups in total (every include:, a, mx, ptr, exists and redirect= term counts, including those inside the records it includes). Exceed that and receivers return a permanent error and treat the record as unusable, so the more bulk email services we add to it, the more likely we are to break email. For this reason there is an initiative to consolidate the bulk email services we use and reduce their number.
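As an added example (not code from the original article), here is a small SPF evaluator in Python that runs against an in-memory DNS table instead of live DNS, so it works offline. Every domain name, address and record in it is constructed for the illustration. It shows the two points above: how include: chains are followed when deciding whether a sending address passes, and how the RFC 7208 limit of ten DNS-querying terms turns into a permanent error once a record (together with everything it includes) grows too far. It also shows a subtlety practitioners trip over: because evaluation stops at the first matching term, an over-long record can still “pass” for some senders and only fail for the ones that reach the eleventh lookup.

```python
import ipaddress

# Constructed in-memory DNS for the example; real code would query live DNS.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:bulk.example "
                   "ip4:203.0.113.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "bulk.example": "v=spf1 a:mx.bulk.example include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # An over-long record: eleven includes is one more than the limit allows.
    "bloated.example": "v=spf1 " + " ".join(
        f"include:v{i}.bloated.example" for i in range(11)) + " -all",
}
DNS_TXT.update({f"v{i}.bloated.example": "v=spf1 ip4:192.0.2.1 -all" for i in range(11)})
DNS_A = {"mx.bulk.example": ["100.64.0.5"]}  # constructed A record for the a: mechanism

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


class SpfPermError(Exception):
    """The record cannot be evaluated (here: too many DNS lookups)."""


def _count(counter):
    """Charge one DNS lookup against the per-evaluation budget."""
    counter["lookups"] += 1
    if counter["lookups"] > MAX_LOOKUPS:
        raise SpfPermError("more than %d DNS lookups" % MAX_LOOKUPS)


def check_spf(ip, domain, counter=None):
    """Evaluate the SPF record of `domain` for a message sent from `ip`.
    Returns pass/fail/softfail/neutral/none, or raises SpfPermError."""
    counter = {"lookups": 0} if counter is None else counter
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1 "):
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv6 sender is never inside an IPv4 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            _count(counter)
            inner = check_spf(ip, arg, counter)
            if inner == "none":
                raise SpfPermError("include:%s has no SPF record" % arg)
            matched = inner == "pass"   # only an inner "pass" matches
        elif mech == "a":
            _count(counter)
            matched = str(addr) in DNS_A.get(arg or domain, [])
        else:
            # mx, ptr and exists cost a lookup too; not resolved in this example.
            _count(counter)
        if matched:
            return QUALIFIERS[qual]   # first match wins; later terms are never evaluated
    if redirect:
        _count(counter)
        return check_spf(ip, redirect, counter)
    return "neutral"


def count_lookups(domain, seen=None):
    """Static count of the DNS-querying terms reachable from `domain`'s record:
    the number that has to stay at or below MAX_LOOKUPS."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in DNS_TXT.get(domain, "").split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], seen)
        elif mech == "include":
            total += 1 + count_lookups(arg, seen)
        elif mech in ("a", "mx", "ptr", "exists"):
            total += 1
    return total


def evaluates_cleanly(ip, domain):
    """True unless evaluating the record raises a permanent error."""
    try:
        check_spf(ip, domain)
        return True
    except SpfPermError:
        return False
```

Running count_lookups against your own domain's record (with a real resolver in place of DNS_TXT) is the check to make before adding yet another include: to it; the bloated.example record shows that the eleventh include is exactly where receivers stop and return a permanent error.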
DKIM (DomainKeys Identified Mail)
The DKIM standard also publishes a record (commonly more than one, one per “selector”) in the DNS, at the name selector._domainkey.domain, containing the public key of a public/private key pair. The private key is held by the servers the organisation has authorised to sign its email.
The sending server uses the private key to sign selected headers and a hash of the body, and puts the result in a DKIM-Signature header; the receiving server fetches the public key named by the d= (domain) and s= (selector) tags of that header and verifies the signature. If verification succeeds, the recipient’s mail server can be confident that the message was signed by a holder of the organisation’s private key and that the signed headers and body have not been altered in transit. Note that DKIM says nothing about whether the content is spam, and anything that modifies the body after signing (a mailing list footer, for instance) breaks the signature.
A DKIM record looks something like :-
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAfEB8lKdN9PEGll4hxix17dnvGFbvjiIfrIq/E3Yi5rePbLfOHQ1lnJwG54mdA8AFQjgJ4hKiC8++JGog/v4RiamLdq7csjuz7erUvjoC3VSco8K33iNRWskgTFnwuJj2BwC89F3GZjBBZ0cKvim+OHi/jHSuk+4vR1z21He4LwIDAQAB
And yes, that has to be entered exactly as given with no room for mistakes: a text-based copy and paste is required to create a new DKIM record for a new email sender. Because each sender gets its own selector, adding one never involves editing an existing record.
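As an added example (not code from the original article), the Python below does the key-independent half of DKIM verification: it parses the DKIM TXT record quoted above, parses a DKIM-Signature header, canonicalises the body the way RFC 6376 specifies and checks the bh= body hash. The RSA signature check itself is left out (it needs a crypto library), which is why the sample message's b= tag is empty; the message, the footer and the example.com names are constructed for the illustration. The point it demonstrates is the one in the paragraph above: a body hash mismatch tells you the body was changed after signing, and no amount of correct DNS will make that message verify.

```python
import base64
import hashlib
import re

# The DKIM TXT record quoted in the article (published at <selector>._domainkey.<domain>).
DKIM_TXT = ("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAfEB8lKdN9PEGll4hxix1"
            "7dnvGFbvjiIfrIq/E3Yi5rePbLfOHQ1lnJwG54mdA8AFQjgJ4hKiC8++JGog/v4RiamLdq7csjuz7erU"
            "vjoC3VSco8K33iNRWskgTFnwuJj2BwC89F3GZjBBZ0cKvim+OHi/jHSuk+4vR1z21He4LwIDAQAB")


def parse_tags(value):
    """Parse a DKIM tag=value list; used for both the DNS record and the
    DKIM-Signature header. Whitespace inside a value is not significant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def public_key_der(record):
    """Return the DER-encoded public key from a DKIM TXT record, after the
    checks a verifier makes before using it."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported DKIM record")
    if not tags.get("p"):
        raise ValueError("empty p= means the key has been revoked")
    return base64.b64decode(tags["p"])


def canon_body(body, algo="relaxed"):
    """Body canonicalisation (RFC 6376 section 3.4). Both forms drop trailing
    empty lines; relaxed also strips trailing whitespace and collapses runs
    of whitespace to one space, so whitespace changes in transit do not
    break the signature."""
    lines = body.split("\r\n")
    if algo == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    out = "".join(line + "\r\n" for line in lines)
    return out if out or algo == "relaxed" else "\r\n"  # simple: empty body is one CRLF


def body_hash(body, algo="relaxed", hash_name="sha256", limit=None):
    """The bh= value: base64 of the hash over the canonicalised body,
    truncated to l= bytes when the signature carries an l= tag."""
    data = canon_body(body, algo).encode()
    if limit is not None:
        data = data[:limit]
    return base64.b64encode(hashlib.new(hash_name, data).digest()).decode()


def body_hash_matches(message):
    """Compare the bh= tag of the DKIM-Signature header with the hash of the
    body actually received. A mismatch means the body changed after signing
    (a list footer, a rewritten link, a re-wrapped line) and the RSA check
    would fail whatever the key says."""
    headers, _, body = message.partition("\r\n\r\n")
    match = re.search(r"^DKIM-Signature:(.*?)(?=\r\n[^ \t]|\Z)", headers, re.S | re.M)
    if not match:
        return False
    sig = parse_tags(re.sub(r"\r\n[ \t]+", " ", match.group(1)))  # unfold, then parse
    canon = sig.get("c", "simple/simple")
    body_algo = canon.split("/")[1] if "/" in canon else "simple"
    hash_name = sig.get("a", "rsa-sha256").split("-")[1]
    limit = int(sig["l"]) if "l" in sig else None
    return sig.get("bh") == body_hash(body, body_algo, hash_name, limit)


# Constructed sample message. b= is left empty: this example computes the body
# hash only and does not perform the RSA signing or verification step.
BODY = "Hello,\r\n\r\nThis is the   body text.  \r\n"


def build_message(body):
    sig = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
           "\ts=sel1; h=from:to:subject; bh=" + body_hash(body) + ";\r\n\tb=")
    return ("From: sender@example.com\r\nTo: user@example.net\r\nSubject: test\r\n"
            + sig + "\r\n\r\n" + body)


MESSAGE = build_message(BODY)
# What a mailing list that appends a footer does to a signed message:
TAMPERED = MESSAGE + "-- \r\nUnsubscribe: https://lists.example.net/leave\r\n"
```

When a receiver reports “body hash did not verify” for your bulk sender, this is the check that failed; the usual causes are something between signer and receiver rewriting the body, or the sender signing with one canonicalisation (c=) and the relay re-wrapping text in a way only relaxed tolerates.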
DMARC (Domain-based Message Authentication, Reporting and Conformance)
The DMARC standard is yet another DNS record (published at _dmarc.domain) in which an organisation tells receivers what to do with messages whose From: address uses its domain but which fail authentication: accept them anyway (p=none), quarantine them (put them in the “spam” folder), or reject them. A message passes DMARC if either SPF or DKIM passes and the domain that passed “aligns” with the From: domain; this is the check a cloud bulk sender fails when its SPF pass and DKIM signature are both for its own domain rather than yours. The “Reporting” part is that receivers send aggregate reports of what they saw to an address given in the record, which is how you find out which of your senders are failing.
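As an added example (not code from the original article), here is a DMARC policy evaluator in Python that takes the SPF and DKIM results a receiver has already computed and decides pass/fail and the disposition, including identifier alignment and the sp= subdomain policy. The DMARC records, the example.com/example.org organisation and the bulksender.example and lists.example.net third parties are all constructed for the illustration, and the organisational-domain function is deliberately simplified (real evaluators use the Public Suffix List). The scenarios at the end are the ones the article is about: a cloud bulk sender mailing on your behalf with and without an aligned DKIM key, and a mailing list relaying a message with a footer added.

```python
# Constructed DMARC records, keyed by the domain they are published for
# (the real record lives at the TXT name _dmarc.<domain>).
DMARC_TXT = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=reject; sp=quarantine",
}


def parse_tags(value):
    """Parse the tag=value list used by DMARC records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            tags[key.strip()] = val.strip()
    return tags


def org_domain(domain):
    """Organisational domain. Simplified to the last two labels for this
    example; real evaluators consult the Public Suffix List so that, say,
    mail.example.co.uk maps to example.co.uk rather than co.uk."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed
    (r) accepts any domain under the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_results):
    """Evaluate DMARC for one message.
    from_domain:  domain of the From: header (what the recipient sees)
    spf_result:   SPF result for the envelope sender; spf_domain is that sender's domain
    dkim_results: list of (result, d=) pairs, one per DKIM-Signature header
    Returns (dmarc_result, disposition); disposition is none, quarantine or reject."""
    record = DMARC_TXT.get(from_domain)
    is_subdomain = False
    if record is None:
        record = DMARC_TXT.get(org_domain(from_domain))
        is_subdomain = record is not None
    if record is None:
        return ("none", "none")  # no policy: the receiver falls back to its own filtering
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = tags.get("sp", tags.get("p", "none")) if is_subdomain else tags.get("p", "none")
    return ("fail", policy)


def worked_scenarios():
    """The article's situations, as (description, result) pairs."""
    return [
        # A cloud bulk sender mails From: @example.com. SPF passes, but for the
        # provider's bounce domain; DKIM passes, but with the provider's own d=.
        # Neither aligns with example.com, so the p=reject policy applies.
        ("bulk sender, provider's own SPF and DKIM",
         dmarc_evaluate("example.com", "pass", "bounce.bulksender.example",
                        [("pass", "bulksender.example")])),
        # Same provider, but signing with a DKIM key example.com published for it.
        ("bulk sender, customer DKIM key",
         dmarc_evaluate("example.com", "pass", "bounce.bulksender.example",
                        [("pass", "example.com")])),
        # A mailing list adds a footer (DKIM breaks) and re-sends from its own domain.
        ("mailing list relay with footer",
         dmarc_evaluate("example.com", "pass", "lists.example.net",
                        [("fail", "example.com")])),
    ]


if __name__ == "__main__":
    for description, result in worked_scenarios():
        print(f"{description}: {result}")
```

The second scenario is why bulk email providers ask you to publish a DKIM record (under a selector of their choosing) in your own DNS: it is the only way their signature can align with your From: domain. The third is why mailing lists that modify messages either rewrite the From: address or see their members' posts rejected by domains with p=reject.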
When running a mailing list, it is important to manage its membership :-
- Removing addresses that don’t work.
- Removing members of an “opt in” list who expressed a desire to opt out.
These two tasks may be managed automatically, but it is worth bearing in mind that these are both tasks that a bulk emailer is responsible for. Sending to broken addresses may well increase the likelihood that email to a similar destination will be marked as spam; and of course sending email to those who don’t want to receive it will result in it being manually marked as spam.
In addition to getting the technical configuration right so as not to fall foul of DMARC, DKIM or SPF checking, it is also important to optimise the content of messages to minimise the chances of being marked as spam. This is definitely the trickiest bit to advise on, because the “markers” for spam tend to be based on statistical models, and in some cases the advice may conflict with the purpose of the message!
- Email with “rich” content (fonts, colours, embedded links, etc.) is normally sent as two parts: an HTML version (with the “rich” bits) and a plain text version. Email sent as HTML only is quite likely to be marked as spam. Depending on your email sender, this may be an option to turn on or off, although Mailchimp at least sends plain-text versions alongside HTML messages by default.
- Don’t! Get!! Too!!! Excited!!!! Spam often seems to be very excited in its tone (and is often guilty of using too many exclamation marks) – try and avoid getting too overenthusiastic in tone. This doesn’t mean try to be too bland though. On a related note, DON’T SHOUT (uppercase only text is perceived as shouting).
- Using punctuation like “!” or “?” in Subject headers is also ‘spam-like’.
- No matter how urgent it is, don’t try to push people into doing something urgently (“Urgent! Bank fees to go up!”) – they won’t, and it is a very spam-like (and phishing) thing to do.
- Avoid spam-like phrases such as “business offer”, “free”, “best price”, “cash”, “no obligation”, “wrinkles”, “mortgage”, “valium”, “weight-loss”, “guaranteed”.
- Never mention ‘impossible’ percentages (anything greater than 100%): it is a clear sign of spamminess, and it causes mathematically inclined people to grind their teeth.
- Use correct English.
There are other guides to avoiding being marked as spam – search for them.
In general, it is also important to “stick to the subject” – use mailing lists for the purpose for which they were created, avoid sending unnecessary messages, minimise the number of emails sent, and keep them interesting.