E-Mail Deliverability
Anonymous Poll: MS SNDS is a reliable data source
Yes: 38%
No: 63%
Happy new year!
Microsoft Exchange finally has its Millennium bug. Only two decades late: https://twitter.com/JRoosen/status/1477120097747677184.
1&1 (hosting gmx.net, web.de and more) has made policy changes today. The new policy can be found here, here or here. You'll find 2 major changes:

1) Strict DKIM alignment is very strongly recommended. Bulk senders not aligning DKIM to the From:-header domain can expect to be blocked.
2) DMARC (with a reject-policy, of course) is now recommended.

We expect other ISPs to follow this example soon, if they haven't already.
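What strict DKIM alignment means for a single message, as an added example that is not from the 1&1 policy or from this channel: the signature's d= domain must equal the From: header domain exactly. The sample messages and the `.example` domains are constructed, and the code only compares domains; it does not verify the signature itself.

```python
from email import message_from_string
from email.utils import getaddresses

def from_domain(msg):
    """Domain of the single From: mailbox, or None if there is not exactly one."""
    addrs = getaddresses(msg.get_all("From", []))
    if len(addrs) != 1 or "@" not in addrs[0][1]:
        return None
    return addrs[0][1].rsplit("@", 1)[1].lower().rstrip(".")

def dkim_domains(msg):
    """The d= value of every DKIM-Signature header, lowercased."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        # A signature is a ';'-separated tag=value list and may be folded.
        for tag in value.split(";"):
            name, _, val = tag.partition("=")
            if name.strip() == "d":
                found.append("".join(val.split()).lower().rstrip("."))
    return found

def alignment(raw):
    """Classify how the DKIM d= domains relate to the From: domain."""
    msg = message_from_string(raw)
    fd = from_domain(msg)
    if fd is None:
        return "no-single-from"
    doms = dkim_domains(msg)
    if not doms:
        return "unsigned"
    if fd in doms:
        return "strict"  # exact match: passes strict alignment
    # Parent/child domains can only pass relaxed alignment; a real relaxed
    # check needs the Public Suffix List, which this sketch does not use.
    if any(fd.endswith("." + d) or d.endswith("." + fd) for d in doms):
        return "related-subdomain"
    return "unaligned"  # e.g. signed only with the ESP's own domain

def sample(from_hdr, d=None):
    """Constructed message; the bh= and b= values are placeholders."""
    sig = ""
    if d:
        sig = (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel1;\n"
               "\th=from:date; bh=PLACEHOLDER; b=PLACEHOLDER\n")
    return f"{sig}From: {from_hdr}\nDate: Mon, 3 Jan 2022 10:00:00 +0000\n\nbody\n"

if __name__ == "__main__":
    for d in ("shop.example", "mail.shop.example", "esp.example", None):
        print(d, "->", alignment(sample("Shop <news@shop.example>", d)))
```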
"Email Authentication für Empfänger" is German for "Email Authentication for recipients". This is a document by the ECO Competence Group Email, describing Email authentication from a recipient's point of view. It's amongst the most comprehensive guides to E-Mail authentication I've seen so far.

I'm not sure if an English translation of the document is planned, but I have heard of efforts to write a second piece named "Email authentication for senders".
Perhaps you have noticed Gmail becoming stricter about RFC violations. Maybe you've read about it on a mailing list. Somehow it's unbelievable we still have to talk about this in 2022, 30 years after RFC821 described a clear mechanism to do exactly that: block E-Mail. Google is not the only one being more strict on RFC violations; other ISPs are playing with the subject as well. For example, Mail.de has created a postfix milter that detects RFC violations: https://github.com/mail-de/mailheadercheck. This milter also has a dry-run mode, so you can test it without any risk. I installed it two days ago, and when I check my postfix log, I can see I would have blocked 7 E-Mails if it weren't in dry-run mode:

$ grep mailheadercheck /var/log/mail.log | grep 'result=reject' | awk -F 'error_response_text=' '{print $2}' | awk -F '"' '{print $2}' | sort | uniq -c | sort -n
2 Missing Date:-Header
5 Zero or too many addresses in From:-Header

Try it out and don't hesitate to use the comment-function!
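The two violations from the log output above, checked in a dry-run style tally. This is an added sketch, not code from mailheadercheck or from this channel; the function names, the reason strings and the sample messages are constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

def header_violations(raw):
    """Return the reasons a message would be rejected; empty list if none."""
    msg = message_from_string(raw)
    problems = []
    # RFC 5322 section 3.6: Date must occur exactly once.
    dates = msg.get_all("Date", [])
    if not dates:
        problems.append("missing Date header")
    elif len(dates) > 1:
        problems.append("multiple Date headers")
    # Require one From header holding exactly one mailbox.
    froms = msg.get_all("From", [])
    mailboxes = [addr for _, addr in getaddresses(froms) if addr]
    if len(froms) != 1 or len(mailboxes) != 1:
        problems.append("zero or too many From addresses")
    return problems

def dry_run(messages):
    """Tally would-be rejections without rejecting anything."""
    tally = Counter()
    for raw in messages:
        tally.update(header_violations(raw))
    return tally

# Constructed sample messages.
OK = "From: a@x.example\nDate: Mon, 3 Jan 2022 10:00:00 +0000\n\nhi\n"
NO_DATE = "From: a@x.example\nSubject: t\n\nhi\n"
TWO_FROM = ("From: a@x.example, b@x.example\n"
            "Date: Mon, 3 Jan 2022 10:00:00 +0000\n\nhi\n")
EMPTY_FROM = "From: \nDate: Mon, 3 Jan 2022 10:00:00 +0000\n\nhi\n"

if __name__ == "__main__":
    samples = [OK, NO_DATE, TWO_FROM, EMPTY_FROM]
    for reason, count in sorted(dry_run(samples).items()):
        print(count, reason)
```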
Last week, we received the following message from Validity:

Dear Valued Subscriber,

We are thrilled to announce some exciting changes coming in September to our Feedback Loop service!

What's Changing:

Service Model Enhancement: Moving forward you will only have access to aggregated data insights within the application. To continue receiving spam complaints (ARF reports) you will need to upgrade your package.

Login Method Update: We are introducing a new, more secure login method. Email authentication will change from a secure email link to a username and password method supported by Auth0.

You will receive an additional reminder one week before the launch with additional information to ensure that you are well-prepared for the transition and have all the information you need to securely log in to your account.

Thank you for your continued support.


Money for nothing and the chicks for free! 🤨
Only Earthlink, Yahoo and Microsoft still provide Validity-independent FBLs:

* fblrequest@abuse.earthlink.net
* https://senders.yahooinc.com/contact
* https://postmaster.live.com/snds/JMRP.aspx

Edit: Also 1&1 and Mail.ru have Validity-independent FBLs via their postmaster page once you have an account. - Thanks for that, Sergey!
We received further information today:

To continue receiving Abuse Reporting Format (ARF) reports, you will need to upgrade your plan. The price will be $1,500 US annually, for up to 100,000 complaints.

Probably, this is just the beginning and you need to pay to get a SenderScore higher than 60 soon, or something like that. For 1500 annually, you can also have a dedicated InboxSys DMARC monitor.

When they were still called "Returnpath", they were a rip-off. I'm surprised they can go even lower under the name of "Validity". What a bunch of crooks!
The full list of Validity-independent FBLs:

* Earthlink (E-Mail registration)
* Microsoft (JMRP, not exactly ARF)
* Yahoo (Domain based)
* mail.ru (via Postmaster page)
* 1&1 (mail.com, web.de and various gmx domains. Via Postmaster page)
* Google Postmaster (No ARF reports)
* SpamCop (indirect reports, various ISPs, valuable)

This posting was updated to reflect the comments posted
English translation can be found here.
A little while ago, we posted a link to a file named "E-Mail Authentication for Receivers" from the German internet association, "ECO". In the meantime, "Authentication for Email Senders" from ECO has also become available for download. It's documentation at a relatively high level and full of useful tips and tricks.

Further documentation about E-Mail Authentication can be found in our Deliverability Wiki. Our Deliverability Wiki is a continuous work in progress.
To give an example of work in progress: we have just published a full list of free and independent feedback loops in our Deliverability Wiki. Bookmark it! We will keep this list updated.
This video is highly interesting! It shows why SPF should be optional in, if not removed from, DMARC. It also shows why ARC is pretty useless as it is.

Here is a short version of the story.

Credit where credit is due: Thanks again, Sergey!
Abusix may be the first to respond to your new CFBL header! We like that! ☄️