Gmail, Yahoo announce new 2024 authentication requirements for bulk senders (blog.google)
588 points by ilamont on Oct 30, 2023 | 411 comments



> we’ll enforce a clear spam rate threshold that senders must stay under

I hope they make it really strict. I'm sick of companies that send you spam ("newsletters") just because you interacted with them once, then when you unsubscribe, you get unsubscribed from that one list, so they keep spamming you just with a slightly different newsletter type. (Edit: Also, everything requiring a notification - by e-mail if they couldn't get me to install their app - just to get me to engage with their site.)

Once such behavior has the potential of landing your entire domain in the spam folder, maybe they'll be more careful.

Edit: For example, I can't imagine LinkedIn being able to pull off their "phish people, steal their address book, spam each contact three times with no opt-out" bullshit for so long if strict spam thresholds were in place.


Just a perspective from the other side of the coin: I host various services for schools like online registration for parent-teacher conferences. When the platform is live, hundreds of parents are logging in, choosing their appointments and having to confirm them via email (only one email per person, not per appointment).

And Yahoo is the single worst email service to send to. I have correctly configured SPF, DMARC, DKIM and reverse DNS for the mail server and have tested the wording with multiple mail testing services to make sure it doesn't have keywords that get automatically flagged.

And yet after like 50 emails to parents with Yahoo email addresses, they are giving me errors because of "unusual volume of emails from your domain".

There is no form, no human to talk to and they just block you.

Angry parents come to me, of course, because they never received the activation link, so I had to put up a disclaimer stating that they should not use a Yahoo email address if they have a different one.


I have no idea if this still works, and it probably wouldn't work for a school, but 15-20 years ago the way to get Yahoo to stop blocking your emails was to call up your ad rep and say something like "Why the heck should we keep spending $10000/month buying ads on Yahoo when any new customers we get from those ads that use Yahoo email end up pissed off at us and maybe even charge back because it looks like we are completely ignoring them because they don't see our emails????".

That would get you added to a "never block mail from this domain" whitelist that had higher precedence than everything else.


Aka: extortion


What does outward rotation about an axis or fixed point have to do with politely asking corporate overlords to get their shit together?


There is a form, and people you can talk to if the form doesn't work. The form should have been mentioned in the reject message but is at <https://senders.yahooinc.com/contact#sender-support-request>, though you should first review their information, rules, etc., starting at <https://senders.yahooinc.com/>. The mailop mailing list at <https://list.mailop.org/listinfo/mailop> is where you can ask for help if the former doesn't suffice; that will often result in direct contact with someone at Yahoo! who can get things done or at least give knowledgeable advice.


> And yet after like 50 emails to parents with yahoo email addresses they are giving me errors because of "unusual volume of emails from your domain"

Scandalous, it's almost as if the established major providers have a financial interest in making it difficult for smaller providers and individuals to send mail using their own domains!


It is - this would be the better antitrust angle to pursue


> And Yahoo is the Single worst email service to send to.

During the pandemic we had a lot of problems with the confirmation email for our 5000 T.A. in the virtual campus of the university. I had to guess what was happening because I was not part of the administration team, just collecting forwarded messages from the T.A. and guessing:

* Gmail: Most of the time it works.

* Yahoo: The server receives a few hundred emails per day and the others are delayed. These were confirmation emails with half an hour tolerance; if they were lucky enough to pass the next day, they were not useful. (After a week the sending server stops retrying.)

* Hotmail: Sometimes the email is received and sometimes it just disappears. No spam folder. No bounce email. It just evaporates. (Try sending an email from Hotmail to the no-reply address and cross your fingers.)

* Others: Not enough data to have a good guess.


> sometimes it just disappears. No spam folder. No bounce email. It just evaporates.

Gmail will do this too. Happened a few months ago with a single (important) message from a private individual sender on Hotmail, one unknown to my Google account. The fix was adding the Hotmail address to a Google Contact.


I seriously don't get why we can't have some sort of licensing authority for this type of thing. Maybe they issue you a secret key to include in email headers, or put your entire domain on some sort of whitelist. And complaints get handled by a human to confirm that it's not an "oh I don't like this" or "I don't remember signing up for this" nonsense complaint that would get you blocked or have your license revoked with a normal provider.

Am I crazy or just missing some super obvious gap with this path?


You should try starting one. You'd just need to work with every email provider on the planet (including people running personal email servers) and convince them to let you decide for them what is spam or not, get them to implement a massive list of IPs/domains to whitelist on their servers, get them to let you edit that list whenever new mass mailers sign up for your "We're totally not spam" service, and then get them to provide some way for complaints to come back to you so that you can enforce your rules. It'd be a hard sell for mail providers, and it wouldn't solve the spam problem for any messages that aren't sanctioned by your service.

You'd also have to do a lot of work to validate new senders long before they send their first message and you start getting complaints or else you're just letting spammers pay you to completely bypass every mail provider's spam filters until they finally get blocked and have to create a new account with you under a different company name.

If you can convince everyone to trust you, and your service, and that it'd be worth it for mail providers to do all that work on their end on top of everything they're doing currently to prevent spam, it really could improve deliverability.


> You'd just need to work with every email provider

Why would you need to do that? Just work with those that'll pay you for it. The others won't care as they'll just ignore the header.


Would email providers pay for it at all? I suspect it'd be easier to take money from the would-be spammers than to get mail providers to do a bunch of extra work and then pay you for the privilege just so that your clients can send messages that look like spam a little easier.

I suppose that really you'd be able to get a lot of utility by convincing just a handful of very popular email providers (gmail) to trust that your service will never be used to send spam (or that they should let spammers who slip by you right past all of their spam filters). The more email providers you can get to use your service though the more you could charge the mass mailers for guaranteed message delivery.

Such a service could lead to two very bad outcomes though. Parents being told that if they want to get email from the school they'd better sign up for an email account at one of the few supported email providers (gmail) and/or (if it becomes successful) any sender who isn't paying for the privilege of sending email being treated like a spammer.


> I don't remember signing up for this

This is often not a nonsense complaint. A lot of newsletter signups are still via pre-selected checkboxes that are easy to miss.


SMS has something similar to this. You have to honor requests to stop sending or are banned.


Why confirm via mail at all?


This is a requirement in some jurisdictions (double opt in) for some cases. Not sure about "User has a confirmed email + account at our service, he wants to sign up for a reminder" use case though.


"Double opt-in" is a spammer term for what normal folk refer to as "confirmed opt-in".


maybe to confirm that the email is valid?


Correct! With schools and students there is always incentive for shenanigans. If I didn't test for emails they could just book-block all teachers.

There would be other ways to clog the system using trashmail providers, but thankfully no student has cared enough for that yet.


NextDoor is the absolute fucking worst with this. They sign you up to 10+ lists each in over 9+ categories, which results in what feels like 100 different "notification types".

Unsubscribing from an email just unsubscribes from that one list. They don't show any other lists or categories (or imply there are more) during this process.

Once you log in you are greeted with a multi-page disaster to manually untoggle each of the nearly 100 list types.

Then when they add new notifications it is auto-on for everyone.


Why do you bother fighting to unsubscribe properly with a company like that? I have a rule: I will try 1 time to legitimately unsubscribe, using the normal flow. If you keep sending me email after that, I will mark every email you send as spam and my email provider will stop delivering your mail.

I started doing this years ago after watching a talk by some Gmail devs on how they think of spam. They said they internally - controversially - redefined spam to be any email the user doesn’t want to receive. Well guess what? I don’t want to receive shitty marketing emails after I unsubscribe. If you send them to me, I’ll get you listed as a spammer.

I encourage everyone else to do the same thing. Life is too short to put up with this crap.


I was taking a low-effort approach of just unsubscribing from emails and newsletters as they came in. I saw a huge decrease in unwanted emails at first, but NextDoor kept coming _no matter what_. Finally, in frustration, I logged in, did half the above unsubscribing, then just deleted my account instead. I agree.


Another for the hall of shame: MyHeritage. They will never, ever stop spamming you if they get your email. Set your language to Chinese and delete your account, now they will spam you in Chinese.

The special award though, must go to Wal-mart. That company doesn't exist in my country. I obviously never interacted with them in any way. I still get their "newsletter", and sure enough, it's authenticated to come from their domain.


This should be illegal


Yes I ran into this the other day when I tried Nextdoor out for the first time. I was actually so in awe of the insane and sociopathic dark pattern that is their email/notification subscription system that I immediately deleted the app. I don’t want to be a user on a platform that treats its users with so little respect.


I did the exact same thing a few days ago. I thought NextDoor would be social media that connects me with my local community. Nope. It’s overwhelmingly “recommend me someone for <service>”, camera footage of shady people or crime reports, and complaints about neighbors. The excessive emails were the final straw that took me from indifference to actively excising NextDoor from my phone.

So if anyone has ideas for connecting with your local community, I’m still looking…


> camera footage of shady people or crime reports

Which are usually just black people existing or generic "people walking by my house" reports.


We just have a WhatsApp group...


> I was actually so in awe of the insane and sociopathic dark pattern that is their email/notification subscription system…

At least it’s on brand. Once you start reading you will be so in awe of the insane and sociopathic people who do the bulk of the posting.


If I'm certain I don't know the company, or I know the company but there is no unsubscribe button, it goes straight to Spam, no questions asked.

A decade ago I went to my country's embassy to renew my passport, and they now use my email to subscribe me to the newsletters of any new political party. All unsubscribe links just 404. Shameful behaviour.

Anything I receive from any of their political candidates goes straight to spam now. The hope is that I am training the spam filter so it marks those as spam for all other users as well.

It's simple really: have a clearly visible, working unsubscribe link in the body of the email that doesn't require jumping through hoops, and be a company I know and use. Otherwise the spam filter learns about it.


There's worse. An unsubscribe link that asks you to submit your email. Few things anger me more, because they went through the trouble of pretending to comply, and a decision was made to make my day more difficult.


Hulu did (does?) this and the form rejected my email address as invalid because the domain portion had three parts to it. Of course, they were able to continue sending me emails so some system knew it was valid. It was likely a bad assumption an engineer made somewhere, but all the more reason to use unsubscribe links that are already tied to the email address.


Also needing to log in before you can unsubscribe.


IIRC, CAN-SPAM explicitly says the unsubscribe button needs to be available without logging in. So this would be a violation.


So, who do you contact about that violation?


Here you go: https://www.justice.gov/action-center/report-spam

You can probably guess how effective that is. In practice, unless you can get the FTC or a state attorney general to sue an actual company for you, nothing will ever come of it.


I report spam that I'm unable to unsubscribe from to the FTC via their online page[0]. I've never gotten any response but it does seem to work. I've been dropped from several marketing lists after reporting them to the FTC, and it's unlikely that these marketers decided on their own to remove me from their lists.

[0] https://reportfraud.ftc.gov/#/


Especially if your account is no longer accessible; a problem I had with Uber after changing my phone number. Bombarded with "Uber Eats" spam and no way to unsubscribe without going through some kind of ridiculous process to reactivate the account.


I have that problem with a former utility company that keeps sending updates about the business that I've unsubscribed from multiple times. The one that irks me the most is TP-Link Kasa who has a marketing opt-out in the account creation flow and they still send repetitive spam without honoring the unsubscribe link.


Or needing to enable javascript to unsubscribe.


That exists for a reason, and it's not nefarious at all.

Lots of people, especially of the older generation, forward all sorts of emails to their friends and family every day. If one person who received a forwarded email doesn't like it and clicks the unsubscribe link, the original recipient (who clearly likes the email enough to forward it around) gets unsubscribed. That's a bug. If you don't like the unfunny newsletter your uncle keeps forwarding you, that's a problem between you and your uncle, not between your uncle and his newsletter!

The email submission form exists to ensure that the person unsubscribing is the person who is actually on the mailing list. It will not prevent an annoyed nephew from deliberately unsubscribing the original recipient, but it will prevent most cases of mistake by third parties.

Similarly, many unsubscribe links require two clicks instead of one, because some email services used to automatically check out every link they found in the body of an email. A one-click link would unsubscribe everyone before they even saw the email. Nowadays we have better protocols and better email scanners, but old industry habits die hard.


Email senders are trying to solve a problem no one asked them to solve. Me unsubscribing from emails from my grandma is her problem and eventually someone should/will help her find another way to share. Let's not pretend that email senders care about my grandma.

Email providers autoclicking on links is the recipient's problem. This is the same flow used for account verification links, and yet you do not see them adding an additional step to it.

And then we have the large number of users complaining about this, and yet they feel they simply know better and reserve the right to impose themselves on us?

This decision is purely self serving, let's not pretend otherwise.


They could perhaps pre-fill the email as a middle ground.


Many websites actually do this. It significantly weakens the defense against the forwarding problem because people will blindly click submit. But IMO it's an acceptable compromise for anything not business-critical.

Some people have come up with a trick to hide the unsubscribe link with CSS when it is inside a <blockquote> tag, as in a forwarded email. It doesn't work reliably, though. HTML email is still stuck in the 90s, it's impossible to do anything fancy inside of it. Much easier to send the user to a real web page for an actual transaction.


There is no "mistake" in wanting to unsubscribe from a mailing list. This is just a dark pattern to increase friction, whatever scenario they try to come up with to justify it.


I share your frustration, but there is no evidence that you read the comment you're replying to.

That comment explains that there's a scenario where people can be accidentally unsubscribed in the presence of mail forwarding, and the requirement to enter an email address can patch over this.


Upon re-reading the comment, I understand the scenario now. Thanks for clarifying.

Thankfully I don't have people forwarding emails to me outside of work...


Well, you could still pre-fill that field.


I think you are mostly wrong. OP is complaining they sometimes have to enter their email address - that is absolutely unnecessary make-work.

The page can prompt the email address, and have a simple unsubscribe button. Not perfect, but okay.

Even better, one-click unsubscribe features (e.g. Gmail's App) are presumably set up to work for the current recipient (not the original sender) so the problem is resolved for anyone using an email client with inbuilt unsubscribe.

The forwarding problem is only for HTML link unsubscribe. Personally I hate trying to play find-the-unsubscribe-link, so I use the email client feature where possible (which also helps Gmail rate/flag spam).

Mostly I haven't had problems with repeat spammers, except a republican politician (I'm not in the USA so doubly annoying).


Not everyone uses Gmail or a modern email client that understands the one-click List-Unsubscribe protocol, so senders must include an HTML unsubscribe link in the body of the email in order to comply with relevant rules in all jurisdictions. That link, unfortunately, can fall prey to the shenanigans I mentioned above.

I understand the parent's sentiment because we all want to unsubscribe from unwanted emails. But technical standards can't distinguish unwanted emails from business-critical emails. You could legitimately cause someone damages by silently unsubscribing them from an important news feed. (Imagine that you silently unsubscribed an open-source maintainer from all github notifications!) Even worse, this kind of vulnerability disproportionately affects senders who try to follow the rules and make it easier for people to unsubscribe. Spammers don't care and keep spammin'.

Ideally, an email would have both a one-click List-Unsubscribe header and an HTML unsubscribe link in the body. The latter need not be one-click, and in fact, if it's anything remotely important, should not be.


> Imagine that you silently unsubscribed an open-source maintainer from all github notifications!

Do open-source maintainers forward around their unsubscribe links in practice?

The other problem with email scanners clicking links automatically can be solved without prompting for the email address. One simple solution is: if the link is clicked within a minute or so after sending the email, there's a chance the clicker is an automated system. Instead of unsubscribing right away, serve an HTTP POST form with a single "Confirm Unsubscribe" button. Normal users will rarely see the form; automated systems will hesitate to fire off HTTP POST requests.
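An added example, not code from the thread or from any mail provider, putting together the pieces discussed above: the `List-Unsubscribe` / `List-Unsubscribe-Post` one-click headers from the earlier reply, an HMAC-signed link so the recipient never has to type an address, and this comment's timed POST-confirm step for clicks that arrive within a minute of sending. The endpoint URL, secret and addresses are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from email.message import EmailMessage
from urllib.parse import parse_qs, urlencode

# Constructed values for the demo; a real deployment keeps the secret out of code.
SECRET = b"constructed-demo-secret"
UNSUB_BASE = "https://mail.example.test/unsub"  # hypothetical endpoint
SCANNER_WINDOW_S = 60  # GETs this soon after sending are treated as link scanners


def make_sig(recipient, list_id, sent_at):
    """HMAC over (recipient, list, send time) so the link is bound to one address."""
    msg = f"{recipient}|{list_id}|{sent_at}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).decode().rstrip("=")


def unsubscribe_url(recipient, list_id, sent_at):
    """Link carrying the recipient, list and send time plus their signature."""
    query = urlencode({"r": recipient, "l": list_id, "t": str(sent_at),
                       "sig": make_sig(recipient, list_id, sent_at)})
    return f"{UNSUB_BASE}?{query}"


def build_message(recipient, list_id, sent_at):
    """Outgoing mail with the RFC 8058 one-click headers and a body link."""
    url = unsubscribe_url(recipient, list_id, sent_at)
    msg = EmailMessage()
    msg["From"] = "digest@example.test"
    msg["To"] = recipient
    msg["Subject"] = "Weekly digest"
    # Clients that support one-click POST to the https URI with this exact body.
    msg["List-Unsubscribe"] = f"<mailto:unsub@example.test?subject={list_id}>, <{url}>"
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(f"Digest body here.\n\nUnsubscribe: {url}\n")
    return msg


class UnsubscribeEndpoint:
    """Model of the HTTP handler; returns (status, action) instead of HTML."""

    def __init__(self):
        self.suppressed = set()  # (recipient, list_id) pairs that must not be mailed

    def _verify(self, query):
        params = parse_qs(query)
        try:
            r, l, t, sig = (params[k][0] for k in ("r", "l", "t", "sig"))
            sent_at = int(t)
        except (KeyError, ValueError):
            return None
        if not hmac.compare_digest(sig.encode(), make_sig(r, l, t).encode()):
            return None  # tampered or forged link
        return r, l, sent_at

    def handle(self, method, query, body="", now=None):
        now = time.time() if now is None else now
        verified = self._verify(query)
        if verified is None:
            return 400, "invalid-link"
        recipient, list_id, sent_at = verified
        if method == "POST":
            # Either the mail client's one-click request or the human pressing
            # the confirm button; link scanners rarely issue POSTs.
            self.suppressed.add((recipient, list_id))
            return 200, "unsubscribed"
        if method == "GET":
            if now - sent_at < SCANNER_WINDOW_S:
                return 200, "confirm-form"  # render a one-button POST form instead
            self.suppressed.add((recipient, list_id))
            return 200, "unsubscribed"
        return 405, "method-not-allowed"
```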


> The latter need not be one-click, and in fact, if it's anything remotely important, should not be.

It absolutely should be one-click.


Since when are GET requests with side effects a good thing?


> Mostly I haven't had problems with repeat spammers, except a republican politician (I'm not in the USA so doubly annoying).

I’m a republican (also not in the US sense — I want to get rid of the tie to the monarchy) but I also find that republican politicians seem to be really annoying!


> I hope they make it really strict. I'm sick of companies that send you spam ("newsletters") just because you interacted with them once, then when you unsubscribe, you get unsubscribed from that one list, so they keep spamming you just with a slightly different newsletter type.

Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages. It can even end up getting you more spam (as you've noticed), and what looks like an innocent unsubscribe link can actually take you to a malicious website instead. You've really got nothing to gain by touching spam at all.

The best way to deal with the spam that makes it into your inbox, especially spam that comes from specific senders with predictable subject lines/body content like newsletters, is filtering. For example, just auto-delete anything from a domain you never want to hear from again. You never see it, and you leave them spending at least a little time/effort shouting uselessly into the void.

I tend not to auto-delete directly, but have things filtered into specific folders just in case. It takes almost no time to clear out when they get very full. Most filters are set once and forget.


>Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages.

This only applies to scam emails like newsletters from sketchy domains that you never signed up for, which are sent out specifically to find active email addresses. For those, clicking the "unsubscribe" link is indeed counterproductive.

For actual businesses like Linkedin though, it makes more sense than not to unsubscribe from unwanted emails anytime they're sent. On occasion you'll find yourself back on a different newsletter list, but it's relatively rare and more often than not just incompetence rather than malice; legitimate companies want to send their emails out to people who buy stuff, not people who mark them as spam and lower their reputation.


> For actual businesses like Linkedin though, it makes more sense than not to unsubscribe from unwanted emails anytime they're sent.

Why? What's in it for you?

You filter them = never see the spam they send you again

You unsubscribe = pray that it's not a phishing email disguised as linkedin spam, hope that if it's real they don't just start sending you different spam, and that maybe they haven't agreed to sell your (now confirmed as more valuable) email address to 3rd parties (aka, their "partners") now that you've made that email address worthless to them otherwise.

The absolute most you can ever hope for in the "unsubscribe" case has the exact same outcome as the "filter" case, while the filter case has less risk and as a bonus lets the spammers waste their time.


>Never interact with spam. Unsubscribing just tells spammers that your email address is actively being checked, and that you're the kind of person who clicks on links found in unsolicited messages. It can even end up getting you more spam (as you've noticed), and what looks like an innocent unsubscribe link can actually take you to a malicious website instead.

Yet there are people here on HN telling us that we have some kind of responsibility to watch ads, not block them, and support the kind of people who do this slimy, evil, unethical bullshit.


At mailpass.io we tried to embed some of these ideas straight away. Easy to ignore certain domains. Easy to delete all messages from a specific domain without sending any kind of tracking that this was done.


Interacted with the company, as in filed a support request, bought something from them, etc.

They already have my e-mail address, likely even verified. They're also somewhat normal companies, i.e. they have an address where the local DPA can send a friendly reminder, and while they will happily pass your (likely hashed) e-mail address to Facebook for ad targeting, actual selling to spammers is incredibly rare.

I often can't just filter the domain because I might actually need to deal with the company again (if I boycotted everyone who acts like a dick I'd be living in a cave).

Also, for many, unsubscribe actually works.


> I hope they make it really strict.

The threshold is "spam rates reported in Postmaster Tools below 0.3%".

That sounds pretty low to me, but I'm not in the bulk email business. I guess maybe a very small number of users actually report spam? Or maybe Google is being strict.

Source: https://support.google.com/mail/answer/81126#zippy=%2Crequir...

(I work for Google, but on something totally unrelated, and don't speak for them or have any inside knowledge.)


One of the key problems is that both gmail and Yahoo UIs actively encourage users to report messages as spam rather than unsubscribing. Yahoo is particularly bad at this; it's common for me to receive spam reports from yahoo on an entirely double-opt-in social site I run. My reaction there is to remove the reporter from all lists because the amount of damage a single spam report can do is immense; a single spam report can block delivery for weeks at a time to the 10k others that legitimately requested messages. Hotmail/outlook/live is much the same in encouraging spam reporting over unsubscribe, however, their penalties are not as excessive as Yahoo's.


> One of the key problems is that both gmail and Yahoo UIs actively encourage users to report messages as spam rather than unsubscribing.

I think this is, generally, the correct approach. There isn't really a salient reason to discriminate between "email I don't want from someone I don't know" ("true spam", if you will), and "email I don't want from someone I do know" (aggressive newsletter campaigns et al). Spam is the button to send a signal that you got an email you didn't want.

> My reaction there is to remove the reporter from all lists because the amount of damage a single spam report can do is immense; a single spam report can block delivery for weeks at a time to the 10k others that legitimately requested messages.

This is the system working as intended to me, as the customer of the email service. I like that my email provider is throwing their weight around to put the fear of God into bulk senders and forcing them to think about how this campaign will impact their sendability. I would much rather annoy the hell out of bulk senders than cede emails to spammers like we have with phones.


There is one case where differentiating makes sense: Sometimes users sign up for newsletters, want the newsletters, would re-confirm if asked... and later change their mind and no longer want those newsletters. Here, marking as spam is unreasonable.

In most other cases (e.g. newsletters sent based on a tiny pre-checked checkbox or without asking for consent), the spam button is of course the right tool.


> My reaction there is to remove the reporter from all lists because the amount of damage a single spam report can do is immense

Sounds like it's working as intended.


The worst offenders are those without a link to unsubscribe, and who instead ask you to "reply unsubscribe", which happily for them is also a signal to the email provider that you've interacted with them and therefore are not spam.


> I hope they make it really strict.

I hope they don't. Gmail's spam filter is far from perfect and classifies many non-spam messages/senders as spam. Maybe because they heavily rely on user reports (to train AI?) and email users tend to report all kinds of emails as spam, including clearly ham messages like bank statements, appointment notifications, password reset emails, etc.


Even gmail's own marketing messages (that I never asked for!) end up in my spam folder. If google can't even reliably send emails to themselves I don't know how they expect anyone else to succeed.


Nextdoor is the absolute worst about this. Selecting unsubscribe only lets you unsubscribe from the "type" of email they're sending you. After unsubscribing 7 or 8 times I just reported the whole domain as spam and blocked it.


You have much more patience than I. After the second email type I deleted my account.


I wish Apple's Hide My Email feature had existed 20 years ago. For any new signup now, I use Hide My Email.


What do you do about accounts where you need to log in on different devices? This is where I end up leaving it at the door.


I use fastmail masked email (which is basically the same thing) with the firefox plugin. I love it.


It gets better when you have your own domain and you can register with throwaways using spamco@mydomain.


I share my domain with my parents, so I use my_name@XXX.my_domain.tld instead, where XXX is replaced by the service I sub to. That gets routed to my inbox and I have some server rules that sort them into sub-dirs.

For more shady stuff I have some throwaway mail at some free mail provider.


I started doing this about a year ago, but I haven't nailed down an easy way to blacklist addresses from my catch-all. Do you know of a painless way to do that?


Don't use a catch-all. List specific allowed addresses, and remove them (after reporting) if they become spam sources.


In fastmail, rules for specific addresses take priority over catchalls. So if I have a catchall and tell it to bounce emails to spamco@, the bounce rule applies properly.


What is the add on name?


i can't be the only oldskool person on hacker news who knows not to click on unsubscribe buttons because it just identifies you as a legitimate email/mark...

these are spammers, not cases where you ever actually signed up to some kind of legitimate newsletter or discussion group. to pretend good faith is your first mistake...


I don’t think this is a legitimate concern any more. There’s basically zero value in “confirming” an email address is legitimate. Between all of the data breaches and various other ways to get actual email addresses, this isn’t a problem. It’s also so cheap to send email that there isn’t an operational cost where you need to optimise for sending only to known addresses.

There is definitely a punitive cost for sending emails that are repeatedly marked as spam though. You also can’t just cycle IPs, because a brand new IP with zero sender reputation is treated with almost as much suspicion by the big players as one that is known to be a spammer.

It’s much better to give people an option to opt out, and to honour it. Most of the email sending providers (e.g., SendGrid, mailchimp, etc) force you to include the link and automatically block future sending to that address. Some will even provide you the option to provide a reason, where you can specify “I did not sign up for this” which in sufficient number will flag the sender account. I suspect the vast majority of cases where people unsubscribe but continue to get email is actually some incompetence from not having multiple disparate email systems sync back to a shared do not contact list (rather each system is maintaining its own).

Click the unsubscribe button.


there's a line in the movie the incredibles where robert (the hero) is meeting with the designer (edna) of super suits to design him a new suit even though such activities are technically illegal.

The dialogue goes something like this:

robert: you know I'm retired from hero work.

Edna: As am I, Robert, yet here we are.

so now it's 2023. you're telling me it's now safe to click on unsubscribe to the spam emails.

yet here we are.

no, the straightforward response is to ignore and mark as spam any unsolicited emails you did not explicitly sign up for. don't try to interact through the desired or expected channels of any entity that spams you.


When you mark an email as spam, the mailing service emails the sender along with all the original headers. See https://en.m.wikipedia.org/wiki/Feedback_loop_(email)

Your reasons are not actually rational.


surely this depends on the actual mail provider you use.

i appreciate it's impossible to prove a negative (everyone could be doing something they have no evidence or documentation of doing), but given my mail provider both says that you have to mark a selection before they'll share such information with partners and that marking emails as spam still trains your own user specific spam filter, i don't think (and am really hoping) this is not a universal thing.


It’s universal as far as I know.

I worked on an email system that sent billions of emails a month. We used these messages from providers to ensure we never sent them an email again to prevent hurting our reputation. (Marking an email as spam, is by itself, a very low signal on reputation, unless some massive % of recipients mark it as spam. Sending an email to someone who has already indicated you are sending them spam is a high signal that you’re sending spam, however).

It doesn’t even matter when you do it. We had people (outliers) who would go back and hit every single email we sent them for the last 6 years as spam, after a bad customer service interaction, not getting a refund, or whatever pissed them off. We actually investigated all outliers. Most people didn’t report spam on anything older than 6 months.
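The provider messages this poster describes are feedback-loop (FBL) reports, which most large mailbox providers send in the ARF format (RFC 5965). As an added example, not code from the poster's system or from any provider, here is a parser for a constructed ARF abuse report plus the suppression step the post describes. The sample message, domains, addresses and the 192.0.2.1 source IP are documentation placeholders, and the field names are the ones ARF defines.

```python
from email import message_from_string
from email.policy import default

# Constructed ARF (RFC 5965) feedback-loop report. Domains, addresses and the
# 192.0.2.1 source IP are documentation placeholders, not real data.
SAMPLE_ARF = """\
From: <abuse-feedback@mailbox.example>
To: <fbl@sender.example>
Subject: FW: Earn money
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report;
 boundary="part1_13d.2e68ed54_boundary"

--part1_13d.2e68ed54_boundary
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

This is an email abuse report for a message received from IP 192.0.2.1.

--part1_13d.2e68ed54_boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: SomeGenerator/1.0
Version: 1
Original-Mail-From: <bounce-42@sender.example>
Original-Rcpt-To: <user@mailbox.example>
Arrival-Date: Thu, 2 Nov 2023 14:00:00 +0000
Source-IP: 192.0.2.1
Reported-Domain: sender.example

--part1_13d.2e68ed54_boundary
Content-Type: message/rfc822

From: <bounce-42@sender.example>
To: <user@mailbox.example>
Subject: Earn money
Message-ID: <42.promos@sender.example>
List-Id: <promos.sender.example>

Spam Spam Spam
--part1_13d.2e68ed54_boundary--
"""

# Fields taken from the message/feedback-report part and from the attached
# copy of the original message.
REPORT_FIELDS = ("Feedback-Type", "Original-Mail-From", "Original-Rcpt-To",
                 "Source-IP", "Reported-Domain", "Arrival-Date")
ORIGINAL_FIELDS = ("Message-ID", "List-Id", "Subject")


def _clean(value) -> str:
    # Unstructured header values keep their angle brackets; strip them so the
    # result is usable as a plain address or identifier.
    return str(value).strip().strip("<>")


def parse_arf(raw: str) -> dict:
    """Parse an ARF report into a flat dict; raises ValueError if it is not one."""
    msg = message_from_string(raw, policy=default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not a multipart/report feedback-report")
    report, original = {}, {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            # The parser treats message/* bodies as a nested message, so the
            # report fields are the headers of that nested message.
            inner = part.get_payload(0)
            for name in REPORT_FIELDS:
                if inner[name] is not None:
                    report[name] = _clean(inner[name])
        elif ctype == "message/rfc822":
            inner = part.get_payload(0)
            for name in ORIGINAL_FIELDS:
                if inner[name] is not None:
                    original[name] = _clean(inner[name])
    report["original"] = original
    return report


def suppress_from_report(report: dict, suppression: set) -> bool:
    """Add the complaining recipient to the suppression set for abuse/fraud
    complaints. Returns True when a new address was added."""
    if report.get("Feedback-Type") not in ("abuse", "fraud"):
        return False
    # Some providers omit Original-Rcpt-To; fall back to the original To header.
    rcpt = report.get("Original-Rcpt-To") or report["original"].get("To")
    if not rcpt or rcpt in suppression:
        return False
    suppression.add(rcpt)
    return True
```

The suppression set is the "never send to them again" list from the post; in production it would be persisted and consulted before every send, and Reported-Domain or List-Id can be used to scope it per list where the sender runs several.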


That's the case for spam sent by illegitimate parties (actual spammers), but any real company (what OP is referring to) will respect the unsubscribe button because they're at risk of being sued otherwise. Clicking unsubscribe in those cases actually does work & doesn't put you at risk of anything.


I get spam from legitimate companies who don't honor the unsubscribe links. The problem is that many of them use third-party services to handle the unsubscription server so you're feeding the data broker ecosystem with confirmation that you're an active address.


This is an irrational reason. When you click “mark as spam” the sender can configure the email so your email provider notifies them that you marked it as spam. (See email feedback loop).

https://en.m.wikipedia.org/wiki/Feedback_loop_(email)

Further, pixels can be embedded in the email so they can see when you open the email and how many times.

The sender has every incentive to properly handle unsubscribe to avoid spam traps. If you get big enough, users WILL come sign up for your service with a known spam trap email. If your operations are as sloppy as you’re suggesting, your email sending capabilities go poof.


> they're at risk of being sued

I think this risk is overstated. Individual spam recipients in the United States have no standing to sue under CAN-SPAM; only the FTC does, and there's a high bar to get their attention.


I find the venn diagram of spammers and "legitimate" companies increasingly overlaps and it's impossible to cleanly differentiate the two.

my university spams me. i bought a torch from olight. they spam me. i get food deliveries. they spam me. i bought some tech. they spam me. i look for real estate they spam me. i get a delivery. they spam me.

it's differentiating between the two that's unrealistic.


PINE used to have a Bounce command that was great for faking an invalid email address.


This is exactly why GDPR exists. What you are describing is illegal in the EU. Sending marketing communication requires clear opt in consent.


I just had this experience today. The problem is that at least in the States the regulation is ambiguous enough to be abused to hell and back. Unsubscribe in the States could mean “Unsubscribe from all” or “Unsubscribe from 1 of 20” or it could mean “unsubscribe from all now, but we will arbitrarily re-sign you up for some new newsletter whenever we feel like it”. I got a spam email today from some no name dropshipper I bought contacts from probably a decade ago, I got LASIK 3 years ago and haven’t needed contacts since.

Some large companies even flagrantly violate the extremely lax rules that exist in the States. Guitar Center has infamously been sending me emails that are in direct violation of the one click unsubscribe regulations for almost a decade now. I can’t even sign in to the account to cancel the emails (which is in direct violation of the regulation - it is ambiguous on a lot of things but the one thing that it isn’t is that you aren’t supposed to be required to log in to opt out of email communications) because it was made with my dad’s email from 20 years ago yet I’m the recipient of the spam.

I did report them; but of course nothing must have happened because they are still doing it.


> unsubscribe from all now, but we will arbitrarily resign you up for some new newsletter whenever we feel like it

The LinkedIn way.


I don't know the legality of this in the EU but often it is required that you opt-in to these marketing emails to create an account or do other basic things on a website.

And then there's those online stores that cover the entire page in a popup that you can get a 20% discount code if you give your email. Technically I've opted into their marketing. But I always just use the coupon and then report the email as spam without bothering to unsubscribe.


If you need to opt-in to create an account then it is illegal. Yes the discount code for newsletter signup is a result of GDPR consent requirement along with growth hacking technique popularity that is incredibly annoying.


Even European Websites do this. I know that in principle I never check the "I want to receive spam" but I still do and still have to unsubscribe later.


Report them to your local DPA. I do not see this so often with big companies but every growth hacking startup sends newsletters without consent.


And regularly occurs

Also there are separate email marketing laws.


Referring people by email to the site!


> There is simply no easy way for your users to legally invite their own friends to your site, so it can never reach critical mass.

Referring friends and family by sending emails on your own? Who the fuck does that since ~2010? Ever heard of social media and instant messengers?

Edit: Parent was a wall of text when I responded. Stealth editing it to something completely different is not cool.


It covers instant messengers too. You need to obtain the consent of the person receiving the message, before prefilling the message with the URL and text for their FRIEND to send them. Sorry buddy. That road is closed for you too!

Social media MAY be an exception, but that's because people are already used to receiving a ton of spam on it, so your "viral post" will be ineffective to begin with, and probably filtered by Facebook and not shown to most people at all. Enjoy.

All the original social platforms such as Facebook and Twitter used ways to invite others by email (famously in Harvard etc.) So now they are burning the bridges behind them and no one can do it anymore.


Are you sure? I don't have more than anecdotal data, but I remember unsubscribing from EU newsletters to be much more cumbersome than from US ones.


I was recently subscribed to ~500 newsletters within 10 minutes, and the most annoying ones to unsubscribe were from Brazil, US, India, etc.

(An attacker used the paypal guest account feature and used my IBAN [european bank account number] and tried to hide the mail within those hundreds of mails. They were successful for some days, until the purchase showed up on my bank account)


This is my experience as well. US emails are one-click unsubscribe almost without fail, while EU and AU especially require multiple clicks and often entering my email address to unsub. Extremely annoying.


What do you mean, how is there a difference between unsubscribing from a newsletter from an EU company and a US company?


If it's at all difficult just reply saying something with the 'GDPR' keyword and they'll hop on it.

A few times I've had unsubscribe links absent or not working for whatever reason and done that and a human's replied and sorted it out.


It’s fair to say any traditional email provider will still struggle to prevent this ‘legit spam’. We took a different approach at mailpass.io where we assume most of the messages are not important for the majority of inbound email. We suggest giving it a go and then forgetting / not caring about whether unsubscribe actually works.


The Information are so incredibly bad for this. I've requested unsubscriptions multiple times from them and they just can't seem to manage it. Like, presumably their audience won't use them but still it rankles.


Honestly I prefer to subscribe to those kinds of newsletter in the form of an RSS feed. They just publish passively, and I choose when to subscribe and unsubscribe on my own terms, and it doesn't clutter my mailbox.


What do you mean? There’s a huge difference between “Product Spotlight” and “Best Deals” /s


This might be good news, but as it comes from Google and involves email centralisation, I’m sceptical.

At MailPace we already enforce DKIM, it’s pretty basic stuff. But list-unsubscribe is optional for our senders.

We can make this a requirement and manage lists for senders who don’t / can’t implement a webhook to handle it (we already default to blocking resends to emails that hard bounce).

However I am curious how Google will track this. Just because the header is set, it doesn’t mean it’ll do anything. In fact it can be used by spammers to identify legit email addresses and spam them separately.


> Just because the header is set, it doesn’t mean it’ll do anything.

True, but I think when you're processing the volume of email that Gmail is, you'll have enough data to be able to infer whether the unsubscription was processed.


All it would take is one human to review the email, but sadly given Google's aversion to humans in the loop I predict it will be inferred by an algorithm and subject to false positives with no practical way to escalate for review.


I think it would be pretty challenging to have a human in the loop at that scale. Although certainly it would be nice if there was a way to escalate.


Side-note: for list-unsubscribe, do you determine the subscriber's identity that needs to be unsubscribed based on the sender or the receiver (like <guid>@unsubscribe.service.com)?

Reason I'm asking is Unsubscribe rarely works for me due to my catch-all not SENDING emails from the address it was received on. It sends it from my actual address. Very annoying.


The RFC https://www.ietf.org/rfc/rfc2369.txt Section 3.2 is not specific on this - but the examples only show the To address, and no unique identifier beyond that, so it might not work out well for you for mailto list-unsubscribes. It also prefers mailto over https.

If we build this as a mandatory feature at MailPace, we'll use an HTTPS webhook with a unique identifier for the email, so if you unsubscribe from a list sent via us, it will work for you.


I believe iOS & Outlook.com only support the mailto:.


Addy.io formerly AnonAddy does a good job at that. FastMail also.


> Just because the header is set, it doesn’t mean it’ll do anything

But they can track proxy metrics for this. For example people using GMail's builtin unsubscribe feature more than once with the same unsubscribe link for different emails is a pretty good indicator the unsubscribe did not work.
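The proxy metric this poster describes can be checked on a mailbox-side event log. As an added example, not code from Google or from the poster, the function below runs over a constructed log of "received" and "unsubscribed" events keyed on the recipient and the List-Unsubscribe link, and flags senders that keep delivering to that pair after a grace window (two days here, matching the processing window discussed elsewhere in the thread) or whose link the user has to click more than once. The domains, addresses and links are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mailbox-side event log: (timestamp, kind, recipient, sender domain,
# List-Unsubscribe URL, Message-ID). Domains, addresses and links are placeholders.
EVENTS = [
    ("2023-11-01T09:00:00", "received",     "a@example.org", "shop.example", "https://shop.example/u/abc", "1@shop.example"),
    ("2023-11-01T09:05:00", "unsubscribed", "a@example.org", "shop.example", "https://shop.example/u/abc", "1@shop.example"),
    # already in flight when the request was sent: inside the grace window, not a finding
    ("2023-11-01T18:00:00", "received",     "a@example.org", "shop.example", "https://shop.example/u/abc", "2@shop.example"),
    # five days later the same list still delivers, and the user clicks the same link again
    ("2023-11-06T10:00:00", "received",     "a@example.org", "shop.example", "https://shop.example/u/abc", "3@shop.example"),
    ("2023-11-06T10:01:00", "unsubscribed", "a@example.org", "shop.example", "https://shop.example/u/abc", "3@shop.example"),
    # a sender that honoured the request: the later message carries a different list's link
    ("2023-11-02T08:00:00", "received",     "b@example.org", "news.example", "https://news.example/u/xyz", "7@news.example"),
    ("2023-11-02T08:10:00", "unsubscribed", "b@example.org", "news.example", "https://news.example/u/xyz", "7@news.example"),
    ("2023-11-20T08:00:00", "received",     "b@example.org", "news.example", "https://news.example/u/other", "9@news.example"),
]


def find_ignored_unsubscribes(events, grace=timedelta(days=2)) -> dict:
    """Return {sender_domain: {"late_deliveries": n, "repeat_unsubscribes": n}}
    for senders that keep mailing a (recipient, link) pair after the recipient
    unsubscribed through that link. Deliveries inside `grace` are tolerated
    because mail already queued when the request arrived is not a violation."""
    first_unsub = {}                      # (recipient, link) -> time of first request
    findings = defaultdict(lambda: {"late_deliveries": 0, "repeat_unsubscribes": 0})
    for ts, kind, rcpt, domain, link, _msgid in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (rcpt, link)
        if kind == "unsubscribed":
            if key in first_unsub:
                # same link clicked again on a different message: the first request did nothing
                findings[domain]["repeat_unsubscribes"] += 1
            else:
                first_unsub[key] = when
        elif kind == "received" and key in first_unsub:
            if when - first_unsub[key] > grace:
                findings[domain]["late_deliveries"] += 1
    return dict(findings)
```

Keying on the exact link only works when the sender reuses the same link for a recipient across messages, which is what the post assumes; a sender that mints a fresh token per message would need the key to be (recipient, sender domain, List-Id) instead, and a receiver with Gmail's volume would aggregate these counts per sender before acting on them.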


Yep, just another step towards “we only accept email from Yahoo and Microsoft and they only accept mail from us”.


I'm cautious as well. We all hate the spam and dark patterns, and Google is a relatively responsible citizen of the email world in my experience so I hope this will be a positive step.

However if email blocking becomes too aggressive then it can easily result in mails containing information that senders are literally required by law to provide to the recipient being silently dropped, which essentially means the mail service has caused the sender to unknowingly break the law. The penalties for not providing required information under consumer protection rules can be extremely serious in jurisdictions like the EU.

And Joe Random can be a real customer who you are really required to provide with information but can still hit the "this is spam" button if they don't particularly care or want to see it so reading too much into self-reported spam flags is a bit of a slippery slope. Combine that with mandating one-click unsubscribe but possibly without recognising types of emails that again the subscriber literally can't legally not send (at least not without sending the same information to the same recipient some other way instead) and there could be some real danger here.


Why is list-unsubscribe optional for your senders?


It's transactional email - so generally speaking it's not a subscription list that recipients are on per se. This is in line with the CAN SPAM guidance (although that is a US law it's good guidance to follow globally).

Also it requires senders to actually implement it, which is not possible to confirm. Although we could add a catch all service that does this automatically, which I think we'll do.


As someone who gets tons of transactional email I didn't sign up for (wrong address), please do implement your catch-all service and make unsubscribe mechanisms mandatory. If I can't stop it, I mark it as the spam it is, which can't be great for deliverability.


Oh lordy this so much this. As a holder of a beloved 5 character gmail address that is a common first and last name let me tell you that the misdirected email I receive is insane and countless. Services with a reputable unsubscribe get unsubbed and then I move on. Services with no way to unsubscribe get marked spam each and every single time. Services that do that are effectively dead to me because if they ever do send a legit email gmail will automatically flag and remove them for me and I can't help but believe (with some insider knowledge) that this also impacts deliverability to other gmail accounts.


There’s nothing to unsubscribe from if it’s transactional email. You aren’t on a mailing list. You can’t be removed from a non-existent list you aren’t on.

Are you asking to be blacklisted from all future transactional email from a particular service? That’s something very different to being unsubscribed. You’re asking to be added to a list, permanently.


Most of these transactional messages are associated with customer accounts. They absolutely can remove email addresses from those accounts. The problem isn't emailed receipts from typing in your email address at a brick and mortar checkout or "guest" checkout on an online store.

As I was writing this message, Florida Power and Light sent me yet another "transactional" message I can't unsubscribe from because they're under the mistaken impression I'm their customer.


I get tons of messages from otherwise reputable companies (household names) that have no "unsubscribe" options because they consider the messages required for active account holders (and I'm not ready to close my account) but the messages certainly aren't triggered by a transaction that I'm party to. For example, banks will periodically inform me about how I should stay vigilant to avoid fraud, and all sorts of similar concepts. Any thoughts on whether this type of stuff violates CAN SPAM?


"Transaction email" reminding you your subscription is up for renewal in 16,356 days (and repeat) including tons of ads for other products.


This is the definition of spam. Unsolicited email with no way to revoke consent. Your user’s recipients should be able to revoke consent whenever they feel like it. If they can’t reply to the email, or unsubscribe, and the only choice to revoke consent is to mark an email as spam … you are sending spam.


No, it is not. You're missing a few key qualifiers that will depend on the country but generally include the notion of "bulk" email (thus directly excluding transactional emails).

A couple examples of such nuancing qualifiers:

- "unless prior permission has been obtained or unless there is a pre-existing commercial relationship between the parties" (UK)

- "for the purposes of direct marketing" (EU)

You may read this table to get more examples of local definitions and the associated regulations, per country: https://en.m.wikipedia.org/wiki/Email_spam_legislation_by_co...


"thus directly excluding transactional emails"

I'm not excluding transactional emails because to someone who doesn't want your email ... it is not transactional.

You are making a bunch of leaps of logic:

1. The person you are emailing is the same person using your service.

2. The person you are emailing consents to you emailing them about your service.

Consent can be withdrawn at any time, it doesn't matter if it is "transactional" or not, "legally spam" or not. This is just basic human decency and if you cannot follow it ... then this is why we need laws, I guess.


> but as it comes from Google and involves email centralisation

That's my concern as well. Ah well, we'll just mark them as arc=pass and sit back and relax.


I'm wondering if they see enough gmail traffic receiving such an email that maybe they can infer how much funny business might be going on?


Why would you allow users to unsub from transactional emails?


Wrong address is one reason. For example, I receive transactional emails from a US-based ISP for someone else and the only way to unsubscribe is calling their customer service line. I’m not even in the same country.


Exactly, seriously -- I get monthly+ e-mails from a gym and a car dealership and some golf course because somebody else put in my e-mail.

I contacted the customer support for all of them and they said they can't do anything about it. To change the customer's e-mail address, I need to prove I'm the customer, and obviously I have no idea who they are.

So I gave up and implemented a Gmail filter in the end, but I definitely wish that parallel with the traditional unsubscribe, there was a way to say "this isn't that person's e-mail". Where I don't have to prove I'm the person, I just have to demonstrate I receive the e-mails.


The best part is when they aren't in a language you understand, and the site doesn't have one available.

I have in the past had very good data on how often a Russian guy got a haircut.


These aren’t transactional. An email isn’t transactional just because the sender has a relationship with the recipient.


I think they mostly are -- they're all about reminders for upcoming appointments and vehicle checks (the dealership), confirmation of bill payment and notices of rate rises and holiday hours (the gym), and confirmations of tee time reservations or payments or something or other with the golf course.


What definition of transaction relates to a notice about holiday hours?


What's your point?

I'm not sending these.


I have that friend that whenever I don't feel like putting my own email or phone number I just put his. You probably have that friend too, the other way around


Why don't people like you just spend exactly 2 minutes to create a bogus gmail (or etc) account for yourself that you put down when you don't want to put your own email in? I just cannot fathom any reason for you doing this that isn't just malice. Surely nobody is just so _lazy_ that they intend to screw over their friends over a minute or two process making an account.


It's a prank. Meant to be funny. Best when signing up for something which might be construed as embarrassing.

I've also done this where I've donated $25 to U of California in the name of my friend who went to Stanford (rival universities). He's likely still getting calls.


The rival university one seems like a solid prank. The user I replied to did not make it sound like the intent was to be funny.

> whenever I don't feel like putting my own email or phone number I just put his

This sounds more like malice than well thought out humor. If I found out someone I knew and respected was using my primary contact information for spam emails at <insert random pet supply store or random restaurants' rewards programs here> I would definitely consider not talking to that person much any more. The rival university one however I would let slide because the intent from you is obviously different.


> Why don't people like you just spend exactly 2 minutes to create a bogus gmail (or etc) account for yourself

Have you tried doing this recently? Creating an email address has become a fairly draconian process.


Yeah, I just made a new google account today. It takes about 2 minutes. You need a birth date (easily lied about), a phone number (it's google, they have your phone number already, no reason to lie) where they will send you an 8 digit code for you to confirm, then type in your desired email address and your password. Hardly draconian. Voilà, you have a gmail account. You can do more to ensure you're the only one that ever logs into it if you like, but chances are if you're setting this account up for the purpose we're talking about, you're just writing down the email address you set up and then forgetting everything else.

I'm not sure, are you implying that it is not worth doing this, and you would rather instead just pollute the inboxes of people that happen to know you? If so, would you like to be friends? I'd be happy to receive your junk emails if in exchange I can come by your place and just leave my trash in your front yard/driveway.


Phone number is draconian.


Google doesn't require a phone number if your ip / whatever they are doing to profile you has good reputation


Not that it’s really all that draconian anyway. Tying an address to some other piece of verifiable information is valuable when they probably have to respond to abuse complaints for thousands of gmail addresses every week.


If you want an account for legitimate mail, fastmail and gandi both make it trivial to add another email alias.

If you want an account for random garbage that demands an email address, use mailinator.


Why would you do that?


What is wrong with you?


I get a number of these for some reason. If they don't let me unsubscribe, I just report it as spam. It's not perfect, but it's what little I can do.


I still have a quite short firstname@gmail.com address, and those emails were unbearable about 10 years ago. Several times, the only alternative was resetting the password and taking over "someone else's" account to then change the email to a disposable provider like Mailinator.

Hostile? A bit, but after contacting services and complaining, nothing would get done anyway.

I ended up changing email providers because of that.


This is not a spam problem but a security one. I received one guy's (from the other side of the world) contracts and financial transactions. A mistake in the domain name has resulted in his ?partner sending this information to me. Someone else could have used it. I think the process to handle these should be a bit different.


The problem, as I know very well, is that when you have a common sounding email, all kinds of people use it for all kinds of things. I get dozens of transactional emails a week from stores multiple states away.

A big part of why I’m stuck on/with gmail is that filtering redirects about 90% of those to spam.


> A big part of why I’m stuck on/with gmail is that filtering redirects about 90% of those to spam.

That doesn't really make sense? If you used an address on your own domain, other people would be pretty unlikely to enter that email address instead of their own. The problem with misaddressed email should be limited to domains with really high username density; nobody else than the Gmails and Outlooks of the world need to solve the problem because nobody else also has the problem.


Because having used an address personally and professionally for close to 20 years, I can’t really abandon it, and I honestly get way too much important stuff to only go in there once a month or so. If I forward all emails to the new address, I get buried under the avalanche.


Why limit yourself to only either forwarding emails or to "check for important emails" once per month?

For example, email clients generally allow you to use multiple accounts at the same time. Configure your client to read emails from both accounts at the same time, and any time an important email arrives at the legacy account try to update the sender.

(I mean, I'm sure that xkcd.com/1172 applies, but still this seems like an odd thing to be blocked by.)


Because I don’t care enough, really. Email is something I use because one is expected to, not because one wants to.


IMHO, that sounds like more effort than configuring Emacs to map a CPU temperature rise to a Ctrl keypress.

I'd rather begrudgingly keep taking advantage of Google's spam filter over adopting the added workflow branch that is perceivably likely to trail me for another decade-plus.


Ha, I knew it was gonna be the workflow one!


Transactional email intended for other people is exactly my problem.

My name is common in certain areas, and I consistently get transactional email from banks, telecoms, and insurance companies around the world.

These businesses do not verify that their customers’ email is truly their own prior to sending emails.

Framing custom domains as the solution to this problem is a bit rash, no?


I'm not framing it as a general solution. But the GP was already migrating to a different domain and claimed this was the main blocker.


Custom domains aren't a panacea. I own my last name as an email domain, but my last name is one letter different from a building supply company in my country. I regularly get purchase orders sent to me instead of them, so even in a small country with a custom domain you can't escape misaddressed email.


I'm having the same thoughts.

On one of my SaaS apps workers receive details on their shifts via email. If I allow them to one-click unsubscribe, I know there will be many who do so accidentally, with no idea how to resubscribe.

Currently they need to sign in and manage their contact methods in settings (email, SMS, etc). Thus they know how to re-enable it if they disable it.

I can see many support requests from managers saying "X worker isn't getting emails". Sigh.


You can simply put two buttons on the email, one for unsubscribe, one for re-subscribe. If they unsub by accident they can simply pull the last email and re-sub. It's not rocket science.


AFAIK Google shows you an unsubscribe button/link separate to the email and performs the POST request to your server. There's no option to ask Gmail to show a resubscribe button/link.
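The mechanism this post and the earlier MailPace reply describe is RFC 8058 one-click unsubscribe: the sender adds a List-Unsubscribe header with an https URL (RFC 2369 only gives mailto examples, and the earlier reply's point stands that an https webhook with a per-subscriber identifier works even when the user's catch-all sends from a different address) plus List-Unsubscribe-Post: List-Unsubscribe=One-Click, and the receiver POSTs that same form body to the URL. As an added example, not MailPace's or Google's code, the block below builds both sides: an outgoing message whose link carries an HMAC-bound (recipient, list) identifier, and the webhook handler that verifies it. The signing key, example.com addresses and the unsubscribe.example.com endpoint are constructed.

```python
import base64
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs

# Constructed signing key and endpoint for the example; a real sender keeps the
# key in a secret store and serves the endpoint from its own webhook host.
SIGNING_KEY = b"example-only-signing-key"
UNSUB_BASE = "https://unsubscribe.example.com/u/"
MAC_LEN = 16


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(recipient: str, list_id: str) -> str:
    """Stateless per-recipient, per-list identifier: payload plus truncated HMAC.
    The link names the subscriber regardless of which address any reply comes
    from, and a guessed or edited token fails verification."""
    payload = f"{list_id}|{recipient.lower()}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()[:MAC_LEN]
    return _b64u(payload + mac)


def parse_token(token: str):
    """Return (recipient, list_id), or None if the token is forged or corrupt."""
    try:
        raw = _b64u_decode(token)
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        return None
    list_id, sep, recipient = payload.decode("utf-8", "replace").partition("|")
    if not sep:
        return None
    return recipient, list_id


def build_message(recipient: str, list_id: str, subject: str = "Weekly update") -> EmailMessage:
    """Sender side: an outgoing message carrying the RFC 8058 one-click headers."""
    token = make_token(recipient, list_id)
    msg = EmailMessage()
    msg["From"] = "news@example.com"          # constructed sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["List-Id"] = f"<{list_id}.example.com>"
    # https first so one-click receivers prefer it; mailto as a fallback for
    # clients that only support mailto (the token rides in the subject).
    msg["List-Unsubscribe"] = (f"<{UNSUB_BASE}{token}>, "
                               f"<mailto:unsubscribe@example.com?subject={token}>")
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content("Hello.\n")
    return msg


def handle_one_click(method: str, path: str, content_type: str, body: str):
    """Webhook side: the receiver POSTs 'List-Unsubscribe=One-Click' as a
    form-encoded body to the https URL. Returns (http_status, (recipient, list_id)
    or None); 200 means the pair is to be suppressed immediately, with no
    confirmation page, since no human is behind the request."""
    if method != "POST":
        return 405, None
    if not content_type.lower().startswith("application/x-www-form-urlencoded"):
        return 415, None
    if parse_qs(body).get("List-Unsubscribe") != ["One-Click"]:
        return 400, None
    parsed = parse_token(path.rsplit("/", 1)[-1])
    if parsed is None:
        return 404, None
    return 200, parsed
```

Because the token is bound to the list as well as the recipient, a one-click request only removes that one list, and because it is bound with an HMAC, the endpoint cannot be used to enumerate or unsubscribe arbitrary addresses; a GET on the same URL can serve a human-readable page for clients that do not implement the POST.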


Or, send an email saying

“Hey. You unsubscribed. Here’s a link to resubscribe if you happen to want to!”

Right after someone unsubs.


You could also send them a reminder a few days later, just to be sure that they meant it. And then perhaps every week or so for good measure.


And you could probably take the time to add your weekly special deals to that reminder email, in case they might see something they like or need.


That seems to be a bad idea. The new rules state that you need to process the unsubscription within 2 days. Sending an email a few days later sounds like a good way to make it on the naughty list.


Don't be absurd - those rules are for evil spammers, not for your marketing department.


There’s a far cry difference giving someone a subscription link at unsub time and spamming resub links.

It’s already pretty standard practice to send an email notifying that the unsub request was processed.


I suppose the best you can do is indicate how to re-subscribe in the unsubscribe confirmation email and say, “you should save this email! Here are alternate channels to receive your schedule if needed.”

Perhaps you could notify the manager when a user unsubscribes? Puts the ball in their court to notify the user (their employee) they aren’t going to get critical emails. Make sure any unsubscribes show up in a log available to your customer.


Because I don't need or want:

- confirmation of my order

- my order has been despatched

- my order is out for delivery

- my order has been delivered to locker

- reminder to collect from locker

- my order has been collected from locker

- feedback on customer support chat experience

- my return label has been generated

- reminder to return my item

- my refund is processing

That's Amazon, in case it's not obvious. I don't need any of that by email, I immediately archive it, and if I want to know I look in my account, not my email. I even have the app installed and notifying me with all of the same and more (I'm spared 'x stops away' by email).


You are evidently in a tiny tiny minority of people with very special needs. The vast majority of users want to get these notifications, and most want to have them sent by email because it is one of the most ubiquitous channels along with SMS and allows the recipient to "keep living and check the message later on when the time is right" (contrary to a regular in-app notification).

The vast majority of Amazon customers do not have its app installed. And those who do have the app can disable Amazon emails or create filters in their own mailbox, it's not exactly difficult.


> And those who do have the app can disable Amazon emails

No you can't, that is the point that is being discussed.


I get most of those twice, because the carrier is _also_ sending me "we received a package for you", "it is out for delivery" etc.


So they don't start getting blocked as spam? For transactional emails deliverability is often CRITICAL.

Oddly, on the cash app thing, I have a very basic username and seem to constantly have folks sending me money, sometimes good amounts. I never use the app, and eventually I hope the money goes back if I don't collect it.

More annoying on email but much less than it used to be - I think more systems require email verification now so a bit less common to get the misdirected order emails etc.

But yes, if I can't unsubscribe - then I block and report spam - even if it looks like transactional email (some is a lead-in to a scam where they will refund you for the "bogus" purchase).


You wouldn’t, if they’re true transactional messages instead of poorly veiled marketing ones.

Think of it the same way Canada’s anti spam law (CASL) works. https://emailkarma.net/2016/09/qa-transactional-emails-unsub...


I got a really cool vanity email address, back in the early days of gmail. But the downside of that is 100s of goofball people around the world randomly guessing it when they want to put some bullshit value in a field on a web form. The worst was when my address got posted to some Indian jobs forum, under a title like "test job" - I got dozens of applications per hour for a few days. I had to make filters to block all email that included the words "bangalore", "delhi", or "hyderabad".

Anyway, the job applications have died down, but I still get plenty of others for people who are creating accounts. I unsubscribe when I can, and "mark spam" when I can't.


This sounds like the Steve Wozniak story from his college and early Apple days. He was apparently an inveterate prankster, especially phone related. After starting Apple and gaining some influence in the tech world, he managed to secure a mobile phone with the number (888)888-8888 - something he'd desired for years but could only realise once the 888 area (mobile) code came into use. Well his life became a living hell - he'd receive calls at all hours, usually with only rustling or scraping sounds, sometimes breathing and the occasional gurgle. The penny finally dropped when he heard a stern motherly voice in the background of one of these calls shouting: "Put down that phone, Jimmy!" He realised that babies all over America were picking up push button telephones and hammering the most obvious button - the one right in the middle of the bottom row... He had to change his number because there was no way around this DDOS prank by The Universe.


Because (according to this announcement) if you don't, Google will put you in the spam folder.

Edit: I suppose it does say "unsubscribe from commercial email in one click". But it's hard to say exactly what they mean. They also don't define Bulk Senders - is that the domain or the sending SMTP server?


They defined bulk senders in the 3rd paragraph: "bulk senders — those who send more than 5,000 messages to Gmail addresses in one day"


> is that the domain or the sending SMTP server?


Let's hope from what ever comes first, or people will start sending from 1.example.com, 2.example.com ...


Because it's better than me just sending it to the spam box. Or worse, not interacting with your service.

At this point something as simple as ordering something online means I get 4-7 emails and then some growling "please rate us" shit. And if I am stupid enough to do so, but only rate it 4 out of 5, another "we are sorry, please tell us what we did wrong" email.


Perhaps I do not care to receive them? Why does a store allow me to say "no receipt please", but you think your transactional spam needs to reach me?


Something something the customer is always right?


Because you're not evil?


Reading all the comments makes me think I'm an outlier.

I very aggressively unsubscribe from everything so I get very little mailing list spam. Maybe a few messages a month.

What I do get _constantly_ is spam email messages to my inbox from Gmail and Outlook domains. At least one a day for many years. Because it from Gmail, they have very little spam filtering done, yet if any other provider sent these messages then Google would block the entire domain.

These particular spam messages get on my nerves, and these are the only ones making it through to me.


> I very aggressively unsubscribe from everything

Never unsubscribe from anything you haven't subscribed to (or at least where you haven't given your email address to the sending party), because I believe any interaction with unsolicited emails provides spammers with a clear signal that their spam is not just delivered but also read and interacted with, so they get more aggressive.


I've heard this advice before, but in my experience you can tell the difference between something malicious or not.

But more importantly even if I provide some signal that my email is active it's not going to change that much. They can send more, but that just helps train filters.

Lastly, default Gmail settings load remote images. Just opening the email is enough to create some signal. Having remote images turned off is enough to stop most engagement pings.


AFAIK Gmail downloads and caches all images server-side the moment it receives the email, then replaces them with cached versions when viewing. The only thing this tells you is that the address exists, not that anyone opened your email, which you already know since the email wasn't rejected.


Agreed. I block these addresses instead.


Yep, I'm the opposite of you. I get almost zero true "spam" to my Gmail account. Maybe 1-2 messages a month.

Whereas quite a few of these quasi-spam marketing emails from a company that I once had some interaction with. The worst is hotels - you stay at 10 hotels during the course of a trip, then you get added to 10 email lists for the rest of your life.


You might not get much spam delivered to your Gmail inbox, but that doesn't stop Gmail from being the largest _source_ of actually delivered spam.


I have a Gmail account I opened in the early days of Gmail and stopped using on a regular basis when I got my own domain around the mid-2000s. Whenever I occasionally check in, I always find heaps of spam. Many I've tried unsubscribing from and still get the mail -- obviously Gmail's filter doesn't take into account senders I've flagged time and time again as spam.


In the days I ran my own mail server for my domain I was surprised to find that well over 50% of spam originated from Google (both emails with @gmail.com domains but also emails from other domains being processed via their servers). And I wasn't even a Gmail customer, so it looks like they don't really filter outgoing mail to other providers. It made my inbound filtering quite tricky as I couldn't block Google as quite a lot of legitimate traffic comes from friends using Gmail so the other Spamassassin rules (e.g. content analysis) had to do much of the heavy lifting. A couple of years back I gave up and outsourced the MX for my domain to Fastmail. Interestingly they also struggle to filter Gmail messages (which isn't too surprising as they also use Spamassassin) but thankfully there are only a few a week that get past and I always make sure these are flagged as spam to train the filter. Over time they end up going into my Spam folder and eventually they just don't arrive at all due to my spam settings blocking high spam scores.


It is my experience too - about 50% of spam I see on my personal email are dmarc passing messages from gmail and hotmail.


...yet if any other provider sent these messages then Google would block the entire domain.

I doubt Google would do that to other big companies.

Some accept user-provided email addresses at face value, without any confirmation, and then refuse to stop spamming you.

Would Google block Paypal?


Usually when I get the spam you are describing sent to my gmail account it looks like some spammer managed to send obvious spam messages from a server on an authoritative domain like a university.


Well, if you see a pattern in the spam mail then you can set up a rule that filters the spam.

That’s what I have done on my outlook.


Most of the spam I get in gmail apparently comes from other gmail accounts. Presumably google already filtered out senders pretending to be gmail, so I am not sure what a big improvement this will be for the average user.


I've gotten a few emails from my own gmail account, spoofed, which inexplicably did not land in the spam folder. This happened to me on multiple different gmail accounts, too.


Click "Mark as spam" and the almighty machine learning might decide that the sender address (your address) is a spam sender.


This happens to me all the time, I honestly am not sure this measure is going to solve much.


Perhaps they wanted you to see that someone was trying to spoof you. They should have a better way of doing that though :/


Yeah, most outgoing sales people these days reach out using gmail. No unsubscribe links in any of them.


I receive a lot of scam emails from Google Docs - i.e. random users 'sharing' Google Docs with me that are either ads or viruses or both.


I got one of these once. Google does run spam classifiers for docs and you can report them as spam: https://support.google.com/drive/answer/13305033


Interesting I received a flood of these maybe 6 months ago. It never happened before and it never happened again.


The majority of my spam is to firstname.lastname@gmail.com, because I have a common name. I assume spammers put together a list of common names and infer addresses from them. This would probably help me a lot.


> Most of the spam I get in gmail apparently comes from other gmail accounts.

Are they actually from Gmail accounts, or are they simply spoofing the sender? My bet is on the latter, because Google has heavy restrictions on Gmail that make it impractical to use for sending bulk spam.

> I am not sure what a big improvement this will be for the average user.

It's not going to be particularly noticeable for the average user, except for the second part (single-click unsubscribe, as opposed to a multi-step flow, is slightly stricter than what's required by CAN-SPAM). It will probably make Google's work easier, though, by having a publicly-known policy of rejecting emails without DKIM, as opposed to the status quo of having that be merely an open secret.


The vast majority of spam we get that isn't trivially rejected (DMARC, malformed HELO, etc) is from real, actual gmail. But they sure do care about _incoming_ spam.


Gmail also has DMARC quarantine enabled. What’s more likely, that someone broke DMARC or that they stole someone’s password? My bet is on the latter.
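The comment above hinges on DMARC alignment: a forged gmail.com From: header fails DMARC and is quarantined, while mail from a compromised real account passes. As an added example, not code from this thread or from Google, here is a minimal DMARC disposition evaluator in Python. It parses a policy record, checks whether a passing SPF or DKIM identifier aligns with the From: domain under the record's strict/relaxed settings, and returns the policy action. The record string and the two scenarios are constructed for the example; the organizational-domain helper is a two-label approximation, not a Public Suffix List lookup.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed record for the example: it carries only the p=quarantine policy the
# comment refers to and is not gmail.com's actual published record.
EXAMPLE_DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=r; aspf=r"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tag=value pairs (RFC 7489 section 6.3)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC defaults: relaxed alignment for both identifiers; p= is mandatory,
    # so treating a missing one as 'none' is a lenient assumption for this demo.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption for this example: real evaluators consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                   # domain of the RFC5322.From header
    spf_domain: Optional[str]          # MAIL FROM domain that SPF evaluated
    spf_pass: bool
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def dmarc_disposition(r: AuthResults, record: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') a receiver
    applies when neither SPF nor DKIM both passed *and* aligned with the From: domain."""
    tags = parse_dmarc(record)
    spf_ok = bool(r.spf_pass and r.spf_domain
                  and aligned(r.spf_domain, r.from_domain, tags["aspf"]))
    dkim_ok = any(aligned(d, r.from_domain, tags["adkim"]) for d in r.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


# Constructed scenarios: a forged From: header versus a compromised real account.
# The spammer's own SPF and DKIM can pass, but neither aligns with gmail.com.
FORGED = AuthResults("gmail.com", "mail.spammer.example", True, ["spammer.example"])
COMPROMISED = AuthResults("gmail.com", "gmail.com", True, ["gmail.com"])

if __name__ == "__main__":
    print("forged From:", dmarc_disposition(FORGED, EXAMPLE_DMARC_RECORD))        # quarantine
    print("real account:", dmarc_disposition(COMPROMISED, EXAMPLE_DMARC_RECORD))  # pass
```

The second scenario is the point of the comment: DMARC cannot distinguish a stolen-password sender from the legitimate owner, because the mail really does leave Google's infrastructure with a valid signature.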


Spoofing the sender to show up as gmail.com on gmail.com is not possible.


Overall the changes seem sensible. For those wanting to self host there are plenty of guides out there on how to configure various MTAs with all of the required bits.

BUT, Why does IP reputation matter so much these days when you have DKIM, MTA-STS, DANE and other mechanisms that provide verification of the sender?

Say I want to startup a Email Service Provider, I need to go and source a bunch of IPv4 typically to have a premium upsell for end users to really ensure cross sender reputation does not impact other tenants. Crazy.

IPv6 historically at least was anecdotally punished by the likes of Gmail, Yahoo, Hotmail, Office365 etc. Does anyone know if IPv6 hosted email servers still suffer additional spam scoring?


Delivery via IPv6 still seems more stringent. IPv4 now requires "authentication" as well where previously only IPv6 did. Last I checked Google didn't use DANE, preferring instead MTA-STS -- perhaps understandable for a giant web property.


The authentication stuff is all standard practice so no big change IMO. However the hard spam limit with Gmail in particular will get interesting. I predict this is going to create some insane headaches for indie SaaS startups.

Gmail is the only inbox provider that doesn’t offer a real feedback loop (you don’t actually know if a given email address marked you as spam when sending to gmail users). The FBL in Google postmaster tools is anonymized and unreliable at best.

So essentially, you never know if a Gmail user marked you as spam so you can stop sending to them. Gmail will just by default mark your emails as spam for that user going forward, without telling you. This means your spam complaint level will inevitably rise over time without you knowing why and what email addresses are causing the issue.

Unless Gmail actually starts providing a real FBL like other inbox providers, the hard spam limit is going to snowball into a nightmare for even the most conservative and legitimate senders.


Honestly sounds like I'm on the side of Gmail here.

Think about this from the perspective of an actual spammer. You get a notification that address XYZ is marked as spam by user ABC. Well, now you just email user ABC from a different address.


Not even spammers want to waste time & money emailing people who have already marked their emails as spam (that's as clear a signal as any to move onto the next victim).

The real problem is, for legitimate senders, the people who send less emails actually get higher levels of spam complaints! This is because humans are human and they forget who you are. I would argue this actually incentivizes sending more emails. This is why marketers all recommend sending garbage emails daily/weekly/monthly.

The truth is, the companies with full-time spam (marketing) departments will do just fine with these changes. It's the little guy who is going to have to navigate these complexities (likely unsuccessfully), and get shut out from yet another technology that used to be open.

On top of that, Google has started to offer perks for senders within Gmail for a $1,500 per year fee (VMC). They're basically one step away from collecting rents on all of email by way of their monopoly.


I disagree with your analysis. I think they will limit the amount emails with garbage that people don't want to see if they risk getting their entire domain blocked over it.

I also don't think it's complicated for the "little guys". The solution to avoid getting banned is simply to not send mass spam. It's not rocket science, don't mass email people knowing that they get mad at you when they see your emails in their inbox.


Right - spammers (and legit marketers) do not want old or out-of-date email lists to work with. Wastes time and reduces the list's ROI.


Hijacking the thread: I do some "bulk" sending for a 501(c)3 I volunteer for. I include unsubscribe links that go to a form with a submit button (because I want the unsubscribe to be a POST request). Each link has a random opaque identifier in the query string. Something like:

hxxp://example.com/unsubscribe?id=abcd1234

A couple years ago I noticed MSFT IPs hitting my unsubscribe links with invalid identifiers on the query string. Anybody ever seen that?


In a previous life, we prevented the GET URL problem by having a JavaScript POST and forward to a secondary URL.

This allows everything to be "one click" (which honestly is a good thing) but prevents crawlers from accidentally triggering the unsubscribe.

Not sure this still works today and obviously this is not legal advice.


It seems like the more ideal solution would be to block the malicious IPs instead of lowering the accessibility of your site, no?


I think some crawlers run JS, because a lot of the web simply won't work without JS to initialise the page state these days.

You can use captcha or similar, one workaround I've seen has a submit that is hidden so never clicked by real people then a visible submit that sets a hidden input and clicks the other one which requires the hidden input... not foolproof but avoids some accidents.


A crawler that follows links found in emails and sends POST requests / submits forms will cause so much havoc. It could buy things, validate account sign-ups, delete data, etc. I have a hard time believing the answer isn't to ask users to switch to a normal email provider.


I know web search at least runs JS to get better results. Not sure about email pre-fetch but I assume they do. I don't think crawlers click buttons though unless they are malicious so it's probably fine for unique email links.


Not an answer to the question they asked.

---

Okay, HN. Go ahead and explain what's offensive here.

The question that was asked: "I noticed that MSFT IPs hitting my unsubscribe links with invalid identifiers on the [query] string. Anybody ever seen that?"

The question the parent commenter seems to have hallucinated: "Does anyone know how we can keep mail services from unsubscribing folks in error when these mail services scan our subscribers' emails, but also still offer our subscribers 1-click unsubscribe?"


You could imagine they started their post with "Yes, it's a pretty common problem here's what we did ..." and then it makes sense.


No, it doesn't. The original questioner is already aware of the extremely common phenomenon where mail providers scan links in emails. That's not what the question is about. The first comment contains a very specific question about something different. The response is derailing the discussion.


Yes, I know I've seen someone talk about this before, I think it's their link safety checking thing:

https://techcommunity.microsoft.com/t5/security-compliance-a...


It's odd that they're, essentially, fuzzing my app.


Agreed, it's curious! I wonder if they would still fuzz it if you changed the URL scheme to include the identifier as part of the URL path, rather than as a parameter? e.g., hxxp://example.com/unsubscribe/abcd1234

Please report back if you try it :-)


I could swear I've had that thing burn a one-time token for a password reset email before too, but it's hard to prove as a user. Doesn't feel great!


I might click an "unsubscribe" link in an email from an org that I know. But I'm not going to interact with the page that comes up.

If I get another email from that org, I click "report spam".


I thought it was part of CAN SPAM that you can’t require a second action and that was why the big email sending providers moved to that.


It's not really common for clicking a link to immediately unsubscribe, almost everyone requires you to click a button after navigating to the unsubscribe link. Otherwise you have issues with link scanners unsubscribing your recipients without their knowledge. There are some more complex ways to approach this with JavaScript checks for "real browser" but IMO these are more likely to create frustrating friction to unsubscribing (by not working if the user has an adblocker for example) than having the user click a button.

I've seen this pattern of unsubscribe link, then click button approved as CAN-SPAM compliant more than once so I don't think there's a legal concern. The CAN-SPAM rule seems more targeted at the systems you used to see a lot that required the user to log into their account, type in their email address, or figure out a complicated "communications preferences" list to use the unsubscribe form.

check out https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C...

It's a little fuzzy to me how exactly to interpret this but I think you could reasonably read it as allowing even unsubscribe pages that require you to type your email address in again (even though I detest these and don't think the problem they're intended to solve is a meaningful one).


> unsubscribe pages that require you to type your email address in again

These are fine for me if the email is prepopulated.


So many email security systems preemptively access every URL in messages. I found that I receive a GET for virtually every unsubscribe URL I send out.

I don't read clicking a "confirm" button as a second action. The attorney didn't either. He also said CAN SPAM doesn't apply to a 501(c)3. I still try to comply to be a good citizen.


You can require a second action such as clicking a button.

What you can't do is take them to a page that says "to unsubscribe, send a certified letter to our headquarters and wait 90 business days". The entire transaction must be completed at the page you link to.


Or, as I so often get, ask me to log in to "my account". Which is not my account, it's someone else's account but they don't know their own email address, so logging in is probably technically unauthorised access to computer systems and highly illegal.

Bonus points when contacting support requires me to log in to "my account" too.


Google requires senders to use the `List-Unsubscribe-Post` and `List-Unsubscribe` headers, which use a POST request to avoid this problem.

Details: https://support.google.com/mail/answer/81126#zippy=%2Crequir...

(I work for Google, but on something totally unrelated, and don't speak for them or have any inside knowledge. I was just curious and looked it up.)


Probably true but how do you handle autodetonation of email links in that case? Too many emails servers will click links automatically to check for issues.

That was my understanding at least.


Unsubscribe link goes to a page that has a form that's automatically submitted via JavaScript. Disable that for the first 5 minutes of that link's life to get around automated things.


It'll likely be the URL rewriting feature in Microsoft 365 and Outlook.com. The URL will be scanned before it's rewritten.


I've never understood why some emails are ending with :J? I thought it was a meme I didn't understand. It turns out it's just Outlook doing its thing


It's not just Outlook. Teams is messing that up just as well, and so did RiF on Android.

Turns out, dealing with Unicode beyond 2 bytes (i.e. anything above ASCII and the common Latin characters) is still a problem in 2023.


Some versions of Outlook autocorrected a smiley to a J in the Wingdings font.


This is exactly what the List-Unsubscribe-Post header from RFC 8058 provides: https://www.rfc-editor.org/rfc/rfc8058. The unsubscribe button that Gmail, Apple Mail and others display is driven by that; it's not a Gmail feature.

Weirdly, if google thinks you're a dodgy sender they won't display the button, which seems counterproductive to me.
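The two comments above (the one citing Google's requirement for List-Unsubscribe and List-Unsubscribe-Post, and this one citing RFC 8058) describe the mechanism without showing it. As an added example, not code from this thread, from Google or from the RFC, here is both halves in Python: the sender attaches the two headers, a client-side helper shows when a mail reader may offer the one-click button and which URL it POSTs to, and a server-side handler changes state only for a POST carrying the exact form body the RFC fixes, so a link scanner's GET lands on a confirmation form and unsubscribes nobody. The domain, endpoint and token-to-address table are constructed for the example.

```python
import re
from email.message import EmailMessage
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs

# Assumed endpoint for the example; not a real service.
UNSUB_BASE = "https://lists.example.org/unsubscribe"
ONE_CLICK = "List-Unsubscribe=One-Click"   # literal value fixed by RFC 8058


def build_message(recipient: str, token: str) -> EmailMessage:
    """Outgoing list mail with the two headers RFC 8058 requires for a one-click button."""
    msg = EmailMessage()
    msg["From"] = "Newsletter <news@lists.example.org>"
    msg["To"] = recipient
    msg["Subject"] = "Monthly update"
    # List-Unsubscribe must carry an https URL; a mailto: alternative may sit beside it.
    msg["List-Unsubscribe"] = (
        f"<{UNSUB_BASE}/{token}>, <mailto:unsubscribe@lists.example.org?subject={token}>"
    )
    # Tells the client that a POST of this exact body to the https URL unsubscribes.
    msg["List-Unsubscribe-Post"] = ONE_CLICK
    msg.set_content("Plain-text body.")
    return msg


def one_click_target(msg: EmailMessage) -> Optional[str]:
    """Client side: offer a one-click button only if both headers are present, and
    use the https URL (mailto: entries are not eligible for one-click)."""
    if str(msg.get("List-Unsubscribe-Post", "")).strip() != ONE_CLICK:
        return None
    for url in re.findall(r"<([^>]+)>", str(msg.get("List-Unsubscribe", ""))):
        if url.lower().startswith("https://"):
            return url
    return None


def handle_unsubscribe(method: str, path: str, body: str,
                       subscribers: Set[str], tokens: Dict[str, str]) -> Tuple[int, str]:
    """Server side: only a POST whose form body is the RFC 8058 value changes state.
    A GET (link scanner, URL-rewriting proxy, or a human following the footer link)
    receives a confirmation form and nothing is unsubscribed."""
    token = path.rsplit("/", 1)[-1]
    address = tokens.get(token)
    if address is None:
        return 404, "unknown token"
    if method != "POST":
        return 200, "confirmation form"
    form = parse_qs(body, keep_blank_values=True)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return 400, "not a one-click request"
    subscribers.discard(address)
    return 200, "unsubscribed"


if __name__ == "__main__":
    tokens = {"tok123": "alice@example.com"}   # constructed opaque token -> address
    subs = {"alice@example.com", "bob@example.com"}
    msg = build_message("alice@example.com", "tok123")
    url = one_click_target(msg)
    print(handle_unsubscribe("GET", url, "", subs, tokens))          # (200, 'confirmation form')
    print(handle_unsubscribe("POST", url, ONE_CLICK, subs, tokens))  # (200, 'unsubscribed')
```

The same https URL serves both paths: the mail client POSTs to it for one-click, and the footer link in the body points a human at it for the confirm-button flow, which is why a bare GET must never be treated as an unsubscribe.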


Some companies attempt to hit every link in order to cache the link and then embed their own link so that they can track those links, and also to examine for malware. I work for a marketing SaaS and what made us break away from the monolith structure was that our server was getting blasted to hell and back by the sheer volumes of tracking links that were automatically followed by email providers.


Several antivirus scanners and mail providers open links to check for malware. I believe they add some randomness to either bust through cache or to detect if the URL is encoded as an exact match (some exploit kits will redirect to google.com if you alter the URL in any way or after x requests to the same URL).


Yes, I have seen this in a couple of my SaaS applications.

If it's in the querystring then they essentially fuzz it by changing some part(s) of the value. I noticed this because I use signed tokens and it raised an exception in Sentry when the signed token was invalid.

I ended up moving the signed token into the URL itself and the problem went away. eg. /unsubscribe/abcd1234/
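This comment, the earlier one about MSFT IPs hitting unsubscribe links with invalid identifiers, and the later remark that the opaque id is supposed to be unguessable all point at the same design: a token that the server can reject cheaply and silently when a scanner mutates it. As an added example, not code from any of those posters, here is one way to build such a token in Python: a random 8-byte subscriber id bound to the list by a truncated HMAC-SHA256, verified before any database lookup, with the id placed in the URL path as the comment suggests. A flipped character or a truncated token returns None rather than raising, so a fuzzing probe becomes a 404 instead of an exception in error tracking. The key, the subscriber table and the route shape are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: in production this key comes from secret storage, not from import time.
UNSUB_KEY = secrets.token_bytes(32)
ID_LEN, MAC_LEN = 8, 16   # 24 raw bytes -> exactly 32 URL-safe base64 chars, no padding


def make_token(subscriber_id: bytes) -> str:
    """Bind an opaque random subscriber id to this list with a truncated HMAC-SHA256.
    The address itself never appears in the URL; the id only means something server-side."""
    if len(subscriber_id) != ID_LEN:
        raise ValueError("subscriber id must be 8 bytes")
    mac = hmac.new(UNSUB_KEY, subscriber_id, hashlib.sha256).digest()[:MAC_LEN]
    return base64.urlsafe_b64encode(subscriber_id + mac).decode("ascii")


def verify_token(token: str) -> Optional[bytes]:
    """Return the subscriber id if the token is intact, else None. Never raises, so a
    mutated or truncated token from a link scanner is a quiet 404, not an exception."""
    if len(token) != (ID_LEN + MAC_LEN) * 4 // 3:
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) != ID_LEN + MAC_LEN:
        return None
    sid, mac = raw[:ID_LEN], raw[ID_LEN:]
    expected = hmac.new(UNSUB_KEY, sid, hashlib.sha256).digest()[:MAC_LEN]
    # Constant-time comparison: a forged MAC should not leak how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    return sid


def route_unsubscribe(method: str, path: str,
                      subscribers: Dict[bytes, str]) -> Tuple[int, bool]:
    """Route /unsubscribe/<token>. Returns (status, state_changed). The MAC check runs
    before the subscriber lookup, so probes with invented ids never touch the database."""
    sid = verify_token(path.rsplit("/", 1)[-1])
    if sid is None or sid not in subscribers:
        return 404, False
    if method != "POST":
        return 200, False          # confirmation form; a GET never unsubscribes
    del subscribers[sid]
    return 200, True


if __name__ == "__main__":
    sid = secrets.token_bytes(ID_LEN)
    subs = {sid: "alice@example.com"}          # constructed subscriber table
    tok = make_token(sid)
    print(route_unsubscribe("GET", f"/unsubscribe/{tok}", subs))       # (200, False)
    print(route_unsubscribe("POST", f"/unsubscribe/{tok[:-1]}x", subs))  # (404, False)
    print(route_unsubscribe("POST", f"/unsubscribe/{tok}", subs))      # (200, True)
```

Counting the 404s per source address is a cheap way to see the scanner traffic the original poster noticed without it ever raising an alert in the application's error tracker.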


If you are sending out HTML emails, can't you just make the unsubscribe button a submit button in the form?


I am sending text-only messages. (I hate HTML email, personally.)


You may not have to comply with CAN SPAM legally, but I absolutely hate when orgs do this.

Please try to make the world a better place instead of doing the legal minimum.


What else should I do? The list is double opt-in, every message includes a one-click unsubscribe link, full contact info for the organization is included, and I send text-only.


My reading is that in your comment they replied to, you said you require confirmation for unsubscription.

One click unsubscription is presumably what they want.


I require a button to be clicked to confirm. No entry, no JavaScript, nothing else. Just something to make a POST request because I receive GET requests for almost every URL I send out.

My experience is that every unsubscribe goes to a form w/ a submit button. Shitty ones make you type your email address. (Mine doesn't.)


I've seen a hybrid where you have a form with a button to confirm, but include JavaScript to auto-submit the form on load. For the crowd that has JS disabled, they can click the button, but otherwise it's one-click from the email.

No idea if this holds if/when the email crawler bots start executing JS on crawl.


I don't have a problem with that but it’s definitely a second click.

Just did a bit of unsubscribing and sydneytools.com.au, abc.net.au, squabblr.co, bundlehunt.com, and healingstreams.tv all have one-click unsubscribe.


Doesn't matter to me, if an email doesn't have a one click unsubscribe I just mark it as spam. Messes with their email reputation so they hopefully get kicked off of reputable email services.


"!" key shortcut to mark as spam in Gmail web interface. I use it all the time. If I didn't expect and don't want the email you sent, then it is spam, regardless of what fine print I clicked through unknowingly at some point.

Would love for an "Unsubscribe Sunday" unofficial holiday to catch on to the same degree as "Cyber Monday".


Why would you ever unsubscribe? Unless I remember subscribing, then this is spam.

I don’t ever remember subscribing to anything. Almost all email is undesired, apart from password reset emails.


Unfortunately for us, the Privacy team at our org has determined that a one-click unsubscribe link in the body of the email is unacceptable (passing an identifier into the URL of the link). So we accept either the client unsubscribe link, or users who click the unsubscribe link in the email have to provide their email address on the unsubscribe page.


That's rather ridiculous. There's a good reason not to put a one-click unsubscribe button in the email (email scanners will GET every URL you link to check for malware and you end up auto-unsubbing your recipients) but emails already inherently contain personal information: the email address they're directed to.


What was the legal reasoning behind this?


If someone gets forwarded the email and they take action based on another person, or erroneously get unsubscribed by an email scanning tool, those are no-no events according to our lawyers.

Keep in mind our webforms you can put whatever email you want in them. But something to do with the fact that we are knowingly storing the information and it crosses to another system.


That shouldn't stop you from including such a link in the header and keep the non-oneclick link in the footer. Nowadays, emails are forwarded embedded, not as EML attachments, so the header link wouldn't be included. You have to jump through hoops to forward as EML.


Yes, that's what we do. We have the one-click through the client at the top, and the link at the bottom takes you to a more robust "preference center" that combines preferences from multiple systems (marketing, sales, product, etc).

That doesn't stop people from sending in a spate of complaint emails every single day. But this is kind of the local minimum we have found and no one really wants to mess with it at this point.


I do exactly the same. I give them one chance to let me unsubscribe. If it is more than 2 or 3 clicks I give up and mark as spam. If they keep sending I mark as spam.


I honestly don't care about their reputation, I just mark anything I don't want as spam. It's easier than finding the tiny 8-point link at the bottom and rolling the dice on whether their unsubscribe is one click or not. I don't feel obligated to protect their shitty business model.


I once went to an Atlassian conf and they resold all our emails to dodgy people. Or perhaps leaked them over the black markets.

Not only do I keep receiving almost the same email suggesting to buy 5,000 email addresses of Atlassian customers with always the same fields, but it’s always from different domains.

I didn’t think of submitting an Atlassian ticket for each spam I receive. That would teach them.

NEVER give your true email to Atlassian.


Same with Blackhat. You can provide a different e-mail on your profile... and then they'll still happily pass both that and your original sign-up address to any vendor you interacted with, and it will be resold so you end up with spam from vendors that weren't even there.


I think that happens with most conferences these days.

Happened to the disposable email address I sent to the International Manufacturing Technology Show, the A3 Automate show, and the Advanced Manufacturing Expo.

I understand giving my business card or email address to a new vendor I meet at the show. That's the point of the thing.

I do not understand why these shows sabotage themselves by selling their reputation to spammy marketers.


biglots is horrible about this. I have unsubscribed MULTIPLE times and I keep getting emails. Now marked as spam


This isn't as big of a change as it sounds.

There are three requirements. The first requirement - DKIM - is already a de facto must-have when sending emails to avoid getting marked as spam. The second is also a legal requirement in the US for all commercial email under the CAN-SPAM act[0]. And the third is more or less how email delivery has worked for the last 20 years or so anyway.

[0] The "one click" and "within two days" parts are a little stricter than the bare minimum CAN-SPAM requirements, but not much, and they are not difficult for any legitimate sender to implement.


The one-click part I believe is referring to the unsubscribe smtp header.

CAN-SPAM is ignored for the most part anyway, e.g. LinkedIn requires recipients to authenticate in order to unsubscribe and openly violates the letter and spirit of the law to the point scripts are required: https://github.com/chengyin/linkedin-unsubscribed


> CAN-SPAM is ignored for the most part anyway, e.g. LinkedIn requires recipients to authenticate in order to unsubscribe and openly violates the letter and intent of the law to the point scripts are required:

There are several known-bad actors. LinkedIn isn't even the worst offender - Amazon is much more brazen, though they get less flak for it because the number of violating non-transactional emails they send is lower.

Regardless, I stand by my point that this isn't a big shift. Google stating publicly that they will penalize people who are violating a law that turns 20 years old this year, and which has generally been implemented by almost all legitimate bulk email providers[0], is not something I'm particularly surprised about or worried by.

Again, the first and third bullet points in this press release are already de facto policy at Gmail, and have been for over a decade. The news is that Google is stating this publicly, not that they're doing something new.

[0] The notable exceptions notwithstanding, it's quite rare to find a bulk email sender who violates this, because very few legitimate mail providers will allow it, and it's pretty difficult to set up your own mail server with decent inbox delivery rates.


Unsubscription requirements are a pain in the ass in the sense that anyone that steals a large list of emails (from any service, not yours in this particular case) could now run it against your service and unsubscribe a million users before you realize what's going on via a botnet.


The opaque id is supposed to not be guessable. It does mean you can't batch send emails by calling RCPT TO, though, which will hurt bandwidth.


Agreed. I shared the same view here: https://mailmeteor.com/blog/new-gmail-protections


Oh fun, so basically no one will be able to set up their own email servers by themselves anymore. Antispam is killing the open internet now.


...and saving email at the same time. It's totally unusable without spam filters, and the open models/blacklists don't come anywhere close to Gmail's capabilities.


Perhaps, but it's hard to say. False positives are much more harmful than false negatives. I have personally had Gmail flag a number of legit emails as spam, and those are just the ones I know about! It's almost certain that I have lost valuable messages because I didn't check the spam folder in time. These aren't transactional emails either, I'm talking about messages from real people that I know personally.

I would be willing to wade through a number of additional spam emails to avoid losing important ones but of course this is Google so there is no user facing dial to adjust the sensitivity. Users just have to trust that Google's generalized approach is well calibrated for them.


Most people I know regularly read their spam folders… which kinda defeats the purpose.


It's still faster than manually marking hundreds of spam though.

In the spam folder I just scroll down the list as fast as I can skim, and then close the tab if there's nothing.

If they were all just in my inbox I'd have to manually mark each one (and risk accidentally doing it to a real message while going through hundreds of messages).

There's no perfect solution here. Just personal preferences. I think I'd prefer a clean inbox with a 1% false positive rate vs having to manually flag a bunch of missed spam all the time.


I'd take the false positives, personally. If someone really needs to reach me and doesn't get to me on the first try, they usually just email or text back and go "Hey, did you get my email?". Or, just quickly skim through the spam folder once a week.


Unless they always get filtered. Which has happened to me before where people wondered why I was ghosting them.

I now skim my spam filter regularly because of this, but not everyone realizes they should do this.


> Which has happened to me before where people wondered why I was ghosting them.

Same, but I feel like it's almost kinda socially acceptable now. Happens to everyone and it's not something to get upset about... "oh, it wasn't me, it just went to spam." Like Gmail managed to alter our public norms instead of ensuring a zero false-positive rate :)


Sometimes people will reach out again, but that doesn't cover all cases. If an old friend/acquaintance/relative who I don't regularly talk to reaches out and I miss the email they will probably assume I blew them off. Scenarios like they will be in the area and asking if I want to meet up, or maybe sharing something notable that happened to come up.

It sounds like a lot of people here check their spam folder regularly, which is good, but I don't know how widespread that is. I remember Gmail early on deemphasizing the spam folder since, in their view, the filtering was so good people didn't need to check it.


"open models/blacklists don't come anywhere close to Gmail's capabilities"

I disagree with you. I use Postfix with rspamd plugged into it for my personal email account. I get way more spam to my gmail than I do to my personal account, and I sign up to everything with my personal account.

rspamd also DKIM-signs my emails when I send them etc, verifies SPF/DKIM/DMARC on receipt etc.

Now to counter that - I am a TINY mail server - Probably 100 emails a day tops.


FWIW, this would make a great blog post (or Show HN) with details!

"I run my own mail server and get better spam results than Gmail"


It's really just postfix + rspamd.

rspamd is very, very impressive. I guess most of the hard work I've put into it is adding some of the not-turned-on-by-default things, like Pyzor and Razor. Also adding some other RBLs that weren't included by default (I spent a lot of time personally researching them and only picking ones that I believed to be of high value) The other big thing that I think is important is the RBL whitelists - DNSWL.org and HostKarma have a whitelist as well.

About one a week I spend 10-15 minutes looking at the logs of what it's accepted/rejected during the week to see if I can spot any obvious mistakes - it's pretty rare. If I do spot something I make config changes to address it. That said there's been months before where I haven't done this and none of the users of my platform have complained about spam (or missing email)

rspamd really is that amazing. I don't understand why more people don't scream its praises from the rooftops.


I think that's pretty standard for everybody who runs their own mail server (like "shared webhosting"-running even). Owning your mail should also be standard for everybody in tech; you don't want to rely on Google for something that important.


Exactly. I rely on Google for a number of things, the primary thing being photos. But I've read too many horror stories (on here) of people losing their Google account and thus their life. So all my photos are also backed up locally and then into a BackBlaze bucket.

Using Postfix+Rspamd gave me good insight into SPF, DKIM and DMARC and how to use them effectively.


I mean, electricity is also very important, but that doesn't imply that everybody in tech should be configuring their own wiring. It's fine to do that if you want to, but it is completely reasonable to expect that most people should be able to rely on someone else to do the work of ensuring that the key infrastructure runs well, and not think about it so that they can focus on the specialization they want to handle.


We're not talking about running bare metal in your garage but paying Hetzner or alike 2,50 Euro/month so you're independent from the shenanigans of the automated, AI-"improved" systems of Google. That's a fair price to pay if you value your electronic communication abilities.


I suspect it’s not that unusual. In six years of running my personal mail server, I’ve received exactly zero spam messages with grey-listing as my sole anti-spam measure. The only time I got spam was when I had to move my domain to a new server and forgot to enable the postgrey service.
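The greylisting this comment relies on, as an added example written for this thread (it is not postgrey's code, and the 300-second delay, the /24 keying and the expiry windows are assumptions chosen for illustration; real deployments tune them and persist state on disk). The point it demonstrates is why greylisting alone catches so much: a compliant MTA retries after a temporary 4xx, while most spam cannons never come back.

```python
"""Minimal greylisting decision logic, modelled on the postgrey approach.

Added example, not code from the thread or from postgrey itself.
"""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300           # seconds a new sender must wait before retrying (assumed)
TRIPLET_EXPIRY = 36 * 3600     # forget an unverified triplet after this long (assumed)
WHITELIST_EXPIRY = 35 * 86400  # keep a verified triplet this long (assumed)


@dataclass
class Greylist:
    """Tracks (client /24 network, envelope sender, envelope recipient) triplets."""
    pending: dict = field(default_factory=dict)   # triplet -> first-seen time
    verified: dict = field(default_factory=dict)  # triplet -> last-seen time

    @staticmethod
    def _key(client_ip: str, sender: str, recipient: str) -> tuple:
        # Key on the /24 so sending farms that retry from a sibling IP still pass.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip: str, sender: str, recipient: str, now: float) -> tuple[int, str]:
        """Return the SMTP reply code and text for this delivery attempt."""
        key = self._key(client_ip, sender, recipient)

        if key in self.verified:
            self.verified[key] = now
            return 250, "OK, previously verified sender"

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > TRIPLET_EXPIRY:
            # First contact (or a stale one): ask the sender to retry later.
            self.pending[key] = now
            return 450, f"4.2.0 Greylisted, please retry in {GREYLIST_DELAY} seconds"

        if now - first_seen < GREYLIST_DELAY:
            # Retried too soon: still a temporary failure.
            return 450, "4.2.0 Greylisted, retry later"

        # Retried after the delay: a real MTA behaves like this, most spam cannons do not.
        del self.pending[key]
        self.verified[key] = now
        return 250, "OK, greylist passed"

    def expire(self, now: float) -> None:
        """Drop stale pending triplets and verified triplets nobody has used lately."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= TRIPLET_EXPIRY}
        self.verified = {k: t for k, t in self.verified.items() if now - t <= WHITELIST_EXPIRY}


if __name__ == "__main__":
    g = Greylist()
    # Constructed sample: one sender retrying correctly from a sibling IP in the same /24.
    print(g.check("203.0.113.7", "alice@example.org", "bob@example.net", 0))
    print(g.check("203.0.113.7", "alice@example.org", "bob@example.net", 60))
    print(g.check("203.0.113.9", "alice@example.org", "bob@example.net", 400))
```

The trade-off the thread does not spell out is latency: every first contact from a new triplet is delayed by at least the configured window, which is why the verified list is kept for weeks.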


Ironically, most of my breakthrough spam seems to come from @gmail.com addresses...


Same, but that's because all the other hundreds of pages of spam got filtered away already.

I wouldn't be surprised if Gmail spam is higher-effort (like those individual SMS spam apps that politicians use) but higher-breakthrough.


I read years ago a hijacked Gmail account was worth $10 on a black market while a Yahoo! Email account was worth $0.10.


Any data? Or just "I say so"...

Before I decided to leave it due to its horrendous false positive rate, gmail was driving like half of notification emails from my servers and mailing lists to spam, despite me never marking them as such. I was regularly missing important things.

It's much better with just regular client side bogofilter and some training on my personal mail/spam archive. And I do zero server side filtering, it's just all content based.

I don't care about capabilities, I just want near 0 false positive rate on the kind of email I receive (and not some common model), even at cost of some false negatives, and Gmail doesn't deliver there at all. And I don't want any arbitrary 5xx rejections for my senders, since I know how annoying that is on the sender side. Gmail will not guarantee that.


No, sorry, it's purely anecdotal. And also more applicable to the last few decades, when other email services were still terrible, than nowadays with many adequate options.

I think I have the opposite preference to you: false positives are OK to me if that means less spam gets through. In fact I've seen many of those notifications in my gmail spam and thought to myself, "Huh, you know, maybe I don't need those that badly after all... I'll just let gmail keep it there."

The overwhelming majority of my human contacts use other channels anyway (some chat app, or SMS), not email. I might get like ten real emails from humans in a year, and even then 90% of them are from people already in my contact list (and so bypass spam).

Phone calls are similar these days. Google Fi/Android also applies a similarly strict spam filter to incoming calls, and marks and blocks a lot of them as spam. I check once in a while, but overall I just don't really mind. If someone really needs to reach me they'll find a way... if they don't try, it's a good filter for how important their message really is anyway, lol.


I largely communicate with people who contact me for the first time (people who use my FOSS projects). Different needs, I guess.


Oh yeah, I can see how that'd be a problem if you have regular public-facing contacts.

I really wish Github had a DM feature =/ It feels so weird these days to email someone out of the blue.


You mean the same Gmail that is responsible for >50% of all spam to other providers? They may be good at filtering mail from other providers to Gmail accounts, but they are lousy when it comes to the other direction i.e., mail out of Gmail to other providers. Unless they're prepared to block their own users from sending spam to other providers (or even other Gmail users) this initiative won't be of much use.


My personal mailserver works just fine with some rudimentary anti-spam measures (mostly manual filter lists).


email is perfectly usable without _Google_'s spam filters.

And if you use non-GMail email providers, you would know they do fine. Not perfect, and of course it differs among providers, countries and accounts, but it's generally fine.


> It's totally unusable without spam filters

No it isn't.


Using Rspamd I have 0 spam in my private email address.


Did we read a different article? DKIM is a simple DNS entry. One-click unsubscribe should be standard.


Also:

> So today, we’re introducing new requirements for bulk senders — those who send more than 5,000 messages to Gmail addresses in one day

If you run an email server for personal use, you are quite unlikely to send more than 5k messages per day.


Heh, I see someone has never had an automation script go bad.


That one time I spammed myself egregiously, I would have appreciated a 5k/day limit.


It's also standard practice to use self-signed certs with mail DKIM. Mail as a protocol has, for the most part, tried to stay true to its federated roots and most things can be implemented without dependencies on third party corporations.

I avoided DKIM till 2018 when google started accepting my mail but silently sending it to the spam folder; so I wouldn't even get a reject message. I thought it'd be too onerous to implement but rspamd's dkim signing feature made it easy to use with my locally generated self-signed certs (and postfix).


Most people that want to self host their own email server for personal use (e.g. on a VPS on their own domain) don't have the infrastructure for reverse DNS zones, so I'd argue that DMARC and DKIM are kind of pointless because their email lands in spam anyways once the PTR query on the IP fails to resolve to the same domain because 99% of the time it will be something like ipv4.somehosting-company.com
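How a receiver actually checks the reverse DNS this comment worries about, as an added example that is not from the thread: forward-confirmed reverse DNS (FCrDNS) only requires that a PTR name for the IP resolves back to that IP, so a hoster default name such as ipv4.somehosting-company.com passes it; the mismatch with the sending domain shows up in the separate HELO/PTR comparison. The resolver is injected so the logic runs offline against constructed records; the `system_*` helpers show the live equivalent using the standard library. All IPs and names are constructed placeholders from documentation ranges.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO/PTR consistency checks.

Added example; not from the thread or any MTA's code.
"""
import socket
from typing import Callable, Iterable

# Resolver callables: (ip) -> PTR names, (name) -> IPv4 addresses
PtrLookup = Callable[[str], Iterable[str]]
ALookup = Callable[[str], Iterable[str]]


def fcrdns(ip: str, ptr_lookup: PtrLookup, a_lookup: ALookup) -> tuple[bool, str]:
    """Return (passes, reason). Passes when some PTR name for `ip` resolves back to `ip`."""
    names = list(ptr_lookup(ip))
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in set(a_lookup(name)):
            return True, f"PTR {name} resolves back to {ip}"
    return False, "PTR names do not resolve back to the IP"


def helo_matches_ptr(helo: str, ip: str, ptr_lookup: PtrLookup) -> bool:
    """Does the HELO/EHLO name equal one of the PTR names for the connecting IP?"""
    return helo.lower().rstrip(".") in {n.lower().rstrip(".") for n in ptr_lookup(ip)}


def system_ptr(ip: str) -> list[str]:
    """Live PTR lookup via the OS resolver (not used by the offline demo)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except socket.herror:
        return []


def system_a(name: str) -> list[str]:
    """Live A lookup via the OS resolver (not used by the offline demo)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# Constructed zone data for the offline demonstration (documentation ranges only).
FAKE_PTR = {
    "203.0.113.10": ["mail.example.org."],              # properly delegated rDNS
    "203.0.113.11": ["ipv4.somehosting-company.com."],  # hoster default name
    "203.0.113.12": [],                                 # no PTR at all
}
FAKE_A = {
    "mail.example.org.": ["203.0.113.10"],
    "ipv4.somehosting-company.com.": ["203.0.113.11"],
}


def demo_ptr(ip: str) -> list[str]:
    return FAKE_PTR.get(ip, [])


def demo_a(name: str) -> list[str]:
    return FAKE_A.get(name, [])


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, fcrdns(ip, demo_ptr, demo_a),
              "HELO match:", helo_matches_ptr("mail.example.org", ip, demo_ptr))
```

Run against the constructed data, the hoster-default IP passes FCrDNS but fails the HELO match, which is the combination that a self-hoster sees when the VPS provider controls the PTR.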


What bargain bin VPS provider doesn't let you configure reverse DNS for your IP?


> Oh fun so basically no one will be able to setup their own email servers by themselves anymore. Antispam is killing the open internet now.

It's been a long time since you've been able to set up your own email servers without DKIM and expect that your emails will get reliably delivered to Gmail users, especially for bulk mail.

The second requirement is more or less already a legal requirement in the US, and the third is literally how anti-spam has always worked - the only difference is that Google is now saying that they'll publish the threshold publicly, rather than keeping it a secret.

This is technically news, but it's hardly a major shift.


This is my impression too. I briefly used emails from a domain I own to my gmail account as a way to send myself "notifications". My impression was that absolute table stakes to even make e-mail deliver work AT ALL were:

- non residential IP (I had to proxy through my VPS)
- SPF
- DKIM
- use TLS with a modern cipher

And even with this, I still had to "favorite" (or whatever) AND set up a rule to "never send to spam" for my alerts@ sender address because I would still get them going to spam for no reason that I could find - I'd check the message and would see that SPF and DKIM PASSED and yet it was still going to spam.

I ended up switching to using webhooks to send alerts to a discord channel for a server that only had me in it. It works fine. It's a lot more surefire than trying to figure out email delivery


I have my personal mail hosted on a hetzner server using mailinabox. I didn't do anything fancy except whatever mailinabox's default config is.

I have no problem with email deliverability to gmail/outlook. I think the difference is that my emails are two-way communication. I email someone, they email back or vice versa. Not a continuous stream of unreplied emails from my personal server to some gmail address (which does look like spam).

I imagine if you set up a script to reply to these emails from your gmail account with lorem ipsum and then deleted those replies after a few days, your problems will disappear.


Why wouldn't you be able to set up your own email server anymore?

Yes, you need to configure authentication (DKIM, rDNS and preferably DMARC) but you should be doing that anyway, the hard requirement doesn't change that.

One-click unsubscribe is required for bulk email, but you probably don't want to be sending bulk mail from your self-hosted solution anyway.

Anti-spam isn't killing the internet, spammers did.


I rarely get spam in my inbox, if at all, but I also never sign up for newsletters nor give airlines, grocery stores, etc. my e-mail address.

I get spam messages once in a blue moon on my iPhone (specifically, on iMessage, I get recipients with a string of random letters ending in gmail.com). Ironically, it's ALWAYS a gmail.com or hotmail.com address. Funny how the overwhelming majority of spam I can remember comes from Gmail and Outlook, both of which love sending everyone else's messages straight into the spam tray, despite having DKIM + DMARC set up, static IP not on any Spamhaus blocklist, etc.


I mean... No? You can set up your own mail server all you want, it's just that few people will take your mail. Just make friends with other people who hate managed mail companies, you'll be able to email them just fine.


That's too facile. Email was intended as a federated service that allows anyone to send mail to anyone. Privileging large companies over small companies and individual users is a clear violation of that principle, and a danger to the open and impartial internet. I get that spam is annoying (I hate it too) but letting giant American tech companies decide who is allowed to send email and who isn't is not the solution.

Imagine you live in an apartheid state and the people in power say: “White people will now refuse mail coming directly from black people. If black people want their mail to be received, they are required to send it through a trusted white liaison. If you're black and you don't like it, just make friends with other blacks and the tiny minority of whites who will accept mail from undesirables like you."

The above analogy is exaggerated of course, but I think there is a fundamental truth to it: large tech companies like Google have cornered the market by offering free solutions, and now they are imposing an apartheid system where mail sent through big companies is given priority over mail sent by real people who run their own email system.

(Personally, I've disabled all spam filters in Gmail since I've noticed that Gmail is likely to filter out legitimate email while the amount of spam I receive is actually very low.)


Eh, opposite experience, Gmail filters out almost entirely spam email for me and extremely rarely legitimate email. The filter learns fast in either direction.

I get daily spam coming from Gmail and Azure tenants especially.


Uh, no. SMTP, IMAP and POP3 only became popular as a sort of accident, in the midst of a bunch of warring protocols and standards, two of which were expected to be the leading messaging system, not the current ones. There was never some grand plan for internet hippies to all come together around "federated" services.

There is no such thing as the open and impartial internet. It's a melange of fiefdoms which only works through loose agreements between giant providers that tacitly allow all kinds of shit to happen in the hopes that they'll recoup the cost through their own business plans. The internet is quasi-open; open enough at the level that you interact with it that it "feels" open, sometimes. And it most certainly is not impartial. Competing interests have been warring over pieces of the pie for decades, and use whatever control they can grasp to make as much money as they can, while they can. Nerds running self-hosted servers and railing on about the inequities of corporate control on forums have absolutely no say.

> I get that spam is annoying (I hate it too) but letting giant American tech companies decide who is allowed to send email and who isn't is not the solution.

Again, they aren't. They have their own e-mail system, and you can use it or not. They aren't telling you you can't send your own e-mails or run your own systems. You are just upset that they have their own party and won't let you choose the music. You could throw your own party, but you don't want to do the work that entails, while you do want to force the people who are doing the work to do it your way, despite everyone else in the world not giving a shit and not wanting to deal with the problems anymore.

E-mail is not state sponsored racism. Again, you can choose what e-mail provider you use, and run your own mail system, and do whatever other asinine navel-gazing techno bullshit you want. Nobody is stopping you. They just aren't going to accept what you make. That's not oppression, that's called competition and free choice.

I'd be curious what you think of the telephone. Was that too intended to be some kumbaya international symbol of freedom that anyone could do anything they wanted with? Are you looking to run your own switchboard, and upset that AT&T won't carry your calls without forcing you to pay to hook up to their equipment? How dare they be able to reject your homemade lines to connect to their customers?

You want to know what actually not having a choice means? It means you can't even run your dinky mail server at home because the service is deemed illegal. That has not happened, and will not happen, because literally nobody cares about you and your e-mail service. You are the only person who cares about this. You are obsessed with a principle for the principle's sake, and the funny thing is, that principle isn't even being violated.

You want an end to the "tyranny"? Use that engineering genius to come up with a solution to spam that doesn't revolve around IP reputation. Companies around the world will gladly take your mail if you can come up with a solution that doesn't require them to spend millions to mitigate spam.


Think of the children!


> "Gmail’s AI-powered defenses stop more than 99.9% of spam, phishing and malware from reaching inboxes and block nearly 15 billion unwanted emails every day."

This will be a pain for legit use cases but will net to a better place for the ecosystem.

Much like strong KYB/KYC for bulk text messaging.


You're joking, right? The amount of text message spam I receive now on Verizon, and some 8 months ago before on T-Mobile, is staggering.


They're cracking down with "10DLC." Mass SMS senders must identify themselves, pay a fee, and register each campaign including its content.


Are you suggesting that because of stronger KYB/KYC for sending bulk, that increased the amount of spam text you get?


I think they are suggesting that the stronger KYB/KYC was ineffective at reducing the amount of spam.


You mean Yahoo isn't the rotting carcass of the company it once was? I see nothing but decay: their abuse addresses don't work, nor do any of the addresses they have in WHOIS, either for their domains or their networks, that haven't been switched to oath.com. Their SOA isn't real. They've basically stopped accepting abuse complaints.

Is Marcel Becker, supposedly the "Sr. Dir. Product at Yahoo", according to this article, the only person working at Yahoo handling email these days? I'm only half joking - Yahoo is incredibly unresponsive when it comes to abuse.


During the pandemic era, I would use my Gmail account to send emails to people who signed up for an on-line museum tour that I held over Zoom.

I was shocked to find out that maybe 1/3 of all recipients had to find my emails in their SPAM box. Eventually, I paid for a service that allows sending SMS in bulk so that I could inform people to check their e-mail and spam box for the login details.

I hope these new measures will mean that less email is earmarked as spam. The fact that I sent out 300 mails with identical text and multiple links in them is in no way a sign that it is spam.

It got so bad in fact that some people reported not even seeing my mails in their spam box (or, many older folks don't know how to find/open their spam folders). So eventually, I asked them to send a mail to me first, to which I would simply reply.


It got to the point for us when a customer with gmail would ask for an update about their order with us, we couldn't get an email back in front of them.


I'm a little unclear how these requirements differ from just setting up correct DKIM/SPF records, and having a one-click unsub link - or is this all they're saying?

If so, sounds good to me.


That's what it sounds like to me.

The cynic in me thinks it's a prelude to stuff like BIMI because that lets them add a large annual cost for anyone that wants decent deliverability. It's a way for large senders to use their market position to invent a new industry with a service we all have to pay for. Free money!


Does Google even sell BIMI compatible certificates? I don't think they're making any money with that protocol.

BIMI does solve some issues with DKIM, so I can see why Google prefers it. Requiring what should be a minor fee for any company to do bulk email will also make it difficult to set up a thousand different spam domains.


None of that seems new. What would be new is if both gmail and Yahoo provided any means of allowing legit bulk senders to actually send properly.

The one-click unsubscribe is from 2017's RFC8058. Everyone that's sending in volume is already doing all the usual stuff - DKIM, SPF, DMARC, matching reverse IPs, etc.

The privacy-first email marketing service I wrote (https://info.smartmessages.net) implements account-wide unsubscribe by default (unsubscribing you from one list unsubscribes you from all). It requires double opt-in, and asks for explicit consent before doing any tracking whatsoever (so no Google Analytics, no cookies, no trackers), which of course is what the (at least EU and UK) law requires. You're not going to see shitty exploiters like MailChimp doing anything like this; abusing your data is just too lucrative.

It's still ridiculously hard to deliver messages at any volume, and there is zero recourse when you are penalised incorrectly. Gmail's spam filtering is just dire - if I send myself an email from gmail, it goes into spam. A large proportion of the spam I receive is sent from gmail.

Google's postmaster tools are a joke. It's entirely normal for them to give you a "bad" spam rating when you have 0 spam reports, 0 auth failures, strict DKIM and DMARC, and every single message has double-opt-in audit trails. This useless feedback makes it very difficult for senders to actually comply with their ever stricter, but ever more opaque requirements.

Proving that subscribers actually want to receive messages from you is difficult. So back in 2017 I wrote an outline proposal https://github.com/Smartmessages/subscriptionproofrfc to create a standard, possibly built on top of DKIM keys, to provide provable subscriptions. This would pretty much solve the entire thing for legit senders, but of course the industry is not really interested in cooperation or complying with any law that might reduce the number of people they send to by even the tiniest amount.

/cynicalrant
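What the RFC 8058 one-click unsubscribe mentioned in this comment looks like on the wire, as an added example written for this thread (it is not code from smartmessages.net or any other service named here). It builds a message with the two headers the RFC requires, checks them the way a receiver would before showing an unsubscribe button, and verifies the per-recipient token on the POST. The domain, URL layout and HMAC secret are constructed placeholders; the RFC additionally requires the message to be DKIM-signed with both headers covered, which is left to the signing MTA.

```python
"""Build and validate RFC 8058 one-click unsubscribe headers.

Added example; not code from any project named in the thread.
"""
import hashlib
import hmac
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed secret for the per-recipient token (assumed; keep it out of source in real code).
UNSUB_SECRET = b"constructed-example-secret"
LIST_ID = "newsletter.example.org"  # constructed list domain


def unsubscribe_token(recipient: str, list_id: str = LIST_ID) -> str:
    """Opaque per-recipient token so the link can neither be guessed nor enumerated."""
    mac = hmac.new(UNSUB_SECRET, f"{list_id}:{recipient.lower()}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def build_message(recipient: str, subject: str, body: str) -> EmailMessage:
    """Compose a bulk message carrying List-Unsubscribe and List-Unsubscribe-Post."""
    token = unsubscribe_token(recipient)
    msg = EmailMessage()
    msg["From"] = f"News <news@{LIST_ID}>"
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["List-Id"] = f"<{LIST_ID}>"
    # RFC 8058: List-Unsubscribe must carry an HTTPS URI (a mailto: may be listed too) ...
    msg["List-Unsubscribe"] = (
        f"<https://{LIST_ID}/unsub/{token}>, "
        f"<mailto:unsub+{token}@{LIST_ID}>"
    )
    # ... and List-Unsubscribe-Post must be exactly this; the receiver POSTs the same literal.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(body)
    return msg


def one_click_compliant(msg: EmailMessage) -> tuple[bool, str]:
    """Receiver-side check: return (ok, https URI or reason)."""
    post = msg.get("List-Unsubscribe-Post")
    if post is None or post.strip() != "List-Unsubscribe=One-Click":
        return False, "List-Unsubscribe-Post missing or not exactly 'List-Unsubscribe=One-Click'"
    lu = msg.get("List-Unsubscribe")
    if lu is None:
        return False, "List-Unsubscribe missing"
    uris = re.findall(r"<([^>]+)>", lu)
    https = [u for u in uris if urlsplit(u).scheme == "https"]
    if not https:
        return False, "no https URI in List-Unsubscribe"
    return True, https[0]


def verify_token(recipient: str, token: str) -> bool:
    """Server side of the POST: constant-time compare against the expected token."""
    return hmac.compare_digest(unsubscribe_token(recipient), token)


if __name__ == "__main__":
    m = build_message("reader@example.net", "Weekly news", "Hello.")
    print(m.as_string())
    print(one_click_compliant(m))
```

The receiver never follows the link on the user's behalf with a GET; it POSTs the literal body `List-Unsubscribe=One-Click` to the HTTPS URI, which is why the endpoint must act on that POST without any further confirmation page.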


> legit bulk senders

Now who could you mean by those.

> The privacy-first email marketing service I wrote

Oh right, spammers.


Get a grip. So you would consider twitter and Facebook notifications you have explicitly requested as spam? I also run a social network with 20k users that is equally accessible over web and email, and we have had peaks up to about 4 million messages/month containing nothing but conversations between users, and we run into all these bulk sending issues all the time. Please explain, oh wise one, how is emailing people messages they have explicitly asked for spam?


The title could be rewritten as: "Advertising Companies Take Additional Measures to Diminish the Effectiveness of Email Marketing."


Planet Fitness have a system that will send you mail simply if you visit their website.

Steps to reproduce:

* Search for a gym on Google maps.

* Click a Planet Fitness result that's somewhere nearby.

* Expand to their website link, follow it, and browse several pages on their site.

* Do NOT give them your email.

* Wait a few days and check your email.

* Watch your email through the next couple weeks for follow-up emails that continue to urge you to action.

This will probably require you to use a browser with an extensive history. EG, not one with temporary container tabs or other such privacy considerations. Something you've used the email on in a variety of scenarios, enough to have it linked to your identity with some sufficiently large advertising agency.

It's illegal, a complete violation of the CAN-SPAM Act, but I imagine it makes them more money than they'd lose if they ever actually got slapped down.

I just wonder which information provider they're using that has 'sold the goose', so to speak. By giving an email address they no longer sit between the company and the user's marketing efforts, so it must be fairly expensive to do. But it enables these kinds of follow-up campaigns.


To be honest I had to block mails from @gmail.com as it's the only place I get spam from, so if they try to make their service less of a wasteland that'd be really appreciated.


This will be interesting to see how this plays out internationally, since some countries don't have the same anti-spam laws we do. Will I stop getting notifications from some of the non-EU, non-US services that I am a member of just because they don't have in-email unsubscribe links (I can still unsub on their website)? These are not companies under sanction, so I have every right to communicate with them freely, even if they don't obey the same laws as where I live. Should I end up suffering damages because Google blocks legitimate communications, will they be taking liability for their interference?

For clarity, I am not against anti-spam measures, but I do worry about centralized services being overly strict and doing damage to their customers, especially if it is so draconian that it prevents delivery of important communications as retaliation.


Does anyone know if this will stop NGP Van emails (seems to be dem party platform). I cannot get off their mailing lists - they seem to resell the email constantly. I've probably unsubscribed from NGP emails 50+ times. It's crazy. How are they not entirely blocked?


If you mean the email marketing software for political campaigns, then yeah, sorry, you are toasted (your email is) - they resell lists and spam everyone into oblivion. Apparently (as per the CAN-SPAM Act) politicians are (obviously) exempt from spam practices, so if you are mailing on behalf of a politician or their campaign, it's all wild west: no limits and no rules apply.


If I wanted to learn everything there is to know about email and SMS spam/abuse policies, technical best practices, important standards, etc, what would be a good strategy? It feels like a super important but ridiculously intractable subject.



Does this apply to all emails including transactional? What am I supposed to do if a user requests a password reset but unsubscribed from our emails? Most of the spam I receive these days is from gmail addresses.


This is a great question. I would love to see more documentation on what this means for transactional emails.

Adding systems in place to handle unsubscribing from transactional emails will mean quite a bit of engineering time/effort for many companies.


Yeah, at this point, I’ve completely lost my main email address to spam and mailing lists; half of which seem to have broken unsubscribe pages. I’ve abandoned this email completely for personal communications and have a new email for that now. I continue to use my old email for any service or website, since I know they will likely sell my email in addition to spamming me to death.

This has all gotten completely out of control. Yet again, regulation seems to be about a decade behind.


While I'm all for doing a better job at reducing spam, this also will effectively drive a lot of those advertising dollars that go into bulk email straight into sponsored email products from Google and Yahoo.

The main webmail platforms do not benefit economically from spam. They have every incentive to turn it to their advantage by diverting ad dollars from bulk email and forcing it into their own ad platforms.


Right now google allows the SPF domain, and/or the DKIM signing domain to be different than the From domain, not just a subdomain but an entire different domain. From an ESP perspective, will this drop shared SPF(Return-Path) domains? I'm assuming DKIM has to match, just not sure about the return-path side. It's a bit vague in the support article.
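The distinction this question turns on is DMARC identifier alignment, which is also what the earlier commenter who saw "SPF and DKIM PASSED" yet still landed in spam would have wanted to look at next. SPF can pass on any Return-Path domain and DKIM on any d= domain, but DMARC only counts a pass whose domain is aligned with the From: domain (strict: identical; relaxed: same organizational domain). As an added example that is not from the thread or from any provider's code, here is a parser for the Authentication-Results header together with the alignment evaluation; the sample header is constructed, and the organizational-domain function is a deliberate simplification (last two labels) in place of the Public Suffix List that real implementations consult.

```python
"""Parse Authentication-Results and evaluate DMARC identifier alignment.

Added example, not from the thread or any vendor.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: SPF passes for a shared ESP bounce domain, DKIM passes for
# the ESP's signing domain, and the From: is the customer's own domain.
SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@mail.esp-example.com header.s=k1 header.b=abc123;
       spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bounce.esp-example.com;
       dmarc=fail header.from=shop.example.org
From: Shop <news@shop.example.org>
To: buyer@example.net
Subject: Your order

body
"""


def parse_auth_results(value: str) -> dict:
    """Return {'spf': (result, domain), 'dkim': (result, domain), 'dmarc': (result, domain)}."""
    out = {}
    # Drop the authserv-id before the first ';', strip comments, then split result clauses.
    body = value.split(";", 1)[1] if ";" in value else value
    body = re.sub(r"\([^)]*\)", "", body)
    for clause in body.split(";"):
        clause = " ".join(clause.split())  # unfold and normalise whitespace
        m = re.match(r"(spf|dkim|dmarc)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, props = m.groups()
        if method == "spf":
            mm = re.search(r"smtp\.mailfrom=([^\s;]+)", props)
        elif method == "dkim":
            mm = re.search(r"header\.[di]=([^\s;]+)", props)
        else:
            mm = re.search(r"header\.from=([^\s;]+)", props)
        # header.i / smtp.mailfrom may carry a local part: keep only the domain.
        dom = mm.group(1).split("@")[-1].lower() if mm else None
        out[method] = (result.lower(), dom)
    return out


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: Optional[str], from_domain: str, mode: str = "r") -> bool:
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not identifier:
        return False
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(auth: dict, from_domain: str, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if an aligned DKIM signature passed or an aligned SPF check passed."""
    spf_res, spf_dom = auth.get("spf", (None, None))
    dkim_res, dkim_dom = auth.get("dkim", (None, None))
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, aspf)
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def from_domain_of(msg) -> str:
    """Domain of the RFC5322.From address, the identifier DMARC aligns against."""
    return parseaddr(msg["From"])[1].split("@")[-1].lower()


if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    auth = parse_auth_results(msg["Authentication-Results"])
    fd = from_domain_of(msg)
    print(auth)
    print(dmarc_evaluate(auth, fd))  # both checks pass, neither is aligned: DMARC fails
    # What an ESP customer changes: sign with d= on their own domain (a subdomain also aligns in relaxed mode).
    print(dmarc_evaluate({**auth, "dkim": ("pass", "shop.example.org")}, fd))
```

The constructed case is exactly the shared-Return-Path setup asked about: SPF on the ESP's bounce domain passes but is unaligned, so DMARC has to be carried by a DKIM signature whose d= is the customer's domain or a subdomain of it.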


What exactly is the news here? I see three points but fail to comprehend them, because I thought all those things were a norm for a long while:

1. Is it the news that Google still accepted bulk volumes of unauthenticated mails in 2023? If that's true - finally, good riddance. Although I believe most spam these days comes from legit hacked domains.

2. Am I reading this right that List-Unsubscribe and/or unsubscription link is going to be required for high-volume senders, marketing and transactional? That's good to hear, although - again - it's hard to believe this is a requirement only now. I thought everyone with at least a sliver of honesty already had those for a long while.

3. Enforce low spam report ratio? It's news to me that the "report spam" buttons didn't behave that way already, I assumed that if users actively report then domain gets blocked (unless it's whitelisted, e.g. to defend from a false reporting DoS attack).


> Is it the news that Google still accepted bulk volumes of unauthenticated mails in 2023

Apparently so. I just read through this earlier today, and it's kinda insane how broken email is. Kinda reminds me of the "You go to jail" meme, believe it or not, straight to inbox.

[0] https://news.ycombinator.com/item?id=37628337


I couldn't figure out from the announcement whether these controls are to be applied to people sending bulk to gmail addresses, or from them.

Nearly all the spam I see is from a gmail address. I suspect this new measure is to protect gmail recipients.


If you are running your own postfix MTA and those mass email providers keep spamming you even when you write their abuse@ teams: I created a simple anti spam tool/blocklist generator that can be integrated with postfix's postmap format, because spamhaus was totally useless for those providers. [1]

It's trying to be dead-simple, and also blocks the alternative ASNs these spam providers have in reserve. Haven't found a fully automated way yet because whois protocol is kinda broken, but I'm working on it.

[1] https://github.com/cookiengineer/postfix-spamdb


> Enable easy unsubscription

Does that include the spam I get from Google? Because you guys have been sending non-CAN-SPAM-compliant emails lately with "Account Updates" which are thinly veiled marketing emails.


Feature request: please require a direct unsubscribe link in emails. The new trend is that companies use 3rd party tracking services, which are blocked by my DNS settings. So I can't even unsubscribe from 60-80% of emails without disabling my custom DNS. Google requires the unsubscribe link to be present already, they just need to require it to be accessible.


Regardless of this specific policy change/tweak:

We should all stop using email providers who are known to massively compromise our privacy, build profiles of our online activities, manipulate us through ads, pass lots (or all) information to the government, and consolidate ownership of too much of Internet communications and activity.

Specifically, we should stop using GMail (and Yahoo), and encourage our friends to leave that email service as well. There are plenty of fine alternatives.


Bulk sending breaks the utility of email. I wish there was a way to say, “Don’t allow my email to receive bulk sent emails.”

I can’t imagine how much that would improve my life. I just don’t want to see it. It breaks my attention far too frequently for far too little utility, and I would love it if entire emails I own could be bulk spam free.

I don’t really want a better version of our shitty current system.


On the contrary, I only care about receiving email from bulk senders. I pretty much exclusively use email to read newsletters and handle communication with companies/accounts.

Any 1:1 communication with real people pretty much exclusively happens elsewhere for me.


That’s cool. What I am saying is that you should be able to decide what works for you.

I don’t want any. You do. Why not give users the ability to control what they want? It’s not a technical challenge.


The issue is: How does a server determine that a message is bulk sent?


That’s what BCL scoring and the like are for.


This is the direct link to the guidelines. https://support.google.com/mail/answer/81126

Strange there's no mention of transactional emails, since we wouldn't include an unsubscribe link for transactional emails.


Depends. I suppose it would not make sense to have "unsubscribe" for "reset password" notifications, but for "there's a new event in your account, come log in to see it" type notifications it would.


Can we add a TTL to marketing emails? Max length is two weeks before the email is automatically deleted.


Some mail providers somewhat support this. Fastmail for example allows setting retention limits on each folder including the trash and spam folders. One could make a folder for marketing and make rules for some of the bulk senders and then just keeping adding them as one finds them. Perhaps if enough people asked their mail provider they could add a global check-box for all the common email campaign providers.


I put together some time-based filtering I use on my own inbox, it's awesome.

I like letting most of my email land in my inbox, because I don't want to need to check (and purge) a bunch of folders. But email of declining value will automatically get moved to folders after a certain amount of time. For example:

* Monitoring alerts go to trash after 4 hours (if it's still broken, I'll get more emails, after all).

* Shipping notices from Amazon etc. go to trash after 3 days (long enough for the item to arrive on time)

* Notices from UPS/FedEx about "your item is arriving today" go away after 24 hours

* Marketing I don't mind seeing but has a shelf life - I have 2 or 3 time intervals setup for those

* Mailing lists I'd like to read (but often don't get back to) delete after 2 weeks

* Utility bills move to a folder for utility bills after 24 hours

etc. It's awesome - but oddly enough, nobody I ever tell about it gets that excited.


> Gmail’s AI-powered defenses stop more than 99.9% of spam, phishing and malware from reaching inboxes

And what percentage of legitimate mail?

> and that they process unsubscription requests within two days

This is a laughably lax requirement.

Also for fucks sake, stop auto-localizing your documentation based on IP geolocation.


Probably half of legit mail from self-hosted servers... Anyone using them at all?


YMMV but Gmail hasn't been that bad for me. The only problem I (knowingly) had was with a newly registered domain and mails still at least went to the spam folder there. Microsoft has been much more annoying, punishing you for bad IP "neighbors" that you have no relation with. Of course I don't know if all my mails get delivered since I don't do any tracking, just relying of voluntary in-band or out of band replies / receipt confirmations. And being based on black box heuristics (and "AI" lol) there is no guarantee that my experience with Gmails spam filters is the norm - but Gmail rejecting half of self-hosted mail seems a very pessimistic estimate.

Still, just citing numbers for how much spam they blocked is (deliberately?) only showing half of the picture.


Now spam comes from calendar invites, DRIVE shares, and who knows what is coming in the future.


Now if Google/Gmail could do something about all the email spam between Gmail accounts.


Yes another nail in the coffin for email.

We have to jump through hoops to send email to the big email providers already, and some (outlook, hotmail, yahoo) take months before allowing any volume of email to be sent to our own customers!


I haven't trusted the spam button or unsubscribe functions for a long time. It never felt like it worked. I've been making filters to auto delete stuff instead and it just works.


I’m surprised nobody mentioned SimpleLogin yet to counter spam.


> It’s clear that email has become an essential part of daily communication.

Wow, I almost missed that!

Apparently even Google has to start their blog articles with SEO crap like this


Curious if this applies to political ad senders.


Wait, how does one send 5000 messages in one day? I thought Gmail had an upper limit of 500/day?


While this sounds great on the surface, it's used to control things like our elections. Politicians that Google likes can send as much mail as they want. Ones they don't mysteriously get all of their email marked as spam.

Normies don't understand that big tech will basically control our elections from now on (and they won't understand how) unless we get the government involved.


[Deleted]. Sorry, accidental post and the app I’m using doesn’t have delete.


So spamming is fine, so long as you stay under some threshold. Thanks a lot.


5000 emails a day is an extremely low limit for spammers, though.


What’s in it for Google?


The truth is, most small businesses cannot figure out how to add DNS records to their domain. So they will no longer be able to inbox.

And the more complicated and difficult Gmail makes it for companies to access your inbox via open tech like email, the more likely it is you'll be forced to pay for Gmail Ads.

The bonus is Google gets to couch this as being "for the users." Gmail already has fantastic spam filtering and it's highly likely they use all this stuff as spam signals already. I would be very very careful of any claims from a giant advertising monopoly that this is "for the good of all."


This is nothing new for Google, they already do this.


This is a step closer; after a few more steps they'll make sure only those "approved" companies can operate an email server... leading to more internet centralization.


Good.

I'm someone who a) uses Google Suite (or Workplace, or whatever it's called) b) runs a newsletter service [buttondown.email] that sends millions of emails every day, most of them to Gmail.

The amount of cold email I get from prospecting/outreach tools that is nigh-impossible to unsubscribe from is _infuriating_. Any legitimate bulk sender is already conforming to DKIM + one-click unsubscription, and anything we can do to cut down on obvious spam is a win in my book.

There's a lot of things Gmail does as de facto tsar of email that I don't love — initiatives like AMP for email come to mind — but this is an unalloyed positive in my mind.
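The "one-click unsubscription" mentioned here, and the accessible-unsubscribe request earlier in the thread, both come down to the RFC 8058 header pair that Gmail's guidance references. As an added illustration (my own code, not Buttondown's or Google's), the block below builds a bulk message carrying those headers and checks their shape: an https URI in `List-Unsubscribe`, a `List-Unsubscribe-Post` header equal to `List-Unsubscribe=One-Click`, and a DKIM signature whose `h=` tag covers both. The domain, addresses and token are placeholders, and the `DKIM-Signature` header is a constructed stand-in whose cryptographic fields are not verified.

```python
"""Build and check an RFC 8058 one-click unsubscribe message (added illustration).

The checker verifies header shape only: it does not validate the DKIM
signature, and the sample signature header is a constructed placeholder.
"""
import re
from email.message import EmailMessage
from typing import List, Set

# Assumed placeholders: domain, addresses and token are not real.
UNSUB_URL = "https://lists.example/unsubscribe?token=TOKEN-PLACEHOLDER"
UNSUB_MAILTO = "mailto:unsubscribe@lists.example?subject=unsubscribe"


def build_bulk_message(one_click: bool = True) -> EmailMessage:
    """Construct a newsletter message; one_click=False omits the POST header."""
    msg = EmailMessage()
    msg["From"] = "Newsletter <news@lists.example>"
    msg["To"] = "reader@example.net"
    msg["Subject"] = "October issue"
    # Both forms: the https URI receives the one-click POST, the mailto is a fallback.
    msg["List-Unsubscribe"] = f"<{UNSUB_URL}>, <{UNSUB_MAILTO}>"
    if one_click:
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    # Constructed placeholder, not a real signature: only the h= tag is inspected below.
    msg["DKIM-Signature"] = ("v=1; a=rsa-sha256; d=lists.example; s=sel; "
                             "h=From:To:Subject:List-Unsubscribe:List-Unsubscribe-Post; "
                             "bh=PLACEHOLDER; b=PLACEHOLDER")
    msg.set_content("Hello reader.\n")
    return msg


def list_unsubscribe_uris(msg: EmailMessage) -> List[str]:
    """Extract the angle-bracketed URIs from List-Unsubscribe."""
    return re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))


def dkim_signed_headers(msg: EmailMessage) -> Set[str]:
    """Header names listed in the DKIM-Signature h= tag, lower-cased."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*h=([^;]*)", sig)
    return {h.strip().lower() for h in m.group(1).split(":")} if m else set()


def one_click_problems(msg: EmailMessage) -> List[str]:
    """Return the RFC 8058 header requirements this message fails (empty list = OK)."""
    problems = []
    if not any(u.lower().startswith("https://") for u in list_unsubscribe_uris(msg)):
        problems.append("List-Unsubscribe has no https URI")
    if (msg.get("List-Unsubscribe-Post") or "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post missing or not 'List-Unsubscribe=One-Click'")
    signed = dkim_signed_headers(msg)
    for h in ("list-unsubscribe", "list-unsubscribe-post"):
        if h not in signed:
            problems.append(f"{h} is not covered by the DKIM-Signature h= tag")
    return problems


if __name__ == "__main__":
    print(build_bulk_message().as_string())
    print("problems:", one_click_problems(build_bulk_message(one_click=False)))
```

The one-click endpoint is expected to process an HTTP POST of the body `List-Unsubscribe=One-Click` with no further interaction, which is why the URI must be https and why the headers must sit under the DKIM signature: otherwise anyone who could inject the header could unsubscribe recipients on the sender's behalf.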


For the next two months our inboxes will be wild with opt-in pitches...


> To help ensure messages you send to Gmail accounts are delivered as expected, you should set up either SPF or DKIM for your domain.

But spammers already do that, why would enforcing that even help ?


I think the explanation is a little incomplete, but it makes sense if you expand the explanation a bit.

What really happens is this: when GMail receives a lot of email from domain xyzzy.com, and a lot of it seems to be spam (either it's marked spam explicitly by the recipient, or maybe Google uses some weird AI or whatever to identify messages as spam) then GMail will start marking email from that domain as spam. Obviously if you own xyzzy.com and you're not a spammer you want to avoid this. So what can you do?

SPF and DKIM are ways to prevent unauthorized senders from delivering mail that appears to come from your domain. SPF is a way to list IP addresses authorized to deliver mail on your behalf, and DKIM contains cryptographic keys needed to sign email coming from your domain. That means if you have SPF and DKIM enabled, the only people able to send mail that appears to come from your domain are people that are authorized to do so (there are a few more bears on the road, but broadly this is true).

It's true that spammers can register their own domains for the sole purpose of sending spam, and they can enable SPF and DKIM on those too, but if they use domains exclusively to send spam, they will still be marked as spam domains by GMail, at least eventually.

But this doesn't explain why GMail should be distrustful of domains without SPF and DKIM records. There are literally hundreds of millions of DNS records worldwide, and only the tiniest minority (think, 1% or less) of those have SPF/DKIM records, and not having those records isn't evidence of being a spammer per se. But look from the perspective of spammers. If GMail adopts the policy that email from rare domains without SPF/DKIM records is accepted so long as they don't send high volumes of spam, then it's trivial for spammers to collect 100 million domains without SPF/DKIM and send literally 1 message from each, which results in 100 million spam messages being accepted by GMail.

That's why GMail wants you to add SPF/DKIM records to your domain if you're not a spammer. It allows GMail to block email from the >99% of domains that don't have SPF/DKIM enabled. And for the remaining 1% of domains, it can either delete email outright (if it's forbidden by SPF/DKIM), or else it can reliably identify a domain as being spammy.
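The SPF half of the explanation above can be shown as a small evaluator. The following is an added illustration (my own code, not Google's or any library's) covering the `ip4`, `ip6`, `include` and `all` mechanisms with their `+`/`-`/`~`/`?` qualifiers; the other RFC 7208 mechanisms are reported as `permerror` rather than implemented. DNS is replaced by a constructed table of TXT records so it runs offline; `xyzzy.example` and `mailer.example` are placeholders, not anyone's real records.

```python
"""Evaluate an SPF record for a connecting client IP (added illustration).

RFC 7208 subset: ip4, ip6, include, all. Lookups go to a constructed
dictionary instead of DNS so the example runs offline.
"""
import ipaddress
from typing import Dict

FAKE_TXT: Dict[str, str] = {
    # The domain's own policy: its /24, plus whatever its bulk mailer lists; hard-fail the rest.
    "xyzzy.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    # The mailer's policy only softfails unknown sources.
    "mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, txt: Dict[str, str] = FAKE_TXT, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for client_ip against domain's record."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms; guards include loops
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                    # no usable SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # a mechanism with no qualifier means "pass" when matched
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record evaluates to "pass"
            if check_spf(arg, client_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # a, mx, exists, redirect= etc. not implemented here
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(f"{ip:>14} -> {check_spf('xyzzy.example', ip)}")
```

The distinction the comment draws between deleting outright and merely scoring a domain maps onto the trailing term: `-all` asks receivers to reject unauthorized sources, while `~all` only asks them to treat such mail with suspicion. Note also that `include` does not inherit the included record's `fail`; an IP that mailer.example softfails simply falls through to xyzzy.example's own `-all`.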


It's not clear to me how this is any different than before? Most of my spam that I actually see already has all those things (valid DKIM, one-click unsubscribe link, and a rate limit per sender).

If you really want to fix email spam, create a micro-payments system. One cent for every email you send, the user has two options after they open the email: mark it as spam and keep the penny, mark it as legit and give the penny back. If they don't act on it within a week you get your penny back.

Legit senders won't be harmed because they will get their pennies back, spammers won't be able to afford sending messages anymore. The real interesting part would be stuff like LinkedIn notifications -- if people find them useful they'd give the penny back, but companies would have to decide how many people might actually find it useful for their cost analysis.


If I had a penny for every legitimate email I marked as spam, I’d be a billionaire.

Jokes aside, why wouldn’t you just farm pennies by marking all emails as spam?

You could say, “well you could detect people that abuse the system” - and now the mouse is chasing the cat.


Because people would stop sending you email.


The flaw is in giving the penny to the user instead of the email provider. If an email provider is claiming everything you send them is spam, you stop sending to them, which for a real email provider is a problem if you're sending non-spam email their customers actually want.


You bring up a valid case. People farming pennies could be an issue, but on the other hand, farming pennies is a more noble cause, and one that ostensibly seems far easier to catch. I'd rather do a lookup to find the outliers who are harvesting pennies than try to cat-and-mouse spammers who are masquerading as legitimate senders.


You have invented bitcash, the ancestor of bitcoin.


Well not exactly. The currency isn't the hard part, it's the payment transfer infrastructure that would be hard. If the big players all go on board and agreed to one thing we'd be off to the races.


The only spam I get on my old Gmail account, is some democratic party people who think opt in is for chumps. So whenever I check that account, I click report spam for all their spam mails. Maybe their successor won't be such an ass. One of them recently lost his election and I was very happy about that.

Edit: no idea why I only get democratic spam, maybe people with my name in the USA too dumb to enter their actual email don't like republicans. But I have no acceptance for spammers, no matter their politics.



