• Sp chevron_right

    Now hiring: Cheetah Digital / spam_resource · Friday, 5 November - 12:00

Cheetah Digital is looking for a Senior Deliverability Consultant. Remote is an option.

They're looking for somebody who can "work directly with customers to help guide them and resolve their deliverability problems in a timely manner" and who knows all the best practices, deliverability tools and remediation steps that those in our space would be expected to know. Could that be you? Click here for more info and/or to apply .

Značky: #cheetahmail, #Network

  • Sp chevron_right

    Dead domains: and / spam_resource · Thursday, 4 November - 12:00

Yahoo announced a shutdown of Yahoo Mail in China ( and to take place back in 2015. In 2019, the domains seemed to be resurrected , but they’ve since gone dead again, as the MX records for each domain point at nothing.

And since Yahoo just announced that they are fully pulling out of China , you can consider that the final answer. That, as they say, is that.

I'm guessing that the resurrection I stumbled across in 2019 might have had something to do with the transition of Yahoo Mail's Chinese users to Alibaba ? But I don't have an easy way to confirm it, and at at this point, it doesn't really matter, as there's not much a sender can do about it today. (Were the Yahoo domains ever that big in China, anyway? I was always more concerned with delivery to,,, and a handful of others. Yahoo was never on my top domain list for China.)

Značky: #Network, #yahoo, #china

  • Sp chevron_right

    HOWTO: Query Spamhaus Safely / spam_resource · Wednesday, 3 November - 12:00 · 2 minutes

You'll recall me warning recently that using Spamhaus data to protect your mail server is a bad idea if you're using open or public DNS resolvers . TL;DR? Spamhaus is worried about too much traffic via public channels but blocking is implemented in a way that makes it effectively intermittent and potentially confusing. You could be fine for weeks and then suddenly you start bouncing all inbound mail accidentally. Or you could be querying a resolver that never shows ANY bad IPs to block, losing you out on the good spam filtering benefit that you were hoping for.

Here's what to do about that.
  1. No matter how you implement DNSBL usage, check your logs periodically. In the case of Spamhaus, look for the "127.255.255" response codes. That will indicate that your attempt to query Spamhaus data is being blocked , so you've got a problem. That problem is probably interfering with the delivery of legitimate mail.
  2. Test and make sure you are getting a response proving use of Spamhaus data. If you're a unix nerd, type "host [IP address of your DNS server]" from the command line on your mail server. Make sure you get responses that say,, That shows that your DNS resolver can get through to Spamhaus (at least for test entries). If you never get any response other than NXDOMAIN, it means your resolver isn't able to get data from Spamhaus and you'll never block a single piece of spam that way. Either the DNS server is not able to connect where it needs to, or you've typo'd something in your configuration. (Google Public DNS seems to only give NXDOMAIN responses to Spamhaus query attempts, for example.)
  3. Install and run your own DNS resolver (server) locally. This used to be a bit sketch back in the day. The common DNS software "bind" was such a magnet for exploits in the past that it drove me to stop hosting my own DNS. Things are slightly better today. There's a great caching DNS resolver called Unbound that will do exactly what you need. I've had smart friends like Tim Wicinski and John Levine tell me it is safe and that it works well, and I'm happily using it myself nowadays.
  4. Sign up for the Spamhaus Data Query service. They provide you with what amounts to an API key (a little short bit of text that will be unique to your queries) and you query the DNSBL via "[key]" instead of "" --  allowing Spamhaus to see this traffic as you and you alone, not grouping any usage data together with that of a whole ISP or all users of a public resolver. Spamhaus offers a 30 day free trial of DQS access and say that an annual subscription to the Spamhaus data for commercial use starts at $250/year. Spamhaus also clarified for me that they provide free access for lower volume non-commercial use.
The point of this is so that Spamhaus sees your query traffic as from you and not all grouped together with all the traffic from your ISP or from a public DNS resolver. This makes you less likely to hit their unpublished query traffic limits through no fault of your own. (It does not, however, provide a free license to query Spamhaus millions of times a day.)

Which of these steps should you follow? All of them.

Značky: #howto, #spamhaus, #dnsbls, #Network

  • Sp chevron_right

    OpenDKIM and Postfix: Signing DKIM for multiple domains / spam_resource · Tuesday, 2 November - 12:00 · 1 minute

How do I use OpenDKIM with multiple domain names on a single postfix server? That's a question I myself had when I first set up my current VPS to host my current email system. So I searched around a bit. I found this guide , but it's kind of a pain in. Too much heavy lifting.

So I tried this instead. It's a bit of a hacker trick nobody seems to mention online: In your opendkim.conf file, where you specify the domain, you can just include multiple domains here, separated by commas.

Instead of
Just put
In your opendkim.conf file.

Upside : Super easy.
Downside : All domains have to share the same DKIM key, because there's only one DKIM key setting in opendkim.conf.

It works fine. Though you specify the domain name when creating a DKIM key, there's nothing in the key that is actually domain-specific. At scale, this is insecure. At the hobbyist level, where I've got three domains running on my one server that send a grand total of 150 emails a day, it's not a concern.

You can also put an asterisk (*) to wildcard the domain setting in opendkim.conf. However, I don't recommend this, because it will try to sign all mail for any domain, without checking to see if a DKIM public key actually exists for that domain. So if you send or forward any mail at all for any other domain, that mail will end up with a broken DKIM signature attached to it. An example where this will happen and be very bad for you is mailing lists. Some mailing lists rewrite the from address to use their own domain to bypass DMARC concerns, but not all do, and some only do it sometimes. So I strongly recommend against using a wildcard here, unless you know what you're doing.

Značky: #opendkim, #llinux, #dkim, #howto, #postfix, #Network

  • Sp chevron_right

    HOWTO: Create a BIMI logo file / spam_resource · Monday, 1 November - 12:00 · 1 minute

Looking for guidance on how to create your BIMI logo file? Valimail has a pretty good guide that explains the requirements and they also explain what to keep in mind when creating your BIMI graphic SVG file. Starting with:

  • Square
  • SVG Tiny Portable/Secure format
  • Solid background
  • Published via HTTPS

SVG meaning a Scalable Vector Graphics file, and particular type of SVG called SVG Tiny Portable/Secure (SVG P/S) . The image has to truly be a vector graphic ; the overall SVG spec does allow you to embed a bitmap in a file but this isn't allowed for SVG P/S or BIMI usage.

The Valimail guide goes on to explain how to manually edit the SVG file to convert it to the SVG P/S spec. But if you don't feel like editing XML files by hand, download this converter application that the BIMI (AuthIndicators) Working Group has shared here. I've used the Macintosh version and it works fine. (You may need to tell your Mac that it's OK to run this application.)

I used the tool to create a BIMI logo for , just to see if I could do it. I don't have a VMC and I send a very low volume of mail, so I don't expect it to show up anywhere, but at least it was pretty easy to do.

Značky: #bimi, #xnnd, #valimail, #howto, #Network

  • Sp chevron_right

    A DMARC Dictionary from dmarcian (and more!) / spam_resource · Friday, 29 October - 12:00 · 1 minute

I've got just enough time for a quick post today, to share with you this very useful DMARC Dictionary put together by the fine folks at dmarcian . Check it out ! And since that would make for a very short blog post, here's four bonus online resources that you might also want to bookmark, if you didn't already know about them:

  • The ISP Information page from Laura Atkins and Steve Atkins over at Word to the Wise , where they've collected info on which ISPs offer ISP Feedback Loops (FBLs), which ones have Postmaster information pages, help/support ticketing systems, etc.
  • My new friends at Kickbox (disclaimer: they are my employer) have put together this great "Developer's Guide to Email" website that you are going to find quite useful if you are looking to learn more about email technology or study how it all comes together.
  • Postmark's SMTP Field Manual allows you to look up example bounce messages for different ISPs, often with links to more information about a particular ISP's spam filtering.
  • And finally, my very own , a simple site that lets you DNS lookups and check various things about an IP address or domain name. (Like, does a domain have a DMARC or BIMI record?) Very recently, I moved XNND to Amazon's AWS EC2 platform, to make it faster, and I've got plans to add more features in the future, including re-incorporating my spamtrap data into lookups. (And you should give me your feedback on what else you think I should add to it!)

Happy Friday and happy bookmarking!

Značky: #dmarcian, #kickbox, #dmarc, #useful, #wttw, #Network, #postmark, #guide, #bimi, #xnnd

  • Sp chevron_right

    DNS problems causing email delays to / spam_resource · Thursday, 28 October - 19:58 edit

Having trouble sending mail to You're not alone. One of their three authoritative DNS servers ( for the domain appears to be unreachable right now. Confirm for yourself here .

If you use public DNS, results are mixed . My testing shows that Cloudflare can find the MX record; Google Public DNS cannot.

If you're lucky enough where it's easy to hard code an MX setting in your mail sending infrastructure, you could probably get away with temporarily directly mapping mail destined to so that your MTAs just directly connect to IPs -, as they seem to be responding just fine on port 25. (Those IPs are just a few of the mail servers that host mail for that domain.) Of course, that's not a scalable long-term solution.

I'll update the website when more information is available.

Značky: #Network,

  • Sp chevron_right

    Now hiring: Braze / spam_resource · Thursday, 28 October - 12:00

Braze "delivers customer experiences across email, mobile, SMS, and web. Customers, including Burger King, Delivery Hero, HBO Max, Mercari, and Venmo, use the Braze platform to facilitate real-time experiences between brands and consumers in a more authentic and human way." And they're looking to fill multiple Email Deliverability Specialist roles.

You'll be providing deliverability support to customers and internal teams; Help manage the workflow of deliverability requests to ensure accurate and efficient responses; Help conduct in-depth investigations, reviews, and audits into email sending practices; Assist customers with blocklists, spam traps, and issues with ISPs; and more.

They're looking for two US-based specialists (remote - click here ) and one London, UK-based specialist ( click here ). Happy (job) hunting!

Značky: #braze, #Network