I do not know about Tutanota and if they are a bad actor in the email space. But I remember them having done funny things like banning the complete German Hetzner IP range because Hetzner didn't want to give them customers' information without a court order (which I guess Hetzner isn't allowed to do either if the customer(s) in question is a private customer...).
Like consider Google banning all Azure hosted mail providers independent of their reputation and DMARC, DKIM, SPF etc. because MS keeps with the law and doesn't give Google private customer information; it's that ridiculous.
Whatever the cause, I'd be surprised if bad mail is sent in enough volumes to be noticeable to MS.
Last year I helped someone install MIAB and somehow neither Gmail nor Outlook nor any "major" provider logged them as spam from the get go. I was truly impressed and surprised.
I have heard war stories about people self hosting email and having problems. Sure, 3-5-10 years ago that might have been the case, but not now for the most part.
Please give your self hosted email a try again. It will take you less time to set everything up than cooking dinner. Try using MIAB or similar email software.
Go cheap, like RackNerd or something, and save money compared to Vultr/DO.
I strongly want what you say to be true, and would also encourage people to self-host email, but I want to make sure people are aware of the pits so they can avoid them or at least not have to learn the hard way.
All companies covered by GDPR (or similar privacy laws) would have this requirement. Can't be handing out information on customers to random companies willy-nilly.
Many providers seem to do this: respond that everything is OK and then drop the message silently.
It's better for governments to have just a few big email providers, so authorities have an easier life if they need to snoop on someone.
You can't control who sends email that looks like it's from you. If your email were bounced because of an SPF or DKIM failure, you could get an unlimited number of emails.
Second: corporate & institutional users have no choice
Even a spotlessly configured MTA will not guarantee you anything.
That's one of the reasons I stopped working on hosted mail. It has not turned into anything better with big companies putting their hands over it. It's more controlled now but the same crap as before, just as dangerous and a bit more expensive.
Currently working on a system with as much control as possible but piggybacking existing providers' transports.
Nice to see you like(d) it.
Yes, sadly it gets worse, perhaps not even in bad faith but by trying to fix it.
Everything went fine until the last gas stop before arriving at our destination... only to find our cards frozen anyhow.
It took about 25 mins to get cleared up, but these big corps are so heavily dependent on automation, they can't deviate because the system will take its own actions anyhow.
I, for one, am tired of living in a society that somehow isn't able to routinely think/behave proactively rather than reacting only once "the system will let you".
Of all the major mail providers, I found getting my mails to Outlook the hardest. Gmail played nice once I set up DKIM, DMARC, SPF, MTA-STS, rDNS and a couple more things that I forget, set up exactly the way they like it.
Outlook was harder though. I had to send a series of mails spread over multiple days to people who had Outlook accounts and get them to both mark it as not spam and reply to the mail until it eventually started working.
It's been a couple of months, not sure if it still works though. Hope it does.
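The records listed in the comment above (SPF, DMARC, MTA-STS) are what the big receivers check first, and most "Outlook won't accept my mail" stories start with one of them being subtly wrong. The following is an added example, not code from anyone in this thread: an offline linter that takes the TXT record strings you would get back from `dig` and flags the classic mistakes (a permissive `+all`, more than 10 DNS-lookup terms, `p=none`, a missing `rua=`, a bad MTA-STS `id`). The record strings and domain names in it are constructed for illustration.

```python
"""Offline lint of the sender-authentication DNS records receivers check.

Added example; the sample records are constructed, not any real domain's data.
Feed it record strings (e.g. the output of `dig +short TXT _dmarc.example.org`).
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)")


def lint_spf(record: str) -> list[str]:
    """Return problems found in one SPF TXT record (empty list means it looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    problems, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        m = _TERM.match(term.lower())
        if not m:
            continue
        qualifier, name = m.group(1) or "+", m.group(2)  # bare mechanism means '+'
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all" and all_qualifier is None:  # terms after 'all' are ignored
            all_qualifier = qualifier
    if lookups > 10:
        problems.append(f"SPF: {lookups} DNS-lookup terms; more than 10 yields permerror")
    if all_qualifier == "+":
        problems.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        problems.append("SPF: '?all' is neutral, so receivers learn nothing from the record")
    elif all_qualifier is None and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("SPF: no terminal 'all' mechanism; unmatched senders default to neutral")
    return problems


def _tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DMARC and MTA-STS records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return problems found in a _dmarc TXT record."""
    if record.split(";")[0].strip() != "v=DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    tags, problems = _tags(record), []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("DMARC: missing or invalid 'p=' tag, so the record is ignored")
    elif policy == "none":
        problems.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        problems.append("DMARC: no 'rua=' address, so you will never see aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        problems.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return problems


def lint_mta_sts(record: str) -> list[str]:
    """Return problems found in an _mta-sts TXT record."""
    tags = _tags(record)
    if tags.get("v") != "STSv1":
        return ["MTA-STS: record must contain v=STSv1"]
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", tags.get("id", "")):
        return ["MTA-STS: 'id' must be 1-32 alphanumerics and change with every policy update"]
    return []


def lint_domain(records: dict[str, str]) -> dict[str, list[str]]:
    """Lint a set of records keyed 'spf', 'dmarc', 'mta_sts'; missing keys are reported."""
    linters = {"spf": lint_spf, "dmarc": lint_dmarc, "mta_sts": lint_mta_sts}
    return {name: (fn(records[name]) if name in records else [f"{name}: no record published"])
            for name, fn in linters.items()}


# Constructed sample: a typical "monitoring only" setup that still needs work.
SAMPLE_RECORDS = {
    "spf": "v=spf1 mx include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "mta_sts": "v=STSv1; id=20240101T000000",
}

if __name__ == "__main__":
    for name, problems in lint_domain(SAMPLE_RECORDS).items():
        print(name, "->", problems or "ok")
```

The lookup counter is the check people most often miss: every `include:` of a SaaS vendor drags in that vendor's own includes, and once the total passes 10 the record evaluates to permerror, which many receivers treat as "no SPF at all".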
I have a daily message sent out from my server to a test account at outlook.com for two reasons: to try to work around this behaviour and to know immediately when there is a delivery issue.
All providers should be doing that. Most will remove IPs/domains after 90-120 days.
That being said, email as a whole could do with being replaced with a more robust solution to make it more versatile and offer other spam prevention techniques.
Not really; they will just sign up. Probably using a stolen card (I assume? I have no way to check.)
Source: have worked for an email provider. Have you seen one of those films where one guy fends off hordes of zombies or other "bad guys"? It's like that. Anything that can send email will attract hordes of twats trying to spam the shit out of it. The main difference is that the spammers are more despicable subhuman twats.
It's almost impossible to figure out where to report spam; most of their support articles are about how you report spam in Outlook instead. For reference, those reporting emails are:
phish@office365.microsoft.com
junk@office365.microsoft.com
But you get zero feedback, and I keep getting repeat phishing too.
They care so little about cleaning up their own act, I'm considering just rejecting their stuff with a bounce message. I checked, and there's very little important traffic from prod.outlook.com arriving in my inbox.
What's worse, oftentimes emails sent out from an old hotmail/outlook.com account always end up in the recipient's junk/spam folder. They still haven't addressed [this](https://x.com/tvjames/status/1278813439222145024?s=20), it seems, even to this very day.
1. Emails from everyone (including you) go into the spam folder.
2. I identify senders I do actually want to receive messages from.
The industry isn't doing item 2 very well, but default-deny for new senders is exactly what I want from a mailbox service.
I hate everything about M$ so damn much.
We then got the recommendation of a company (cannot remember their name) that could analyse our IPs and give recommendations. Naturally, the recommendations were the ones that you could find everywhere so they were not useful, but the company did have access to MSFT's score of our IPs, so we could know when we were close to being blacklisted and could take action/ramp down/etc. How did they have access to those internal IP scores? I don't know, but it seems totally fishy :).
For sure we spent 5k+ USD yearly on this service (which is a huge amount of money in a third-world country), and "somehow" after paying our deliverability did improve, despite doing the same things as before, as the recommendations were not ingenious.
So yeah, e-mail deliverability is a mafia, for sure.
> How did they have access to those internal IP scores?
When I was doing DMARC stuff professionally, plenty of big names were willing to send DMARC reports our way. Microsoft was the only company to give us full text.
That's not necessarily unreasonable, depending on which provider that is.
Sites like Wikipedia also block entire ranges to prevent spam. Unfortunately sometimes people do get caught up in that (as I did last year).
Those links are often spammer controlled and just confirm your email address as valid.
But if the mail is unsolicited or the unsubscribe link doesn't work then absolutely yes, mash that spam button.
Which is not ideal, and might explain why Gmail routinely puts perfectly legit correspondence in my spam folder - again and again.
I realize this might well be a problem stemming from email clients having but one option to flag emails: spam. Ideally one should have more options; as it is, scamming, spoofing and innocuous unsolicited marketing (and slow loading messages, it seems) are all put in the same basket.
Those are all spam. Especially unsolicited marketing. Fuck everyone who sends that, and I hope they get banned from whatever provider they use and it kills their company. I always report all of those even with an unsubscribe link, as it’s not as if I can trust them not to use "unsubscribe" as a "send more spam" signal, they’ve already proven themselves untrustworthy by not using double-opt-in.
Though with some providers even "mark as spam" seems to be able to leak your email as they send reports which contain the message-id. Good in our case as we don’t want to spam anyone and can then blacklist the address, but bad in case you report evil spammers.
It is all spam; none of us want to see any of it, why do we need more fine grained control?
SMTP 550 means the email bounces. The sender knows but unless they're also the admin they can't do anything about it. The recipient knows nothing. In the most recent case that happened to me, it happened when I sent a reply to an @outlook I had just received a message from (and was regularly receiving emails from, but only rarely needed to reply).
I felt outraged at the moment because it was clearly a "pay-to-play" scheme, but ~8 years ago the number of Hotmail/Outlook addresses in my country was definitely substantial. Probably it still is.
All mail providers mass block IPs, because the spam from some ISPs is literally too much to even filter.
I run a few high volume (very legitimate) servers and it's been a huge pain in the butt to keep them off of blacklists, but at the same time we've also had spammer problems and I totally get it.
They get the spam flag too for not being respectful of my inbox.
But the score I am speaking of was something different: it was the reputation assigned by Microsoft (i.e., something internal) to the IPs from which we sent e-mails. This score was used to determine how many e-mails sent from those IPs would pass/fail MSFT's filters. And to have access to the score and improve it, we had to pay a 3rd. party :).
Thanks for mentioning this. Have set DMARC preferences in DNS for ages but never configured a mailbox to receive the reports. Will try it out.
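Once a `rua=` mailbox is set up, the aggregate reports arrive as zipped XML (RFC 7489) that is tedious to read by hand. The following is an added example and not code from any commenter: a small summariser that turns one report into pass/fail counts and lists the source IPs whose mail failed both aligned DKIM and aligned SPF, which is exactly the list you need to decide whether `p=none` can be tightened. The embedded report is constructed for illustration (the IPs are documentation ranges and the org name is made up).

```python
"""Summarise a DMARC aggregate report (RFC 7489 XML) into pass/fail counts per source IP.

Added example, not code from the thread. Real reports arrive at the rua= mailbox as
gzip/zip attachments and unpack to XML shaped like SAMPLE_REPORT below.
"""
import xml.etree.ElementTree as ET  # for reports from unknown senders, prefer the defusedxml package
from dataclasses import dataclass, field


@dataclass
class ReportSummary:
    org_name: str
    domain: str
    policy: str
    total: int = 0      # messages seen by the reporting receiver
    aligned: int = 0    # messages where aligned DKIM or aligned SPF passed
    failing_sources: dict[str, int] = field(default_factory=dict)  # ip -> failed count

    @property
    def failed(self) -> int:
        return self.total - self.aligned


def summarize_report(xml_text: str) -> ReportSummary:
    """Parse one aggregate report and total its <record> rows."""
    root = ET.fromstring(xml_text)
    summary = ReportSummary(
        org_name=root.findtext("report_metadata/org_name", ""),
        domain=root.findtext("policy_published/domain", ""),
        policy=root.findtext("policy_published/p", ""),
    )
    for record in root.iter("record"):
        count = int(record.findtext("row/count", "0"))
        ip = record.findtext("row/source_ip", "?")
        # policy_evaluated holds the *aligned* results, which is what DMARC decides on.
        dkim = record.findtext("row/policy_evaluated/dkim", "fail")
        spf = record.findtext("row/policy_evaluated/spf", "fail")
        summary.total += count
        if dkim == "pass" or spf == "pass":   # DMARC passes if either aligned check passes
            summary.aligned += count
        else:
            summary.failing_sources[ip] = summary.failing_sources.get(ip, 0) + count
    return summary


def _record(ip: str, count: int, dkim: str, spf: str, disposition: str) -> str:
    """Build one constructed <record> element for the sample report."""
    return f"""<record>
    <row><source_ip>{ip}</source_ip><count>{count}</count>
      <policy_evaluated><disposition>{disposition}</disposition><dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>"""


# Constructed sample report: our own MTA, a spoofer, and a forwarder that breaks SPF.
SAMPLE_REPORT = f"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>Example Receiver Inc</org_name><report_id>rpt-0001</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range></report_metadata>
  <policy_published><domain>example.org</domain><p>reject</p><pct>100</pct></policy_published>
  {_record("192.0.2.10", 42, "pass", "pass", "none")}
  {_record("198.51.100.7", 5, "fail", "fail", "reject")}
  {_record("203.0.113.9", 3, "pass", "fail", "none")}
</feedback>"""

if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s.org_name}: {s.domain} p={s.policy} total={s.total} "
          f"aligned={s.aligned} failed={s.failed} failing={s.failing_sources}")
```

Note the third record: DKIM survives forwarding while SPF does not, so a forwarded message still counts as aligned. If most of your "failures" look like that but with DKIM also failing, the fix is usually signing, not blocking.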
This "users can't handle fine-grained control" philosophy is stupefying users IMO. Granted, many don't have the know-how, but they could just use the (hypothetical) dislike button, and the anti-spam AI could in that case place little weight on their judgement call. The interested user could instead be placed on a journey to be ever more adept at identifying email misuse.
Edit: as another commenter mentions, at present these completely unreliable signals to the anti-spam software cause, for example, Gmail to put perfectly legit emails in the spam folder, so I have to wade through a load of junk anyway (otherwise the legit messages in there get deleted after 30 days).
The system is broken, and people reporting irrelevant things as spam is most likely a part of it.
Also "I don't remember signing up to this newsletter" is mostly a case of pre-checked "consent" to mails or companies packing on newsletter subscription as a requirement to some unrelated service. That's also spam.
OK thanks, my bad. But you also seem to miss something, namely my point: you seem to imply that I'd be opposed to users marking unsolicited or dark-pattern mailing list emails as spam, if they indeed are such. Or that the existence of such emails somehow undermines my point. But that's not it.
The overarching problem is of course spam in the first place, secondly the substandard systems that email services use to identify spam. In third place I'd place the problem I raised, that legit emails are not delivered correctly, where part of the problem seems to be that users use the 'spam' label as a dislike button.
But here's the kicker: this last problem is mainly what might threaten email as a means of correspondence, period: If I get a lot of junk then I can sift that out to get to my real messages. But if my real messages don't reach me at all then that's likely game over for the email era.
Even worse though are places like Atlassian, which add a footer to some of their emails like "this email can't be unsubscribed from".
Even though it's directly illegal for them to have emails that can't be unsubscribed from.
It's their own special "Fuck You!" message to their email recipients.
After feeling gaslighted by some spam emails that I was very sure I had unsubscribed from, I started keeping a spreadsheet to track my requests with the date and what link I followed to get removed. Almost 25% of my requests have never been honoured; it's disgusting.
But when you have dozens of databases, each owned by a different company, and they feed off each other perhaps once a day, then you can end up with a long time before all your data is deleted.
I own my own email domain, and I use a different email address per service. I have done so for 13 years.
On legitimate emails, unsubscribe works correctly almost every time.
True spam seems to originate from a handful of compromised services like LinkedIn, parkmobile, etc. I don’t hit unsubscribe on those, but I don’t see how it would make things any worse.
Personally, my email is text only. It drops all HTML. I prefer it this way. :)
But the concept of your comment "they're just doing what they want because they reckon they can get away with it" is pretty common among large tech companies.
But if you landed in a mailing list, there are quite high chances that the unsubscribe link is legit.
"Legit" in that it will unsubscribe you from that exact list but not the 100 others they added you to at the same time.
So if you send me a marketing email, it's spam because I didn't ask for it. It may be legal but that doesn't impress me.
But I'm pretty sure that some people who actually signed up on purpose to be on some mailing list just click the spam button not to see them any more, because they are not any more interested, or for whatever other reason.
If you want to get people to click a link in your malicious booby trapped email, then an "unsubscribe" one is high on the list to include. :)
As if there is even a single counter-example you should just automatically mark it as spam and then email providers should blacklist the domain.
Are you 100% sure you never just signed up for a newsletter and forgot about it?
Are you 100% sure your email didn't end up there in some other way?
I used to send out some newsletters for my website; just a programming blog thingy. It was just a form with a simple program on the server to collect email addresses. Wrote everything myself; no external service or whatnot involved.
I got some pretty aggressive replies about people who insisted that I was spamming them. Did they forget (I didn't send out the newsletter very often)? Did someone typo their email and end up at the wrong person? Did some bot maybe fill in the form and pass the little captcha I added? Who knows. All I know is that there was a legit POST /subscribe request.
And as someone who also worked with spam prevention: it's this kind of stuff that also makes legit spam detection harder than it needs to be. The "Report spam" button is not a "fuck you" button, but unfortunately many people seem to use it as such.
And it took me a minute to find phishing mail with unsubscribe link. Which entirely proves my original point. Sure those sending phishing mails won't stop the mails I probably ordered somewhere?
99% of the time you explicitly unsubscribed from all categories, but the sender just added a new one and helpfully opted you in. So, yes, "fuck you".
For me, I can be pretty sure as I have extensive email archives.
Before claiming I've not signed up for stuff I check them first. :)
No matter how spammy a sender is, an unsubscribe click is a big signal that they don't want to contact that email account again. It takes time and money to warm up a domain, prepare it for outbound email, and keep it from being blacklisted when you're sending out a high volume of mail. The days where someone can just spin up an email server in a couple of minutes and blast hundreds of thousands of people with spam are over. If you don't manage your reputation you'll get blacklisted in a matter of hours. The #1 way as a mailer to manage your reputation is to respect unsubscribe requests.
Yes, clicking the unsubscribe link indicates that there's a real human checking the mailbox. But data resellers have many ways to verify the validity of a mailbox that are more effective than this one. And unlike this one, they don't indicate that the person dislikes receiving unsolicited email. So very few data resellers use unsubscribe clicks as a way to verify email validity, because if they do they'll be polluting their product with the emails of people who are likely to get pissed off by unsolicited mail, report it and get a customer's domain blacklisted. If the data reseller is selling "verified" data that is getting his customers blacklisted - he won't be in business for much longer.
It's worth pointing out that not all unsolicited mail is illegal. There are exceptions carved out in US CAN-SPAM and in other jurisdictions. If you're a business in the US the law is basically that people can send you unsolicited marketing emails whether you like it or not, as long as they provide an unsubscribe link and respect your request if you click it. To not use the mechanism that is explicitly required by the law for your protection is shortsighted.
No, not absolutely.
I presume you are operating under the assumption that most bulk email comes from the big providers like AWS and MailChimp (which in fact uses SendGrid underneath). And yes, under those circumstances you are correct. Those big firms whose day job is sending "spam" have a huge incentive to ensure you don't outright reject the spam; if they don't, the reputation of the IP address ranges they are sending from gets trashed. For example, they go to the trouble of wrapping every link in the email with a redirect via them, so they can monitor which emails from them you are engaging with.
But I have some news for you: the vast bulk of spam does not come from them. Maybe you aren't aware of that because you use an email provider like Gmail or Outlook. They stop most of this other spam (which is how we get to the headline). But nonetheless it's there, and if it does sneak through and you click on the unsubscribe link you not only won't be unsubscribed, your confirming you're a real human will ensure you will be subscribed to many spam emails.
Plus the link is always at the bottom in a tiny footer.
The mark as spam button has no such issue and hurts the sender to boot.
I also haven't seen those email addresses passed on to someone else (I use unique aliases).
You weren't talking about phishing before. You're shifting this to something radically different.
> Yeah no. Emails which include an unsubscribe link are legit enough to not do that. Actual spammers don't bother to include an unsubscribe link.
I found a phishing email with an unsubscribe link. Thus I think we can generalize that emails containing unsubscribe in general are not legit nearly often enough to trust that. Thus the only correct and safe way is to mark them as spam and let the email provider eventually handle them correctly for everyone.
You are pretty much suggesting the very thing Microsoft is doing here.
This is not a serious suggestion in any shape or form.
[1]: A number I have serious doubts about by the way, but we'll use it for now.
As I mentioned before, even with the best of intentions people can "construe your email as spam".
People mark emails as spam as "fuck you". Bad support? Spam! Argument with a friend? Spam! Yes, people really do this.
People can abuse your platforms in ways you didn't foresee: either an outright security flaw or a "logic flaw" (e.g. on one system I worked on, the rate-limiter could be bypassed by using Cc, which was of course quickly solved, but people did unfortunately use it to send out spam).
If you have any sort of "sign-up", even if paid only, people will try to abuse it to send spam.
People's computers get hacked, and while botnet spam is less of an issue due to residential ISPs blocking SMTP traffic, abusing the hacked machine's Outlook or whatnot still happens.
There's tons of cases where regular well-intentioned people send out spam. Anyone who claims any different has never seriously worked on any kind of anti-spam system with real-world usage. If this was an easy problem it would be a solved problem, but it's not, because it's a hard problem.
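The Cc rate-limiter anecdote above is a textbook "logic flaw": the limiter counted submissions, while the thing that actually costs reputation is recipients (every address in To, Cc and Bcc becomes its own RCPT TO and its own complaint opportunity). As an added illustration, not the commenter's code or any real system's, here is a sliding-window outbound limiter whose cost function is pluggable, so the message-counting version and the recipient-counting version can be compared on the same constructed message. The sender addresses, limits and message are all made up for the example.

```python
"""Outbound rate limiting: count recipients, not messages.

Added example (not from the thread). The limiter keeps a sliding window of
(timestamp, cost) per authenticated sender; the cost function decides what a
submission "costs". Counting one per message is the flaw described in the thread;
counting every unique envelope recipient is the fix.
"""
from collections import defaultdict, deque
from email import message_from_string
from email.message import Message
from email.utils import getaddresses


def one_per_message(msg: Message) -> int:
    """The flawed cost: a 300-recipient message costs the same as a 1-recipient one."""
    return 1


def count_recipients(msg: Message) -> int:
    """The fixed cost: number of distinct addresses across To, Cc and Bcc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return len({addr.lower() for _, addr in getaddresses(headers) if addr})


class RateLimiter:
    def __init__(self, limit: int, window_seconds: int, cost=count_recipients):
        self.limit = limit
        self.window = window_seconds
        self.cost = cost
        self._events: dict[str, deque] = defaultdict(deque)  # sender -> (ts, cost)

    def used(self, sender: str, now: float) -> int:
        """Cost consumed by this sender inside the current window."""
        events = self._events[sender]
        while events and events[0][0] <= now - self.window:  # drop expired entries
            events.popleft()
        return sum(cost for _, cost in events)

    def check(self, sender: str, raw_message: str, now: float) -> tuple[bool, int]:
        """Return (allowed, cost). Only allowed submissions are charged to the window."""
        cost = self.cost(message_from_string(raw_message))
        if self.used(sender, now) + cost > self.limit:
            return False, cost
        self._events[sender].append((now, cost))
        return True, cost


def make_message(n_cc: int) -> str:
    """Constructed RFC 5322 message with one To: recipient and n_cc Cc: recipients."""
    cc = ", ".join(f"user{i}@example.net" for i in range(n_cc))
    return f"To: friend@example.net\r\nCc: {cc}\r\nSubject: hi\r\n\r\nbody\r\n"


if __name__ == "__main__":
    flawed = RateLimiter(limit=100, window_seconds=3600, cost=one_per_message)
    fixed = RateLimiter(limit=100, window_seconds=3600, cost=count_recipients)
    blast = make_message(300)
    print("message-counting limiter:", flawed.check("alice@example.org", blast, now=0))
    print("recipient-counting limiter:", fixed.check("alice@example.org", blast, now=0))
```

The window only charges submissions that were accepted, so a rejected blast does not lock the sender out of their legitimate one-to-one mail a minute later; whether that is the right policy for your service is a product decision, but it keeps the limiter's denials honest about what was actually sent.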
But the onus should be on the model builders not on the final user.