
End-to-End Email Encryption - This Time For Sure?


Phil Zimmermann's Pretty Good Privacy (PGP) and its offspring have been encrypting and decrypting email for almost 25 years — but require enough knowledge and determination to use them that adoption has never taken off outside the technoscenti. Now initiatives from several quarters aim to fix that — but will it all "just work," and will end users adopt it even if it does?

According to a new Pew Research Center study of Americans' attitudes after two years of disclosures about widespread government surveillance, 61% of respondents are less confident that these efforts are serving the public interest, and 57% said it is "unacceptable" to monitor the communications of US citizens. Despite this strong sentiment, only 18% of those surveyed indicated that they had changed the way they used email — even "somewhat" — as a result. Add this gap to the high bar end users have had to overcome in order to adopt email encryption, and how likely is it that these new tools and services will trigger a change in behavior?

Not Widespread After Two And A Half Decades

People who regularly say things that can put them in danger — activists, dissidents, journalists — may come to depend heavily on encrypted email. But it never really caught on with average email users, probably because in the past it never occurred to them to worry about who might see their messages other than a nosy spouse or partner. Even if they felt the need, the steps involved were fairly arcane for the average consumer. And if they overcame that hurdle, and if somebody they wanted to swap encrypted messages with did too, then exchanging and loading the necessary keys was often a bridge too far.

The community around PGP tried to make key exchange easier by creating public keyservers and programming plugins for just about every email client written. But the adoption curve was never driven far enough to trigger the network effect — likely because of the number of unusual (to Joe Sixpack) steps involved in generating a key and getting it onto that keyserver in the first place. Similar issues affected alternatives like S/MIME, outside of certain business environments and platforms, where the equivalent hurdle was obtaining or exchanging valid certificates. Each system worked well where it was used, but none of them really impacted the use of email on Main Street.

Instead the form of encrypted email most often encountered by consumers has typically been a small, self-contained system — often deployed by banks or healthcare providers — that only allowed them to exchange messages with people at those organizations. In many cases this was just a captive webmail service accessed from a web browser over a TLS-encrypted session, with content-free "you have a message" notes going to a customer's regular email address to prompt them to visit the portal. In these highly regulated industries the expense of deploying these systems is often easy to justify, especially when the alternative is an envelope sent via courier or next-day service.

Along Comes Citizen Four

Since the Edward Snowden leaks made the depth and breadth of recent government surveillance public, there has been renewed interest in encrypting email — along with just about every other kind of Internet traffic. And after a few years of steady work, a number of initiatives are coming to the fore.

Since 2008 the German government has been working on an email service called DE-Mail. The initial goal was to support the exchange of legally binding electronic communications and documents between citizens, businesses, and government. But according to German officials, beginning in April 2015 the platform will offer end-to-end encryption of messages through browser plugins, which will be based on PGP. While the DE-Mail platform hasn't been wildly popular with consumers to date, this new service might change that — and the announcement certainly reflects a different attitude on the part of the German government, compared to the official UK or US positions that end-to-end encryption threatens the effectiveness of law enforcement.

In early 2014 a small startup called Keybase.io began getting attention, at least partly because of the founders' track record with SparkNotes and OkCupid. They set out to update the traditional PGP keyserver and attestation models, incorporating public proofs of identity based on social media and other services. They also offered both command-line and browser-based code that would simplify many of the details of key management and encryption for end users — though perhaps allowing users to upload their private keys for ease of portability is a step too far. Still, the focus on simplifying things for the end user is laudable, and it is a standalone service that you use with your existing email account. Their keyserver is integrated with the existing PGP keyservers, and their simpler user interface can be used on top of publicly reviewed and vetted open source programs.

In June of last year, Google announced it was developing a Chrome extension that would make end-to-end encryption with PGP a lot easier for end-users — which, in a blaze of creativity, they named End-To-End. While this extension still hasn't reached the Chrome Web Store, the source code has been publicly available for over six months and other messaging players such as Yahoo have been participating in the project. Like Keybase.io, Google is revisiting the keyserver — but this time taking a new look at the entire key distribution model, with an approach that draws on concepts from Certificate Transparency.

At Black Hat USA last summer, Yahoo's Alex Stamos promised that they would deliver an end-to-end encryption capability for Yahoo Mail users. On Sunday at the South by Southwest Festival, he announced that Yahoo was on track to deliver the functionality by the end of this year, showed a video of a beta version that was much easier to set up and use than traditional PGP clients, and announced that their version of the code from their collaboration with Google was available on GitHub for public review.

But If You Build It, Will They Come?

Whether or not DE-Mail sets a standard for Europe, whether or not Keybase.io can revitalize PGP for users at large, anything that is interoperable and adopted by both Google and Yahoo is going to be hard to ignore. And having that many potential correspondents in their key distribution system is going to be a powerful motivator to maintain interoperability with existing keyservers, even if the latter have to make some changes to do so.

Will end-users adopt it? I think so, though even if it only takes a few extra clicks, it probably won't be used for most messages — you just aren't going to encrypt a quick note about when to take the kids bowling this weekend. But if it is just a few clicks, and if most of your contacts are in the same position, then I think you'll see modest growth from the consumer side. However, the ability to reach so many consumers without deploying expensive, specialized infrastructure might represent an opportunity for lots of businesses to communicate more securely with their customers, and vice versa. And I think that could be the one-two punch that finally changes expectations, and gets adoption moving on a broad front.

Note: I have referred almost exclusively to Pretty Good Privacy, or PGP, which is the progenitor and probably most-recognized of a family of compatible implementations. But the GNU Privacy Guard, also known as GnuPG or GPG, may be the most widely deployed example as it is found in most Linux distributions. OpenPGP refers to an IETF Proposed Standard or protocol that these programs implement, RFC 4880, and which is free for use without licensing fees.

Written by Steve Jones, Consultant - Programmer - Strategist


M3AAWG & i2Coalition Collaborate on Best Practices on Anti-Abuse in Hosting & Cloud Environments


I am excited to announce the recent release of the industry-first Best Common Practices document for cloud and hosting providers on addressing abuse issues, created by M3AAWG and the i2Coalition. M3AAWG has been collaborating with the Best Practices Working Group of the i2Coalition over the past 2 years to discuss ways to address malicious activity within hosting and cloud ecosystems. The result of these efforts is the M3AAWG Anti-Abuse Best Common Practices for Hosting and Cloud Service Providers, which was published in March. I am proud to have been part of this document as one of its drafters and as a member of both the i2Coalition and M3AAWG through my employment at Rackspace.

The Messaging, Mobile & Malware Anti-Abuse Working Group (M3AAWG) has been working to combat spam, phishing, denial of service attacks, mobile spam and other forms of abuse since early 2004. M3AAWG represents over a billion mailboxes and 200 companies among its global membership.

The Internet Infrastructure Coalition (i2Coalition) focuses on education and advocacy for the companies that build the Internet above the telco layer. i2Coalition fights for a free and open Internet and works with groups like M3AAWG to make sure that they have the resources and insights necessary to make the Internet a better, safer place.

The collaboration between M3AAWG and the i2Coalition was a natural and important fit in creating a best practices document from inception to its release. System abuse is an enormous challenge on the Internet, and it has become an increasing issue for hosting providers as malicious parties have moved from ISPs to the hosted space with new and different ways of exploiting vulnerabilities in the Internet's infrastructure and customer environments.

The primary goal of the document is to provide cloud and hosting companies with guidelines for prevention, detection, identification, and remediation of abuse issues on their networks. The document is written to apply to a wide range of companies in the hosting industry, from multi-nationals to small local hosting companies. This document will be continually evolving as the threat landscape and the methods of exploiting hosting companies and their customers change.

M3AAWG and the i2Coalition encourage all web hosting providers to read this document, share it and put it into action.

Written by Matthew Stith, Anti-Abuse Specialist

Hybrid Cloud Proves Clouds Are Worthy of Email Infrastructure


One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. The digital messaging space pertaining to email infrastructure has lived in a hybrid cloud since 2014. A cloud-based delivery infrastructure environment combined with an industrial grade on-premise message transfer agent (MTA) platform such as PowerMTA or Momentum has been proven to deliver much higher degrees of agility to your organization.

With the cloud, senders no longer need to plan for and procure MTAs and other IT infrastructure weeks or months in advance. Instead, they can instantly access hundreds or thousands of servers in minutes and deploy massive amounts of emails faster than ever. A hybrid cloud offering combines cloud services and on-premise infrastructure into an aggregated pool of resources. This allows workloads to be distributed between on-premise software and private cloud environments and gives your business greater flexibility, efficiency and agility, including additional sending deployment options. A key benefit of hybrid infrastructure is that it enables a variety of hybrid workload implementations. This hybrid-cloud is particularly valuable for dynamic or highly changeable workloads, which is often the case when scaling email.

For example, during peak seasons when email sending demands spike, especially during the holidays, a simple use case would be to divert some of your sending traffic such as your transactional email streams to a cloud solution. This puts less pressure on your on-premise SMTP solution, providing a secure deployment option for mission critical messaging. A hybrid cloud solution provides flexibility and scalability, immediately meeting the demands of your workload on an as-needed basis. This strategy eliminates the need for your company to make continued, substantial capital expenditures or investments, such as purchasing additional licenses or configuring additional instances of on-premise MTAs to meet excess demand. A hybrid cloud can accommodate short-term spikes in workloads and provide resources on demand that can be deployed instantaneously.

Faster IP Warm Up

Cloud platforms tethered to the digital messaging space have the ability to scale to unpredictable demand levels in the shortest time frames. With cloud-based email infrastructure, ISP delivery policies are already optimized, providing efficiencies that are unmatched and bypassing the configuration of VirtualMTAs or individual tiers of messaging streams. Port25 leverages one of those efficiencies with IP Warm Up, which gives you the ability to quickly add reputable new IP addresses to your sending infrastructure. In the past, unlocking a dedicated IP and ramping up to achieve highly scalable sending volumes would take weeks and sometimes months. Under most circumstances, depending on your cloud provider, when you use IP Warm Up, IPs with excellent sending reputations are already warm and optimized for highly scalable workloads immediately. Cloud-based email infrastructure creates recognized efficiencies because sending patterns are customized to ensure that the most reputable IPs are readily available for your clients.

Figure: Hybrid Cloud Transactional Mail Solution – Cloud platforms tethered to the digital messaging space have the ability to scale to unpredictable demand levels in the shortest time frames.

Further, onboarding your clients to a cloud platform ensures speed and processing power in a shorter time interval. Onboarding customers no longer face the pain point of establishing their dedicated IP instance, now that the 30- to 45-day wait period for messaging to scale is removed. With cloud infrastructure in place, onboarding brand new customers is instant.

Combining the on-premise MTA with a cloud option frees the company from being tied down by processing power, security and granular configuration requirements. VirtualMTAs and/or binders are instantly deployed based on sending patterns associated with your segmented email streams. This creates enhanced dexterity in your business environment that minimizes risk, and brings higher customer satisfaction, leading to greater market-share and revenue.

One company that deploys a hybrid solution is MessageGears, a Port25 Solutions, Inc., client, that uses PowerMTA as its on-premise infrastructure solution to power emails on behalf of its clients. By combining the power and security of installed software with the efficiency and scalability of cloud delivery, MessageGears enables marketers to capitalize on every email they send. The combination of an on-premise solution with a data-driven cloud delivery model ensures that workloads are secure and well balanced. Hybrid cloud computing enables enterprises to augment their isolated, on-premise MTA without large costs or scaling requirements. The cloud solution enables high-availability, resiliency, and the ability to introduce new functionality quickly.

Security

Data security for digital messaging cloud sending environments is a chief concern for many businesses. Security threats today are increasingly more diverse and more sophisticated, chasing multiple different attack vectors. This can cripple an organization's ability to detect and adapt proactively to avoid service interruptions. While hackers of yesterday were motivated by profit, today's criminals want PII — and they are pursuing security sinkholes far more swiftly and aggressively than their hacker predecessors.

With the explosion of sensitive company data stored in the cloud, businesses need stronger, more secure access to web-based applications. Recently, SparkPost introduced multi-factor authentication (MFA) for even greater security with all of your web application integrations. Multi-factor authentication is the gold standard for ensuring that a user is legitimate at login. It is the cornerstone of enterprise integration.

Not all enterprises can make the case for a hybrid cloud solution. Your organization's cloud adoption journey will be unique. An understanding of your current situation and your overall goals will shape your transition toward the cloud.

Every day, however, the case for a hybrid cloud becomes more compelling. Skills and competencies once revered in the email space can now be offloaded to the cloud, for continuous integration and heightened optimization. The hybrid cloud environment can redefine the workplace, while additional security layers take precedence. Our customers have found that the business benefits far outweigh the costs when they switch from a lone on-premise solution.

To be a leading provider in 2015 requires a large footprint in the cloud. If you are focused on reducing cost, stimulating innovation and growth for your clients, expanding into new geographies, and diversifying your business, the hybrid cloud offering is your ticket to improving quality, reducing complexity, and empowering your customers.

Written by Fred Tabsharani, Vice President of Marketing, Port25 Solutions, Inc. He can be reached by email via fred.tabsharani@messagesystems.com for any questions. Follow him on twitter @tabsharani.

Case Study: How PowerMTA Helped Forfront With Its Growing Message Volume


UK-based email marketing solutions provider Forfront is a private company that serves over 1000 users sending 120 million emails per month. The users of their platform are primarily B2B. However, 30% of their target audience is consumers. With peak volumes of up to 1.1 million messages per hour, Forfront needed an agile and flexible SMTP server solution to handle its growing message volume. They required more email stream control during heavy send periods to reduce their bounce rate dramatically. They also required more detailed bounce classification within their bounce log to distinguish true hard bounces (bad addresses that should be extracted from the send database) from soft bounces (temporary delivery failures that can be resolved).

Forfront Delivery Challenges

"With PowerMTA™ in our arsenal, we can reliably send the amount of emails our clients expect from us as an ESP. Its ease of use and powerful controls help us grow as a company with the assurance that PowerMTA™ will keep pace."

Before their move to PowerMTA™, Forfront relied on email marketing software from StrongMail. As Forfront's client base expanded, the company grappled with a growing and poorly managed bounce logging system. Optimizing bounce log management is a crucial building block for maintaining a stellar IP reputation. The lack of detailed categorization of bounces with their old MTA software was a pain point for Forfront, as it was challenged to identify correctly which bounced emails should be extricated from their send lists. In addition, the number of granular configurations required to distribute large numbers of emails was becoming resource prohibitive. Forfront exercised due diligence with StrongMail (now StrongView) and other MTAs, but didn't find a product that would give them the specific bounce strings they required to isolate true "hard bounces" that should be extracted from soft bounces masquerading as hard bounces.

The Solution

Forfront required a pragmatic approach and switched to PowerMTA™, which has close to 20 unique ISP diagnostic bounce codes built into the PowerMTA toolbox, allowing them to effortlessly distinguish true hard bounces from soft bounces that show up as 5.X.X, thereby optimizing their clients' send lists. PowerMTA's feedback loop processes and bounce log filtering optimized Forfront's processing servers, liberating additional resources for queuing and sending email. With the agility to throttle at the domain level, Forfront now ensures timely delivery to the inbox for their growing client base. The granular level of bounce classifications available from PowerMTA™ provides Forfront with a powerful tool for working with large clients. PowerMTA™ gives high volume clients better delivery rates for email campaigns, leading to greater client satisfaction.
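To make the "soft bounce masquerading as a hard bounce" problem concrete, here is an added example (not PowerMTA's classifier, and not Forfront's data) that triages constructed SMTP bounce-log replies by RFC 3463 enhanced status code and, failing that, by diagnostic text, so that only true bad-address bounces are suppressed from a send list:

```python
import re
from collections import Counter

# Constructed bounce log entries: (recipient, SMTP reply as an MTA would log it).
# Invented addresses and reply text for illustration only.
SAMPLE_BOUNCES = [
    ("alice@example.com", "550 5.1.1 The email account that you tried to reach does not exist"),
    ("bob@example.org",   "550 5.7.1 Service unavailable; client host blocked using reputation list"),
    ("carol@example.net", "452 4.2.2 Mailbox full"),
    ("dave@example.com",  "550 5.2.2 User is over quota"),      # 5xx, but not a bad address
    ("erin@example.org",  "550 No such user here"),             # no enhanced code at all
    ("frank@example.net", "554 Message rejected for policy reasons"),
    ("grace@example.com", "550 5.0.0 Unknown error"),           # unclassifiable: leave for review
]

# Enhanced status codes (RFC 3463) whose subject is the address itself: true hard bounces.
ADDRESS_CLASSES = {"5.1.1", "5.1.2", "5.1.3", "5.1.6"}
# Permanent-looking 5xx replies that describe a mailbox or message condition, not a
# bad address; these addresses should stay on the list and be retried later.
SOFT_5XX_CLASSES = {"5.2.2", "5.2.3", "5.3.4"}   # mailbox full, too large, size limit

# "<3-digit code> <optional x.y.z enhanced code> <free text>"
STATUS_RE = re.compile(
    r"^(?P<code>[245]\d\d)[ -](?:(?P<esc>[245]\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$")

HARD_PHRASES = ("user unknown", "does not exist", "no such user",
                "invalid recipient", "unknown recipient")
SOFT_PHRASES = ("mailbox full", "over quota", "try again", "temporarily")
POLICY_PHRASES = ("blocked", "blacklisted", "reputation", "spam", "policy")


def classify_bounce(reply: str) -> str:
    """Return 'hard', 'soft', 'blocked' or 'unknown' for one SMTP reply line.

    Order of evidence: 4xx is always transient; then the enhanced status code;
    then the diagnostic text. Anything still unrecognised is 'unknown' rather
    than 'hard', so an odd reply never deletes a good address."""
    m = STATUS_RE.match(reply.strip())
    if not m:
        return "unknown"
    code, esc, text = m.group("code"), m.group("esc"), m.group("text").lower()
    if code.startswith("4"):
        return "soft"
    if esc:
        if esc in ADDRESS_CLASSES:
            return "hard"
        if esc in SOFT_5XX_CLASSES:
            return "soft"
        if esc.startswith("5.7."):      # security/policy status: reputation, not the address
            return "blocked"
    if any(p in text for p in HARD_PHRASES):
        return "hard"
    if any(p in text for p in SOFT_PHRASES):
        return "soft"
    if any(p in text for p in POLICY_PHRASES):
        return "blocked"
    return "unknown"


def triage(bounce_log):
    """Split a bounce log into addresses to suppress plus a per-category tally.

    Only true hard bounces are suppressed. 'blocked' replies point at a sending
    reputation problem and 'soft' ones at a retry, neither of which is fixed by
    shrinking the list."""
    suppress, tally = [], Counter()
    for rcpt, reply in bounce_log:
        category = classify_bounce(reply)
        tally[category] += 1
        if category == "hard":
            suppress.append(rcpt)
    return suppress, tally


if __name__ == "__main__":
    removed, counts = triage(SAMPLE_BOUNCES)
    print("suppress:", removed)
    print("tally:", dict(counts))
```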

Discover PowerMTA™

Port25's flagship product, PowerMTA™, has a global footprint with more than 4,500 installations in over 51 countries.

PowerMTA from Port25 Solutions, Inc. is recognized in over 50 countries, with over 4000 installations worldwide. Port25's global footprint exceeds well over 130 Email Service Providers and cloud based marketing automation companies including 70% of the leading ESPs. As of May 2014 we've begun to see traction for email infrastructure in emerging markets such as Brazil, Russia, India, China, South Africa and the UAE.

Case Study: Email Service Provider GetResponse Scales with PowerMTA


With expansion on the horizon, email marketing company gets more out of its hardware to meet growing demand.

GetResponse declares itself "the world's easiest email marketing provider." The company helps 350,000 customers in 182 countries and delivers as many as 100M email messages per day, sustaining send rates of 4.2 million messages per hour, and has approached 1.5 billion messages per month. Customers include small, medium and enterprise B2B and B2C businesses located primarily in the U.S., Canada, the U.K. and Australia. The company has recently experienced a growth surge in Europe, the Middle East and Asia.

The Messaging Infrastructure Challenge

For a decade, GetResponse used IronPort for its mail servers before selecting PowerMTA™ from Port25 Solutions. IronPort, acquired by Cisco in 2007, has limited command line batch capabilities. The GetResponse IT people love command-line-driven Linux, which made it a challenge to integrate IronPort's technology with the GetResponse platform. GetResponse selected PowerMTA because its powerful command-line features made integration simple. PowerMTA made it easy to configure and deploy multiple sending environments via text files, while optimizing delivery streams using message headers to significantly reduce the number of outbound connections needed. Further, GetResponse didn't require investments in more powerful hardware.

The Solution

PowerMTA quickly overcame the limitations of the IronPort solution and opened up new opportunities for optimized mail management. "We are doing more with the same hardware by virtue of the PowerMTA approach to best practices," said Simon Grabowski, CEO. "At the current growth rate, the software will pay for itself in less than three years."

GetResponse developers love the dynamic configuration options. "PowerMTA creates a new efficiency, with rather awesome options to filter messages, send messages via multiple channels, control the number of outbound messages per ISP and 'warm up' IPs by sending sample mail-outs," said Irek Rybinski, Deliverability Manager for GetResponse.

GetResponse is able to manage rapid growth with fine-grained PowerMTA™ features such as VirtualMTA technology and the option to define or label traffic for individual ISPs. Rybinski added, "PowerMTA can queue large volumes of email data, and these days we're sending 100 million emails on a busy day."

GetResponse CEO Simon Grabowski says PowerMTA's features remove barriers that prevented the company from offering customers a high level of service without growing pains. "Admittedly, we let the IronPort maintenance contract drop several years ago," Grabowski said. "However, PowerMTA breathes new life into our infrastructure, which means we can handle more traffic with fewer devices."

GetResponse aspires to be the best-in-class platform for email marketing, landing page optimization and marketing automation. With rock-steady support and a great track record from PowerMTA, GetResponse is on track to become an all-in-one tool for marketers worldwide to promote their products and services online.

Visit the Port25 Solutions, Inc. website for a full-featured trial evaluation copy of PowerMTA.


Facebook and PGP


Facebook just announced support for PGP, an encrypted email standard, for email from them to you. It's an interesting move on many levels, albeit one that raises some interesting questions. The answers, and Facebook's possible follow-on moves, are even more interesting.

The first question, of course, is why Facebook has done this. It will only appeal to a very small minority of users. Using encrypted email is not easy. Very few people have ever created a PGP key pair; many who have done so have never used it, or simply used it once or twice and forgotten about it. I suspect that a significant number of people (a) will try to upload their private keys instead of their public keys; (b) will upload it, only to discover that they no longer remember the strong password they used to protect their private keys; (c) will realize that they created their key pair three computers ago and no longer have PGP installed; or (d) more than one of the above.

The nasty cynical part of me thinks it's an anti-Google measure; if email to users is encrypted, gmail won't be able to read it. It's a delightfully Machiavellian scheme, but it makes no sense; far too few people are likely to use it. Unless, of course, they plan to make encrypted email easier to use? That brings up the second question: what will Facebook do to make encryption easier to use?

Facebook is, of course, one of the tech titans. They have some really sharp people, and of course they have the money to throw at the problem. Can they find a way to make PGP easy to use? That encompasses a wide range of activities: composing encrypted and/or signed email, receiving it and immediately realizing its status, being able to search encrypted messages — and doing all this without undue mental effort. Even for sophisticated users, it's really easy to make operational mistakes with encrypted email, mistakes that gut the security. To give just one example, their announcement says that if "encrypted notifications are enabled, Facebook will sign outbound messages using our own key to provide greater assurance that the contents of inbound emails are genuine." This could protect against phishing attacks against Facebook, but if and only if people notice when they've received unsigned email purporting to be from them. Can this work? I'm dubious — no one has ever solved that problem for Web browsers — but maybe they can pull it off.

The third big question is mobile device support. As Facebook itself says, "public key management is not yet supported on mobile devices; we are investigating ways to enable this." Their target demographic lives on mobile devices, but there is not yet good support for PGP on iOS or Android. There are outboard packages available for both platforms, but that's not likely to be very usable for most people. Google has announced plans for GPG support for gmail on Chrome; it would be nice if they added such support to the built-in Android mailer as well. (Oh yes — how do you get the same key pair on your mobile device as on your laptop or desktop?)

The last and most interesting question is why they opted for PGP instead of S/MIME. While there are lots of differences in message formats and the like, the most important is how the certificates are signed and hence what the trust model is. It's a subtle question but utterly vital — and if Facebook does the right things here, it will be a very big boost to efforts to deploy encrypted email far more widely.

One of the very hardest technical things about cryptography (other than the user interface, of course) is how to get the proper keys. That is, if you want to send me encrypted email, how do you get my public key, rather than the public key of some other Steven Bellovin or a fake key that the NSA or the FSB created that claims to be mine? (I've put my actual PGP key at https://www.cs.columbia.edu/~smb/smbpgp.txt, but of course that could be replaced by someone who hacked the Columbia University Computer Science Department web server.) PGP and S/MIME have very different answers to the question of assuring that a retrieved key is genuine. With PGP, anyone can sign someone else's certificate, thus adding their attestation to the claim that some particular key is really associated with a particular person. Of course, this is an unstructured process, and a group of nasty people could easily create many fake identities that all vouch for each other. Still, it all starts with individuals creating a key pair for themselves. If they want, they can then upload the public key to Facebook even if no one has signed it.

By contrast, S/MIME keys have to be signed by a certificate authority (CA) trusted by all parties. Still, in many ways, S/MIME is a more natural choice. It's supported by vendor-supplied mailers on Windows, Macs, and iToys (though not by the standard Android mailer). Facebook is big enough that it could become a CA. They already know enough about people that they've inherently solved one of the big challenges for an online CA: how do you verify someone's claim to a particular name? At the very least, Facebook could say "this key is associated with this Facebook account". No other company can do this, not even Google.
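An added illustration of the two trust models contrasted above, written for this page (it is not Facebook's, PGP's or any library's code, and all key names are invented): a PGP-style web-of-trust validity computation in which a cluster of mutually vouching fake keys never becomes valid because no key the user trusts signed them, beside a CA-style check in which validity depends solely on chaining to a trusted root.

```python
from typing import Dict, Optional, Set

# Constructed web of trust. SIGNATURES[key] is the set of keys whose owners have
# signed that key, i.e. attested that it belongs to the named person.
SIGNATURES: Dict[str, Set[str]] = {
    "me":    set(),
    "bob":   {"me"},                # I checked Bob's fingerprint in person
    "carol": {"me"},
    "dave":  {"bob", "carol"},      # two people I partly trust vouch for Dave
    "smb":   {"bob"},               # only one marginal voucher so far
    "fake1": {"fake2", "fake3"},    # a cluster of invented identities that all
    "fake2": {"fake1", "fake3"},    # vouch for each other: plenty of signatures,
    "fake3": {"fake1", "fake2"},    # none of them from anyone I trust
}
# Owner trust I assigned to keys as introducers (PGP's "ownertrust"). The entry
# for fake1 models a mistake: it is ignored because fake1 never becomes valid.
OWNER_TRUST: Dict[str, str] = {"me": "ultimate", "bob": "marginal",
                                "carol": "marginal", "fake1": "full"}


def pgp_valid_keys(signatures, owner_trust, full_needed=1, marginal_needed=2):
    """PGP-style validity: a key is valid if it is ultimately trusted, or is signed
    by full_needed fully trusted valid keys, or by marginal_needed marginally
    trusted valid keys. Signatures from keys that are not themselves valid never
    count, which is what defeats the mutually vouching fake cluster."""
    valid = {k for k, t in owner_trust.items() if t == "ultimate"}
    changed = True
    while changed:                           # iterate to a fixpoint
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            full = sum(1 for s in signers if s in valid
                       and owner_trust.get(s) in ("full", "ultimate"))
            marginal = sum(1 for s in signers if s in valid
                           and owner_trust.get(s) == "marginal")
            if full >= full_needed or marginal >= marginal_needed:
                valid.add(key)
                changed = True
    return valid


# Constructed CA-style (S/MIME-like) data: each certificate names its issuer.
# Only trusted roots and authorised intermediates may act as issuers.
ISSUED_BY: Dict[str, Optional[str]] = {
    "trusted-root": None,           # self-signed root I have chosen to trust
    "mail-ca": "trusted-root",      # intermediate issued by the root
    "bob": "mail-ca",
    "smb": "mail-ca",
    "rogue-ca": "rogue-ca",         # self-signed, but not in my root store
    "eve": "rogue-ca",              # anything under it is invalid
}
TRUSTED_ROOTS = {"trusted-root"}
INTERMEDIATES = {"mail-ca"}


def ca_valid_keys(issued_by, trusted_roots, intermediates, max_depth=5):
    """CA-style validity: a key is valid iff following issuer links reaches a
    trusted root through authorised intermediates only. No number of peer
    signatures matters; only the chain to a root does."""
    valid = set(trusted_roots)
    for key in issued_by:
        issuer = issued_by.get(key)
        for _ in range(max_depth):           # depth bound guards against cycles
            if issuer is None:
                break
            if issuer in trusted_roots:
                valid.add(key)
                break
            if issuer not in intermediates:
                break
            issuer = issued_by.get(issuer)
    return valid


if __name__ == "__main__":
    print("PGP valid:", sorted(pgp_valid_keys(SIGNATURES, OWNER_TRUST)))
    print("CA valid: ", sorted(ca_valid_keys(ISSUED_BY, TRUSTED_ROOTS, INTERMEDIATES)))
```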

This, then, is a possible future. Facebook could become a de facto CA, for PGP and/or S/MIME. It could sign certificates linked to Facebook accounts. It could make those certificates easily available. It could develop software apps, desktop or laptop programs, what have you — that go to Facebook to obtain other people's keys. The usability issues I outlined earlier would remain, but when it comes to certificate handling Facebook has advantages that no one else has ever had. If this is the path they choose to go down, we could see a very large bump in the use of encrypted email.

Written by Steven Bellovin, Professor of Computer Science at Columbia University

Case Study: Emma Swaps Its SMTP Infrastructure for PowerMTA to Handle Growing Mail Volume


Over the years, email service provider Emma has experienced 35% annual growth in email volume from its new and existing clients. Emma's services include email automation, audience segmentation, mobile email marketing, and integration with CRM solutions, eCommerce platforms, and social networks. Emma has developed an innovative Event-Driven Architecture (EDA) that lets it roll out sophisticated messaging features — from data-driven insights to email automation — rapidly and without service interruptions. The EDA architecture gives marketers real-time insights, allowing them to personalize each customer's experience.

The Challenge

A major obstacle that drove Emma to consider PowerMTA was an expected forthcoming collision between mail volumes that had risen to 375M messages/month, and its 10-year-old, home-grown PHP-based system. The technology had reached the end of its scalability, being cumbersome to configure, and lacking deployment features and sophisticated delivery controls. Emma urgently needed a better solution to manage the growing volume, one that would include the capacity to add smarthooks at minimal cost.

Key features were either missing from the old system or difficult to use, such as retry back-offs, rate limiting, DKIM, and the ability to react proactively to SMTP reply responses. As the company grew, it would be expensive, awkward, and risky to scale the aging technology — it was clearly time for a replacement.

Solution

Emma now uses PowerMTA to manage its increasing mail volume efficiently, with a minimal investment while allowing it to scale its business exponentially, without bottlenecks or unreasonable expense.

Emma's system administrators were drawn to PowerMTA's flexible logging schematics, as well as its easy-to-configure VirtualMTA pools, ability to configure retry and total time in queue, and the ability to send large volumes of mail using modest hardware.

Emma's digital messaging volume currently averages 1.5M hourly, 12M daily, and 375M monthly, expected to double in the relative near-term, consistent with industry forecasts.

Discover PowerMTA™

Port25's flagship product, PowerMTA™, has a global footprint with more than 4,500 installations in over 51 countries.  Visit the Port25 Solutions, Inc. website for a full-featured trial evaluation copy of PowerMTA.

Rodney Joffe Wins a Well-Deserved Mary Litynski Award

Every year M3AAWG gives an award for lifetime work in fighting abuse and making the Internet a better place. Yesterday at its Dublin meeting they awarded it to Rodney Joffe, who has been quietly working for over 20 years. I can't imagine anyone who deserves it more.

Since he wasn't able to attend in person, they made a video of an informal interview in which he recounts a lot of what he's done, with a few comments from his friends.

Also see Laura Atkins' story about how Rodney got her into the anti-abuse world.

Written by John Levine, Author, Consultant & Speaker


The Cycle of E-Mail Security

Stepping back from the DMARC arguments, it occurs to me that there is a predictable cycle with every new e-mail security technology.

1. Invention and enthusiasm

Someone invents a new way to make e-mail more secure, call it SPF or DKIM or DMARC or (this month's mini-fiasco) PGP in DANE. Each scheme has a model of the way that mail works. For some subset of e-mail, the model works great, for other mail it works less great.

SPF works great for mail sent directly from the sender's server to the recipient, not for mail that is relayed or mail sent from a third party server (the usual example is newspaper send-an-article.) DKIM works great for mail sent or relayed from the sender's server, so-so for mail that is modified as it's relayed (mailing lists) or from third party servers. DMARC works great for much of the mail where SPF or DKIM works, not at all otherwise. In each case, the range of mail that each handles is a large fraction of all mail, but a large fraction is not the same as all.

2. Overselling the benefits and getting FUSSPy

The ball gets rolling, the enthusiasts see how great the scheme is, and how well it works for the mail that fits the model. Sometimes the enthusiasts are different from the inventors, and it is common for the enthusiasts not to understand the model very well. For example, DKIM is deliberately designed so that the domain in a DKIM signature need not match the From: or anything else, which provides a great deal of useful flexibility. But some enthusiasts insisted that "first party" signatures that matched the From:, or maybe the Sender:, were more legitimate than others.

The next step is to observe that if only all legitimate mail fit the model (either the real model or the enthusiasts' model) we could reject the rest and solve the spam problem, or in the case of DMARC, the phishing problem. Never mind that all mail doesn't fit any model, and no mechanical scheme will ever perfectly separate good mail from bad, the lure of a FUSSP is hard to resist.

3. Slandering mail that doesn't fit the model

Since mail that doesn't match the scheme's model is inconvenient, it must therefore also be bad. So the enthusiasts borrow derogatory terms to describe it, with "forged" being the most common. No, mailing lists do not forge mail from subscribers, and courtesy forwarders like computer.org do not forge the origin of the mail they resend.

When the enthusiasts start rejecting mail that doesn't fit the scheme's model, they lose a lot of perfectly good mail, but that of course is the fault of people sending forged mail.

Or they insist that people use clumsy workarounds like SRS which reinvented source routing (which SMTP mail ditched in the 1990s) to try and deal with limitations in SPF.

Or worse, they admit that the model has its limits, but the benefits of the scheme are so overwhelming that the collateral damage is a small cost to pay for progress and only a Luddite would object. Particularly since the cost is invariably paid by someone else.

4. A truce, if you're lucky

SPF and DKIM are pretty well understood now, and it's rare to see mail rejected due to an overstrict SPF policy. DKIM is well integrated into the mail world.

DMARC is still in the "small cost for progress" stage, but current work in the IETF DMARC working group suggests there may be hope yet.

Written by John Levine, Author, Consultant & Speaker

Case Study: MailChimp Achieves Efficient Execution and Reliability with PowerMTA

With over 5 million users, and delivering over 16 billion emails per month, MailChimp is one of the most highly regarded Email Service Providers, especially among those focused on small and medium sized businesses. In order to serve customers effectively, MailChimp required a solution that could scale cost-effectively and execute email sends reliably for its expanding user base. When a colleague requested information regarding PowerMTA™, MailChimp responded with the following:

Reliability

We utilize PowerMTA from Port25, and this is what I can say… It's reliable! The one recommendation I have is to make sure you are running on bare metal and make sure you are using plenty of RAM. We license several instances of PowerMTA delivering well over 16B emails per month. We run 18 processors with 48GB of RAM in each box. With PMTA, make sure that the maximum amount of RAM it can use is LESS than the total RAM on the OS; otherwise, you will get into situations (when volume is really high) where the queues get wonky. Also, make sure that you limit your outbound bandwidth.

Bounce Categorization

The bounce categorization engine out of the box is improving. PowerMTA currently has over 17 different "baked in" categories, and users have the ability to define custom categories based on their own sending experiences. Boogietools is an excellent resource for bounce categorization as well. But if you have time and love regex's, you can make PMTA's bounce categorization work very well. Version 4.0 of PowerMTA will have even more powerful bounce categorization features.

Injection Rates

MailChimp has hours where we send about 2.5 million emails (sometimes more). We limit how many campaigns we have going simultaneously, but we inject 100,000 payloads an hour. We allow for up to 2.5 million recipients to be going out of an MTA at one time, and on high volume days we have 10 - 12 hours where we remain over 15 million every hour. PowerMTA can take what you throw at it but you don't want to let the queues get overwhelmed. So, you need to use some logic and common sense and back off when you are reaching 65 - 70% of the MTA's total volume.

VirtualMTA™ Utilization

Port25's VirtualMTA stuff is awesome. Authentication, configuration, backoff algorithms, pause queues, force queues to clear, etc. On the dozens of MTAs we've installed, we have a bunch of IPs on each box and it pretty much manages itself. The setup is very manual but in Version 4.0, their new web interface will simplify most of this stuff. And the configuration stuff is straightforward.

Honestly, I cannot say enough good stuff about their software; it's unbelievable for the price. But what really keeps us going with these guys is their support. They always, always have an answer and they really know their stuff.

Logjam, Openssl and Email Deliverability

RHEL6/Centos6 (and presumably RHEL7/Centos7) machines with the latest openssl packages now refuse SSL connections with DH keys shorter than 768 bits. Consider RHEL6 sendmail operating as a client, sending mail out to a target server. If the target server advertises STARTTLS, sendmail will try to negotiate a secure connection. This negotiation uses openssl, which will now refuse to connect to mail servers that have 512 bit DH keys. The maillog will contain entries with "reject=403 4.7.0 TLS handshake failed".

If your mail server advertises STARTTLS, but only has a 512 bit DH key, you won't receive any email from anyone running RHEL6 or other systems with that openssl logjam fix.
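One practical first step on an affected RHEL6 relay is to find out which destination servers are failing the handshake, so their operators can be asked to move to larger DH parameters. The following Python is an added example, not code from the original post: it scans sendmail maillog lines for the "reject=403 4.7.0 TLS handshake failed" entries the post mentions and tallies them per relay host. The log lines are constructed samples in sendmail's ruleset=tls_server log style, with documentation-reserved hostnames; the regular expression and threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample lines in sendmail maillog style (not taken from the original post).
# Hostnames are documentation placeholders; the reject text is the one the post quotes.
SAMPLE_MAILLOG = """\
May 21 09:12:01 mx1 sendmail[4021]: t4LD12ab004021: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120345, relay=mail.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
May 21 09:12:03 mx1 sendmail[4022]: t4LD13cd004022: ruleset=tls_server, arg1=SOFTWARE, relay=smtp.weakdh.example, reject=403 4.7.0 TLS handshake failed.
May 21 09:13:10 mx1 sendmail[4030]: t4LD2Kef004030: ruleset=tls_server, arg1=SOFTWARE, relay=smtp.weakdh.example, reject=403 4.7.0 TLS handshake failed.
May 21 09:14:00 mx1 sendmail[4033]: t4LD3Agh004033: ruleset=tls_server, arg1=SOFTWARE, relay=mx.other.example, reject=403 4.7.0 TLS handshake failed.
"""

# Matches the relay name and the specific reject text; the relay may carry a trailing dot.
TLS_FAIL_RE = re.compile(
    r"relay=(?P<relay>[^\s,]+).*?reject=403 4\.7\.0 TLS handshake failed"
)


def tls_failures_by_relay(log_text):
    """Count 'TLS handshake failed' rejects per destination relay host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TLS_FAIL_RE.search(line)
        if m:
            counts[m.group("relay").rstrip(".")] += 1
    return counts


def relays_to_investigate(counts, min_failures=2):
    """Relays that failed at least min_failures times, sorted for stable reporting.
    A single failure can be transient; repeated ones point at a configuration problem
    such as a short DH key on the remote side."""
    return sorted(relay for relay, n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    counts = tls_failures_by_relay(SAMPLE_MAILLOG)
    for relay, n in counts.most_common():
        print(f"{relay}: {n} handshake failure(s)")
    print("investigate:", relays_to_investigate(counts))
```

A handshake can fail for reasons other than a short DH key, so the list is a starting point rather than a diagnosis; on an OpenSSL 1.0.2 or later client, `openssl s_client -starttls smtp -connect host:25` reports the negotiated ephemeral key size in its "Server Temp Key" line, which confirms whether the remote side is still below the 768-bit floor. The fix belongs on the receiving server, which should generate DH parameters of at least 2048 bits.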

Read more details in the OpenSSL Blog on this issue.

Written by Carl Byington

Case Study: How PowerMTA Transparent Deliverability Metrics Paves Way for Email Service Provider

Communicator Corporation is an ESP with a different approach to email delivery. Unlike other ESPs, they allow each client to take ownership of their deliverability, which helps clients understand and appreciate that delivery is not just something for which their ESP is responsible. Rather, delivery is a result of proper data hygiene and depends upon how and where the data is collected and segmented. We talk about data hygiene with clients regularly. Poor data hygiene is the number one reason that legitimate, permission based marketing ends up in the junk folder. That said, the quality and the relevancy of an email campaign correlates directly with stellar deliverability and, ultimately, the responsiveness of the list itself.

Communicator Corporation's decision to install PowerMTA not only allowed greater flexibility and control of outbound mail queues, but also the capacity to manage inbound streams, bounce processing, and secure email relaying for transactional pattern streams. PowerMTA's ability to identify delivery issues in real-time by alerting senders and showing the source of the problem helped the decision making process.

Challenges

Before Communicator Corporation began using PowerMTA, they lacked sufficient information to optimize delivery. They had little visibility into what was being delivered, and more importantly, lacked insight into what was not happening and why. Deliverability could not be granularly measured, which has become a significant metric for marketing professionals.

Additionally, the ability to scale was a problem. Mail servers choked or bottlenecked when queues became too large. As these inefficiencies mushroomed, they created a workflow challenge. When you are sending 1.2M messages per hour, per server, having any sort of downtime diminishes productivity and rattles customer confidence. Purchasing additional servers to handle increased volume was not the answer. Communicator Corporation needed sophisticated software that would easily scale, reduce the number of servers being used, and manage increased volume more easily and efficiently.

Without the benefits of a commercial MTA, Communicator Corporation had resorted to managing all email queues without the ability to prioritize them. For example, a large email campaign could not be prioritized against "five" small test campaigns, which meant the test campaigns had the same priority as the marketing message. With PowerMTA's queue prioritization, this is not a problem. The feature allows both prioritization of queues (like test emails vs. marketing campaigns) and granular measurement.

Actions

Purchasing PowerMTA was a conscious business decision with many competitive advantages. Besides scalability and performance, for which PowerMTA is universally renowned, it provided deliverability insight and intelligence to asynchronous queue management, as well as the ability to customize and recalibrate the configuration for optimal sending patterns or business requirements.

Rather than requiring businesses to shift requirements and resources to fit the MTA capabilities, PowerMTA revolves around current and future business requirements.

A Customer's Point of View

Steve Henderson of Communicator Corporation had this praise for PowerMTA and the effect it has had on his company:

"We provide our clients with the information, the expertise, the support and the technology to help clients reach and maintain the highest delivery rates possible. And to do that, we rely on PowerMTA. The Communicator Intelligent Delivery Solution (IDS) uses hundreds of IP addresses across different IP ranges, automatically responding to ISP/IEP policy changes, based on sending rates of statistical analysis or previous campaigns, protecting and/or preserving delivery reputation, while at the same time allowing for the quickest inbox placement rates possible.

The Communicator Response Engine shows which mailing lists are generating a good or bad reputation and why — which segments of the data are more responsive than others and why. All of this relies on the sophistication and agility of PowerMTA. PowerMTA is integrated into our unique delivery-focused approach to email messaging. PowerMTA allows the delivery team to respond to delivery issues in real-time, provides our clients with the qualitative and quantitative information they need to make better business decisions and provides Communicator Corporation the power and flexibility to keep our promise of delivery beyond expectation."

Port25 Announces Next Major Release of Its Email Delivery Solution, PowerMTA

Port25, A Message Systems Company, is excited to announce the next major iteration of its leading email delivery solution, PowerMTA, which will be ready for general audiences late this month.

Port25's PowerMTA software has led the industry over the years both in innovation and performance, with unmatched scalability combined with many advanced features not seen in other outbound focused email solutions. Port25 separates itself further from the competition with the release of PowerMTA v4.5, and one of the noteworthy options in this release is Scheduled Delivery Control™.

Scheduled Delivery Control™

PowerMTA v4.5's unique Scheduled Delivery Control™ allows for scheduled, time based delivery for campaigns and even for individual mailings, by dynamically controlling the processing of messages based on the sender's predefined time windows. Pushing this intelligence from the CRM solution to PowerMTA is the only way to ensure true time schedule adherence, since email servers and other delivery solutions will generally attempt delivery as soon as messages are submitted. For very large, time sensitive mailings, it allows senders to create and submit the full campaign hours or even days in advance, to be released on a certain day and time in the future to help ensure maximum reach and results within a desired time frame. Numerous start and stop time windows can be defined for a single message.

Recipient engagement is now a critical component in maximizing delivery to large inbox providers, and only PowerMTA's Scheduled Delivery Control™ allows senders to truly take advantage of time based engagement metrics in order to maximize both delivery rates and overall campaign results. Have PowerMTA send the message at the time that your data shows is the most likely time frame the recipient will open, read, and act on the message. Scheduled Delivery Control™ is also needed to ensure adherence to strict time based policies imposed by some of the international gateway providers, as well.

PowerMTA Enterprise

PowerMTA Enterprise includes new, advanced performance based algorithms and optimizations to help Email Service Providers and cloud relay providers realize maximum return on recent high end hardware investments. Modern hardware today is far superior to what was available only 2 years ago, and this, combined with ever increasing workloads, has senders demanding more from their applications. The optimizations in PowerMTA Enterprise Plus maximize hardware ROI, making it the best email delivery solution on the market to handle the huge workloads of this very demanding group of senders. An official release will be available on CircleID later this month.

Other Noteworthy Enhancements in v4.5

• Custom retry intervals
• IP based rate limiting
• Multiple DKIM signing support
• Backoff reason insight
• TLS handshake performance optimization

Case Study: Emergency Response Systems Rely on Timely Messaging Through PowerMTA

Boasting delivery rates of over 5MM messages per hour, eAlert from MIS Sciences is the United States' leading emergency alert notification system. An extremely reliable and flexible system was key for handling the delivery of several million high-priority messages each day.

About MIS Sciences Corporation's eAlert Service

eAlert is the leading notification service for organizations ranging from transportation agencies and small community groups to the largest corporations and government agencies. For over 10 years, eAlert has provided notification services to the transportation industry; federal, state, and local governments; schools and universities; homeowners associations; the health care industry; and others.

eAlert delivers to SMS devices, PDAs, cell phones, pagers, email accounts, fax machines, and other devices at the rate of over 5,000,000 messages per hour.

eAlert's clients include the US Department of Homeland Security, the US Department of Defense, transit agencies, and several 911 emergency operations centers. These clients have diverse and complex sending characteristics with regards to prioritizing message delivery through various devices and configuring IPs.

The Solution

As the chief crisis management solution nationwide, it is essential that eAlert utilizes a delivery system with maximum reliability, delivery performance, and reporting features to meet its clients' demands and provide time-sensitive alerts and messages to each type of audience and device. PowerMTA was the only SMTP server software flexible enough to supply these necessary features and easily integrate into eAlert's current system without interruption. On integration with PowerMTA, Jeff Willis, a VP at MIS Sciences, said, "PowerMTA was ready to run 'out of the box.' The ease of configuring a VirtualMTA for each client and their unique attributes made deployment very simple."

Challenges

Disaster management planning requires quick and efficient transmission of important information. These transmissions are detailed and must be well coordinated; the ability to relay critical information and instructions to multi-jurisdictional and multi-disciplinary agencies is paramount. Therefore, as a high-priority immediate notification system used by emergency and government agencies, eAlert had two decisive challenges to surmount. eAlert required the ability to satisfy each client's exclusive sending patterns and policy based requirements with "one" comprehensive delivery solution. Given the urgent nature and high volume of these notifications, the solution also had to be a remarkably stable one, with the ability to analyze and report on each individual campaign's performance based on deliverability.

Actions

It was obvious to MIS Sciences Corporation that PowerMTA was the most innovative delivery software that had the malleability and functionality necessary to perform the tasks required for their eAlert service. With PowerMTA's APIs and merge capabilities, the company now serves clients such as the New York Metropolitan Transit Agency with confidence. Using PowerMTA's VirtualMTA dashboard, eAlert successfully delivers time-sensitive alerts to 1,000,000 plus subscribers. Additionally, it can process multiple other email streams simultaneously. MIS Sciences Corporation required a solution to process over 5MM email messages hourly, given its diverse range of end-user devices. Furthermore, the powerful reporting provided eAlert's clients with all the delivery performance metrics required.

Additionally, PowerMTA possesses the robust email authentication tools eAlert requires to mitigate "bounces." Sometimes the alert is rejected because it is being sent to an invalid email address. However, many advanced anti-spam filtering policies will cause a message to be returned because the ISP requires authentication and/or a whitelisted server. A pioneer of email authentication, PowerMTA overcame this challenge through its DKIM verification tool, which allows eAlert to auto-generate a unique public and private key for outgoing messages, thus increasing the ISP's natural inclination to steer these alerts to a user's inbox, rather than rejecting or returning them.

Group Working on Securing Email Using DNS

A group of researchers from the US government and dot-com operator VeriSign are working on a new system for secure email: using domain names. Highlighting the problems and security holes associated with current mail systems, the team from the National Institute of Standards and Technology (NIST), a subset of the US Department of Commerce, argues that by using a new set of security protocols built around the domain name system, it is possible to provide a much higher level of security in electronic messages.

Read full story: The Register


New Feature in PowerMTA v4.5: IP Based Rate Limiting

One of the noteworthy features in PowerMTA's new v4.5 release is IP based Rate Limiting. The feature, enabled via the new per domain "source-ip-max-msg-rate" directive, is designed to give delivery engineers/admins additional control. IP based rate-limiting allows for throttling the number of attempted recipients on a per-hour, per-minute and per-second basis separately for each IP address for each domain/VirtualMTA. This feature will be primarily used by senders that define multiple IPs in a single VirtualMTA and that want to limit the attempted delivery rate for each IP address in the VirtualMTA to the respective domains.

In addition, IP connection rate limits can now also be controlled via the "source-ip-max-connect-rate" directive, which allows one to specify the maximum number of connections to be attempted during the specified time period per IP per domain/vmta.
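To make the semantics of a per-source-IP, per-domain limit concrete, here is an added Python model of the throttle the two directives above describe. It is not PowerMTA code and does not use PowerMTA's configuration syntax; the sliding-window behaviour, the class and function names, and the limits used are my assumptions, chosen only to show why each IP in a VirtualMTA needs its own counter per destination domain. Timestamps are assumed to arrive in non-decreasing order.

```python
from collections import defaultdict, deque


class SourceIpRateLimiter:
    """Throttle attempted recipients separately for each (source IP, destination domain).

    limits maps a window name ('second', 'minute', 'hour') to the maximum number of
    attempts allowed inside that window. This is a sliding-window model written for
    illustration; it is an assumption, not a description of PowerMTA's internals.
    """

    WINDOWS = {"second": 1.0, "minute": 60.0, "hour": 3600.0}

    def __init__(self, limits):
        unknown = set(limits) - set(self.WINDOWS)
        if unknown:
            raise ValueError("unknown window(s): %s" % sorted(unknown))
        self.limits = dict(limits)
        # (source_ip, domain) -> timestamps of accepted attempts, oldest first
        self.history = defaultdict(deque)

    def _prune(self, dq, now):
        """Drop timestamps older than the longest configured window."""
        horizon = now - max(self.WINDOWS[w] for w in self.limits)
        while dq and dq[0] <= horizon:
            dq.popleft()

    def allow(self, source_ip, domain, now):
        """Return True and record the attempt if every window still has room."""
        dq = self.history[(source_ip, domain)]
        self._prune(dq, now)
        for window, limit in self.limits.items():
            span = self.WINDOWS[window]
            recent = sum(1 for t in dq if t > now - span)
            if recent >= limit:
                return False
        dq.append(now)
        return True


def run_burst(limiter, source_ip, domain, timestamps):
    """Feed a burst of attempt times through the limiter; returns one bool per attempt."""
    return [limiter.allow(source_ip, domain, t) for t in timestamps]


if __name__ == "__main__":
    # Constructed scenario: one VirtualMTA with two IPs, both sending to example.com.
    limiter = SourceIpRateLimiter({"second": 2, "minute": 5})
    times = [0.0, 0.1, 0.2, 1.5, 1.6, 2.5, 3.5, 4.5]
    print("192.0.2.1 ->", run_burst(limiter, "192.0.2.1", "example.com", times))
    print("192.0.2.2 ->", run_burst(limiter, "192.0.2.2", "example.com", times))
```

Because the key is the (IP, domain) pair, a second IP in the same VirtualMTA gets a full allowance of its own, and a single IP's allowance to one domain is not consumed by its traffic to another; a per-VirtualMTA counter alone would give neither property.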

Backoff Insight

In previous versions of PowerMTA the only way to know why a queue entered backoff mode was to check the log file or to set up the backoff-notify directive. Now PowerMTA will show the "error" that caused the queue to go into backoff mode in the individual queues of the web monitor as well as in these commands:

pmta show queues domain/vmta
pmta show topqueues domain/vmta

IP based rate-limiting and Backoff Insight are just two features of the latest release of PowerMTA v4.5, which is available now for download.

IP Monitoring Service

If you receive an alert from your IP based monitoring service, such as excessive bounces or complaints, one of the most critical elements to preserving your IP reputation is the ability to quickly throttle at the source IP. The best tool I've seen was recently launched by Postmastery. They offer IP reputation monitoring based off of SNDS Status and Sender Score. They also cross-reference your IP to a database of blacklists. You'll receive real-time notifications via email based off of any decreases in any of the metrics above. Notifications are sent on an "as needed" basis: you're notified at the beginning of a potentially forming IP reputation issue. So, if there's any decrease in IP reputation or a high number of complaints, you'll know about it very quickly. There's also a weekly email with a summary of all IPs being monitored and their current rep/status. Postmastery also has the ability to use SNDS API keys to aggregate data from that as well, showing complaints from SNDS domains. Contact Maarten Oelering at www.postmastery.com.

What's New With Port25's PowerMTA v4.5

PowerMTA from Port25 is an industrial-strength software for high-volume email delivery. Designed for performance, deliverability and manageability, PowerMTA is able to consistently deliver millions of emails per hour. With its extensive configuration capabilities and VirtualMTA technology it provides granular control of sources, sending IPs, and domain policies.

Port25 recently introduced PowerMTA v4.5 as a major new release of PowerMTA. It now includes a wide variety of new advanced features and functionalities that allow for greater flexibility and delivery control to help maximize overall performance and deliverability.

PowerMTA Management Console (PMC) v1.5 is also now available with support for all new PowerMTA v4.5 features.  Other new features in the PMC include: IP based reporting, saved reports, configurable session timeouts, and advanced reporting filters including sets and regular expressions.

Key features included in the release:

  • Scheduled Delivery Control – PowerMTA now supports the ability to schedule deliveries via a header. This may be very useful for instances when it takes a long time to build a campaign, or if you need to adhere to strict delivery windows.
  • Precached domains support – To help optimize DNS usage during peak sending times, PowerMTA now offers the ability to precache predefined domain names to ensure the DNS name is always available.
  • IP Rate Limiting – IP rate limiting allows for controlling the number of attempted recipients on a per-hour, per-minute and per-second basis for each IP address for each domain/VirtualMTA. This is primarily used by sites that define multiple IPs in a single VirtualMTA, and that want to limit the attempted delivery rate for each IP address in the VirtualMTA to the respective domains. One can also specify the maximum number of connections to be opened for this domain during the specified time period per IP per domain/vmta.
  • Auto Cold VirtualMTA Rate Increase – PowerMTA now supports the ability to auto-increase cold VirtualMTA mail volumes with a list of daily limits. This makes it very easy to have a set it and forget it configuration for warming new IP addresses.
  • Address Suppression Lists – Addresses in the suppression list are rejected (or turned into bounces, depending on options) during submission. This is very useful for sites that do not have complete control of the list to which they are mailing.

Other Noteworthy Enhancements in PowerMTA v4.5:

  • Custom retry intervals
  • Enhanced job control (pause & resume)
  • Recipient events listing
  • Second DKIM signing support
  • Backoff reason insight
  • Time interval for bounce-upon-no-mx
  • Defer-queue option in SMTP pattern list
  • Disabling of accounting records per queue
  • Domain definitions in virtual-mta-pools
  • Reverse DNS check support on inbound connections
  • TLS information in accounting file fields
  • Pattern matching support on non-ASCII headers
  • Added inbound AUTH username to accounting field
  • Change recipient priority on-the-fly

What's ARC?

DMARC is an anti-phishing technique that AOL and Yahoo repurposed last year to help them deal with the consequences of spam to (and apparently from) addresses in stolen address books. Since DMARC cannot tell mail sent through complex paths like mailing lists from phishes, this had the unfortunate side effect of screwing up nearly every discussion list on the planet.

Last week the DMARC group published a proposal called ARC, for Authenticated Received Chain, that is intended to mitigate the damage. What is it, and how likely is it to work?

When the DMARC list problems started last year, a frequently proposed workaround was for receivers to whitelist mail from known lists. Large mail providers already have a pretty good idea of where the lists are, so this would be relatively simple to do. Smaller systems might combine their data into shared whitelists. But this whitelisting didn't happen, for reasons discussed below.

Mailing list messages typically take one of these paths:

sender.com → list.org → recipient
sender.com → list.org → forwarder.edu → recipient

The list is a mailing list run by something like Mailman or Sympa. When there's an extra forwarder, that's generally a permanent address provided by an alumni association or professional society. (For example, I'm uucp@computer.org.)

The sender adds a DKIM signature which the list can verify. Then the list does what lists do, such as adding subject tags or message footers, adds its own DKIM signature, and sends it along. At this point, the original DKIM signature is often no longer valid due to the message changes, but the list's signature is valid. If there's another forwarder, it adds its own signature and may or may not make changes that invalidate the list's signature.

The original plan with DKIM was that the recipient would look at the signatures, see that the list's signature was valid, look in its reputation database and see that the list sends generally desirable mail, and deliver the message.

People at large mail systems told me that it's surprisingly common for a mailing list to send nice clean mail for a while, then start spewing spam when a subscriber is compromised, or bad guys pretend to be a subscriber. ARC helps deal with this last situation.

ARC adds more DKIM-like signatures that give the recipient an idea of where the message actually came from. Before ARC, the DKIM signatures on the message would be something like this:

DKIM-Signature: ... d=list.org ...
... other stuff ...
DKIM-Signature: ... d=sender.com ...
From: bob@sender.com
... rest of the message ...

Each signature is added at the top of the message so they appear from most to least recently added.

But by the time the message arrives at the recipient, the d=sender signature is no longer good, and the recipient can't tell whether it was good when it arrived at the list. ARC is intended to fix that:

ARC-Seal: i=1; d=list.org; ...
ARC-Message-Signature: ... d=list.org ...
ARC-Authentication-Results: list.org; dkim=pass header.i=@sender.com; dmarc=pass
DKIM-Signature: ... d=list.org ...
... other stuff ...
DKIM-Signature: ... d=sender.com ...
From: bob@sender.com
... rest of the message ...

The ARC-Seal is a simplified DKIM signature that signs the ARC-Message-Signature and the ARC-Authentication-Results, so the recipient can see they're all good (or bad) as a group. If the message went through multiple forwarders, each one adds its own ARC- header group with ARC-Seals with i=2, i=3, and so forth. Since nothing should change the ARC- headers, all of the ARC-Seal signatures should be valid when the message is finally received, and reading from the top of the message the i= numbers in the seals should be in reverse order down to i=1 for the oldest one. (If not, the message is probably not what it purports to be.)

The ARC-Message-Signature is a modified DKIM signature that covers a fixed set of headers (Message-ID, Date, From, To, Subject) and the message body. The most recent ARC-Message-Signature should be valid, previous ones may or may not be if forwarders have changed the message.

The ARC-Authentication-Results header is a copy of the standard Authentication-Results header (see RFC 5451) which among other things says which DKIM signatures were valid and whether the message passed DMARC validation. Again, if the message is forwarded several times, there will be several of these.

So when a recipient gets a message from a mailing list or other forwarder, and sees ARC-Seal and ARC-Message-Signature headers with valid signatures, it can make some reasonable assumptions. The ARC-Authentication-Results header shows whether the message originally passed DMARC validation. If it did, and the list has a good reputation, it's likely a real message from the putative sender, and it's safe to skip recipient DMARC checks. If the original message didn't pass DMARC, and its domain asserts a DMARC policy of quarantine or reject, it's more likely that the incoming message was a fake and so the recipient system might reject it or put it in the spam folder.

If a message has multiple groups of ARC- signatures the recipient can check that the ARC-Seals are all valid, and look at the seals and ARC-Authentication-Results to see whether the message originally passed DMARC.

A malicious forwarder could of course put in fake authentication results, so ARC is only useful for forwarders with good reputations. This puts us more or less back where we started, whitelisting mail from known lists, but with a tweak that gives recipients a better idea whether the original message actually came from its putative source.
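To make the chain-walk described above concrete, here is a small Python checker added for this article (it is not John Levine's code, nor any real ARC implementation). It parses the ARC-Seal / ARC-Message-Signature / ARC-Authentication-Results groups of a constructed two-hop message, checks that the i= numbers read N down to 1 from the top, that each group is complete and comes from a forwarder on a trust list, and that each seal still covers its group, then applies the delivery rule of thumb above using the dmarc= result recorded in the oldest group. The seal here is a keyed hash over the group's AMS and AAR values standing in for the real RSA signature (a real verifier fetches the d= domain's key from DNS, and per RFC 8617 a seal also covers the earlier ARC sets); the i= tag on ARC-Authentication-Results, the domain names, keys and header values are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secrets standing in for each forwarder's signing key. A real
# ARC-Seal carries an RSA signature checked against the d= domain's DNS record.
FORWARDER_KEYS = {"list.org": b"list-org-demo-key", "relay.example": b"relay-demo-key"}
TRUSTED_FORWARDERS = {"list.org", "relay.example"}   # forwarders we are willing to believe

def parse_tags(value):
    """Turn 'i=1; d=list.org; cv=none' into {'i': '1', 'd': 'list.org', 'cv': 'none'}."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def parse_headers(raw):
    """Header (name, value) pairs in on-the-wire order, top of message first."""
    headers = []
    for line in raw.split("\n"):
        if line == "":                      # blank line ends the header block
            break
        if line[0] in " \t" and headers:    # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip(), val.strip()))
    return headers

def make_seal(domain, ams, aar):
    """Stand-in seal: a MAC over the AMS and AAR values the seal is meant to cover."""
    return hmac.new(FORWARDER_KEYS[domain], (ams + "\n" + aar).encode(), hashlib.sha256).hexdigest()

def _result(status, original_dmarc, reason):
    return {"status": status, "original_dmarc": original_dmarc, "reason": reason}

def evaluate_arc(raw_message):
    """Check chain structure and seals; report the DMARC result recorded at the first hop."""
    kinds = {"arc-seal": "seal", "arc-message-signature": "ams", "arc-authentication-results": "aar"}
    sets, seal_order = {}, []
    for name, val in parse_headers(raw_message):
        kind = kinds.get(name.lower())
        if kind is None:
            continue
        tags = parse_tags(val)
        i = int(tags["i"]) if tags.get("i", "").isdigit() else 0   # 0 = malformed, fails below
        sets.setdefault(i, {})[kind] = (val, tags)
        if kind == "seal":
            seal_order.append(i)
    if not sets:
        return _result("none", None, "no ARC headers present")
    n = len(sets)
    # Newest forwarder on top: seals must read n, n-1, ..., 1 with no gaps or duplicates.
    if seal_order != list(range(n, 0, -1)) or sorted(sets) != list(range(1, n + 1)):
        return _result("fail", None, f"ARC-Seal instances out of order or missing: {seal_order}")
    for i in range(1, n + 1):
        entry = sets[i]
        if set(entry) != {"seal", "ams", "aar"}:
            return _result("fail", None, f"incomplete ARC set for i={i}")
        seal_tags = entry["seal"][1]
        domain = seal_tags.get("d", "")
        if domain not in TRUSTED_FORWARDERS:
            return _result("fail", None, f"untrusted forwarder {domain!r} at i={i}")
        expected = make_seal(domain, entry["ams"][0], entry["aar"][0])
        if not hmac.compare_digest(expected, seal_tags.get("b", "")):
            return _result("fail", None, f"ARC-Seal for i={i} ({domain}) does not verify")
    # The i=1 set records what the first forwarder saw when the mail arrived there.
    original = parse_tags(sets[1]["aar"][0]).get("dmarc")
    return _result("pass", original, f"{n} valid ARC set(s) from trusted forwarders")

def delivery_decision(arc, sender_dmarc_policy):
    """The article's rule of thumb once the chain has been checked."""
    if arc["status"] != "pass":
        return "apply-local-dmarc"   # no usable chain: run our own DMARC evaluation
    if arc["original_dmarc"] == "pass":
        return "deliver"             # authenticated at the first hop; skip local DMARC
    if sender_dmarc_policy in ("quarantine", "reject"):
        return "spam-folder"         # failed at the first hop under a strict policy
    return "apply-local-dmarc"

def build_sample(variant="clean"):
    """Constructed two-hop message: sender.com -> list.org -> relay.example -> us."""
    ams1 = "i=1; a=rsa-sha256; d=list.org; s=arc; h=message-id:date:from:to:subject; b=AMS1DEMO"
    aar1 = "i=1; list.org; dkim=pass header.i=@sender.com; dmarc=pass"
    seal1 = f"i=1; cv=none; d=list.org; b={make_seal('list.org', ams1, aar1)}"
    ams2 = "i=2; a=rsa-sha256; d=relay.example; s=arc; h=message-id:date:from:to:subject; b=AMS2DEMO"
    aar2 = "i=2; relay.example; arc=pass; dkim=fail header.i=@sender.com; dmarc=fail"
    seal2 = f"i=2; cv=pass; d=relay.example; b={make_seal('relay.example', ams2, aar2)}"
    if variant == "tampered":        # AAR edited after sealing, so seal 1 no longer verifies
        aar1 = aar1.replace("dmarc=pass", "dmarc=fail")
    hop1 = f"ARC-Seal: {seal1}\nARC-Message-Signature: {ams1}\nARC-Authentication-Results: {aar1}\n"
    hop2 = f"ARC-Seal: {seal2}\nARC-Message-Signature: {ams2}\nARC-Authentication-Results: {aar2}\n"
    arc_block = hop1 + hop2 if variant == "reordered" else hop2 + hop1
    return (arc_block + "DKIM-Signature: v=1; d=list.org; s=lists; b=LISTSIGDEMO\n"
            "DKIM-Signature: v=1; d=sender.com; s=mail; b=SENDERSIGDEMO\n"
            "From: bob@sender.com\nTo: list@list.org\nSubject: constructed sample\n"
            "Message-ID: <demo@sender.com>\n\nHello list\n")
```

Running `evaluate_arc(build_sample(v))` for the three variants gives `pass` for the clean message (and `delivery_decision` says deliver, even though the second hop recorded dmarc=fail, because the first hop saw it pass), `fail` for the message whose oldest ARC-Authentication-Results was edited after sealing, and `fail` for the one whose ARC groups appear in the wrong order. The trust list is doing the real work: a chain from a forwarder you do not trust is treated as no chain at all, which is exactly the "back to whitelisting" point made above.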

This is intended to plug the hole in which lists pass along mail from bad guys faking list member addresses. People at large mail systems have told me this should let them deliver list mail despite DMARC problems. I certainly hope so, and will report back as we find out.

Written by John Levine, Author, Consultant & Speaker

Five Essential PowerMTA Configuration Tips


When asked what the best configurations to use with PowerMTA are, the answer is different for every region of the world. Configuration settings in the US will be vastly different from those in Europe, for example, so global settings are not as effective. In this blog post we'll look at five essential PowerMTA configuration tips that will help make your sending infrastructure more efficient and reduce I/O clutter.

1. Utilize source directives to make sure your email headers are correct

ESPs and many high-volume senders send email on behalf of other organizations and often feel they do not have full control over the email headers. This is not the case, and if best practices are not followed, email will almost inherently end up being routed to the junk folder. With PowerMTA™, you can add missing Date or Message-ID headers. You can also hide internal sources in the Received header, or disable adding the Received header altogether; the latter is often used to make it look as if the email originated from the sender's public IP. You also have granular rate-limiting control on both a source-IP and a sending-IP basis, as a result of an update last year.

2. Keeping a clean configuration by using parameter inheritance more wisely

For manageability of configurations, it is important to keep them DRY. DRY stands for Don't Repeat Yourself, an acronym used by software developers. For example, PowerMTA™ merges the settings from all matching sources, top to bottom, so you can often move common settings to the source that matches 0/0 (except for always-allow-relaying, of course, which should only be enabled for specific sources). By removing settings with obvious default values, you can further reduce redundant configuration.

With domain directives, all matching domain entries are merged, giving preference to more specific entries, regardless of the order in the configuration. By using sensible default settings for the wildcard domain, you can reduce the configuration to only a few exceptions. For example, the following settings string reduces the need to set limits on "many" specific domains:

  • max-smtp-out 2 # enough for small domains, increase for common domains
  • max-msg-per-connection 100 # most ISPs accept 100 emails per session
  • max-errors-per-connection 10 # avoid disconnect due to long sequence of invalid recipients

3. Don't waste resources on invalid email domains

If the local part of an email address does not exist, you'll usually get an error message from the ISP. However, if the domain is not valid, you might run into repetitive errors such as failed DNS lookup, non-responsive servers, or servers that refuse to relay from a particular domain.

PowerMTA™ should be configured not to waste resources on these domains, and to focus delivery resources on valid domains. For example, use a rather low max-smtp-out for default domains, and increase this for important valid domains. A setting of 20 is enough to send millions per hour, and completely over the top for many domains. Furthermore, you can instruct PowerMTA to bounce email if an MX record is missing. Invalid domains caused by typos often have an "A" record without a proper mail server, causing these domains to languish in the queue until they time out. You can also use a domain macro combined with black-holing to drop mail for known discontinued domains or domains with anonymous disposable accounts. In any event, the goal is to keep the configuration "lean" for invalid or less important domains.

4. Apply settings based on your own data and experience

We've talked about this before, but I'd like to reiterate here. PowerMTA™ has a long list of configuration directives that you can use straight out of the box. Directly copying settings from other sources or matching configurations from another sender environment is not useful, since you might end up with redundant configurations, or even applying settings that are not applicable in your sending environment. The best approach is to keep it as simple as possible, and add settings that you understand, and that are appropriate in your "own" environment.

Senders in the US require a different configuration than senders in Europe. Furthermore, the settings often depend on the volume, the type of the emails and the reputation of the IPs. You can use data from PowerMTA's accounting files to determine which domains are the most important in your case. By looking at the bounce reports, you can determine, for example, which errors should trigger the back-off mode.

5. Log transient errors to monitor throttling by ISPs

The PowerMTA accounting logs are often used to record deliveries or bounces. But by enabling logging of transient errors, you can get a wealth of information about the delivery, and how to optimize it. Large webmail providers, but also smaller ISPs, have limits on the number of messages they accept from a certain IP. When the limit is reached, they return a temporary error, which can be logged by PowerMTA. This information can be used to adjust the volume for IP seasoning (warm-up) or maximum rate of sending, or tune the configuration of the back-off mode.
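Tips 4 and 5 both come down to reading your own accounting data, so here is an added Python example (mine, not Port25's or Postmastery's code) that does both over a constructed accounting extract: it ranks recipient domains by volume, flags (domain, source IP) pairs whose transient 4xx responses look like throttling, and computes each domain's share of transient errors. The column names follow the conventions of PowerMTA accounting files, but the actual set of columns depends on your acct-file configuration, so treat the header row, the timestamps, the IPs and the diagnostic strings as constructed assumptions rather than real log data.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample accounting data. The column names follow the conventions used
# in PowerMTA accounting files (type d=delivery, b=bounce, t=transient error), but
# the real column set depends on how the acct-file is configured, so this layout is
# an assumption. Diagnostic strings are invented, not quotes from any real ISP.
SAMPLE_ACCT = """type,timeLogged,rcpt,dsnStatus,dsnDiag,dlvSourceIp,vmta
d,2015-06-01 10:00:01+0000,a@example-isp.test,2.0.0,smtp;250 2.0.0 OK,192.0.2.10,pool1-a
d,2015-06-01 10:00:02+0000,b@example-isp.test,2.0.0,smtp;250 2.0.0 OK,192.0.2.10,pool1-a
t,2015-06-01 10:00:03+0000,c@example-isp.test,4.7.0,smtp;421 4.7.0 too many messages from this IP; try later,192.0.2.10,pool1-a
t,2015-06-01 10:00:04+0000,d@example-isp.test,4.7.0,smtp;421 4.7.0 too many messages from this IP; try later,192.0.2.10,pool1-a
t,2015-06-01 10:00:05+0000,e@example-isp.test,4.7.0,smtp;421 4.7.0 too many messages from this IP; try later,192.0.2.10,pool1-a
d,2015-06-01 10:00:06+0000,f@example-isp.test,2.0.0,smtp;250 2.0.0 OK,192.0.2.11,pool1-b
t,2015-06-01 10:00:07+0000,g@other-mail.test,4.4.1,smtp;connection timed out,192.0.2.11,pool1-b
d,2015-06-01 10:00:08+0000,h@other-mail.test,2.0.0,smtp;250 2.0.0 OK,192.0.2.11,pool1-b
b,2015-06-01 10:00:09+0000,i@nosuch-domain.test,5.1.2,smtp;550 5.1.2 domain has no MX record,192.0.2.11,pool1-b
d,2015-06-01 10:00:10+0000,j@small-biz.test,2.0.0,smtp;250 2.0.0 OK,192.0.2.11,pool1-b
"""

# Phrases that typically accompany a rate-limit response; tune to what your own logs show.
THROTTLE_HINTS = re.compile(r"too many|rate ?limit|try (again )?later|throttl|\b4\.7\.0\b", re.I)

def load_records(text):
    """Parse accounting CSV text (header row first) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def recipient_domain(addr):
    return addr.rpartition("@")[2].lower()

def top_domains(records, n=3):
    """Tip 4: the recipient domains that carry most of your volume, any record type."""
    return Counter(recipient_domain(r["rcpt"]) for r in records).most_common(n)

def throttle_report(records, min_events=2):
    """Tip 5: transient 4xx responses that read like throttling, grouped by
    (recipient domain, source IP); pairs below min_events are dropped as noise."""
    hits, example = Counter(), {}
    for r in records:
        if r["type"] != "t" or not r["dsnStatus"].startswith("4."):
            continue
        if THROTTLE_HINTS.search(r["dsnDiag"]):
            key = (recipient_domain(r["rcpt"]), r["dlvSourceIp"])
            hits[key] += 1
            example.setdefault(key, r["dsnDiag"])   # keep one diagnostic for the report
    return {k: {"count": c, "example": example[k]} for k, c in hits.items() if c >= min_events}

def transient_share(records):
    """Per recipient domain: transient errors as a share of deliveries + transients."""
    delivered, transient = Counter(), Counter()
    for r in records:
        dom = recipient_domain(r["rcpt"])
        if r["type"] == "d":
            delivered[dom] += 1
        elif r["type"] == "t":
            transient[dom] += 1
    return {dom: round(transient[dom] / (delivered[dom] + transient[dom]), 2)
            for dom in set(delivered) | set(transient)}

if __name__ == "__main__":
    recs = load_records(SAMPLE_ACCT)
    print("top domains:", top_domains(recs))
    print("throttling:", throttle_report(recs))
    print("transient share:", transient_share(recs))
```

On the sample data the report singles out one pair, example-isp.test from 192.0.2.10 with three throttle-like 421 responses, while the single timeout to other-mail.test is left out as noise and the 5xx bounce for the domain without an MX never enters the picture. In practice you would feed the report back into the per-domain max-smtp-out or back-off settings for that pair, and use the volume ranking to decide which domains deserve their own tuned entries instead of the wildcard defaults.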

For more comprehensive information on configuration settings, join our forum and don't hesitate to ask detailed questions about your settings and more specifically about your sending environment.

This blog post was inspired by email delivery consultant and PowerMTA advocate Mr. Maarten Oelering of Postmastery, based in the Netherlands.

Discover PowerMTA™
Port25's flagship product, PowerMTA™, has a global footprint with more than 4,500 installations in over 51 countries.  Visit the Port25 Solutions, Inc. website for a full-featured trial evaluation copy of PowerMTA.

An Open Source Perspective on Commercial MTAs


Email Infrastructure: Open Source vs. Commercial MTAs – Port25 white paper addressing a number of frequently asked questions on the core differences between open source Mail Transfer Agents (MTAs) and commercial MTAs.

It's always refreshing to obtain a different perspective, especially from the open-source community regarding email sending infrastructure. For those who are currently utilizing an open-source product, we thought this feedback from one of our constituents would be valuable for decision makers.

In feedback on our Open Source vs. Commercial MTA white paper, Matt Sergeant, an advocate of open source sending software, provided his own viewpoints on the tangible differences between open source and commercial MTA software. Based on these perspectives we updated the white paper to give readers and decision makers a more objective account of why commercial MTAs are such a critical investment for enterprise-level sending environments. Below is Matt's perspective:

Things commercial MTAs offer that (most) open source MTAs don't:

  • Cluster support
  • Monitoring (including cluster monitoring)
  • Sophisticated Bounce Management
  • Per recipient domain settings
  • VirtualMTA Technology
  • Email Encryption
  • Scheduled Delivery Control
  • IP Based Rate Limiting
  • 30+ Custom Retry Intervals
  • Real Time Bounce Diagnostics
  • Back off reason insight


Cluster Support

Commercial MTAs usually have some form of built-in support for centralized management of a cluster of servers. This can be as basic as shared configuration data, or as complex as full control of every machine in the cluster from a centralized management console, shared information between instances of current connection counts to recipient domains, and cluster-wide monitoring. This is only one benefit for the new PowerMTA Management Console introduced this past year by Port25.

Monitoring

Most commercial MTAs have built-in monitoring support. To monitor open source MTAs you often need to install some external monitoring tool (such as Nagios) and rely on whatever support is built into that tool for monitoring your mail server. Alternatively you end up writing your own monitoring software, or plugins for your monitoring software of choice. This becomes particularly tricky when you have multiple servers, and need to be able to monitor as both an aggregate and be able to "drill-down" into individual servers.

Sophisticated Bounce Management

Modern commercial MTAs have sophisticated algorithms that they have built up over years of experience for managing bounces. Because the SMTP RFCs are often unclear on giving reasons why a mail may have bounced, these commercial MTAs have built up techniques for understanding responses from different types of recipient MTAs, providing the administrator of the commercial MTA with the appropriate tools for dealing with bounces in a manner which is appropriate given the information at hand.

Per Recipient Domain Settings

While some open source MTAs have some level of per-domain settings for outbound email, this is often rather complex to configure or doesn't exist at all. Commercial MTAs were mostly born of the needs of large senders, so flexible configuration on a per-recipient-domain basis is a basic requirement.

TLS over SMTP Reporting

The use of the Transport Layer Security (TLS) protocol over SMTP offers certificate-based authentication and helps provide security-enhanced data transfers by using encryption keys. With the sending industry moving to a more secure and encrypted sending model, it is necessary to "track" if a given message was delivered over a secure socket and if so, what protocol and cipher were used.

Commercial MTAs now have the ability to encrypt outbound email with TLS over SMTP. Both the receiver and the sender must have email encryption enabled. As we move towards email encryption as a standard, Port25 has optimized performance in its latest version, v4.5. For example, commercial MTAs now have granular reporting on TLS over SMTP: you now have the ability to know whether a message was sent over an encrypted connection. This matters if your client is, for example, a financial institution that requires proof of security.


