Have you ever sent an email only to find out the recipient didn’t receive it for two days?

Why is this? We know email is not real-time, but it shouldn’t be this delayed. Maybe it was stuck in your outbox or held up on the outbound mail server. Maybe the recipient’s mail server is the cause for the delay.

There are a number of possibilities for an email to not make it to its destination in a timely fashion. One lesser-known reason may be due to email feedback loop controls enforced by a mailbox provider, such as an ISP or large consumer mail service. ISPs and mailbox providers are constantly faced with a whole host of activity from botnet-infected customers to spammers sending an obscene amount of unsolicited email. The spam not only takes up system resources, but it frustrates ISP and mailbox providers’ customers.

With billions of emails flowing through their networks, mailbox providers are pretty good at weeding out blatant spam. But they are not perfect and they can’t make accurate universal decisions for all customers. After all, one man’s trash is another man’s treasure.

Why is this important to your business and mass email campaigns?

The feedback loop controls allow mailbox providers a mechanism for customers to report spam. When a recipient receives what they believe is spam and report it, the feedback loop informs the sender. The sender can tailor future campaigns based on the input. This is important because the more recipients complain, the worse the sender’s reputation becomes. The mailbox provider may use this information to deprioritize future email from the sender. In addition the feedback loop can serve to alert the sender of a possible email server compromise on their network. If recipients are receiving and reporting spam from an infected server, the feedback loop may help identify this.

Is the feedback loop new? Not really, but it is not top of mind with many businesses. It is also not well known by some email gateway providers – those who offer outbound email filtering and encryption services via the cloud. What’s interesting is some mailbox providers can use the feedback loop to throttle back mass email campaigns sent from your business. This allows mailbox providers to deprioritize email based on the source and reputation of the sender. If the sending company’s IP addresses connecting to the mailbox provider are not in their feedback loop database, the provider can delay the delivery of the email because they appear like a spammer.

Mailbox providers creating rules based on the history of email sent to their customers and the feedback loop database status of the source IP, allow for email flow control. If the sender is not enrolled in the feedback loop database the mailbox provider can delay email delivery. These messages are then retried but the problem is when this happens, there are potentially thousands of messages already in queue which keep retrying. In addition, singular email messages to the same domain of the mailbox provider from the same source can end up getting caught in this vicious cycle. First in does not mean first out and hence the delay. Here’s a sanitized excerpt taken of log messages between a mailbox provider and email gateway provider.

Transfer to xxxx-xx-xxxxx-xxx.com. [192.168.1.1] For: xxxxx@xxxxxx.com Receiving system returned “Deferred: 452 Too many recipients received this hour. Please see our rate limit policy at http://security.xxxxxxxxx.com/spam.htm#ratelimit.” status 4.0.0, “Transient failure”

All is not lost as organizations can complete the feedback loop form offered by mailbox providers and escape the rate limit controls. This is a way for mailbox providers to allow bulk email to be sent to their customers once the sender has identified their source address space and have forward-confirmed reverse DNS in place.

What else does this have to do with security?

Customers and businesses have come to rely on an email address for many of today’s security services. Consider for a moment the security dependence on the customer email box for businesses who offer temporary and password resets, multi-factor authentication codes, and security and login alerts. In particular, financial institutions and eCommerce sites provide security email notifications to customers as a security service. The email address has become a universal catchall for activity alerting and time-sensitive authentication services. Email is expected to arrive in seconds, even if it wasn’t designed to.

Surprisingly the feedback loop and the ability to use it to rate limit mass email is not as widely known as expected. In the case of enterprise email gateway providers servicing thousands of customers, they are the ones who need to complete mailbox provider forms. This is because they are the ones who email relay and are seen by the mailbox provider as the source IP address.

The feedback loop designed as a complaint tool for email customers does provide informational value to businesses that enroll. Recipients reporting spam provide the sender with useful data to improve their campaign and not appear as spammy. However, mailbox providers can choose to use this as a way to rate limit email as a means to protect their system resources. Before the next mass email campaign, check with email administrators and possible email gateway service providers to determine if the feedback loop forms are complete. If not, proactively engage teams to complete this process with the top mailbox providers to protect against possible email delay. No one wants snail email!

Leave a Reply