This is just the last of many cases of MS Outlook acting in an intentional power abusive market distorting way.
I do not know about tutanota and if they are a bad actor in the email space. But I remember them having done funny things like banning the complete German Hetzner IP range because Hetzner didn't want to give them customers information without a court order (which I guess Hetzner isn't allowed to do either iff the customer(s) in question is a private customer...).
Like consider Google banning all Azure hosted mail providers independent of their reputation and DMARC, DKIM, SPF etc. because MS keeps with the law and doesn't give Google private customer information, it's that ridiculous.
Tuta are a privacy focussed and pretty responsible mail service. They have quite strict sending limits to dissuade bulk mailers and keep the service free for those who need it.
Whatever the cause, I’d be surprised if bad mail is sent in enough volumes to be noticeable to MS
i installed MIAB like 3 years ago. had this exact same problem with outlook at the time. did the same and never have had any more problems.
last year i helped someone install miab and somehow neither gmail nor outlook nor any "major" provider logged them as spam from the get go. i was truly impressed and surprised.
i have heard war stories about people self hosting email and having problems. sure 3-5-10 years ago that might have been the case but not now for the most part.
please give your self hosted email a try again. it will take you less time to set everything up than cooking dinner. try using miab or similar email software.
go cheap, like racknerd or something and save money from vultr/DO.
Just keep in mind that you need a working reverse DNS record and not all cheap providers support it. Also cheaper hosting solutions usually have worse IP reputation.
You may have gotten lucky with IP addresses. When your cloud provider gives you an IP address from the pool, it is luck of the draw whether some customer in the past got that IP address on the bad list with some mail providers.
I strongly want what you say to be true, and would also encourage people to self-host email, but I want to make sure people are aware of the pits so they can avoid them or at least not have to learn the hard way.
With Microsoft a clean IP is not enough IME - you also need the whole block to be clean. That's not really something you can control if you have just the one IP.
> But I remember them having done funny things like banning the complete German Hetzner IP range because Hetzner didn't want to give them customers information without a court order (which I guess Hetzner isn't allowed to do either iff the customer(s) in question is a private customer...).
All companies covered by GDPR (or similar privacy laws) would have this requirement. Can't be handing out information on customers to random companies willy-nilly.
My private email server gets completely blocked on a regular basis. They are blocking the whole ip-range of my provider. You get no response from them whatsoever. You have to fill out a form and wait a couple of days. You can however sign up for a 200$ whitelist... from a different company owned by guess who.
I worked for a company that sent travel deals newsletters everyday. Deliverability to (then) Hotmail was abysmal.
We then got the recommendation of a company (cannot remember their name) that could analyse our IPs and give recommendations. Naturally, the recommendations were the ones that you could find everywhere so they were not useful, but the company did have access to MSFT's score of our IPs, so we could know when we were close to being blacklisted and could take action/ramp down/etc. How did they have access to those internal IP scores? I don't know, but it seems totally fishy :).
For sure we spent 5k+ USD yearly in this service (which is a huge amount of money in a 3rd. world country), and "somehow" after paying our deliverability did improve, despite doing the same things as before, as the recommendations were not ingenious.
So yeah, e-mail deliverability is a mafia, for sure.
Was it "Return Path"? If so, yes, they are just a racket. They ostensibly provide consulting services on this stuff, but in reality they have an (exclusive?) deal with Microsoft to change scores and allowlist, so you just pay them and they get your email through. Pricing is based on volume of email, I think we were paying $10k/yr for our emails to get to Microsoft hosted addresses.
I cannot 100% confirm it but "Return Path" (now Validity) definitely rings a loud bell :), and the figure is also in the ballpark -- we definitely started to send less e-mails just to be able to afford/test them.
I felt outraged at the moment because it was clearly a "pay-to-play" scheme, but ~8 years ago the number of Hotmail/Outlook addresses in my country was definitely substantial. Probably it still is.
> How did they have access to those internal IP scores?
When I was doing DMARC stuff professionally, plenty of big names were willing to send DMARC reports our way. Microsoft was the only company to give us full text.
Well, you can (and should!) set up your DMARC preferences through your DNS records and enable a mailbox to receive those reports, which you can then use to verify if you have any/some problems with particular providers. This is totally free and standard.
But the score I am speaking of was something different: it was the reputation assigned by Microsoft (i.e., something internal) to the IPs from which we sent e-mails. This score was used to determine how many e-mails sent from those IPs would pass/fail MSFT's filters. And to have access to the score and improve it, we had to pay a 3rd. party :).
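An added example, not part of the thread: the DMARC aggregate (rua) reports mentioned above arrive as XML, and this Python code tallies DMARC pass/fail per sending IP so a problem with one source stands out. The sample report, the function names `summarize_report` and `failing_sources`, and the 5% threshold are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate-report layout; all names and
# addresses are documentation values, not data from the thread.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><p>reject</p><pct>100</pct>
  </policy_published>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>192.0.2.10</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>198.51.100.25</source_ip><count>8</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row>
    <source_ip>203.0.113.77</source_ip><count>30</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize_report(data: bytes) -> dict:
    """Tally one aggregate report per source IP.

    A message passes DMARC when either the aligned DKIM or the aligned SPF
    result in <policy_evaluated> is "pass".
    """
    # Reports come from third parties: refuse DTDs/entities before parsing.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("unexpected DTD or entity declaration in report")
    root = ET.fromstring(data)

    per_ip = defaultdict(lambda: {"total": 0, "pass": 0, "fail": 0, "enforced": 0})
    for record in root.iter("record"):
        row = record.find("row")
        if row is None:
            continue
        ip = (row.findtext("source_ip") or "").strip()
        count = int(row.findtext("count") or 0)
        dkim = (row.findtext("policy_evaluated/dkim") or "").strip().lower()
        spf = (row.findtext("policy_evaluated/spf") or "").strip().lower()
        disposition = (row.findtext("policy_evaluated/disposition") or "").strip().lower()

        stats = per_ip[ip]
        stats["total"] += count
        if dkim == "pass" or spf == "pass":
            stats["pass"] += count
        else:
            stats["fail"] += count
        # Messages the receiver actually quarantined or rejected under policy.
        if disposition in ("quarantine", "reject"):
            stats["enforced"] += count

    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": dict(per_ip),
    }


def failing_sources(summary: dict, max_fail_rate: float = 0.05) -> list:
    """Return source IPs whose DMARC failure rate exceeds max_fail_rate.

    The 5% default is an arbitrary illustration threshold (assumption).
    """
    flagged = []
    for ip, stats in summary["sources"].items():
        if stats["total"] and stats["fail"] / stats["total"] > max_fail_rate:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print(report["reporter"], "reporting on", report["domain"])
    for ip, stats in sorted(report["sources"].items()):
        print(ip, stats)
    print("investigate:", failing_sources(report))
```

A flagged IP that is your own server points at a signing or SPF problem; one you do not recognise is someone else sending as your domain.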
in outlook's admin console, there are a few tools related to antispam, including a way to view stats about why or why not a specific email got sent to spam. IIRC it exposes the sender's reputation score among other things.
Even if you get them to create an exception for your IP, personal experience shows that this lasts for 2 months tops, then you're blocked again. I gave up, getting my personal mail server to communicate with Outlook is not worth it.
I would assume any provider that allows you to send email also allows a great deal of spam, so this might not be unwarranted. My provider is also frequently blacklisted, I just don't use it to send mail anymore.
What the original poster describes is anti-competitive behavior, for this reason alone the idea of blocking the whole IP range of a competing email service provider is very bad. Personally, I wouldn't use an email provider that blocks spam server-side without an option to turn this off because these filters often block legitimate mails and can cause all kinds of annoying problems.
Kind of, but parent poster was talking about his own small server, which is likely hosted on a residential IP pool that's pretty much guaranteed to be blocked all the time.
All mail providers mass block IPs, because the spam from some ISPs is literally too much to even filter.
I run a few high volume (very legitimate) servers and it's been a huge pain in the butt to keep them off of blacklists, but at the same time we've also had spammer problems and I totally get it.
Maybe Tutanota.com has a lot of outlook users reporting your marketing emails as spam. I generally do this if the unsubscribe route is too painful, or even if it takes too long to load.
I'm very surprised to see you are being downvoted, I was convinced everybody is doing that. Spam is spam, period. Asking me to go click on a link that leads somewhere is just a waste of my time - and there are still a few culprits out there who instead of unsubscribing me straight away demand that I log in to "manage my notification preferences"!
I'm not even their customer (and never will be), so not really sure what kind of app functionality they'd be claiming. :/
But the concept of your comment "they're just doing what they want because they reckon they can get away with it" is pretty common among large tech companies.
After feeling gaslighted by some spam emails that I was very sure I had unsubscribed from, I started keeping a spreadsheet to track my requests with date, and what link I followed to get removed. Almost 25% of my requests have never been honoured, it's disgusting.
But when you have dozens of databases, each owned by a different company, and they feed off each other perhaps once a day, then you can end up with a long time before all your data is deleted.
And that’s their problem, not mine. If they structure their email campaigns such that it takes a long time to update every database, that’s a design choice on their side. When that design choice means they effectively ignore my unsubscribe, well, I don’t see why that should receive any sympathy.
I own my own email domain, and I use a different email address per service. I have done so for 13 years.
On legitimate emails, unsubscribe works correctly almost every time.
True spam seems to originate from a handful of compromised services like LinkedIn, parkmobile, etc. I don’t hit unsubscribe on those, but I don’t see how it would make things any worse.
Are people still using that for tracking? I thought it was made pretty pointless by the large cloud providers simply prefetching and proxying it through their servers, and independent mail clients only loading them on-demand.
Nearly everyone has their client configured to do that, because it is the default setting. Gmail makes that very easy to change, but many other clients have it buried in the menu
It is good practice. You should never use the unsubscribe function as it tells the sender that the receiving account is actually in use and valid. Thus they will sell your email to even more spammers.
Not really true. Many spams (at least in the past) used to include unsubscribe link, either for faked-legal-compliance, to give some illusion of legitimacy of the mail/originating company to the recipient, and/or to track who is actually receiving them.
But if you landed in a mailing list, there are quite high chances that the unsubscribe link is legit.
Totally true, but sometimes people just want to unsubscribe to a mailing list they got in because they forgot to uncheck the box "send me promotions" when buying something online, or maybe they even signed up on purpose in the past. Still, some of these just mark the mails as spam not to get them any more.
The unsubscribe link is legit, but how did I end up on the list? I've never ever signed up for something with the goal of receiving marketing emails. I've never given explicit permission to receive marketing emails.
So if you send me a marketing email, it's spam because I didn't ask for it. It may be legal but that doesn't impress me.
If you ended up on the list without signing up, well I wouldn't blame you to click the "Report spam" button, because that's what it is.
But I'm pretty sure that some people who actually signed up on purpose to be on some mailing list just click the spam button not to see them any more, because they are not any more interested, or for whatever other reason.
I wish you were right, but that is not the case, sadly. I could give you several examples but here's one: there was a comment on HN a little while ago [1] about a spammer by the name of whitehallmedia. Every single email they send has an unsubscribe link. Clicking it (I used a test email account.) does not have the effect that one might expect.
Are you 100% sure you never just signed up for a newsletter and forgot about it?
Are you 100% sure your email didn't end up there in some other way?
I used to send out some newsletters for my website; just a programming blog thingy. It was just a form with a simple program on the server to collect email addresses. Wrote everything myself; no external service or whatnot involved.
I got some pretty aggressive replies about people who insisted that I was spamming them. Did they forget (I didn't send out the newsletter very often)? Did someone typo their email and end up at the wrong person? Did some bot maybe fill in the form and pass the little captcha I added? Who knows. All I know is that there was a legit POST /subscribe request.
And as someone who also worked with spam prevention: it's this kind of stuff that also makes legit spam detection harder than it needs to be. The "Report spam" button is not a "fuck you" button, but unfortunately many people seem to use it as such.
With email spam it has been long proven that the best way to act is to treat all actors as malicious. As there are enough malicious actors around.
And it took me a minute to find phishing mail with unsubscribe link. Which entirely proves my original point. Sure those sending phishing mails won't stop the mails I probably ordered somewhere?
> Yeah no. Emails which include an unsubscribe link are legit enough to not do that. Actual spammers don't bother to include an unsubscribe link.
I found a phishing email with unsubscribe link. Thus I think we can generalize that emails containing unsubscribe in general are not legit nearly enough of times to trust that. Thus the only correct and safe way is to mark them as spam and let the email provider eventually handle them correctly for everyone.
Collateral damage is by definition damage to innocents – people who have done nothing wrong.
As I mentioned before, even with the best of intentions people can "construe your email as spam".
People mark emails as spam as "fuck you". Bad support? Spam! Argument with a friend? Spam! Yes, people really do this.
People can abuse your platforms in way you didn't foresee: either an outright security flaw or a "logic flaw" (e.g. one system I worked on the rate-limiter could be bypassed by using Cc, which was of course quickly solved, but people did unfortunately use it to send out spam).
If you have any sort of "sign-up", even if paid only, people will try to abuse it to send spam.
People's computers get hacked, and while botnet spam is less of an issue due to residential ISPs blocking SMTP traffic, abusing the hacked machine's Outlook or whatnot still happens.
There's tons of cases where regular well-intentioned people send out spam. Anyone who claims any different has never seriously worked on any kind of anti-spam system with real-world usage. If this was an easy problem it would be a solved problem, but it's not, because it's a hard problem.
To be more constructive, I agree that personal spam/non-spam decisions should not be used to train a general model, at least not without a significant signal from multiple users. Possibly users should be matched to models according to their behaviour.
But the onus should be on the model builders not on the final user.
You're absolutely incorrect about this. What you're saying may have been true a long time ago but it's 100% wrong now. In 2023/2024 you should click unsubscribe links.
No matter how spammy a sender is, an unsubscribe click is a big signal that they don't want to contact that email account again. It takes time and money to warm up a domain, prepare it for outbound email, and keep it from being blacklisted when you're sending out a high volume of mail. The days where someone can just spin up an email server in a couple of minutes and blast hundreds of thousands of people with spam are over. If you don't manage your reputation you'll get blacklisted in a matter of hours. The #1 way as a mailer to manage your reputation is to respect unsubscribe requests.
Yes, clicking the unsubscribe link indicates that there's a real human checking the mailbox. But data resellers have many ways to verify the validity of a mailbox that are more effective than this one. And unlike this one, they don't indicate that the person dislikes receiving unsolicited email. So very few data resellers use unsubscribe clicks as a way to verify email validity, because if they do they'll be polluting their product with the emails of people who are likely to get pissed off by unsolicited mail, report it and get a customer's domain blacklisted. If the data reseller is selling "verified" data that is getting his customers blacklisted - he won't be in business for much longer.
It's worth pointing out that not all unsolicited mail is illegal. There are exceptions carved out in US CAN-SPAM and in other jurisdictions. If you're a business in the US the law is basically that people can send you unsolicited marketing emails whether you like it or not, as long as they provide an unsubscribe link and respect your request if you click it. To not use the mechanism that is explicitly required by the law for your protection is shortsighted.
I presume you are operating under the assumption that most bulk email comes from the big providers like AWS and MailChimp (who in fact uses SendGrid underneath). And yes, under those circumstances you are correct. Those big firms whose day job is sending "spam" have a huge incentive to ensure you don't outright reject the spam - if they don't the reputation of the IP Address ranges they are sending from get trashed. For example, they go to the trouble of wrapping every link in the email with a redirect via them, so they can monitor what emails from them you are engaging with.
But I have some news for you - the vast bulk of spam does not come from them. Maybe you aren't aware of that because you use an email provider like GMail or Outlook. They stop most of this other spam (which is how we get to the headline). But nonetheless it's there, and if it does sneak through and you click on the unsubscribe link you not only won't be unsubscribed, you confirming you're a real human will ensure you will be subscribed to many spam emails.
You absolutely should use the unsubscribe link if it is solicited mail. It is very rude to ask for mail then harm the sender's reputation because you don't want to unsubscribe.
But if the mail is unsolicited or the unsubscribe link doesn't work then absolutely yes, mash that spam button.
Which is not ideal, and might explain why Gmail routinely puts perfectly legit correspondence in my spam folder - again and again.
I realize this might well be a problem stemming from email clients having but one option to flag emails: spam. Ideally one should have more options - as it is scamming, spoofing and innocuous unsolicited marketing (and slow loading messages it seems) are all put in the same basket.
> as it is scamming, spoofing and innocuous unsolicited marketing
Those are all spam. Especially unsolicited marketing. Fuck everyone who sends that, and I hope they get banned from whatever provider they use and it kills their company. I always report all of those even with an unsubscribe link, as it’s not as if I can trust them not to use "unsubscribe" as a "send more spam" signal, they’ve already proven themselves untrustworthy by not using double-opt-in.
Though with some providers even "mark as spam" seems to be able to leak your email as they send reports which contain the message-id. Good in our case as we don’t want to spam anyone and can then blacklist the address, but bad in case you report evil spammers.
That's why Gmail is fantastically bad at spam filtering. Even simple spamassassin setup is miles ahead of it. Gmail filtering is basically useless because it forces me to check spam folder and I need to look at all this spam anyway.
you forgot to mention "slow loading emails", and I might add "I don't remember signing up to this newsletter", or "ok I signed up to this newsletter but this article triggers me" etc.
This "users can't handle fine-grained control" philosophy is stupefying users IMO. Granted, many don't have the knowhow, but they could just use the (hypothetical) dislike button, and the anti-spam AI could in that case place little weight to their judgement call. The interested user could instead be placed on a journey to be ever more adept at identifying email misuse.
Edit: as another commenter mentions, at present these completely unreliable signals to the anti-spam software cause for example Gmail to put perfectly legit emails in the spam folder - so I have to wade through a load of junk anyway (otherwise the legit messages in there get deleted after 30 days).
The system is broken, and people reporting irrelevant things as spam is most likely a part of it.
The OP was talking about the unsubscribe loading too slow, not the mail. That is certainly grounds for being marked as spam.
Also "I don't remember signing up to this newsletter" is mostly a case of pre-checked "consent" to mails or companies packing on newsletter subscription as a requirement to some unrelated service. That's also spam.
> The OP was talking about the unsubscribe loading too slow, not the mail.
OK thanks, my bad. But you also seem to miss something, namely my point: you seem to imply that I'd be opposed to users marking unsolicited or dark pattern mailing lists emails as spam, if they indeed are such. Or that the existence of such emails somehow undermines my point. But that's not it.
The overarching problem is of course spam in the first place, secondly the substandard systems that email services use to identify spam. In third place I'd place the problem I raised, that legit emails are not delivered correctly, where part of the problem seems to be that users use the 'spam' label as a dislike button.
But here's the kicker: this last problem is mainly what might threaten email as a means of correspondence, period: If I get a lot of junk then I can sift that out to get to my real messages. But if my real messages don't reach me at all then that's likely game over for the email era.
I wouldn't mind these providers being aggressive with spam filtering IF they would just bounce the messages so i know WHY. I've had so many cases where an 'email wasn't sent' by our systems and then the logs show it was accepted by outlook.com for delivery, but never even showed up in the spam folder (apparently, if customers are to be trusted).
Many providers seem to do this, respond everything ok and then drop the message silently..
Been there, done that. This is a nightmare, mainly for back scatter from spam runs.
You can’t control who sends email that looks like it’s from you. If your email were bounced because of a spf or dkim failure, you could get an unlimited number of emails.
This sort of email oligopoly/mafia problem can only really be solved with legislation. There needs to be push from within the EU to legislate this hopeless situation.
How is legislation the only answer? Users can just stop using Outlook if they care that MS is blocking providers. If users don't care and stay on Outlook, why bother legislating it?
First: Most users don't care. From their perspective, it's always the sender's fault/problem. And the burden is always on the sender to prove it was actually outlook that dropped the email etc.
Second: corporate & institutional users have no choice
Putting on my "postmaster at shared hosting company" hat:
Used to be. Gmail has done a lot of work to be worse than Outlook. At least MS idiosyncrasies are somewhat known and stable. I would say that most customer complaints are related to gmail.
FWIW that has not been my experience with hosting my own personal mail. The only deliverability issue I had with Gmail was with a newly registered domain and even then they did at least deliver the mails to the spam folder (and soon enough directly to the inbox) which is much more than Microsoft does.
I have a small sample size but for my SaaS which primarily sends email GMail marked as spam for a while but then gained domain trust and it hasn't been a notable issue. Outlook has my IP on a blacklist and doesn't even consider anything else. I need to send via relays to get an IP that is trusted enough for Outlook to even consider my message (which is signed with DKIM + SPF with a DMARC reject policy)
That’s one of the reasons I stopped working on hosted mail. It has not turned to anything better with big companies putting their hands over it. It’s more controlled now but the same crap as before, just as dangerous and a bit more expensive.
Currently working on a system with as much control as possible but piggybacking existing providers' transports.
Love mailcow, I moved off exchange to mailcow. I’ve used email for I guess 30 years now and every year it’s less reliable. My kids do not use email at all, they are on the internet without actually using email. Sure they have a google account for YouTube but their services tend to allow a sign up without an email. I can see a future where it continues to be less of a thing and turn into something held on by older people.
I have an outlook.com account, too and having a look at the Spam-folder is as important as looking at the Inbox. Too many important mails go missing with outlook.
Looking at the correspondence cited in the article I expect this is because the "AI"-powered anti-spam detection is hallucinating, and has decided every email from this provider is spam, based on a few (or many as the case may be) bad apples.
Hah! My bank did this too before I went on a trip - it blocks Interac transfer requests from Wise, and will hold your outgoing transfers until you call to validate, calling it fraud. Gotta love using your own anti-abuse processes to stifle competition, as little impact as it may have.
Ugh, we contacted Chase since we were going on an 'out-of-the-ordinary' road trip. Spoke with fraud dept and gave them our travel itinerary, hoping to prevent cards from being frozen while we were in questionable cell coverage areas.
Everything went fine until the last gas stop before arriving to our destination... only to find our cards frozen anyhow.
It took about 25 mins to get cleared up, but these big corps are so heavily dependent on automation, they can't deviate because the system will take its own actions anyhow.
I, for one, am tired of living in a society that somehow isn't able to routinely think/behave proactively rather than reacting only once "the system will let you".
Recently, I managed to get my personal mail server working and delivering to Outlook.
Of all the major mail providers, I found getting my mails to Outlook the hardest. Gmail played nice once I set up DKIM, DMARC, SPF, MTA-STS, rDNS and a couple more things that I forgot, set up exactly the way they like it.
Outlook was harder though. I had to send a series of mails spread over multiple days to people who had Outlook accounts and get them to both mark it as not spam and reply to the mail until it eventually started working.
It's been a couple of months, not sure if it still works though. Hope it does.
Outlook are a pain. If you don't regularly send email to outlook.com they forget your IP and start responding with 550s.
I have a daily message sent out from my server to a test account at outlook.com for two reasons: to try to work around this behaviour and to know immediately when there is a delivery issue.
Disagree. They can do what they want with the email once it is in their queue but bouncing 'unknown' IPs is an extreme choice especially when they have SPF/dkim/dmarc/mta-sts/... all set up, and are not on any spam lists, and are hosted in a reputable data centre.
SMTP 550 means the email bounces. The sender knows but unless they're also the admin they can't do anything about it. The recipient knows nothing. In the most recent case that happened to me, it happened when I sent a reply to an @outlook I had just received a message from (and was regularly receiving emails from, but only rarely needed to reply).
I'd be pissed off if I were an Outlook user - it's a shame that big tech get treated as the "gold standard" - I get that spam prevention is important but it shouldn't hurt your business. Their support is below standards. I wonder how many opportunities Outlook businesses lose because they don't receive certain emails.
That being said, email as a whole could do with being replaced with a more robust solution to make it more versatile and offer other spam prevention techniques.
The sad part is that this kind of behavior might actually be optimal for Microsoft. Most people won't even see the issue (as senders work around it) or blame the sender whereas they will start screeching if they so much as have to see a spam mail once in a while.
Little OT, I was using Hotmail in 2015 to apply to grad schools. I got an email about interview from a professor with @vt.edu address that got flagged into spam. I noticed only after someone else got selected for funding. To this day I don’t understand why an email written by a professor from a reputable university domain was flagged as spam, but I have definitely stopped using Hotmail
If you give people free web services they're going to use it for spam, porn, file sharing or crypto mining. If even their most basic tier only cost a few quid a year, it would probably stop spam usage by 99%
> If even their most basic tier only cost a few quid a year, it would probably stop spam usage by 99%
Not really; they will just sign up. Probably using a stolen card (I assume? I have no way to check.)
Source: have worked for email provider. Have you seen one of those films where one guy fends off hordes of zombies or other "bad guys"? It's like that. Anything that can send email will attract hordes of twats trying to spam the shit out of it. The main difference is that the spammers are more despicable subhuman twats.
Yes but I've also seen enough scam investigation videos where they just create email addresses and phone numbers non-stop using free services just because there's no penalty for doing so. If creating a new email cost them £3 a time then they'd probably just move onto someone else's free service.
most of the phishing emails bypassing my spam filters (on Fastmail) recently have been from prod.outlook.com
it's almost impossible to figure out where to report spam; most of their support articles are about how you report spam in Outlook instead. For reference, those reporting emails are:
phish@office365.microsoft.com
junk@office365.microsoft.com
but you get zero feedback, and I keep getting repeat phishing too
they care so little about cleaning up their own act, i'm considering just rejecting their stuff with a bounce message. i checked, and there's very little important traffic from prod.outlook.com arriving in my inbox.
MS outlook.com also blocks emails from apple.com as spam
What's worse - often times emails sent out from an old hotmail/outlook.com account always end up in recipient's junk/spam folder. They still haven't addressed [this](https://x.com/tvjames/status/1278813439222145024?s=20), it seems, even to this very day.
So what fraction of sent mail do the actual end receivers consider spam? And why would there not be some reasonable threshold. Or should we entirely instead ban spam filtering?
Microsoft may be using AI for spam detection and... is - of course - unable to fix it, because you can not debug a neural network (or may need months/years to debug and fix it)... So: WELCOME TO THE NEW WONDERFUL WORLD OF AI where we will not be able to fix things...
I think this is it, too. AI is efficient, but malfunctioning a fair percentage of the time. Are we going to have to accept it just because it has a number of upsides - or are we to demand that errors be brought to 0 before using it on critical systems, like email? Or in critical situations like war for that matter.