Fighting Spam

Every email marketer would love to know the special sauce that gets their messages directly into the intended recipient’s inbox. However, most marketers, especially those who’ve been doing it for a while, know just how complicated and tricky that task can be.

ISPs give us a few of their secret ingredients here and there, but most scanning and filtering tools that ISPs use are not shared publicly — and for good reason! No one wants spam in their inbox! And if spammers knew all the secrets, they could circumvent them. But for legitimate senders who need to get an email to people who have asked for their messages, sometimes it can be frustrating.

One of the clues Microsoft gives us into how they measure the legitimacy of your email message lies in the headers. In the last few years, they’ve introduced a rating system that determines how spammy or phishy they believe a message to be as well as how likely the sender is to generate spam complaints.

Microsoft’s Anti-Spam Message Headers: SCL, PCL & BCL

As soon as an email message hits Microsoft’s servers, their proprietary Exchange Online Protection (EOP) filtering service scans the message and then inserts an anti-spam report into the message headers. You can read more about all of the different fields and filters they use here, but the three fields that I’m going to focus on today that have helped us understand how messages are being processed are:

SCL = The Spam Confidence Level
PCL = The Phishing Confidence Level
BCL = The Bulk Complaint Level

When opening the message headers you can do a search for X-Forefront-Antispam-Report and find the SCL ratings underneath. BCL and PCL ratings can be found under the X-Microsoft-Antispam section. Here’s a screenshot of the message headers from a message I received in my Outlook account where I’ve highlighted these ratings.


SCL — Spam Confidence Level

After the email is received and goes through the EOP spam filtering it’s given an SCL score. Here’s a breakdown of what each means:

-1 = A special value that means the message is a safe sender and is not spam. This score tells Microsoft to put the message in the inbox.
0-1 = The content of the message was scanned and determined to not be spam. These two scores also tell Microsoft to deliver the message to the inbox.
5-9 = Starting at a score of 5 the message is suspected to be spam, and suspicion increases up to the highest score of 9, which indicates high confidence that it's spam. Any rating between 5 and 9 means the message should be sent to the Junk folder.

*Note: 2, 3, 4, 7, and 8 are ratings that are not assigned by Microsoft.

For more information, refer to Microsoft’s official documentation on SCL.

BCL — Bulk Complaint Level

BCL ratings range from 0-9 depending on how likely the message is to generate complaints based on historical data. Microsoft says they use both an internal and third-party tool to assign messages a rating — a message that receives a 2 is unlikely to generate many complaints versus a message that receives a score of 8, which is likely to generate a high number of complaints. Here’s the breakdown of BCL ratings:

0 = Indicates the message is not from a bulk sender.
1-3 = This bulk sender generates few complaints.
4-7 = This bulk sender generates a mixed number of complaints.
8-9 = This bulk sender generates a high number of complaints.

For more information, refer to Microsoft’s official documentation on BCL.

PCL — Phishing Confidence Level

This rating determines how likely it is that the message is a phishing message, based on its content. The values range from:

0-3 = Not likely to be phishing.
4-8 = Likely to be phishing and marked as suspicious content.

For more information, refer to Microsoft’s official documentation on PCL.
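To make the three ratings above easier to check at scale, here is an added example (not code from the original post) that pulls SCL, BCL and PCL out of the two headers named above and maps each value to the meaning the post describes. It assumes the header bodies are semicolon-separated KEY:VALUE pairs, as commonly seen in X-Forefront-Antispam-Report and X-Microsoft-Antispam; the sample message is constructed.

```python
"""Pull SCL, BCL and PCL out of Microsoft EOP anti-spam headers and map each
value to the meaning described in the post.

Added example, not from the original post. It assumes the header bodies are
semicolon-separated KEY:VALUE pairs; the sample message below is constructed.
"""
import email
import re
from email import policy

# Constructed sample: headers of a message after EOP filtering.
SAMPLE_MESSAGE = """\
From: newsletter@sender.example
To: someone@recipient.example
Subject: Weekly update
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;
 SFV:SPM;H:mail.sender.example;
X-Microsoft-Antispam: BCL:7;PCL:0;RULEID:(1234567890);

Hello!
"""


def parse_kv_header(value):
    """Turn 'A:1;B:x;' into {'A': '1', 'B': 'x'}; empty values are kept."""
    pairs = {}
    # Folded headers are unfolded by the email package; strip any leftover whitespace.
    for field in re.sub(r"\s+", "", str(value or "")).split(";"):
        if not field:
            continue
        key, _, val = field.partition(":")
        pairs[key.upper()] = val
    return pairs


def interpret_scl(scl):
    """Meaning and expected folder for an SCL value, per the post's table."""
    if scl == -1:
        return "safe sender, not spam", "inbox"
    if 0 <= scl <= 1:
        return "scanned and determined not to be spam", "inbox"
    if 5 <= scl <= 9:
        return "suspected spam (confidence rises with the score)", "junk"
    return "value not assigned by Microsoft", "unknown"


def interpret_bcl(bcl):
    if bcl == 0:
        return "not from a bulk sender"
    if 1 <= bcl <= 3:
        return "bulk sender with few complaints"
    if 4 <= bcl <= 7:
        return "bulk sender with a mixed number of complaints"
    if 8 <= bcl <= 9:
        return "bulk sender with a high number of complaints"
    return "out of documented range"


def interpret_pcl(pcl):
    if 0 <= pcl <= 3:
        return "not likely to be phishing"
    if 4 <= pcl <= 8:
        return "likely phishing; marked as suspicious content"
    return "out of documented range"


def _to_int(text):
    try:
        return int(text)
    except (TypeError, ValueError):
        return None


def triage(raw_message):
    """Return the three ratings (None when a header is absent) with their meanings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    forefront = parse_kv_header(msg.get("X-Forefront-Antispam-Report"))
    antispam = parse_kv_header(msg.get("X-Microsoft-Antispam"))
    scl = _to_int(forefront.get("SCL"))
    bcl = _to_int(antispam.get("BCL"))
    pcl = _to_int(antispam.get("PCL"))
    report = {"scl": scl, "bcl": bcl, "pcl": pcl}
    if scl is not None:
        report["scl_meaning"], report["scl_folder"] = interpret_scl(scl)
    if bcl is not None:
        report["bcl_meaning"] = interpret_bcl(bcl)
    if pcl is not None:
        report["pcl_meaning"] = interpret_pcl(pcl)
    return report


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE_MESSAGE).items()):
        print(f"{key}: {value}")
```

Run it against the raw source of any message that landed in a Microsoft junk folder; a message with no EOP headers at all simply reports None for every rating, which itself tells you the mail did not pass through Exchange Online Protection.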

What Do These Ratings Mean?

So what can we take away from these ratings? If you’re having junk foldering issues at any of the Microsoft domains check your SCL, BCL, or PCL ratings. If any of these are high, it could be the cause of the junk foldering. Microsoft doesn’t disclose the specific criteria for how they assign these ratings, but looking at the ratings will let you know what aspect of your email sending you may need to improve to get better inbox placement, be it the message content or your sending practices.

Got questions or comments? Feel free to tweet us or send us a note in our community slack channel. We would love to hear from you!


Some of the most common questions surrounding email deliverability are around whitelisting and concerns about spam complaints. We’ve covered a lot about all things blacklists and spam, what they are, how to avoid them. In addition, we’ve looked at ISP level whitelisting and the effects it has on deliverability. In this post, we’re covering personal whitelists, what they are and why you want your company’s emails on them.

What are Personal Whitelists?

Simply put, personal whitelists are custom lists of email addresses and/or domains from which a subscriber always wants to receive email. Spam filters are disabled for whitelisted senders. Subscribers can whitelist a specific sending email address or a full sending domain. It’s a way for email clients (Gmail, Yahoo, Outlook, etc.) to recognize that you’re a legitimate sender, not a spammer. The personal whitelist gives recipients ultimate control over what is sent to their inboxes. However, having your company’s emails whitelisted does not guarantee 100% delivery: if your IP address is on the ISP’s blacklist, your email will not be allowed through.

Why Do They Matter?

Essentially, whitelisting improves deliverability. ISPs use personal whitelisting as a positive signal from the subscribers that they want your mail. If they see a lot of subscribers adding your domain and/or sending address to their personal whitelist, then that factors into a good reputation and inbox placement. Since the goal of sending email is to get it delivered to the inbox where subscribers will see it, this is extremely valuable.

How Can You Get On Personal Whitelists?

You can get on a personal whitelist by asking your email subscribers to make changes in their individual email clients to mark you as a “safe sender”. This means your emails won’t be held up or filtered. The process for a subscriber to add you to their personal whitelist varies depending on the ISP. By educating your recipients, you speed up the process. Here are some examples from the large email clients:

Gmail:

  • Select “Contacts” under Mail on the left side of the Gmail Inbox.
  • Select Create Contact on the top menu.
  • Enter the email address in the primary email box.
  • Select Save.

Yahoo! Mail:

  • Open your Yahoo mailbox.
  • Click the address book icon under the Yahoo! Mail logo. When you roll your mouse over it, it will say Contacts.
  • Click “New Contact”.
  • Fill in the fields of your Contact.
  • Click Save.

Outlook:

  • Select Options from the top right.
  • Select More options > Safe and blocked senders > Safe senders.
  • In the space provided, enter the address.
  • Select Add to list.
  • Ensure the safe mailing lists box has the address you entered, and select OK.

*See more info here

Sometimes just asking your subscribers to whitelist you can make a huge difference in your delivery rate. This is one of the only actions marketers can take to get their company onto an individual’s whitelist, and all it involves is providing simple instructions, as listed above, on how to whitelist in the first place. Otherwise, you can add the email address you want subscribers to save to the header or footer of your commercial emails. See the examples from Skyscanner and Moleskine below to see how they have included it:

Similarly, we can see the same request in this example:

Try For Yourself

100% inbox delivery is extremely hard to achieve. So, the more positive signals the ISPs see from your mail, the better. Having your subscribers add you to their personal whitelists is a good thing. If you follow best practices your mail is less likely to land in the junk folder. You should try for yourself, ask your subscribers to add you to their personal whitelists or “safe lists”.

Finally, if you want more information on personal whitelists, deliverability or how to be a good sender, feel free to contact us below, on Twitter or Slack.

We have deliverability experts who can help!

-Holly McQuillan


Protecting Your Brand Against Threats

Your brand has a reputation, and beware: criminals want to ruin it through email. Yes, unfortunately, there are a lot of bad people sending email out there. We like to classify them into three categories: spammers, phishers (or scammers) and spoofers.

You’re already familiar with spammers: they send you unsolicited email. Phishers try to get you to divulge your personal information. Lastly, spoofers impersonate your brand and send email as you to your customers in hopes of phishing, scamming or, worse, bringing your business to its knees. Yikes! Sounds like a security nightmare, and it is.

When your email is spoofed, your reputation gets tarnished among ESPs, which means sending even legitimate email will be hard. This can be worse than having your company’s servers hacked.

Don’t fret because there are things you can do to prevent these types of security breaches from happening to your brand and they’re incredibly easy to set up.

In our upcoming webinar on February 7th, Bulletproof Your Email in 2017, join SparkPost CISO Steven Murray and ValiMail’s CEO and co-founder, Alex Garcia-Tobar, as they talk about the importance of email authentication, how impersonation attacks can slip through conventional defenses, and how to protect your brand against various security threats in 2017.

So, in this upcoming webinar we’ll review:

  • Different types of security threats we’re seeing
  • How this impacts your brand’s reputation
  • How to combat these criminals and protect your email and your brand

You won’t want to miss this! Register today for the Bulletproof Your Email in 2017 Webinar on February 7, 2017 at 10am PT/1pm ET.

Bonus: Be one of the first 500 people to sign-up and have a virtual coffee on us!

In the meantime, you can keep yourself busy with Steve’s blog on Debunking the Myths of Moving Your Email to the Cloud or Alex’s post on Three DKIM Challenges You Might Not Know About. See you soon!

~ Tracy

9 Things ISPs Really Want Email Marketers to Know


Spam complaints are one of the most important signals you have access to as a marketer. They can tell you a lot about the health of your mail program. They are also one of the main data points that ISPs look at when determining how to treat your mail. In this post, we’ll explore what they are, how you receive them, and what to do with them.

What is a spam complaint?

A complaint is registered when a user clicks the “This Is Spam” button in the mail client. ISPs track the number of people who complained about your mail relative to the amount of mail you sent to them, which is called a “complaint rate”. As you can imagine, the lower the complaint rate the better.

What is an acceptable complaint rate for good delivery?

A complaint rate of 0.2% or lower is considered good.

How do you receive complaints?

Some ISPs (AOL, Microsoft, and Yahoo to name a few) provide complaint reports back to senders via a feedback loop. The M3AAWG website has a resource page that lists the available feedback loops, with more information about what they are, here. At SparkPost, we subscribe all of our customer IPs to the available feedback loops, and the complaints and complaint rate for those ISPs can be viewed in our UI.

Why do ISPs share this information?

ISPs provide this valuable information to senders in order to help them improve their mail programs. That brings us to the next question…

How should you handle spam complaints once you receive them?

Once you are signed up for all of the available FBLs, it’s important to do two things:

  1. Ensure you are removing subscribers who have complained from your list.
    1. Though it’s not a legal requirement, remember that it’s one of the most important metrics ISPs use to decide whether your mail is wanted by their users or whether it deserves to be in the spam folder, or even blocked.
    2. Plus, it’s just bad form to continue mailing people who clearly don’t want your mail.
  2. Look at complaint trends.
    1. Did a new campaign generate a ton of complaints? Maybe it’s time to take a closer look at its content and targeting.
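The two steps above, plus the 0.2% complaint-rate benchmark from earlier in this post, are straightforward to automate once feedback-loop reports arrive in your mailbox. The following is an added example, not SparkPost’s own code. It assumes the reports come in the ARF format (RFC 5965: a multipart/report message with report-type=feedback-report), which the post does not name, and that your outbound mail carries a hypothetical X-Campaign-ID header so complaints can be grouped per campaign. The sample report is constructed, and the second variant shows the case where the ISP has redacted the complaining address, so it has to be recovered from the returned copy of the original message.

```python
"""Turn feedback-loop complaint reports into a suppression list and
per-campaign complaint rates.

Added example, not SparkPost's own code. Assumes ARF (RFC 5965) reports and
a constructed X-Campaign-ID header in the original message.
"""
import email
from collections import Counter
from email import policy
from email.utils import parseaddr

ACCEPTABLE_COMPLAINT_RATE = 0.002  # 0.2%, the figure given in the post

# Constructed ARF report: human-readable part, machine-readable fields,
# and a copy of the original message.
SAMPLE_ARF = """\
From: fbl@isp.example
To: fbl-inbound@sender.example
Subject: FW: Weekly update
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf_boundary"

--arf_boundary
Content-Type: text/plain; charset=us-ascii

This is an email abuse report for a message received from 203.0.113.10.

--arf_boundary
Content-Type: message/feedback-report

Feedback-Type: abuse
User-Agent: ExampleFBL/1.0
Version: 1
Original-Mail-From: <bounce@sender.example>
Original-Rcpt-To: <alice@isp.example>
Reported-Domain: sender.example

--arf_boundary
Content-Type: message/rfc822

From: newsletter@sender.example
To: alice@isp.example
Subject: Weekly update
X-Campaign-ID: 2017-02-weekly

Hello Alice, here is this week's update.

--arf_boundary--
"""

# Constructed variant: some ISPs redact Original-Rcpt-To, so the recipient
# must be recovered from the returned copy of the original message.
SAMPLE_ARF_REDACTED = SAMPLE_ARF.replace("Original-Rcpt-To: <alice@isp.example>\n", "")


def _address(header_value):
    """Normalise '<Alice@isp.example>' to 'alice@isp.example' (None if empty)."""
    addr = parseaddr(str(header_value or ""))[1].lower()
    return addr or None


def parse_feedback_report(raw):
    """Extract feedback type, complaining recipient and campaign id from one ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        raise ValueError("not an ARF report: expected multipart/report")
    report = {"feedback_type": None, "recipient": None, "campaign": None}
    fallback_recipient = None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload(0)  # the report fields parse as a header block
            report["feedback_type"] = str(fields.get("Feedback-Type", "")).lower()
            report["recipient"] = _address(fields.get("Original-Rcpt-To"))
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            campaign = original.get("X-Campaign-ID")
            report["campaign"] = str(campaign) if campaign else None
            fallback_recipient = _address(original.get("To"))
    if report["recipient"] is None:
        report["recipient"] = fallback_recipient
    return report


class ComplaintTracker:
    """Suppression list plus per-campaign complaint counts."""

    def __init__(self):
        self.suppressed = set()
        self.complaints = Counter()

    def record(self, report):
        # Only abuse ("This Is Spam") reports drive suppression and trend counts.
        if report["feedback_type"] != "abuse":
            return False
        if report["recipient"]:
            self.suppressed.add(report["recipient"])
        if report["campaign"]:
            self.complaints[report["campaign"]] += 1
        return True

    def may_send_to(self, address):
        return address.lower() not in self.suppressed

    def complaint_rate(self, campaign, delivered):
        return self.complaints[campaign] / delivered if delivered else 0.0

    def campaign_is_healthy(self, campaign, delivered):
        return self.complaint_rate(campaign, delivered) <= ACCEPTABLE_COMPLAINT_RATE
```

Feed every message from your FBL mailbox through parse_feedback_report and record the result; check may_send_to before each send, and compare campaign_is_healthy against the delivered count from your sending logs to spot the campaign that suddenly drew complaints.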

Spam complaints are a direct signal from your subscribers letting you know how they feel about your mail. Properly managing user expectations lowers your risk of complaints and increases your likelihood of good delivery performance and higher ROI.

Hope this quick overview helps give a better understanding of spam complaints and how you can use them to refine your email programs!

Happy Sending



Do not go gentle into that new normal

At SparkPost’s recent Insight user conference, Steve Jones, executive director of, didn’t hold back. He began his talk on email authentication by bluntly observing that “spam and phishing are the new normal.” I sucked in my breath. Steve’s comment felt like a punch to the gut. I felt like I wanted to defend the honor of email. Yeah, bad guys—sometimes really bad guys—are out there, I thought to myself, but it’s the exception, not the rule! But I knew he was right. I settled down and nodded my head, knowing that Steve’s perspective squared with the experiences of people who manage the front lines of defense at ISPs and corporate email hosts, as well as the findings of email industry organizations like M3AAWG.

Source: M3AAWG Email Metrics Report

Steve noted that 28 billion spam messages are sent every day. By some estimates, phishing is a $3.7 million annual cost for the average enterprise. And for publicly traded companies, a disclosure of phishing leads to a loss of stock value of $411 million or more. As Steve put it, costs like these are fraudulent email’s “hit to reputation and brand, made tangible. And there’s no bottom to what bad actors will do to get your money.”

So, spam and phishing really are the new normal. Companies must incorporate a security posture that takes into account email as a major attack vector that’s exploitable through phishing, malware, and socially engineered content designed to defraud recipients of sensitive information and to steal credentials that grant access to systems.

And this new normal is why Steve’s organization does its work. DMARC, or “Domain-based Message Authentication, Reporting & Conformance,” is a technical specification that builds on earlier SPF and DKIM email authentication mechanisms. In his talk at Insight, Steve presented an overview of the current landscape of email authentication, including why DMARC is important, how it works, and recent developments.

ISPs are moving to an authentication-only world. So should you.


The biggest consumer mailbox providers prefer authenticated email. But that preference may be changing to a mandate. In 2015, Yahoo took the plunge and published a “p=Reject” DMARC record. By doing so, Yahoo essentially told receivers, “if you can’t verify an email came from Yahoo, throw it away. No exceptions.” There are reports that Google may take a similar step for Gmail in 2016.

There have been issues with this “strict” posture—in some cases, legitimate email has suffered because of this spam counter-measure. But, I remind you that false positives are nothing new. It’s frankly just a cost of doing business for senders (and a much smaller cost than those that result from successful phishing attacks). Legitimate senders long have been operating in the shadow of compromised hosts, spam, phishing and other abusive digital communications, and incurring short-term inconveniences to stem that tide is worth the effort. Truth be told, what disturbs me more is the fact that everyone hasn’t yet adopted SPF, DKIM and DMARC as a means of combating spam and protecting their own reputations!
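What a “p=Reject” record actually does at the receiving side is easy to see in code. The following is an added example, not part of the original post and not any mailbox provider’s implementation. It follows the alignment and policy rules of RFC 7489 in simplified form: there are no DNS lookups (the _dmarc TXT record is passed in as a string), and the organisational domain is taken to be the last two labels, where the real algorithm consults the public suffix list. The records and authentication results are constructed; “yahoo.example” stands in for the Yahoo case described above.

```python
"""Evaluate a DMARC policy the way a receiver would after SPF and DKIM have
been checked: does either result align with the From domain, and if not,
what does the domain owner's record say to do?

Added example, not part of the original post. Simplified RFC 7489 logic:
no DNS, and org domain = last two labels (the RFC uses the public suffix list).
"""


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict, filling in RFC defaults."""
    tags = {}
    for item in txt.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    tags.setdefault("pct", "100")  # apply the policy to every message by default
    return tags


def org_domain(domain):
    # Simplification: last two labels (RFC 7489 uses the public suffix list).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    return a == f if mode.lower() == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(from_domain, record_txt, spf=None, dkim=(), sample_hit=True):
    """spf: (result, envelope-from domain) or None; dkim: iterable of
    (result, d= domain). sample_hit says whether this message fell inside
    the record's pct sample."""
    rec = parse_dmarc_record(record_txt)
    spf_aligned = bool(spf) and spf[0].lower() == "pass" and is_aligned(spf[1], from_domain, rec["aspf"])
    dkim_aligned = any(r.lower() == "pass" and is_aligned(d, from_domain, rec["adkim"]) for r, d in dkim)
    passed = spf_aligned or dkim_aligned
    # 'sp' overrides 'p' for subdomains of the organisational domain when present.
    requested = rec["p"].lower()
    if from_domain.lower() != org_domain(from_domain) and "sp" in rec:
        requested = rec["sp"].lower()
    if passed:
        disposition = "none"
    elif not sample_hit and int(rec["pct"]) < 100:
        # Messages outside the pct sample get the next-weaker action.
        disposition = {"reject": "quarantine", "quarantine": "none"}.get(requested, "none")
    else:
        disposition = requested
    return {"pass": passed, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "disposition": disposition}


# Constructed record standing in for Yahoo's p=Reject policy.
YAHOO_LIKE = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@yahoo.example"

if __name__ == "__main__":
    # A forwarder that re-sends Yahoo mail under its own envelope and DKIM domain
    # fails alignment, which is exactly the false-positive case discussed above.
    print(evaluate_dmarc("yahoo.example", YAHOO_LIKE,
                         spf=("pass", "forwarder.example"), dkim=[("pass", "forwarder.example")]))
```

The last case in the block is the “legitimate email has suffered” scenario: SPF and DKIM both pass, but neither result is for the From domain, so the message is rejected. That is why publishing p=Reject only after every legitimate sending path (ESP, ticketing system, forwarders) signs with an aligned DKIM domain matters so much.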

It’s time to splice email authentication into corporate DNA.

The guardians of enterprise security (especially CISOs) often talk about a company’s “security posture,” the plan and cultural shift that a business puts into place to protect its employees, customers, intellectual property, and systems from attack, both cyber and physical. We’re likely all familiar with defenses like firewalls, multi-factor authentication mechanisms, access and password policies, and more.

But what about email? It’s the lifeblood of every company doing business on the internet today. But at too many businesses, email security is limited to spam filters or malware scans. Those are fine front-line tools to help protect against brute force bad guys, but they do little for phishing (and spear-phishing) attacks.

The simple power of email is its ability to connect people and businesses the world over. But the simplicity and ubiquity that makes email the Internet’s “connective tissue” also allows the spread of viruses, fraud, phishing, and compromises to accelerate to pandemic speed as they move from one email box to another.

Every company that works with customer data, financials, or has a broad national or global presence is nothing short of a flame in the night that draws all sorts of malicious attacks. In the digital marketing industry, ESPs, marketing automation companies, anyone who purports to be a marketing system of record… are just some of the inevitable targets for phishing attacks.

Adopting email authentication standards like DMARC (and transport layer encryption standards such as STARTTLS) will go a long, long way to improving your digital messaging security posture. What are you waiting for? Do it.

Learn more.

Ready to learn more about DMARC and email authentication? Here are a few resources to get going.



I recently was catching up on my email, and I was struck that there wasn’t a single marketing message with an attachment in my inbox. The only notes with attachments were transactional in nature: a receipt from a store I made a purchase from and a voicemail notification from my company’s phone system. Those transactional messages didn’t have any images, nor were they long with a bunch of offers. Sure, there were a few links to their website where I could find marketing offers, but no big call to action beyond the essential transactional purpose of the message.

Now curious, I also took a look at my spam folder. In contrast, it had quite a few messages with attachments that looked to be marketing. Upon further investigation, though, it became very clear that those seeming marketing messages actually contained malware. Yikes.

Now you may think, how does this affect me? “The attachments I send aren’t malware, so what’s the problem?” Simple: you might be lumped in with the bad guys because receivers will judge you guilty by association. Anything you do that looks even slightly like the behavior of malware spammers will hurt your deliverability. In this post, I’ll look at some popular techniques used by these bad actors.


First and foremost, the bulk sending of non-transactional messages with attachments has become a clear indicator to ISPs that your messages have a high risk of being malware. It’s hard to overstate what a significant problem computers infected with malware have become for ISPs. When a PC gets infected, it’s often used for sending more spam, which harms the ISP’s reputation, eats up bandwidth, and degrades their network for their customers. When an ISP permits marketing or other bulk senders to send attachments, they’re taking a very sizable risk of exacerbating this problem.

Forewarned and forearmed, I picked apart the header of a message that purported to be from a well-known sender, USAA. However, I immediately noticed a major red flag: a lack of authentication. SPF failed, and there was no DKIM or DomainKeys signature. It is important to authenticate with both SPF and DKIM in order to get into the inbox. ISPs have made it clear that without it, you’re fighting an uphill battle, with a high likelihood of being disposed of as spam.


SparkPost understands the importance of authentication and therefore authenticates with SPF and goes the extra step of signing with DKIM for the sending domain as well as the SparkPost domain.


Moving on from the message headers of this spoofed USAA message, I saw that this spammer was trying really hard to convince me to open the attachment. Sure, the imperfect grammar was a good warning that something wasn’t legit, but a recipient who is a USAA member, and perhaps not reading carefully, just might fall for it—and then, boom, the spammer’s mission is accomplished. Those of us in the business may be a little jaded, but if this technique weren’t effective, it wouldn’t still be around after all these years. It’s a major reason ISPs have become more and more strict about blocking bulk messages with attachments.


As we saw, the example malware spam above was sent en masse, without authentication, and with an attachment. To maximize deliverability, legitimate senders should strive to look as different from that profile as possible. In most cases, it is far better to send an email with no attachment and instead include a link for your recipient to click to access the content you otherwise would have attached. But if you do find yourself unavoidably in need of sending attachments, there are a few key things to keep in mind:

  1. Don’t send attachments in bulk. Instead, send them only in response to transactions initiated by your subscriber. If a subscriber is expecting an email, they are more likely to locate the message and open it, even if it’s in the spam folder.
  2. Don’t include images or marketing-centric calls to action. It’s OK to reference offers and point them to your site, but be careful not to look like you are attempting to slide in the attachment with a marketing message.
  3. Don’t send apps or executable files, as they will be blocked instantly. There is a host of file types that are not allowed by ISPs. Do some advance testing to make sure what you are sending will be accepted by the ISPs you are sending to.
  4. Watch your grammar and spelling. Content is looked at very carefully when sending attachments.
  5. Authenticate! This is a best practice when sending any message, transactional or commercial.
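The manual triage described for the spoofed USAA message (SPF failing, no DKIM signature, an attachment pushed with an urgent call to action) and items 3 and 5 of the list above can be turned into a repeatable check. The following is an added example, not SparkPost’s code. It reads the Authentication-Results header in the RFC 8601 “method=result” layout and lists attachments, flagging file types from a constructed blocklist; real ISP blocklists differ, and the two sample messages are constructed stand-ins for a captured spoof and a legitimate transactional receipt.

```python
"""Flag the red flags the post describes on an inbound message: SPF/DKIM not
passing in Authentication-Results, and attachments of types ISPs block.

Added example, not SparkPost's code. Blocked-extension set and sample
messages are constructed; real ISP blocklists differ.
"""
import re
from email.message import EmailMessage

# Constructed list of extensions that commonly get an attachment blocked outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".jar", ".msi"}


def build_sample(ar_header, filename, payload):
    """Constructed message with one attachment (stand-in for a captured mail)."""
    msg = EmailMessage()
    msg["From"] = "notices@bank.example"
    msg["To"] = "member@recipient.example"
    msg["Subject"] = "Your statement is attached"
    msg["Authentication-Results"] = ar_header
    msg.set_content("Please open the attached statement.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg


def auth_results(msg):
    """Map method -> result (first occurrence wins) from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results.setdefault(method.lower(), result.lower())
    return results


def inspect(msg):
    """Return authentication results, attachment names and the red flags found."""
    auth = auth_results(msg)
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    blocked = [name for name in attachments
               if any(name.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS)]
    flags = []
    if auth.get("spf") != "pass":
        flags.append("spf-not-pass")
    if auth.get("dkim") != "pass":
        flags.append("dkim-not-pass")
    if blocked:
        flags.append("blocked-attachment-type")
    return {"auth": auth, "attachments": attachments, "blocked": blocked, "flags": flags}


# Constructed: what the spoofed message in the post looked like from the headers.
SPOOF = build_sample("mx.recipient.example; spf=fail smtp.mailfrom=bank.example; dkim=none",
                     "statement.exe", b"constructed bytes, not a program")
# Constructed: an authenticated transactional receipt with a PDF attached.
LEGIT = build_sample("mx.recipient.example; spf=pass smtp.mailfrom=bank.example; "
                     "dkim=pass header.d=bank.example",
                     "statement.pdf", b"%PDF-1.4\nconstructed")

if __name__ == "__main__":
    print("spoof:", inspect(SPOOF)["flags"])
    print("legit:", inspect(LEGIT)["flags"])
```

On the sending side, the same inspect() run over a copy of your own outbound message (sent to a seed mailbox that adds Authentication-Results) is a cheap pre-flight test for items 3 and 5 before a campaign goes out.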

Even when following these best practices, you may still find yourself in the spam folder. If that’s the case, it may be best to throw in the towel and try another approach—like using a file-hosting service to handle the attachment.

In this day and age, every company or organization that collects any personal information (pretty much all of them!) needs a privacy policy. Since larger organizations are likely to already have privacy policies in place, I’m going to speak here to the needs of smaller organizations. Here are 3 reasons your smaller organization should create a privacy policy:


With data breaches and identity theft constantly in the news, people are more concerned than ever about what’s happening with their personal information. They are very aware that their information is being collected, and they want to know what’s happening with it. Without a privacy policy, people may wonder what information you’re collecting about them and what you’re doing with it, and may choose not to work with you when they can’t easily find out by reading your policy clearly linked on your website.


As your organization grows, your data collection practices may change. It’s easy to get caught up in the whirlwind of new technology and not realize how your collection of personal information is changing. As new people join your team, they may have new ideas about what information is needed, and how best to make use of it. As things change, it’s good to have a policy as a touchstone.

Setting a privacy policy gives you a guiding light on how your organization thinks about personal information and interacts with customers. It will keep you from making drastic changes without consideration. Having a privacy policy will ensure that your team seeks to fully understand new technologies that collect information before deploying them. In the event of any legal complaints, having a privacy policy in place that your organization follows will protect you from charges that you are working outside the expectations of your customers.


It all comes down to trust. If I don’t know what you’re doing with my personal information, I am less likely to give you my personal information in the first place. If I’m not sure you’ll notify me if you change your practices or think changes through, I am not likely to want to do business with your organization. People do business with organizations they trust, and they trust organizations that are transparent and consistent with their use of personal information. Having a privacy policy in place shows all your potential customers that you take their concerns seriously, and that you can be trusted with their information.

Need help to create a good policy? The Better Business Bureau has a great sample policy here.

Coming Soon: Why You Need to Adhere to Your Privacy Policy

In the next installment in this series, we’ll take a look at what can go wrong when companies put in place solid data privacy policies, but then fail to follow them.

Call it spam or Unsolicited Commercial Email (UCE); it’s still the same thing: a confounding problem that has plagued our inboxes, and the world, starting with the first piece of spam in 1978 by Gary Thuerk. The story and history of spam is full of twists and turns—patterns of abuse have adapted and capitalized on innovative technologies and changes in policy and legislation.

The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) held its 33rd annual meeting last month in San Francisco. As part of the ongoing conversations and training that happen before the official start of the meeting, Autumn Tyr-Salvia, Director of Standards and Best Practices at Message Systems, gave a talk on The History of Spam. Autumn premiered this talk in Boston at the 32nd meeting; the talk covers 4 decades in the battle against spam, highlighting central figures on both sides of the struggle.

Autumn’s talk is a rich narrative and will help you understand how spam evolved and what the industry has done to combat it across multiple fronts. This kind of history lesson is invaluable as it helps you understand the climate in which you send mail, and it drives home the message that the kinds of threats that ISPs and mailbox providers face are really quite daunting. Legitimate email accounts for a small fraction of the total volume of email sent on a daily basis—mailbox providers are constantly trying to find new, programmatic ways to differentiate between legitimate, wanted mail and spam. On the flip side spammers are constantly trying to make their email look more like legitimate mail to bypass the filters on the road to the inbox.

Differentiation is an important concept to take stock of: brands coalesce around how they differentiate themselves from their competitors. Differentiation is equally important when you apply the concept to email delivery and deliverability: senders need to differentiate themselves from spammers by conforming to industry best practices and understanding how spam has evolved since the first shot across the bow.


Some years back I wrote a blog post entitled “What I Learned From Nigerian Spammers.” The inspiration for the post came from a piece of spam I received while working for Unica and attending the Marketing Innovation Summit (the last one, as we had just been acquired by IBM).