In today’s special episode of “For The Love Of Emails” Podcast, hosted by Matthew Vernhout, VP – Deliverability for Netcore, North America, we welcome Raymond Dijkxhoorn, CEO of SURBL. Raymond holds Specialties in anti spam solutions, and large scale mail filtering. He is also experienced in managing server solutions, MySQL clustering, housing and colo solutions.
Introduction (00:06)
You are listening to “For The Love of Email Podcast,” powered by Netcore, a weekly show dedicated to helping email marketers, marketing enthusiasts, and professionals of all walks to engage, grow, and retain customers through reliable, smart, and effective email communication and engagement. Discover actionable ways to increase ROI and deliver value through email innovations, personalization, optimization, email deliverability, and email campaigns. No fluff. Tune in to hear best practices and tactical solutions from the best thought leaders and practitioners to master your email communication. Now.
Matthew Vernhout (00:39)
Welcome to another edition of “For The Love of Email Podcast.” I’m your host, as usual, Matthew Vernhout. I’m coming to you today from the ECC. So my guest is live with me in person today. Normally we would record over the internet because we live in different countries. But we’re both here, and we decided that we were going to sit down and have a great conversation today. I have with me Raymond Dijkxhoorn. Raymond is the CEO of SURBL. SURBL is a block list that functions based on the URLs found within email messages. I’m not doing it justice; I’m sure Raymond also does many other things. So I will ask Raymond to explain what he does and the different projects he’s involved in.
Raymond Dijkxhoorn (01:33)
Yeah, sure. Yeah, so you’re right. We started with the SURBL Project over 20 years ago now. So time goes by pretty fast. And in that time, indeed, we did look at bodies of email messages, and we were looking if there were patterns in there that were not okay. That was basically how we started. But the data is used in various ways nowadays. As weeds get filtered with it, it’s like it’s not only limited to email, it’s a lot wider. And we have excellent relationships with all the registries, which also helps. We don’t only want to do Whack-a-mole games day after day, but we also try proactively to see if we can take down a lot of domains if we see a bad actor having a few thousand of them.
Raymond Dijkxhoorn (02:37)
That’s basically how we started with SURBL Project. I also run one of my other companies called eHawk, which, for email sellers, might be one that they already know, is used for onboarding clients. So that’s also fun if you are an ESP with onboarding or client issues you learn about much later. It might be a fun way to look at eHawk.
Matthew Vernhout (03:07)
Also, eHawk is a service we use to help process inbound accounts to help us determine whether these are domains or customers that we want to work with based on past history, based on existing domain reputation, and in some cases, the age of the domain. Let’s start there. The age of the domain is an important thing to consider when it comes to email.
Matthew Vernhout (03:32)
A lot of times, you get advice. You’ll read it on a blog like buy a new domain, don’t impact your existing domain or corporate domain from your point of view. Where does that sit on the scale of what marketers should do compared to what marketers shouldn’t?
Raymond Dijkxhoorn (03:49)
Yeah. Well, I mean, I get it. And in some of the more prominent companies, it is challenging. If you hire an ESP, you need to extend your existing SPF, DMARC and sign in. And there are many things that if you want to collaborate on a domain level in a very big multinational, that’s hard. So but still, you are promoting your brand. Let’s say Volvo or BMW and if you make BMW promotions.com for the single mailing, from my point of view it doesn’t make sense.
Raymond Dijkxhoorn (04:35)
So you’re crippling some of what you try to accomplish with your brand because you introduce a second brand. Why? I would not recommend it. On the other end of the spectrum, we see this often happening with banks, and we usually call that phishing. When people register a bank domain, banks use their own domain because they don’t want to have that phishing thing. And yeah, new domains have that fishy feeling. I recommend using a sub-domain for your mailings. And if that’s not needed, well done, you take your main domain because that’s what you are promoting, that’s your brand. So it only takes away attention if you have multiple domain names that you need to renew. It’s always a mess. So I wouldn’t recommend that.
Matthew Vernhout (05:42)
Yeah. I’m a big fan of sub-domain over cousin domains or purchasing a new domain. Yeah, right. There’s the whole idea that the fresh 30 domains registered within the last 30 days typically have significantly higher delivery issues than domains that are well-aged you know, as over a year, over five years, 10 years with a long history.
Raymond Dijkxhoorn (06:06)
There is some item that you might need to automate if you start to use like sub-domains for campaigns that if you point those sub-domains to an external party who’s hosting your landing pages, and that campaign is like finished but you forget to clean that DNS record again, and let’s say, it’s an AWS or another cloud provider, and I tend to obtain the IP you were pointing to. That’s the easy way of doing real Phishing also. So if you do sub-domains, also take care of the hygiene of your DNS and check if things are still valid; if not, remove them before somebody else uses them.
Matthew Vernhout (06:55)
Absolutely. Domain management’s a considerable portion, and it involves cross team work. Yeah. It’s your IT team, it’s your security team and your marketing team all working together. And that’s where the benefit of things like DMARC comes in. You can get that global view of your email network and all the related sub-domains currently being used to send an email. Now, from the point of view of SURBL… when you first started, SPF wasn’t a thing,it didn’t exist. DKIM – nobody knew what it was, it was still just an idea. DMARC came 10 years later. How does authentication solutions like SPF, DKIM, and DMARC play into your data sets when determining whether this is a legitimate sender? Is this an illegitimate sender? For traps, for things that you’re looking at on your reputation networks?
Raymond Dijkxhoorn (07:52)
So, we use authentication in fair use ways. And most importantly, if you run a list, any reputation list is based on a high percentage of domains that end up there, which are really bad and not like a few accidental good ones. So in a dataset, we take a lot of time to work on our white-list data, and once, for example, from a big ESP, we see messages with their headers.
Raymond Dijkxhoorn (08:28)
It could be a DKIM replay attack, but we want to avoid that. We list something because their competitors are repeating their messages and throwing them into the traps that they found out we have. Right? So it’s really important that all of those things match. So, if we get a spin trap hit, we know it was from your network and not a competitor trying to get you listed because it happens more than you think. Sometimes, reach out to that ESP and say, hey, this is going on! So they can take care of sending the IP, which we can disclose because somebody is forging it. And it’s also like when we started there was no anti-spam solution. We did a lot of work on the spam assessment project, which is still alive.
Raymond Dijkxhoorn (09:31)
And back then, because our indication was missing in many of the emails sent 20 years ago, SPF was well known, and a few people used it. DMARC was nonexistent. So we always said, well, you can look in the body of the domains, but the headers, well, everybody’s forging headers. So with DKIM, SPF, and DMARC, it gets harder to forge all of that. So our data set is also heavily used in the domains now, like the header checks, which you can do there. And that’s also fun because some bad actors change the body domain names, but the rest is all scripted and templated. So it’s easy for us to find those out. But, yeah, if you’re starting to send a lot of emails, go to one of the nice online DMARC analyzers, make sure that everything is in place, what should be in place, because that’s where it starts.
Raymond Dijkxhoorn (10:38)
It’s, it’s already like zero to one if you’re playing a football match and need to have those things set up correctly. Right. It’s the basics.
Matthew Vernhout (10:50)
Should a sender send an email, land in your trap network, and become listed on the blocklist… I know you have a couple of lists. You mentioned your white list already. Then you have a block list and a multi-list. You probably have a gray list somewhere in between of domains that are questionable but not ready to be blocked. How does the sender work with you to resolve those issues?
Raymond Dijkxhoorn (11:19)
It sounds almost too silly to be accurate, but it talks to us. Most of the ESPs know by now how to find us. We have a feedback address, [email protected], and explain what happened.
Raymond Dijkxhoorn (11:37)
And, that’s already like, if you start sending in, don’t even call it the delisting request, but like an informational request, then be open because sometimes, we get a whole essay with everything that happened, and they fix SPF and whatever they think the issue is without knowing why we listed them. So it’s always a good start to ask us “why did we get listed” and “what can we do to prevent that next time?”. And if you’re a legitimate ESP, we’ll de-list the domains that you’re having issues with, and we’ll see again. But we also have repeat offenders who reply with one single line “list cleaning completed, can you please de-list this?” And then the next week it’s the same. We have a few that just submit weekly tickets, and that won’t work.
Raymond Dijkxhoorn (12:43)
We’re open and easy to work with, but you should also show from the ESP side that you’re serious about this. Some of the ESPs, if we give them a campaign number that is causing issues, they investigate, and usually, we get feedback like: Hey, we terminated this client, or we stopped sending to this specific list. And that’s something we can work with. If things don’t change afterward, we are not enthusiastic about giving you much information about what happened because you’re not doing anything with it anyway. Right. So it has to come from both ends in de-listing cases.
Matthew Vernhout (13:26)
Yeah. So it’s a give and take regarding, please help me understand what I did or my client did. Then I will take that back, process it, figure out what I can do on my end, and then come back and say, all right, here are the actions we took.
Matthew Vernhout (13:40)
Hopefully, this fixes the problem. Let’s try again. And then that could be, like you said, it could be a termination of the account, it could be list hygiene, list suppression, list validation, maybe even again, like, to do a confirmation pass, which may hit your traps, but the message would be something like, please click here to continue receiving those traps, clearly won’t click.
Raymond Dijkxhoorn (14:07)
And it’s like a tiny portion of things that hit and are hitting traps. Most people at the level of sending millions of confirmation emails are less likely to hit traps a lot. We had some music apps that many people use, and those were also sending the re-confirmations and that campaign lasted three or four months because they tend to have a lot of users.
Raymond Dijkxhoorn (14:41)
And we got zillions of traffic. But after that campaign ended, they removed everyone who did not respond. So we don’t see much traffic anymore on our trips because they cleaned it well.
Matthew Vernhout (14:56)
So you hear, you heard it here, list hygiene, important list, consent is essential, keeps you off the lists like SURBL. We’ll switch gears because you mentioned eHawk as well. eHawk is a reputation platform that businesses can use, whether they’re an email sender or even a hosting company. It’s possible they would want to use a solution like that. How did that come to be, and how are your customers incorporating that data into their activities?
Raymond Dijkxhoorn (15:31)
Yeah, so there are various ways of using that data.
Raymond Dijkxhoorn (15:36)
But let me circle back. How did that happen? Why did we start eHawk, and is it useful for people? It was an idea that circled around at one of the messaging conferences. And we talked with a few of the large ESP giants, Mailchimp, SendGrid, Constant Contact. And they all had the same problems, if they had a bad actor and it was booted off one of the networks they run, then it would take a day or two, and then it would pop off at their neighbors. This is good because if it happens at the neighbors, it’s not my problem. But they tend to jump back again. So they said we need to have something that tries to stop that, where we say, if this is a really bad customer doing bad things, we don’t want the industry to have the consequences of that because it’ll impact everyone in the end.
Raymond Dijkxhoorn (16:50)
So we started eHawk with that and made a few products there. And one of the helpful things is the onboarding process. So if you are an ESP or have a different business that wants to validate customer information before they can do anything, like buy something on your site. Basically the eHawk system does a lot of checks, roughly 400 in real-time. And if you have to compare it with something, a bouncer usually stands at the door if you go to a club. And that’s what it is. In less than a second, we will tell you, this customer we see issues with, be careful. We never say you are not joining our club, because we only give you a risk score.
Raymond Dijkxhoorn (17:47)
And it’s up to you to do something with that. But if the risk score is a certain level, you should be very careful taking on that customer, but call him or do other things you usually don’t do when you take in a customer. But the system can detect a lot of stuff.
Matthew Vernhout (18:11)
Applying friction. Make it not as easy to self-serve in that case.
Raymond Dijkxhoorn (18:16)
Yep, yep. And you can do like policy-based decisions afterward. Right? Some clients using that, they do not like rejecting the client because if you reject the client, he knows that the system blocked him out, so he can try again. And that’s not the smartest way of blocking a customer or limiting him.
Raymond Dijkxhoorn (18:42)
So a few customers say, we still sign him on; we send the welcome email, he can log into the dashboard, but his sending practice is like, it’s limited to two messages. Like, that’s it. And usually, they send out a test message to see if it works, and then they start to do the bad stuff. But that’s a lot further in the process. So then you also know what that customer had in mind. So it’s not only slamming the door, but you keep it open a little, and you pick what he would’ve done. Right. And that gives you a lot of, like, good information also, also back to your sales department, like: hey, we blocked his customer and yes, it’s a loss of sales, but see what he would’ve done, you know, it’s a double check.
Matthew Vernhout (19:37)
And it’s great because there is an intermediary that is helping ESPs prevent that cross-client jumping from platform to platform to platform. Exactly, and really, it’s something we can’t do ourselves, I can’t call MailChimp and say we just terminated this customer, it would help if you watched out for them. There are things there legally that prevent that from happening. So yeah, having a reputation score, a series of checks, as you said, just like any other block list, whether it’s the spam house or anything, there is a reputation risk score assigned to that individual, to their IP address, to their email, to whatever it happens to be. That allows you to make those decisions.
Raymond Dijkxhoorn (20:31)
Yeah. And it only takes a bit because we know that some ESPs built something in-house, which is understandable and good, but they only see their traffic.
Raymond Dijkxhoorn (20:43)
So when we already saw traffic, it doesn’t need to be even ESP-related. The product is used quite widely. But if we already have seen something or one of our customers reported it, there’s also a community database involved with that product. If you boot some customer, which is like a very bad one, then you basically submit the data, and it doesn’t have to be PII, but just like, this was the IP, this was the domain don’t link together, but any of those are bad, then all of your colleagues benefit from that.
Matthew Vernhout (21:23)
So there’s a resource pooling of knowledge in a fairly anonymous way.
Raymond Dijkxhoorn (21:31)
A lot of ESPs also have something in their terms of service: if you violate their terms of service, you’re no longer a customer. But some of them also have: we can share that information with others if you violate our terms of service. So sometimes, it’s not even an issue to share that. But if you don’t have something like that in your terms of service, my advice is to add it.
Matthew Vernhout (22:06)
Mental note. When it comes to things like, I see a lot of conversations right now around cold emails and outreach emails – Google’s recently cracked down on some of these API solutions that use and abuse their platform to send cold emails to people. How does SURBL deal with those types of solutions to help protect businesses and consumers from that type of messaging?
Raymond Dijkxhoorn (22:37)
That’s not easy; the domain name is usually not even there. So they ask you to call this phone number, for example, if you are interested. There’s no domain in sight there. They usually use a Gmail address to send out the messages if it’s the Gmail interface. And I would have said a few years ago that it was really tough to block it.
Raymond Dijkxhoorn (23:11)
Right now, it’s the easiest thing to block. So besides the domain block list, we also have a hash block list. The hash block list can do head checks. It can do all kinds of stuff, even body checks. We see, for example, a lot of things with Bitcoin hashes when it comes to sextortion, for instance, which is also usually very hard to block, with no domains in there—only a crypto hash. So, we decided let’s also make something that can detect Bitcoin hashes and take action on that. And the same applies to those API-generated emails that fly out from the Google IP space. It has a sender. There’s always a sender email address. There’s usually a “reply to” that we can use because, usually, those two are not the same.
Raymond Dijkxhoorn (24:10)
And there might even be a third email address in the body. So all of those three are subject to being put in our HBL, you can use it also to filter, and it’s quite an easy way of implementing that. But it also stops things like many ESPs allow URL shortening services like Bitly.co, t.cl
Matthew Vernhout (24:40)
There’s like hundreds of them.
Raymond Dijkxhoorn (24:41)
There are a lot of them. And that was also really hard to block, which is why many people use that. In a good way, they use it to do some click tracking, counting and see what the user does but in the bad way you could put any link there. So you make the template ready, you put your Bitly link there, while sending it points to a completely nice site, not the one that you want to send to them afterward, but during the sending they change to whatever they want.
Raymond Dijkxhoorn (25:17)
And that could be a malicious site, phishing site, you could have malware injected if you end up there. And that’s hard from the ESP side to validate or check that when the mail goes out because it looks legit. Only during traveling does it change. So there’s also some advice from our end and we also give the same advice to all of those re-director sites. We have contacted many of them to ask if they would support that. And that’s basically if you have re-directors in your email, don’t allow like a second one or a third one or a fourth one because usually, they chain them, and well, we have had occasions where there was some logic when they explained why they did that but usually it’s just bad.
Raymond Dijkxhoorn (26:15)
They try to hide wherever they want to go and you should not allow your user base to do that. It’s usually a very bad sign. So many of the redirector operators also implemented something like if you go to the redirector service, they don’t allow you to go to another service. And that’s something that an ESP also should do. Hey, if this redirection is five levels, what is that guy doing? That’s just like you have no idea why he’s doing that.
Matthew Vernhout (26:50)
Right, like: Why do you need to redirect? You know, nothing good happens at that point. Looking for bigger picture advice for marketers sending emails to summarize what you look for and how they can stay out of trouble, what would you tell them?
Raymond Dijkxhoorn (27:10)
So we see a lot that the ESP that we like are getting bigger and have experienced this more than once, they will say, yeah, it was a really bad idea if we just had one domain for all of our customers. And if one loads up a bad list, the others are impacted. It would help if you always looked at how you can segment customers in a viable way for the block list industry. Right? And that’s different than just putting a header in the message. We had that discussion before with a couple of ESPs where they said, well, we put a header in there, and you don’t need to block our domain, but you can tell us the header, which was like giving trouble. So we can take care of that.
Raymond Dijkxhoorn (28:03)
But that doesn’t stop issues at the inbox providers, our customers, who expect us to do our job. So in those cases, either we block the complete domain or don’t. So if there’s a lot of collateral damage, let’s say, for a very big ESP, 1% is bad, and we can talk about it, sure, we can talk about it. We want to avoid having issues where we block many legitimate emails. Right. So that’s our main concern. But to differentiate for that purpose, if you have tracker domains, which most ESPs have, make them for a customer. Right? And not only in the headers but also give that a sub-domain per campaign or customer. You don’t need to name the customer. It doesn’t need to be the identifier. So we know which customer it is.
Raymond Dijkxhoorn (29:00)
It can be a random internal number, but still, it has to be something that, on the sub-domain level, we should be able to detect. So once something is happening, you also, on your end, know exactly which customer caused it because, well, it was like this, this sub-domain, which is linked to that customer. So you don’t even have to ask me what happened. You can look on your end, and we don’t have to slam the whole domain in our list because we can also do it at a subdomain level.
Matthew Vernhout (29:35)
And that’s an important distinction because some ESPs operate on a shared configuration. And their differentiator is the subdomain. Right? It’s a service that we have, it’s a legacy service, but it’s one that we’re moving away from where clients are using their own domains, their own using their authentication and their link tracking. And we’re in theory trying to become less visible to their consumers so that the client’s brand is more in front because that’s what the consumer is interacting with, it’s the company. They’re not interacting with the ESP. They shouldn’t be interacting with the ESP. They should be interacting with the brand that they have that relationship with.
Raymond Dijkxhoorn (30:19)
And also if, for whatever reason, they change ESP because they’re not happy or missing features, then they can move their tracking domain to the other ESP and start doing the same. And from a customer point of view, it’s more consistent also. And it’s brand, as we circle back to when we started, like when you do separate domains for brands, it’s the same. To make your own decisions on that.
Raymond Dijkxhoorn (30:47)
It’s your brand. It’s not the ESP brand that you’re promoting.
Matthew Vernhout (30:51)
Here’s a great question. What are your, what are your feelings around the idea of, you know, promo.client.com and transactional.client.com subdomain breakouts? Is that something that more brands should be thinking about doing?
Raymond Dijkxhoorn (31:06)
It’s a wise decision. It’s very easy for the people handling your email flow to directly distinguish whether it should end up in the spam folder because they didn’t ask for these promotions or if it’s transactional and it’s clearly a transactional email, so it should end up in the inbox folder and a different decision part. So yeah. That’s important. It’s an important part of your deliverability to package it right.
Matthew Vernhout (31:40)
So in summary we got, don’t use cousin domains, don’t buy something new.
Matthew Vernhout (31:48)
Segment your marketing and your transactional messaging, clean your lists, and ask questions if you’re confused or if you do get listed. With the feedback you get, actually fix it. Don’t just lie about it. And, you know, your reputation precedes you in regards to moving from platform to platform. That summarizes your services well and how you consult with people.
Raymond Dijkxhoorn (32:17)
Yeah, it is, and also, like, let’s say you’re merging two brands, which also happens, it’s very wise to reach out to us. We had it with a few banks, international banks that merged, and we got a lot of emails in our traps from a bank that we never heard about. And that’s not good. Usually, banks that we never hear about, we call phishing. So, that ruined their whole campaign.
Raymond Dijkxhoorn (32:49)
The whole idea was to introduce their customers. But they forgot to introduce the whole chain before it ended up there. So that’s also something. We do that quite a lot.
Matthew Vernhout (33:02)
That’s true. That’s important – to work with your ESP. Your ESP is going to know who to reach out to at various mailbox providers that are interested, various block list providers that are interested, and various reputation list providers that are interested. Yeah. In knowing the stuff proactively. That’s a great point to make in this scenario.
Raymond Dijkxhoorn (33:20)
Most people recognize that afterward, like, we should have done that because now we are in deep shit, and it’s sometimes really easy. We also saw it with the large campaigns that Microsoft did for most of the American people sending out help messages and offering all of the governmental campaigns running to help businesses to help people.
Raymond Dijkxhoorn (33:51)
And that was also with a completely new set of domains. So is that Phishing? Is it not phishing? I don’t know if it’s like if it’s ending up in spam traps. I might tend to say it’s Phishing. So if a big company reaches out to us and says, this is going to happen, we will send out a few million or a few billion emails. There might be something ending up here in your spam trap. Well, fine. It’s not our goal to block anything which does a little bit wrong. That’s not the case.
Matthew Vernhout (34:29)
You’re looking for the really malicious bad actor.
Raymond Dijkxhoorn (34:31)
Oh yeah.
Matthew Vernhout (34:34)
Well, Raymond, thank you for joining me on the podcast today. If you want to reach Raymond, what is the best way to contact you to learn more about your services? You don’t have to give your email address, but your website or social media handle.
Raymond Dijkxhoorn (34:48)
You can always do [email protected]. it’s the easiest way, and that’s not because I don’t want to share my email, but I’m always either traveling, working, and feedback has a team behind it, which makes it a lot easier to have questions answered. Yeah, it could be questions like if you ever have recent listings, like we rather have people reach out than us having to do the same thing all over month after month. We started this project to help people have a nice inbox that they could handle. And we do a good job there. But still, if some ESP has questions, the ESP traffic is, is a small part of the things that we have listed.
Raymond Dijkxhoorn (35:52)
A large part is botnets, botnet traffic, large campaigns, still trying to sell something, but usually different than the type of ESP traffic we see, and usually they don’t reach out.
Matthew Vernhout (36:09)
So just buy a new domain and move on.
Raymond Dijkxhoorn (36:11)
Then we slam thousands of domains and we never get a complaint like: Hey, you slammed 5,000 of our domains. So if you’re reaching out to us, that means you’re human. Right? You’re not a bot and, usually, that works. We can, we can resolve it. We’re reasonable. And, just circling back to what we said before, just be open about it. Even if you say, Hey, we had a bad customer. Tell us you had a bad customer. That’s better than just making up a story that we had a hire and he loaded the wrong list.
Raymond Dijkxhoorn (36:45)
We had all of the excuses we know now.
Matthew Vernhout (36:48)
All the old intern excuses we hit, the intern did it. Well, Raymond, thanks again for joining me on the “For The Love of Emails Podcast,” you’ve been a fantastic guest. If you want to understand SURBL, then SURBL.Org, that’s where you can find them. Again, I’m Matthew Vernhout, your host. Please like, subscribe, and share this podcast with your friends, especially if you found it useful. And we’d love to hear your feedback. So please drop us a note anywhere at netcorecloud.com domain; we’d love to hear from you. Thanks again, Raymond.
Raymond Dijkxhoorn (37:26)
Thanks.
Outro (37:27)
You’ve been listening to “For The Love of Emails Podcast,” powered by Netcore. Hit subscribe in your favorite podcast player to make sure you never miss an episode. To learn more about effective email communications and engagement through AI-powered email solutions, visit netcore.com. The only global email engagement leader delivering marketing ROI and value to 20+ global unicorns and 6500+ brands for over two decades.
