Why you might not receive our emails (and what to do)

Unlike most small businesses, I don’t outsource Cultivariable email to a big service provider like gmail.  Instead, I actually run the server.  It hasn’t always been this way, but running the mail server gives me better flexibility and offers increased privacy to customers who care about it.  I take advantage of all of the options to run a clean and secure server.  Our DNS is DNSSEC, the domain uses SPF, DKIM, DMARC, and DANE to ensure that spammers can’t pretend to be Cultivariable and that your mail provider can securely connect to us.  If that is a bunch of word salad to you, and it probably is, that’s OK.  What it boils down to is that I use every method that is currently available to provide secure, authenticated, and encrypted communication.

Despite all of that, there is a fair chance that, if you place an order or I ship your order right now, you will not get the confirmation email.  Why?  Because we have been put on a blacklist.  A number of organizations maintain blacklists for mail server addresses that are used to send spam.  The big email providers then subscribe to these blacklists and use them to automatically block emails originating from the listed email addresses.  That actually sounds like a totally reasonable thing to do.  I always thought so.  I even use a blacklist on our mail server.

Why are we on a blacklist?  An outfit known as UCEPROTECT decided to blacklist our hosting provider and the IP subnet that the Cultivariable server lives on.  They readily acknowledge that there is nothing wrong with my mailserver.  Here is what they have to say:

Who is responsible for this listing?
YOU ARE NOT!. Your IP 74.208.144.186 was NOT directly involved in aabuse, but has a bad neighborhood. Other customers within this range did not care about their security and got hacked, started spamming, or were even attacking others, while your provider has possibly not even noticed that there is a serious problem.
We are sorry for you, but you have chosen an provider not acting fast enough on abusers.

This is like living in a neighborhood where someone was accused of postal fraud, so nobody in the neighborhood is allowed to use the post office anymore.

There is a solution to this problem, assuming that I don’t want to go with the implied solution and completely uproot Cultivariable to move to another hosting company.  They offer it here: http://www.whitelisted.org/

That’s right!  You can buy an indulgence for 25 Swiss Francs a month.  It does nothing for your security, of course.  Nothing would change other than that I would pay them and they would remove me from the list that they created.  Major email providers like Apple, Google, and Microsoft actually use the blacklist provided by these creeps.  We should really call it a blackmaillist.

I’m not even that upset with UCEPROTECT.  Scroungy predators will do their thing.  I don’t get mad when a raccoon gets after my birds, I just shoot it and move on with life.  I’m a little bit upset with my hosting provider, because there is no doubt that they could do a better job dealing with email abuse, but they are a bargain hosting provider and there are tradeoffs.  Sure, I would love to do business with a top-shelf bare metal hosting provider, but I can’t afford it.  The real villains in this scenario are the big email providers that are using the UCEPROTECT blacklist.  They know that thousands of people who are not abusers get swept up in these mass listings.  That is all to their benefit, because they want everyone to use them for email, so they can collect data.  Make the little guy’s life difficult enough and he will just have to outsource his email delivery to Google, Microsoft, or Amazon.

Well, I’m certainly not paying protection money to UCEPROTECT.  And I am not going to be forced back onto a big surveillance provider.  For the moment, I will just have to live with the fact that email is going to be unreliable.  Because of this, I strongly recommend that you create an account when placing an order.  If you have an account, you can check the status of your order and use the site private messaging function, so we can communicate without email.  There is a messenger button associated with each order under your account.

Another option that you might consider is to open an email account with a small email provider, preferably one to whom you pay something.  Most small email providers do not use the UCEPROTECT blacklist, but, even if they do, small providers are usually responsive to complaints.  Because this blacklist spans such large segments of the Internet, there is a good chance that you are also missing mails sent by others who have been blocked.  As a nice bonus, the privacy of your email is restored when you move away from the free email model, where your information is mined and sold to finance the product.  We’re sleepwalking into a future where a few big companies own most of the Internet because it is free and easy.

I will update this post when something changes or when I have a solution.