Saturday, September 19, 2009

Technical Discussion of How Social Networking Sites Send Transactional Email

Shortly after JangoMail launched its own transactional email platform, we took on a flood of new clients with a need to send "social networking" type transactional emails, including "You have a new message" notifications and "You have a new friend request" notifications. Then we launched our SMTP relay for email marketers, and the floodgates ripped off.

We're often asked what the best practices are from a technical standpoint, with respect to issues like Content, From Addressing, DomainKeys and DKIM, and SPF/SenderID. Should the content of a message sent from one member to another be included in the email notification, or should the recipient have to log in to the site to read the message? Should a "friend request" email come "from" the friend or "from" the social networking site? Should the email contain Plain Text, or HTML, or both? To best answer these questions, I've analyzed transactional email from the most notable social networking sites -- Facebook, LinkedIn, Friendster, and MySpace. Note that this is an article about the technical aspects of sending transactional email. If you're looking for an article on transactional email strategy (what to send, how often, to whom...), then you won't find that here, but you can in many other places.

The following are the properties of each social networking site's email that I will analyze:
  1. Presence of a DomainKeys header.
  2. Presence of a DKIM header.
  3. Sender Policy Framework (SPF) compliant email.
  4. The From Address
  5. The From Display Name
  6. The SMTP MAIL-FROM Address used in the SMTP transaction
  7. The Sender header, if present
  8. The Reply-To header, if present
  9. Use of a unique identifier in the SMTP MAIL-FROM address
  10. The content, particularly whether a friend's message is present in the Email Body, or whether the user must log in to read the message.
  11. The use of HTML versus Plain Text MIME parts.
Let's get started with the biggest social network of all, Facebook:


When somebody sends me a message on Facebook, I get an email notification with the Subject line:

"Mary Parker sent you a message on Facebook..."

The Body of the email contains the actual message, which is convenient, because it prevents me from having to log in to Facebook to read the message.

From Address:
From Name:
v=1; a=rsa-sha1;; s=q1-2009b; c=relaxed/relaxed;q=dns/txt;; t=1253415012;h=From:Subject:Date:To:MIME-Version:Content-Type;bh=fLwGefDfPrLKUK2vwWzaC5k5iNo=;b=DfJugajI0Fsc5FIppBQSfSAAiV+WuK1ugzc00USpIkJku3sUgcupO+TPua0Tcxw7qJDUE0yRohPMWz3jPwPfRA==;

A DKIM-Signature header for is present, but it is noteworthy that a DomainKey-Signature header is not present.

The SMTP MAIL-FROM address is:

Facebook Transactional Email SMTP Log: [03A4] 22:50:13 Connected [03A4] 22:50:13 >>> 220 ESMTP IceWarp 9.1.0; Sat, 19 Sep 2009 22:50:13 -0400 [03A4] 22:50:13 <<< EHLO [03A4] 22:50:13 >>> Hello [], pleased to meet you. [03A4] 22:50:13 <<< MAIL FROM:<> [03A4] 22:50:13 >>> 250 2.1.0 <>... Sender ok [03A4] 22:50:13 <<< RCPT TO:<> [03A4] 22:50:13 >>> 250 2.1.5 <>... Recipient ok [03A4] 22:50:13 <<< DATA [03A4] 22:50:13 >>> 354 Enter mail, end with "." on a line by itself [03A4] 22:50:13 *** <> <> 1 2021 00:00:00 OK BLS56313 [03A4] 22:50:13 >>> 250 2.6.0 2021 bytes received in 00:00:00; Message id BLS56313 accepted for delivery

The SPF record for is:

"v=spf1 mx ip4: ip4: -all"

The connecting IP is, which is a part of the "ip4:" directive and therefore this IP is SPF-valid for sending email "FROM"

Noteworthy Points:
  1. It's excellent that Facebook is employing both SPF and DKIM.
  2. The email lacks a DomainKey-Signature header for backwards compatibility for receiving systems that might not be DKIM-compliant yet.
  3. The email is from "Facebook" and not my friend "Mary Parker". This is likely to prevent people from attempting to reply to the email as a way of writing back to "Mary Parker". The only way to reply to the message is to login to Facebook and use their internal messaging system.
  4. Facebook's transactional emails come from the domain rather than the more recognizable This is perhaps to separate email reputation from their actual high-value business domain That way, should their emails be treated as spam by a network, the domain name will be punished, not
  5. The X-Mailer header of the email is:

    X-Mailer: ZuckMail [version 1.00]

    Presumably, ZuckMail is an email system written by, or an homage to, Facebook's founder Mark Zuckerberg.


LinkedIn sends transactional email differently than Facebook. While Facebook "friend request" email comes from "Facebook" and a no-reply email address, LinkedIn's "Join my network" emails usually come "From" the person trying to add you.

The relevant headers from a LinkedIn transactional email are below:

DomainKey-Signature: s=prod;; c=nofws; q=dns; h=Sender:Date:From:To:Message-ID:Subject:MIME-Version: Content-Type:X-LinkedIn-fbl;b=KQVq9LfSNIZ+6tOuz7xUaUW1wx86f62EndMqyY+bbkmI8jHQDNe8HdtW ZfJsxH50d8nvAnQHryCdQKGfBEY0u2t5sXkrRmf7yCAhhg4Q9aqBo20KZ LSUvTK726opFnO0;
From: "Mary Parker" <>
To: Ajay Goel <>

Note that the the From Name is my friend "Mary Parker" and the From Address is Mary's email address, Because no Reply-To header is present, clicking "Reply" on my email client will auto-address the message to the From Address,

From an authentication perspective, it's interesting that the LinkedIn transactional email contains the DomainKey-Signature header, but not the more modern DKIM-Signature header. JangoMail transactional emails contain both the DomainKey-Signature and the DKIM-Signature headers, for the highest level of compatibility with all receiving email systems.

LinkedIn Transactional Email SMTP Log: [057C] 12:16:54 Connected [057C] 12:16:54 >>> 220 ESMTP IceWarp 9.1.0; Thu, 03 Sep 2009 12:16:54 -0400 [057C] 12:16:54 <<< EHLO [057C] 12:16:54 >>> Hello [], pleased to meet you. [057C] 12:16:54 <<< MAIL FROM:<> SIZE=3706 [057C] 12:16:54 >>> 250 2.1.0 <>... Sender ok [057C] 12:16:54 <<< RCPT TO:<> [057C] 12:16:54 >>> 250 2.1.5 <>... Recipient ok [057C] 12:16:54 <<< DATA [057C] 12:16:54 >>> 354 Enter mail, end with "." on a line by itself [057C] 12:16:54 *** <> <> 1 4048 00:00:00 OK KZT46754 [057C] 12:16:54 >>> 250 2.6.0 4048 bytes received in 00:00:00; Message id KZT46754 accepted for delivery

Noteworthy Points:

  1. 1. The SMTP MAIL-FROM address is a string of characters followed by LinkedIn is using a sub-domain of its high-value business domain, JangoMail also offers the option to setup a sub-domain based off your corporate domain name. The string of randomly generated characters is presumably to track any bounce that occurs as a result of this particular transactional email. If the MTA sends a notification back to, the LinkedIn system will be able to immediately tie the identifier present in that email address and use that information to immediately notify Mary Parker that the email to me bounced. JangoMail also handles bounces to transactional emails, but with a unique identifier in the X-VConfig header of the message as opposed to within the MAIL-FROM address itself. Both options are legitimate for tracking bounces.
  2. The SPF record for is:


    The redirect directive then tells us to look up the SPF record for, which is:

    "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: mx ~all"

    The sending IP is covered by the "ip4:" designation, therefore this email passes the SPF test.
  3. Emails with subject line "Invitation to connect on LinkedIn" always has the user's information as the From Name / From Address.
  4. Emails with subject line "Join my network on LinkedIn" sometimes have the From Name / From Address of the user, but other times From Name is "Mary Parker (LinkedIn Invitations)" and From Address is

    I have been unable to determine the reason for the ambiguity with the "Join my network on LinkedIn" emails.


The following are the relevant headers from a Friendster "new message" notification:

From: Friendster <>
Subject: New Friendster Message from Vikki - 09/07/09 10:17 PM

Friendster Transactional Email SMTP Log: [03A4] 01:17:58 Connected [03A4] 01:17:58 >>> 220 ESMTP IceWarp 9.1.0; Tue, 08 Sep 2009 01:17:58 -0400 [03A4] 01:17:58 <<< EHLO [03A4] 01:17:58 >>> Hello [], pleased to meet you. [03A4] 01:17:58 <<< MAIL FROM:<> SIZE=9837 [03A4] 01:17:58 >>> 250 2.1.0 <>... Sender ok [03A4] 01:17:58 <<< RCPT TO:<> [03A4] 01:17:58 >>> 250 2.1.5 <>... Recipient ok [03A4] 01:17:58 <<< DATA [03A4] 01:17:58 >>> 354 Enter mail, end with "." on a line by itself [03A4] 01:17:58 *** <> <> 1 10017 00:00:00 OK POZ63258 [03A4] 01:17:58 >>> 250 2.6.0 10017 bytes received in 00:00:00; Message id POZ63258 accepted for delivery

Noteworthy Points:
  1. The complete lack of both DomainKeys and DKIM signatures.
  2. The email is SPF compliant. The SPF record for is "v=spf1 mx ip4: -all" and the sending IP is, which is covered by the "ip4:" directive.
  3. The email is not "from" my friend but instead is from "Friendster". The From Email is also not of my friend, but a Friendster unique email address, in this case The From Address is the same as the SMTP MAIL-FROM address shown in the SMTP transaction. Therefore bounces at the MTA level will be sent to, and the unique number that's a part of that From Address presumably allows the Friendster mail system to know that it was this particular transactional email that bounced.
  4. There is no Reply-To address, so if the user does hit Reply in his email client, the reply will go to the From Address,, and sending to this will presumably cause the email to be lost in the ether.


The following are the relevant headers from a MySpace "new message" notification:

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=pmta;;h=MIME-Version:From:To:Reply-To:Date:Subject:Content-Type:Content-Transfer-Encoding;;bh=T25HyvwBLohBcz5zhA0xB0tJqdc=;b=SeqKqNrcg4jDIyy0lmlo2BJje2frO0hgd16E9M/Y7U42LNLPh+cLlr7q5muDN7ASuPzwaNIvjj9VKq9VzNSvnxNukRsF2ICj+jT7GFRHdO39feZXnyJgcGbu0eHGLF7v83PL8CApEF80w/f3HuZ8xZgzYQcagUvNeD2jUmTqj/4=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=pmta;;b=SlJszI5cM6w78pK5nSJLzVTrrFw5YgU2vX8GraxP8yPjhbb6/hZ+oMjr7HUF21r8wyK774IEA/o/u3Y6z+kcpRHTf7D3TWD94TCZW+mQDGxl3t+FSdqLLt4ISVUvGu+LTAIMfpSOzVKNnz3C/4QHpAg1c2a2jRu1IFmrPbqOaK0=;
From: MySpace <>
Reply-To: MySpace <>
Subject: MaryParker has sent you a new message!

MySpace Transactional Email SMTP Log: [0664] 18:04:01 Connected [0664] 18:04:01 >>> 220 ESMTP IceWarp 9.1.0; Fri, 10 Jul 2009 18:04:01 -0400 [0664] 18:04:01 <<< EHLO [0664] 18:04:01 >>> Hello [], pleased to meet you. [0664] 18:04:01 <<< MAIL FROM:<> BODY=8BITMIME [0664] 18:04:01 >>> 250 2.1.0 <>... Sender ok [0664] 18:04:01 <<< RCPT TO:<> [0664] 18:04:01 >>> 250 2.1.5 <>... Recipient ok [0664] 18:04:02 <<< DATA [0664] 18:04:02 >>> 354 Enter mail, end with "." on a line by itself [0664] 18:04:02 *** <> <> 1 5669 00:00:00 OK RDO05602 [0664] 18:04:02 >>> 250 2.6.0 5669 bytes received in 00:00:00; Message id RDO05602 accepted for delivery

MySpace is the only one of the four social networking sites to use both the DomainKey-Signature and the DKIM-Signature headers, so kudos to MySpace for considering the entire email ecosystem.

Noteworthy Points:

  1. Both DKIM and DomainKeys headers present.
  2. SPF passes. The SPF record for is "v=spf1 ip4: ip4: ip4: ip4: a ~all" and the sending IP is, which is included in the "ip4:" directive.
  3. The email is From "MySpace" rather than "Mary Parker", and the From Address is instead of The From Address clearly implies that you should not reply to it, unlike Friendster's address. Clearly MySpace wants you to log in to the site to reply rather than by email.
  4. The SMTP MAIL FROM is, and does not contain a unique identifier.
  5. The Reply-To header is present, but its value is the same as the From Address. So regardless, if you hit Reply on your email client, the email is going to

If I had to rank the social networking sites in order of best to worse in sending authenticated, compliant, and useful transactional email, this would be the ranking:

1. Facebook (Best)

Positive: Emails are DKIM and SPF compliant. Email notifications of "You have a new message" include the message in the body of the email.
Negative: No DomainKeys signature, and the Reply-To address is one that cannot receive replies.

2. MySpace

Positive: Emails are SPF, DKIM, and DomainKeys compliant - the only social network to use all three.
Negative: Notifications of "You have a new message" force you to login to read your message. The Reply-To address is one that cannot receive replies.

3. LinkedIn

Positive: Emails are SPF and DomainKeys compliant. Sometimes emails are "From" the actual friend rather than LinkedIn. Proper use of the Sender header.
Negative: No DKIM signature, which means LinkedIn is complying with the older DomainKeys standard but not the newer DKIM standard. Notifications of "You have a new message" force you to login to read your message.

4. Friendster (Worst)

Positive: Emails are SPF compliant.
Negative: No DomainKeys signature. No DKIM signature. Notifications of "You have a new message" force you to login to read your message. The Reply-To address is one that cannot receive replies.

JangoMail Best Practice Recommendations:

When using JangoMail to send transactional emails for a social network, you can optimize the deliverability and usability of your emails by following these guidelines:

1. Ensure your emails are SPF compliant. In most cases, your emails will already be SPF compliant. Whether you're using as your From Address or as your From Address, SPF validates the SMTP MAIL-FROM Address, not the Display From Address that the recipient sees. The SMTP MAIL-FROM Address, meaning the From Address that shows in the SMTP logs, will always be, unless one of the following is true:

a. You've setup a custom sub-domain, in which case your sub-domain will be reflected in the SMTP MAIL-FROM.
b. You've explicitly set the SMTP MAIL-FROM by unchecking the "Use JangoMail MAIL-FROM" box on the Send Email page.
c. You've explicitly set the UseSystemMailFrom=False option when calling the SendTransactionalEmail API method.
d. You've unchecked the Use JangoMail MAIL-FROM box under My Options --> SMTP Relay, and you are using the smtp relay to send your emails.

2. Ensure your emails are signed with DKIM and DomainKeys. Once you've setup your account to use DKIM, your emails will automatically include both a DKIM and a DomainKeys signature. Read this guide to learn how to configure DomainKeys/DKIM for your emails.

3. Determine whether the content of a "You have a new message" email should appear in the Body of the email or whether you want to force the recipient to login to read the new message. I personally favor Facebook's method of including the original message in the email notification but forcing the recipient to log in to reply. After all, free social networks need to generate page-views, and they can't do that if they allow back-and-forth messaging functionality all within email.

4. Determine whether the From Address and/or Reply-To Address should be that of your social network's or that of your user's. We've seen that in the big four, LinkedIn is the only site that shows the user's name and email address in the From Line. This allows the recipient to conveniently reply to the sender of the message via email. The disadvantage to the owner of the social network is that the recipient need not visit the web site to reply to the message.

Therefore, If you wish to optimize the user experience, set the user's name and email address in the From line of the email message. If you employ this strategy, consider these points:

a. Your emails will still be SPF compliant so long as the SMTP MAIL-FROM contains a single consistent domain and SPF has been setup properly for that single domain.
b. Return Path, a large email deliverability company, recommends that if you send emails in this manner, be sure to include the "Sender" header as well. In JangoMail, you need only contact Support to have the Sender header turned on for your account.
c. There is a small chance that your emails will not be SenderID compliant, since SenderID may validate the Display From Address in addition to the SMTP MAIL-FROM address. However most SPF records for major domains are just that - SPF records and not SenderID records. In fact, all four major social networking sites use ONLY SPF, and not SenderID, as shown by the v=spf1 designation in all four records.

The best option may be to set the From Address to the social network site's address (, and set a Reply-To Address equal to the user's email address. The advantage of this setup is that you need not worry about any SPF/SenderID issues, and if the recipient hits Reply, the email will be directed to the user, not the social network web site. It is still important to have the Sender header inserted, however.