Monday, November 29, 2021

Bulk emails with SMTP

I was exploring ways to send emails in bulk without having to pay for a service. I did some experimentation using Python's 'smtplib' library. Here, I present some of my observations:

1. I tried sending an email with a Discord server invite to a little over 150 people (retrieved from the 'To:' field of an email in my Gmail inbox) by simply pasting the email addresses in the 'To:' field of Gmail's web interface, but it didn't reach them. It wasn't going to their Spam either. Gmail didn't give any error either. So I thought Google must have delayed the request owing to the large number of recipients. Later that day(~6 hours later), I found that the email had popped up in my Spam(my second email address was among the recipients). This is why I thought sending individual emails to the list of recipients via SMTP would be my best bet.

2. I didn't want a commercial software and I didn't find any widely available safe, free option. I wasn't planning on making an end-user focused software either. So, I chose Python with the smtplib library. I made the following observations from my experimentation. Note that I made a new email address corresponding to each of the following SMTP servers I tried.

a) Yahoo's SMTP server blocks email send requests upon sending 10-15 emails back to back (throws exceptions - SMTPDataError, ConnectionRefused exception, etc.)

b) Gmail's SMTP server easily sends a hundred emails (could be more, didn't test) flawlessly on the client side without throwing any exception. but it is not certain those emails will reach the destination, and when they do, they can end up in spam

c) Outlook's SMTP server easily sends over a 150 emails (could be more, haven't tested) but its behavior is complicated. If you haven't logged into your Outlook email inbox recently, and you try sending emails in bulk, it throws a very descriptive exception: SuspendedException or BlockedException or something along those lines, meaning your account gets flagged and temporarily blocked. To remedy this, you just open your Outlook inbox in a web browser, and let it verify your authenticity - usually asks for a mobile number, just fill up the access code sent via SMS and it gets unblocked again. Then, it's pretty well behaved after this. I kept batch sizes of 50 emails back to back. Then I sent a single legit email using the web interface of Outlook and went back to the script again. Worked like a charm. But, although the email was being reported to be successfully sent on the client side(using the SMTP script), the email could end up as Spam on the recipient side. To remedy this, I adopted the approach explained in (d).

d) While sending emails via SMTP(not the web interface), including an external link (in my case, a Discord invite) in the email body was enough for the receiving Gmail client to mark the email as Spam. However, when I removed just the link with the rest of the message intact, it appeared in the recipient's inbox right away. Then I tried sending the same email with the link included again and it was no longer marked as Spam, it went straight to the proper inbox! So, I figured it's better to first send a warm-up email not containing any link and then to immediately follow it up with another email which does contain the external link. But sending these two emails back to back was still getting marked as Spam. It was probably due to the short duration between the two emails. So, I switched to first sending a batch of warm-up emails to a batch of recipients, waiting a couple minutes then sending the actual email to them. this worked very well with Outlook's SMTP server. Haven't tested with Gmail's.

Minor observations:

i) Yahoo requires generating an 'app password' for use in SMTP mailing; the default login password doesn't work.

ii) Gmail doesn't require generating an 'app password' but does require enabling 'less secure apps' from Gmail account settings. The same login password is used.

iii) Hotmail doesn't require 'app password' or anything, just your regular login password will do. It just emails you to confirm if the 'suspicious app' that tried accessing your email account was you. You can confirm it through a web interface and you're good.

iv) I had tried as well, seeing as it didn't require mobile number to sign up but its SMTP server didn't behave too well. Btw it also requires you to generate an 'app password' for using SMTP.

v) Protonmail doesn't have a public SMTP server, so it's not as simple as the other email providers to send emails programmatically with it.

vi) The SMTP message headers are difficult to get right, for example the "Subject" header is sometimes recognized by a receiving client while some others don't detect it and display (no subject) instead. It also changes with the SMTP server you're using to send the email. The SMTP header structure seems to be interpreted differently according to the SMTP server you're using.

Here's the corresponding script.

Update/side note:

The conversion rate seems to be hovering at around 10% in this campaign.