

Who is Lucky Brand?

For anyone who is unfamiliar with the name, Lucky Brand is the maker of Lucky Jeans. According to their website, they have 209 stores all over America and sell their clothing line through department stores as well as online retailers.

I’d like to preface this story with a disclosure: Lucky Jeans are my all-time favorite jeans. They fit great, have an awesome look and are the most comfortable jeans I own. I probably have 7-8 pairs sitting in my closet, with the oldest pair being 12-15 years old.

Last month, my wife and I were walking in the local mall, when we passed the Lucky Brand store. I decided to go in and look around. The salesperson was extremely knowledgeable about the brand and styles. He explained the different “models” to me and how they fit and my wife ended up buying me a pair of $129 jeans. Yes, you heard me right. The jeans were $129 + tax. While the price even seems crazy to me, I consider them an investment in my wardrobe and will likely have this pair for 10+ years. The salesperson also explained to me that Lucky had a Model 181 which was more of a relaxed fit jean, but they did not sell them in the stores, only on the Lucky Brand website.

The Lights Are On, But There’s Nobody Home

So, when I got to work the next day, I logged on to the Lucky Brand website, signed up for their newsletter to receive a discount (as stated in the newsletter signup pop-up message that appeared) and proceeded to find the Model 181 relaxed fit jean, picked my size and attempted to place my order. I was then asked to create an account and to my amazement, noticed that the website was not secure. Thinking this was some type of oversight or a new error, I then sent Lucky a message to the customer support email address I found on their website.

Below is the email message I sent:

[Screenshot: the email I sent to Lucky Brand customer support]

Six hours and nineteen minutes after I sent the email above to their customer support, I received a response. (See below)

[Screenshot: the reply from Lucky Brand customer support]

Besides the reply seeming very canned and generic, the first of many mistakes made by Lucky is allowing interns and untrained staff to respond to consumer inquiries, especially concerning website or ordering issues. Based on my email and the rationale for why I didn’t place my order (the site being unsecure), why would Cadelia J. (the customer service rep) respond to me with, “We assure you that our site is secure”, when it is obviously not secure, and that was the only reason I sent them an email to begin with? Then she suggests that I contact their Customer Service team via telephone. Sure, that’s exactly what I want to do: call and give my credit card information over the phone to someone who will simply type it into the same unsecure website I didn’t want to type my information into originally.

As soon as the shock of stupidity wore off, I promptly responded to the above email with the reply below.

[Screenshot: my reply to Lucky Brand customer support]

And the reply to my email, received on September 25, which came from Elizabeth G., a different customer service person at Lucky Brand. (See below)

[Screenshot: the reply from Elizabeth G. at Lucky Brand]

Sadly, the 3-5 days came and went a long time ago. I’m glad I wasn’t holding my breath, because I never heard from anyone at Lucky Brand ever again. While this was not anticipated, it is still very disappointing, especially for such a large brand. Their website is still unsecure, which is utterly amazing to me. How a company that claims to generate $100 million in annual sales could drop the ball and allow something like this to occur is beyond me.

There is One Failure After Another – But Wait, I’m Not Finished Yet

Since I still wanted to buy these Lucky Jeans, I decided to look on Amazon for them, and voila – there they were, perched among all of the other Lucky Jeans. So, I picked my size and color and placed my order. Now hold on, because here comes the best part: they were $79.00 and I got free shipping. What’s even better is they were sold by Lucky Brands and fulfilled by Amazon. A few days later, my new jeans arrived and they are as expected, simply awesome.

Email Marketing – The Clueless Continuation

Sometimes I wonder if the lights are simply left on and there’s nobody home, because it sure seems that way here. I made the mistake of signing up for Lucky Brands’ email newsletter and now I’m stuck in newsletter hell. Every time they send out a newsletter, I receive 2 identical newsletters simultaneously. (See below)

[Screenshot: two identical Lucky Brand newsletters received at the same time]

Then I noticed they were sending newsletters every day. So, now I’m receiving 2 identical emails from them daily. It gets worse – it’s the same email creatives rotated every few days. It’s either 40% off, 50% off or mystery percentage off (just go to the website to find out what percentage off you’ll receive). So I decided enough is enough and tried to unsubscribe. I clicked the unsubscribe link and was brought back to their home page. Thinking they just weren’t bright enough to bring me to an unsubscribe confirmation page, I concluded that’s it, no more emails from Lucky, hallelujah. Not so fast – guess again – the emails kept coming, 2 at a time. I then thought to myself, maybe it’s a browser issue, and tried the unsubscribe link in Firefox and Internet Explorer, because Chrome didn’t seem to work. In IE it finally worked and I was brought to the page seen below.

[Screenshot: the Lucky Brand email preferences page]

Now I figured I’m done with this. I made sure “Unsubscribe” was ticked and clicked “Update”. I was brought to a page that said “Thank You”. (See below)

[Screenshot: the “Thank You” page shown after unsubscribing]

Now You Think We’re Done Right? Think Again

Did you possibly believe it could be this easy? I did – why? I have no idea. You guessed it, the emails kept coming, 2 at a time. To end this fiasco, I simply clicked the spam button so that all Lucky Brand emails go straight into the junk/spam folder. What’s even more amazing to me is that Lucky has still not fixed the SSL certificate issue on their website. I cannot imagine how much business they are losing from this simple configuration fix and what it’s costing them. I can’t be the first person who brought this to their attention, nor can I assume I’ll be the last. So why haven’t they fixed it? Why are their email marketing program, deployments, frequency and creative choices so poorly managed for such a large company? I agree, I have no clue either.

Surprise, Surprise, Surprise – Lucky Brand files for bankruptcy July 2020. Why am I not surprised?

Over the past few weeks I’ve received a large number of phishing emails that purport to be from American Express, although they are not. These emails are sent by scammers trying to steal user names and passwords from unsuspecting American Express card holders, so they can then access their account information and card numbers and use them for fraudulent purposes. Below is a sample of one of the many phishing emails I received. Phishing attacks like this highlight how fragile trust can be in the inbox. When authentication and sender controls are misconfigured, even well-known brands can unintentionally expose recipients to unnecessary risk.

Although it is pretty obvious to me that this email is not from American Express and is no doubt a phishing email, there are some recipients who are not so astute. If your mother, grandfather or someone new to the Internet or not paying close attention received this email, would they be able to tell that it was not sent from American Express? Would they click the link that looks legitimate and appears as if it would take them to the American Express website? Even though it will not take them to the real American Express website, will they unwittingly type in their user name and password on the fake site? Obviously a percentage of people do, because if they didn’t, these phishing emails would cease being sent.

Below is the header that was received with this email:

From: American Express [mailto:fraud@aexp.com]
Sent: Tuesday, October 09, 2013 12:15 PM
To: redacted@emailanswers.com
Subject: Fraud Alert: Irregular Card Activity

Based on the received ‘from name’ and ‘email address’, it looks like the email was sent from American Express. It even has an aexp.com email address, which is the domain American Express uses to send emails from. It’s not that I blame American Express for sending this email, but rather American Express could easily stop this email from being delivered if they would simply fix their SPF Records. You might ask yourself at this point, how can you blame American Express if they didn’t send this email? Hang in there for 2 minutes and I’ll tell you. Let’s review a few details first.

OK, so what is an SPF Record?

An SPF (Sender Policy Framework) record is a DNS (Domain Name System) record which lists the specific servers and IP addresses that are allowed to send e-mail for a domain, such as aexp.com. Correctly configured, this reduces spam and phishing activity that appears to originate from a specific domain but actually doesn’t, a practice known as sender address spoofing. For email marketers, this reinforces a broader lesson: technical controls and list hygiene work together. Even well-intentioned campaigns can create downstream risk when authentication, infrastructure, or recipient targeting are not handled responsibly.

An SPF record is used for messaging security purposes. The SPF record enables a receiving email server to query DNS and determine whether the sending server is authorized to send from a specific domain. There are three ways in which an SPF check result can be handled: hard fail, soft fail or neutral. The difference between a hard fail and a soft fail is how the owner of the SPF record expects message recipients to treat a spoofed message. When a neutral response is received, it usually means that no SPF record exists for the domain. Most email servers will accept an email with a neutral SPF response, but most SMBs and large corporations have published SPF records.

Below is a list of SPF Records for aexp.com, which is used by American Express to send email.

“Spf2.0/pra a:phxamgw01.aexp.com a:phxamgw02.aexp.com a:sppim501.aexp.com a:sppim502.aexp.com ~all”

“v=spf1 ip4:12.10.219.0/24 ip4:148.173.91.0/24 ip4:203.19.215.67 ip4:192.102.253.34 ip4:192.102.253.35 ip4:192.102.253.36 a mx a:sppim502.aexp.com a:sppim501.aexp.com a:phxamgw01.aexp.com a:phxamgw02.aexp.com ~all”

To simplify and make the records easier to decipher, I have broken down the formatted records into an easy to understand format.

Without getting into too technical an explanation of how an SPF record is configured, I’ll discuss and point out the failure. If you look at the last term in the SPF record above, you’ll notice ~all, which is listed as a “Soft Fail”.

Understanding the difference between ~all Soft Fail and -all Hard Fail

A Soft Fail (~all)

If the email message from a domain comes from an IP address which is outside the IP range that is defined in the SPF record for the domain, the message will be accepted but marked in the email header. This is something you do not see when you receive the email. All properly configured email servers will accept an email tagged with a “Soft Fail”.

A Hard Fail (-all)

If the email message from a domain comes from an IP address which is outside the IP range that is defined in the SPF record for the domain, the message will be rejected.

How American Express has failed to protect its card members.

If American Express simply changed their SPF record from ~all (Soft Fail) to -all (Hard Fail), these fraudulent phishing emails that appear to be sent from American Express would be rejected at the recipient’s email server and never get delivered to the intended recipient. Simply using ~all is tantamount to saying, here are all the possible servers that our email should come from, but if it doesn’t come from them, accept it anyway. Why even bother publishing SPF records if you’re going to override them with a ~all?
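To make the ~all versus -all difference described above concrete, here is a small added example (not code from this article or from American Express) that evaluates the aexp.com v=spf1 record quoted earlier against a connecting IP. The phisher’s IP is a constructed placeholder, and the a/mx host mechanisms, which need DNS lookups, are assumed not to match.

```python
import ipaddress

# The v=spf1 record the article quotes for aexp.com (as published in 2013).
AEXP_SPF_2013 = (
    "v=spf1 ip4:12.10.219.0/24 ip4:148.173.91.0/24 ip4:203.19.215.67 "
    "ip4:192.102.253.34 ip4:192.102.253.35 ip4:192.102.253.36 "
    "a mx a:sppim502.aexp.com a:sppim501.aexp.com "
    "a:phxamgw01.aexp.com a:phxamgw02.aexp.com ~all"
)
# Qualifier prefix -> SPF result it yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism is implicitly "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed

def check_host(sender_ip, record):
    """SPF result for a connecting IP. Mechanisms that need DNS (a, mx, a:host,
    include, ...) are skipped as non-matching in this offline demo."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record has no "all" term: nothing matched, no verdict

def receiver_action(result):
    """Delivery decision the article describes: only a hard fail is rejected."""
    return "reject" if result == "fail" else "accept"

def harden(record):
    """Apply the article's fix: replace a trailing ~all with -all."""
    terms = record.split()
    if terms and terms[-1] == "~all":
        terms[-1] = "-all"
    return " ".join(terms)

if __name__ == "__main__":
    phisher_ip = "198.51.100.23"  # constructed: outside every ip4 range above
    for rec in (AEXP_SPF_2013, harden(AEXP_SPF_2013)):
        result = check_host(phisher_ip, rec)
        print(f"{rec.split()[-1]}: {result} -> {receiver_action(result)}")
```

Run as a script it prints one line per record: the published ~all record yields softfail and the message is accepted, while the hardened -all record yields fail and the message is rejected.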

American Express has a section on their website dedicated to fraud prevention and protecting your information. They provide advice and a vast amount of information to help you protect yourself, but fail miserably themselves where it really matters.

In 2012 alone, losses from credit card fraud totaled $6 billion. Now who do you think pays for those losses? You are correct, we all do. If simply changing a tilde (~) to a dash (-), that is, ~all to -all (Soft Fail to Hard Fail), would let American Express reduce the number of phishing emails delivered and significantly reduce credit card fraud and losses due to stolen credit card information, why wouldn’t American Express make this simple change? Don’t know? Neither do I. Situations like this are a reminder that email risk is rarely caused by a single factor. Infrastructure configuration, sender reputation, and who you send to all influence how messages are received and trusted.

“It is the obvious which is so difficult to see most of the time. People say ‘It’s as plain as the nose on your face.’ But how much of the nose on your face can you see, unless someone holds a mirror up to you?”

― Isaac Asimov

December 2025 Update: (It only took them 12 years)

It appears American Express has fixed their SPF record and it only took them 10 years.

This article is part of our broader resource on email list cleaning and hygiene, which explores how responsible sending practices reduce trust and security risks over time.

Imagine walking into a bar and immediately proposing to the first person that catches your eye. Unless you have the body of David Beckham or the lips of Angelina Jolie, I am going to go out on a limb here and say that your approach to finding a life-long partner is a bit skewed. And I bet you would agree with me. As we all know, dating can be extremely exhausting. It’s a large investment of time, money, and emotions in your search for “the one” that makes it all worthwhile in the end. What it all boils down to is that the world of dating and the world of marketing are one and the same. I am not suggesting that you pursue romantic relationships with your most valued customers, as that could lead to sexual harassment charges that could do more damage to your business reputation than it’s worth. What I am suggesting is that you should align your approach to marketing with your approach to dating.

The problem with marketers today is that we go straight for the gold. We are attempting to go fishing without bait. We tend to interrupt customers and try to sell them our products and services without realizing that, without offering some kind of incentive to spark the conversation, they have no reason to pay attention to you. This is essentially equivalent to proposing marriage before asking them on a second date.

Think about applying for a job, for instance. It’s a process. You can’t submit your resume on every job search website and expect to get hired on the spot. A well-crafted resume will earn you an introductory interview. Given that you are well-spoken and present yourself in a professional manner, you may get the opportunity to come in for a second or third interview. Once proper measures are taken to determine whether or not you are a right fit for the company, only then should you expect an offer. After paying hefty fees toward your schooling and investing your time in an effort to gain relevant work experience, you are now armed with the knowledge and expertise to enter into another line of work and eventually reap the rewards of your initial investment.

The same goes with marketing in that the customer acquisition costs far outweigh the customer retention costs. Take American Express, for example. This credit card company invests nearly $150.00 to get a new cardholder. Although this makes you wonder how they are still in business, it’s because they have adopted the permission-based marketing model to generate loyal customers who stick with them for the long term. Instead of approaching new customers with the intention of making a sale right off the bat, they woo their customers with an offer that they can’t resist. They focus their media efforts to sell their permission to engage in conversation, and have earned much higher response rates as a result. While $150.00 seems a bit steep at first glance, American Express leverages that expense by engaging in a continued, mutually beneficial relationship with their customers. Rather than exhausting their resources into selling their product pipeline to as many new customers as they can find, they extract the maximum value from each of their loyal customers.

But how do you initially open the lines of communication with those who want to hear from you? In this information age, where owning a computer or smartphone is just as common as owning a toothbrush, we can target and reach business decision makers or consumers around the globe through email marketing for a fraction of the cost of more traditional forms of advertising. As advances in technology have enabled us to track consumer interest and buying patterns online, we have the ability to choose whom to target. As long as you provide something of value and demonstrate how it will enhance the lives of your audience, those who are interested in your offer will come to you for more information.

In addition, smart marketers acknowledge the fact that marketing does not end with the first sale. Rather, that’s where true marketing begins. Now, the question lies in finding the secret to keep our customers satisfied and wanting more. Not to keep referencing the dating analogy, but try to spice things up every now and then. Eventually, we all get sick of going for dinner and a movie.

Successful business lies in continually fine-tuning the products and services you offer while also expanding your selection to meet the ever-changing wants and needs of your client base. It means revamping your advertising strategy and adjusting your incentives to continually lure them in.

The bottom line? Sell more to fewer customers.