
SPF, DMARC, and DKIM: How to Keep Your Email Out of the Spam Folder - wpBenny
http://www.wpsitecare.com/keep-your-email-out-of-the-spam-folder/
======
edutechnion
A few tips from setting up SPF/DMARC/DKIM for a SAAS service:

* SPF: limit your record and all includes to 10 DNS lookups (e.g., "A MX include:_spf.google.com" is 3 DNS lookups plus all of the lookups inside the include).

* DMARC: to see a strict reject policy, check out Yahoo:
    
    
      $ dig +short -t txt _dmarc.yahoo.com
      "v=DMARC1\; p=reject\; pct=100\; rua=mailto:dmarc_y_rua@yahoo.com\;"
    

* Mail forwarding: if your app sends mail as the logged-in user, make sure the user's actual email address is not in the FROM address as Yahoo does not authorize you to send FROM: xxxx@yahoo.com

* DMARC emails: use dmarcian.com to parse and process the auto-generated emails

* SPF: use the ~all for your first day of testing and then lock it down to -all after testing is complete

* DKIM: OpenDKIM appears to be the most widely supported Linux software package.

* DKIM keys: set up a TXT entry you control and ask the client to CNAME it. Then set up key rotation.

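The 10-lookup budget in the first bullet is the one SPF limit people hit without noticing, because includes inside a vendor's include count too. The script below is an added example (not the commenter's code or the article's): it walks an SPF record the way a receiver does, counting every term that costs a DNS query under RFC 7208 section 4.6.4, and follows `include:` and `redirect=` into nested records. DNS is replaced by a constructed in-memory table (`SPF_RECORDS`); the domain names and address ranges in it are reserved documentation values, not anyone's real zone data.

```python
"""Count the DNS lookups an SPF record costs a receiver (RFC 7208 section 4.6.4).

Added example; DNS is replaced by a constructed in-memory table so it runs offline.
"""

# Every term below costs one DNS query when evaluated; ip4/ip6/all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10      # RFC 7208: more than 10 -> permerror
MAX_VOID_LOOKUPS = 2  # RFC 7208: targets with no record SHOULD be limited to 2

SPF_RECORDS = {  # constructed sample zone data, not real records
    "example.com": (
        "v=spf1 a mx include:_spf.provider.example "
        "include:spf.vendor.example ip4:192.0.2.0/24 -all"
    ),
    "_spf.provider.example": (
        "v=spf1 include:_netblocks1.provider.example "
        "include:_netblocks2.provider.example ~all"
    ),
    "_netblocks1.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.provider.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "spf.vendor.example": (
        "v=spf1 a:mta.vendor.example mx include:eu.vendor.example "
        "include:us.vendor.example ~all"
    ),
    "eu.vendor.example": "v=spf1 mx ip4:203.0.113.0/25 ~all",
    "us.vendor.example": "v=spf1 a ip4:203.0.113.128/25 redirect=spf.legacy.example",
    # spf.legacy.example is deliberately absent from the table: a "void lookup".
}


def split_term(term):
    """Return (mechanism_or_modifier, target) for one SPF term, ignoring the qualifier."""
    term = term.lstrip("+-~?")
    if term.startswith("redirect="):
        return "redirect", term[len("redirect="):]
    name, _, target = term.partition(":")
    return name.split("/")[0].lower(), target   # "a/24" and bare "mx" carry no target


def count_spf_lookups(domain, records, _path=()):
    """Return (lookups, void_lookups, trail) for evaluating `domain`'s SPF record.

    Recurses into include: and redirect= targets exactly as a receiver would,
    so lookups buried inside a vendor's include count against your budget too.
    """
    if domain in _path:
        raise ValueError("include/redirect loop: " + " -> ".join(_path + (domain,)))
    record = records.get(domain)
    if record is None:
        return 0, 1, [f"{domain}: no SPF record (void lookup)"]
    lookups, voids, trail = 0, 0, []
    for term in record.split()[1:]:                # skip the leading "v=spf1"
        mech, target = split_term(term)
        if mech not in LOOKUP_TERMS:
            continue                               # ip4/ip6/all/exp cost nothing at check time
        lookups += 1
        trail.append(f"{domain}: {term}")
        if mech in ("include", "redirect"):
            sub_lookups, sub_voids, sub_trail = count_spf_lookups(
                target, records, _path + (domain,))
            lookups += sub_lookups
            voids += sub_voids
            trail.extend(sub_trail)
    return lookups, voids, trail


def spf_budget_problems(domain, records):
    """List the budget violations a receiver would turn into a permerror for `domain`."""
    lookups, voids, _ = count_spf_lookups(domain, records)
    problems = []
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups, limit is {MAX_LOOKUPS}")
    if voids > MAX_VOID_LOOKUPS:
        problems.append(f"{voids} void lookups, limit is {MAX_VOID_LOOKUPS}")
    return problems


if __name__ == "__main__":
    total, voids, trail = count_spf_lookups("example.com", SPF_RECORDS)
    print("\n".join(trail))
    print(f"{total} lookups, {voids} void; problems: "
          f"{spf_budget_problems('example.com', SPF_RECORDS)}")
```

Run as-is, the sample `example.com` record costs 13 lookups (4 of its own, 9 inside the two includes) and so evaluates to permerror at every receiver, even though each vendor's record looks harmless on its own. Replacing `SPF_RECORDS.get` with a real TXT query gives a checker for your own zone.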
~~~
talideon
For DKIM, rspamd/rmilter are a great alternative to OpenDKIM if you want to
build the DKIM check into your regular spam checks.

One minor downside of rmilter is that it will only sign the headers of mail
sent by authenticated users. This isn't a huge deal, but can be a bit of an
irritation.

~~~
cebka
Rmilter now can sign mail that comes from certain networks as well.

~~~
talideon
That's good to know. I'll have to check that out. The packaged version in the
FreeBSD port didn't have that last time I looked, but that could just have
been me missing something.

Edit: just noticed the 'sign_networks' and 'our_networks' settings. Thanks for
that, and thanks for rspamd and rmilter! They're great software!

------
chewmieser
I've had great luck with my personal email servers thanks to this tool:
[https://www.mail-tester.com/](https://www.mail-tester.com/)

Gives you a score and suggestions on improving it to reduce the chance of
hitting the spam filter.

~~~
icebraining
I like this one from NIST: [https://www.had-pilot.com/py/had.html](https://www.had-pilot.com/py/had.html)

You just send an email to the address at the bottom and it replies with a
bunch of information regarding its SPF, DKIM and/or DMARC.

------
dmuth
Just to throw this out, I'm the guy responsible for one of the "top 10" DMARC
reporting engines on the Internet in terms of volume. If anyone would like to
chat about DMARC in the real world or about the DMARC reports (that they are
very likely receiving from my employer's domain name), feel free to reach out
to me.

My email is my username at my username dot org.

~~~
Erwin
Google's Postmaster tools always tell me 100% DKIM, 100% SPF but a crazy
varying amount of DMARC success rate. Postmark's weekly report gives me 99.9%
DMARC compliance. Do you have an explanation or theory? Our envelope-from
often differs from header-From but none of those domains have a strict DMARC
alignment policy.

~~~
medmunds
I _believe_ you can explain some common cases in Postmark's weekly digest like
this (but would really appreciate confirmation from an actual specialist in
the field):

1. "Trusted sources" (DMARC fully/partially aligned), DKIM pass, but SPF
_fail_: a recipient has forwarded your fully-aligned email.

2. "Untrusted sources" (DMARC not aligned), DKIM fail, SPF fail: genuine
spam, or email forwarding that also rewrites headers in a way that breaks DKIM
(like the recent Hotmail/Outlook.com forwarding problem).

3. "Untrusted sources", DKIM _pass_, SPF _pass_: properly signed and SPF'd,
but your envelope-from domain doesn't match the header-From domain. If your
DMARC policy is reject or quarantine, these messages won't get delivered.

One way to get case 3 is with a vendor sending on your behalf, where you've
included their SPF in your own record (so SPF pass), but they sign DKIM and
set envelope-from using their domain. The DKIM is valid for your vendor, so
passes, but doesn't match the From, so DMARC is not aligned and fails.

For example, UserVoice has this problem if you're using a custom From address
in your domain. And Gmail shows this type of message as "From <you> via
<vendor>".

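The three cases in the comment above all come down to DMARC identifier alignment: a message passes DMARC only if SPF or DKIM passed and the domain that passed lines up with the RFC5322.From domain, under the `aspf`/`adkim` mode in the policy record. The code below is an added example (not from any commenter) that works the three cases through, plus a fourth showing what the "ask the client to CNAME it" tip earlier in the thread fixes. All messages, domains and the policy record are constructed; the organizational-domain rule is simplified to the last two labels, where a real verifier would consult the Public Suffix List.

```python
"""DMARC identifier alignment (RFC 7489) worked through the cases above.

Added example with constructed inputs: header From domain, SPF result and MAIL
FROM domain, DKIM result and d= domain, and a constructed DMARC record.
"""


def org_domain(domain):
    """Organizational domain approximated as the last two labels.

    Assumption for this example only: real verifiers use the Public Suffix List,
    so 'mail.example.co.uk' maps to 'example.co.uk' there, not to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain, auth_domain, mode):
    """'s' (strict) needs an exact match, 'r' (relaxed) an organizational-domain match."""
    a = header_from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def dmarc_result(header_from, spf_result, mail_from_domain, dkim_result, dkim_d, record):
    """Return the DMARC verdict for one message.

    DMARC passes if EITHER SPF or DKIM passed AND that identifier aligns with the
    RFC5322.From domain. It never needs both, which is why a forwarded message
    with broken SPF still passes on its surviving DKIM signature.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(
        header_from, mail_from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(
        header_from, dkim_d, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        # The p= disposition only applies when DMARC fails.
        "disposition": "none" if passed else tags.get("p", "none"),
    }


# Constructed policy, same shape as the Yahoo record quoted earlier in the thread.
POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@example.com"

# Constructed messages, one per case in the comment above, plus the fix for case 3.
CASES = {
    "1_forwarded": dict(header_from="example.com", spf_result="fail",
                        mail_from_domain="example.com",
                        dkim_result="pass", dkim_d="example.com"),
    "2_spoofed": dict(header_from="example.com", spf_result="fail",
                      mail_from_domain="bulk.attacker.example",
                      dkim_result="fail", dkim_d=""),
    # Vendor sends with its own MAIL FROM and signs with its own d=: SPF and DKIM
    # both pass for vendor.example, neither aligns with example.com.
    "3_vendor_unaligned": dict(header_from="example.com", spf_result="pass",
                               mail_from_domain="bounces.vendor.example",
                               dkim_result="pass", dkim_d="vendor.example"),
    # Same vendor after the customer CNAMEs a selector under example.com, so the
    # vendor can sign with d=mail.example.com; relaxed DKIM alignment now holds.
    "3_vendor_fixed": dict(header_from="example.com", spf_result="pass",
                           mail_from_domain="bounces.vendor.example",
                           dkim_result="pass", dkim_d="mail.example.com"),
}


def evaluate_cases(record=POLICY):
    """Run every constructed message through dmarc_result()."""
    return {name: dmarc_result(record=record, **msg) for name, msg in CASES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_cases().items():
        print(f"{name}: {verdict}")
```

Case 3 is the one that surprises people: both authentication results are genuine passes, just for the wrong domain. Including the vendor in your SPF record never helps here, because the SPF identifier is the MAIL FROM domain and that is still the vendor's; only a DKIM signature with `d=` in your domain (the delegated-selector pattern) or a MAIL FROM in your domain aligns.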
------
djsumdog
I wrote this a while ago. I have SPF, DMARC and DKIM all implemented on my
mail domain and I still get put in the spam folder:

[http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/](http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/)

I think part of it might be that I use Linode, and there are other spammers in
their data centre, so I could just be on a subnet bad list. But I think a lot
of it has to do with Google/Microsoft's spam filters just being crazy over
aggressive.

~~~
walrus01
A huge part of the problem is that while your personal smtpd might be set up
impeccably, you're in the same /24 as a bunch of other low cost bulk hosting
customers that have in the past several years set up VPS with much less clue
than you. As a result the entire ARIN netblock that your server resides in has
a "poor" IP space reputation as seen by the opaque incoming anti-spam measures
put in place by Microsoft and Google.

There's very little that can be easily done about this other than moving your
smtpd to an ipv4 address with an ISP that has never had an outgoing spam
problem (such as for example a /24 that's been held by the same company for 8+
years, in ARIN/RIPE/APNIC/whatever space very tightly controlled by the
network engineering team of a clueful local ISP where you know the staff).

There's a pretty direct inverse correlation between the cost of a hosting
service ($5/mo VPS vs. minimum $200/mo colocation of a 1U server) and how much
outgoing abuse traffic has been sent from the particular netblock assigned to
the enduser customers. Cheap hosting company = poor IP space reputation.

~~~
panic
And this is how the decentralized internet dies...

~~~
walrus01
Yes, sort of, but not really a new problem. Low budget hosting companies have
had poor IP space reputations and outgoing spam problems since such a thing as
a hosting company began to exist, 20 years ago, way before there was such a
thing as an x86-64 bare metal hypervisor or a VPS. The lower the cost the less
clueful the customers. The problem is more on the google and MS side.

------
unethical_ban
I resent that IP block based filtering is done anymore. Legit people are using
VPS to send email, and email is a fundamental decentralized protocol of the
internet. It's really crappy that in this age of DKIM/SPF/DMARC, we can't do
away with IP filtering.

------
ryandonsullivan
Thanks for posting this. I know it's on a WordPress site but definitely
applies to way more people than just that audience. I hope to build the
article out even more and get super specific with various vendors like
Mandrill, Amazon SES, Sendgrid, etc.

------
slasaus
I think it's pretty weak they're advertising the use of "~all" in their spf
records. Either use "-all" or just don't use SPF I would say. If you can't
make a decisive statement about your own domain then it won't be actionable
for receivers that evaluate your records.

~~~
ryandonsullivan
That's a totally fair point. I'm not entirely sure why most third parties are
still using ~ in their documentation but it still seems to be the norm. I do
like the definitive nature of -all.

~~~
aroch
IIRC ~all is the recommendation because hotmail/live told people to use ~all
to prevent hardfails when hotmail's lookups timed out or if a particular
mailserver IP was inaccessible during spam checks.

~all will result in your email being bounced around until accepted even if the
IP doesn't match DNS records (more or less).

-all will result in hardfail if rejected by any TO mailserver.

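The `~all` versus `-all` argument in this sub-thread is about one thing: which SPF result a receiver gets for a sender that matches nothing in the record. The evaluator below is an added example (not from the article or any commenter) implementing the RFC 7208 check_host() logic for the `ip4`, `ip6`, `include` and `all` mechanisms against a constructed record table, so the two policies can be compared side by side. Mechanisms that need live DNS (`a`, `mx`, `ptr`, `exists`) are deliberately rejected rather than faked; the domains and address ranges are documentation values.

```python
"""Evaluate a sender IP against an SPF record: what "~all" versus "-all" changes.

Added example. Only ip4/ip6/include/all are modelled; records are constructed.
"""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

RECORDS = {  # constructed, not real zone data
    "strict.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example -all",
    "soft.example":   "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}


def check_host(ip, domain, records, _depth=0):
    """RFC 7208 check_host() for the supported mechanisms; returns the SPF result string."""
    if _depth > 10:
        return "permerror"                       # runaway include nesting
    record = records.get(domain)
    if record is None:
        return "none"                            # no SPF record: the receiver learns nothing
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:              # skip "v=spf1"
        qualifier = term[0] if term[0] in QUALIFIER else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network and vice versa.
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub = check_host(ip, arg, records, _depth + 1)
            if sub in ("temperror", "permerror"):
                return sub
            if sub == "none":
                return "permerror"               # including a domain with no record is an error
            # An include matches only when the nested check passes; its own
            # "-all" or "~all" is NOT propagated to the outer result.
            matched = sub == "pass"
        else:
            raise NotImplementedError(f"{mech}: needs real DNS, not modelled here")
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"                             # ran off the end without an "all"


def compare_policies(ip, records=RECORDS):
    """Same sender IP against the strict and soft records side by side."""
    return {d: check_host(ip, d, records) for d in ("strict.example", "soft.example")}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.9", "2001:db8::1", "203.0.113.5"):
        print(ip, compare_policies(ip))
```

For a listed address both records return `pass`; for an unlisted one (`203.0.113.5`) the strict record returns `fail` and the soft one `softfail`. RFC 7208 section 8.5 tells receivers they SHOULD NOT reject a message on softfail alone (it is advisory, usually folded into a spam score), whereas section 8.4 lets them reject on fail outright; for DMARC purposes both are simply "SPF did not pass", so the choice only affects receivers that act on SPF by itself.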
------
znpy
I host my own email at home on a domestic connection with a domestic fixed
ipv4 and I only set up SPF.

Most e-mail providers accept my email.

More accurately: in the last two years only gmx.de rejected one email.

------
specialp
I have found that the site [https://mxtoolbox.com/](https://mxtoolbox.com/) is
very good for scanning your records for SPF/DMARC/DKIM and pointing out
problems. Unfortunately even with implementing all of this some email
providers are heavy handed with rejecting mail from smaller mail servers. For
instance Yahoo will usually block all of your mail without appealing to them,
and Verizon will not allow any email originating from a VPS source like
Digital Ocean or AWS. Ironically I found that out when going to report someone
on Verizon's network trying to brute force my SMTP server. Mail to abuse was
rejected.

------
brightball
Sendgrid has a nice implementation for DKIM too. They set up 2 DKIM CNAME
records that point to a DNS entry with an id number in it for you.
Periodically, they rotate DKIM keys and by having the 2 CNAMEs they can
easily transition without concerns about something getting lost in transit.

------
cm3
Say I want a personal domain and have the MX not be Google or Fastmail, how
complete is the implementation of these standards on major email providers'
SMTP setups? Would I need to do thorough research or is it reasonable to
expect it to just work in a, say, European SMTP hoster's configuration?

~~~
walrus01
Any major ISP with clue is at least checking SPF, DMARC and DKIM scores on its
incoming edge smtpd that talks to the world. How they use the scoring and
results for spam filtering varies widely.

------
logicallee
I don't like the implication that the work outlined in this article is
reasonable.

Imagine if there were a detailed guide on how to keep the post office from
throwing out the letters you send?

Because mail that you personally send out by definition isn't spam - so you
are doing work to get around broken spam filters.

why can't you just pay $10 or something as a deposit and, since you're not
actually a spammer and nobody will ever actually mark what you send as spam,
never lose that deposit.

This guide should be like four lines long and take 5 minutes to follow.

I mean after glancing at that write-up, I'd never dream of running my own mail
server. I use gmail. Why would I jump through hoops and still risk having
letters I took the time to write, still marked as spam? I lose on two counts!
(invest time, for a worse outcome.)

This part of the industry is broken. I think a deposit paid by non-spammers
which they lose if people start marking their letters spam, might fix it.

------
cm2187
I am surprised that almost no one seems to be using DKIM. I tried setting a
higher spam weight on unsigned emails and half of my emails ended up in the
spam folder.

SPF is used more frequently.

------
talideon
It's worth keeping in mind that the real value of SPF records isn't preventing
you from receiving spam (aside from backscatter), but to prevent Joe-jobs.

------
dtemp

      _domainkey.yoursite.com TXT "t=y; o=~;"
    

Does anyone know how necessary this entry is, as opposed to just having
records beginning with selectors?

It seems like the t=y means that testing is on and to not actually block
messages that fail DKIM, and o=~ means that some messages aren't signed. I'm
not sure why the article is suggesting people use those settings, since they
are entirely variable between different users and their config.

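Two things in the thread come together here: the CNAME-delegated selectors that brightball and edutechnion describe for vendor key rotation, and the `_domainkey.yoursite.com TXT "t=y; o=~;"` record dtemp asks about. That second record is not an RFC 6376 selector key record at all; the `o=` tag (`~` some mail signed, `-` all mail signed) comes from the DomainKeys-era domain policy record of RFC 4870, while in an RFC 6376 key record `t=y` marks the domain as testing and verifiers MUST NOT treat its mail differently from unsigned mail. The code below is an added example (not from the article or any commenter) that parses DKIM tag lists, follows the CNAME delegation in a constructed zone, reads the testing/revocation flags, and shows a vendor-side rotation that never touches the customer's zone. The zone, selector names and `p=` placeholders are all constructed.

```python
"""DKIM DNS records: tag-list parsing, CNAME-delegated selectors, key rotation.

Added example with a constructed zone; the p= values are placeholders, not keys.
"""

ZONE = {
    # Customer zone: two selectors delegated by CNAME to names the vendor controls.
    "s1._domainkey.example.com": ("CNAME", "s1.example-com.dkim.vendor.example"),
    "s2._domainkey.example.com": ("CNAME", "s2.example-com.dkim.vendor.example"),
    # Vendor zone: a rotation replaces these TXTs; the customer's CNAMEs never change.
    "s1.example-com.dkim.vendor.example": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1"),
    "s2.example-com.dkim.vendor.example": ("TXT", "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_KEY_2"),
    # A key published directly and since revoked: empty p= (RFC 6376 section 3.6.1).
    "old._domainkey.example.com": ("TXT", "v=DKIM1; k=rsa; p="),
    # The domain-level record quoted in the comment above: DomainKeys-era (RFC 4870)
    # outbound signing policy, not an RFC 6376 selector key record.
    "_domainkey.example.com": ("TXT", "t=y; o=~"),
}


def parse_tags(value):
    """Split a 'tag=value; tag=value' list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        if not item.strip():
            continue                                # tolerate the trailing ';'
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = "".join(val.split())   # folding whitespace in values is insignificant
    return tags


def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs in the constructed zone until a TXT is reached; returns (owner, text)."""
    for _ in range(max_hops):
        rtype, value = zone[name]                   # KeyError stands in for NXDOMAIN here
        if rtype == "TXT":
            return name, value
        name = value
    raise ValueError(f"CNAME chain ending at {name} is too long")


def describe_key(selector, domain, zone):
    """Summarise what a verifier learns from <selector>._domainkey.<domain>."""
    name = f"{selector}._domainkey.{domain}"
    owner, txt = resolve_txt(name, zone)
    tags = parse_tags(txt)
    flags = set(tags.get("t", "").split(":")) - {""}
    return {
        "published_at": owner,
        "delegated": owner != name,             # True when the customer CNAMEd to the vendor
        "key_type": tags.get("k", "rsa"),       # RFC 6376 default when k= is absent
        "public_key": tags.get("p", ""),
        "revoked": tags.get("p", "") == "",     # an empty p= revokes the key
        "testing": "y" in flags,                # t=y: verifiers MUST NOT treat mail differently
        "strict_subdomains": "s" in flags,      # t=s: i= domain must equal d=, no subdomains
    }


def describe_domainkeys_policy(domain, zone):
    """Read the RFC 4870 '_domainkey.<domain>' policy record (o=- all signed, o=~ some signed)."""
    _, txt = resolve_txt(f"_domainkey.{domain}", zone)
    tags = parse_tags(txt)
    return {"testing": tags.get("t") == "y", "signs_all_mail": tags.get("o") == "-"}


def rotate_vendor_key(zone, vendor_owner, new_public_key):
    """Vendor-side rotation: rewrite the TXT at its own name; the customer's CNAME is untouched."""
    rtype, old = zone[vendor_owner]
    tags = parse_tags(old)
    tags["p"] = new_public_key
    zone[vendor_owner] = (rtype, "; ".join(f"{k}={v}" for k, v in tags.items()))


if __name__ == "__main__":
    for sel in ("s1", "s2", "old"):
        print(sel, describe_key(sel, "example.com", ZONE))
    print("_domainkey policy:", describe_domainkeys_policy("example.com", ZONE))
    rotate_vendor_key(ZONE, "s1.example-com.dkim.vendor.example", "PLACEHOLDER_KEY_3")
    print("s1 after rotation:", describe_key("s1", "example.com", ZONE)["public_key"])
```

With two delegated selectors the vendor can publish a fresh key under the idle one, start signing with it, and later replace the other, so mail signed under the old selector still verifies while it is in transit; the customer's zone carries only the two CNAMEs the whole time. The `_domainkey` policy record in the zone is parsed only to show what its tags mean; current verifiers look up `<selector>._domainkey.<domain>` and take signing policy from DMARC instead.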
