We're in the midst of a project to make all of our mail sources, including third parties that send on our behalf, DMARC compliant. We've run into a snag, namely an entire data center full of servers that send mail (usually just status updates or errors). If the mail's from address is <user@hostname.domain.tld> and we have many of them, and there are new ones added almost weekly, then how do we get these compliant?
My understanding of DKIM and SPF is that we'd need a DNS entry per host, because the receiving mail server checks on those records based on the FQDN of the from address.
Is there a reasonable way to keep using <user@hostname.domain.tld> as the from addresses and still make these 200+ (and changing) servers DMARC compliant?
Yes, this is what DMARC's "relaxed" mode is for. You can set that for both SPF and DKIM matching by adding these elements to your DMARC record:
aspf=r; adkim=r
However, this is the default behaviour, so you don't actually need to add them at all!
In this mode, a message from user@hostname.domain.tld would be a relaxed match for domain.tld.
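The relaxed and strict alignment comparison described in the answer above, as an added Python example that is not part of the original post. It assumes the hosts relay through a server that DKIM-signs with d=domain.tld; the hostname web17 and the small suffix set (a stand-in for the Public Suffix List) are constructed.

```python
# Added illustration; PUBLIC_SUFFIXES is a constructed stand-in for the
# Public Suffix List that real DMARC evaluators consult.
PUBLIC_SUFFIXES = {"tld", "com", "org", "co.uk"}

def organizational_domain(domain):
    """Return the public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    # Scanning from the left finds the longest matching suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption for unknown suffixes

def aligned(from_domain, authenticated_domain, mode="r"):
    """mode 'r' is relaxed (the default), 's' is strict; same rule for aspf and adkim."""
    a = from_domain.lower().rstrip(".")
    b = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)

def dmarc_pass(from_domain, spf_domain, spf_ok, dkim_domain, dkim_ok,
               aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both verifies and aligns with the From domain."""
    spf = spf_ok and aligned(from_domain, spf_domain, aspf)
    dkim = dkim_ok and aligned(from_domain, dkim_domain, adkim)
    return spf or dkim

if __name__ == "__main__":
    # Host without its own SPF record, relayed through a signer using d=domain.tld.
    print(dmarc_pass("web17.domain.tld", "web17.domain.tld", False,
                     "domain.tld", True))
    # The same message evaluated under adkim=s.
    print(dmarc_pass("web17.domain.tld", "web17.domain.tld", False,
                     "domain.tld", True, adkim="s"))
```

Alignment is only the comparison step: the SPF lookup itself is still made against the envelope sender's domain and the DKIM signature must still verify.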
I'm aware this may not be the right place to ask this, but I don't know where else and others may encounter the same issue.
I'd like to have an aggregated view (or an alert) when some recipients in my contact list don't receive any of the emails my app sends. Is this possible?
I checked on the alert thing in the docs but it doesn't seem to do what I need. Although this seems like a pretty common need and it may not be necessary to set up webhooks and own app logic to handle this, would it?
Thanks
I have also faced the same issue with cPanel and many other providers like Mailchimp. This usually happens due to an empty subject, due to which cross-server contacts may not happen. Also, if you are using the PHP mail() or sendmail function instead of SMTP, you need to be using TLS 1.2 or TLS 1.3; 1.0 is also supported, but many of my e-mails were not delivered, so I upgraded to TLS 1.3. Also, check if your mail goes to the spam folder. In that case, increase your website and domain score and try to rank in Google Safe Browsing. Also, this happens due to a misleading hosting provider whose SMTP servers are not set up correctly, or a provider that sends many spam messages, due to which your domain score may get low. I currently use interserver_smtp and cloudmate_smtp collectively for all my clients, as interserver deliverability in India is low and cloudmate works in both Texas and India correctly. Try cPanel or Plesk as it has the best deliverability. One more thing: this could also be an issue of DNS. Check your DNS settings to see if MX records are pointed to MailJet servers.
I've implemented a DMARC policy on a few domains and am closely monitoring the reports I'm receiving from Google, Yahoo, Hotmail etc etc, looking forward to being able to switch from p=none to p=reject.
99% of all emails from the appropriate IPs are now passing both DKIM and SPF checks and 99% of all failures are from IP addresses I don't recognise.
Nearly perfect!
1% however are emails from the correct IP, failing DKIM.
The DMARC reports provide no way I can see to assist in determining anything about the emails which are failing. If I could just know the subject, the message ID - something, I'd be able to fix it.
Is there absolutely no way to do this?
TY
The Failure Reports (ruf=) option should be what you are looking for.
More at https://dmarc.org/wiki/FAQ#Do_I_want_to_receive_Failure_Reports_.28ruf.3D.29.3F and https://www.rfc-editor.org/rfc/rfc7489#section-7.3.
I suggest the following:
Check the MTAs reporting that your IP is failing: To do this look in the RUA reports or the RUF reports in which your IP is failing and identify the reporter.
Might be a problem with a single reporter
Check if the failure is happening at the moment of verifying SPF/DKIM or at the moment of the alignment evaluation.
Get a RUA report where the IP fails. Then, go to the specific record. Check the tag <result>. Is it marked as PASS?
If it is marked as PASS then the IP failed at the moment of alignment verification. To confirm it, check what domain was verified in SPF/DKIM.
I hope I was clear enough. If not please let me know how so that I can edit my answer better.
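The check described in the answer above (identify the reporter, then separate alignment failures from verification failures), as an added Python example that is not part of the original post. The sample report, its domains and the IP address are constructed; the element names follow the aggregate report layout in RFC 7489 Appendix C.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate (rua) report; not taken from a real reporter.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>reporter.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><adkim>r</adkim></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp-shared.example</domain><result>pass</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>fail</result></dkim>
      <spf><domain>example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def dkim_failures(xml_text, my_ips):
    """List DMARC dkim=fail rows from known IPs, split by failure cause."""
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    findings = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        if ip not in my_ips or rec.findtext("row/policy_evaluated/dkim") != "fail":
            continue
        sigs = [(d.findtext("domain"), d.findtext("result"))
                for d in rec.findall("auth_results/dkim")]
        # A verified signature next to a DMARC dkim=fail means the d= domain
        # did not align with header_from; otherwise verification itself failed.
        cause = "alignment" if any(r == "pass" for _, r in sigs) else "verification"
        findings.append({"reporter": reporter, "ip": ip,
                         "count": int(rec.findtext("row/count", default="0")),
                         "header_from": rec.findtext("identifiers/header_from"),
                         "cause": cause, "signatures": sigs})
    return findings
```

Grouping the returned rows by reporter shows whether the failures come from a single receiver, and the signatures field shows which d= domain was actually checked.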
Some ESPs (Email Service Providers) use their own DKIM validators and they have bugs in them. So your DKIM will pass at 95% of the ESPs and, let's say, the remaining 5% has a bug in it, failing your DKIM for whatever reason. I've seen this time and time again and it's not your fault, just the fault of a bad component at that ESP.
Testers like MailTest check your DKIM with 4 different providers and even they say in their knowledge base that discrepancies can occur because of bugs in the individual validator in question. It's not going to be 100% perfect, but keep your DKIM signature simple (use relaxed canonicalization instead of simple), don't sign repeating fields, don't sign the same field twice, etc. Anything that will confuse a validator, try to avoid.
I have a few separate sites on a server with a single IP.
The sites shouldn't ever send spam, but the customers are free to send emails from their sites so I have no way to prevent them from doing so.
What I'd like to do is when sending the emails via postfix, somehow separate the sites in the headers sent out.
Previously I've set up an IP for each but I'm trying to avoid doing this.
I've also found that with /etc/postfix/header_checks I can remove headers, but I'm not sure if removing specific headers will cause issues?
One thing to consider here is that blacklisting is usually based on IP addresses. Separate headers won't help much there. The reason for this is that (a) it's simple and (b) many spam sending servers have been compromised and taken over by an attacker, using custom mail sending software, so headers don't matter anymore.
Different headers might still have their merit though, as spamfilters will check those. It just won't help if your server's IP gets blacklisted.
I guess rolling out DKIM might help here, it would give you artificial separation of domains using different domain keys for each. There are some good tutorials on the net on how to set it up with OpenDKIM.
A better solution, used by big mail providers like GMX, is to send mail from a separate IP if it looks like it's spam. The setup for this is a little complicated, as it requires you to scan outgoing mail with spamassassin (or something similar) and to route mail depending on the respective spam value. Not an easy task. Marking spam as such, without sending it through a separate IP, might be enough to convince the other side that you try to prevent spam sent from your server, but this really depends on their spam filter.
The way your server identifies itself during an SMTP conversation is through the HELO command. The smtp_helo_name parameter specifies the name used there. One could try to set up a transport mechanism to use a different name for each sender domain. I'm honestly not sure how difficult that would be.
If you are still set on changing headers: the header_checks tables not only allow you to remove headers, but also to alter them via regular expressions.
Use the REPLACE command to do so. Example:
/^(Message-ID:.*)@your-domain.example(.*)/ REPLACE ${1}@other-domain.example${2}
I'd advise against it, though. It provides too little gain for the effort of finding and setting up the right rules.
I've read everything I could find on verifying e-mail addresses. The widely encountered solution is this, and it doesn't work (for one, actual nslookup output differs significantly from what the article shows, so I don't get an actual address to telnet to).
But then I thought: I don't need to verify the address. I just want to detect a clearly bogus address (such an address that sending a message to it will yield a "delivery failed" response). Is it possible to do in principle, and implement using C++ sockets or Java networking API in particular?
Depending on which operating system and tools you use, verifying the recipient's domain, and whether it is recorded in the DNS with a meaningful MX (mail exchange), you could use dig in place of nslookup. For foo@bar.com,
$ dig bar.com MX
Possibilities of detecting bogus eMail addresses are typically limited, though. Availability largely depends on how "generously" the MTA offers this information. Most don't, these days. The SMTP protocol includes some verbs you could then use, such as VRFY. On the other hand, spammers could do just that, hence … (That's one reason why a mail loop is run, in order to detect valid eMails fairly reliably; embedding, as I'm sure you know, a verification string to be sent back, or passed via URL to some web service.)
SMTP, being a text protocol, would be used via some "transport layers" underlying higher level APIs like JavaMail. I'd look for programmability of these with the programming language used. Typically, there is some socket library, for sending and retrieving lines of text.
I'm implementing an email newsletter sender service using .NET and Windows Server technologies. Are there comprehensive guidelines which could help avoid emails being trapped by spam filters and other mechanisms?
They should cover all aspects of (legal) bulk mail sending: SMTP configuration, DNS, HTML content, images, links within content etc. A simple example: is it better to embed images or load them from a server?
It would be great if you could provide some empirical data to show the efficiency of some measures taken.
Although I don't have a definitive answer, I think this is a very important question.
Here are a few tidbits I know about it:
Choose a clean hosting/smtp server. IP addresses of spamming SMTP servers are often black-listed by other ISPs.
Send a simple introductory email to every subscriber, asking them to add your sender address to their safe list.
Be very prudent in sending to only those people who are actually expecting it. You wouldn't want pattern recognizers of spam filters learning the smell of your content.
If you don't know your smtp servers in advance, it's a good practice to provide configuration options in your application for controlling batch sizes and delay between batches. Some servers don't like large batches or continuous activity.
Unless you have a very specific reason to host the newsletter yourself, I think you'd be much better off using a third party service. There are lots out there, and some are very cheaply priced.
It'll save you on development work (no point in re-inventing the wheel).
Their system will handle all the unsubscribe link stuff that you need to include in email newsletters to comply with CAN SPAM laws or whatever.
They handle the spam reports that you will inevitably get if you have a list of any non-trivial size. They keep records of who signed up, how they signed up, and their IP address, and can present those on receipt of a spam report to prove that their service wasn't sending out spam.
You can use double-opt in (or confirmed opt in), for extra evidence to prove that the people you're sending emails to actually signed up to receive them.
If you really do need to host it yourself I'd suggest you search the web for "email deliverability". Things that are known to help include properly set up SPF records, DomainKeys/DKIM, correct DNS settings (reverse DNS especially - best to just use an online service to check your DNS settings). You can test a lot of these things by sending an email to check-auth@verifier.port25.com.
It's best to avoid using spammy words in your email - always a bit of guesswork this, but some words can trip filters.
But I'd guess that by far the most important thing is to be sending your email from a trusted server that maintains good relationships with ISPs (i.e. ensuring that ISPs don't think that the server is sending out spam). This is a big reason why it's much much easier to get a third party to handle everything for you.