How to find the specific email causing DMARC failure? - email

I've implemented a DMARC policy on a few domains and am closely monitoring the reports I'm receiving from Google, Yahoo, Hotmail, etc., looking forward to being able to switch from p=none to p=reject.
99% of all emails from the appropriate IPs are now passing both DKIM and SPF checks and 99% of all failures are from IP addresses I don't recognise.
Nearly perfect!
1%, however, are emails from the correct IP that are failing DKIM.
The DMARC reports provide no way I can see to assist in determining anything about the emails which are failing. If I could just know the subject, the message ID - something, I'd be able to fix it.
Is there absolutely no way to do this?
TY

The Failure Reports (ruf=) option should be what you are looking for.
More at https://dmarc.org/wiki/FAQ#Do_I_want_to_receive_Failure_Reports_.28ruf.3D.29.3F and https://www.rfc-editor.org/rfc/rfc7489#section-7.3.

I suggest the following:
Check the MTAs reporting that your IP is failing: to do this, look in the RUA reports or the RUF reports in which your IP is failing and identify the reporter.
It might be a problem with a single reporter.
Check whether the failure is happening at the moment of verifying SPF/DKIM or at the moment of the alignment evaluation.
Get a RUA report where the IP fails. Then go to the specific record and check the <result> tag. Is it marked as PASS?
If it is marked as PASS, then the IP failed at the moment of alignment verification. To confirm it, check which domain was verified in SPF/DKIM.
I hope I was clear enough. If not please let me know how so that I can edit my answer better.
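The procedure in the answer above, as an added example that is not part of the original answer: keep the aggregate-report records for your own sending IP, then tell a DKIM/SPF verification failure (auth_results result other than pass) apart from an alignment failure (a pass, but for a domain that does not align with the From: domain), and total the non-passing counts per reporter so a single buggy reporter stands out. The XML is a constructed sample in the RFC 7489 aggregate-report schema; the IP 203.0.113.10, the reporter name and every domain in it are placeholders. The organizational-domain helper is a crude approximation (last two labels) and is labelled as such.

```python
"""Triage DMARC aggregate (RUA) records for your own sending IPs.

Added example, not code from the answers on this page. Separates a
DKIM/SPF verification failure from an alignment failure, record by record.
The XML is a constructed sample (RFC 7489 schema); IPs and domains are
placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_RUA = """<feedback>
 <report_metadata><org_name>reporter.invalid</org_name><report_id>r1</report_id></report_metadata>
 <policy_published><domain>example.org</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results><dkim><domain>example.org</domain><selector>s1</selector><result>pass</result></dkim>
   <spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.10</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results><dkim><domain>example.org</domain><selector>s1</selector><result>fail</result></dkim>
   <spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.10</source_ip><count>2</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results><dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
   <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>500</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers>
  <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def org_domain(name):
    """Rough organizational domain (last two labels). Real code should use the
    Public Suffix List; this is enough for the placeholder names above."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain, header_from, mode):
    """Relaxed (r) alignment compares organizational domains, strict (s) the exact name."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def _status(entries, header_from, mode):
    """One verdict per mechanism: 'pass' (aligned pass), 'alignment-fail' (a pass,
    but for a non-aligned domain), 'verify-fail:<results>' (nothing passed) or
    'none' (the reporter saw no signature / no SPF check at all)."""
    if not entries:
        return "none"
    passed = [e for e in entries if e.findtext("result") == "pass"]
    if any(is_aligned(e.findtext("domain") or "", header_from, mode) for e in passed):
        return "pass"
    if passed:
        return "alignment-fail"
    return "verify-fail:" + ",".join(sorted({e.findtext("result") or "?" for e in entries}))


def triage(xml_text, my_ips):
    """One dict per record sent from one of my_ips, with the verified DKIM domains
    so an alignment failure shows which domain the ESP actually signed with."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim, aspf = pub.findtext("adkim") or "r", pub.findtext("aspf") or "r"
    reporter = root.findtext("report_metadata/org_name")
    rows = []
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        if ip not in my_ips:
            continue
        hdr_from = rec.findtext("identifiers/header_from") or ""
        ar = rec.find("auth_results")
        dkims = ar.findall("dkim") if ar is not None else []
        spfs = ar.findall("spf") if ar is not None else []
        rows.append({"reporter": reporter, "ip": ip, "count": int(rec.findtext("row/count") or 0),
                     "dkim": _status(dkims, hdr_from, adkim), "spf": _status(spfs, hdr_from, aspf),
                     "dkim_domains": [d.findtext("domain") for d in dkims]})
    return rows


def failing_dkim_by_reporter(rows):
    """Message counts per (reporter, DKIM verdict) for records whose DKIM is not 'pass'."""
    totals = defaultdict(int)
    for r in rows:
        if r["dkim"] != "pass":
            totals[(r["reporter"], r["dkim"])] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    rows = triage(SAMPLE_RUA, {"203.0.113.10"})
    for r in rows:
        print(r)
    print(failing_dkim_by_reporter(rows))
```

Run it over every RUA file you have received (they arrive as gzip or zip attachments) and compare the per-reporter totals: a "verify-fail" that appears only for one reporter points at that reporter's validator, while an "alignment-fail" with a foreign domain in dkim_domains points at a mail stream signed by a vendor with its own domain.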

Some ESPs (Email Service Providers) use their own DKIM validators, and they have bugs in them. So your DKIM will pass at 95% of the ESPs and, let's say, the remaining 5% has a bug in it, failing your DKIM for whatever reason. I have seen this time and time again, and it's not your fault, just the fault of a bad component at that ESP.
Testers like MailTest check your DKIM with 4 different providers, and even they say in their knowledge base that discrepancies can occur because of bugs in the individual validator in question. It's not going to be 100% perfect, but keep your DKIM signature simple (use relaxed canonicalization instead of simple), don't sign repeating fields, don't sign the same field twice, etc. Anything that will confuse a validator, try to avoid.

Related

How to check the deliverability of my outgoing email (spam, dkim, dmarc, spf)

The project I'm working on is a newsletter builder, and I'm on its final steps. Now I need to verify SPF, DKIM and DMARC (which I don't know what they mean or how they work). Then I also need to check if my email is considered spam or if any of the news contains spam (separately). I tried to read the documentation of 2 great spam checkers (SpamAssassin and rspamd) and I couldn't understand anything about how they are supposed to be integrated into my project. I think all my problems are due to my lack of knowledge related to emails/email servers and related stuff. I'd really appreciate it if someone could enlighten me about what steps I need to take, whether I really need to set up an email server to test this out, how to do it, etc. I'm really in the dark here. I know the enterprise I'm doing this work for was already sending emails from their domain, but I don't think they gave me access to that.
The following link may be useful to you; it's a document from iRedMail (an open source mail server solution):
https://docs.iredmail.org/setup.dns.html
You don't need to know what iRedMail is, just check the introduction to each DNS record.
For me, these introductions are enough; if you want a more detailed introduction, Wikipedia and the official websites may be more useful.
For checking spam status and DNS records such as SPF, DKIM, etc., setting up SpamAssassin or rspamd by yourself may be complicated, but there are many free services available.
I often use the following (I have my own mail server, so I sometimes use these services for testing):
https://www.mail-tester.com/
https://mxtoolbox.com/

How do I find out what caused our mail server to get listed in UCEPROTECT-1?

Our IP address recently got listed on UCEPROTECT-1 as a potential spam address, and we aren't able to figure out how to stop this. According to their website, UCEPROTECT-1 listing happens when: IP's get listed in Level 1 automatically if they either try to deliver e-mails to spamtraps or if they are involved in port scans or probes or any kind of attacks against our servers
Some research online suggests that the only way to ensure it doesn't happen again is to find out what is triggering these spam traps and plug them.
Any idea how we can go about looking for what is triggering these automatic listings? Any help would be appreciated!
Some background:
We use GSuite for our email servers, wix.com for our website, and namecheap.com for our DNS.
We'd originally paid to not be listed in the UCEPROTECT-2 and 3 listings but were automatically removed as soon as we got listed under UCEPROTECT-1.
I don't know how G-Suite works, but in general check:
the log files of the outgoing e-mail servers for days with "strange" recipient patterns or for more e-mails than on other days;
whether your domain is listed on other blacklists; maybe that gives you other hints.
The problem is: if you are using the outgoing e-mail servers from Google and some of them are listed on UCEProtect (because other G-Suite customers are sending spam, mostly without knowing it because they are hacked), you have little chance of fixing this yourself. This is not really uncommon; me.com/icloud.com (17.58.63.0/24) is listed at UCEProtect right now too.
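The log check the answer above suggests, as an added example that is not part of the original answer: parse outbound delivery logs, build per-day volume, distinct-recipient-domain and failure counts, flag days that stand out against the other days, and name the account behind them. The log lines are constructed in Postfix's qmgr/smtp format (hosts, queue ids and addresses are placeholders; a Google Workspace tenant would export the equivalent from its admin log search), and the thresholds (3x the median volume, 20% failure ratio) are illustrative, not a standard.

```python
"""Find the day, and the account, behind a sudden change in outbound mail.

Added example, not from the answer above. Lines are constructed in Postfix
qmgr/smtp log format; thresholds are illustrative.
"""
import re
from collections import Counter, defaultdict
from statistics import median

LINE_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) [\d:]+ \S+ postfix/\w+\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")


def parse_postfix(lines):
    """Join each qmgr 'from=' line with the smtp 'to=' lines of the same queue id.
    Returns (date, sender, recipient, status) tuples."""
    sender_of, deliveries = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        date = f"{m['mon']} {int(m['day']):02d}"
        f = FROM_RE.search(m["rest"])
        if f:
            sender_of[m["qid"]] = f["addr"]
            continue
        t = TO_RE.search(m["rest"])
        if t:
            deliveries.append((date, sender_of.get(m["qid"], "?"), t["addr"], t["status"]))
    return deliveries


def daily_stats(deliveries):
    """Per day: messages sent, distinct recipient domains, non-'sent' outcomes."""
    per_day = defaultdict(lambda: {"sent": 0, "domains": set(), "failed": 0})
    for date, _sender, rcpt, status in deliveries:
        d = per_day[date]
        d["sent"] += 1
        d["domains"].add(rcpt.rsplit("@", 1)[-1].lower())
        if status != "sent":
            d["failed"] += 1
    return per_day


def flag_days(per_day, factor=3.0, max_fail_ratio=0.2):
    """Days whose volume exceeds factor x the median of the other days, or whose
    failure ratio exceeds max_fail_ratio (guessed or scraped address lists bounce a lot)."""
    flagged = []
    for date, s in per_day.items():
        others = [o["sent"] for d, o in per_day.items() if d != date] or [s["sent"]]
        if s["sent"] > factor * max(median(others), 1) or s["failed"] > max_fail_ratio * s["sent"]:
            flagged.append(date)
    return sorted(flagged)


def top_senders(deliveries, date, n=3):
    """Accounts responsible for the most messages on one day."""
    return Counter(s for d, s, _, _ in deliveries if d == date).most_common(n)


def constructed_log():
    """Constructed input: three quiet days, then one account mailing 30 never-seen
    domains with a third of them failing, the pattern of a compromised mailbox."""
    lines, qid = [], 0x1000

    def msg(day, sender, rcpt, status="sent"):
        nonlocal qid
        qid += 1
        detail = "250 2.0.0 OK" if status == "sent" else "550 5.1.1 unknown user"
        lines.append(f"Mar {day:2d} 09:00:00 mx1 postfix/qmgr[2001]: {qid:X}: "
                     f"from=<{sender}>, size=2048, nrcpt=1 (queue active)")
        lines.append(f"Mar {day:2d} 09:00:01 mx1 postfix/smtp[2002]: {qid:X}: to=<{rcpt}>, "
                     f"relay=mx.{rcpt.split('@')[1]}[192.0.2.1]:25, delay=1, status={status} ({detail})")

    for day in (1, 2, 3):
        for i in range(4):
            msg(day, "sales@example.org", f"customer{i}@partner.example.com")
    for i in range(30):
        msg(4, "jane@example.org", f"user{i}@host{i}.example.net", "sent" if i % 3 else "bounced")
    return lines


if __name__ == "__main__":
    rows = parse_postfix(constructed_log())
    stats = daily_stats(rows)
    for day in flag_days(stats):
        print(day, stats[day]["sent"], "msgs,", len(stats[day]["domains"]), "domains,", top_senders(rows, day))
```

Once a day and an account are flagged, the recipients on that day are the list to inspect: addresses on domains you have never mailed before, and the bounced ones in particular, are the likeliest spamtrap hits.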

Mailjet: alert on undelivered recipients

I'm aware this may not be the right place to ask this, but I don't know where else and others may encounter the same issue.
I'd like to have an aggregated view (or an alert) when some recipients in my contact list don't receive any of the emails my app sends. Is this possible?
I checked the alert feature in the docs, but it doesn't seem to do what I need. This seems like a pretty common need, so it may not be necessary to set up webhooks and my own app logic to handle this, would it?
Thanks
I have also faced the same issue with cPanel and many other providers like Mailchimp. This usually happens due to an empty Subject, because of which cross-server contacts may not happen. Also, if you are using PHP mail() or the sendmail function instead of SMTP, you need to be using TLS 1.2 or TLS 1.3; 1.0 is also supported, but many of my e-mails were not delivered, so I upgraded to TLS 1.3. Also, check if your mail goes to the spam folder. In that case, increase your website and domain score and try to rank in Google Safe Browsing. This also happens due to a misleading hosting provider whose SMTP servers are not set up correctly, or a provider that sends many spam messages, due to which your domain score may have got low. I currently use interserver_smtp and cloudmate_smtp collectively for all my clients, as InterServer deliverability in India is low and CloudMate works correctly in both Texas and India. Try cPanel or Plesk, as they have the best deliverability. One more thing: this could also be a DNS issue. Check your DNS settings to see whether the MX records are pointed to the Mailjet servers.

How to fix the "421 RP-001 The mail server IP connecting to Windows Live Hotmail server has exceeded the rate limit" problem?

We run a large online community in the Netherlands. Because of that we send a lot of mail to the hotmail email addresses of our members.
Recently we have noticed that not all mail is reaching our members, because we have hit a certain limit or so it seems.
Google doesn't give a solution (yet) but we see a lot of others having the same problem.
Note: we added SPF records for our domain long ago, in both TXT and SPF record types.
What else can we do to tackle this problem?
// Ryan
To add to what bzlm said, Hotmail probably isn't rejecting your mails so much as trying to use rate limiting to prevent spam. That said, there are a few potential solutions you could use here. You could contact Hotmail and see about getting exemption status for your mail server from their rate limiting. Depending on the size of your community, they may or may not respond to you or be willing to work with you. I suggest this only as the "diplomatic" solution.
Or, you could set up two mail servers; one for hotmail users, and one for everybody else. I know from some of the sites that I run that a lot of people register with hotmail accounts, mostly because everybody has one which they use as a "spam dump" for online services where they don't want to use their real email address. So, as you no doubt realize, the number of hotmail users in your database represents a fairly substantial percentage. Therefore, when you need to send an email, you could determine whether to send it to your normal SMTP server, or your hotmail-designated one. On the hotmail SMTP service, you'd need to add some type of waiting mechanism to sleep a certain amount of time after receiving a 421 response.
The problem with this idea is that the number of hotmail users you have, plus the delay you'll encounter in sending, means that the queue length might very well exceed the number of mails you must send. You could alleviate this problem by setting up secondary/tertiary servers, preferably on other networks... but I'm getting ahead of myself here. At any rate, I did a bit of googling around (as you probably have, too), and this isn't such an uncommon problem, but there is no obvious solution to it.
So likely, you'll either have to create some type of slightly-unorthodox network workaround, or try the "diplomatic" route and contact an organization unlikely to care about your problem. I'd suggest doing both in parallel. :)
421 means that the service is not currently available, and that the client should try again. This could be for any number of reasons, including trying to discourage you from too frequent mailing if Hotmail thinks you might be a spambot.
Why not simply let your outbound smtpd queue the mails and try again?
Why is "not all mail reaching your members"? Don't you try again if you get a 421 response?
EDIT: Do what sqook says.
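The queue-and-retry behaviour the two answers above describe (a separate delivery path that sleeps after a 421, and an outbound queue that simply tries again), as an added example that is not part of either answer. The sender keeps one FIFO and one exponential-backoff state per recipient domain, so a throttled Hotmail queue does not hold up mail to everyone else, drops 5xx recipients from the list instead of retrying them, and hands back to the operator after a fixed number of 421s. Delivery is behind a callable that returns the SMTP reply code, so the block runs offline against a stub server; the stub's limit (2 messages per 60 s) and the backoff base (30 s) are invented for the demonstration and are not Hotmail's real thresholds. SimClock, ThrottlingServer and DomainQueue are names chosen here.

```python
"""Outbound queue with per-destination-domain backoff on SMTP 421.

Added example, not from any answer on this page. The server stub, its rate
limit and the backoff parameters are invented for the demonstration.
"""
import time
from collections import defaultdict, deque


class SimClock:
    """Fake clock so the demo runs instantly; real use passes time.monotonic/time.sleep."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class ThrottlingServer:
    """Stub receiver: per recipient domain, `limit` messages per `window` seconds, else 421."""
    def __init__(self, clock, limit=2, window=60.0):
        self.clock, self.limit, self.window = clock, limit, window
        self.accepted = defaultdict(deque)   # domain -> timestamps of accepted messages
        self.replies = []                    # (time, rcpt, code) for inspection

    def send(self, rcpt, msg):
        now, domain = self.clock.now(), rcpt.rsplit("@", 1)[-1]
        recent = self.accepted[domain]
        while recent and recent[0] <= now - self.window:
            recent.popleft()
        if domain == "invalid.example":
            code = 550                       # permanent failure: remove from the list
        elif len(recent) >= self.limit:
            code = 421                       # "exceeded the rate limit": try later
        else:
            recent.append(now)
            code = 250
        self.replies.append((now, rcpt, code))
        return code


class DomainQueue:
    """One FIFO and one backoff state per recipient domain."""
    def __init__(self, send, clock, base=30.0, cap=3600.0, max_attempts=6):
        self.send, self.clock = send, clock
        self.base, self.cap, self.max_attempts = base, cap, max_attempts
        self.queues = defaultdict(deque)
        self.next_ok = defaultdict(float)    # earliest time we may talk to a domain again
        self.strikes = defaultdict(int)      # consecutive 421s per domain
        self.delivered, self.bounced, self.deferred = [], [], []

    def enqueue(self, rcpt, msg):
        self.queues[rcpt.rsplit("@", 1)[-1].lower()].append((rcpt, msg, 0))

    def run(self):
        """Drain every queue; returns (delivered, bounced, deferred) counts."""
        while any(self.queues.values()):
            progressed = False
            for domain, q in list(self.queues.items()):
                if not q or self.clock.now() < self.next_ok[domain]:
                    continue                 # this domain is still in its backoff window
                rcpt, msg, attempts = q[0]
                code = self.send(rcpt, msg)
                progressed = True
                if code == 421:
                    self.strikes[domain] += 1
                    delay = min(self.cap, self.base * 2 ** (self.strikes[domain] - 1))
                    self.next_ok[domain] = self.clock.now() + delay
                    if attempts + 1 >= self.max_attempts:
                        q.popleft()
                        self.deferred.append(rcpt)   # give up; an operator must look at it
                    else:
                        q[0] = (rcpt, msg, attempts + 1)
                else:
                    q.popleft()
                    self.strikes[domain] = 0
                    (self.delivered if code < 300 else self.bounced).append(rcpt)
            if not progressed:               # everything left is throttled: wait for the soonest
                pending = [self.next_ok[d] for d, q in self.queues.items() if q]
                self.clock.sleep(max(0.0, min(pending) - self.clock.now()))
        return len(self.delivered), len(self.bounced), len(self.deferred)


def demo(n_throttled_domain=5):
    """Five messages to the throttled domain, one elsewhere, one to a dead address."""
    clock = SimClock()
    server = ThrottlingServer(clock)
    q = DomainQueue(server.send, clock)
    for i in range(n_throttled_domain):
        q.enqueue(f"member{i}@hotmail.example", f"newsletter #{i}")
    q.enqueue("someone@other.example", "newsletter")
    q.enqueue("gone@invalid.example", "newsletter")
    result = q.run()
    throttled = sum(1 for _, _, code in server.replies if code == 421)
    return result, throttled, clock.now()


if __name__ == "__main__":
    print(demo())
```

With real SMTP, `send` would wrap smtplib and return the code from the recipient or data phase; the point is that a 421 never loses the message and never stalls the other domains, which is what a normal MTA queue already does for you if you let it.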
The only real way to "get around" this is to become a good e-mail citizen. Make it easy for people to unsubscribe from your notifications, establish complaint feedback loops with the major mail providers, remove bouncing e-mails from your list automatically, don't send people e-mails they don't want to receive. Failing to adhere to these simple requirements makes you look like a spammer, and providers like Hotmail will treat you like one.
The mail server IP connecting to Outlook.com server has exceeded the rate limit allowed. Reason for rate limitation is related to IP/domain reputation. If you are not an email/network admin please contact your Email/Internet Service Provider for help.
https://mail.live.com/mail/troubleshooting.aspx
I advise you to wait some time.

Guidelines for email newsletter service

I'm implementing an email newsletter sender service using .NET and Windows Server technologies. Are there comprehensive guidelines which could help avoid emails being trapped by spam filters and other mechanisms?
They should cover all aspects of (legal) bulk mail sending: SMTP configuration, DNS, HTML content, images, links within content etc. A simple example: is it better to embed images or load them from a server?
It would be great if you could provide some empirical data to show the efficiency of some measures taken.
Although I don't have a definitive answer, I think this is a very important question.
Here are few tidbits I know about it
Choose a clean hosting/smtp server. IP addresses of spamming SMTP servers are often black-listed by other ISPs.
Send a simple introductory email to every subscriber, asking them to add your sender address to their safe list.
Be very prudent in sending to only those people who are actually expecting it. You wouldn't want pattern recognizers of spam filters learning the smell of your content.
If you don't know your SMTP servers in advance, it's good practice to provide configuration options in your application for controlling batch sizes and the delay between batches. Some servers don't like large batches or continuous activity.
Unless you have a very specific reason to host the newsletter yourself, I think you'd be much better off using a third party service. There are lots out there, and some are very cheaply priced.
It'll save you on development work (no point in re-inventing the wheel).
Their system will handle all the unsubscribe link stuff that you need to include in email newsletters to comply with CAN-SPAM laws or whatever.
They handle the spam reports that you will inevitably get if you have a list of any non-trivial size.
They keep records of who signed up, how they signed up, and their IP address, and can present those on receipt of a spam report to prove that their service wasn't sending out spam.
You can use double opt-in (or confirmed opt-in) for extra evidence to prove that the people you're sending emails to actually signed up to receive them.
If you really do need to host it yourself, I'd suggest you search the web for "email deliverability". Things that are known to help include properly set up SPF records, DomainKeys/DKIM, and correct DNS settings (reverse DNS especially; best to just use an online service to check your DNS settings). You can test a lot of these things by sending an email to check-auth@verifier.port25.com.
It's best to avoid using spammy words in your email; this is always a bit of guesswork, but some words can trip filters.
But I'd guess that by far the most important thing is to be sending your email from a trusted server that maintains good relationships with ISPs (i.e. ensuring that ISPs don't think that the server is sending out spam). This is a big reason why it's much much easier to get a third party to handle everything for you.