A few tips from setting up SPF/DMARC/DKIM for a SaaS service:<p>* SPF: limit your record and all includes to 10 DNS lookups (e.g., "A MX include:_spf.google.com" is 3 DNS lookups plus all of the lookups inside the include).<p>* DMARC: to see a strict reject policy, check out Yahoo:<p><pre><code> $ dig +short -t txt _dmarc.yahoo.com
"v=DMARC1\; p=reject\; pct=100\; rua=mailto:dmarc_y_rua@yahoo.com\;"
</code></pre>
* Mail forwarding: if your app sends mail as the logged-in user, make sure the user's actual email address is not in the FROM address, as Yahoo does not authorize you to send FROM: xxxx@yahoo.com<p>* DMARC emails: use dmarcian.com to parse and process the auto-generated emails<p>* SPF: use ~all for your first day of testing and then lock it down to -all after testing is complete<p>* DKIM: OpenDKIM appears to be the most widely supported Linux software package.<p>* DKIM keys: set up a TXT entry you control and ask the client to CNAME it. Then set up key rotation.
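An added example (not from the comment above) that checks the two SPF points made here, the 10-lookup budget and the ~all/-all qualifier, against an in-memory stand-in for DNS. Every record in FAKE_DNS is constructed, including the Google and SendGrid include chains, which are not the real ones.

```python
# Constructed TXT records standing in for DNS; the netblocks are documentation ranges.
FAKE_DNS = {
    "example.com": "v=spf1 a mx include:_spf.google.com include:sendgrid.net ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com -all",
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 -all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",   # misconfigured: includes itself
}

# Mechanisms that each cost one DNS lookup toward the RFC 7208 limit (ip4/ip6 are free).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def count_spf_lookups(domain, dns=FAKE_DNS, path=()):
    """Return (lookups, all_qualifier) for domain's SPF record, includes counted."""
    if domain in path:                       # cycle through includes/redirects
        raise ValueError(f"SPF include loop: {' -> '.join(path + (domain,))}")
    record = dns.get(domain, "")
    if not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    lookups, qualifier = 0, None
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        if body.startswith("redirect="):     # modifier: one lookup plus the target's
            lookups += 1 + count_spf_lookups(body[len("redirect="):], dns, path + (domain,))[0]
            continue
        name, _, arg = body.partition(":")   # "include:foo" -> ("include", "foo")
        name = name.split("/")[0]            # drop a CIDR suffix such as "a/24"
        if name == "all":
            qualifier = qual
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
            if name == "include":            # the included record's lookups count too
                lookups += count_spf_lookups(arg, dns, path + (domain,))[0]
    return lookups, qualifier


def spf_report(domain, dns=FAKE_DNS):
    """One-line verdict: lookup budget and whether the 'all' term is decisive."""
    n, q = count_spf_lookups(domain, dns)
    budget = "OK" if n <= 10 else "OVER LIMIT (receivers return permerror)"
    meaning = {"-": "hard fail", "~": "soft fail (testing only)", "?": "neutral", "+": "pass (allows anyone)"}
    return f"{domain}: {n}/10 lookups {budget}; all={q} {meaning.get(q, 'missing')}"
```

Run `spf_report("example.com")` to see the constructed domain come in at 6 lookups with a soft-fail qualifier, which is the state the tip above says to leave once testing is done.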
I've had great luck with my personal email servers thanks to this tool: <a href="https://www.mail-tester.com/" rel="nofollow">https://www.mail-tester.com/</a><p>Gives you a score and suggestions on improving it to reduce the chance of hitting the spam filter.
Just to throw this out, I'm the guy responsible for one of the "top 10" DMARC reporting engines on the Internet in terms of volume. If anyone would like to chat about DMARC in the real world or about the DMARC reports (that they are very likely receiving from my employer's domain name), feel free to reach out to me.<p>My email is my username at my username dot org.
I resent that IP-block-based filtering is done anymore. Legit people are using VPS to send email, and email is a fundamental decentralized protocol of the internet. It's really crappy that in this age of DKIM/SPF/DMARC, we can't do away with IP filtering.
Thanks for posting this. I know it's on a WordPress site but definitely applies to way more people than just that audience. I hope to build the article out even more and get super specific with various vendors like Mandrill, Amazon SES, Sendgrid, etc.
I think it's pretty weak they're advertising the use of "~all" in their spf records. Either use "-all" or just don't use SPF I would say. If you can't make a decisive statement about your own domain then it won't be actionable for receivers that evaluate your records.
I host my own email at home on a domestic connection with a domestic fixed ipv4 and I only set up SPF.<p>Most e-mail providers accept my email.<p>More accurately: in the last two years only gmx.de rejected one email.
I have found that the site <a href="https://mxtoolbox.com/" rel="nofollow">https://mxtoolbox.com/</a> is very good for scanning your records for SPF/DMARC/DKIM and pointing out problems. Unfortunately even with implementing all of this some email providers are heavy handed with rejecting mail from smaller mail servers. For instance Yahoo will usually block all of your mail without appealing to them, and Verizon will not allow any email originating from a VPS source like Digital Ocean or AWS. Ironically I found that out when going to report someone on Verizon's network trying to brute force my SMTP server. Mail to abuse was rejected.
Sendgrid has a nice implementation for DKIM too. They set up 2 DKIM CNAME records that point to a DNS entry with an id number in it for you. Periodically, they rotate DKIM keys, and by having the 2 CNAMEs they can easily transition without concerns about something getting lost in transit.
<p><pre><code> _domainkey.yoursite.com TXT "t=y; o=~;"
</code></pre>
Does anyone know how necessary this entry is, as opposed to just having records beginning with selectors?<p>It seems like the t=y means that testing is on and to not actually block messages that fail DKIM, and o=~ means that some messages aren't signed. I'm not sure why the article is suggesting people use those settings, since they are entirely variable between different users and their config.
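As an added example (not from the thread, and not SendGrid's code), the following Python follows the vendor-CNAME indirection described two comments up and interprets the selector tags and the legacy `_domainkey` record asked about here. The vendor zone `u12345.vendor.example` and the `p=` values are constructed placeholders; the `o=` and `t=` meanings are those of the pre-DKIM DomainKeys policy record (RFC 4870), which DKIM proper (RFC 6376) no longer consults.

```python
# Constructed stand-in for DNS: vendor zone names and "p=" values are made up.
FAKE_DNS = {
    # Customer zone: two selectors, each a CNAME into the vendor's zone.
    "s1._domainkey.example.com": ("CNAME", "s1.domainkey.u12345.vendor.example"),
    "s2._domainkey.example.com": ("CNAME", "s2.domainkey.u12345.vendor.example"),
    # Vendor zone: the key records the vendor rotates on its own schedule.
    "s1.domainkey.u12345.vendor.example": ("TXT", "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_KEY_1"),
    "s2.domainkey.u12345.vendor.example": ("TXT", "v=DKIM1; k=rsa; p="),
    # Legacy DomainKeys policy record from the thread; RFC 6376 DKIM does not use it.
    "_domainkey.example.com": ("TXT", "t=y; o=~;"),
}

def resolve_txt(name, dns=FAKE_DNS, max_hops=5):
    """Follow CNAMEs from name; return (final_name, txt_value, hops)."""
    for hops in range(max_hops + 1):
        rtype, value = dns.get(name, (None, None))
        if rtype == "TXT":
            return name, value, hops
        if rtype != "CNAME":
            raise LookupError(f"no TXT or CNAME at {name}")
        name = value
    raise LookupError(f"CNAME chain longer than {max_hops} hops")

def parse_tags(txt):
    """Split 'k=v; k2=v2;' into a dict; an empty value such as 'p=' is kept."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def check_selector(selector, domain, dns=FAKE_DNS):
    """Report where a selector's key really lives and how its flags affect verifiers."""
    key_host, txt, hops = resolve_txt(f"{selector}._domainkey.{domain}", dns)
    tags = parse_tags(txt)
    return {
        "key_host": key_host,
        "cname_hops": hops,
        "testing": "y" in tags.get("t", ""),  # t=y: verifiers treat the mail as unsigned
        "revoked": tags.get("p", "") == "",   # empty p= revokes the selector
    }

def legacy_policy(domain, dns=FAKE_DNS):
    """Interpret the old '_domainkey' record: o=- every message is signed, o=~ only some."""
    tags = parse_tags(resolve_txt(f"_domainkey.{domain}", dns)[1])
    return {"testing": tags.get("t") == "y", "all_signed": tags.get("o") == "-"}
```

`check_selector("s1", "example.com")` shows the key sitting in the vendor zone one CNAME hop away and still flagged testing, which is the kind of leftover a record scanner should surface before the ~all/-all style lock-down.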
Say I want a personal domain and have the MX not be Google or Fastmail, how complete is the implementation of these standards on major email providers' SMTP setups? Would I need to do thorough research or is it reasonable to expect it to just work in a, say, European SMTP hoster's configuration?
I don't like the implication that the work outlined in this article is reasonable.<p>Imagine if there were a detailed guide on how to keep the post office from throwing out the letters you send?<p>Because mail that you personally send out by definition isn't spam - so you are doing work to get around broken spam filters.<p>Why can't you just pay $10 or something as a deposit and, since you're not actually a spammer and nobody will ever actually mark what you send as spam, never lose that deposit.<p>This guide should be like four lines long and take 5 minutes to follow.<p>I mean after glancing at that write-up, I'd never dream of running my own mail server. I use gmail. Why would I jump through hoops and still risk having letters I took the time to write, still marked as spam? I lose on two counts! (invest time, for a worse outcome.)<p>This part of the industry is broken. I think a deposit paid by non-spammers which they lose if people start marking their letters spam, might fix it.
I am surprised that almost no one seems to be using DKIM. I tried setting a higher spam weight on unsigned emails and half of my emails ended up in the spam folder.<p>SPF is used more frequently.
It's worth keeping in mind that the real value of SPF records isn't preventing you from receiving spam (aside from backscatter), but to prevent Joe-jobs.
I wrote this a while ago. I have SPF, DMARC and DKIM all implemented on my mail domain and I still get put in the spam folder:<p><a href="http://penguindreams.org/blog/how-google-and-microsoft-made-email-unreliable/" rel="nofollow">http://penguindreams.org/blog/how-google-and-microsoft-made-...</a><p>I think part of it might be that I use Linode, and there are other spammers in their data centre, so I could just be on a subnet bad list. But I think a lot of it has to do with Google/Microsoft's spam filters just being crazy over aggressive.