Marc! Why does my emails end up in peoples spam folder? – Mette Stender (My girlfriend)
Actually I couldn’t answer her, I am not a Linux specialist, and do only know the basics. But because I administrate her webpages server (and webmail) on my own VPS, I decided to figure out, how to improve the mail system and escape the evil “spam folders”.
I started Googling how to check spam score of a email, and found this wonderful tool mail-tester.com
Its a pretty easy and nice tool. The only thing you have to do to test the quality of your email, is to send a email to the email shown on the homepage and check your score!
The score page, will show you on which points you can improve.
I my case, it were the authentication part which needed improvements. My Sender Policy Framework (SPF) were not set, and DomainKeys Identified Mail (DKIM) were missing. But what is this, and how do I fix it?
Mail-tester.com tells you the basics and how to fix it, here is a short description:
- Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
- DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.
Set the Sender Policy Framework
To set the SPF, it is required that you have access to manage your DNS records. You have to add a “TXT” record. A “TXT” record, requires a NAME and a VALUE, the NAME should be your domain name eg, example.com, and the VALUE should look like this:
"v=spf1 a mx ip4:126.96.36.199 ~all"
And that’s it! Actually this little TXT-record also fixed your Sender ID. If you like me, have a domain with a PTR pointing to another domain, you can fix it with this entry instead:
"v=spf1 a mx ip4:188.8.131.52 ptr:other.domain.com ~all"
There are a lot of other settings which you can add to your SPF string, and Microsoft have this tool to help you create it, check it out here.
Create a valid DKIM signature
The last thing I will walk through, is you to create and set a valid DKIM signature with postfix (the mail server which I am using).
First of all, you have to install DKIM, this is how its done on Ubuntu:
sudo apt-get install opendkim opendkim-tools
When everything is installed, you have to edit some configuration files, both for DKIM and postfix:
/etc/opendkim.conf /etc/default/opendkim /etc/postfix/main.cf
Use your favorite editor to open the configuration files, we start with /etc/opendkim.conf
Add the following lines at the end, remember to replace example.com with your own domain name.
Domain example.com KeyFile /etc/postfix/dkim.key Selector mail
Save it, and open the dkim default configuration file /etc/default/opendkim
Change the default socket by adding the following line:
Save it, open the postfix main configuration file /etc/postfix/main.cf
Once again, we need to add the following lines to the end:
# DKIM milter_default_action = accept milter_protocol = 2 smtpd_milters = inet:localhost:8891 non_smtpd_milters = inet:localhost:8891
DKIM Key Generation
Enter and run the following command:
opendkim-genkey -t -s mail -d example.com
It is important that “mail” matches the “Selector” value entered earlier in opendkim.conf and of course replace example.com with your own domain name.
This command will generate two files, mail.private and mail.txt. mail.private is the private key, which will be used for signing outgoing emails. It is important that mail.private is located in the same location specified in opendkim.conf, so we have to move it:
cp mail.private /etc/postfix/dkim.key
Creating the DNS record the DKIM signature
We need to create an other DNS record, and just like with SPF, this should be a “TXT” record. The content of this record is to be found in the mail.txt which also were created before. It should look like this:
cat mail.txt mail._domainkey IN TXT ( "v=DKIM1; k=rsa; t=y; " "p=MIGfMA0GCSqGSIb3DQEBAQASDF4GNADCBiQKBgQDUoa+FBatrwEuv7co4QCs2SYHt89rgBuQd0Q11971bubHBtNJH+1JsNVq/4gmG7HBgb6ljo0LMlMUOJm4muNa9Ytfxl5vu2ZSQOPnZd8geFG4cpsj8c3958mlpAqyfCitM6OC2KYhkkGsBobBn1DncNlP/PHU9HoWM/paB8ZheHQIDAFAB" ) ; ----- DKIM key mail for example.com
Remember from the SPF record, a “TXT” record requires a NAME and a VALUE. This time the NAME should be “mail._domainkey.example.com” (or just “mail._domainkey” if your DNS provider enters .example.com automatic).
The VALUE should be the content of mail.txt. Which should end up like this (showing both SPF and DKIM “TXT” records):
Finally, we need to restart the opendkim and postfix services:
service opendkim restart service postfix restart
Verify DNS records
When your DNS records are updated (depends on your DNS provider, can take up to 12 hours), you can verify it using the dig command (Notice the “ANSWER SECTION”, which includes our public key):
dig mail._domainkey.marcz.dk TXT ; <<>> DiG 9.9.2-P1 <<>> mail._domainkey.marcz.dk TXT ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59540 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;mail._domainkey.marcz.dk. IN TXT ;; ANSWER SECTION: mail._domainkey.marcz.dk. 21599 IN TXT "v=DKIM1\; k=rsa\; g=*\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlkC4lUnzd4dF/uDUQKTOz2gNeEQNC0NHR0lvtOXHC+nbjZiLhmU3ExgKt/Dq5FFUWEZ6wsqfua/kbUSp24v10b6OEItE7WJ+1uUZjm/oL6rneb3nphgaptDrPjvkCUJ+V5KjR8sTikZDYN47s3vAgS8uzv2BcHgVVA03EhJRIMQIDAQAB" ;; Query time: 83 msec ;; SERVER: 184.108.40.206#53(220.127.116.11) ;; WHEN: Sun Mar 2 21:51:09 2014 ;; MSG SIZE rcvd: 305
Finally test your score!
You are not ready to test your score at mail-tester.com, and hopefully you are getting a 10/10! Happy emailing!