443 points miles | 2 comments
dankai ◴[] No.40712997[source]
This is a great guide but from my experience, even if you configure it 100% correctly, email services like Gmail may still classify your emails as spam for no apparent reason while not being on any IP or domain blacklist. I tried for hundreds of hours to get around it to no avail, and my emails to Gmail always went to spam unless it was a response to an email from a Gmail address. Had to go back to a 3rd party hosted service (iCloud) because of it.
gerdesj ◴[] No.40713228[source]
I have had a Gmail account from the days when it was invitation only. The inbox contains spam and my test emails and nothing else!

I've run tiny smtp systems for 25 years or so. It can be done. I am based in the UK but at least one of my domains is a .net jobbie, so nominally American. That one still works fine and it is my (ltd) company domain, so all good. The MX records etc have moved around a bit but always very carefully.

It all starts around the IP address you are using. Is it "tainted"? Is it in a tainted block? If it is then you need to either go elsewhere or clean it up and that takes a bit of time. By clean it up I mean apply for removal from the usual suspects' blocklists - Spamcop (lol), Spamhaus and all the rest that you can find.

Now set up PTR records. That has to be done by your ISP. If they can't do it for you, then find a new ISP. If you can't get PTR records to match A records then you may have to give up. One of the first checks an anti-spam system will do is reverse look up an incoming IP address and compare it. Also that should match the HELO/EHLO announced by the SMTP MTA:

SMTP connection from IP address 12.13.14.15 HELO (my name is) smtp.example.co.uk

Receiver will check: smtp.example.co.uk == 12.13.14.15 AND 15.14.13.12.in-addr.arpa == smtp.example.co.uk.

Everyone gets their knickers in a twist about SPF, DKIM and DMARC but if you do not get the prior basics of IP -> A -> HELO -> PTR sorted out first then you will fail sooner or later. I also recommend that you ensure your MX records (receiving) match up too with your sending records. It means you can use mx in SPF, for example.

If you have multiple internet connections and IPs then be absolutely certain that your inbound and outbound IPs for SMTP match up.

Sorted all that? Cool, now proceed to SPF.

Most people fail at the PTR stage. If your ISP will not do PTR for you then you are probably screwed for self hosted SMTP. If you cannot change ISP to one that will, then you are really screwed. Sorry. In that case you will have to engage a service that will route SMTP on your behalf. It won't cost much but you won't own it and you will have to pay someone to do it. Soz.

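The receiver-side check described in the comment above (the HELO name resolves to the connecting IP, and the IP's PTR resolves to that name), as an added Python example that is not part of the thread. The function names, the injectable resolver parameters, and the 12.13.14.16 / host-16.isp.example entries are constructed for illustration.

```python
import socket

# Constructed sample zone data so the check runs offline: the first host is the
# example from the comment above, the second is a made-up misconfigured sender.
SAMPLE_A = {"smtp.example.co.uk": {"12.13.14.15"}, "mail.example.co.uk": {"12.13.14.16"}}
SAMPLE_PTR = {"12.13.14.15": {"smtp.example.co.uk."}, "12.13.14.16": {"host-16.isp.example."}}

def sample_forward(name):
    return SAMPLE_A.get(name, set())

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip, set())

def dns_forward(name):
    """A/AAAA lookup through the system resolver."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def dns_reverse(ip):
    """PTR lookup through the system resolver."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return {host, *aliases}
    except OSError:
        return set()

def norm(name):
    return name.rstrip(".").lower()

def check_sender(ip, helo, forward=dns_forward, reverse=dns_reverse):
    """Return a list of problems in the IP -> A -> HELO -> PTR chain (empty = pass)."""
    problems = []
    helo = norm(helo)
    ptr_names = {norm(n) for n in reverse(ip)}
    if not ptr_names:
        problems.append(f"no PTR record for {ip}")
    elif helo not in ptr_names:
        problems.append(f"PTR {sorted(ptr_names)} does not match HELO {helo}")
    if ip not in forward(helo):
        problems.append(f"HELO name {helo} does not resolve to {ip}")
    for name in sorted(ptr_names - {helo}):
        if ip not in forward(name):  # a PTR name must be forward-confirmed
            problems.append(f"PTR name {name} does not resolve back to {ip}")
    return problems

if __name__ == "__main__":
    for ip, helo in [("12.13.14.15", "smtp.example.co.uk"), ("12.13.14.16", "mail.example.co.uk")]:
        print(ip, helo, check_sender(ip, helo, sample_forward, sample_reverse) or "OK")
```

Calling `check_sender(ip, helo)` without the last two arguments runs the same checks against live DNS through the system resolver.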
1. pteraspidomorph ◴[] No.40713957[source]
It's getting pretty expensive to rent one IPv4 address per domain these days. You also don't always control every address in a block, which means there may be nothing you can do about your reputation no matter where you go.
2. gerdesj ◴[] No.40723385[source]
You only need one IP per MTA not per domain. I have a "vanity" email system that I run at home. I run it for my mates too. I have around 10 domains inbound. It all works fine.

SMTP and SIP are often held aloft as fucked up. My Dad's home telephony runs off a RPi and a Yealink DECT station and a dynamic DNS.

The modern internet might look a bit fucked up if you only look at the X/Facebook/webby wankery stuff but the real internet is functioning quite happily.