Most active commenters
  • csomar(3)
  • jeroenhd(3)
  • vel0city(3)

←back to thread

Spammers are better at SPF, DKIM, and DMARC than everyone else

(toad.social)
429 points pabs3 | 26 comments | 25 Mar 25 08:14 UTC | HN request time: 0.634s | source | bottom
1. csomar ◴[25 Mar 25 10:54 UTC] No.43469802[source]
I am just having this problem. Actually getting SPF, DKIM and DMARC right and having a domain with a 0 spam score will still land you in the spam directory. It turns out, you need to have a "reputation"? before your email gets accepted into gmail. My head was spinning as to how that reputation will be built if your email just goes straight to spam.

But sure, Linkedin emails are definitively not spam and their dark-patterns at adding you at n+1 emailing list doesn't get them banned from the big (or any?) provider.

replies(7): >>43469848 #>>43469853 #>>43469860 #>>43470045 #>>43470203 #>>43470850 #>>43473318 #
2. petemir ◴[25 Mar 25 11:04 UTC] No.43469848[source]
I worked on this for a while, at a time and in a market where most of our recipients had @hotmail addresses. I discovered that mass email sending was akin to a "pay-to-win" game.

We had/opted to acquire the services of a company "expert in email deliverability" (Return Path), who somehow provided detailed metrics of how our IPs were scored by MSFT. I always wondered why MSFT didn't provide those scores by themselves, and how a 3rd. party could have access to them.

Re. your comment... slow ramp-up is the only way, with constant monitoring of deliverability and consequent adjusting of recipients (i.e. removing those who do not open or hard-bounce). I did also wonder if paying that company perhaps gave us a headstart when adding new IPs...

replies(1): >>43469872 #
3. jeroenhd ◴[25 Mar 25 11:05 UTC] No.43469853[source]
It's easy, you just have to have a regular, decently sized volume of non-spam emails, and suddenly your email stops being marked as spam!

The logic isn't even that bad. SPF and DKIM serve to prove to the email who the sender is. That doesn't mean much if the sender is a spammer. Verifying identity claims is only the first part in checking email for spam, the harder part is checking if that identity is someone you trust.

When you email Outlook or Google, you're better sending more than a few every single day, and the recipient better manually drag those emails from their spam folders to their inbox, or they're all being learned as spam.

replies(4): >>43469884 #>>43469985 #>>43473673 #>>43477378 #
4. bbarnett ◴[25 Mar 25 11:05 UTC] No.43469860[source]
This isn't a problem for personal emails, as after a request or two friends will unspam you. Google blackholes emails, breaking all mail logic (no bounce), so I assure you the SPAM folder is a good gmail sign.

I would imagine that on the corporate side, your employees could do the same. Beyond that, if you're sending spammy stuff, have unsubscribe headers and links in emails.

5. bbarnett ◴[25 Mar 25 11:07 UTC] No.43469872[source]
Turn on dmarc reporting. There are loads of tools to read the resulting xml.
6. csomar ◴[25 Mar 25 11:10 UTC] No.43469884[source]
> It's easy, you just have to have a regular, decently sized volume of non-spam emails, and suddenly your email stops being marked as spam!

The domain is new and didn't send a single email until I tested it.

Edit: The domain is actually a bit old but was parked/inactive for a while, though the email was used only for receiving.

replies(1): >>43469921 #
7. jeroenhd ◴[25 Mar 25 11:17 UTC] No.43469921{3}[source]
Yup, that'll get you stuck in spam limbo alright. Good luck climbing out if it if you're initiating conversations with anyone on Gmail or Outlook (or, even worse, corporate Outlook).

Those email services will usually have no trouble with replies to emails sent from their service, so if you get someone to email you first you'll save them the trouble of dragging your email from their spam folder to their inbox.

replies(1): >>43470268 #
8. cuu508 ◴[25 Mar 25 11:28 UTC] No.43469985[source]
And you have to build up the volume gradually. In the industry this is called "warming up IP addresses". See for example https://help.elasticemail.com/en/articles/2788598-how-to-war... or https://docs.aws.amazon.com/ses/latest/dg/dedicated-ip-warmi...
replies(1): >>43470257 #
9. Gigachad ◴[25 Mar 25 11:38 UTC] No.43470045[source]
I think the domain rep is worth less than IP rep. I had occasional issues sending issues when I self hosted on a VPS. When I moved my domain to Fastmail I haven’t ever had my emails go to spam.

Most home and VPS IP ranges have negative rep.

replies(2): >>43470184 #>>43474796 #
10. csomar ◴[25 Mar 25 11:59 UTC] No.43470184[source]
I am sending from SES. Interestingly, I didn't have a problem getting the email delivered to inbox in fastmail despite having an aggressive "protection level".
11. akimbostrawman ◴[25 Mar 25 12:02 UTC] No.43470203[source]
It's almost like all those bad actors (linkedin) are owned and controlled by the big players (microsoft) that benefit from email being only commodity they can provide.
12. sharemywin ◴[25 Mar 25 12:09 UTC] No.43470257{3}[source]
which goes to the original title. spammers are better that this stuff then regular businesses.
13. gus_massa ◴[25 Mar 25 12:10 UTC] No.43470268{4}[source]
With Outlook, in my university the problem was that when we send emails they disappeared mid air, no bounce, no spam folder. The solution was that they must write an email from the Outlook address, after that we are added to a secret good list and we can write them.
replies(1): >>43470319 #
14. jeroenhd ◴[25 Mar 25 12:17 UTC] No.43470319{5}[source]
I've had to figure out a problem with reaching university Outlook servers where the Outlook server didn't like the (spec compliant) way my email server was writing the From address and rewrote it halfway through the spam filtering chain.

Then it checked the DKIM signature on the message it REWROTE ON ITS OWN and decided that the signature didn't match, and rejected my email.

Corporate email stacks are hell.

replies(2): >>43470352 #>>43474725 #
15. wizzwizz4 ◴[25 Mar 25 12:22 UTC] No.43470352{6}[source]
Do you have a write-up of this, anywhere? I'd appreciate the details (what format did it reject? what did it change it to? what version of Exchange?).
replies(2): >>43473163 #>>43474765 #
16. thesuitonym ◴[25 Mar 25 13:18 UTC] No.43470850[source]
> Actually getting SPF, DKIM and DMARC right and having a domain with a 0 spam score will still land you in the spam directory.

This little bit of wisdom gets passed around all the time, but it's actually not true. You can send email from a brand new domain to Google and Microsoft and whoever just fine. What you can't do is send email from a brand new domain, and a brand new email server--or an email server on a VPS, or an email server on a residential IP. Residential IP blocks are almost completely blocked, because of unsecured devices being used to send spam, and VPS blocks have the same problem. You can get around this by using a mail relay, or building your domains reputation on a server that already has a good reputation.

replies(1): >>43471494 #
17. teeray ◴[25 Mar 25 14:05 UTC] No.43471494[source]
> or an email server on a VPS, or an email server on a residential IP

So what options are left for a self-hoster. Colo?

replies(2): >>43471884 #>>43472755 #
18. toast0 ◴[25 Mar 25 14:37 UTC] No.43471884{3}[source]
Find a host that cares about their reputation. It can be hard to know who responds to abuse reports, but if they mention it in their TOS that's a positive. Also, many hosts block outbound port 25 by default now; that's a positive sign as well.

The more effort you have to put in to use them to send mail, the more likely spammers don't use them, and the more likely their ip space has a positive or at least non-negative reputation for sending mail.

19. thesuitonym ◴[25 Mar 25 15:51 UTC] No.43472755{3}[source]
Get a business-grade connection from your ISP. Make sure they give you a static IP from their business side, and check its reputation before you set up email. If it has a bad reputation, make the ISP give you a different one.
20. gus_massa ◴[25 Mar 25 16:30 UTC] No.43473163{7}[source]
I second the request. A few years ago we switched to Google Workplace, but it would be nice to know. I would like to forward it to the sysadmins just in case we go back to our own server.
21. bityard ◴[25 Mar 25 16:46 UTC] No.43473318[source]
If it's a new domain, then your problem isn't reputation exactly, it's having a newly-registered domain. Buying a new domain, setting up the SPF, DKIM, and MARC, and then immediately spamming from it until it's banned everywhere a week later is standard spammer MO.

I've been self-hosting mail for me and my family for about 20 years and don't send nearly enough mail to have a "reputation" with anybody. Still, I don't have any problems with deliverability of mail.

22. thayne ◴[25 Mar 25 17:21 UTC] No.43473673[source]
> you just have to have a regular, decently sized volume of non-spam emails

But if you have a regular decent size of emails coming from your domain, that is more likely to be spam than if you have a small number of intermittent emails coming from a domain.

23. vel0city ◴[25 Mar 25 19:12 UTC] No.43474725{6}[source]
This has almost always been the issue when working with clients on why our emails never appear. In the end they have some weird middleware that rewrites things and then the next level of the stack sees the middleware as the sender of the email for our domain which fails as it's not an approved sender by SPF and dkim signatures don't validate.

A fresh, plain setup on office 365 doesn't fail, but however their security department reconfigured things causes it to fail.

I've never been on the configuration side of M365 email like that, only basic cheap tier stuff and only briefly. I can't say what they're doing, but the same settings sending to practically any other email provider or even other 365 tenants works perfectly fine.

24. vel0city ◴[25 Mar 25 19:16 UTC] No.43474765{7}[source]
Not OP but I've also seen this. I think some of the servers in question were "outlook-protection" in their domain names. Some kind of managed service middleware in the stack to do additional scanning.
25. vel0city ◴[25 Mar 25 19:18 UTC] No.43474796[source]
As a tip, go to a VPS that's had a history of being very selective of allowing SMTP traffic but still allows after some kind of review. Cheap providers that never did any blocking probably have bad reputations for their entire address range.

I've been successfully using VPSes to send emails for 20 years.

26. pas ◴[25 Mar 25 23:56 UTC] No.43477378[source]
so my personal domain just needs to send newsletters to millions of people, or ... how exactly? what's decent size? how frequently?