Email from Site Still Going to Gmail spam even with DKIM and header say that SPF has passed.

Question

Hello,

I have my site set up to send users email when they do certain things (sign up for an account or ask to reset their password, etc). I noticed that those email were going to spam on server email address I tried. I used this article: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy#add-the-public-key-to-the-domain’s-dns-records, to set up DKIM to try and fix this issue. Though, even after setting this up, when I try to send to a Gmail address the mail is still sent to spam.

One thing I have noticed though is that the headers say that Google is seeing the message as having passed the spf and dkim check that is done on incoming emails.

Here is what the headers look like:

Mime-Version: 1.0
Message-Id: <20170901015114.04D72FFE51@devplateau.com>
Content-Type: text/html;charset=iso-8859-1
Received-Spf: pass (google.com: best guess record for domain of www-data@mail.devplateau.com designates 107.170.5.223 as permitted sender) client-ip=107.170.5.223;

Can anyone help me figure out why these mails are still being sent to spam? If you need more information, feel free to ask me for it.

Answer 1

Aprexer September 1, 2017

Try using https://www.mail-tester.com/ and use the content that you’d usually send.
Another thing google doesn’t like is unsecured mail so make sure you’re using TLS and if you can use S/MIME also.
https://support.google.com/mail/answer/6330403?visit_id=1-636398499938248425-4159623148&p=tls&hl=en&rd=1

Reply Report

Answer 2

linxsolaire September 1, 2017

@Aprexer Thank you for the links! I have tested out the mail-tester and one thing I see is this

The DKIM signature of your message is:

    v=1;
    a=rsa-sha256;
    c=relaxed/relaxed;
    d=devplateau.com;
    s=dkim;
    t=1504280635;
    h=from:subject:date:message-id:to:mime-version:content-type:references;
    bh=GT315uW3HPyltLAAp/TLyFINyvKGP3ZMVXsBDWiZPFM=;
    b=AeZ4Kdd++LOof2eKIJPQeuwk5hUrBsYOEUk7PYMPpxCsfPsQa+mMLcTiWhjs05i7z9TgKopDdtdkwPtyvTINQfqlrZd0h34NVvOrQ2Ysm0w0yDgpUrUTObyKRScb9ljKC88Zhfm/IHfpQN7suw43QilJrCtu0tyvUHnW9NIqfTDgrOGmU96pgwNiyNifykFl5IAk5AS8OxS6r2oXJg5mDmAvqZreZHnvvwVOBqXkUhBcuW21fYP3xW0NLsNrgI3WAQhCfKD8mfbSpM+AUN1qakA9MPQj5eEL8S1VTxqND5iXO+RTQ/ga7SH0r2pLB29bpjf4JU9pA0Ti1pba/QaDyw==
Your public key is:

"v=DKIM1;
k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWTNxJgA6/OFjDRslE4kAsHOjp2V6aEfl4Sfc2BuwGhx/A/NVym10b6rdGsyCVAvWnYA0IdyuKOU8M9Nb8Am6qN7JnfO1YzVG/KqCKdbsg00Ew/fU7HlQ6mvDLz8pxiCGWE8Xya/HVz55vcLYF8Me3UcnhR4dLWZ5KWIQJUO6vgQIDAQAB"
Key length: 1024bits

Your DKIM signature is not valid

I am confused as to why it does not believe the DKIM signature is valid. Is it because I have somehow set up DKIM wrong?

Another thing google doesn’t like is unsecured mail so make sure you’re using TLS and if you can use S/MIME also.

I see now that when I send html messages, they are not sending with TLS. I am using Let’s Encrypt to give my domain https access. Would I be able to change the postfix settings to be able to use this certificate as well, or is there something that actually needs to go in the header of the email to make gmail see it as encrypted?

Reply Report

Aprexer September 1, 2017

I’m no DKIM expert but I have encountered that long dkim cannot fit all into one dns record, it depends on the DNS Service you’re with for example CloudFlare have a tutorial how to do it with their setups.
What I’ve done with my mail server is cp the cert and priv key to the dovecot folder and it has access through there to the cert and key.
I assume that you’re using non ssl ports currently if you don’t already have this all setup.
SSL ports for SMTP are 465, IMAP 993, POP3 995
Reply Report
- linxsolaire September 4, 2017
  
  I am using DigitalOcean for DNS.
  
  I will try copying the cert to my dovecot folder.
  
  I guess I am using the non ssl ports. I have them open on my mail server. I also need to open them on the server for my website?
  
  Reply Report
  
  Aprexer September 4, 2017
  
  Well, the website has nothing to do with your mail server so that’s up to you whether you want SSL on your website.
  
  Reply Report
  
  linxsolaire September 5, 2017
  
  Thank you for letting me know that. I have the ssl ports for smtp and imap open on my mail server.
  
  I guess I just need to figure out if the software I am using to host my mail on that server (mailcow) is actually sending through those ssl ports.
  
  Also, let me ask and I don’t know if you would know, mailcow allowed me to add a dkim key to my domain through them. Can I just copy that dkim key to digital ocean or is the way that I followed through the tutorial I posted before the best way?
  
  Reply Report
  
  linxsolaire September 6, 2017
  
  Please ignore this last message. I found out I was doing this whole thing the wrong way.
  
  When I just send the email from my website (signing up for an account with the email that mail-tester gives me, I get a better score that recognizes my dkim and stuff.
  
  Though the thing that confuses me is that is in one section is says that SpamAssassin thinks my emails are not dkim signed but then in the other section mail-tester shows that my dkim signature is valid.
  
  Reply Report

Answer 3

Aprexer September 1, 2017

I’m no DKIM expert but I have encountered that long dkim cannot fit all into one dns record, it depends on the DNS Service you’re with for example CloudFlare have a tutorial how to do it with their setups.
What I’ve done with my mail server is cp the cert and priv key to the dovecot folder and it has access through there to the cert and key.
I assume that you’re using non ssl ports currently if you don’t already have this all setup.
SSL ports for SMTP are 465, IMAP 993, POP3 995
Reply Report
- linxsolaire September 4, 2017
  
  I am using DigitalOcean for DNS.
  
  I will try copying the cert to my dovecot folder.
  
  I guess I am using the non ssl ports. I have them open on my mail server. I also need to open them on the server for my website?
  
  Reply Report
  
  Aprexer September 4, 2017
  
  Well, the website has nothing to do with your mail server so that’s up to you whether you want SSL on your website.
  
  Reply Report
  
  linxsolaire September 5, 2017
  
  Thank you for letting me know that. I have the ssl ports for smtp and imap open on my mail server.
  
  I guess I just need to figure out if the software I am using to host my mail on that server (mailcow) is actually sending through those ssl ports.
  
  Also, let me ask and I don’t know if you would know, mailcow allowed me to add a dkim key to my domain through them. Can I just copy that dkim key to digital ocean or is the way that I followed through the tutorial I posted before the best way?
  
  Reply Report
  
  linxsolaire September 6, 2017
  
  Please ignore this last message. I found out I was doing this whole thing the wrong way.
  
  When I just send the email from my website (signing up for an account with the email that mail-tester gives me, I get a better score that recognizes my dkim and stuff.
  
  Though the thing that confuses me is that is in one section is says that SpamAssassin thinks my emails are not dkim signed but then in the other section mail-tester shows that my dkim signature is valid.
  
  Reply Report

Related

Question

Email from Site Still Going to Gmail spam even with DKIM and header say that SPF has passed.

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Email from Site Still Going to Gmail spam even with DKIM and header say that SPF has passed.

Related

Leave a comment

Related

question

Ubuntu mail server using ISPConfig 3 setup errors

question

Should sending email via sendmail result in a long wait?

question

How to route mail (Dovecot, Postfix setup ) to Office 365 - same domain

question

I receive emails, but I can't send

Looking for something else?