Email from Site Still Going to Gmail spam even with DKIM and header say that SPF has passed.

Posted September 1, 2017 17.8k views


I have my site set up to send users email when they do certain things (sign up for an account or ask to reset their password, etc). I noticed that those email were going to spam on server email address I tried. I used this article:’s-dns-records, to set up DKIM to try and fix this issue. Though, even after setting this up, when I try to send to a Gmail address the mail is still sent to spam.

One thing I have noticed though is that the headers say that Google is seeing the message as having passed the spf and dkim check that is done on incoming emails.

Here is what the headers look like:

Arc-Seal: i=1; a=rsa-sha256; t=1504230674; cv=none;; s=arc-20160816; b=V5HeLxDwcsnKpAgYxZNb2y327zUFXqBVlOJVwUucE0p0ciiofBh8f4lzTRvXmRikEH RWp8pQN5c23PNbn9wpH2+URXZ3AztH//rWZimk9ZEdwtXIl2Xmee1bxlFtdwbQgmkGFa 7BlDnm6VsPfWSC+Q6ZQHttmQJkeAypv5Dl78EjoAvtRJHgKzTknUGJ2WDyqRtTO762/v nnu+szBELhFbjeT42O2GkGQNHL/Tf9lLrQb/9iE62p0bhS8OpLXuavf0ouwsANek+gPy Cje+UXLclo3qgyjLBcOkBdQRBdFaznbquQVKHmPgVgvg1JmmLjtdcCbt5UJU276G3hT6 ebUw==
X-Received: by with SMTP id q25mr624414qtj.260.1504230674918; Thu, 31 Aug 2017 18:51:14 -0700 (PDT)
Return-Path: <>
Arc-Authentication-Results: i=1;; dkim=pass header.s=mail header.b=j/7ZTIv3; spf=pass ( best guess record for domain of designates as permitted sender)
X-Google-Smtp-Source: ADKCNb6Ay63iEYeS0Yo3Uiqm9SaoCqBuBUF/B5Ie5XGGh+Tzbc2etrVP2frHDn6CX6prRYLZ2fps
Mime-Version: 1.0
Authentication-Results:; dkim=pass header.s=mail header.b=j/7ZTIv3; spf=pass ( best guess record for domain of designates as permitted sender)
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arc-20160816; h=date:message-id:mime-version:from:subject:to:dkim-signature :arc-authentication-results; bh=JG82wtXzhMJs79kwMbUAuICXbiXMjog4LfHm+AQTwLA=; b=QS47WSXmI9bc3H0B6TISGEoNyZiGOr5ACYhVkcI1paR29dr8XCG+cTgXkqMMzGx8Hj pudsbaV5xQy+IerEBT86E95mjmD4Ig/S44dInQ2AmpeixHF8VKdrpaSTYb+5XsrVNPC2 iWnMOjok7jhQE/BK9SDcIECnmC6+lF3wibW34OjFj/s17/3L1KePDV7+FRRFXAynEYbx PJ1ivsAuITPGAE7wiHc3pvdNfS4JEJLvz6NHc4yLzeVH5NF0yl0pY8wZyCrr6sKh6D/j 79OL04jP1gjuMmMgJn7rC5Yd7Yx+LftzENribPsy0K2ae+oodbj45yG1c5IKr8WiAByx 6Dog==
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=mail; t=1504230674; bh=JG82wtXzhMJs79kwMbUAuICXbiXMjog4LfHm+AQTwLA=; h=To:Subject:From:Date:From; b=j/7ZTIv33UfTIL7NGhFzd2yT5RZJL/0ngNhWI/vWZpK/vwP84/xNB/DOU3MscFetQ UvpSycvqsDMMK1iL75pPObU2Tt8BnRjlYM+6Sjk/4hia6vFfKc7A5Jj8HM+Ww3n6z3 u0NLsKlgWuuZAFSVXoiDfUhc29ohnjq77rIXI6Pk=
Message-Id: <>
Content-Type: text/html;charset=iso-8859-1
Received-Spf: pass ( best guess record for domain of designates as permitted sender) client-ip=;

Can anyone help me figure out why these mails are still being sent to spam? If you need more information, feel free to ask me for it.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers

Try using and use the content that you’d usually send.
Another thing google doesn’t like is unsecured mail so make sure you’re using TLS and if you can use S/MIME also.

@Aprexer Thank you for the links! I have tested out the mail-tester and one thing I see is this

The DKIM signature of your message is:

Your public key is:

Key length: 1024bits

Your DKIM signature is not valid

I am confused as to why it does not believe the DKIM signature is valid. Is it because I have somehow set up DKIM wrong?

Another thing google doesn’t like is unsecured mail so make sure you’re using TLS and if you can use S/MIME also.

I see now that when I send html messages, they are not sending with TLS. I am using Let’s Encrypt to give my domain https access. Would I be able to change the postfix settings to be able to use this certificate as well, or is there something that actually needs to go in the header of the email to make gmail see it as encrypted?

  • I’m no DKIM expert but I have encountered that long dkim cannot fit all into one dns record, it depends on the DNS Service you’re with for example CloudFlare have a tutorial how to do it with their setups.
    What I’ve done with my mail server is cp the cert and priv key to the dovecot folder and it has access through there to the cert and key.
    I assume that you’re using non ssl ports currently if you don’t already have this all setup.
    SSL ports for SMTP are 465, IMAP 993, POP3 995

    • I am using DigitalOcean for DNS.

      I will try copying the cert to my dovecot folder.

      I guess I am using the non ssl ports. I have them open on my mail server. I also need to open them on the server for my website?

      • Well, the website has nothing to do with your mail server so that’s up to you whether you want SSL on your website.

        • Thank you for letting me know that. I have the ssl ports for smtp and imap open on my mail server.

          I guess I just need to figure out if the software I am using to host my mail on that server (mailcow) is actually sending through those ssl ports.

          Also, let me ask and I don’t know if you would know, mailcow allowed me to add a dkim key to my domain through them. Can I just copy that dkim key to digital ocean or is the way that I followed through the tutorial I posted before the best way?

          • Please ignore this last message. I found out I was doing this whole thing the wrong way.

            When I just send the email from my website (signing up for an account with the email that mail-tester gives me, I get a better score that recognizes my dkim and stuff.

            Though the thing that confuses me is that is in one section is says that SpamAssassin thinks my emails are not dkim signed but then in the other section mail-tester shows that my dkim signature is valid.