0

I know this question has been asked and answered a couple of times, but I can't find any reference to my particular problem. I've set up Postfix and Dovecot on my Debian 7 VPS and I can send mail, but it shows up in my inbox at Gmail as spam. The domain I'm sending from runs a web app that uses an input "site contact" email address, and I've put one of my Gmail email addresses there. Now, when I send to my other Gmail account, it shows in spam, and the reasoning Google gives is that while the From field shows the "originating" email address as mine, it knows that it didn't in fact come from Gmail and thinks that there is spoofing going on.

From what I've read, I need to set up a specific SPF record in my DNS to validate my server to not show up as a spam sender. I've added a TXT record for @ with `v=spf1 a:fluidvector.com include:_spf.google.com ~all`, but my messages still go directly into the spam folder. Also, I've read that the Return-Path could be an issue. In my case, the Return-Path shows as the user account that Apache2 runs under. Do I need to change this to reflect my Gmail sender account?

I've run some SPF testing and the output claims the SPF is good:

```
SPF record lookup and validation for: fluidvector.com
SPF records are published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 a:fluidvector.com ~all

Checking to see if there is a valid SPF record.

Found v=spf1 record for fluidvector.com:
v=spf1 a:fluidvector.com include:_spf.google.com ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
```

(the above result was given right after I added the include:_spf.google.com portion to my SPF record)

How can I keep messages sent from my server using a Gmail account from showing up as spam in another Gmail account? Is there possibly something wrong with my Postfix configuration?

Here is the raw email that gets put into the spam folder:

```
Delivered-To: chaoskreator@gmail.com
Received: by 10.70.48.208 with SMTP id o16csp66094pdn;
        Thu, 10 Jul 2014 13:25:21 -0700 (PDT)
X-Received: by 10.224.135.2 with SMTP id l2mr86728784qat.37.1405023921164;
        Thu, 10 Jul 2014 13:25:21 -0700 (PDT)
Return-Path: <www-data@fluidvector.com>
Received: from fluidvector.com ([23.88.121.82])
        by mx.google.com with ESMTPS id h39si273921qgd.93.2014.07.10.13.25.20
        for <chaoskreator@gmail.com>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 10 Jul 2014 13:25:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of www-data@fluidvector.com designates 23.88.121.82 as permitted sender) client-ip=23.88.121.82;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of www-data@fluidvector.com designates 23.88.121.82 as permitted sender) smtp.mail=www-data@fluidvector.com;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
Received: from localhost (localhost.localdomain [127.0.0.1])
    by fluidvector.com (Postfix) with ESMTP id F0AF8914009F
    for <chaoskreator@gmail.com>; Thu, 10 Jul 2014 20:25:18 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from fluidvector.com ([127.0.0.1])
    by localhost (fluidvector.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id VUT1YtvYAYKz for <chaoskreator@gmail.com>;
    Thu, 10 Jul 2014 20:25:14 +0000 (UTC)
Received: by fluidvector.com (Postfix, from userid 33)
    id EA69B91400A2; Thu, 10 Jul 2014 20:25:13 +0000 (UTC)
To: =?UTF-8?B?dGVzdA==?= <chaoskreator@gmail.com>
Subject: =?UTF-8?B?V2VsY29tZSB0byAiQmVhbnNXb3J0aHki?=
X-PHP-Originating-Script: 1000:messenger.php
From: <jason.allen.oneal@gmail.com>
Reply-To: <jason.allen.oneal@gmail.com>
Sender: <jason.allen.oneal@gmail.com>
MIME-Version: 1.0
Message-ID: <44ae76f351c743f8c5ab96b753483dad@beansworthy.fluidvector.com>
Date: Thu, 10 Jul 2014 16:25:13 -0400
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: phPULP
X-MimeOLE: phPULP
X-phPULP-Origin: phpulp://beansworthy.fluidvector.com
X-AntiAbuse: Site servername - =?UTF-8?B?YmVhbnN3b3J0aHkuZmx1aWR2ZWN0b3IuY29t?=
X-AntiAbuse: User_id - 1
X-AntiAbuse: Username - =?UTF-8?B?QW5vbnltb3Vz?=
X-AntiAbuse: User IP - 97.82.234.169
```

I should also add that ultimately I'm going to try and set up Postfix to use all 5 of the domains I host to send mail. Does this mean that I need to set individual "sender" addresses for each domain to avoid being marked as a spammer?

Any light that anyone could shed on this would be greatly appreciated.

-EDIT-: I also notice that the mail seems to be bounced around on my server a couple of times before it's delivered. Is this normal?

chaoskreator
  • I see `dmarc=fail` so setting up your DMARC records should help. It will also let you get summary reports from the mailbox provider on spam counts etc. if you should want them. Basically DMARC is a combination of SPF and DKIM (DomainKeys Identified Mail). – Brian Jul 10 '14 at 21:03

2 Answers

3

You cannot authorize some domain to send mail from gmail addresses, only Google can do that. If everyone could authorize their own server to send some other domain's email, then SPF would serve no purpose. Spammers would just authorize themselves. You need to use a source email address whose credentials you control.

David Schwartz
2

I see several issues:

  • PTR record returns shoplucro2.smtpilimitado.info which does not look up to 23.88.121.82. It should likely return mail.fluidvector.com. This is a strong indication of Spam.
  • Envelope address and From: address don't match. If you aren't resending email, they should match. If you don't want auto-replies (as I would expect for a website) consider using an address like "noreply@fluidvector.com". You can use a Reply-To: header if you want people to be able to reply.
  • From the received headers, it looks like you are virus filtering the outgoing email. While this is a good idea, you are re-injecting the filtered mail, rather than bouncing it before accepting it. This can result in back-scatter Spam.
  • Reply-To: and Sender: headers both have the same data as the From: address. While I haven't verified these indicate Spam, they are intended to be used when the From: address does not specify the sender or reply-to address. I would expect your use to indicate Spam.

Your SPF policy is extremely open, so anyone is allowed to send for your domain. (This will happen anyway because you include the Google policy.)

Other than the above issues, I would not expect your use of a Gmail address in the From: header to cause your email to be classified as Spam. The published Gmail SPF policy would allow this use.

It is likely you will need to get your IP address provider to update your PTR record.

EDIT: The Sender: field is intended for cases where someone (an assistant) is sending email on behalf of someone else (the From: address). In this case the Sender: and envelope addresses should be the same and the From: address different.

The Reply-To: field is intended for cases where replies should go to a different address than the From: address sending the email. There may be rare cases where it is appropriate to use all three fields with different values for each.

Either the Sender: or Reply-To: semantics apply for many web-sites, but in most cases the code is the message author, so it should be the From: address.

Sites that allow users to send other links or other information would then put the originating user's address in the Reply-To: address. Responses to such email are likely not of interest to the site, so use a noreply address which is sent to the bit bucket. You may want to track noreply volumes and reasons. You should have active abuse and postmaster addresses so you can be notified of abuse and configuration issues.

BillThor
  • I did notice that reverse DNS lookups on my IP were returning `smtpilimatado.info` and have opened a ticket with my VPS provider. Can you explain the "envelope address"? I thought that the `From:` and the `Sender:` fields were supposedly the envelope and from fields. Can you also explain how to avoid re-injecting the scanned email? Also, if I remove the `Sender:` field and rely on something like `noreply@fluidvector.com` for the `Reply-To:` wouldn't that send up a spam flag? – chaoskreator Jul 11 '14 at 00:44
  • @chaoskreator I've updated with notes on the header fields. You may want to review the RFCs particularly http://tools.ietf.org/html/rfc5322#section-3.6.2 – BillThor Jul 11 '14 at 12:05
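
The envelope-versus-From: distinction raised in both answers can be checked directly against the headers quoted in the question. The following is an added example, not code from the thread: it reads the `Authentication-Results` header, takes the domain SPF actually authenticated (the envelope sender) and compares it with the `From:` domain, which is the comparison behind the `dmarc=fail` result. The function names are hypothetical, and `org_domain` is a simplification (last two labels) where a real DMARC evaluator would use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers excerpted from the message quoted in the question; body is constructed.
RAW = """\
Return-Path: <www-data@fluidvector.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of www-data@fluidvector.com designates 23.88.121.82 as permitted sender) smtp.mail=www-data@fluidvector.com;
       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
From: <jason.allen.oneal@gmail.com>
Subject: constructed test

constructed body
"""

def addr_domain(value):
    """Domain part of an address such as '<user@example.org>'."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real DMARC evaluators use the Public Suffix List here.
    return ".".join(domain.rstrip(".").split(".")[-2:])

def spf_alignment(raw, strict=False):
    """Report whether the SPF-authenticated domain aligns with the From: domain."""
    msg = message_from_string(raw)
    # Unfold the header so the regexes see a single line.
    auth = " ".join(msg.get("Authentication-Results", "").split())
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"\bsmtp\.mail(?:from)?=([^\s;]+)", auth)
    # SPF checks the envelope sender (Return-Path), never the From: header.
    envelope = addr_domain(mailfrom.group(1) if mailfrom else msg.get("Return-Path", ""))
    header_from = addr_domain(msg.get("From", ""))
    norm = (lambda d: d) if strict else org_domain
    aligned = bool(envelope) and norm(envelope) == norm(header_from)
    result = spf.group(1).lower() if spf else "none"
    return {
        "spf": result,
        "envelope_domain": envelope,
        "from_domain": header_from,
        "aligned": aligned,
        # DMARC counts SPF only when it passed for a domain aligned with From:.
        "dmarc_spf_pass": result == "pass" and aligned,
    }

if __name__ == "__main__":
    print(spf_alignment(RAW))
```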