0

I have a messaging system on my app where users can send messages directly to other users straight from my domain (not going through Mailchimp's Mandrill templates or Google Apps). I also have cron jobs that send users' statistics to about 5,300 users every week. Again, the script sends messages straight from my domain.

Most e-mails are going to users' spam box, which I need to fix as soon as possible. I recently found an app that tests e-mail deliverability and gives scores based on how well configured your email server is (among other things). This is the URL: https://www.mail-tester.com. I was able to fix several things and my score went up from -0.2/10 to 7.7/10. However, although the tester says my e-mail is "good stuff", I know hundreds of emails are either not being delivered (returned because sender is not trusted) or going straight into the spam box.

The last thing I need to fix to have an almost perfect score is to add a DKIM signature to the emails. Hopefully that will increase deliverability rates. This is the message the email tester gives me about DKIM: "Your message is not signed with DKIM. DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message."

I did try to work this issue out with my server (BlueHost) but they were not able to help me (they helped me with other issues though).

Additionally, I used Microsoft's mxtoolbox (http://mxtoolbox.com/) to test my email and the result of tests says a DMARC is missing or invalid.

Does anybody know how to add a DKIM signature and DMARC to emails that come from the domain itself? Are there command lines that I can use to do that?

Thank you!

P.S. App is written in PHP

  • Are you sending directly from php, or are you submitting messages to the local MTA (postfix or exim, for example)? Easiest is via the local MTA as then you don't have to invent the DKIM wheel again (there are HOWTOs for those MTAs). – wurtel Oct 20 '15 at 13:49
  • @wurtel sending directly from php. Do you recommend any source that guides how to send messages via MTA? – Gabriel Ferraz Oct 20 '15 at 14:18
  • Just use the `mail()` function in PHP, described at http://php.net/manual/en/function.mail.php . That should be enough to submit email messages via the local MTA. Then follow the answers below or use google to find out how to configure DKIM etc. – wurtel Oct 21 '15 at 06:56
  • @wurtel I am already using the PHP mail() function and I have DKIM registered in my DNS zone. DKIM is registered under "default._domainkey" (I can ssh into the server and see the full DKIM register). I would think that DKIM should work for my e-mails but apparently it is not. I also implemented Google Apps but the cron jobs are not sent via Google Apps. Blue Host told me that emails sent from the site go out straight through their mail servers. So, I am not sure what to do. – Gabriel Ferraz Oct 21 '15 at 12:10
  • DKIM needs to be enabled in your MTA, it doesn't magically start to work if you've added it to the DNS; you also need to give your MTA the secret key so that the DKIM signature can be generated. What is "the full DKIM register"? – wurtel Oct 21 '15 at 13:41
  • @wurtel I changed the sendmail_path in the php.ini to force emails to be sent from contact@mydomain.com instead of user@server.mydomain.com (this was the sender email) and my emails now have a DKIM signature! – Gabriel Ferraz Oct 21 '15 at 17:10
  • nice one :) I wish more people would make sure their SMTP envelope sender is a valid one. – wurtel Oct 22 '15 at 12:14
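
The header check discussed in the comments above, as an added example that is not part of the original thread: it reads a raw message, reports whether a `DKIM-Signature` header is present, derives the DNS name where the matching public key must be published, and compares the signing and envelope-sender domains with the `From:` domain. The sample messages are constructed, `example.com` and `example.net` are placeholders, and the alignment test is a simplification of DMARC relaxed alignment.

```python
import email
from email.utils import parseaddr

# Constructed sample messages; example.com / example.net are placeholders.
UNSIGNED = """\
Return-Path: <user@server.example.com>
From: Site <contact@example.com>
To: someone@example.net
Subject: Weekly statistics

Hello
"""
SIGNED = """\
Return-Path: <contact@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default;
 h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED
From: Site <contact@example.com>
To: someone@example.net
Subject: Weekly statistics

Hello
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def domain_of(header):
    """Domain part of the address in a From: or Return-Path: header."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def aligned(a, b):
    # Assumption: equal or parent/child domains count as aligned. Real relaxed
    # alignment compares organizational domains via the Public Suffix List.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check(raw):
    msg = email.message_from_string(raw)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    report = {"from": from_dom, "envelope": env_dom, "signed": False,
              "dns_name": None, "dkim_aligned": False,
              "envelope_aligned": aligned(env_dom, from_dom)}
    sig = msg["DKIM-Signature"]  # only the first signature is inspected
    if sig:
        t = dkim_tags(sig)
        report.update(signed=True,
                      dns_name=f"{t.get('s')}._domainkey.{t.get('d')}",
                      dkim_aligned=aligned(t.get("d", "").lower(), from_dom))
    return report
```

Run `check()` on the raw source of a delivered test message; a DNS record under `default._domainkey` only helps once `signed` is true and `dns_name` points at that record.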

3 Answers

2

You will never recover from the poor abusive reputation from Blue Host. I would highly recommend using a smart host like Mandrill app to manage your emails; they will do the DKIM and SPF signatures, handle abuse and ensure deliverability. All you need to worry about is content. Reputation is more than just good emails moving forward; it's also history and volume.

Sendgrid is also a good second.

To answer: DMARC is easy, https://dmarc.postmarkapp.com/. You'll wait about a week for reports; send a ton of email to AOL, Yahoo, Gmail if you want to ensure you get DMARC reports (it's up to the receiver to implement DMARC).

For DKIM, you need to match your private key (the information in opendkim used to sign) and the public key (your DNS record).

I found this guide excellent for

Also this may solve your DKIM signing issue, configure-postfix-to-dkim-sign-emails-generated-from-the-system

Jacob Evans
  • I already have SPF and DKIM registered in my DNS zone. DKIM is registered under "default._domainkey" (I can ssh into the server and see the full DKIM register). I would think that DKIM should work for my cron jobs and messaging system but apparently it is not. I also implemented Google Apps but the cron jobs are not sent via Google Apps. Blue Host told me that emails sent from the site go out straight through their mail servers. So, I am not sure what to do. Thanks for the tutorials! – Gabriel Ferraz Oct 21 '15 at 12:12
  • cron jobs may not be handled by the postfix system properly, have you tried piping the information via mailx? Have you installed postfix? – Jacob Evans Oct 21 '15 at 12:18
0

DKIM must be added to the DNS records for your domain. I'd also suggest adding SPF records (also added via DNS). You can probably Google or search the knowledge base for your host on how to do that. If you aren't using Bind or some other DNS server on that CentOS box to handle your DNS then you may need to add them via your registrar.

Also worth mentioning is if you're sending out that kind of volume through one IP address without rate limiting and resends then it's possible the specific ISP you're sending to is briefly blocking the connections.

If you have the time you might consider setting up your own Bind DNS server and gluing it with your registrar so you're in full control of the records. Then purchasing additional IP addresses for your host and using IPTables / postfix to rotate mail between them (http://www.host1plus.com/tutorials/operating-systems/linux/how-to-setup-ip-rotations-for-emails-on-linux).

Lastly, you could use a third party like Google Apps for Work or Mailchimp and connect via PHP by doing something like this: http://www.beginninglinux.com/home/php/send-plain-text-e-mail-from-php-using-gmail-secure-smtp-server

Murdok
  • I already have SPF and DKIM registered in my DNS zone. DKIM is registered under "default._domainkey" (I can ssh into the server and see the full DKIM register). I would think that DKIM should work for my cron jobs and messaging system but apparently it is not. I also implemented Google Apps but the cron jobs are not sent via Google Apps. Blue Host told me that emails sent from the site go out straight through their mail servers. So, I am not sure what to do. Thanks for the tutorials! – Gabriel Ferraz Oct 21 '15 at 12:10
  • Where are you looking to see if DKIM is being used? In the headers from a test e-mail sent from your server? For SPF you have to have all the IPs added in the string like "v=spf1 mx ip4:x.x.x.x ip4:x.x.x.x/32 include:_spf.google.com". Are the cron and messaging e-mails coming from root@ip.address.goes.here or from your hostname (e.g. gabriel@ferraz.com)? Are you using Postfix/Exim/Sendmail for the cron e-mails? – Murdok Oct 21 '15 at 12:51
  • SPF is working just fine. The problem is just DKIM. I just disabled and re-enabled it on my admin dashboard to see if it will work. The emails are coming from user@server.zapmusico.com.br. I didn't configure either of Postfix/Exim/Sendmail for the cron jobs. – Gabriel Ferraz Oct 21 '15 at 12:57
-2

You must configure the following DNS records in your DNS zone: SPF, DKIM, DMARC. But this is not enough; you have to configure the MTA. I think you need to use an MTA (postfix for example) and not the PHP script. That's if you have the opportunity to access the server configuration.

Some tutorials:

https://help.ubuntu.com/community/Postfix/SPF

https://help.ubuntu.com/community/Postfix/DKIM

LilloX
  • http://blog.hamzahkhan.com/2014/02/08/securing-postfix-mail-server-greylisting-spf-dkim-dmarc-tls/ may be useful to subscribe here: https://postmaster.live.com/snds/index.aspx – LilloX Oct 20 '15 at 16:12