Note: this is the second post in a series on email delivery.
So you’ve just set up your own email server and you’re ready to send your first message. You type in your address, click “Send,” and wait. And wait. Chances are, the message will end up in your spam folder, if it shows up at all.
There are a few existing protocols that will greatly improve your chances of getting into the inbox. They are, in increasing order of complexity:
- Reverse DNS
- SPF / Sender ID
- DomainKeys / DKIM
The easiest way you can improve your deliverability is to make sure that a reverse DNS lookup on your mail server returns the server’s hostname. Usually you have to ask your ISP to set this up.
Let’s look at a Digg mailserver for an example. From a UNIX prompt, you can type
dig mail.digg.comto get this result (or something like it):
mail.digg.com. 1139 IN A 220.127.116.11
Now, if you check the reverse DNS record for that IP address with
dig -x 18.104.22.168, you’ll see that the reverse DNS matches up:
22.214.171.124.in-addr.arpa. 3572 IN PTR mail.digg.com.
Reverse DNS is required for good delivery. Without it, ISPs may reject the message. Hotmail might accept the mail but not deliver it (it just vanishes), or just throw your mail into the spam folder.
SPF / Sender ID
Sender Policy Framework is a simple protocol for specifying which servers are allowed to send mail for a particular domain. All you have to do is set up a TXT DNS record according to a simple format.
Let’s look at Reddit as an example. A quick
dig reddit.com txt will pull up their TXT:
reddit.com. 212 IN TXT "v=spf1 mx ip4:126.96.36.199 mx:mail.reddit.com ~all"
Tearing the SPF record apart, we get:
v=spf1identifies an SPF specification
mxallows the mail servers for reddit.com to send mail (those listed in its MX records)
ip4:188.8.131.52authorizes a single IP to send mail
mx:mail.reddit.comallows any MX servers for mail.reddit.com to send mail as well
~allspecifies that any machines/addresses NOT listed here are not authorized to send mail. The
~indicates a “transitional mode” – once you’re done testing your record, use a dash (
The specification is here, and this tool will help you set up your own record. If you’re sending invites or user-generated mail, check out this OpenSPF best practices page for information on how to make your invitation show up as “From:” a particular user, but ensure that any bounces come back to your mailserver.
A quick note on terminology: Microsoft has a technology that they call Sender ID, which performs the same function as Sender ID but with a slightly different format. For most practical purposes, a valid SPF record is a valid Sender ID record, and when a Microsoft service talks about Sender ID, just read it as SPF. For the curious, the Wikipedia article on Sender ID has more details.
DomainKeys and DKIM
Both DomainKeys and DKIM (DomainKeys Identified Mail) are DNS-based protocols for email authentication using a public key specified in your DNS record. Before sending a message, your mailserver “signs” the email and puts the result in a header on the message. Any recipient can verify that the message originated from your servers by checking the public key against the signature header.
DomainKeys is an older standard created by Yahoo!, which is now being replaced by the DKIM standard. Because they are different standards, and different ISPs only support one or the other, you’ll need to set up both DomainKeys and DKIM signing.
Yahoo! and GMail both give a valid signature high importance in determining whether or not a message is spam, and usually tell the user that a message is authenticated. For example, GMail shows a “signed-by” field:
Let’s take a peek at a record in the wild. Twitter’s DKIM public key can be found by running
dig default._domainkey.twitter.com txt, which returns:
default._domainkey.twitter.com. 600 IN TXT "g=\;" "k=rsa\;" "t=y\;" "p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAN+FNJESkUBl+vuJDPsL3RSgYI9Qzlq43+l7Q72pRZRDprrhZTXIi7NdSqy+f9hn" "pet1pKMYMYnCxgmaS3qhUXMCAwEAAQ=="
The longest section of this record is the key itself, after the
p=. Some registrars don’t let you store TXT records this long, and if you get an error setting up your public key, you might have to switch to a new DNS provider. You can learn about the other fields from the DKIM Spec.
If you’re using Postfix, DKIMProxy does both DomainKeys and DKIM well, and there are decent step-by-step instructions its homepage. You can also check out the SourceForge DomainKeys page to find software for different MTAs as well as testing tools.
Reverse DNS, SPF, and DKIM should definitely help your deliverability rates – if you weren’t getting through at all, you should at least be hitting the Spam folder now. However, there’s more work ahead. Most ISPs have programs that help senders improve deliverability, and I’ll talk about them in my next post.