DEV Community

Ryan Palo
Ryan Palo

Posted on

Fixing a DNS Issue that Makes Your Emails Look Like Spam

This happened to me today, and I wanted to share it in case anybody else ran into the same problem.

Our domain name, email, and website hosting is done through Godaddy. It's reasonably cheap, and it works, so we leave it alone. And then late last year, I redid our website as a static site since I was spending an inordinate amount of time keeping Wordpress plugins updated and we weren't using the Wordpress site for anything more than rendering static pages anyway. Most of the design was done by another lady at our company, and I implemented it and came up with a few ideas. You can see it here. It's not earth-shattering, but I feel like I did a pretty reasonable job for someone who's much more comfortable on a command line than on the front end.

Anyways.

Once we achieved static site goodness, I put Cloudflare CDN in front of it to speed things up even more and to capitalize on the free SSL cert. In order to do this, I had to re-route the DNS so that the DNS came through Cloudflare before it hit our Godaddy server. Both sides of this have pretty great documentation, so it was a pretty easy switchover (which is surprising because DNS is hard).

Cloudflare picked up the DNS traffic it needed and forwarded the rest that it didn't, including email.

And, mysteriously, many of my emails started going into people's junk folders.

The Problem: SPF

SPF stands for Sender Policy Framework. It's a way for owners of domains to specify which servers are allowed to send emails for that domain. This is to help prevent somebody from spoofing, pretending to be from your domain. If the server that sends your email isn't approved by your DNS server, people's spam filters will get cranky. Once Cloudflare was driving my DNS, but my email was being sent from *.secureserver.net (Godaddy's webmail servers), the problem started popping up.

The Solution: Add an Extra DNS Record

I noticed that there's an actual SPF record available on Cloudflare, so there may be an even better way to solve this, but all of the guides I could find said to create a TXT record for my domain with the value:

v=spf1 a mx include:secureserver.net ~all
Enter fullscreen mode Exit fullscreen mode

As far as I can tell, this should tell everyone that, even though DNS is happening through Cloudflare, they should accept emails sent from a secureserver.net server. I'm not sure if this will fix things, but I think it should help.

Bonus Shoutout: Mail-Tester

The thing that helped me diagnose the issue so quickly (and also provide a ton of knowledge I didn't know before about DNS stuff) is a site called mail-tester.com. You send them an e-mail and they look at all your headers and let you know what a spam filter would flag.

Anyways, hope this helps somebody else. If you know more than me and have a better way of fixing this, let me know! DNS is something that seems like one of those things that is intimidating at first but not that bad once you internalize the rules a little bit. I'm still stuck in the intimidating phase, but we'll get through it!

Edit 5/17/19: “SPF” was “SFP,” three places. Thanks Paul!

Top comments (6)

Collapse
 
nikayoda profile image
Nika Revazishvili

E-Mail services today are very smart and they score every incoming email, each piece of data is some kind of score, let's say SPF... if you are not using SPF loses score, then it jumps to other records, like content types, if email has missing plain-text or HTML, it also loses some points as if email contains both content types it has higher score, so...

  1. MX Records: SPF is necessary, but you missed other records. In case, if you forgot MX records, you are not in the same trouble as when you have SPF missing, But it also has some sort of points, why? because whenever an email is received, the email service provider will always try to find MX records, then contact the mail server and see if the sender address is valid and the server has SMTP user with the same name.
  2. DKIM: DKIM very important, more important than you think, because it is a kinda signature, if signature(DKIM) is correct, then it also means that email sender was 100% authorized on server.
  3. DMARC: It is not as necessary as other records above, but if you have it, it's more points for you.

So, idea is that as many emails are sent from the server and if all of them are correctly signed and DNS records are always correct, both IP Address and the Domain name will warm up and it'll increase deliverability from time to time. so keep in mind to always add all records correctly, not only SPF.

Collapse
 
rpalo profile image
Ryan Palo

That’s a lot of info, thank you so much! Looks like I’ve got more research to do :)

Collapse
 
nikayoda profile image
Nika Revazishvili

But warming process is hard anyway, both domain and IP needs warm up process to show email service providers that, domain is for real use and not for spam, spam detection is even harder than dns records, with GMAIL and Microsoft Office 365 (or outlook.com), they have AI system that also scores each world + each sentence to analyze what is email about, there are stop words and sentences that you have to avoid if you are first time sender and ip+domain reputation is nearly zero, then when both are warmed up you can use whatever you need but you must try to reduce stop words anyway, because while warmup requires weeks and months depends on email volume, to waste reputation points it may require less than minutes, so keep in mind to Google for stop words, also if your mail domain is new and emails are still going to spam even though you did everything, check blacklists for IP and if there are no blacklist record then try to ask people you know to add you to their mailbox and try to communicate with them from both side and it'll slightly warm reputation to give you chance to send emails even if someone does not have your address in contact lists, but this tricks only work for major companies, for self hosted services except Microsoft exchange, only spam filter matters nothing else. But still it's good that someone tried to help people understand how email services work today because they are so complex almost 95% of email server owners have no idea how to operate their mail server correctly to avoid spam filters.

Collapse
 
rumkin profile image
Paul Rumkin

"SFP" should be fixed to "SPF" in the header and first sentence of the second section.

Collapse
 
rpalo profile image
Ryan Palo

You’re very right. Thank you!

Collapse
 
gadlen profile image
gadlen

When you are sure the SPF record is doing what you want, you should probably change the "~all" to be "-all". That increases the confidence level that you are sending legit email. It makes mail that wasn't sent from your domain "fails" instead of just "softfails".