Understanding Mail Deliverability Problems
Linode
Linode Staff
The e-mail I send keeps getting blocked by some recipients. What do I need to do to fix this?
1 Reply
hphillips
Linode Staff
Mail Deliverability Problems
Mail deliverability problems can be quite complicated as every receiving domain makes up their own rules about whom they trust to receive mail from.
The reason for all this complication boils down to the need to avoid accepting mail from servers that cannot be confirmed to be under the control of the domain they say they represent. This problem is getting worse due to mail spoofing and phishing attacks creating the need for stricter checks as to the origin and authenticity of email.
Upon receiving mail, most recipients are going to check the following things:
They may check to see that your domain or IP address is not on a blocklist. If you have already tried to send email and it was rejected due to not passing some of the checks I describe below, this may have put you on a blocklist right out of the gate. Don't worry, once you have things setup, you can reach out to Linode Support to assist with delisting if necessary, or follow the instructions provided in the message that got sent back to you when your email bounced. (If you are lucky enough for the instructions to make sense.) Usually these are temporary anyway and may go away on their own. When reaching out to Linode Support about email deliverability, please include the complete message (including the email headers) that bounced back when your attempt to send your email failed. We will need to know the both the sending and receiving domains as well as the full text of any error messages in order to assist.
They may lookup the reverse DNS of the IP address (IPv4 or IPv6) of the server sending the email and ensure that it when they do a forward lookup on the name provided it matches the original IP address. It does not matter what the name of the server is, but forward and reverse lookups should be consistent. If your mail server uses IPv6 you will want to setup forward and reverse lookup for your Linode's IPv6 address as well.
https://www.linode.com/docs/platform/manager/dns-manager/
https://www.linode.com/docs/networking/dns/configure-your-linode-for-reverse-dns/They may connect to the SMTP server and check that it identifies itself with the rDNS name for the server's IP address. (this is often set by setting your Linode's hostname to it's rDNS name, but it might be explicitly overridden in your mail server's settings). You can set your Linode's hostname with the following guide:
Some recipients will wish to see that you are using TLS to encrypt messages and that you have security certificates keyed for your domain. You can check our Email Server guides for finding instructions on how to set this up
https://www.linode.com/docs/email/
https://www.linode.com/docs/security/ssl/They may look at the SPF record for the sending domain to make sure that this server is authorized to send email on behalf of the domain. If you are using a third party to send email on behalf of your domain, you will want to modify your SPF to allow them to do so. Most providers will provide instructions on what to add to allow them to send your mail.
https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/
https://mxtoolbox.com/SPFRecordGenerator.aspxMore security conscious domains may check that you have configured DKIM to digitally sign your outbound mail and have a DKIM record available to verify that the message has been signed using a private key that only you know.
To go the extra mile and be up to date with most of the internet's email infrastructure you might consider establishing a DMARC policy and publishing a DMARC TXT record in your DNS which states how email should be handled by a receiving domain.(https://dmarc.org/overview/). "Points" are usually not deducted for not having this set up, but once you have a DMARC policy correctly setup and you are not sending spam, it is unlikely that you will have further deliverability problems.
Once again, every receiving domain has its own rules about what mail it will and will not accept.
An additional note about configuring rDNS on IPv4 and IPv6: Forward resolution has to be successful before your can set your Linode's IPv4 and IPv6 rDNS name to prevent passing off your IP address as a domain that you do not own. You may therefore have to wait for propagation of your forward DNS names before you can proceed with setting your rDNS. (This is true whether you host your DNS on an external name server such as your registrar's or on Linode's name servers.)
Mailing Lists
You will want to ensure that if you are sending email to multiple recipients that it is CAN-SPAM compliant. Mail that does not meet this requirement may be marked as SPAM and can get your IP and domain on a blocklist. It is also against Linode's Terms of Service and may result in service interruption or account termination. Your message must meet the following criteria according to wikipedia:
Unsubscribe compliance
- A visible and operable unsubscribe mechanism is present in all emails.
- Consumer opt-out requests are honored within 10 business days.
- Opt-out lists also known as suppression lists are used only for compliance purposes.
Content compliance
- Accurate "From" lines
- Relevant subject lines (relative to offer in body content and not deceptive)
- A legitimate physical address of the publisher and/or advertiser is present. PO Box addresses are acceptable in compliance with 16 C.F.R. 316.2(p) and if the email is sent by a third party, the legitimate physical address of the entity, whose products or services are promoted through the email should be visible.
- A label is present if the content is adult.
Sending behavior compliance
- A message cannot be sent without an unsubscribe option.
- A message cannot be sent to a harvested email address
- A message cannot contain a false header
- A message should contain at least one sentence.
- A message cannot be null.[citation needed]
- Unsubscribe option should be below the message.