Adjust e-mail to let it pass through spam filters

• Sign e-mail with DomainKeys and DKIM
• General suggestions

Spam filters are far from being perfect. This guide describes what you can do if your legitimate e-mails keep getting blocked by spam filters.

Sign e-mail with DomainKeys and DKIM

DomainKeys technology and its newer version DKIM allow the receiving part to check if the incoming e-mail is indeed sent from the e-mail address which appears in the message. Spammers usually forge addresses in e-mails and therefore can't sign e-mails with DomainKeys and DKIM. If your e-mail has a valid DomainKeys and DKIM signatures, the chances the receiving part will consider it spam will reduce significantly.

Note that DomainKeys/DKIM signing must be the very last thing you during creating the e-mail. If you modify the e-mail content after the signature has been created, it will become invalid.

To support DomainKeys/DKIM, you need a pair of certificates:

• Private certificate which you will use to sign outgoing e-mails.
• Public certificate as DNS TXT record of your e-mail server. The domain record where this certificate resides must be somewhat like selector._domainkey.yourdomain.com. selector part of the string is configurable, the rest is not.

Certificates can be created with OpenSSL tool. Unlike SSL and S/MIME certificates, self-signed DomainKeys/DKIM certificates are perfectly OK. Just make sure the certificate's private key is at least 1024 bits strong.

When the receiving part gets an incoming message signed with DomainKeys/DKIM, it validates that the message is not altered using the signature in the message and the public certificate on your server. This assures that the message was sent by someone who has access to the private certificate for this server.

Even if spammer was able to send e-mail through your server (e.g. the server is open relay), the spammer will be unable to properly sign e-mails without access to the private certificate. Of course, the private certificate must be kept in a safe place. Do not give it to anyone! If you have external (but legitimate) users which need to send e-mail through your server and sign with DKIM/DomainKeys, implement server-side signing of their e-mails instead of giving the certificate to them.

All types and classes related to DKIM/DomainKeys reside in MailBee.Security namespace. Also, MailMessage object provides a convenient MailMessage.DomainKeysSign method for quick access to the "sign with DKIM/DomainKeys" function.

The sample below signs the message with DomainKeys and DKIM. The sample assumes that the DK/DKIM public key resides in DNS TXT record named dk._domainkey.company.com and the corresponding private key resides in C:\Temp\rsa1024.private file:

Smtp mailer = new Smtp();

// Set the message properties.
mailer.Message.From.Email = "john.doe@company.com";
mailer.Message.To.Add("jane.doe@example.com");
mailer.Message.Subject = "Hello";
mailer.Message.BodyPlainText = "Hello, Jane, can we meet today?";

// Sign the message with DomainKeys and DKIM.
mailer.Message.DomainKeysSign(false, null, @"C:\Temp\rsa1024.private",
    true, "dk", DomainKeysTypes.Both);

// Send the message via SMTP server (authentication is enabled).
mailer.SmtpServers.Add("mail.company.com", "john.doe@company.com", "secret");
mailer.Send();

Dim mailer As Smtp = New Smtp()

' Set the message properties.
mailer.Message.From.Email = "john.doe@company.com"
mailer.Message.To.Add("jane.doe@example.com")
mailer.Message.Subject = "Hello"
mailer.Message.BodyPlainText = "Hello, Jane, can we meet today?"

' Sign the message with DomainKeys and DKIM.
mailer.Message.DomainKeysSign(False, Nothing, "C:\Temp\rsa512.private", _
    True, "dk", DomainKeysTypes.Both)

' Send the message via SMTP server (authentication is enabled).
mailer.SmtpServers.Add("mail.company.com", "john.doe@company.com", "secret")
mailer.Send()

We assume that MailBee, MailBee.Mime, MailBee.SmtpMail and MailBee.Security namespaces are already imported and MailBee.Global.LicenseKey is specified (in the code or in app.config or web.config file). To learn more, refer to Import namespaces and set license key topic.

Other notes:

• For ASP.NET applications, the first parameter of MailMessage.DomainKeysSign method must be true.
• dk is selector, it assumes the public certificate's DNS TXT record is available at dk._domainkey.yourdomain.com.
• MailBee.NET does not check if selector._domainkey.yourdomain.com DNS TXT record actually exists when you sign the message. This check is only performed by the receiving part which needs to validate the signature of the incoming message.
• For e-mails generated with mail merge (such as with Smtp.SendMailMerge method), you can call MailMessage.DomainKeysSign method during mail merge post-processing. Subscribe to Smtp.SendingMessage event and call e.MailMessage.DomainKeysSign in the event handler (assuming e is SmtpSendingMessageEventArgs parameter of the event handler). For details on mail merge post-processing, refer to Mail merge with post processing topic.
• Signing with DomainKeys/DKIM is a memory and resource consuming operation. Ideally, it should be your e-mail server's responsibility to sign all outgoing e-mails, not MailBee.NET's. If your server does not support DomainKeys/DKIM and you have to use MailBee.NET for that, you can optimize performance by signing with DKIM only (no classic DomainKeys). In practice, if the server supports classic DomainKeys, it will support DKIM either, so having DKIM-only signature should be enough.
• If combined with S/MIME encryption or signing, you must first do S/MIME thing, and AFTER that sign with DomainKeys/DKIM.

To read more on DomainKeys/DKIM, refer to DomainKeys class. It provides more explanations and features in addition to MailMessage.DomainKeysSign method.

General suggestions

Although DomainKeys/DKIM is a powerful tool to satisfy spam filters, it's often not sufficient (or even not possible to use at all if you are not an administrator of the server and thus cannot add entries to its DNS records).

What else you can do with the server (if you're the server's admin):

• Make sure the e-mail server has the valid PTR record (reverse DNS) and MX record. There are many online tools in the Internet which allow you to check if your e-mail server has all the required DNS records.
• Set DNS SPF record for the e-mail server to publish the list of all IP addresses which have permission to relay through it. Not as mandatory as PTR and MX, but quite important though.
• Check if the IP address of your e-mail server is not black-listed. You may need to change the IP address if it's "poor".

What else you can do with the e-mails you're creating (if you're just a user):

• If sending automated messages, provide clearly visible unsubscribe links and make sure they work. You can also add List-Unsubscribe header to your e-mails and implement List-Unsubscribe mechanism.
• Process bounced e-mails and unsubscribe dead addresses in a timely manner. You can use DeliveryStatusParser class of MailBee.BounceMail namespace to check if the e-mail is a delivery or non-delivery report.
• For HTML e-mails, provide plain-text version as well. MailBee.NET does this by default, do not turn this off.
• Avoid external images in HTML e-mails (they are often used by spammers to track when people open e-mail in their e-mail clients).

Send feedback to AfterLogic

Copyright © 2006-2023 AfterLogic Corporation. All rights reserved.