
BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Tue Jul 10, 2018 11:55 pm
by virtualmike
I have a domain at Sonic, which I use for all my personal email.

I tried to send email to relatives with an @btinternet.com address, and BT bounced it, saying, "Your message looks like SPAM or has been reported as SPAM please read www.bt.com/bulksender)."

I can assure anyone the email content is not spam--it is a "happy birthday" greeting to the relatives. I don't know or email anyone else who has an @btinternet.com address.

I'm not a bulk mailer, and some of the requirements can't be met (such as not having a static IP address), but perhaps if I can meet some of them, BT might be willing to deliver my messages.
  • Make sure the domain you send from has a Sender Policy Framework (SPF) record for the IP address you'll be sending from. An SPF record allows domain owners to publish a list of IP addresses that are authorised to send email on their behalf. The aim is to reduce the amount of spam by making it harder for malicious senders to disguise their identity
  • Make sure there is a correct PTR (reverse DNS entry) for your IP address. Reverse DNS is a method of resolving an IP address into a domain name, just as the domain name system (DNS) resolves domain names into associated IP addresses. If a spammer uses an invalid IP address that doesn't match the domain name, a reverse DNS look up program will try to match this to an IP address. If no valid name is found to match the IP address, the server blocks that message
  • Sign all your email using DKIM. This protects recipients against spoofing and phishing. If you don't have a DKIM entry in your DNS or don't sign your email with DKIM we're more likely to consider it spam
I can't do anything about these ones, though, so I'm hoping that Sonic has them covered:
  • Check your email service has a good reputation
  • Check your email sending service hasn't been blacklisted
Can anyone advise how to do the SPF, PTR, and DKIM for my personal domain? ....thanks!

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Wed Jul 11, 2018 10:17 am
by drew.phillips
Hi Mike,

Our mail servers don't do DKIM signing at this time so your only option here is setting up an SPF record to designate who is allowed to send mail for your domains. I strongly recommend adding an SPF record to your domain.

Here is a starter template you can use if you only send mail from your domain through Sonic's mail servers:

Code:

"v=spf1 include:mail.sonic.net -all"

Before adding it to your site, it's important to fully understand what this all means. Wikipedia entries on SPF and numerous other sites fully explain how it works so I won't go into detail here.

I personally recommend the "-all" failure mechanism because it's a strong indicator to other mail servers that if the message did not come from one of the allowed servers, that you are asserting it is a forgery and should be rejected. When using this, care needs to be taken that you don't send mail from @yourdomain.com from any host not included in the SPF record, otherwise it will likely be rejected by any mail system checking SPF records.

If, for example, you have a website that might send a message from Perl or PHP from a web form through your host's server, you must not forget to also include the IPs or hosts that mail would come from to your SPF. If Sonic is hosting mail for your domain, always ensure you send mail from your domain through Sonic. If there are one or two cases where you don't, include those hosts in your SPF record.

To set this up, you would add a new "TXT" record to your DNS with the SPF record above. Once added, try sending the message again and see if it gets through.

I've had lots of luck with better delivery for domain email at Sonic by simply adding an SPF record.

Let me know if you have further questions.
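
Added example, not part of the original post: a simplified SPF evaluator showing how a receiver treats the template record above, why an unlisted web host is rejected under "-all", and that a subdomain without its own record gets no result from the parent's. The domain example.net and all IP ranges are constructed placeholders; the real contents of mail.sonic.net's record are not shown in the thread.

```python
import ipaddress

# Constructed zone data. The thread never shows what mail.sonic.net publishes,
# so an RFC 5737 documentation range stands in for Sonic's outbound servers.
TXT = {
    "example.net": "v=spf1 include:mail.sonic.net -all",
    "mail.sonic.net": "v=spf1 ip4:192.0.2.0/24 -all",
}
# Same domain after authorising a (hypothetical) web host that sends form mail.
TXT_WITH_WEBHOST = dict(TXT)
TXT_WITH_WEBHOST["example.net"] = (
    "v=spf1 include:mail.sonic.net ip4:198.51.100.25 -all")

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, txt=TXT, depth=0):
    """Simplified RFC 7208 evaluation: ip4, ip6, include and all only."""
    record = txt.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no record: parent-domain SPF is not inherited
    if depth > 10:                  # stop include loops (RFC 7208 caps lookups at 10)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULT[qualifier]
        elif name == "include":
            inner = check_spf(arg, ip, txt, depth + 1)
            if inner == "pass":     # only a pass inside the include is a match
                return RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        # a, mx, exists, ptr and redirect= are outside this sketch
    return "neutral"


if __name__ == "__main__":
    print(check_spf("example.net", "192.0.2.10"))          # sent via Sonic
    print(check_spf("example.net", "198.51.100.25"))       # web host, not listed
    print(check_spf("example.net", "198.51.100.25", TXT_WITH_WEBHOST))
    print(check_spf("sub.example.net", "192.0.2.10"))      # subdomain, no record
```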

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Wed Jul 11, 2018 8:54 pm
by virtualmike
Thanks, Drew! This is very helpful! I read through much of the SPF documentation, and I had trouble following along to see what exactly I need to do.

I do send my domain's email only through Sonic's servers. Even when I access my domain email through Gmail, I have it configured to use the Sonic SMTP server for sending.

I have one question that I should have included last night: do I need to do anything to cover my subdomains?

Thanks again! I appreciate the pointer!

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Wed Jul 11, 2018 9:43 pm
by virtualmike
Unfortunately, BT still is rejecting my email (sent from my TLD, not a subdomain). Drew, do you have any other suggestions? ...thanks!

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Thu Jul 12, 2018 8:14 am
by drew.phillips
I checked the SPF record on your domain and it looks great. Before we dig into other possibilities, can you go to mail-tester.com and send a message from your domain as you normally do to the address they supply? The score should be about 9/10 and it should show that SPF matches and is valid. It will take one point off for no DKIM.

If that looks good, trying to send a generic message to the BT address and seeing if it goes through would be my next suggestion. I often see non-spam messages have one component in them that makes the remote server reject it. A simple email test might reveal some messages are going through but not others.

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Thu Jul 12, 2018 10:04 pm
by virtualmike
Done. Thanks for the tip for mail-tester.com! I did get the 9/10, though it advised there was no HTML in my email. I normally send plain text messages unless I have to include something that forces it to MIME.

It also suggested this:

Code:

You do not have a DMARC record, please add a TXT record to your domain _dmarc.<mydomain>.net with the following value:

v=DMARC1; p=none

Do you recommend I do that?

Thanks again, Drew. I'll let you know what happens next. So far, no bounce message...

PS. Do I need to add SPFs for my subdomains, or are they covered by my primary TLD? ...thanks!

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Fri Jul 13, 2018 10:01 am
by drew.phillips
You can disregard the HTML factor from mail-tester, it's a cool tool for basic things but it's really meant towards testing newsletter mailings so that's why they recommend HTML over plain text.

Honestly I'm not sure in this case if having a DMARC record vs. not having one would help with mail delivery. The example they give states you have no policy in place for DMARC so it doesn't buy you much.

I have a DMARC record similar to this one for my domain (I have removed the "adkim" tag here since Sonic does not yet support DKIM):

Code:

"v=DMARC1; aspf=s; p=reject; sp=none; rf=afrf; pct=100; ruf=mailto:dmarc@YOURDOMAIN.com; ri=86400"

It's a strict policy. I require the sender domain for SPF to match exactly (I don't send from subdomains). The policy "p" is to reject messages that fail policy, rather than quarantine or leave it up to the receiver. 100% "pct" of messages should have the DMARC policies enforced rather than a sampling.

You could try something similar to the rules above and see if that helps. If you send from a subdomain, you could add a similar SPF and DMARC record on the subdomain itself (e.g. _dmarc.subdomain.yoursite.com and a TXT SPF record on subdomain.example.com). Alternatively, you can set "aspf" to "r" for relaxed, which means that from@sub.yoursite.com should be accepted, where strict would require it only be from yoursite.com.

Instead of setting the policy "p" to reject, you could use "quarantine" instead. Depending on the capabilities of the Mail Receiver, this can mean "place into spam folder", "scrutinize with additional intensity", and/or "flag as suspicious".

Lastly, I would recommend setting up SPF records on your subdomains in addition to the primary domain if you send mail with the subdomain in the "From" address on occasion. Similarly, you can set up DMARC records on subdomains as described above by setting the TXT record on _dmarc.subdomain.yoursite.com in addition to _dmarc.yoursite.com.

Hope that helps and I'm glad to hear that so far you haven't gotten a bounce message back.
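
Added example, not part of the original post: a sketch of how a receiver could apply the DMARC record quoted above when SPF is the only authentication available (no DKIM), comparing the From domain with the envelope (MAIL FROM) domain that SPF checked, under aspf=s and aspf=r. It assumes the record is the one found at the organizational domain, takes that domain as a parameter instead of consulting the Public Suffix List, and ignores pct; bounce.yoursite.com and sub.yoursite.com are hypothetical names.

```python
# Record quoted from the post above; yoursite.com is the thread's placeholder.
STRICT = ('"v=DMARC1; aspf=s; p=reject; sp=none; rf=afrf; pct=100; '
          'ruf=mailto:dmarc@YOURDOMAIN.com; ri=86400"')
RELAXED = STRICT.replace("aspf=s", "aspf=r")   # same policy, relaxed alignment


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dictionary."""
    tags = {}
    for part in record.strip('"').split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC policy record")
    return tags


def spf_aligned(from_domain, mailfrom_domain, org_domain, mode):
    """aspf=s: exact match. aspf=r: both under the same organizational domain."""
    if mode == "s":
        return from_domain == mailfrom_domain

    def in_org(domain):
        return domain == org_domain or domain.endswith("." + org_domain)
    return in_org(from_domain) and in_org(mailfrom_domain)


def disposition(record, from_domain, mailfrom_domain, spf_result,
                org_domain="yoursite.com"):
    """Return 'pass', or the policy (none/quarantine/reject) the record requests."""
    tags = parse_dmarc(record)
    from_domain, mailfrom_domain = from_domain.lower(), mailfrom_domain.lower()
    mode = tags.get("aspf", "r")               # relaxed is the DMARC default
    if spf_result == "pass" and spf_aligned(from_domain, mailfrom_domain,
                                            org_domain, mode):
        return "pass"
    # A subdomain in From: falls under sp= when present, otherwise under p=
    if from_domain != org_domain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    # SPF passed for bounce.yoursite.com, but From: is yoursite.com
    print(disposition(STRICT, "yoursite.com", "bounce.yoursite.com", "pass"))
    print(disposition(RELAXED, "yoursite.com", "bounce.yoursite.com", "pass"))
    # From: a subdomain and SPF failed, so sp=none applies instead of p=reject
    print(disposition(STRICT, "sub.yoursite.com", "sub.yoursite.com", "fail"))
```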

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Fri Jul 13, 2018 10:30 pm
by virtualmike
Thank you, Drew! You've been awesomely helpful. I will add the SPF for the subdomains, and carefully consider whether to add the DMARC now or wait until the next time an ISP arbitrarily starts rejecting email. :-) ...cheers!

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Fri Jul 13, 2018 11:15 pm
by virtualmike
No luck. :evil: Drew, I left a PM with some details on the bounce message. Is it possible for Sonic to do an ISP-to-ISP conversation to see why they're bouncing my emails?

Re: BT refuses my email, says I need SPF, PTR, and/or DKIM to send from my domain

Posted: Mon Jul 16, 2018 9:08 am
by drew.phillips
I've reached out to their postmaster with some details and requests for more specific reasoning on the bounce and more suggestions on getting mail through than what their help page has to offer.