The first thing that you’ll want to check is that you have SPF setup. SPF lets the receiving mail server know that you are authorised to send an email from @your-domain-here.com and it works by adding a DNS record to your domain that lists the servers allowed to send on your behalf.
Here is an example of what a SPF record should look like, in this example we are sending from both Gmail/GSuite and Mailgun.
v=spf1 include:_spf.google.com include:mailgun.org ~all
Note: Mailgun actually recommends sending from a different subdomain but I wanted to show an example of what the record should look like if you are sending from multiple different services.
Note: This should be entered as a TXT record, at one point SPF was going to be a separate record type so you might see it listed separately in record type dropdowns but the correct (all be it nonsensical) thing to do is a TXT record.
Next make sure you have a DMARC record set up on your domain that tells receiving mail clients to reject anything that fails to validate. This might seem obvious (like you don’t really need the record) but I had major issues with some of my clients emails getting rejected because the DMARC record on their domain had policy set to none, this particularly affected GMail.
The guys over at DMARCian have some good tools that you can use free of charge to help you check all your records mentioned above. Their DMARC Inspector will give you some pointers on what additional properties are available and what they do.
A good DMARC record should look something like this:
v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];
Note: DMARCian has a tool to help review the XML reports that will get emailed to your rua/ruf addresses.
Note: If you want to check out what dmarc records other people are using try the
dig command in linux. Example
dig _dmarc.google.com TXT
Emails are not encrypted, they are send in plain text (or HTML/rich text), this means that your emails can potentially be read and modified in transit between your email server and the destination email server. DKIM adds a cryptographic signature to your email so that the receiver can verify that nothing has been changed in transit. Adding DKIM doesn’t seem to be as important to most email clients as SPF and DMARC but it will help as it’s another metric that can be used to judge how safe and reliable your email is likely to be. Besides while the chances of someone editing one of your emails in transit is probably quite low why take the risk?
DKIM uses a private key to generate the signature for your email and makes a related public key available via a DNS record for validation. How you set up DKIM will vary by provider but all the major providers will allow you to do it. If you’re using something like Mailgun or AuthSMTP to send email from an application then setting up DKIM (if it’s not already set up) will probably require just a few clicks and the copy & pasting a DNS record.
v=DKIM1; k=rsa; p=your-key-here
Note: Your key will be a long string of seemly random characters given to you by your mail provider.
Most emails these days use HTML, even if it’s only to help format the email signature. A lot of spam filters will score your email on a variety of factors to determine if it’s spam or legitimate. Minor errors in your HTML aren’t likely to be the sole cause of your email getting classified as spam but they will contribute and could push you over the threshold if there are other things about your email that appear spammy. This can include things like missing alt tags on an image or duplicate style properties on a single HTML element that don’t actually cause an issue but are none the less malformed and could be a sign that little effort, care or attention was give when creating the email.
Spam Assassin is a popular 3rd party spam filtering tool that scores emails to determine if they are spammy, it can also give you a breakdown of how it’s arrived at that score. Before you start trying to figure out how to run your own copy of Spam Assassin I should point out that all the services mentioned in the next section (some of which are free) will pass your email through Spam Assassin and give you the breakdown of the score.
Checking Your Emails
There are lots of services that can help you check your email and highlight issues available online, some are free and others aren’t but here are a few that I have used and can feel reasonably confident vouching for / reviewing.
Note: Make sure you don’t include any sensitive information in your test emails that you wouldn’t want to be available to the world, not only are emails an insecure way of transferring information to begin with but you never know who might be reading the emails you send to these services. Use these services at your own risk
I have not been paid to recommend or promote any of these tools, these are recommendations based off my personal experience only.
At the time of writing Mail Tester doesn’t require any signup or payment, it’s a simple and free service to use. It will check your SPF, DKIM, DMARK, run your email through Spam Assassin and give you the breakdown of the score, it will check if you’re in blacklists, it will give you access to view the text version of your message (Any email sent as HTML should also contain a text version)
Honestly I can’t recommend Mail Tester enough, you only need to send your test email to 1 address and it will address all the major factors that can cause issues for free and without signup, what more could you ask for?
Glock Apps tests a lot of the same things that Mail Tester does however it does require signup, that said it’s still free (for your first 3 tests) and does provide a really nice analysis of your message including HTML errors, issues with links and images and a text analysis for spammy phrases.
The biggest advantage of using GLock Apps is that it sends your email to multiple different real world email addresses, this means that instead of getting a score to indicate how well you email would theoretically do you get real world results e.g. GMail blocked your email 66% of the time because it classified it as spam.
I do really like GLock Apps and think it’s worth your time taking a look at it. The real world results can be really helpful in identifying specific mail services that have an issue and the rest is much like Mail Tester. If you want to do more than 3 tests the pricing is affordable and they have one time payment or subscription plans… or you could create another account with another email address but it seems fair to give them something if you like their service.
The only gripe that I have with GLock Apps (other than having to create an account) is that you have to copy in a large number of email addresses and add an id somewhere in the body of your email (meaning the text, not an html body tag)
Email On Acid
So I normally use Email On Acid for cross client testing, i.e. what does the email look like in Outlook 2013 vs Outlook 2016 vs Apple Mail vs Hotmail vs the Gmail mobile app. However I think it’s worth mentioning here as it also has spam testing built in. It checks many of the same things that Mail Tester and GLock Apps test and sends to multiple real email addresses much like Glock Apps.
Honestly I prefer the other 2 services as Email On Acid is more expensive than the other 2 (Because Mail Tester is free and Glock apps has monthly or one-off purchase options, Email On Acid does annual billing only). I also find Email on Acid slow and a bit unreliable, sometimes a test for a specific email client or service just doesn’t come through and you wonder if it’s something to do with your email or if it’s an issue with Email On Acid.
That said if you’re looking for something that can also do cross client testing it might be worth looking at, ultimately it does the job and is cheaper than Litmus but I can’t recommend it too much as truth be told I might look around for something better (and or cheaper) soon.
There are lots of other reasons your email can get flagged as SPAM (technical and none technical) but I’m not going to dive into all of those here as there are plenty of other articles that go into more detail. What I will do is say that the above will cover 90% of technical issues (in my experience) but here are some links if the above isn’t doing it for you.