30

I'm sending weekly emails to subscribers and it turns out that messages are frequently going to the spam folder for users.

I'm utilizing Amazon SES to send these messages and have added an SPF record according to their instructions: http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPFSenderIDDKIM.html?r=3917

In querying the SPF records for my domain I get the following back from http://www.kitterman.com/spf/validate.html:

SPF record lookup and validation for: mydomain.tld

SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:


SPF records should also be published in DNS as type SPF records.
Type SPF records found for the domain are:


Checking to see if there is a valid SPF record. 

Found v=spf1 record for mydomain.tld: 
v=spf1 include:amazonses.com ?all 

evaluating...
Results - record processed without error.

The result of the test (this should be the default result of your record) was, none . The explanation returned was,

For my CloudFlare DNS records I have:

SPF  mydomain.tld   v=spf1 include:amazonses.com ?all   with automatic TTL
TXT  mydomain.tld   spf2.0/pra include:amazonses.com ?all   with automatic TTL

The emails are being sent from "no-reply@mydomain.tld" and "admin@mydomain.tld".

Some users have reported seeing the following message: "Messages that falsely appear to be a "bounced message" response (a system-generated email that you might automatically get after sending a message that can't be delivered such as a message sent to an invalid email address)"

With my current sending solution I can't add a DKIM to the emails.

How can this be resolved so as to ameliorate any kind of receipt issues for our users?

ylluminate

1 Answer

26

There are no valid TXT records for your domain (notice that the test doesn't return any, see below for a working example), which is caused by missing quotes around those TXT records you defined, as explained e.g. in Record Types Supported:

Unlike with most other record types, for TXT records the Data field is essentially free-form and may even include spaces. Please note: When entering a string that includes spaces, such as SPF records, you must enclose the string in double quotes; otherwise, individual words will be separately quoted and break up the record into multiple parts.

Here are the TXT records we currently use successfully for Amazon SES as per Authenticating Your Email Address (it's indeed unfortunate that their documentation doesn't address the quoting needs):

"v=spf1 include:amazonses.com ~all"
"spf2.0/pra include:amazonses.com ~all"

Accordingly, here is our domain's abbreviated result for the test you have been running:

SPF record lookup and validation for: [...]

SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:
spf2.0/pra include:amazonses.com ~all 
v=spf1 include:amazonses.com ~all 

[...]

Checking to see if there is a valid SPF record. 

Found v=spf1 record for services.marescom.net: 
v=spf1 include:amazonses.com ~all 
MrWhite
Steffen Opel
  • Are there TWO TXT records for your domain, i.e.: 1) yourdomain.tld: "v=spf1 include:amazonses.com ~all" and then 2) yourdomain.tld: "spf2.0/pra include:amazonses.com ~all"? – ylluminate Mar 20 '12 at 10:45
  • @ylluminate: Indeed, though they might not need to be (the test you are running only seems to care about the one you have, see my update) - I never analyzed SPF requirements in detail, rather just applied the existing examples until 2-3 of these SPF tests returned 'all green' ;) The other one stems from [Authenticating Email with Sender ID](http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SenderID.html) - I've fixed the misleading link now (which went to [Authenticating Email with SPF](http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPF.html) rather than their parent). – Steffen Opel Mar 20 '12 at 11:00
  • 1
    @ylluminate: Just to clarify (and for later reference) - reading the linked SES documentation and the related RFCs again confirms that SES currently supports three complementary _authentication mechanisms [...]: SPF, Sender ID, and DKIM_. The record you are using already is _SPF_ (obviously), while the 2nd one we are using is _Sender ID_. Accordingly, you don't require _Sender ID_, but _For the best delivery rates, and to help prevent spoofing and phishing, [AWS recommends] that all Amazon SES users maintain both SPF records (v=spf1) and Sender ID records (spf2.0/pra) in their DNS servers._ – Steffen Opel Mar 20 '12 at 11:29
  • I was indeed attempting to add SPF and Sender ID. On CloudFlare (my DNS management platform) I have used their SPF record for the SPF and a TXT record for Sender ID. I believe perhaps I could have used their SPF field for both, but I just used these two for the time being. The records seem to be returning properly now thanks to your clarification. You note "all green" in your message above; do you use a testing panel that gives a simple test to verify ns validity for email records such as SPF? Would be interested in what it is if so. – ylluminate Mar 20 '12 at 17:46
  • Will it also take some time to propagate DNS after the mentioned TXT records are added? – Rossitten Feb 12 '16 at 05:44
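
The quoting problem described in the answer, as an added example that is not part of the original posts: it models how an unquoted TXT data field is broken into separate character-strings, rejoins them without spaces as RFC 7208 section 3.3 specifies, and checks whether a valid SPF or Sender ID version tag survives. The tokenizer is a simplified model of zone-file parsing, and all function names are hypothetical.

```python
import re

# Simplified zone-file tokenizer (assumption): a TXT data field is a run of
# character-strings, separated by whitespace unless wrapped in double quotes.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
_SENDER_ID = re.compile(r"spf2\.0/(mfrom|pra)(,(mfrom|pra))*")
_ALL = re.compile(r"([+\-~?]?)all", re.IGNORECASE)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_strings(data_field):
    """Return the character-strings a DNS server would store for this field."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(data_field)]


def effective_record(strings):
    """Join the strings with no separator, as RFC 7208 section 3.3 requires."""
    return "".join(strings)


def classify(record):
    """Return (kind, result of the 'all' term); (None, None) if the version tag is invalid."""
    head = record.split(" ")[0].lower()
    if head == "v=spf1":
        kind = "SPF"
    elif _SENDER_ID.fullmatch(head):
        kind = "Sender ID"
    else:
        return None, None
    default = None  # stays None when the record has no 'all' term
    for term in record.split()[1:]:
        match = _ALL.fullmatch(term)
        if match:
            default = QUALIFIERS[match.group(1) or "+"]
    return kind, default


def audit(data_field):
    """Tokenize, reassemble and classify one TXT data field."""
    strings = txt_strings(data_field)
    record = effective_record(strings)
    return {"strings": strings, "record": record, "result": classify(record)}


if __name__ == "__main__":
    # Constructed inputs: the question's unquoted values, the answer's quoted ones.
    for field in ('v=spf1 include:amazonses.com ?all',
                  'spf2.0/pra include:amazonses.com ?all',
                  '"v=spf1 include:amazonses.com ~all"',
                  '"spf2.0/pra include:amazonses.com ~all"'):
        print(field, "->", audit(field))
```

The unquoted fields collapse to `v=spf1include:amazonses.com?all` and `spf2.0/prainclude:amazonses.com?all`, which no longer start with a valid version tag, so a validator treats the domain as having no record of that type.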