Improving mail deliverability

edited November 2020 in Questions

Hi all,

I did a test with mail-tester.com on my email sent through sendy / Amazon SES and I have 7.7/10. Not bad but I would like to reach 10.

The only points which are in orange or red, with my questions, are the following. They all concern SpamAssassin spam filter :

-2.299 (red) URI_NO_WWW_INFO_CGI CGI in .info TLD other than third-level "www"

That's the most important point but I don't understand the issue. Do you know ? Any help is welcome :)

-0.249 (orange) HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different

Not sure to get this one. Probably one is my domain and the other one is amazon domain as it's using ses. And I don't know if I can improve that.

-0.1 (orange) DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

What do you think about that ? I implemented SPF, DKIM and DMARC so I don't think I can do more. Do you know why it's not green ?

Thanks for your help.

Best regards,

Comments

  • About the first issue (URI_NO_WWW_INFO_CGI CGI), it seems that all urls should be with www. So for the content of my email, it's done, but when I checked the output of the email received, there are still some without :

    X-Mailer: Sendy (https://sendy.co)

    how and where to rename it to https://www.sendy.co ?

    List-Unsubscribe: http://newsletter.mydomainname.fr/unsubscribe-success.php?c=7

    How can I have www here instead of newsletter ? It seems impossible here because I will be on my wordpress website domain and not on the sendy unsubscribe page. Is there a way ?

    @ben I would appreciate your precious help for this :)

    Thank you for your help.

    Best regards,
    Julien

  • @Ben for the second point of my previous answer, is there a way to :

    get a link like http://www.mydomainname.fr/unsubscribe-success.php?c=7 and do a redirection from my website with nginx to http://newsletter.mydomainname.fr/unsubscribe-success.php?c=7

    or

    have an unsubscribe form directly on my www website

    What do you think about that ?

    Thank you

  • edited November 2020

    @newty

    I've been monitoring my mail sending for a while now to get the best alignment possible using DMARC. I have SPF and DKIM entries for [domain].com for my mail server host, those pass 100% no problem. I also have SPF and DKIM entries for AWS [domain].com, which has been verified for some time now in AWS, but SPF wasn't working quite right with AWS.

    However, I have several systems that send on behalf of my primary [domain].com and I've found that I'll have issues with my mail.[domain].com for a while after doing an email campaign, and that's not good. It seems that a large amount of emails that were failing SPF would in turn affect my "true" mail.[domain].com email sending / delivery.

    I had just sent a sendy email campaign last week which sent 135K emails and when the weekly DMARC report came back, I had 100% alignment with DKIM via Amazon SES and 0% aligned with SPF via Amazon SES, so it was time to get it worked out.

    I had verified an email address newsletter@[domain].com AND my primary [domain].com in AWS, so I removed the newsletter@[domain].com (it's not needed anyway and @Ben specifies this in the sendy setup if you verify your domain, IIRC).

    So, if you verify the EMAIL ADDRESS first, AWS will default to the email address send from info, which would cause the MAIL FROM domain in AWS to default to the same domain as in the email address used, so make sure you check this part first.

    I then created a separate subdomain just for the AWS SES system: aws.[domain].com

    I added the appropriate MX record and SPF record per the AWS instructions for the "new" AWS SES sending email domain AWS.[domain].com and B-I-N-G-O 100% pass now. Scored a 9.1 of 10 on the mail-tester.com system, with all authentication metrics 100% pass, WOOT.

    This should be all I need and I'm hoping this will stop some of the lingering delivery issues from my "real" email domain.
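
Added example (not part of the posts above, and not Sendy or AWS code): the "100% DKIM, 0% SPF" result described in the comment above comes down to DMARC identifier alignment between the header From domain and the envelope sender (Return-Path) domain. The sketch checks alignment only, not whether SPF or DKIM themselves pass; the sample headers, the example.info domain and the two-label organizational-domain shortcut are assumptions (real evaluators use the Public Suffix List).

```python
import email
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain. Real
    # DMARC evaluators consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def dkim_domains(msg):
    # Collect the d= tag of every DKIM-Signature header.
    doms = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.split("=", 1) for t in sig.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in tags.items()}
        if "d" in tags:
            doms.append(tags["d"])
    return doms

def dmarc_alignment(raw, aspf="r", adkim="r"):
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    env_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    return {
        "spf_aligned": aligned(from_dom, env_dom, aspf),
        "dkim_aligned": any(aligned(from_dom, d, adkim)
                            for d in dkim_domains(msg)),
    }

# Constructed sample headers (not taken from the thread).
DEFAULT_MAIL_FROM = """\
Return-Path: <0100abc@eu-west-1.amazonses.com>
From: News <newsletter@example.info>
DKIM-Signature: v=1; a=rsa-sha256; d=example.info; s=sel1; b=AAAA
Subject: test

body
"""
# Same message after a custom MAIL FROM subdomain is configured.
CUSTOM_MAIL_FROM = DEFAULT_MAIL_FROM.replace(
    "eu-west-1.amazonses.com", "aws.example.info")

if __name__ == "__main__":
    print(dmarc_alignment(DEFAULT_MAIL_FROM))  # envelope domain not aligned
    print(dmarc_alignment(CUSTOM_MAIL_FROM))   # aligned under relaxed aspf
```

With strict alignment (`aspf="s"`) the aws subdomain would no longer align with a From address on the parent domain, which is why the relaxed setting matters for this layout.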

  • edited November 2020

    Looks like this is working as it should.

    Signed up for dmarc digests (was using the free postmarkapp.com service, converted to their paid service via Dmarc Digests) and now showing 100% alignment for the AWS SES emails. Nice.

  • Hi @GPZs,

    Thanks for your complete feedback, I really appreciate :)

    However I'm not sure to get all.

    Let me explain to you my configuration.

    For my website http://www.boursorama-parrainage.info I exchange by email with my clients / leads through my own postfix email server. This one is correctly working and I have no issue.

    But for the transactional emails and newsletter emails, I'm using sendy and aws. And here, I still have 7.6-7.7/10 on mail-tester.com

    I followed your recommendations, so I :

    1 - created the mx record : aws.boursorama-parrainage.info. 0 MX 2 feedback-smtp.eu-west-1.amazonses.com.
    2 - created the txt record : aws.boursorama-parrainage.info. 0 TXT "v=spf1 include:amazonses.com ~all"
    3 - created the dmarc record : _dmarc.boursorama-parrainage.info. 0 DMARC v=DMARC1;p=none;pct=100;rua=mailto:re+jiaixzk9mep@dmarc.postmarkapp.com;sp=none;aspf=r;
    4 - Created the 3 cname records with .dkim.amazonses.com.

    And when I do a new mail-tester.com test, I still have 7.6 score :(

    -2.299 URI_NO_WWW_INFO_CGI CGI in .info TLD other than third-level "www"
    -0.01 T_DKIM_INVALID Your DKIM signature is not valid
    Have a look at our DKIM test below to know why, this may be a false-positive

    The URI_NO_WWW_INFO_CGI is the most important one. Do you know what it is ? Do you know how to solve that ?

    Thank you for your feedback.

    Best regards,
    Julien

  • @newty

    Have you made the appropriate AWS DKIM to verify your top level domain? This part should be done first, before using the AWS subdomain. Not sure if you did this previous to going to the aws.[domain].info that you listed above?

    That's all I can figure out from the mail-tester.com report that your DKIM entry isn't valid. Also, check for correct syntax on the entries you have in your DNS. It does not take much to make the record entry incorrect or invalid.

  • @newty

    "The URI_NO_WWW_INFO_CGI is the most important one. Do you know what it is ? Do you know how to solve that ?"

    I suspect the main issue is your .info first-level domain. The spamassassin software used by mail-tester does a specific check for .info domains presumably because such domains are (or were) popular with spammers. There is a thread here explaining the regular-expression checks involved: http://spamassassin.1065346.n5.nabble.com/URI-NO-WWW-INFO-CGI-rule-td15449.html

    From what I can tell, if your Sendy newsletter has links to anything other than www.sitename.info (say, newsletter.sitename.info, or aws.sitename.info), then you will get that message in mail-tester.

    To double check, duplicate a newsletter in Sendy, remove all the non-www links in the editor and put that through mail-tester. Once you have established the links that are causing the error, the next step is to get those links changed in Sendy.
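
Added example (not part of the posts above, and not SpamAssassin's own rule): a way to find which links in a raw message are candidates for URI_NO_WWW_INFO_CGI before resubmitting to mail-tester, reporting whether each one sits in a header or in the body. The matching logic is an approximation built from the rule's one-line description ("CGI in .info TLD other than third-level www"); the actual pattern may apply further conditions, so treat hits as candidates. The sample message and the example-site.info domain are constructed.

```python
import email
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def is_candidate(url):
    """Approximates the rule's description: a query string, a .info host,
    and a third-level label that is not exactly "www"."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    if labels[-1] != "info" or not parts.query or len(labels) < 3:
        return False
    return not (len(labels) == 3 and labels[0] == "www")

def find_candidates(raw):
    """Return (location, url) pairs; location is a header name or "body"."""
    msg = email.message_from_string(raw)
    sources = [(name, str(value)) for name, value in msg.items()]
    for part in msg.walk():
        if not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            sources.append(("body", body.decode("utf-8", "replace")))
    return [(where, url) for where, text in sources
            for url in URL_RE.findall(text) if is_candidate(url)]

# Constructed sample message (not taken from the thread).
SAMPLE = """\
From: News <newsletter@example-site.info>
X-Mailer: Sendy (https://sendy.co)
List-Unsubscribe: <http://newsletter.example-site.info/unsubscribe-success.php?c=7>
Subject: test

Read more: http://www.example-site.info/article.php?id=3
Tracked link: http://newsletter.example-site.info/l/AbC123
"""

if __name__ == "__main__":
    for where, url in find_candidates(SAMPLE):
        print(f"{where}: {url}")
```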

  • Hi @colcol

    I did all of that and I think that the issue is about the .info domain name. So I can't do anything more... except change of domain name :(

  • hi @newty

    yes, a change of domain name is probably the best option. You could create a domain such as boursorama-parrainage-mail.com, and then migrate/install Sendy to newsletter.boursorama-parrainage-mail.com. I believe Sendy allows you to change licensed domains, rather than have to buy another one.

  • @newty

    Thank you for your very detailed report..
    I'm however lost and could do with some hand-holding, if you will.
    In amazon ses, I have the [domain.com], subdomain.[domain].com, email@[domain].com and email@subdomain.[domain].com under verified properties.
    The verified identity subdomain.[domain].com also has a send.subdomain.[domain].com MAIL FROM domain under Custom MAIL FROM domain
    In sendy (from my understanding) the FROM email should be sender@[domain].com instead of sender@subdomain.[domain].com

    Is this correct?

    In cloudflare where my DNS are, I have the
    MX entry send.subdomain: 10 feedback-smtp.us-east-1.amazonses.com
    TXT _amazonses
    TXT send.subdomain - v=spf1 include:amazonses.com ~all
    TXT subdomain v=spf1 mx a a:spf.web-hosting.com a:_spf.google.com mx:spf.web-hosting.com mx:_spf.google.com mx:amazonses.com mx:subdomain.[domain].com include:spf.web-hosting.com -all

    I think I may have butchered this..

    Any help would be greatly appreciated

  • UPDATE:
    Followed @GPZs instructions in one of the posts above.. sent meself a test email to a gmail account.. even though it landed in the spam folder. marked it important, moved it out of the spam folder, checked the email header and - Passed SPF, DKIM and DMARC!!

    Baby steps.. subscribed to warmupinbox to ensure my emails.. from my domain.. don't end up in the spam folder!
    yes, yes, amazon IPs are already super warmed up but.. need MY emails from my domain being seen as important and not for the SPAM folder!

    Time will tell...

    Thanks to this thread.. super helpful!

  • @GPZs
    [quote]I added the appropriate MX record and SPF record per the AWS instructions for the "new" AWS SES sending email domain AWS.[domain].com and B-I-N-G-O 100% pass now. Scored a 9.1 of 10 on the mail-tester.com system, with all authentication metrics 100% pass, WOOT.[/quote]

    I have a question relating to the subdomain..
    If all emails being sent are from user@[domain].com what's the purpose of the aws.[domain].com sub?
    Whilst I understand the security behind creating a subdomain for sending emails etc.. if the send from email in the newsletters is from the TLD (top level domain) and everything checks out with SPF, DKIM and DMARC, how's the subdomain being used for email sending etc?

    Or perhaps this is just a setting in SES?

    Feedback would be appreciated.

  • If all emails being sent are from user@[domain].com what's the purpose of the aws.[domain].com sub?

    There is no need to verify aws.[domain].com in your Amazon SES console, or any sub domains for that matter.

This discussion has been closed.