Web Hosting - Sending Email (DMARC/DKIM/SPF Considerations)
It is no longer a good assumption that you can use any From address on your emails and have them make it past Spam, Junk, or Phishing filters. Here are some things to check yourself and who to follow up with if you have more questions.
Shared Hosting has configurations that use the Campus SMTP relay service (smtp.wiscmail.wisc.edu) for our servers, including relaying of mail to non-wisc.edu domains (ex: Gmail.com). Use of this isn't required, but many default configurations (ex: php) will use smtp.wiscmail.wisc.edu
Begin your adventure here: https://it.wisc.edu/it-community/email-authenticity
Note: We do not provide consultation about interpreting your current settings or making suggestions about what to change your settings to, Please schedule a consultation directly with the mail team: https://kb.wisc.edu/82804
Example #1: Sending email to Gmail
- Gmail will commonly Junk your email message if you are failing validation of some parts of DMARC/DKIM/SPF
- As of May 2022, Gmail has become more strict, they no longer give the sender the benefit of the doubt, they are either straight Junking your messages OR outright rejecting them if you do not have SPF and DMARC setup correctly for the specific FROM address. Please use the testing tools mentioned at the bottom of this KB and contact the mailteam for additional assistance.
- If you haven't put in the dedicated effort to test and ensure your messages are getting through to Gmail recipients, over the past few years, it is likely your messages gradually started landing in the Junk folder instead of Inboxes
- If email delivery succeeds, but your headers include "best guess", your configuration is still wrong. Read this for more details: https://www.spamresource.com/2019/02/gmail-spf-status-of-best-guess-what.html
Example #2: Arbitrary From address
- If you just pick an arbitrary From address for your email message, you will commonly see failures from some part of DMARC/DKIM/SPF.
- In the past you could pick any email address, and your sending program would happily spoof the email address, and your recipients would happily receive a spoofed email from address. (Think of bad examples like sending an email as the Chancellor, but you are not the Chancellor - that used to work)
- Better bet: Use a From address that is a real email address with a real mailbox. In the case of wiscmail, a Service Account is a good idea: https://kb.wisc.edu/68238
- Another better bet: If you are sending email from a website like mysitename.wisc.edu, try having your email From address be something like firstname.lastname@example.org
Tests you can run yourself:
- Per instructions here: https://it.wisc.edu/it-community/email-authenticityRemember to send your email to email@example.com and schedule a consultation with the mail team.
- Best Detailed explanation of your configuration:
- Check full domain sending report: https://mxtoolbox.com/emailhealth/
- After entering and email address or domain name, and clicking "Check Email Health", make sure to click "Did you really mean to run...click here" so it runs the report against your website, not just wisc.edu
- DMARC: https://mxtoolbox.com/DMARC.aspx
- Add _dmarc. in front of your sending domain, ex: _dmarc.mysitename.wisc.edu
- Click the Dmarc Lookup button
- Alternatively, you can run a command like "dig txt _dmarc.mysitename.wisc.edu"
- SPF: https://mxtoolbox.com/spf.aspx
- Enter the sending domain , ex: mysitename.wisc.edu
- Click SPF Record Lookup button
- Alternatively, you can run a command like "dig txt mysitename.wisc.edu | grep spf"
- DKIM: https://mxtoolbox.com/dkim.aspx
- Enter the sending domain, ex: mysitename.wisc.edu
- Add a selector (ex: email)
- DNS TXT requests and the like can be made to the Campus Hostmasters (firstname.lastname@example.org) for email authenticity.
- We do not provide consultation about interpreting your current settings or making suggestions about what to change your settings to, Please schedule a consultation directly with the mail team: https://kb.wisc.edu/82804