Tuesday, April 17, 2012

Avoiding Spam Emails with Google Apps

Employees at my startup have started complaining that their outgoing emails were landing in their recipients' Spam folders. It seems to happen more often with recipients that use Outlook. After a little research I discovered that our Google Apps and GoDaddy DNS setup was missing some key configurations: an SPF record and a DKIM record.

After making the changes described below and waiting a few hours for DNS changes to propagate, the Spam problem has been resolved!

Sender Policy Framework (SPF) Records

An SPF record is a type of DNS record that identifies which mail servers are permitted to send email on behalf of your domain. If an email message comes from a server other than the Google Apps mail servers listed in the SPF record, the recipient's mail server can reject it as spam.

Google gives these instructions for creating an SPF record. I followed those instructions, which resulted in me adding a new TXT DNS record in GoDaddy:

Host:
@

TXT Value:
v=spf1 include:_spf.google.com ~all

DomainKeys Identified Mail (DKIM) Standard

You can add a digital "signature" to the header of mail messages sent from your domain. Recipients can check the domain signature to verify that the message really comes from your domain and that it has not been changed along the way. Google gives these instructions for getting your emails signed and verified. I followed those instructions, which resulted in me adding another TXT DNS record:

Host:
google._domainkey

TXT Value:
v=DKIM1; k=rsa; p=CIGfMA0GCSqGSIb2DQEBAQAAA4GNADCBiQHKgQCj+tnMQMGMn8NfHnpDmgPa7ICUKdXdyzTlkBglZKRfEtF9msn1v/TmHZEvWFFp3KiaL2Igs7K57l+n/QJlk8Aj9C9nTGmXnzm9BL2zOQQL/zxJh9qh22bnO8uf7tM7sGHxr3z7yIkpXzA96G0inqmNb2XztXKseV4dp5jXbow4+QIDAQAB

I used the following services to test if the above configurations were working properly:

OpenSPF.org

The OpenSPF site contains detailed instructions. You basically send an email to spf-test@openspf.org. Your email will bounce, but the bounce message will contain diagnostic information. Before I made any changes, the bounced email contained:

SPF Tests: Mail-From Result="none": Mail From="ken@mystartup.com" HELO name="mail-vb0-f45.google.com" HELO Result="none" Remote IP="209.85.212.45"

After adding an SPF record, I got:

SPF Tests: Mail-From Result="pass": Mail From="ken@mystartup.com" HELO name="mail-ob0-f173.google.com" HELO Result="none" Remote IP="209.85.214.173"

After setting up DKIM, a new section appeared:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
       d=mystartup.com; s=google;
       h=mime-version:from:date:message-id:subject:to:content-type;
       bh=3N7Rc6NGlzUWcAIDAPH02fhMn6EQcMyaqN1zoCZpAj4=;
       b=CB2n+ZleGjSlLH23RAvhMu56NIZULnSbc3efghykaJpeYMK5xOH2HDqzkoIk7kUWLV
        3xfcPK/7sABiIzhmi+RzzPaOEpUvE8kqFd9SocB3dUYmmCauB2RQIXh7qOUFFV/HTDxR
        23jAtjJUNX4VcdbNsmedbSwKpE30NYF49kjEY=
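
How the two TXT records and this header fit together, as an added example (not code from the original post or from Google): it reads the SPF record to show what receivers are told about unlisted servers, derives the DNS name a verifier looks up from the header's `s=` and `d=` tags, and sanity-checks a DKIM key record before you paste it into DNS. The function names are my own, and the signature value is shortened to the tags that matter here.

```python
import base64
import binascii

# SPF qualifier -> result a receiver records when that mechanism matches
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list (key record or header value)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def spf_summary(record):
    """Return the include: targets and the result for servers not listed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes, default = [], "neutral"  # no 'all' term: unlisted servers get neutral
    for term in terms[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("include:"):
            includes.append(mech.split(":", 1)[1])
        elif mech.lower() == "all":
            default = SPF_QUALIFIERS.get(term[0], "pass")  # bare 'all' is '+all'
    return {"includes": includes, "unlisted_servers": default}

def dkim_key_host(signature_value):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    tags = parse_tags(signature_value)
    return f"{tags['s']}._domainkey.{tags['d']}"

def dkim_key_problems(record):
    """List problems in a published DKIM key record (empty list: none found)."""
    tags = parse_tags(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if not tags.get("p"):
        problems.append("p= missing or empty")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated paste?)")
    return problems

# Values from the post; the header value is shortened to its s= and d= tags.
SPF_RECORD = "v=spf1 include:_spf.google.com ~all"
SIGNATURE = "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mystartup.com; s=google;"
```

`dkim_key_host(SIGNATURE)` gives the name under which the `google._domainkey` TXT record must resolve, and `spf_summary(SPF_RECORD)` shows that `~all` marks unlisted servers as softfail.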

Port25.com

For this one, you send an email to check-auth@verifier.port25.com. If your SPF record and DKIM are set up properly, you should get a reply containing this summary:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

IsNotSpam.com

This is similar to the service from Port25.com. You send an email to check@isnotspam.com and get a similar reply.