Outgoing mails from my new server are marked as spam
Question asked by S Settels - 2/4/2021 at 8:09 AM
some recipients are putting mails sent via my server into a spam folder. But sent from my account as well from a customer's account. The server is new, it is not reported on any spam lists. Can somebody please tell me how to investigate this?
Thank you

8 Replies

Reply to Thread
Sébastien Riccio Replied

Can you send a mail from your account to check-auth@verifier.port25.com ?
It will bounce back a report to your account for diagnostics that you can share here ?

Kind regards.
Sébastien Riccio System & Network Admin https://swisscenter.com
S Settels Replied
Hi Sébastien,

thanks for your quick reply. The only issue is de DKIM check, might this be the cause of the problems? I thought this check was optional? I have also a bank that rejects my messages...

Thanks for your reply


This message is an automatic response from Port25's authentication verifier service at verifier.port25.com.  The service allows email senders to perform a simple check of various sender authentication mechanisms.  It is provided free of charge, in the hope that it is useful to the email community.  While it is not officially supported, we welcome any feedback you may have at <verifier-feedback@port25.com>.
Thank you for using the verifier,
The Port25 Solutions, Inc. team
Summary of Results
SPF check:          pass
"iprev" check:      pass
DKIM check:         permerror
HELO hostname:  mail.actilus.com
Source IP:
mail-from:      serge@settels.com
SPF check details:
Result:         pass
DNS record(s):
    settels.com. 300 IN TXT "MS=ms75982630"
    settels.com. 300 IN TXT "v=spf1 mx include:actilus.nl include:actilus.com ip4: ~all"
    settels.com. 300 IN MX 10 mail.settels.com.
    mail.settels.com. 300 IN A
"iprev" check details:
Result:         pass (matches 84-247-10-228.colo.transip.net)
ID(s) verified: policy.iprev=
DNS record(s): 300 IN PTR 84-247-10-228.colo.transip.net.
    84-247-10-228.colo.transip.net. 300 IN A
DKIM check details:
Result:         permerror (no usable key records)
ID(s) verified:
Canonicalized Headers:
Canonicalized Body:
DNS record(s):
    actilus.com._domainkey.settels.com. TXT (no records)
NOTE: DKIM checking has been performed based on the latest DKIM specs (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for older versions.  If you are using Port25's PowerMTA, you need to use version 3.2r11 or later to get a compatible version of DKIM.
Explanation of the possible results (based on RFCs 7601, 7208) ==============================================================
DKIM Results
none:  The message was not signed.
pass:  The message was signed, the signature or signatures were
    acceptable to the ADMD, and the signature(s) passed verification
fail:  The message was signed and the signature or signatures were
    acceptable to the ADMD, but they failed the verification test(s).
policy:  The message was signed, but some aspect of the signature or
    signatures was not acceptable to the ADMD.
neutral:  The message was signed, but the signature or signatures
    contained syntax errors or were not otherwise able to be
    processed.  This result is also used for other failures not
    covered elsewhere in this list.
temperror:  The message could not be verified due to some error that
    is likely transient in nature, such as a temporary inability to
    retrieve a public key.  A later attempt may produce a final
permerror:  The message could not be verified due to some error that
    is unrecoverable, such as a required header field being absent.  A
    later attempt is unlikely to produce a final result.
SPF Results
none:  Either (a) no syntactically valid DNS domain name was extracted from
    the SMTP session that could be used as the one to be authorized, or
    (b) no SPF records were retrieved from the DNS.
neutral:  The ADMD has explicitly stated that it is not asserting whether
    the IP address is authorized.
pass:  An explicit statement that the client is authorized to inject mail
    with the given identity.
fail:  An explicit statement that the client is not authorized to use the
    domain in the given identity.
softfail:  A weak statement by the publishing ADMD that the host is probably
    not authorized.  It has not published a stronger, more definitive policy
    that results in a "fail".
temperror:  The SPF verifier encountered a transient (generally DNS) error
    while performing the check.  A later retry may succeed without further
    DNS operator action.
permerror: The domain's published records could not be correctly interpreted.
    This signals an error condition that definitely requires DNS operator
    intervention to be resolved.
"iprev" Results
pass:  The DNS evaluation succeeded, i.e., the "reverse" and
    "forward" lookup results were returned and were in agreement.
fail:  The DNS evaluation failed.  In particular, the "reverse" and
    "forward" lookups each produced results, but they were not in
    agreement, or the "forward" query completed but produced no
    result, e.g., a DNS RCODE of 3, commonly known as NXDOMAIN, or an
    RCODE of 0 (NOERROR) in a reply containing no answers, was
temperror:  The DNS evaluation could not be completed due to some
    error that is likely transient in nature, such as a temporary DNS
    error, e.g., a DNS RCODE of 2, commonly known as SERVFAIL, or
    other error condition resulted.  A later attempt may produce a
    final result.
permerror:  The DNS evaluation could not be completed because no PTR
    data are published for the connecting IP address, e.g., a DNS
    RCODE of 3, commonly known as NXDOMAIN, or an RCODE of 0 (NOERROR)
    in a reply containing no answers, was returned.  This prevented
    completion of the evaluation.  A later attempt is unlikely to
    produce a final result.
Original Email
Return-Path: <serge@settels.com>
Received: from mail.actilus.com ( by verifier.port25.com id h3h42c2p2tol for <check-auth@verifier.port25.com>; Thu, 4 Feb 2021 19:16:54 +0000 (envelope-from <serge@settels.com>)
Authentication-Results: verifier.port25.com; spf=pass  smtp.mailfrom=serge@settels.com;  iprev=pass (matches 84-247-10-228.colo.transip.net)  policy.iprev=;  dkim=permerror reason="no usable key records"  
X-SmarterMail-Authenticated-As: serge@settels.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=settels.com; s=actilus.com;
Received: from [] (84-104-144-243.cable.dynamic.v4.ziggo.nl []) by mail.actilus.com with SMTP
              cipher=Aes256 bits=256);
   Thu, 4 Feb 2021 20:16:43 +0100
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Serge Settels <serge@settels.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 4 Feb 2021 20:16:42 +0100
Subject: Test
X-Mailer: iPhone Mail (18C66)
X-Exim-Id: C394B821-C827-4125-BD66-308AD4811E86
Sébastien Riccio Replied

Okay I would say I see two possible issues here:

1) Your mail server IP has a reverse DNS that doesn't match the server HELO and MX record.
You should change it from 84-247-10-228.colo.transip.net to mail.actilus.com. Probably your hoster/ISP have an option to change this.

Also the MX for settels.com is mail.settels.com. I would suggest to change it to the main name of your mail server which is mail.actilus.com I guess.

2) You seems to have DKIM enabled in SmarterMail because the mail is signed but you don't publish the DKIM record in the sender domain.

Two possibilities here, disable DKIM or set the DNS record in your domain. For better deliverability I would suggest you to add the corresponding DKIM record to your domain.

Also I would suggest you to add to your DNS a TXT record:

  with the value

v=DMARC1; p=none; sp=none; rua=mailto:dmarc@settels.com; ruf=mailto:dmarc@settels.com;
dmarc@settels.com should be a mailbox where you can receive dmarc reports about received mails originating from the domain that failed the auth verifications.

Dmarc is an additional mechanism that requires SPF and DKIM.

This should help a bit increasing the deliverability of the domain mails.
Sébastien Riccio System & Network Admin https://swisscenter.com
S Settels Replied
Dear Sébastien,
thank you for your recommendations. I have implemented most of them, the DKIM check is passed. Only the DNS name I cannot change (without support). The ipref check says it is OK so hopefully it is sufficient, otherwise I will have to change more. I have asked the customer to test the new settings.
Kind regards
Sébastien Riccio Replied
Hello. Okay, but I would still go ahead with changing the iprev because having matching increases the chance do be delivered.

They especially don't like when the reverse looks like just the ip address with a domain name as usually it's the style used for reverse DNS gy ISPs for home links.

There are several pattern matching that detects this and lower the core of your mail.
Sébastien Riccio System & Network Admin https://swisscenter.com
Sébastien Riccio Replied
(click on SMTP test)
For example this check is showing a warning about the reverse name mismatch.
Also it shows you did not enable TLS on your SMTP ports. You should enable it (and also for outgoing mails).

This checker shows another issue: The DNS checker uses too much includes and it generates too much DNS queries to verify it. So some receiver will skip your SPF record and can assume it as failed.

More info about this here:

After fixing all this you should be in the best conditions to deliver mails
Sébastien Riccio System & Network Admin https://swisscenter.com
S Settels Replied
Dear Sébastien,
thanks again, today I have used your links to optimize my TLS settings and the SPF issue! You have tought me a lot!
Kind regards
Sébastien Riccio Replied
Thanks for the feedback. Happy to help :)

Kind regards
Sébastien Riccio System & Network Admin https://swisscenter.com

Reply to Thread