Do emails go to Gmail and Yahoo spam despite DKIM, SPF, DMARC, PTR?

Alexander Kolobov2013-04-18 13:22:50

Mail server

Alexander Kolobov, 2013-04-18 13:22:50

Others, I despaired.
Actually, the problem is that ordinary letters (not mass mailing, but just letters to activate the account and confirm the user's mail) go to spam on Gmail, Yahoo and Hotmail. Next, I will describe in more detail what I have already done and checked:
yandex.ru, mail.ru, rambler.ru receives my letters in the inbox without any problems
My soap server:
ip: 94.242.7.157
host: mail.da.am (if you contact 80 the port will send a 404 page - xs good or bad, I can change)
listens only to localhost: 25 (does not accept external connections, because it is only needed for sending)
The Spamhaus database is fine www.spamhaus.org/query/ip/94.242.7.157
(deleted ip from spamhaus PBL two weeks ago - the IP got there a long time ago due to the fact that once the server was lit up without external authorization, now everything is fine with this)
Another 46 blacklists are in order mxtoolbox.com/SuperTool.aspx?action=blacklist% 3a94...
PTR record seems to be ok - points to server host
DKIM record is marked as 'pass' by google and yahoo
SPF record is marked as 'pass' by google and yahoo
DMARC record is marked as 'pass' by google and yahoo (this record for receiving reports on the two records described above, reports are positive)
Yahoo, for reasons unknown to me, marks my letters with the header X-YahooFilteredBulk: 94.242.7.157
Now I am slowly communicating with their tp about this, so far without results.
In the logs of my server (Postfix) everything is decorous and noble, no error messages.
Here is the content of my email copied from Google (the email does not contain spam text according to all online tests that I found):

Received-SPF: pass (google.com: domain of [email protected] designates 94.242.7.157 as permitted sender) client-ip=94.242.7.157;
To: [email protected]
Subject: =?UTF-8?B?0J/QvtC00YLQstC10YDQtNC40YLQtSwg0L/QvtC20LDQu9GD0LnRgdGC0LAs?=
 =?UTF-8?B?INCw0LTRgNC10YEg0Y3Qu9C10LrRgtGA0L7QvdC90YvQuSDQv9C+0YfRgtGL?=
 =?UTF-8?B?INC00LvRjyDQstCw0YjQtdCz0L4g0LDQutC60LDRg9C90YLQsA==?=
MIME-Version: 1.0
Reply-To: =?UTF-8?B?0J/QvtC00LTQtdGA0LbQutCwIEJhbm5lcmQucnU=?= &lt;[email protected]&gt;
Return-Receipt-To: &lt;[email protected]&gt;
From: =?UTF-8?B?0KDQvtCx0L7Rgi3Qv9C+0YfRgtCw0LvRjNC+0L0gQmFubmVyZC5ydQ==?= &lt;[email protected]&gt;
Content-Type: text/plain; charset=«UTF-8»
Content-Transfer-Encoding: base64
Message-Id: &lt;[email protected]&gt;
Date: Wed, 17 Apr 2013 20:25:41 +0400 (MSK)

0KPQstCw0LbQsNC10LzRi9C5INCy0LXQsdC80LDRgdGC0LXRgCwNCg0K0JLRiyDQstCy0LXQu9C4
INCw0LTRgNC10YEg0Y3Qu9C10LrRgtGA0L7QvdC90L7QuSDQv9C+0YfRgtGLIGFAZGEuYW0g0LIg
0LrQsNGH0LXRgdGC0LLQtSDQu9C+0LPQuNC90LAg0LTQu9GPINCS0LDRiNC10Lkg0YPRh9C10YLQ
vdC+0Lkg0LfQsNC/0LjRgdC4INCyINGB0LjRgdGC0LXQvNC1IEJhbm5lcmQuDQrQoSDRhtC10LvR
jNGOINC30LDQstC10YDRiNC10L3QuNGPINC/0YDQvtGG0LXRgdGB0LAg0L3QsNC8INC90YPQttC9
0L4g0L/QvtC00YLQstC10YDQtNC40YLRjCwg0YfRgtC+INC00LDQvdC90YvQuSDQsNC00YDQtdGB
INC/0YDQuNC90LDQtNC70LXQttC40YIg0JLQsNC8LiDQlNC70Y8g0Y3RgtC+0LPQviDQv9GA0L7Q
udC00LjRgtC1INC/0L4NCtC90LjQttC10L/RgNC40LLQtdC00LXQvdC90L7QuSDRgdGB0YvQu9C6
0LUg0Lgg0LLQvtC50LTQuNGC0LUg0LIg0YHQuNGB0YLQtdC80YMsINC40YHQv9C+0LvRjNC30YPR
jyDRgdCy0L7QuSDQsNC00YDQtdGBINGN0LvQtdC60YLRgNC+0L3QvdC+0Lkg0L/QvtGH0YLRiyDQ
uCDQv9Cw0YDQvtC70YwuDQoNCtCf0L7QtNGC0LLQtdGA0LTQuNGC0Ywg0YHQtdC50YfQsNGBOiBo
dHRwOi8vYmFubmVyZC5ydS9hY2NvdW50L2FqYXg/dHlwZT1jb25maXJtJmNvZGU9YWYzMzljOWQ2
YzU3OTU1YmIyMTY1OTI1ZDhjZjE4ODYNCg0K0J/QvtGH0LXQvNGDINCS0Ysg0L/QvtC70YPRh9C4
0LvQuCDRjdGC0L4g0L/QuNGB0YzQvNC+Pw0K0J7QvdC+INC+0YLQv9GA0LDQstC70Y/QtdGC0YHR
jyDQsNCy0YLQvtC80LDRgtC40YfQtdGB0LrQuCwg0LrQvtCz0LTQsCDQutGC0L4t0LvQuNCx0L4g
0YHQvtC30LTQsNC10YIg0L3QvtCy0YPRjiDRg9GH0LXRgtC90YPRjiDQt9Cw0L/QuNGB0Ywg0LIg
0YHQuNGB0YLQtdC80LUgQmFubmVyZC4g0JXRgdC70Lgg0JLRiyDRjdGC0L7Qs9C+DQrQvdC1INC0
0LXQu9Cw0LvQuCwg0JLQsNC8INC90LUg0L4g0YfQtdC8INCx0LXRgdC/0L7QutC+0LjRgtGM0YHR
jy4g0JLQsNGIINCw0LTRgNC10YEg0Y3Qu9C10LrRgtGA0L7QvdC90L7QuSDQv9C+0YfRgtGLINC9
0LXQstC+0LfQvNC+0LbQvdC+INC40YHQv9C+0LvRjNC30L7QstCw0YLRjCDQsiDQutCw0YfQtdGB
0YLQstC1INC70L7Qs9C40L3QsA0K0LIg0YHQuNGB0YLQtdC80LUgQmFubmVyZCDQsdC10Lcg0JLQ
sNGI0LXQs9C+INC/0L7QtNGC0LLQtdGA0LbQtNC10L3QuNGPLg0KDQrQoSDRg9Cy0LDQttC10L3Q
uNC10LwsDQrQoNC+0LHQvtGCLdC/0L7Rh9GC0LDQu9GM0L7QvSBCYW5uZXJkLnJ1

Here is the decrypted body of the letter, it will come in handy:

Dear webmaster,
you have entered [email protected] email address as a login for your Bannerd account.
In order to complete the process, we need to confirm that this address belongs to you. To do this, follow
the link below and log in using your email address and password.
Confirm now: bannerd.ru/account/ajax?type=confirm&code=af339c9d...
Why did you receive this email?
It is sent automatically when someone creates a new account on the Bannerd system. If you have
n't done this, you have nothing to worry about. Your email address cannot be used as a login
in the Bannerd system without your confirmation.
Sincerely,
Postman Robot Bannerd.ru

Answer the question

In order to leave comments, you need to log in

12 answer(s)

Maximus43, 2013-04-18
@Maximus43

I can only assume that 94.242.7.157 resolves as mail.da.am, and letters come from bannerd.ru. Although this is the same IP, the reverse DNS is also taken into account. Write the reverse zone for 94.242.7.157 as bannerd.ru and look at the result.

shadowalone, 2013-04-18
@shadowalone

>only listens to localhost:25
some soapboxes check the availability of the sending host on port 25, so it's better to open it from the outside, just don't accept emails.

shadowalone, 2013-04-18
@shadowalone

in
/etc/postfix/main.cf
add the required interface
inet_interfaces = 127.0.0.1, XXXX
mynetworks = 127.0.0.0/8, [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
and restart

schastny, 2014-07-15
@schastny

I'll post here too. We struggled with a similar problem for a long time, as a result, they turned off IPv6 on the VPS in Hetzner, where the mail server was located. Corrected SPF, throwing out IPv6 from there. And immediately everything became normal.

HAbRAhabp, 2016-06-07
@HAbRAhabp

This tester helped me , maybe it will help you. I have more problems with Yandex

Alukardd, 2013-04-18
@Alukardd

And what is this strange SPF record you have?)

"v=spf1 include:_spf.google.com ~all"

should be like this:

"v=spf1 ip4:94.242.7.157 -all"

-all or ~all optional. I prefer the strict form.

vosi, 2013-04-18
@vosi

Try Precedence: bulk

CrazyOne, 2013-05-17
@CrazyOne

Do you send emails to your inbox during testing? If yes, then after several identical messages, the next ones will automatically (for your account) fall into spam. All other accounts should be fine.
In short, send a notification to a soap that has not yet received messages from you and if everything is in order, then ... everything is in order :)

bumbay, 2014-05-05
@bumbay

I ship via AmazonSES.

Dmitry Sonko, 2015-12-18
@SonkoDmitry

Completely the same problem. The mail server from Yandex, everything is set up, neither the domain nor the SP was shown anywhere in the databases, but all letters are neatly classified as spam. You mark it as not spam, they start to get into the inbox, but with a red box that the sender can be hacked, the letter is fraudulent, etc., etc.

sensor-major, 2016-03-18
@sensor-major

Similar problem.
configured SPF and DKIM
I have 2 domains. kerio mail server.
But all the same mail gets to Google in spam. There are no such problems with other hosts.
I just don't know what to do.
can someone suggest something? Spam email example.
Delivered-To: [email protected]
Received: by 10.13.204.200 with SMTP id o191csp1048786ywd;
Fri, 18 Mar 2016 07:01:09 -0700 (PDT)
X-Received: by 10.194.179.227 with SMTP id dj3mr16220469wjc.50.1458309669761;
Fri, 18 Mar 2016 07:01:09 -0700 (PDT)
Return-Path:
Received: from newlinetechnologies.net (ip211.ip-149-202-114.eu. [149.202.114.211])
by mx.google.com with ESMTPS id z193si16925312wme.98.2016.03.18.07.01.09
for
(version=TLS1_1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Fri, 18 Mar 2016 07:01:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 149.202.114.211 as permitted sender) client-ip=149.202.114.211;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 149.202.114.211 as permitted sender) [email protected];
dkim=pass [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
d=newline.tech; s=mail;
h=from:subject:date:message-id:to:mime-version:content-type:
content-transfer-encoding;
bh=L8fWhzi07ejpn2MquB3t6fD12h8d8ImmkNGjFNiS2MM=;
DOSD1liViBZVP0OP0kBvnSuWuR64e5XmhZM26A = b / + yugEv4z7SMiLO07OxpvE nV4D3nVw / zYMv0eMp
KarHDIYkqctVtPT4 / AQrL7GuQxO1ucCWM59rpieoi1VYOBtyKA6u99op859clVuaOx6gukfjJ01Rqx
BCjp1tYaHii4SSPubCRdwg1TvqMnuI5FT4qoJSvkhpkgyJixjImCD0fHVt75Wq956eYztYBUnCN7Kq 2EfvQgdM82ys9PFguoEu
haXojtUvuBIXGt4LzOEjmsZ4 + / + M5iiaa6ItcQi mgvyw + PN8wRdr13kfgO
Ib67MHF4AIl0htl2Gk0aGdbs / GLbz4g ==
X-Footer: bmV3bGluZS50ZWNo
Received: from [127.0.0.1] ([91.222.248.51])
(authenticated user [email protected])
by newlinetechnologies.net
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits))
for [email protected];
Fri, 18 Mar 2016 16:01:07 +0200
To: [email protected] From
: "newline.tech " B?0LvQtdC80Ysg0YHQviDRgdC/0LDQvNC+0Lw=?= Message-ID: <[email protected]> Date: Fri, 18 Mar 2016 16:01:10 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64 ; rv:38.0) Gecko/20100101 Thunderbird/38.7.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-Antivirus: avast! (VPS 160317-2, 03/17/2016), Outbound message X-Antivirus-Status: Clean

gre, 2016-05-24
@gre

>> Received: from newlinetechnologies.net (ip211.ip-149-202-114.eu. [149.202.114.211])
And who will register the writeback?
>>From: "newline.tech" Is the
correct From ?
dns did not look, first fix the two points above.