How can I have more control over the delivery of mails sent from applications on Dropsolid Experience Platform
Configuring your domain to send out mails only from servers and services you want to, can be a fairly complex task.
A misconfiguration can result in mails falsely being marked as spam.
Therefore it's good practice to get this configured correctly.
Changing policies of Gmail and Yahoo may impact using the general service
If you are using a non-Dropsolid service (e.g. Mailchimp, Zoho, Hubspot, ...) that is sending more than 5000 mails / day from the same primary domain to Gmail or Yahoo addresses, you are seen as a bulk sender.
As of 01/02/2024, Yahoo and Gmail take extra spam protection measures. This results on extra requirements that need to be taken into account for bulk sender domains:
- SPF, DKIM and DMARC configuration, with alignment of either SPF or DKIM with the
From:
header - easy-unsubscribe support
- valid forward and reverse DNS record for sending IPs
- complicany with RFCs 5321 and 5322
Our general mail service is not meant to be used for such e-mails (we have our dedicated Marketing Automation product for that), so mails sent from a domain hosted on our platform are normally not affected.
However, those requirements indirectly also apply to mails sent from our infrastructure if you're sending from the same primary domain in a website hosted on our Platform.
In this scenario you can't make use of our general mail service, as it doesn't cover providing domain specific alignment of DKIM or SPF.
Below we provide answers to some common questions:
My primary domain is marked as bulk sender. Can I use subdomains as workaround?
Unfortuately, no.
A bulk sender is any email sender that sends close to 5000 messages or more to Yahoo or Google each within a 24-hour period. Messages sent from the same primary domain count toward the 5000 limit.
example: within a 24-hour period, you send emails to personal Gmail accounts:
- 2500 messages from
mydomain.com
using Mailchimp; - 2400 messages from
support.mydomain.com
using Zendesk; - 100 messages from
webforms.mydomain.com
using a webform on your website hosted on our Platform.
You’re considered a bulk sender because all 5000 messages were sent from the same primary domain: mydomain.com
.
See also the Email sender guidelines FAQ from Google
My domain is marked as a bulk sender, when does that status expire?
This status doesn't expire.
Email senders that have been classified as bulk senders are permanently classified as such. Changes in email sending practices will not affect permanent bulk sender status once it’s assigned.
See also the Email sender guidelines FAQ from Google
Depending on the level of security you want to achieve for mails sent from your domains, Dropsolid can offer one of the solutions / integrations below:
- basic: use the Dropsolid general mail service
- advanced: use the Dropsolid dedicated mail service
- self control: Use your own mail service
Some recommendations:
- Check your spam rates by subscribing to Google Postmaster Tools.
- If you have DMARC configured for your domains, we strongly recommend to have a complete and correct DKIM setup too.
This is recommended to prevent issues with mail hosts that have a very strict interpretation of the DMARC configuration.
Possible solutions¶
Dropsolid general mail service¶
Dropsolid Experience Platform provides a general mail service for all projects hosted on the Platform.
This service is included in the hosting subscription and has a FUP (Fair use Policy) regarding the number of mails sent from your domain(s).
It is meant to be used for transactional emails like standard contact form flow, it is not meant to be used for bulk e-mails or sending out 100's of mails per day.
This setup uses a dedicated IP address used for all projects hosted on the Platform.
This way we have more control over the reputation and the mail delivery.
Dropsolid monitors this mail service to ensure it's health.
With the general mail service you should configure the SPF record of your domains, to improve the deliverability of mails sent from your domain(s) via Dropsolid Experience Platform.
With the general mail service it is not possible to add DKIM validation for your domain(s).
You can use our dedicated mail service or your own service if you want DKIM authorization, see below.
What do I need to configure?¶
My domain is managed by Dropsolid
If your domain is managed by Dropsolid, we will add the SPF record for you.
No actions are required on your end.
SPF record¶
There is no SPF record yet
Add following TXT record to the DNS records of your domain names.
v=spf1 include:_spf.dropsolid.com ~all
There is already an SPF record for my domain name
Change the existing TXT record to contain following part
include:_spf.dropsolid.com
For example, if your record looks like this:
v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com ~all
You would just need to add our lookup at the end of the string, before
the ~all
mechanism, like so:
v=spf1 a mx include:_spf.google.com include:spf.protection.outlook.com include:_spf.dropsolid.com ~all
You don't want to include another hostname lookup? (not recommended)
If you would rather not include Dropsolid's SPF hostname lookup in your record, or perhaps you just have too many already, you can also choose to give permission to a specific IP address to send mail for your domain.
This is accomplished using the ip4 mechanism.
instead of adding following snippet
include:_spf.dropsolid.com
add
ip4:167.89.47.88
be aware that this is not recommended, as the IP addresses used for our general mail service may change over time.
Always check the SPF end result to ensure a non-broken state
SPF has some (security) limitations, like the number of DNS lookups.
Section 10.1, "Processing Limits" of the SPF RFC specifies the following in regards to DNS lookups:
SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check, including any lookups caused by the use of the "include" mechanism or the "redirect" modifier.
If this number is exceeded during a check, a PermError MUST be returned. The "include", "a", "mx", "ptr", and "exists" mechanisms as well as the "redirect" modifier do count against this limit.
The "all", "ip4", and "ip6" mechanisms do not require DNS lookups and therefore do not count against this limit. The "exp" modifier does not count against this limit because the DNS lookup to fetch the explanation string occurs after the SPF record has been evaluated.
Therefore it's recommended to always check the end result with online tools like MX toolbox or Kitterman SPF validator.
Dropsolid dedicated mail service¶
If you require a more advanced setup with DKIM and DMARC authentication and validation or need to send larger volumes, but don't want to configure and maintain it yourself, than a dedicated mail service can help you.
This service provides:
- Fully managed and maintained by Dropsolid
- Dedicated IP address only used for your application(s) and domain(s)
- DKIM validation of the domain names of your application
- 30 days retention of mail logs
What do I need to do?¶
Please get in contact with your contact person at Dropsolid, or get in contact via support@dropsolid.com.
They will guide you through the next steps and how to proceed.
My own mail service¶
You already have a mail service configured following the needs and requirements of your company? No problem.
Applications hosted on Dropsolid Experience Platform can connect to your own mail service.
What do I need to do?¶
Please get in contact with your contact person at Dropsolid, or get in contact via support@dropsolid.com.
They will guide you through the next steps and how to proceed.
Terminology and background info¶
SPF¶
The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish authorized mail servers.
DKIM¶
DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
DMARC¶
DMARC (Domain-based Message Authentication Reporting and Conformance) is an email validation system designed to protect your company’s email domain from being used for email spoofing, phishing scams and other cybercrimes. DMARC leverages the existing email authentication techniques SPF and DKIM.
For more information on DMARC, check out dmarc.org
3rd Party Tools¶
These are some tools that might be useful to you. We do not own or support these tools, so use them at your own risk. However, we hope that they are helpful.
Record Flattening¶
There is an experimental tool called the dmarcian SPF Record Flattener, which should be considered experimental. From their site: "[this tool] rewrites this record by removing duplicate netblocks, collapsing any overlapping netblocks, and using 0 DNS-querying mechanisms/modifiers."
If you choose to use this functionality, we suggest that you test it extensively to make sure that your customers will receive your emails and their servers can look up your records properly.
SPF Wizard¶
The SPF Wizard is a browser based SPF record generation tool. Fill out the form and the site generates an SPF record for you.
Easy DMARC tools¶
Easy DMARC provides some tools to check your SPF, DKIM and DMARC setup.