0

I work for a German company that sends several thousand emails to our customers every day. Our employees send their emails via Microsoft 365, but the system does not use a mail server and sends emails via PHP sendmail, so many of our emails end up in the spam folder of our customers. My question is how do we set up our own mail server and configure it in such a way that the risk of ending up on a block list is low. rDNS, SPF, DKIM, SSL?

Is configuring these things sufficient or are there other requirements? Unfortunately I could not find an exact "list" of requirements.

2
  • Hi, you are bound to your IP reputation and DNS configuration (SPF record, etc.) in such a scenario; trust is not easily buildable. It's a long-term goal. Some products exist that can manage your email distribution, but I often think it's homemade software that, I guess, puts more restrictions in place, like not sending all the mail to the same host at once, for example, a kind of config out of scope of a normal mail server.
    – yagmoth555
    Commented Mar 6, 2023 at 18:21
  • If you do not have the volume to have every recipient track your past performance, you can buy into the past record of someone else. Combating spam scales so well with volume, your best shot may well be not doing much locally at all, and instead opting to have your mail relayed through some commercial service that not only assists you in local configuration, but also makes sure to respond to complaints and to disable abusive/abused accounts with such reliability that recipients can trust that almost everything relayed through them is good.
    – anx
    Commented Mar 6, 2023 at 22:01

1 Answer

2

Unfortunately I could not find an exact "list" of requirements.

We have this older canonical question, but for the limited application of customers with some connection to Germany, you may find the union of these 3 lists more helpful. Many other mail recipients in the DACH area apply equivalent rulesets:

If you are sending significant volume to any of these providers, I bet you have received SMTP-stage refusals or abuse complaints before. Read them, they will likely point to the key issues (you are acting on everything sent to your postmaster and abuse mailbox, right?).

Short summary:

  1. don't send malformed messages, don't run broken/unmaintained software
  2. repeated mailings must include a way to make them stop
  3. make abundantly & unambiguously clear who is sending, whois/rDNS/website/headers/names, whatever someone checks must to the extent possible name the responsible entity
  4. do not, ever, send stuff that customers did not explicitly & knowingly agree to receive
  5. for new deployments, just consider DMARC & TLS a minimum requirement

You can mostly forget about block lists, they are a last-resort measure. While they sometimes appear where you failed to implement point 3, they generally rarely target you, specifically. And if someone does add you, specifically, you have failed at a procedural level (such as repeatedly messaging long-invalid addresses of past customers), nothing mail server setup alone can help you with.
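As an added example (not part of the answer above or of any tool it mentions), here is a small offline lint for the DNS items raised in this thread: SPF, DMARC and forward-confirmed rDNS. The function names, example.com, example.net and 192.0.2.25 are constructed for illustration; the records are passed in as strings you have already fetched.

```python
import re

# SPF terms that cost a DNS lookup when evaluated
LOOKUP = re.compile(r"[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)

def audit_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT records (strings already joined)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return ["expected exactly one SPF record, found %d" % len(spf)]
    terms = spf[0].split()[1:]
    findings = []
    alls = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not alls and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("SPF has no 'all' mechanism or redirect")
    elif alls and alls[-1][0] not in "-~":
        findings.append("SPF 'all' is not -all or ~all, so unlisted hosts are not rejected")
    # Top-level terms only; lookups inside included records count too (limit is 10).
    if sum(1 for t in terms if LOOKUP.match(t)) > 10:
        findings.append("SPF exceeds 10 DNS-lookup terms")
    return findings

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["expected exactly one DMARC record, found %d" % len(recs)]
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in recs[0].split(";")) if v}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    elif policy == "none":
        findings.append("DMARC p=none only monitors, it does not ask receivers to act")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address for aggregate reports")
    return findings

def audit_fcrdns(ip, ptr_names, forward):
    """ptr_names: PTR answers for ip; forward: hostname -> its A/AAAA addresses."""
    if not ptr_names:
        return ["no PTR record for %s" % ip]
    if not any(ip in forward.get(n.rstrip(".").lower(), []) for n in ptr_names):
        return ["PTR name for %s does not resolve back to it" % ip]
    return []

if __name__ == "__main__":  # constructed sample records, not real data
    print(audit_spf(["v=spf1 ip4:192.0.2.25 +all"]))
    print(audit_dmarc(["v=DMARC1; p=none"]))
```

An empty list from all three functions means the basics are in place; it says nothing about DKIM signing, list-unsubscribe handling or consent, which the summary above also requires.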
