PHP send mail with Gmail and SPF record handling - php

I use the Swiftmailer lib to send mail in php, such as:
$transporter = Swift_SmtpTransport::newInstance('smtp.gmail.com', 587, 'tls')
->setAuthMode('login')
->setUsername('username@gmail.com')
->setPassword('password');
$mailer = Swift_Mailer::newInstance($transporter);
I use Gmail Workplace and am trying to understand and set up SPF at my web host (not Google). Should I set up a Gmail SPF or an SPF for my own IP address to avoid having mails sent via PHP on my server, but with Gmail SMTP, marked as spam?

You're already authenticating with credentials against smtp.gmail.com, so your own IP address is irrelevant for SPF configuration. SPF is checked by receiving servers, where the IP address of the connecting server (Google) is checked against the SPF list in the domain found in the Return-Path header.
Google is then relaying your message to its destination recipient(s) on your behalf. Thus Google's IP should be in the SPF record for the domain you use in the Return-Path header (a.k.a. bounce address or smtp.mailfrom).
So, to answer your question: For the domain you use to send email from (as the Return-Path address), you should include the gmail servers as authorized hosts. Assuming you don't use any other services, that SPF record would look like:
"v=spf1 include:_spf.google.com ~all", as described in this Google support article.
And as per Jake's comment, indeed you should consider implementing DKIM and DMARC as well, because relying on SPF alone for protection against spoofing is not sufficient and is not resilient against email forwarding. The same documentation, a few levels up, lists all required actions to accomplish that.
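The check described in the answer above, as an added Python example that is not part of the original post: a small SPF evaluator run against a constructed DNS table. The domain example.org, the contents given for _spf.google.com, the webhost-only.example record and all address ranges (RFC 5737 documentation blocks) are assumptions made up for the demonstration, not real records.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. All ranges are RFC 5737
# documentation blocks, not the real contents of any provider's record.
TXT = {
    "example.org": "v=spf1 include:_spf.google.com ~all",   # record from the answer
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",      # assumed relay range
    "webhost-only.example": "v=spf1 ip4:203.0.113.7 -all",  # lists only the web host
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF record for the connecting address ip.

    Handles ip4, ip6, include and all; any other term gives permerror here.
    """
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "pass":  # only a pass inside the include counts as a match
                return RESULTS[qualifier]
        else:
            return "permerror"
    return "neutral"  # no term matched and no "all" present


def spf_for_message(connecting_ip, return_path):
    """SPF is keyed on the Return-Path (envelope sender) domain."""
    return check_host(connecting_ip, return_path.rsplit("@", 1)[1])
```

With mail relayed through the provider, the receiving server sees the relay's address (192.0.2.25 here), so the record that includes the relay passes and a record listing only the web host's own IP fails.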

Related

PHP Mail SPF failure

We have a problem using PHP mail on a shared hosting server on 1and1.com
We use SPF entries in our TXT DNS settings which include the email servers we use and also confirm that outgoing emails are sent from our domain email addresses.
The scenario is: We have a button feature that allows site users to send a personal email from their email address to a client email address.
The problem is: These emails either bounce or end up in SPAM because they do not pass the SPF test.
Although I realize that we can solve the problem with a dedicated server, I was hoping someone had a solution or a way that we could solve the problem and still remain on shared hosting.
Thanks!

Sending email from a web server if it's hosted on another server

I am in the process of having a web app built. And it will link into other people's websites.
Its purpose is to be a login to a portal which will manage their customers and data.
My app will at some point send an email to their customers acting upon the client's interest.
My concern is that we won't be hosting our clients emails.
So my question is can I get my web server web app to email the customers of my clients using their email domain name?
I think all I would need is the mail server and email account details.
I think I'll be using phpemailer unless anyone can recommend anything else? Is it even possible?
I'm just looking for answers or documentation to help me set up and configure, if anyone knows of any.
Thanks in advance
As Barmar says, if your clients include your server's address in their SPF records (and only use SPF for protection) then your mail server can send messages with a from address with the client's domain.
However, there is another scheme, DKIM, which requires a private key issued by the client. To confuse things further, there is a scheme combining DKIM and SPF called DMARC.
Multiplexing the schemes and client keys via your own MTA is a formidably complex task. While @Barmar usually gives good advice, in this case I think a recommendation to simply ask the clients to include your domain in their SPF is not the best approach.
There are a lot of different choices:
a link back to the client's MTA (for clients who operate their own MX) which would need to support SMTPS and SMTP authentication. Possibly even VPN support
the spf based model (for those not using DMARC or DKIM)
sending emails from your MTA but with a masqueraded text part in the email address, e.g.
From: "a_user@yourclient.com" <a_user_yourclient@yourdomain.com>
...but with a Reply-to header pointing to the client's address, although this may impact your IPR
just use the client's email as the from address for those without any protection scheme
It would be straightforward to handle the initial routing of the email within your application's code, but you are going to need developers who really understand how email works in practice.
I would recommend you to use Mailgun... Mailgun is simple to implement, you can send 10000 emails for free every month (see below) and you can send emails on behalf of clients' domains. You need to add new domains to your Mailgun account and verify them as described in the documentation (see below).
Official SDK for php
https://github.com/mailgun/mailgun-php
Domain verification documentation https://documentation.mailgun.com/en/latest/quickstart-sending.html#verify-your-domain
Pricing plan if you need to send more than 10k per month:
https://www.mailgun.com/pricing
Here are some options:
If your client provides you with an account in their email environment, then you can send using those credentials. Assuming your client has a properly configured mail environment (SPF and/or DKIM and/or DMARC), then everything should be good.
You can send from your email server directly, but your client's SPF records should include your server's IP address(es) if you don't want the email to go to spam. (Though it's possible the email will not go to spam depending on a lot of voodoo related to spam filtering and IP reputation)
You could have your client set up a DKIM DNS entry with a public key that you generate. Then you could have your server sign the message using DKIM and send it on behalf of the client.

Domain's email account with phpMailer and Gmail

Two scenarios:
I recently downloaded the phpMailer and added it to my public_html folder.
I add my domain's email accounts to my gmail account.
Two problems:
When sending emails (domain's email account) using phpMailer and Gmail, and when the recipient received it, the red question mark is appearing instead of the Gmail's default profile photo.
What do I need to do to solve this? I searched about in phpMailer that I need some DKIM and SPF keys or something.
Your message is not authenticated; you must set an SPF configuration. This is a TXT record on your domain (envelope). For example, "v=spf1 ip4:204.200.197.197 -all" means the IP 204.200.197.197 is allowed to send mails over your domain.
More information on the Gmail red question mark:
https://support.google.com/mail/answer/180707?vid=0-1292648286207-1480402255906&hl=en
More information on SPF records:
http://www.openspf.org/FAQ/Examples

Why php mail() function does not require any authentication?

I am working on a project and I have to send mails. I noticed that it was possible to set "From" to any email address without any kind of authentication (like a password). Why is that possible and is this not a lack of security?
Sending a mail from my private domain as the "Sender" was possible and this mail was not marked as spam by the client.
Is it possible to prevent sending mails from the domain?
Yes, email headers can be @microsoft.com for example, but Microsoft must have an SPF record on it, to indicate that your server is authorized to send messages with their domain. So, if you don't have authorization, it will be marked as spam by most email clients or you will be advised that the message is fake.

cPanel's SMTP or google hosted SMTP?

I'm wondering what mail servers I should use for sending mail through my website, avoiding them sent as spam.
Hostgator SMTP
google hosted SMTP
I found that to avoid a mail sent as spam it should have the same host in "From:" and "Received". How to overcome this?
Thanks
You should really check (or create) your DNS SPF record: it specifies which server is allowed to send email for your domain name. Hotmail and Gmail users, among others, may find your emails in their junk folder if you set these incorrectly or not at all.
Also make sure you have a reverse DNS record set to your domain name. Your recipients' mail servers will check if your mail server's IP address is fixed or dynamic (if dynamic, it's most probably spam). See Wikipedia:
checking the domain names in the rDNS to see if they are likely from dialup users, dynamically assigned addresses, or other inexpensive internet services. Owners of such IP addresses typically assign them generic rDNS names such as "1-2-3-4-dynamic-ip.example.com." Since the vast majority, but by no means all, of e-mail that originates from these computers is spam, many spam filters refuse e-mail with such rDNS names
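
The rDNS screening described in the answer above, as an added Python example that is not part of the original post. The PTR and A tables are constructed stand-ins for DNS (RFC 5737 documentation addresses), the keyword list is an assumption, and the check that the PTR name resolves back to the same IP goes slightly beyond what the answer describes.

```python
import re

# Constructed stand-ins for PTR and A lookups (RFC 5737 documentation addresses).
PTR = {
    "192.0.2.4": "192-0-2-4-dynamic-ip.example.com.",
    "198.51.100.10": "mail.example.org.",
    "203.0.113.9": "mx.example.net.",
}
A = {
    "192-0-2-4-dynamic-ip.example.com.": ["192.0.2.4"],
    "mail.example.org.": ["198.51.100.10"],
    "mx.example.net.": ["203.0.113.200"],   # forward record points elsewhere
}
# Labels that often mark provider-assigned names (assumed list for this example).
GENERIC_LABELS = {"dynamic", "dyn", "dialup", "dsl", "dhcp", "pool", "ppp", "cable"}


def embeds_ip(ptr_name, ip):
    """True if the PTR name spells out the IPv4 octets, forward or reversed."""
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        if re.search(r"(?<!\d)" + "[-.]".join(seq) + r"(?!\d)", ptr_name):
            return True
    return False


def classify_rdns(ip):
    """Classify a connecting IPv4 address by its reverse DNS."""
    ptr = PTR.get(ip)
    if ptr is None:
        return "no-rdns"
    if ip not in A.get(ptr, []):
        return "rdns-mismatch"          # PTR name does not resolve back to the IP
    labels = set(re.split(r"[-.]", ptr.lower()))
    if embeds_ip(ptr, ip) or labels & GENERIC_LABELS:
        return "generic-rdns"
    return "ok"
```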
