php mail() function gets spam email - php

All the emails I am sending, from local WAMP or from the server, with the PHP mail() function always go to the SPAM folder.
While looking for the issue, I found we have to set headers like from id, reply to, return path, MIME version, char type and charset. I have set all of them, but still the email goes to the SPAM folder in my Gmail / Yahoo account. Any clue?
All the email addresses which I am using in from/to/replyto/return path exist for real, and still it goes to SPAM. Very strange!

What I found locally is that sendmail_from was not set in my WAMP, and once I used
ini_set('sendmail_from', 'some_valid_email_address'); it gets to the Inbox!
Wohaaa... and working in live as well..

Take a close look at the SMTP headers from the messages that are getting flagged as possible spam. Many spam filters will add a few lines listing the reasons a message was flagged; for example, if the sending IP address is blacklisted for some reason, there might be a header describing which blacklists you're listed in.

That is one of the issues with the mail function. The better solution is to go for either of these:
Swift Mailer
PHPMailer

One thing to do is to make sure that your HTML validates. It turns out that spammers are generally incapable of writing validating HTML, and so this is a huge tip-off.
Another possibility is that you're on a shared host with another user that's a spammer. In this case, the whole IP range may have been banned.
Also, using red in your CSS and spammy words (think "free", "viagra", "act now", "sale", etc.) are tip-offs that some spam filters use.
The biggest thing that you can do to keep your emails out of spam folders is to only send emails to people that request them. This will keep people from reporting you as spam. If a lot of your emails get reported as spam, then your emails will get put in spam folders.

Try not including the "From: " header, which might make the server think that you're spoofing.

I had the same problem and nothing worked.
I found out that no line in the message is allowed to have more than 70 characters.
The solution is to apply wordwrap to the message:
$message = wordwrap($message, 70, "\r\n");
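The following is an added example (not code from the question or from any of the answers above) that puts the individual pieces of advice in this thread into one mail() call: the From/Reply-To/MIME headers, sendmail_from plus the -f envelope sender, a 70-character wordwrap, a text part next to the HTML part, and a check that user-supplied values cannot inject extra headers. The addresses and the send_notification/assert_header_safe names are placeholders chosen for the illustration.

```php
<?php
// Added example: one mail() call that sets the headers discussed in the
// thread, wraps lines at 70 characters, sends a text part alongside the HTML
// part and refuses header injection. Addresses below are placeholders.

/**
 * Reject any value that could terminate a header line. A CR or LF inside a
 * user-supplied subject or name would let the caller inject extra headers
 * (for example additional recipients), so fail closed instead.
 */
function assert_header_safe(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        throw new InvalidArgumentException('CR/LF not allowed in header values');
    }
    return $value;
}

/**
 * Send a multipart/alternative message with mail().
 *
 * $from should be an address on a domain whose SPF/DKIM you control; the same
 * address is used as the envelope sender (what Return-Path is derived from)
 * through the -f parameter on Unix and through sendmail_from on Windows.
 */
function send_notification(string $to, string $subject, string $text, string $html,
                           string $from = 'no-reply@example.com',
                           string $replyTo = 'support@example.com'): bool
{
    foreach ([$to, $from, $replyTo] as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Invalid address: $addr");
        }
    }
    $subject = assert_header_safe($subject);

    // The answer above found that sendmail_from must be set on WAMP; PHP's
    // built-in SMTP client on Windows uses it as the envelope sender.
    ini_set('sendmail_from', $from);

    $boundary = 'b-' . bin2hex(random_bytes(12));

    $headers = implode("\r\n", [
        "From: $from",
        "Reply-To: $replyTo",
        'MIME-Version: 1.0',
        "Content-Type: multipart/alternative; boundary=\"$boundary\"",
        'X-Mailer: PHP/' . PHP_VERSION,
    ]);

    // Text part: no line longer than 70 characters, as the answer above found.
    $textPart = wordwrap($text, 70, "\r\n");
    // HTML part: quoted-printable guarantees short lines without breaking
    // long href attributes the way a plain wordwrap could.
    $htmlPart = quoted_printable_encode($html);

    $body = implode("\r\n", [
        "--$boundary",
        'Content-Type: text/plain; charset=UTF-8',
        'Content-Transfer-Encoding: 8bit',
        '',
        $textPart,
        "--$boundary",
        'Content-Type: text/html; charset=UTF-8',
        'Content-Transfer-Encoding: quoted-printable',
        '',
        $htmlPart,
        "--$boundary--",
    ]);

    // -f sets the envelope sender on Unix sendmail-compatible binaries; this
    // is the address SPF is evaluated against on the receiving side.
    return mail($to, $subject, $body, $headers, '-f' . $from);
}

// Usage with constructed sample content:
// send_notification('user@example.org', 'Your account',
//     "Hello,\nyour account is ready.", '<p>Hello,<br>your account is ready.</p>');
```

Setting a Return-Path header yourself is pointless: receiving servers overwrite it with the envelope sender, which is why the example passes -f instead.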

Related

Letting users define sender of an email

A client asked me about a little form for his website, from which it would be possible to mail the URL to someone. Something like "Hey, check this out".
Since he was not happy with mailto:, I want to use the PHP mail() function, but I wonder if it is smart to let users define the sender of the email. I am worried about the form being abused for spam/phishing.
Is that a reason to worry? Is it even legal?
It's legal to send e-mail. It's not legal (everywhere) to send spam. But you are just providing a share link, not a relay server, so I wouldn't worry about that. If you limit the amount of control over the content of the message, and limit the number of people to send it to, it won't be too interesting for spammers.
Letting the user choose a sender is not a very good idea. Some mail relay servers check if the originating server is allowed to send e-mails for the domain specified in the address, so the mails might never arrive. You can safely set the sender name, though.
Apart from that, if the receivers of the message consider it as spam and report it, your domain might become blacklisted, and your mails will be sent to junk mail in many cases, so you want to make sure no (or little) spam is sent through your form.
Those bots try every form automatically just to see what happens, so you'll need to make some effort. You could add a captcha, which is an obstacle for humans too, although Google is going to put an end to that. Or you could protect it through other means, like a honeypot. Maybe you can just generate the form through JavaScript, which is a big obstacle for most spam bots.
Setting the From on an email in php mail isn't the cause for concern. The problem is that you'll be sending emails from your server. The mail headers will have your server information embedded - so any issues will tie back to you.
As long as you can safeguard your own server from allowing these spam/phishing attacks, then there's nothing wrong with it.
Just limit the number of people this mail function can send to - and make sure it can't be called multiple times in succession -- like with a script.
This way, the spammers wouldn't benefit from using your page to try to send spam. They'll go elsewhere.
There's much more to do to work with sending email, but this will at least get you started.
"Is it legal" depends upon the country you are in.
I don't think you need to worry about spam if you set up a login.
Or you could limit the number of emails by IP address. This can be spoofed, however, so it may not be the best option.
There are other control options you could do; limit number of emails by User Agent/IP combination, etc.
Aside from the reasons pointed out by others who have answered this question, I would advise against doing this because these messages will likely be marked as spam by spam filters, due to SPF and DMARC records.
For example, if someone sends a message through your system from a yahoo.com address, most spam filters will treat the message as spam, because of Yahoo's DMARC record, which basically says, 'any message sent from a yahoo.com email address that did not originate from a mail server on yahoo's network is spam'. See https://help.yahoo.com/kb/mail/SLN24016.html?impressions=true for more info.
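Added example (not code from the question or from any answer above): a "share this page" handler that follows the advice given in the answers. The From address stays on the site's own domain and only the display name is the user's, the user's address goes in Reply-To, the body is a fixed template so the form is not a free-text relay, the URL must point at the site itself, a honeypot field catches naive bots, and each client IP gets a small hourly allowance. SITE_HOST, FROM_ADDRESS, RATE_DIR and the function names are assumptions made for the illustration.

```php
<?php
// Added example: a share-form handler applying the thread's advice.
// Constants below are placeholders, not values from the original post.

const SITE_HOST      = 'www.example.com';    // assumption: our own host
const FROM_ADDRESS   = 'share@example.com';  // assumption: SPF/DMARC-aligned sender
const MAX_RECIPIENTS = 3;
const MAX_PER_HOUR   = 5;
const RATE_DIR       = '/tmp/share-rate';    // assumption: writable directory

function clean_display_name(string $name): string
{
    // Strip anything that could end a header line or smuggle an address into
    // the display name ("Bob <ceo@yourbank.com>" would otherwise forge a sender).
    $name = preg_replace('/[\r\n\0<>"]/', '', $name);
    return mb_substr(trim($name), 0, 60) ?: 'A visitor';
}

function is_own_url(string $url): bool
{
    $parts = parse_url($url);
    return $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array($parts['scheme'], ['http', 'https'], true)
        && strcasecmp($parts['host'], SITE_HOST) === 0;
}

/** Sliding-window limiter: at most MAX_PER_HOUR sends per client IP. */
function allow_send(string $ip): bool
{
    if (!is_dir(RATE_DIR)) { mkdir(RATE_DIR, 0700, true); }
    $file   = RATE_DIR . '/' . hash('sha256', $ip);
    $now    = time();
    $stamps = is_file($file) ? array_map('intval', file($file, FILE_IGNORE_NEW_LINES)) : [];
    $stamps = array_values(array_filter($stamps, fn($t) => $t > $now - 3600));
    if (count($stamps) >= MAX_PER_HOUR) { return false; }
    $stamps[] = $now;
    file_put_contents($file, implode("\n", $stamps), LOCK_EX);
    return true;
}

/** Validate one share request ($post mirrors $_POST). Returns a list of problems. */
function validate_share(array $post, string $ip): array
{
    $errors = [];
    if (($post['website'] ?? '') !== '') {   // honeypot: real users leave it empty
        $errors[] = 'honeypot filled';
    }
    if (filter_var($post['sender_email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid sender email';
    }
    $recipients = array_filter(array_map('trim', explode(',', $post['to'] ?? '')));
    if (count($recipients) === 0 || count($recipients) > MAX_RECIPIENTS) {
        $errors[] = 'between 1 and ' . MAX_RECIPIENTS . ' recipients required';
    }
    foreach ($recipients as $r) {
        if (filter_var($r, FILTER_VALIDATE_EMAIL) === false) { $errors[] = "bad recipient $r"; }
    }
    if (!is_own_url($post['url'] ?? '')) {
        $errors[] = 'URL must be on ' . SITE_HOST;
    }
    if (empty($errors) && !allow_send($ip)) {
        $errors[] = 'rate limit exceeded';
    }
    return $errors;
}

function send_share(array $post): bool
{
    $name    = clean_display_name($post['sender_name'] ?? '');
    $headers = implode("\r\n", [
        'From: ' . mb_encode_mimeheader($name, 'UTF-8') . ' <' . FROM_ADDRESS . '>',
        'Reply-To: ' . $post['sender_email'],
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=UTF-8',
    ]);
    // Fixed template: the user controls only the display name and the validated URL.
    $body = wordwrap("$name thought you might like this page on " . SITE_HOST . ":\r\n\r\n"
        . $post['url'] . "\r\n\r\nReply to this message to reach them directly.", 70, "\r\n");
    $ok = true;
    foreach (array_map('trim', explode(',', $post['to'])) as $to) {
        $ok = mail($to, 'A page shared with you from ' . SITE_HOST, $body, $headers,
                   '-f' . FROM_ADDRESS) && $ok;
    }
    return $ok;
}

// Usage in the form's POST handler:
// $errors = validate_share($_POST, $_SERVER['REMOTE_ADDR']);
// echo $errors ? implode("\n", $errors) : (send_share($_POST) ? 'sent' : 'failed');
```

Because the envelope sender and the From domain are both the site's own, SPF and DMARC alignment hold regardless of which address the user typed, which is the failure the last answer describes for yahoo.com senders.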

X-OutGoing-Spam-Status: No, score=-2.3

I'm using PHPMailer to send mail from my server.
I have dkim=pass and SPF=pass on my outgoing emails. I am not listed on spamhaus blacklist or via the mxtoolbox blacklist. My emails usually don't go to spam.
However, today I noticed this line in the header of my outgoing mail:
X-OutGoing-Spam-Status: No, score=-2.8
I'm concerned that this negative number will lead to my emails going to spam. (I'm assuming the negative number is bad, but I couldn't find any information online.)
Can someone shed some light on this? Is it a concern? If so, how do I improve this reading?
Thanks!!
The X-spam-status scores are put into the header of any email that passes through a mail server that is running Spamassassin (and some other anti-spam programs). Here's an article regarding tests Spamassassin does in version 3.3.
The higher the score the more likely the email is spam. It uses a range of things to decide on what is and isn't spam, blacklists are only part of its algorithms.
As listed here, an email can have a negative score if it is whitelisted, which is a good thing. If an email is whitelisted, this usually means (not always) that the recipient has received an email from the sender before, and the user has acted on that email (by acted on, I mean you have responded to it, or clicked "always show images from this sender" kind of thing) or you have that email address saved in your address book.
Hope this helps.
EDIT: In short, the negative number is good and you shouldn't worry about it.

Confusion about mail in CakePHP

I'm confused about how mail works in PHP and CakePHP.
1.) What is the difference between sending an email using the PHP mail function / CakePHP email helper or SMTP as shown here: http://book.cakephp.org/1.3/en/view/1290/Sending-A-Message-Using-SMTP, as the outcome looks the same?
2.) To specify who the email is coming from, you pass the email in the header, but you can put whatever you want, so what is stopping you from just putting in anything, like yourbank.com? mail('you@gmail.com', "Subject", "Message", "From: <dave@yourbank.com>"); I just tried it and it worked fine, and I couldn't find any way in Gmail to see if it didn't come from dave at yourbank.com...
Hopefully I can get some light on these two questions. Thanks.
1). CakePHP has a bunch of helpers & functionality implemented to make life easier when developing applications. As you've discovered, Cake has mail functionality. I suggest reading this whole page http://book.cakephp.org/2.0/en/core-utility-libraries/email.html (It's 2.0 not 1.3, so please note there have been some big alterations between the two versions). The article covers in depth why you may configure something in a particular manner.
CakePHP is using the default mail function of PHP. It just allows you to incorporate views into the content and configure the outgoing mail in a much easier manner.
2) As for putting in potentially any email address within the From header.... this can potentially fall under the category of Email Spoofing, essentially sending an email when it's not authorized from the source (From header). Again this links back to configuring specific mail servers.
By default mail clients are generally set up to prevent spam and junk; this is done by taking a large number of steps. Some may be..
Keyword checking (checking the contents of an email for any keywords classified as spam).
Header checking <--- this is the one that answers your question.
Essentially... headers are examined and checked to see if the server that the mail was sent from has the authority to use the given from address.
As I don't have enough technical knowledge, I'll throw a few pages your way which discuss setting up records against your DNS/Domain so emails are validated correctly and not put within spam folders.
http://www.ipswitch.com/support/imail/guide/imailgsv8.1/Appendix%20A%20dns4.html
http://help.postageapp.com/kb/application-features/dkim-and-spf-setup-and-validation
How to properly set up DNS SPF records?
I hope my jumbled ramblings make some sort of sense.
Question 1: PHP mail function uses your own server's built in email functionality to send email. If you use SMTP, you're connecting to another server (eg. Google's mail servers) and using that server to send the email.
CakePHP's email component can use either PHP mail, or SMTP, depending on how you configure it.
The outcome is basically the same in many respects. Which way is best for you will depend on your set up, the volume of email you're sending, whether your own server has any restrictions with regards to sending mail, etc. If you Google "PHP mail versus SMTP" or similar, then you'll get some info to help you decide which is best for you.
If you're not sending much email, eg. if you're just wanting to send the results of an enquiry form that gets submitted a few times each day, then just use PHP mail and don't worry about it.
Question 2: Although email programs put various measures in place to make sure mail is legitimate, basically nothing stops fake emails completely. You can send Fake email. Check out this site: http://deadfake.com/Send.aspx and in particular, their FAQ section: http://deadfake.com/FAQ.aspx
Spam filters do their best to catch fake emails, but ultimately it's up to the end user to keep their wits about them, especially with banking emails!

How to send emails from a php script that don't go to the spam folder (rules suggestions)

I'm developing a site that sends A LOT of email notifications to my users from a php script that is running almost all the time. I would like to format the email message in order to make it non-spam-like, so my users can read the info outside of the spam folder.
What suggestions can you offer me? Do I need to use non-HTML messages? Are there some rules for the naming of the email address? (like no-reply@myhost.com)
I know there is no 100% secure method, but I would like to make it the best possible. Thanks!
To do that you probably have to configure DKIM/SPF.
DKIM
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email
To set up DKIM in PHP you could have a look at this Stackoverflow topic
SPF
Sender Policy Framework (SPF), as defined in RFC 4408, is an e-mail validation system designed to prevent e-mail spam by tackling source address spoofing, a common vulnerability.
This link might help you set up DKIM and SPF.
List
Have a look at this list (more complete?) from Sendgrid:
Sendgrid (outsource)
I don't think this is the most simple task. Luckily services like Sendgrid help you send out emails without them being flagged as spam. They also provide a free plan (200 messages per day).
Also you have to keep in mind that when you send a lot of emails you should be queuing your emails to send them out in a controlled manner (not overloading your server). This is also taken care of by third-party services for sending emails. Also, if you are using shared hosting I don't think they will appreciate it if you send a lot of emails, because your resources are shared with all other users.
Alternatives
Some other alternatives to Sendgrid are:
http://postmarkapp.com/
http://www.cloudsmtp.com/
http://www.critsend.com/
When searching Google you can find a lot more.
The email name won't be your issue with spam filters; most of them will be environmental.
The simplest way of making sure that your emails don't get marked as spam is to ensure the reverse lookups are correct for your MX records and for where the email is sent from. (Important for filters used by Google and Hotmail et al.)
The second is to ensure that the HTML in the email is correctly formatted. Dodgy HTML formatting will cause some spam filters to instantly class it as spam.
Other than that I would suggest also telling users to add the email address to their address book (Hotmail et al.) so that the spam filters see it as a not-spam email.
Other than that there are no other rules for emails that I can think of.
Hope that helps
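Added example, not code from any of the answers in this thread or the CakePHP thread above, both of which point at SPF/DKIM/DMARC DNS records as the thing receivers check. It fetches a sending domain's SPF TXT record and its _dmarc policy, parses them, and reports the problems a practitioner most often finds (missing record, two SPF records, "+all", more than ten lookups, DMARC still at p=none). The parsers are exercised on constructed sample records so the logic runs offline; lookup_txt() is the only part that queries DNS. example.com, the sample records and the function names are assumptions made for this illustration.

```php
<?php
// Added example: check the SPF and DMARC records a sending domain publishes.
// Sample records at the bottom are constructed, not real example.com data.

/** Return all TXT strings published at $name. */
function lookup_txt(string $name): array
{
    $records = @dns_get_record($name, DNS_TXT) ?: [];
    return array_map(fn($r) => $r['txt'], $records);
}

/** Parse an SPF record into its terms; null if the string is not SPF. */
function parse_spf(string $txt): ?array
{
    $terms = preg_split('/\s+/', trim($txt));
    if (strcasecmp(array_shift($terms), 'v=spf1') !== 0) { return null; }
    $out = ['mechanisms' => [], 'all' => null, 'dns_lookups' => 0];
    foreach ($terms as $term) {
        $qualifier = '+';
        if (preg_match('/^[+\-~?]/', $term)) { $qualifier = $term[0]; $term = substr($term, 1); }
        $name = strtolower(preg_split('/[:\/=]/', $term, 2)[0]);
        if ($name === 'all') { $out['all'] = $qualifier; continue; }
        // RFC 7208 section 4.6.4: each of these costs one of the 10 allowed lookups.
        if (in_array($name, ['include', 'a', 'mx', 'ptr', 'exists', 'redirect'], true)) {
            $out['dns_lookups']++;
        }
        $out['mechanisms'][] = $qualifier . $term;
    }
    return $out;
}

/** Parse a DMARC record ("v=DMARC1; p=reject; rua=...") into tag => value. */
function parse_dmarc(string $txt): ?array
{
    $tags = [];
    foreach (explode(';', $txt) as $pair) {
        if (strpos($pair, '=') === false) { continue; }
        [$k, $v] = array_map('trim', explode('=', $pair, 2));
        $tags[strtolower($k)] = $v;
    }
    return (($tags['v'] ?? '') === 'DMARC1') ? $tags : null;
}

/** Turn the parsed records into human-readable findings. */
function assess(array $spfRecords, array $dmarcRecords): array
{
    $findings = [];
    $spf = array_values(array_filter(array_map('parse_spf', $spfRecords)));
    if (count($spf) === 0) {
        $findings[] = 'No SPF record: receivers cannot tell which hosts may send for this domain.';
    } elseif (count($spf) > 1) {
        $findings[] = 'More than one SPF record: RFC 7208 treats this as a permanent error.';
    } else {
        $s = $spf[0];
        if ($s['all'] === '+')  { $findings[] = '"+all" lets any host send as you; use -all or ~all.'; }
        if ($s['all'] === null) { $findings[] = 'No "all" term: unmatched senders get a neutral result.'; }
        if ($s['dns_lookups'] > 10) {
            $findings[] = "SPF needs {$s['dns_lookups']} DNS lookups; the limit is 10 (permerror).";
        }
    }
    $dmarc = array_values(array_filter(array_map('parse_dmarc', $dmarcRecords)));
    if (count($dmarc) === 0) {
        $findings[] = 'No DMARC record: receivers apply their own heuristics instead of your policy.';
    } elseif (($dmarc[0]['p'] ?? 'none') === 'none') {
        $findings[] = 'DMARC p=none only monitors; move to quarantine/reject once reports look clean.';
    }
    return $findings;
}

/** Live check of a domain you own (requires DNS access). */
function check_domain(string $domain): array
{
    return assess(lookup_txt($domain), lookup_txt("_dmarc.$domain"));
}

// Offline demonstration on constructed records:
$sampleSpf   = ['v=spf1 ip4:192.0.2.10 include:_spf.example.net +all'];
$sampleDmarc = ['v=DMARC1; p=none; rua=mailto:dmarc@example.com'];
foreach (assess($sampleSpf, $sampleDmarc) as $f) { echo "- $f\n"; }
// Live use: foreach (check_domain('example.com') as $f) { echo "- $f\n"; }
```

DKIM is deliberately left out of the checker: its selector name is not discoverable from DNS alone, so you verify it from a received message's DKIM-Signature header (the s= tag names the selector to look up under _domainkey).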

sending mail with php & escaping hotmails junk folder

I have been trying to get PEAR::mail to successfully deliver emails to Hotmail users without being flagged as SPAM and ending up in the junk folder. I have no problems with Yahoo/Gmail, only with Hotmail.
Google suggested that this is a common problem with Hotmail and that possible causes can include:
incorrect reverse DNS for the main IP of the server
lack of SenderId/SPF records
being blacklisted
Having checked all of the above, I can only think of one other reason - incorrectly formatted headers?
To test this theory I set up Outlook to send email via the same address that PEAR::mail uses and sent a quick test - it delivered straight to my inbox.
So I compared the headers from the email sent from PEAR::mail against the headers sent by Outlook and there are only a few differences - I have only listed the differences to save space (and people's eyes).
PEAR::mail headers (not in outlook headers)
X-PHP-Script: www.example.com/register.php for [users ip address]
Outlook headers (not in PEAR::mail headers)
X-Mailer: Microsoft Office Outlook 11
Thread-Index: Ack6CWSQlgV8s6+6SWyifka2NNpB7g==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
The only other differences that I can see are:
the order of the From: and To: headers is reversed
and in the Received: section of the headers
Outlook
Received: from myhomehostname.com ([ip address] helo=simber)
by mywebhostname.com with local (Exim 4.67)
PEAR::mail
Received: from apache by mywebhostname.com with local (Exim 4.67)
Could these small differences in the headers be the cause, or am I looking in the wrong place? I knew this might be problematic, hence why I chose to use the PEAR::mail class rather than rolling my own, but now I really have no idea where to go with this. Any help would be greatly appreciated.
Update: as per changelog's suggestion I have tried adding the MS headers to the PEAR::mail class, and I have tried replacing PEAR::mail with PHPMailer (with & without the extra headers) - they all end up in the junk folder.
I am starting to believe that it may not be the headers after all.
Update 2: I should have mentioned that the emails are just a registration confirmation to validate the email address the user signed up with - no mailshots etc., so our volume is extremely low.
I have considered warning users who provide a @hotmail/live email address to add us to their address book or check their junk folder - but this just seems unprofessional to me. It may be that I have to resort to this.
As for becoming Sender Score Certified - it's very unlikely that I can justify the cost of this when considering the low volume and purpose of these emails.
My company does professional e-mail marketing campaigns (through StrongMail servers); we send thousands of (solicited) emails a day to all kinds of addresses.
The problem you are facing is that you have no authority. You could just be some spammer trying to send loads of spam.
The things you need to do are:
Add unsubscribe links
Apply for Hotmail's Junk Mail Reporting Program (JMRP) and MAKE SURE people that press the 'this is junk' button do not get mailed again. This will up your 'sender score' @ Hotmail and allow your messages to get through.
Add SPF and other anti-spam solutions.
Do not send more than 50 e-mails per minute to @hotmail.com (other domains have other limits)
B.t.w. we use PHPMailer to compose our messages, no problem at all with that :-)
The problem nowadays really is the restrictive receiving mail servers.
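Added example, not code from the answer above or from PHPMailer: a small queue drainer that applies the per-domain throttling the answer recommends (and the controlled queuing the "rules suggestions" answer above asks for). Recipients are grouped by domain, each domain has its own per-minute allowance, and the actual send is a callable so the queue runs against mail(), PHPMailer or a stub. The 50-per-minute figure for hotmail.com comes from the answer; the other limits, the class names and the sample queue are assumptions for the illustration.

```php
<?php
// Added example: per-domain send throttling with retry and a bounded queue.
// Limits other than hotmail.com's 50/minute are assumptions.

final class DomainThrottle
{
    private array $limits;
    private array $sent = [];   // domain => send timestamps inside the last minute

    public function __construct(array $limits, private int $defaultLimit = 20)
    {
        $this->limits = array_change_key_case($limits, CASE_LOWER);
    }

    public function limitFor(string $domain): int
    {
        return $this->limits[strtolower($domain)] ?? $this->defaultLimit;
    }

    /** True (and records the send) if one more message to $domain fits in the last 60 s. */
    public function allow(string $domain, int $now): bool
    {
        $domain = strtolower($domain);
        $recent = array_values(array_filter($this->sent[$domain] ?? [], fn($t) => $t > $now - 60));
        $this->sent[$domain] = $recent;
        if (count($recent) >= $this->limitFor($domain)) {
            return false;
        }
        $this->sent[$domain][] = $now;
        return true;
    }
}

final class MailQueue
{
    private array $pending = [];

    /** $send is callable(string $to, string $subject, string $body): bool */
    public function __construct(private DomainThrottle $throttle, private $send) {}

    public function enqueue(string $to, string $subject, string $body): void
    {
        $this->pending[] = compact('to', 'subject', 'body');
    }

    public function pendingCount(): int { return count($this->pending); }

    /**
     * Send what the throttle allows right now. Messages over a domain's limit
     * stay queued for the next tick; failed sends are retried up to 3 times in
     * total and then dropped, so one bad address cannot block the queue.
     */
    public function tick(int $now): array
    {
        $stats = ['sent' => 0, 'deferred' => 0, 'failed' => 0];
        $remaining = [];
        foreach ($this->pending as $msg) {
            $domain = substr(strrchr($msg['to'], '@'), 1);
            if (!$this->throttle->allow($domain, $now)) {
                $remaining[] = $msg;
                $stats['deferred']++;
                continue;
            }
            if (($this->send)($msg['to'], $msg['subject'], $msg['body'])) {
                $stats['sent']++;
            } elseif (($msg['attempts'] ?? 0) + 1 < 3) {
                $msg['attempts'] = ($msg['attempts'] ?? 0) + 1;
                $remaining[] = $msg;
            } else {
                $stats['failed']++;
            }
        }
        $this->pending = $remaining;
        return $stats;
    }
}

// Demonstration with a stub sender; swap in mail() or PHPMailer in production.
$throttle = new DomainThrottle(['hotmail.com' => 50, 'gmail.com' => 100]);
$queue    = new MailQueue($throttle, fn($to, $subject, $body) => true);
for ($i = 0; $i < 120; $i++) {                       // constructed sample queue
    $queue->enqueue("user$i@hotmail.com", 'Your confirmation', 'Constructed test body.');
}
$t = time();
print_r($queue->tick($t));         // 50 sent, 70 deferred
print_r($queue->tick($t + 60));    // 50 sent, 20 deferred
print_r($queue->tick($t + 120));   // last 20 sent
```

In a long-running script the tick() call goes inside the main loop with a short sleep, and the queue itself lives in a database table rather than memory so a restart does not lose pending confirmations.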
Email deliverability is closer to an art than a science. I can pretty much guarantee that it has nothing to do with your headers. Trying to spoof headers is likely the worst thing you can do. The Received: header is added by the mail servers as they receive the message: spoofing this will cause your email to get flagged as spam. One of the spam filters commonly used is to count the number of relays (i.e. Received: headers); if there are too many you get a higher spam score.
Reverse DNS and SPF are the minimum entry barriers. For hotmail in particular, there are three other very important factors AFTER you get your SPF and DNS records in line:
IP/Domain Reputation
Volume
Being in the Address Book
Reputation isn't the same as being blacklisted. You need to build trust with hotmail. Hotmail uses Sender Score Certified as their main reputation broker -- you can check your reputation with them if you want, but it may cost you.
If you're on a shared host or an IP address that has a checkered past, you won't have much luck with hotmail.
You build reputation by having a consistent volume with low spam complaints. You can send 1M messages an hour all day long, as long as you do it every day. If you're sending less than 10,000 messages a day, you likely won't be able to build up a decent reputation. You can get a report on your volume at Sender Base.
Finally, the best way to make sure you end up in the inbox is to get your users to add the sending email address to their address book. Hotmail uses this as a safe sender list. In fact, I think there's an additional trusted sender option in Hotmail now too (it's been awhile since I've been in the delivery game and I don't use hotmail).
Here are some other best practices for sending email:
ALWAYS use the same IP address
ALWAYS use the same FROM address
if you have a large list that you send newsletters to, make sure you retire old addresses (ie, check open rates)
if you have a large list, try segmenting it and sending from different IP addresses based on risk (ie, newer addresses may mark the message as spam)
I have always used PHPMailer in my projects, and what I did to avoid Hotmail's junk folder was to call a method they had that added MS Headers to the message.
Take a look at the source, and add those headers yourself.
Also, I recommend including a text-version if you're sending HTML e-mail.
I'd suggest modifying the headers you send to match 100% what outlook sends, and see if that solves the problem. Really it's a tough one though, hotmail is known for having a super crappy spam filter, sending lots of legit email to junk, and lots of spam to your inbox.
