
PHP mail() function hosted on causes email to end up in SPAM. Solution?

Comments

8 comments

  • sparek-3
    This has notoriously been a target of discussion. One that I really never bought into. People will tell you to avoid using PHP's mail() function and instead use something like PHPMailer to connect to your server's localhost through SMTP and send the message that way. Maybe they're right, but my opinion is that people just don't understand what they are doing and it's easier to just regurgitate what they've been told.

    What parameters are you passing to the mail() function in your PHP code? Are you specifying anything for the 5th parameter to the mail() function?

    You need to understand that there's a difference between the header From address (From:) and the envelope-sender address (sometimes called the return-path or sender from address). When you initiate an SMTP transaction (whether that's an SMTP transaction between your script and your localhost or between your server and Gmail's mail server) after the HELO/EHLO (or after STARTTLS ... which probably every modern mail server supports now) the client will issue a MAIL FROM command. This MAIL FROM is the envelope-sender. As far as the email server MTA (Exim, Postfix, Sendmail, etc.) is concerned, this envelope-sender is who sent the message. The header From address isn't given until the SMTP transaction is in the DATA part. At that point the MTA doesn't distinguish anything. Everything is just DATA to it at this point. SPF, DKIM, and DMARC at the MTA level are all based on the envelope-sender address.

    In the example you gave:

        Return-Path: <cpanel-account-username@server1.serverdomain.com>

    This is the envelope-sender. So in terms of SPF, DKIM, and DMARC the receiving mail server is only going to pay attention to the domain name - server1.serverdomain.com.

    When a script uses PHPMailer for SMTP localhost sending, it's probably specifying a real email address on the specific domain name as the MAIL FROM, so the envelope-sender (or Return-Path) might become something@someotherdomain.com. Now, typically you can force a direct sendmail execution of mail to change the envelope-sender by using the 5th parameter of the mail() function in PHP with something like:

        mail($to, $subject, $message, "From: something@someotherdomain.com\r\n", "-fsomething@someotherdomain.com");

    This will change the resulting headers that you receive at the Gmail account to read:

        Return-Path: <something@someotherdomain.com>

    which will then allow SPF, DKIM, and DMARC to all be based off of someotherdomain.com - which is probably what you want.

    The envelope-sender (or Return-Path) is also sometimes called a bounce address. Whatever address is set here is where bounceback messages are going to be sent. So if your script sends an email to a Gmail account that doesn't exist, then Gmail is going to bounce the message back to whatever email address is listed here. That might be cpanel-account-username@server1.serverdomain.com or it might be something@someotherdomain.com.
    0
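Added example, not part of the post above or of any code from this thread: a Python check that reads the headers of a received test message and reports which domain the envelope-sender (Return-Path) carries, which domain the header From carries, and what SPF verdict the receiver recorded. The sample headers are constructed from the two cases described above, `mx.example.net` is a placeholder receiver, and the function names `domain_of` and `sender_report` are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail): the default envelope-sender
# that mail() produces on the shared host, as described in the post.
DEFAULT_SENDER = """\
Return-Path: <cpanel-account-username@server1.serverdomain.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=cpanel-account-username@server1.serverdomain.com
From: something@someotherdomain.com
To: user@example.net
Subject: test

body
"""
# Same message after the envelope-sender is set with the 5th mail() parameter.
WITH_F_PARAM = DEFAULT_SENDER.replace(
    "cpanel-account-username@server1.serverdomain.com",
    "something@someotherdomain.com")

def domain_of(addr):
    """Lower-cased domain part of an address such as 'Name <a@b.c>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def sender_report(raw):
    """Summarise envelope-sender vs header From for one raw message."""
    msg = message_from_string(raw)
    envelope = domain_of(msg.get("Return-Path", ""))
    header_from = domain_of(msg.get("From", ""))
    # Authentication-Results is written by the receiving server; it records
    # the SPF verdict and the MAIL FROM address that verdict applies to.
    results = " ".join(msg.get_all("Authentication-Results", []))
    verdict = re.search(r"\bspf=(\w+)", results)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", results)
    return {
        "envelope_domain": envelope,
        "from_domain": header_from,
        "spf_result": verdict.group(1) if verdict else None,
        "spf_domain": domain_of(mailfrom.group(1)) if mailfrom else None,
        # Strict comparison: does the bounce domain match the visible From?
        "aligned": bool(envelope) and envelope == header_from,
    }

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_SENDER), ("with -f", WITH_F_PARAM)):
        print(name, sender_report(raw))
```

Paste the raw headers of a delivered test message in place of the constructed samples to see which domain your own server is putting in the envelope.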
  • jazee
    Hurray! Finally someone that appears to understand what I'm talking about and knows what they are talking about. Yes, I just didn't figure out yet how to override the envelope-sender-address so I'll give that 5th parameter a try. However that will probably mean it will no longer pass the SPF and DKIM tests. I did try using PHPMailer but it made no difference. The SPAM email test service was giving me a 0.7 out of 10 for various reasons. I got it up to a 9 with the only thing remaining being getting DKIM to work. The suggested TXT record for DKIM though that cPanel shows isn't working for some reason. But even at 9/10 still going to spam for outlook.com. The envelope-sender-address is now matching the From. But as far as SPF this means I'd need to add SPF records for all the domains of all the users using the app I'm assuming. It makes it through to Gmail no problem. But I'm wondering if Outlook has sort of blacklisted the sender since I've sent several emails now from the same server and they all go to spam and Gmail maybe in the past it was spam and I said it wasn't but my experience with Gmail is that it does not whitelist the sender for all future emails. I'm going to test Yahoo and a different Outlook account. If it comes through on Yahoo, I may just call it a day and be happy I got the mailcheck score from 0.7/10 to 9/10.
    0
  • jazee
    Yep. Yahoo works fine. Outlook.com is just super finicky. Middle finger at you Microsoft! I wonder for outlook.com if it's the X-Mailer: PHPMailer 5.2.25 in the header. I've read some spam filters don't like PHP as the mailer.
    0
  • jazee
    Just FYI. After tons more testing I decided to try some 3rd party gateway services. I tested mailgun.org, clicksend.com and sendinblue.com. There are many others but I didn't like their pricing structure. Of the three, only sendinblue.com got the emails to the inbox instead of spam. It's free for up to 300 emails a day. Problem solved.
    0
  • sparek-3
    > However that will probably mean it will no longer pass the SPF and DKIM tests.

    Well, it depends on what you set your envelope-sender to. If the domain name associated with that envelope-sender has an SPF record (that matches the sending server) and DKIM records (that again are set up on the server that is sending the message) then the message would pass these tests once it reaches the recipient server.

    > But even at 9/10 still going to spam for outlook.com.

    All major mail service providers, but for whatever reason especially Microsoft, all have their own algorithms for calculating spam. What these algorithms are and how they function is anybody's guess. Not to get too dystopian, but the days of extra-email between different providers is going to continue to get more problematic as every email provider increases their anti-spam systems. With Hotmail to Hotmail messages, Microsoft is able to see both the sender and the receiver. With Gmail to Hotmail, Microsoft can only see the message at its receiving end.

    > I wonder for outlook.com if it's the X-Mailer: PHPMailer 5.2.25 in the header.

    You should be able to remove the extra headers that PHPMailer adds. Will it help? Who knows. Again just points to the secretive nature of the anti-spam measures these large email service providers use.
    0
  • SamuelM
    Hello @jazee
    > But I'm wondering if Outlook has sort of blacklisted the sender since I've sent several emails now from the same server and they all go to spam

    Typically if your mail is blocked by Microsoft's mail services, you would receive a bounceback with language such as the following: "Unfortunately, messages from [$yourip] weren't sent. Please contact your Internet service provider since part of their network is on our block list"
    If you aren't receiving bounceback messages and the mail is simply being marked as spam, that makes it much harder to troubleshoot, because as sparek-3 explained, Microsoft have their own algorithms for calculating spam. If you haven't already reviewed the following page, it might help to provide some basic guidelines for troubleshooting the issue:
    0
  • jazee
    I did some more testing and although I can't say 100% for sure, I believe the lynchpin is sending not only with a valid SPF record for the domain but also a DKIM record. DMARC made no difference. When you use 3rd party hosts like Sendinblue, they send via their domain and use their own records (there's also a chance many of these 3rd party senders are 'whitelisted' with the large email providers). But on Sendinblue, you can optionally authenticate your domain and set up SPF and DKIM records in your DNS which Sendinblue provides so the email doesn't come into Gmail showing Your Name with your reply address but 'sent via sendinblue.com' appears next to the sender's name. With a little more work I think I could probably pass the Outlook.com spam filter sending directly from my server. However, I'm not going to because I really like the nice web interface of Sendinblue.com that gives me statistics and logs of all the emails being sent, whether they bounced, if they were delivered, if they were opened, if they were clicked on and these are NOT marketing campaign emails, these are transactional emails generated to update workers and customers about status of their service order. Also when you use a 3rd party service, you can insure yourself against one of your domains on your server getting the server's IP blacklisted because of one of your customers sending too much spam. That way you can still send email direct from your server when desired in the future.
    0
  • apknerd
    The same thing is happening with me on my website:
    0
