Postfix Gmail Bounce: This message does not have authentication information or fails to 550-5.7.26 pass authentication checks.


Gmail implements certain security measures to protect its users from spam, and these may cause it to reject PHP mail sent via postfix. In this article we will configure a domain SPF record so that Gmail knows to trust our server.

Introduction

Some email service providers such as Gmail and Outlook implement security measures to combat spam. This means that if you try to send a PHP mail from your server using postfix, it will most likely be rejected by these email providers if your domain’s DNS isn’t configured correctly.

If you want to set up postfix on your server, please read: How to get PHP mail() working on Ubuntu

Bounce Error

I was trying to send mail from my DigitalOcean droplet via postfix with the following test command.

echo "Test Email message body" | mail -s "Email test subject" [email protected]

But I would never receive the email, not even in the spam folder.

Checking the postfix log with:

sudo tail -f -n 50 /var/log/syslog | grep postfix

Returned this bounce error from Gmail’s server:

Feb 19 18:45:56 hostname postfix/smtp[20822]: A25DCC4104: to=<[email protected]>, 
relay=gmail-smtp-in.l.google.com[172.217.197.26]:25, 
delay=30, 
delays=0.03/0.01/30/0.18, dsn=5.7.26, 
status=bounced (host gmail-smtp-in.l.google.com[172.217.197.26] said: 550-5.7.26 This message does not have authentication information 
or fails to 550-5.7.26 pass authentication checks. To best protect our users from spam, the 550-5.7.26 message has been blocked. 
Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. 
c1si172391qka.253 - gsmtp (in reply to end of DATA command))

Check Your Domain SPF Record

The problem for me was a missing SPF DNS record for my domain. Try adding your server’s IP address to the SPF record so that Gmail knows to trust it.

Simply add the following DNS TXT record where x.x.x.x is the IP of your server. If you don’t know how to add an SPF record, read further below.

v=spf1 ip4:x.x.x.x ~all 

Depending on your DNS host, you may have to wait 48 hours for the record to propagate.

Now send another test email via postfix:

echo "Test Email message body" | mail -s "Email test subject" [email protected]

The email should come through this time. Make sure to also check your spam folder.

Checking the email headers in Gmail (by clicking the three dots and “Show Original”), we can now see my server IP is a “permitted sender”.

Received: from yourdomain.com ([x.x.x.x])
by mx.google.com with ESMTP id z3si442716qvo.123.2020.02.19.12.22.16
for <[email protected]>;
Wed, 19 Feb 2020 12:22:16 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates x.x.x.x as permitted sender) [email protected]
Received: by yourdomain.com (Postfix, from userid 1000) id 8CCB9C4106; Wed, 19 Feb 2020 20:22:16 +0000 (GMT)

What is an SPF Record?

Spammers might send emails that appear to come from your domain. This is called spoofing. You can add a Sender Policy Framework (SPF) record to your domain host to help your recipients know where emails from your domain should be coming from and that they aren’t spoofed.

Your domain host keeps text settings (called DNS records) that direct web traffic to your domain. An SPF TXT record lists the mail servers that can send email from your domain. If a message is sent from a server that’s not in the record, the recipient’s server might consider it spam.

How to Add an SPF Record

  1. Sign in to your domain account at your domain host.
  2. Go to the page for updating your domain’s DNS records.
    This page might be called something like: DNS management, name server management, or advanced settings.
  3. Find your TXT records and check if your domain has an existing SPF record. (The SPF record starts with “v=spf1”.)
  4. If you don’t have an SPF TXT record, create a TXT record with these values:
    • Name/Host/Alias—Enter @ or leave blank.  (Other DNS records for your domain might indicate the correct entry here).
    • Time to Live (TTL)—Enter 3600 or leave the default.
    • Value/Answer/Destination—Enter v=spf1 ip4:x.x.x.x ~all (where x.x.x.x is your server IP.)
  5. Save the record.
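
An added example, not from the original article: a pre-publish check for steps 3 and 4. A domain that ends up with two v=spf1 TXT records makes receivers return permerror, so an existing record should be edited rather than a second one added. The name lint_spf and the sample record sets are constructed for illustration.

```python
# Terms that trigger a DNS query; SPF allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed TXT record sets for one domain (documentation IP, placeholder token).
GOOD = ["site-verification=PLACEHOLDER",
        "v=spf1 ip4:198.51.100.26 include:_spf.google.com ~all"]
DUPLICATE = ["v=spf1 ip4:198.51.100.26 ~all",
             "v=spf1 include:_spf.google.com ~all"]
OPEN = ["v=spf1 ip4:198.51.100.26 +all"]
UNTERMINATED = ["v=spf1 ip4:198.51.100.26"]


def term_name(term):
    """Strip qualifier, argument, CIDR suffix and modifier value from a term."""
    term = term.lstrip("+-~?")
    for sep in (":", "/", "="):
        term = term.split(sep)[0]
    return term


def lint_spf(txt_records):
    """Return a list of problems in the TXT record set of a single domain."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["%d SPF records published; receivers return permerror" % len(spf)]
    terms = spf[0].lower().split()[1:]
    names = [term_name(t) for t in terms]
    problems = []
    if "all" in names:
        pos = names.index("all")
        if terms[pos] in ("all", "+all"):
            problems.append("+all lets any server send as this domain")
        if any("=" not in t for t in terms[pos + 1:]):
            problems.append("mechanisms after all are never evaluated")
    elif "redirect" not in names:
        problems.append("no all term; unlisted servers get a neutral result")
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        problems.append("more than 10 DNS-querying terms; receivers return permerror")
    return problems
```

Feed it every TXT value returned for the domain name, not just the SPF one, so that duplicates are caught.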

Multiple Hosts in SPF Record

You may want to add multiple trusted hosts to your SPF record. For example, if you also use G Suite to send email from your domain, add it using include:.

Below we have the IP address of the server where postfix resides, and another host for G Suite.

v=spf1 ip4:x.x.x.x include:_spf.google.com ~all

Another example: I also use Campaign Monitor to send email marketing. Here I am adding my server IP (for postfix), G Suite, and Campaign Monitor’s domain (cmail1.com).

v=spf1 ip4:x.x.x.x include:_spf.google.com include:cmail1.com ~all

You can also include the IPv6 address for your server like so:

v=spf1 ip4:198.51.100.26 ip6:2001:db8:8:4::2 ~all

~all or -all tags

Once you have added all IP addresses and include tags, you should end your record with an ~all or -all tag. The all tag is an important part of the SPF record, as it indicates what policy should be applied when ISPs detect a server which is not listed in your SPF record. If an unauthorized server does send email on behalf of your domain, action is taken according to the policy that has been published (e.g. reject the email or mark it as spam). You need to tell receiving servers how strictly to treat these emails.

The ~all tag indicates a soft fail and the -all tag indicates a hard fail. The all tag has the following basic markers:

  • -all
    Fail – servers that aren’t listed in the SPF record are not authorized to send email (non-compliant emails will be rejected).
  • ~all
    Softfail – If the email is received from a server that isn’t listed, the email will be marked as a soft fail (emails will be accepted but marked).
  • +all
    Do not use this option; this tag allows any server to send email from your domain.
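
An added example (not part of the original article) of how a receiving server applies the record: it walks the mechanisms left to right, and the all term decides the result for any server that is not listed. It is a simplified sketch covering only ip4, ip6, include and all; the domains, addresses and the names check_spf and with_policy are constructed for illustration.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (documentation IPs only).
SAMPLE_DNS = {
    "yourdomain.example":
        "v=spf1 ip4:198.51.100.26 ip6:2001:db8:8:4::2 "
        "include:_spf.provider.example ~all",
    "_spf.provider.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, dns=SAMPLE_DNS, depth=0):
    """Evaluate ip4, ip6, include and all left to right; the first match wins."""
    terms = dns.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only if the referenced record itself gives pass
            matched = check_spf(client_ip, value, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, redirect etc. are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no all term


def with_policy(all_term):
    """Copy of SAMPLE_DNS whose top-level record ends in a different all term."""
    dns = dict(SAMPLE_DNS)
    dns["yourdomain.example"] = dns["yourdomain.example"].replace("~all", all_term)
    return dns
```

For the unlisted address 192.0.2.77 the same sender list gives softfail with ~all, fail with -all and pass with +all, which is why +all defeats the purpose of the record.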

Alternative Solutions

You can configure postfix to route mail through an SMTP server of your choice or through Gmail’s SMTP server. This usually guarantees that your PHP mail via postfix will not be rejected because of spam issues.


Let me know if this helped. Follow me on Twitter, Facebook and YouTube, or 🍊 buy me a smoothie.

3 replies


  1. Thanks, it finally worked with the addition of the TXT record
    v=spf1 ip4:x.x.x.x -all
    I had previously added a TXT record recommended by Google’s Postmaster Tools, but it was not sufficient…

    With the addition of the TXT record above, it worked, finally!

    Wanted to send you a smoothie, but in Euros it’s complicated…