How to stop your webshop emails going to the spam or junk folder

Email is a very important way of communicating with webshop customers or website users. Our clients send out thousands of emails every day, and it is very important that these emails end up in their clients' inbox instead of their spam folder. No wonder, since these mails include:

  • transactional emails confirming orders and invoices;
  • marketing emails that warn customers of an abandoned cart or tell them about a personalized offer;
  • functional emails that send customers a password reset link.

These are some of the measures I take to keep email from going to the spam folder, junk folder or advertising folder. But first some background. [Don't gimme background, take me to da steps I need to take!]

How does a spam algorithm work?

Spam algorithms check your mail on many points. You get a spam score for each point. If the total spam score exceeds a certain threshold, your mail will be sent to the spam folder. In extreme cases your mail may even be refused altogether.

The most common causes for your mail to end up in the spam folder are:

  1. The address with which you send does not really exist.
  2. The server from which you send mail is on a spam blacklist.
  3. Your SPF records are not configured correctly.
  4. Your email contains spammy content.
  5. Your DMARC records are not configured correctly.

In my experience, if you have items 1 through 4 configured correctly, an email will never end up in spam. Other characteristics add to a higher spam score, but it will not exceed the spam threshold.
Keep in mind that spam algorithms do change. I am guessing an ill-configured DMARC setting will be a dealbreaker in the not too distant future.

Here are the steps I take when investigating and fixing email spam issues.

Some ground rules

  1. Send email from an address that actually exists. Clients check for that. Never use noreply email addresses.
  2. Add all servers that you send email from to your SPF record. Do not forget to include IPv6 addresses. How do I set my SPF record?
  3. Do not use spammy content (multiple images, abundant exclamation marks, dollar signs and so on)

Step 1. Check your email SPF and blacklisting in MxToolbox

You can quickly find the most common issues for your email domain in MxToolbox.

  1. Go to https://mxtoolbox.com/
  2. Type in your domain and hit MX Lookup.
  3. In the next screen, hit Find Problems.
  4. This page will give you an overview of the most common problems:
    1. Blacklisting of your domain.
    2. SPF.
    3. DMARC/DKIM. (these are not a problem at the moment)

If MxToolbox does not show any problems other than DMARC, go to step 2.
If MxToolbox finds your server is blacklisted or your SPF record is misconfigured, resolve those problems first and check if that fixes your spam problems.

Step 2. Check the headers for an email that was sent to a spam box.

Set up a test account in a strict email client

The email clients most notorious for sending email to the spam or junk folder are the Microsoft clients Outlook, Live and Hotmail. Gmail is also very strict about spam email. Create a test account on Outlook.com and one on Gmail.com. Only use these accounts for testing incoming email. Do not manually drag email to other folders. Do not add anyone to those clients' address books. Part of the spam algorithm is based on your actions in that box.

Investigate the email headers

If you are unsure what caused your email to end up in the junk folder, investigate the headers. They contain some of the spam algorithm's results, so they will often tell you exactly which spam test failed.

Viewing email headers in Gmail

  1. Go to the Spam folder and select the email.
  2. In the email detail screen click on More button (three dots) next to the Reply button and select Show original.
  3. Headers are found on line 1 to roughly 60.
  4. The headers you specifically want to look for are:
    1. spf=pass. If spf=fail go to How do I set my SPF record?
    2. smtp.mailfrom should be the same as From and Return-Path. If it's not go to What to do when my From header, Reply-To and Return-Path headers are different?
    3. dkim=pass. If dkim=none, it is not a big deal at the moment of writing.

Viewing email headers in Outlook/Live/Hotmail

Send an email from your application to the test mailboxes. If it does not end up in the spambox, you are good. If it does: investigate the headers. In Outlook:

  1. Go to the Junk email box and select the email.
  2. In the email detail screen click on the down arrow next to the forward button and select View Message Source.
  3. Headers are found on line 1 to roughly 130.
  4. The headers you specifically want to look for are:
    1. spf=pass. If spf=fail go to How do I set my SPF record?
    2. smtp.mailfrom should be the same as From:, Reply-To and Return-Path:. If it's not go to What to do when my From header, Reply-To and Return-Path headers are different?
    3. dkim=pass. If dkim=none, it is not a big deal at the moment of writing.
    4. Antispam-Report. This line contains a summary of the antispam filter results that have been applied to the message. See https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps#the-antispam-report-stamp.
      The most important ones:
      1. SCL: (Spam Confidence Level) 0 = extremely good, 9 = extremely bad. See https://docs.microsoft.com/en-us/office365/securitycompliance/spam-confidence-levels
      2. PCL: (Phishing Confidence Level) Level 1 through 3 = neutral. Level 4 through 8 = suspicious. See https://blogs.msdn.microsoft.com/tzink/2017/11/24/a-short-intro-to-how-the-phishing-confidence-level-pcl-works/
      3. BCL: (Bulk Complaint Level) You want to go for a maximum level of 3. 0 = not from a bulk sender, 1, 2, 3 = from a bulk sender that generates few complaints. See https://docs.microsoft.com/en-us/office365/securitycompliance/bulk-complaint-level-values
    5. If you find the Outlook headers hard to read, you can always paste them into Microsoft's header analyser: https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx. I hardly ever do this, though: it provides no extra information, it just makes the headers somewhat easier to read.
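
The header checks from both lists above can be scripted. The following is an added example, not part of the original article: it reads a raw message, pulls spf, dkim and smtp.mailfrom from Authentication-Results, compares the sender identities with From, and collects SCL/PCL/BCL values. The sample message is constructed, and scanning every header with "antispam" in its name is an assumption made for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers, not taken from a real message.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@mailer.example.net; dkim=none
X-Forefront-Antispam-Report: CIP:192.88.99.0;SCL:5;SFV:SPM;
X-Microsoft-Antispam: BCL:4;
From: Webshop <webmaster@example.com>
Reply-To: webmaster@example.com
Subject: Your order
"""

def analyse(raw):
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    def grab(pattern):
        m = re.search(pattern, auth, re.I)
        return m.group(1).lower() if m else None
    report = {"spf": grab(r"\bspf=(\w+)"), "dkim": grab(r"\bdkim=(\w+)")}
    # The sender identities that should all equal the From address.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    ids = {"Reply-To": parseaddr(msg.get("Reply-To", ""))[1].lower(),
           "Return-Path": parseaddr(msg.get("Return-Path", ""))[1].lower(),
           "smtp.mailfrom": grab(r"smtp\.mailfrom=([^\s;]+)") or ""}
    def same(value):  # some receivers log only the domain in smtp.mailfrom
        return value == (from_addr if "@" in value else from_addr.split("@")[-1])
    report["mismatched"] = sorted(k for k, v in ids.items() if v and not same(v))
    # Collect SCL/PCL/BCL from any header with "antispam" in its name.
    report["levels"] = {}
    for name, value in msg.items():
        if "antispam" in name.lower():
            for key, num in re.findall(r"\b(SCL|PCL|BCL):(-?\d+)", value):
                report["levels"][key] = int(num)
    return report

def problems(report):
    """Flag what the article treats as a problem; dkim=none is not flagged."""
    out = []
    if report["spf"] != "pass":
        out.append(f"spf={report['spf']}")
    out += [f"{name} differs from From" for name in report["mismatched"]]
    if report["levels"].get("PCL", 0) >= 4:
        out.append("PCL suspicious (4 or higher)")
    if report["levels"].get("BCL", 0) > 3:
        out.append("BCL above 3")
    return out

print(problems(analyse(SAMPLE)))
```

Paste the text from Show original or View Message Source in place of SAMPLE to check a real message.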

What to do when my From header, Reply-To and Return-Path headers are different?

If your From header is different from your Return-Path (also named Reverse-Path or Envelope-FROM), your message will most probably be sent to the spam folder. Make sure you set these headers explicitly when sending mail.

In PHP:

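$headers = 'From: webmaster@example.com' . "\r\n"
    . 'Reply-To: webmaster@example.com' . "\r\n"
    . 'Return-Path: webmaster@example.com';
// The fifth argument (-f) sets the envelope sender; the mail server derives Return-Path from it.
mail($to, $subject, $message, $headers, '-fwebmaster@example.com');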

What to do when my server is blacklisted?

Go to the blacklist page and search for your domain. Most blacklists will provide some details as to why your server was blacklisted. Solve the problems that caused the listing and request a 'delisting' with the relevant blacklist. It may take a few days for the domain to be removed from the list. The more often the domain is blacklisted, the harder it becomes to get it removed. That is why you first have to solve the problems.

How do I set my SPF record?

To prevent e-mail from ending up in the spam box, it is important to set up SPF records correctly. An SPF record is part of DNS and specifies which servers can send mail on behalf of the domain for which the DNS applies.

Typical errors:

  • Your server's IP address is not in the SPF.
  • Your server's IPv4 address is in the SPF, but its IPv6 address is not.

An SPF record is a TXT record in your DNS, with contents that typically look like this: v=spf1 mx a [ip addresses] [domains] [other SPF records to include] ~all

  • mx: When the mail is sent from the MX record of the domain, the mail is allowed.
  • a: If the IP address from which the sender originates is the IP address (A record) of the domain, then the mail is allowed.
  • ip4: When the mail is sent from this IPv4 address, the mail is allowed.
  • ip6: When the mail is sent from this IPv6 address, the mail is allowed.
  • ~all: If the server from which mail is sent is not listed in this SPF record, accept the mail but send it to spam.

Example: say this is the server where my shop or website is hosted and that I need to send email from.

  1. My domain name is example.com
  2. My server's IPv4 address is 192.88.99.0
  3. My server's IPv6 address is 2001:0db8:85a3:0000:1319:8a2e:0370:7344
  4. The domain example2.com is also allowed to send email on behalf of example.com
  5. Mailchimp should also be allowed to send email on behalf of example.com, and Mailchimp's own SPF record is located at servers.mcsv.net

My SPF record should be:
v=spf1 mx a ip4:192.88.99.0 ip6:2001:0db8:85a3:0000:1319:8a2e:0370:7344 a:example2.com include:servers.mcsv.net ~all

You can generate an SPF record on this URL (you have to know what to fill out): https://www.spfwizard.net/
If you want to check whether your SPF record's syntax is correct, you can do so here: http://www.kitterman.com/spf/validate.html?
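
The two typical errors listed above (a server address missing from the record, or IPv4 present but IPv6 not) can be caught offline before you publish the record. The following is an added example, not part of the original article. It assumes you know the addresses your server sends from, and it compares them only with literal ip4/ip6 terms: mx, a and include need DNS to resolve, so they are only counted against the RFC 7208 limit of 10 lookups.

```python
import ipaddress
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF check.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}

def parse_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("an SPF record must start with v=spf1")
    nets, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.fullmatch(r"([A-Za-z0-9]+)(?:[:=/](.*))?", term.lstrip("+-~?"))
        if not m:
            raise ValueError(f"cannot parse term {term!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # raises on bad input
            if net.version != int(name[2]):
                raise ValueError(f"{term!r}: address family does not match")
            nets.append(net)
        elif name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return nets, lookups, all_qualifier

def audit(record, server_ips):
    nets, lookups, all_qualifier = parse_spf(record)
    issues = []
    for ip in map(ipaddress.ip_address, server_ips):
        if not any(ip.version == n.version and ip in n for n in nets):
            issues.append(f"{ip}: no matching ip{ip.version} mechanism")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms, limit is 10")
    if all_qualifier is None:
        issues.append("no 'all' mechanism at the end")
    elif all_qualifier == "+":
        issues.append("+all authorises every server on the internet")
    return issues

# The article's example record and server addresses.
RECORD = ("v=spf1 mx a ip4:192.88.99.0 "
          "ip6:2001:0db8:85a3:0000:1319:8a2e:0370:7344 "
          "a:example2.com include:servers.mcsv.net ~all")
SERVER_IPS = ["192.88.99.0", "2001:0db8:85a3:0000:1319:8a2e:0370:7344"]
print(audit(RECORD, SERVER_IPS))
```

An address reported as missing may still be authorised through mx, a or include, so confirm with a live lookup before changing the record.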