blog.thms.uk

Testing your email setup

In a previous post I wrote about setting up DNS records to protect your email brand. Have a read of that post, to learn how and why you should set up SPF, DKIM, and DMARC. But assuming you have done this (or are in the process of doing it), how do you actually confirm that you've set all three up correctly? After all, misconfiguration of these can cause significant harm by causing legitimate email to be sorted as spam. And, if you suspect you might have deliverability problems, how do you actually test what's going on?

This post runs through a few options. Personally, I run through them all in order, every time I set up a new domain for email, or make any changes to a domain's SPF, DKIM, or DMARC records, for example when switching / adding / removing an email provider.

mail-tester.com

I like mail-tester.com for it's simplicity: It'll provide an address that you send an email to. Once you have done that, it gives you a fairly straightforward report on what is good, and what needs improvement.

On the results page, you can ignore almost everything, but do expand the section about authentication. Here is how mine looks:

mail-tester authentication results

You can expand each of these sub sections further to get more detailed explanations, and if any of these doesn't have a green tick, you need to fix them, before you move on.

You may wish to have a look at the SpamAssassin section too. In the below screenshot you can again see how the DKIM and SPF have both passed. You can also see my email has been down-marked for the contents of my email, which is expected, because I sent an email containing just the word test which is obviously a bit spammy.

SpamAssassin result

None of this is surprising, but there is one thing I do want to point out: I also get fairly significant down-rating for FROM_SUSPICIOUS_NTLD, FROM_SUSPICIOUS_NTLD_FP and PDS_OTHER_BAD_TLD all just because I'm using a fairly new TLD. (I personally observed this on .xyz and .gdn domains, but I know it affects almost all the new TLDs.)

So watch out for that if you are using any of the newer TLDs: Obviously SpamAssassin is only one product, and there are plenty of other factors before your emails go to spam, but the fact remains, that some mail providers seem to significantly penalise newer TLDs. Sadly, I have therefore stopped using the new TLDs for pretty much anything. Big big shame, and I hope the day will come that I can remove this paragraph from this post.

mxtoolbox.com

mxtoolbox.com is quite advanced, and offers a lot of checks, but to get started, us their SuperTool. Plug in your domain, and you'll get some instant feedback:

mxstoobox SuperTool result

E.g. here it is complaining that I have set up my DMARC policy with p=none. As discussed in the previous article, you shouldn't really do that.

Header Analysis

Now it's time to get your hands dirty: sign up to Gmail and Outlook and send yourself a couple of test emails. Get the email headers and paste them into mxtoolbox's Header Analyser

This will spit out a lot of useful stuff:

mxtoolbox header analyser results

Firstly it will show the SPF, DKIM and DMARC results for your email. Sort out any issues highlighted, such as the failing DKIM authentication above.

Secondly, it'll show the path your email took on its way to the recipient, and if any of the servers along the way are listed on any blacklist. If they are, talk to your email provider.

Underneath - and not shown here - is a lot more detail about the SPF, DKIM, and DMARC checks, which may help you pinpoint additional problems, so if you get a red mark for any of these, scroll down, and expand all the sections.

If you got questions, do feel free to leave a comment below, and I'll see if there is anything I can advise.

DMARC monitoring

Once you have sorted this all out, you can be confident that it's all set up correctly. But how do you monitor your setup going forward?

This is where I use Postmark's DMARC tool. How does this work? Well, you may remember from my DMARC discussion that DMARC has the rua=mailto:... tag, and that email providers will send reports about the SPF and DKIM test results of any email they receive to the email address provided. The DMARC tool provides an email address that you can insert into your DMARC record. Postmark will then evaluate your reports, and send you a weekly summary, telling you how many emails where received by them, and crucially if any of your emails failed the SPF/DKIM/DMARC tests.

This is extremely helpful when first setting up SPF, DKIM, and DMARC: Set your DMARC to p=none and any misconfiguration won't result in your emails being sent to spam, but they will be flagged in your weekly report, so you can fix any mistakes. Once you have confidence that everything is configured correctly, don't forget to change to p=quarantine or p=reject, as otherwise you are missing out on DMARC's best part.

Crucially it's also helpful for ongoing monitoring though: As this tool continues sending you weekly reports, it'll help you identify and fix potential issues.

Summary

In this post I've shown you a few options to test your SPF, DKIM, and DMARC setup. I use them all, every time I setup a new domain for email sending, or make any changes, and I use Postmark's DMARC tool for ongoing monitoring.

These tools should both give you the confidence to configure your DMARC with p=reject or p=quarantine (which may seem risky without them), and they will also help you keep on top of new developments / changes.

If you do believe you may have deliverability issues, these may also help you identify them.