"Your IP: ex. 000.00.000.00 : Your domain gmail.com is not allowed in header From" - phpmailer

When someone tries to contact me through the contact form, I receive this: "Your IP: ex. 000.00.000.00 : Your domain gmail.com is not allowed in header From". What is it?
I tried to contact the support, but they can't help.

This will be because you're trying to send your contact form data as an email sent from your gmail.com address, but without sending it through gmail's servers. Gmail doesn't let you do this – their DMARC and SPF config prevents you from doing it.
So you need to either send through Gmail's servers, or use an address that's not handled by gmail.

Related

Check if an email was replied to using Mailgun API

I'm building a SAAS app that allows users to send email sequences, I want to stop the sequence when a user replies to an email sent by my app.
Based on what I found on the internet I should use Mailgun Routes to accomplish it.
I have all set up (Domain and MX records) but I couldn't forward emails to my server.
What I want to accomplish is the following:
- User A uses this email address (usera@example.com)
- User B uses this email address (userb@lorem.com)
- User A sends an email using my platform, my platform calls the Mailgun API to send it
- User B receives that email and hits reply
- Mailgun notices that User B replies and forwards that reply to my server.

I own neither the example.com nor the lorem.com domain.
What am I doing wrong?

If you control neither, you can't. Set the Reply-To address to something you control and that's linked to Mailgun Routes, check the Message-ID then forward the e-mail to user B.
Rather than using the Message-ID header, some people generate a unique Reply-To address (replies+a2c4e6@some-domain.tld) as the In-Reply-To header isn't guaranteed to be sent.
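
The unique Reply-To approach from the answer above, as an added example that is not part of the original post: the address carries the message id plus a truncated HMAC, so the inbound handler can reject guessed or forged reply addresses. The secret, the id format and the function names are assumptions made for illustration.

```javascript
// Added example: signed per-message Reply-To addresses (names are hypothetical).
const crypto = require('crypto');

// Assumption: a secret known only to your application; load it from config in real use.
const SECRET = 'constructed-demo-secret';
// Domain whose MX records point at your inbound mail route.
const REPLY_DOMAIN = 'some-domain.tld';

// Truncated HMAC binds the address to the message id so it cannot be guessed.
function tagFor(id) {
  return crypto.createHmac('sha256', SECRET).update(id).digest('hex').slice(0, 16);
}

// Build the Reply-To header value for an outgoing message.
function replyToFor(id) {
  if (!/^[a-z0-9]+$/.test(id)) throw new Error('id must be lowercase alphanumeric');
  return `replies+${id}.${tagFor(id)}@${REPLY_DOMAIN}`;
}

// Given the recipient address of an inbound reply, return the message id,
// or null when the address is malformed, for another domain, or has a bad tag.
function messageIdFromRecipient(recipient) {
  const addr = String(recipient).trim().toLowerCase();
  const m = /^replies\+([a-z0-9]+)\.([0-9a-f]{16})@(.+)$/.exec(addr);
  if (!m || m[3] !== REPLY_DOMAIN) return null;
  const expected = Buffer.from(tagFor(m[1]));
  const given = Buffer.from(m[2]);
  // Constant-time comparison; both buffers are 16 bytes because the regex fixes the tag length.
  return crypto.timingSafeEqual(expected, given) ? m[1] : null;
}
```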

How does the "Send Mail As" feature work (at a technical level) in Gmail?

I don't have any technical problems, but I have a question that I would like to be answered out of curiosity.
Here is my current understanding of how email works:
One of the privileges of having your own domain is that you can hook it up to IMAP/POP3/SMTP servers and use them to send and receive messages to and from "anyone@yourdomain.com". With spam being such a problem, however, the SMTP server that you use to send messages must add a bunch of headers (DKIM, SPF, etc) to each message that you send in order to prove that the SMTP server has the authority to send emails from that domain. The receiving SMTP server can cross-check those headers with DNS records that it finds to verify the legitimacy of the email message.
So if you want to send emails with your domain cheaply, you can use Gmail's "Send Mail As" feature. I followed this help article to get mine working: https://support.google.com/domains/answer/9437157
Note: I unchecked the "Treat as an alias" option during the setup.
But wait... no additional DNS configuration required? I have my domain registered with Cloudflare, and there are no entries related to Google in there.
There is this step in the setup process:
But it seems that this is only for Google to prevent you from using their servers to send spam. What is stopping Google from impersonating any email address they want? Why do receiving SMTP servers trust an email from "anyone@yourdomain.com" if Google's SMTP servers have no way of adding legitimate SPF/DKIM headers?

The short answer is that nothing prevents Google from doing this, and that DMARC was created for exactly this case.
There is nothing that stops Google from impersonating any domain. However, there are things receivers can (and should) do when they receive an email which isn't sent from the server indicated in the From: field.
Try sending an email from the alias you just added to a different @gmail.com inbox. You will see that it says via gmail.com behind the sender email address. But other email receivers might do more: flag this message with red exclamation marks and scam warnings, throw it into spam or even deny receiving it completely. Gmail probably has some hardcoded trust, but try doing this from your own SMTP server and the above will very likely happen.
As you say in your question, you can authorize your emails by marking gmail.com as an authorized sender with SPF (which protects against forging from other domains, but doesn't stop Google), or even sign your emails with DKIM (not possible from Gmail UI, but you can do this in some email clients or send email with a custom Python script like me; Google can't do this without knowing the key).
However, that only solves one side of the problem – authorizing legitimate email messages. But what if an SMTP server still receives an unverified email? What if they have previously received an email from the same sender which was DKIM signed? What if DKIM passes, but SPF fails?
Because the behavior in that case is largely unspecified, and also the sender wants to check if their DKIM/SPF authorizations are actually working, and if anyone is attempting to spoof them, another standard was created: DMARC. It introduces another DNS TXT record where you can say what checks are required to pass, what to do if they fail, and also what basic analytics should the receivers report to the owner of the domain.
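
How a receiver applies the DMARC record described above, as an added example that is not part of the original answer: the message passes if either SPF or DKIM passes for a domain aligned with the From: domain, which settles the "DKIM passes, but SPF fails" case. The policy string, the message objects and the function names are constructed for illustration.

```javascript
// Added example: simplified DMARC evaluation (ignores the pct, sp and reporting tags).
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  const valid = tags.v === 'DMARC1' && ['none', 'quarantine', 'reject'].includes(tags.p);
  return valid ? tags : null;
}

// Simplification: the last two labels stand in for the organizational domain;
// real receivers use the Public Suffix List.
function orgDomain(d) {
  return d.toLowerCase().split('.').slice(-2).join('.');
}

// mode 's' = strict (exact match); anything else = relaxed (same organizational domain).
function aligned(fromDomain, authDomain, mode) {
  return mode === 's'
    ? fromDomain.toLowerCase() === authDomain.toLowerCase()
    : orgDomain(fromDomain) === orgDomain(authDomain);
}

// msg: { from, spf: { result, domain }, dkim: [{ result, domain }] }
function evaluateDmarc(msg, recordTxt) {
  const rec = parseDmarc(recordTxt || '');
  if (!rec) return { result: 'none', disposition: 'none' }; // no usable policy published
  const spfOk = msg.spf.result === 'pass' && aligned(msg.from, msg.spf.domain, rec.aspf);
  const dkimOk = msg.dkim.some(
    (s) => s.result === 'pass' && aligned(msg.from, s.domain, rec.adkim));
  if (spfOk || dkimOk) return { result: 'pass', disposition: 'none' };
  return { result: 'fail', disposition: rec.p };
}

// Constructed policy and messages for yourdomain.com (not real DNS data).
const POLICY = 'v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com';
// DKIM signed by the domain owner, SPF failed: one aligned pass is enough.
const dkimOnly = { from: 'yourdomain.com',
  spf: { result: 'fail', domain: 'yourdomain.com' },
  dkim: [{ result: 'pass', domain: 'yourdomain.com' }] };
// SPF and DKIM both pass, but for the relay's domain rather than the From: domain.
const unaligned = { from: 'yourdomain.com',
  spf: { result: 'pass', domain: 'relay.example' },
  dkim: [{ result: 'pass', domain: 'relay.example' }] };
```
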
Of all webmail client providers, Google's Send mail as is actually the most well-implemented for a variety of reasons.
First of all, how it works is not different from when you set up POP3 or IMAP using a mail client like Outlook or Thunderbird. You have to specify the domain and port where you receive emails from, and the domain and port where you send emails from. For example, Google's incoming and outgoing servers for IMAP are as follows:
imap.gmail.com:993
smtp.gmail.com:465
The Send mail as feature is a partial implementation of that. It only implements the outgoing part.
Mail clients like Outlook and Thunderbird basically send the email to the outgoing mail server, and the outgoing mail server then sends the email. Usually, outgoing mail servers will require some sort of authentication, and will allow authenticated users to only send from specific email addresses.
Gmail works the same way. The outgoing mail server is the one that has to pass the SPF and DKIM tests, not Google's servers.
No other webmail clients do this. Hotmail used to do this, but they recently removed the feature. Now, the option is very difficult to find, and they just rewrite your FROM address and send your email from Hotmail's SMTP server, which creates delivery problems.
They don't provide you with the option to send emails from another SMTP server, because this allows people to very easily set up virtual mail servers that can send emails under a domain of your choice, but use say a typical free Hotmail account to store incoming mails. This takes away business from their paid services, because both Hotmail and Gmail sell the option to host your company emails. I'm sure Google also knows about this, but it is really awesome of them to still keep the option available to free Gmail users.
If you want to learn more about virtual email servers, you can check out this article here: https://blog.terresquall.com/2022/01/setting-up-a-virtual-postfix-mail-server-part-1/

Nodemailer direct transport blocked by recipient email

I'm using nodemailer, and a direct transport to send an email. The email is successfully sent, but blocked intermittently by the recipient's firewall and never ended up in the recipient email inbox.
Here's my code that sends the nodemailer email:
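var nodemailer = require('nodemailer'),
    // Assumption: the line defining sendmail is missing from the post;
    // nodemailer-sendmail-transport is the plugin that provides it
    sendmail = require('nodemailer-sendmail-transport');
var transport = nodemailer.createTransport(sendmail());
var mailOptions = {
    to: 'recipient@email.com',
    from: 'Sender <sender@blah.com>',
    subject: 'Subject',
    html: 'html'
};
// err and info are ignored here
transport.sendMail(mailOptions, function(err, info) {});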
When I change my "to" to a @gmail.com email, my mail was sent through. I'm not sure how the recipient firewall is configured, but is there a way for me to increase the chances of my email making it across?
Note that blah.com, the from email domain that I'm sending out from is not actually a registered domain. I hosted my server on localhost. Could hosting on AWS, registering the domain blah.com and adding in MX records somehow increase the chances of my email being sent through?

This is what usually happens when a mail is sent from a domain like blah.com:
1. Mail sent
2. The "to address" SMTP server gets the mail
3. It checks the SPF record of blah.com and the DKIM signature of the mail
4. If the blah.com DNS contains an SPF record allowing you to send on behalf of that domain, you pass the first test.
5. If your mail is signed properly with DKIM, you pass the second test.
6. Then the SMTP server checks if your sending IP has been blacklisted for spamming; if not, you pass the third and final test.
7. If all mail params are in order, then it forwards the mail to the recipient.

What happens in your case is that step 3 is not set up, therefore you cannot successfully send the mail. It would be a lot easier to use a 3rd party service to send mail because they pretty much hold your hand through the entire process and sign all the messages for you.
So you either need to implement these standards yourself or need to use a third party to increase your deliverability.
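
The SPF test from the steps above, as an added example that is not part of the original answer: a receiver-side check of the sending IP against the sender domain's record, covering only the ip4, include and all mechanisms. The domains, addresses and records are constructed, and a Map stands in for DNS TXT lookups.

```javascript
// Added example: minimal SPF evaluation (ip4, include and all only).
const QUAL = { '+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral' };

function ip4ToInt(ip) {
  return ip.split('.').reduce((n, o) => (n * 256 + Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, len] = cidr.split('/');
  const bits = len === undefined ? 32 : Number(len);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip4ToInt(ip) & mask) >>> 0) === ((ip4ToInt(net) & mask) >>> 0);
}

// records: Map of domain -> TXT record, standing in for DNS so this runs offline.
function checkSpf(ip, domain, records, depth = 0) {
  const txt = (records.get(domain) || '').trim();
  if (!/^v=spf1(\s|$)/i.test(txt)) return 'none'; // no SPF record published
  if (depth > 10) return 'permerror';             // stop include loops
  for (const term of txt.split(/\s+/).slice(1)) {
    const hasQual = QUAL[term[0]] !== undefined;
    const result = QUAL[hasQual ? term[0] : '+'];
    const mech = (hasQual ? term.slice(1) : term).toLowerCase();
    if (mech === 'all') return result;
    if (mech.startsWith('ip4:') && inCidr(ip, mech.slice(4))) return result;
    if (mech.startsWith('include:')) {
      const inner = checkSpf(ip, mech.slice(8), records, depth + 1);
      if (inner === 'pass') return result;
      if (inner === 'none' || inner === 'permerror') return 'permerror';
    }
    // a, mx, ip6, exists and modifiers are not evaluated in this sketch
  }
  return 'neutral'; // nothing matched and the record has no "all" term
}

// Constructed records (documentation address ranges, not real DNS data).
const RECORDS = new Map([
  ['sender.example', 'v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all'],
  ['_spf.mailer.example', 'v=spf1 ip4:198.51.100.16/28 ~all'],
]);
```

A domain with no record, such as an unregistered one, yields `none`, so the receiver has nothing that authorizes the sending host.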

Gmail randomly exposes gmail address

I have various email addresses set up under Gmail. I have checked 'Treat as Alias' and also checked 'Reply from the same address the message was sent to'. Despite this I find that Gmail will randomly expose my user@gmail.com address when sending mail, or when I reply to mail sent to one of my pseudonymous addresses.
Have other people had this problem?
Is there something else I need to do to get Gmail to secure my email addresses?
Is there another service I should consider that has better integrity with regard to this issue?

Send authorized email in behalf of xxx@domain.com from a server that hasn't that domain

I'm using PHPMailer on PHP on Apache2.0 on Unix with sendmail to create a webservice that can send emails to some customers.
This server doesn't have a domain and the emails will have a "From: xxx@domain.com" header as they will be sent on behalf of the mother website (let's say domain.com).
Now, everything works, but Gmail and Hotmail detect my email as spam.
It seems legit as there is currently no correlation between the sender server and the mail sender address.
What do I have to do to tell Google that the emails are authorized?
How do I have to set an SPF record for domain.com?
Thank you
