Email Reliability: use an SPF record

A while back I outlined my system for preventing comment spam. One of the core fundamentals in there is that I send people an email to verify their email address before their comment is published. For this to work well, I need to be able to trust that my email is received. As it turns out, email reliability is far from easy, let alone email reliability for email coming from your own web server. One of the important things is setting up an SPF record.

There are all sorts of factors that decide whether your email is delivered or not, but one of the most important ones is a DNS record called SPF. SPF stands for Sender Policy Framework and lets the receiving mail server reliably determine whether the server that is sending it email is actually allowed to send email for your domain. Adding one will increase your email reliability incredibly.

As with most DNS record types, the syntax is quite hard to explain, so I won’t even try. Let me link you to the Wikipedia page if you really want to know. What I found way more helpful, though, when I was searching and trying to figure out how to do this, is Microsoft’s wizard for this stuff. It asks you a bunch of questions and will still require some time on your side, but it got me to the desired end result a lot faster.

SPF records, Google Apps for Domain and email reliability

I use Google Apps for domain to handle my email, which means that I do most of my sending through a Google SMTP server. Because of that I had set the SPF record in the manner Google suggests here. The thing missing from that is very, very subtle, but makes all the difference. It’s a few letters, let’s see if you can spot it. This is the SPF record Google gave me:

v=spf1 include:_spf.google.com ~all

This is what it actually needed to be:

v=spf1 a include:_spf.google.com ~all

You will have spotted the addition of “a ” after “spf1”. This simple addition means that all web servers that are identified in my domain’s A records, hence, all the web servers from which I run my domain and subdomains, are allowed to send email as well.

The include directive means that Google can set up SPF records for the domain _spf.google.com and thus add or remove mail servers without you having to change anything.

How to test email reliability

If you’re now thinking “I don’t know whether this has been set up correctly for my domain”, don’t fret. You can test it quite easily. Go to this SPF testing tool and use the 3rd form on the page. Using only the first and third input of that form, enter your web server’s IP address and your from address, which is usually wordpress@yourdomain.com if you’re running WordPress. With my initial test, it gave this result:

[Screenshot: email reliability report]

This means that this test won’t fail your email per se (as there was no SPF record), but stricter email servers might. In other words, you’ve got quite low email reliability. Now I ran it with the SPF record I had just fashioned using Microsoft’s wizard and it gave me this:

[Screenshot: email reliability high]

That is the result you want to see, as that means my server’s email reliability just went up quite a bit.
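The three situations above (no SPF record, the record Google suggested, and the record with “a” added) can be compared side by side. This is an added example, not code from the original post: a minimal evaluator for a subset of SPF (a, ip4, include, all) run against constructed DNS data. The domain example.com, the IP addresses and the contents of _spf.google.com are made-up sample values, not real lookups.

```python
import ipaddress

# Constructed sample DNS data: documentation-range IPs, not real lookups.
# The TXT value for _spf.google.com is made up, not Google's published record.
ZONE = {
    "A": {"example.com": ["203.0.113.10"]},
    "TXT": {"_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all"},
}
GOOGLE_ONLY = "v=spf1 include:_spf.google.com ~all"
WITH_A = "v=spf1 a include:_spf.google.com ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone, record=None):
    """Evaluate a subset of SPF (a, ip4, include, all) for a sending IP.

    `record` overrides the TXT lookup so a draft record can be tested.
    """
    if record is None:
        record = zone["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published: receivers cannot verify anything
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":  # A records of the named (or current) domain
            matched = ip in zone["A"].get(arg or domain, [])
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":  # matches only if the included policy passes
            matched = check_spf(ip, arg, zone) == "pass"
        else:
            continue  # mechanisms outside this subset are ignored here
        if matched:
            return QUALIFIERS[qualifier]  # first matching term decides
    return "neutral"


if __name__ == "__main__":
    web_server, google_smtp = "203.0.113.10", "198.51.100.25"
    print(check_spf(web_server, "example.com", ZONE))               # none
    print(check_spf(web_server, "example.com", ZONE, GOOGLE_ONLY))  # softfail
    print(check_spf(web_server, "example.com", ZONE, WITH_A))       # pass
    print(check_spf(google_smtp, "example.com", ZONE, WITH_A))      # pass
```

With only the include, mail sent directly from the web server falls through to “~all” and gets a softfail, which is why the “a” mechanism matters for WordPress notification mail.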

WordPress specific email reliability: using another SMTP server

Quite often email from your own server won’t work as expected; especially when you’re on a shared host, it can give issues. There are quite a few plugins out there to help you set up an external SMTP server; I’ve relied on Coffee2Code’s Configure SMTP plugin myself a few times. There are some issues with that though, especially once you start to get more visitors, as most SMTP servers for free email services have a limit on how many emails you can send per day.

If you can, just use your own server or outsource the email delivery to a third party that specializes in sending service emails. I’ve been testing SendGrid myself, but wasn’t completely happy with it. Their reliability was a lot higher but the costs are quite high too when you get several hundred comments. You might think “that’s only a couple of hundred emails”. Well, it’s not.

If you have subscribe to comments enabled, which I highly suggest you do, it’ll be a lot more. I get anywhere from 20 to 200 comments on a post, on average about 80 at the moment. If 50% subscribe to comment notifications, that adds up to an enormous amount of email being sent.

As for newsletters, there are plugins for sending those from your WordPress install too. I highly encourage you not to do that. Use Mailchimp, or any other newsletter service for that. Their reliability is way higher and you get awesome statistics and subscription services to boot.

Are you using other services that send email for you?

If you’re using other services that send email for you, for instance if you’re using Freshbooks for invoicing like I do, be sure to include them in your SPF too. Just add another include like we did above for Google:

include:_spf.freshbooks.com

There are more services that support this, so be sure to check whether you’re using any services that send email on your behalf. Email reliability is important, but even more important when it’s sending your invoices!

Update from Antonio Romero in the comments, the same goes for MailChimp:

include:servers.mcsv.net

Just updated my own SPF with that as I use my own email address as a from address there.

Conclusion: make sure your email reliability is high!

Whether you run your own server or not, it can’t hurt to do the check above to see whether your email has a high chance of being delivered. If you’re sending email from your web server, be sure to do the above check and make the necessary changes to your SPF record if needed!

Bonus tip: DKIM

If you’re using Google Apps for domain, be sure to read this guide and implement everything in it. It’ll help you set up domain keys, which adds another layer of spam protection.
