SPF + DKIM + DMARC = Passed yet message ends in spam

Question

Trying to send out emails yet they end up in spam folders for some reason. So we tweaked and adjusted Dkim and Dmarc, now all records show passed within Gmail, yet still flags as spam.

Also tested via dkimvalidator , this results in all records pass and showing

SpamAssassin Score: -0.1
Message is NOT marked as spam

Now the breakdown of an email is shown below.

Sending IP has been changed for this post to 123.456.789.12

Sending domain has been changed to somedomain.net

sending email address has been changed to support@somedomain.net

Receiver email address has been changed to someuser@gmail.com

Original Message
Message ID  <3164f55daebbc258d0a4846eda47142b@somedomain.net>
Created at: Fri, Mar 15, 2019 at 3:06 PM (Delivered after 1 second)
From:   support@somedomain.net
To: someuser@gmail.com
Subject:    Are you getting our emails?
SPF:    PASS with IP 123.456.789.12Learn more
DKIM:   'PASS' with domain somedomain.netLearn more
DMARC:  'PASS' Learn more





Delivered-To: someuser@gmail.com
Received: by 2002:a05:6504:1158:0:0:0:0 with SMTP id r24csp952466ltn;
        Fri, 15 Mar 2019 12:06:09 -0700 (PDT)
X-Google-Smtp-Source: APXvYqwbxqRfiq2UKjVTB57wP4g1MW2NvFWKdyYY9P4PITERpXVsMmcdriTP6Fp9rsf+DU2Ky1nQ
X-Received: by 2002:a1c:230e:: with SMTP id j14mr3316801wmj.9.1552676769338;
        Fri, 15 Mar 2019 12:06:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1552676769; cv=none;
        d=google.com; s=arc-20160816;
        b=kI1D5Zd50f7UIVNtLYscVA3w9dhrAzg3YfuSMJWIIag6Le+YNqzYUpTxlQ11pK0Jvd
         9bQ8KztlKnEwTWvC90bUrX7FvNTdKTEeatTQao5I5z77QxBG8q96cYYnbmzHVzsKxcS6
         eBJYwO7gabkTsJzdGHYeYR9pYHPANr5vhtkpGYn4OSEAvrTokXHnI7Lma5MlI+QcJFhO
         eGb6omkWY05TGfZZYMJ9ny/8WBhG6W3mpuT+x3Z0mv9IWnuxhhnDWgYGb+qEK/cUkCjl
         CLHaxq+uRh8MXnjzoChWHXc4elm8yKo9CS3qqAppMThxQ3X/2kp9SVg+EPKut9R3OtG0
         D+ng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:user-agent:subject:to:from:date
         :content-transfer-encoding:mime-version:dkim-signature;
        bh=GrxIPJ9zPlbqzf38J/MOr7Lt7eP6CUv0wQxJqM2McmE=;
        b=QgXB7YGir4NdgYnbt+2pORQCK5bMsOT+mHtSghj+CrTIORIqW04ie/3v8iWpMop2uc
         ZYby4O/YD5TohP7VnYT1/lHGcQO8BCK+BCqXJaJb1JyzoRFyAM2aVMfJonRphm3VSfzH
         JCGAAQjW3hTRsANmiU4Toh5IgXVgLvz2ZFSbOjY+xEopHJar1XXg9kN9N+A8kZMJWIIk
         dVXrhwSDV/1Z0/8ObepuXI+KZNRpyKItMjMMDDyh1Py7cQl1MJXnoTzr53aCeDw3nWWg
         yUDRjq3kDUK2Rm0X/O43DGHQvAHvk7gge4UaE5rDFjtBphLVYO0Zadto3bQAFwAMouR9
         H9Qg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@esomedomain.net header.s=mail header.b="cLQsKmq/";
       spf=pass (google.com: domain of support@somedomain.net designates 123.456.789.12 as permitted sender) smtp.mailfrom=support@somedomain.net;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=somedomain.net
Return-Path: <support@somedomain.net>
Received: from ms101.somedomain.net (vmi247326.someotherotherdomain.net. [123.456.789.12])
        by mx.google.com with ESMTPS id k4si945224wmi.131.2019.03.15.12.06.09
        for <someuser@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 15 Mar 2019 12:06:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@somedomain.net designates 123.456.789.12 as permitted sender) client-ip=123.456.789.12;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@somedomain.net header.s=mail header.b="cLQsKmq/";
       spf=pass (google.com: domain of support@somedomain.net designates 123.456.789.12 as permitted sender) smtp.mailfrom=support@somedomain.net;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=somedomain.net
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=somedomain.net; s=mail; h=Message-ID:Subject:To:From:Date: Content-Transfer-Encoding:Content-Type:MIME-Version:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
     bh=GrxIPJ9zPlbqzf38J/MOr7Lt7eP6CUv0wQxJqM2McmE=; b=cLQsKmq/CfXyv0nzG9Fwi6cs4 Ei3zkeoZTgWBvLZfF303+EVPnwUdqgKKlXfLntlfW+8lp54rm3S/dI9p640dC6IIoGJrdkYwWUw+0 J0K6U9rSTs1yUJ8mM6kWdYURmUQ7eAMvbqFtCIXhcXPBBlKDgvFGCpwz5GnSark8zkU7c=;
Received: from localhost ([127.0.0.1] helo=ms101.somedomain.net) by vmi247326.someotherdomain.net with esmtp (Exim 4.91) (envelope-from <support@somedomain.net>) id 1h4s9g-0001pt-Nb for someuser@gmail.com; Fri, 15 Mar 2019 15:06:08 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Fri, 15 Mar 2019 15:06:08 -0400
From: suppor@somedomain.net
To: someuser@gmail.com
Subject: Are you getting our emails?
User-Agent: Roundcube Webmail/1.4-rc1
Message-ID: <3164f55daebbc258d0a4846eda47142b@somedomain.net>
X-Sender: support@somedomain.net

Currently running centos 7 --> VestaCP Roundcube using postfix, yet don't mind switching to horde or 3rd party ESP if needed.

The only thing that I can think is the sending domain is a sub domain of the root yet we've added MX record with priority 1 within DNS on cloudflare to accept mail for root domain, yet the sub domain is hosted on same server and same IP.

The Message ID is being generated from somewhere, I am not sure. This may be the reason for spam flag as well.

Any help is greatly appreciated.

Answer 1

I worked in G Suite support a while back, spent a lot of time working with Gmail.

Some things to keep in mind,

1) Try to have your SPF with ~all instead of ?all (I can still see your domain in the return path, you may want to edit that out).

2) Your DKIM needs to be added into the domain listed in the return path. If the return-path is domaina.com, the DKIM needs to be from domaina.com

3) DMARC doesn't really help that much when sending email, is mostly used to prevent inbound spoofing against your domain, it's still good to have it nonetheless.

4) Try sending emails from a different server, sometimes specific servers have pretty bad rep, causing emails to be marked as spam (mail-tester.com tool helps get an idea of how spammy your emails are).

5) Try not to send marketing emails to people who have never heard from you. In case you're actually doing that, use a dedicated service (like Mailchimp) that maay help the delivery (also, avoid bccs).

Other than that, the tough answer, you can do everything good, but there is 0 guarantee that your email will never be marked as spam, sadly, it's half in your control, the other half is what others have reported from your domain, your server, your content, your actual username, links included, etc. Keep in mind that your reputaion varies per server, so if emails land in spam in Gmail, it doesn't necesarily mean that it'll land in spam in hotmail. Sometimes using a completely different domain/server/service helps, but if the reputation is already tainted, only marking emails as 'not spam' would eventually help the delivery (I know, it sucks when that happens).

Cheers!