Avoid Sending Spam With Craft CMS

Posted: 24th Sep 2021

If you've tried sending emails with Craft CMS, or with any tech stack, you've probably found yourself being sent to the dreaded spam box. Critical emails go missing, users get confused - not a good situation.

Figuring out why emails get marked as spam by email clients can seem pretty opaque and unclear at first, and can be particularly annoying if you only need to send a handful for password resets, invite links, etc.

Let's have a look at what we can do to get emails actually landing in our users' inboxes.

1. Don't use sendmail

Out of the box, Craft CMS will use "sendmail" to... send mail. In other words, it's the default "Transport Type" in Craft's control panel email settings.

But what is it exactly?

Sendmail is a tool, commonly called via the command-line, which triggers emails to be sent to any address you give it. It's very straightforward to use, especially with Craft, and it's available on a lot of hosting providers.

But! Because of its availability and simplicity it's often used by spammers to fire out thousands of unwanted emails. This could be done via their own personal laptop, or via a network of spambots.

Consequently, you have to tick a lot more boxes to get email clients to trust your sendmail emails. Extra configuration, getting recognised and whitelisted by popular email providers, etc.

At Servd, we don't even install it on our servers. This is to avoid intentional spamming, but is also a firm hint to our customers that there are better ways to send emails out there. Ones that will result in fewer emails being marked as spam. 👇

2. Use SMTP

You'll notice another email transport type that Craft comes with out of the box is "SMTP".

90% of the time, the SMTP option is the one you'll want to use if your site sends any emails. It allows you to connect to a third-party email server via SMTP and request that it sends emails on your behalf.

Why is this better than using sendmail? These third parties (e.g. AWS SES, Mailgun, Postmark, SendGrid, Mandrill, etc) are reputable and trusted email senders that monitor their traffic and promptly block spammers who mean to piggyback on their credible reputation. Therefore, email clients are much less likely to mark emails sent from these services as spam.

Compared with properly configuring sendmail, SMTP is more straightforward:

  1. Sign up for an account with a trusted sender.
  2. Grab a set of SMTP credentials from them.
  3. Add the credentials to your Craft email settings.
  4. Hit the "Test" button to send a test email to your control panel email address.

One disadvantage of using these third party senders is that you often have to pay a recurring monthly subscription to use them. This can be a little frustrating, especially if your site only sends a handful of emails every month.

To get around this, we've partnered with ElasticEmail to provide each Craft CMS site hosted on Servd with 200 free email sends per month. To make it even easier, we automatically add all the required SMTP credentials as environment variables to your Craft project too! 😙👌

3. Set up an SPF DNS record

So now you're sending from a reputable source, we need to tell the world that this source is actually allowed to send emails on our behalf.

We do this by adding an SPF DNS record to the domain that corresponds to the "System Email Address" in your Craft email settings. E.g. if I want to send emails from joe@example.com, I would add the SPF record to the example.com domain.

What do SPF DNS records look like?

  • They're a TXT record.
  • Their DNS keys are the subdomain the SPF record is describing. This would be @ if it's the apex domain, e.g. example.com, or mysubdomain if it's describing mysubdomain.example.com.
  • Their DNS values always start with v=spf1; this is what identifies them as an SPF record.

What do the DNS record values look like?

v=spf1 a mx include:_spf.elasticemail.com ~all

You'll notice after the v=spf1, there's a bunch of stuff going on. Each segment is known as a "directive", or rule, that tells the email recipient where to check for allowed senders for this domain, defined via its own special syntax.

The email recipient will check the IP address the email was sent from against all the SPF directives for the sender domain to see if it can find one that mentions the IP address. If they can't find it, then that's a strong sign that someone's trying to impersonate you, which means straight to the spam hole.
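The check described above, as an added Python example (not code from the original post, Servd or Craft CMS): it walks the SPF record shown on this page directive by directive for a given sender IP. The `FAKE_DNS` table, its IP addresses and the contents given for `_spf.elasticemail.com` are constructed so it runs offline, and `check_spf` is a name chosen here.

```python
import ipaddress

# Constructed stand-in for DNS so the check runs offline. Addresses come from
# documentation ranges; the _spf.elasticemail.com value is NOT the real record.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 a mx include:_spf.elasticemail.com ~all",
        "A": ["192.0.2.10"],
        "MX": ["192.0.2.25"],  # addresses of the MX hosts, already resolved
    },
    "_spf.elasticemail.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the domain's SPF directives left to right for sender_ip."""
    if depth > 10:  # loop guard; RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    terms = dns.get(domain, {}).get("TXT", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism, _, value = term.lstrip("+-~?").partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mechanism in ("a", "mx"):
            # Simplification: no CIDR suffix support (a/24, mx/24).
            hosts = dns.get(value or domain, {}).get(mechanism.upper(), [])
            matched = sender_ip in hosts
        elif mechanism == "include":
            # include matches only if the nested record evaluates to "pass"
            matched = check_spf(sender_ip, value, dns, depth + 1) == "pass"
        else:
            continue  # modifiers and mechanisms outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"
```

An address outside every directive falls through to `~all` and comes back as `softfail`, which is the "straight to the spam hole" case.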

4. Set up a DKIM DNS record

DKIM is another type of DNS record that will improve your emails' deliverability. The core thing it does is prove to the recipient of your email that you sent it, which it does via public-private key cryptography.

When you add a DKIM record to your domain's DNS, you're sharing a public key with the world. The private key is held by your SMTP provider, and is used to sign the emails it sends on your behalf. When someone receives an email from you, their client will verify the email using your DKIM public key. If everything checks out, it's further proof that the email was indeed sent by you.

What do DKIM DNS records look like?

  • They're a TXT record.
  • Their DNS keys always contain _domainkey.
  • Their DNS values are usually long cryptographic keys.

What do the DNS record values look like?

k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbmGbQMzYeMvxwtNQoXN0waGYaciuKx8mtMh5czguT4EZlJXuCt6V+l56mmt3t68FEX5JJ0q4ijG71BGoFRkl87uJi7LrQt1ZZmZCvrEII0YO4mp8sDLXC8g1aUAoi8TJgxq2MJqCaMyj5kAm3Fdy2tzftPCV/lbdiJqmBnWKjtwIDAQAB

5. Set up a DMARC DNS record

DMARC is another protocol that:

  • Checks your SPF and DKIM are both passing.
  • Tells recipients what to do if DMARC fails for some reason.
  • Provides an email address to report back to when DMARC fails.

It's another string in your bow to prevent someone pretending to be you, and builds further confidence that you are who you say you are when sending emails.

What do DMARC DNS records look like?

  • They're also a TXT record.
  • Their DNS keys always contain _dmarc.
  • Like SPF, the record values use their own special syntax to define how DMARC should be configured for this domain.

What do the DNS record values look like?

v=DMARC1;p=none;pct=100;rua=mailto:joe@example.com;ruf=mailto:joe@example.com

Again like SPF, the first part of a DMARC "policy" is v=DMARC1, which indicates that this record is a DMARC record.
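An added Python example (not from the original post or Servd) that reads the DKIM and DMARC values shown on this page: it measures the RSA key published in the DKIM p= tag and lints the DMARC policy. The function names are chosen here; RFC 8301 recommends DKIM keys of at least 2048 bits, which is the reason to measure the key.

```python
import base64

# Record values copied from this page.
PAGE_DKIM = (
    "k=rsa;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbmGbQMzYeMvxwtNQoXN0w"
    "aGYaciuKx8mtMh5czguT4EZlJXuCt6V+l56mmt3t68FEX5JJ0q4ijG71BGoFRkl87uJi7LrQ"
    "t1ZZmZCvrEII0YO4mp8sDLXC8g1aUAoi8TJgxq2MJqCaMyj5kAm3Fdy2tzftPCV/lbdiJqmB"
    "nWKjtwIDAQAB"
)
PAGE_DMARC = "v=DMARC1;p=none;pct=100;rua=mailto:joe@example.com;ruf=mailto:joe@example.com"

def parse_tags(record):
    """Split 'tag=value;tag=value' into a dict that keeps the record's order."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {tag.strip().lower(): value.strip() for tag, value in pairs}

def der_element(buf, pos):
    """Return (content_start, content_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def dkim_rsa_bits(record):
    """Bit length of the RSA modulus published in a DKIM record's p= tag."""
    der = base64.b64decode(parse_tags(record)["p"])
    spki, _ = der_element(der, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = der_element(der, spki)      # AlgorithmIdentifier, skipped
    bits, _ = der_element(der, alg_end)      # BIT STRING wrapping the key
    rsa_seq, _ = der_element(der, bits + 1)  # +1 skips the unused-bits byte
    mod_start, mod_end = der_element(der, rsa_seq)  # INTEGER: the modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def lint_dmarc(record):
    """Return findings for a DMARC TXT value; an empty list means none."""
    tags, findings = parse_tags(record), []
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none is monitor-only: no action requested on failures")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports have nowhere to go")
    return findings
```

For the values on this page, `dkim_rsa_bits(PAGE_DKIM)` returns 1024 and `lint_dmarc(PAGE_DMARC)` reports the monitor-only policy.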

Summary

Looking back at all the key points:

  1. Avoid sending emails yourself via sendmail.
  2. Prefer using SMTP through a trusted third party sender.
  3. Add SPF, DKIM and DMARC records to your domain's DNS records.

Confused?

If you just want to send a handful of emails, it's definitely quite a lot to take in. That's why we've tried to make the process as easy as possible when you host your site with Servd.

  • SMTP config is automatically passed to your Craft control panel.
  • We generate SPF, DKIM and DMARC DNS records to allow you to simply copy and paste them into your DNS settings.
  • If you're a Cloudflare user, when you connect your account to Servd we'll automatically add the records to your Cloudflare DNS.
  • Flexible pricing to allow you to send more emails if you need!