TL;DR

Mails sent from shared hosting (such as a cheap domain from Unoeuro or One.com) end up in spam. How to fix?

Details

I made a mail-system, that first generated a PDF-file (using FPDF), whereafter it sent the PDF-file as an attachment with PHP's Swiftmailer. This email was sent out to 130 people (as a 'one-of' invoice). But it landed in the spam-filter for almost everybody. I tried adjusting SwiftMailers header-settings, but without any luck. Even mails that I haven't sent to before (thoroughly tested). This was my initial setup:

function sendMailEt($toEmail, $toName, $invoiceNumber){

  $username = '[email protected]';
  $pw = 'THE-PASSWORD';
  $from_company = 'FROM COMPANY';
  $subject = 'Thanks for signing up - COMPANY NAME';
  $sender_array = ['[email protected]' => 'Company name'];
  $body_text = 'A brief body, that explains that this is an invoice and that it has to be paid within 5 days. (written in danish)'
  $pdf_url = '/URL-TO-THE-PDF-FILE.pdf';

  require_once('includes/lib/swift_required.php');
  $transport = Swift_SmtpTransport::newInstance('mailout.one.com', 25)
    ->setUsername($username)
    ->setPassword($pw);    

  $mailer = Swift_Mailer::newInstance($transport);

  $message = Swift_Message::newInstance($from_company)
        ->setSubject($subject)
        ->setFrom($sender_array)
        ->setTo(array($toEmail => $toName))
          ->setBody($body_text)
          ->addPart($body_text, 'text/html')
          ->attach(Swift_Attachment::fromPath($pdf_url));
  $result = $mailer->send($message);
}

I also tried sending out the emails with PHP's native mail()-function, and then simply link to the invoice ( http://www.company-domain-name.dk/invoice/base64_encoded-name.pdf )... Same result (spam).

I tried writing the entire header myself. I've read a numerous amount of forums about what headers should include, but they all wrote different things. So I tried a few different things (both emails I had sent to previously and emails I hadn't)... Same result (spam).

Then I tried writing the header exactly as MailChimps does, in their header. That led me to this:

$headers = "Reply-To: Company name <[email protected]>\r\n"; 
$headers .= "Return-Path: Company name <[email protected]>\r\n"; 
$headers .= "From: Message from Company name <[email protected]>\r\n"; 
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Sender: Message from Company name <[email protected]>\r\n";
$headers .= "Content-type: text/plain; charset=\"utf-8\"; \r\n";
$headers .= "X-Mailer: PHP". phpversion() ."\r\n";

I send the mail like this:

mail($toName . '<'.$toEmail.'>', utf8_decode('Faktura på depositumet'), utf8_decode($someMessage), $headers);

... Same result (spam).

The webspace is with One.com, so I can't use PHPmailer (since that has to be installed, and that can't be done on one.com's servers). And I can't define a SPF with One.com.

All I want, is to be able to send emails that doesn't go to spam.

Questions

1. Is it because my header is off, or is it something 'deeper down'?

2. Does the Gmail-spam filter ban single email accounts (such as [email protected]) or does it ban entire domains (such as @example.com)?

3. Can one get a blacklisted email whitelisted somehow?

Additional comment 1 - Further attempts

I have now tried a further number of things:

• I tried adding LoneWolfPR's returnpath, like recommended, and it didn't help.
• I contacted One.com (the hosting company), and confirmed with them, that it isn't possible to set a SPF-record or a DKIM-record. It still isn't.
• I considered setting up an 'unsubscribe'-link, with a link to a website with a form, but I didn't believe that approach. I mean - invoices are sent all the time, with e-mails. And why should you be able to unsubscribe an invoice?! Since that made so far from sense in my head, then I only tried it for about 20 minutes (obviously, without results).

My current email header (gotten from Gmail, by clicking the 'View original'):

Delivered-To: [email protected]
Received: by 10.76.75.104 with SMTP id b8csp48728oaw;
        Sat, 16 Mar 2013 17:32:56 -0700 (PDT)
X-Received: by 10.152.116.45 with SMTP id jt13mr7897860lab.0.1363480376067;
        Sat, 16 Mar 2013 17:32:56 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-out2.b-one.net (mail-out2.one.com. [91.198.169.19])
        by mx.google.com with ESMTP id p10si4637427lbb.120.2013.03.16.17.32.55;
        Sat, 16 Mar 2013 17:32:55 -0700 (PDT)
Received-SPF: neutral (google.com: 91.198.169.19 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=91.198.169.19;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 91.198.169.19 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Date: Sat, 16 Mar 2013 17:32:55 -0700 (PDT)
Message-Id: <[email protected]>
Received: from localhost.localdomain (srv18.one.com [193.202.110.18])
  by mail-out2.b-one.net (Postfix) with ESMTP id F3D0B10365
  for <[email protected]>; Sun, 17 Mar 2013 01:32:53 +0100 (CET)
Received: from 85.218.159.219 by www.DOMAIN-NAME.dk via URL_TO_THE_SCRIPT.php with HTTP; Sun, 17 Mar 2013 00:32:53 +0000
To: RECIEVERS_NAME <[email protected]>
Subject: EMAIL-SUBJECT
X-PHP-Originating-Script: 87486:NAME-OF-THE-SCRIPT-THE-E-MAIL-WAS-SENT-FROM.php
Reply-To: COMPANY NAME <[email protected]>
From: Besked fra COMPANY NAME <[email protected]>
MIME-Version: 1.0
Sender: Besked fra COMPANY NAME <[email protected]>
Content-type: text/plain; charset="utf-8"; 
X-Mailer: PHP5.3.21

Solution: Use Mailgun (not tested) or Sendgrid (tested and works wonders!). There is a price-difference between the two, - but in short: Mailgun is good if you're small; Sendgrid is good if you're big.

Either that, - or send mails using MailChimps API or something. It's can't be fixed on shared hosts (most likely). The reason is below.

Explanation: I've later learned more about how shared hosts work. Imagine that several different sites are located on the same server (such as domain-1.org, domain-2.org and domain-3.org). That means that if domain-3.org sends a bunch of crap-emails, then Gmail (and other spam-filters) mark that IP-address as spam. So if domain-2.org then send out stuff, then that'll (probably) come from the some IP-address and therefore end up in spam. Shared hosts can't really do anything about it (and don't care, since so few people have this problem). And that is why it's so cheap.

Sendgrid and Mailguns IP-addresses are marked as 'fine' by all the spam-filters, and that's the service that you're paying for with them. They keep it that way, by monitoring how many emails you send out are being marked as 'spam'. If it's something like 5%-10% or something crazy low, then Sendgrid/Mailgun will block your account until you fix it (going through a long process, where you have to contact their customer service and do 1.000 hail-Mary's and all kinds of wierd stuff).

I heard that if you get your own server (which is way more expensive), and set up your own mail-server, then you have to be really careful, not to be marked as spam. Cause spam-filter are really tough nowadays...

1) Normally an email address won't go easily into a blacklist, it takes time and/or a lot of people to tag you as spammer to actually get that address into a blacklist.

2) Yes. A whole domain name can be blacklisted, because spammers normally generate random email addresses like [email protected].

3) It doesn't matter how many times it went to the spambox, basically, the spam filters nowadays are strong, because spammers try to improve their ways to get around day by day, so the filters gets more strict every day. If it goes into spam folder first time, and the user didn't actually put it into the spam box, it will continue going unless users unmark it, or you fix the troubles.

How to avoid spambox?

Basically you need some signatures, and a lot of access to your DNS records, because there is where we are going to do most of the setups.

• Reverse DNS Lookup: On dedicated servers or even on some VPS you are able to set up a reverse dns record, sometimes you just open a ticket and the IT's set it up for you. If you can't have it, change your hosting or keep being tagged as spammer xD. This is to preven header forgeries, as you could set on your headers that your email comes from gmail.com but it doesn't this is the way the email servers check it.

• SPF is a must have as well, if you can't set a SPF then don't even try any further, consider changing your hosting, and you can almost stop reading by here xD.

• DKIM/Domain Key: preferably DKIM, is a encrypted signature, you set the public key on the DNS, and store a private key in your email server, when a server receives an email, it has the private key attached in the headers (you need a mailserver software which manages DKIM, for windows for example it worked for me hmailserver) and the mail service (gmail for example) will check your dns record to see if the public key matches. This is almost a must have as well

Those three were the basics, if you Set up DMARC and ADSP it will get you better score for the SpamAssassins. To get a even better score search for some spam keywords lists on google and try to avoid them, some stuff like starting an email with "Dear xxx" are harmful for your score, Set up the unsuscribe system(even if it's crappy, as long as you provide a clear link) will help you a bit as well.

Also:

• Avoid sloppy html and white text over (any) backgrounds, some spammers use it to fit in hidden text, those filters are smarter than you think.

• Read the specific recommendations. Most email services have a FAQ or something in their website with some tips to help you sending emails and not going into the junk. on Some of them you can even apply for getting into a white list ( at least some years ago, on some services like gmail they don't do it anymore)

• If you are sending in bulk, watch the time! If you have X emails per second sent into somewhere, you are likely to get into blacklist, set up a script or something to get a 1sec delay or so, the delay might depend on the destinatary to get into the blacklist or not.

Hope those tips help you, I had to deal with some spam filters recently and it's a pain in the ass, that's why I know all that info, that's all my research xD Even after all the signatures and things I have set up, some of the emails are still going into spambox(a smaller percentage but it still hurts me) The only reliable way is to get the users adding you to the contacts list (while having the signatures and headers correctly), so remind them to do so if possible.

One thing to bear in mind, I had trouble with emails being blocked by Gmail and Yahoo! mail from php because the Return-Path header didn't match the from. On a lot of servers if you explicitly set the Return-Path in the headers PHP Mail will ignore that and set the return path to the machine name. You have to force it in the 'additional parameters' section of the mail function using the '-f' flag. Now I've never used Swift Mailer so I don't know the equivalent to PHP's native mail() function, but here's what it would look like using mail();

mail($to,$subject,$message,$headers,'-f [email protected]')

If you can find out the equivalent to this in swift mailer it might solve your problem.

Edit:

It looks like you're not actually setting the Return-Path at all. I know GMail really doesn't like that to be left out. Try setting it explicitly to your Swift_Mailer message (and make sure it matches your From):

$message->setReturnPath('[email protected]');

Solution: Use Mailgun (not tested) or Sendgrid (tested and works wonders!). There is a price-difference between the two, - but in short: Mailgun is good if you're small; Sendgrid is good if you're big.

Either that, - or send mails using MailChimps API or something. It's can't be fixed on shared hosts (most likely). The reason is below.

Explanation: I've later learned more about how shared hosts work. Imagine that several different sites are located on the same server (such as domain-1.org, domain-2.org and domain-3.org). That means that if domain-3.org sends a bunch of crap-emails, then Gmail (and other spam-filters) mark that IP-address as spam. So if domain-2.org then send out stuff, then that'll (probably) come from the some IP-address and therefore end up in spam. Shared hosts can't really do anything about it (and don't care, since so few people have this problem). And that is why it's so cheap.

Sendgrid and Mailguns IP-addresses are marked as 'fine' by all the spam-filters, and that's the service that you're paying for with them. They keep it that way, by monitoring how many emails you send out are being marked as 'spam'. If it's something like 5%-10% or something crazy low, then Sendgrid/Mailgun will block your account until you fix it (going through a long process, where you have to contact their customer service and do 1.000 hail-Mary's and all kinds of wierd stuff).

I heard that if you get your own server (which is way more expensive), and set up your own mail-server, then you have to be really careful, not to be marked as spam. Cause spam-filter are really tough nowadays...

Make sure the email address you are using as the FROM is actually an email address. I have had the same issue been resolved by going into my account management from the host (one.com for you) and adding the account that I want the email to be from. I added an account called "mailer" and through the panel I was able to setup an auto-responder that said, "Sorry. This email address is reserved for server functions".

in the from header you would then use ([email protected])

having that actual email address and auto-reponder did the trick. I think gmail is just smart enough to know that an email adress that has never been used before is spam. Also, the email address must come from the domain that the script lives on so that when it says it is FROM there it is not lying.

here is the code that I use when I want to send email from my shared host (justhost.com) , It does not go to spam (this is using post data from a web form):

<?php



// Contact subject

$subject = $_POST["subject"];



// Details

$message=$_POST["detail"];



// Email of sender

$mail_from=$_POST["customer_mail"]; 

//Name of sender

$name=$_POST["name"];
putenv("TZ=America/Phoenix");
$now = date("F j, Y, g:i a T");

$header="Reply-To: $name <$mail_from>";

$header .= "From: MyDomainName.com <[email protected]>";
$header .= "\r\n";
$header .= "Reply-To: $name <$mail_from>"; 
$introMSG= "Message From:".$name." <".$mail_from.">"."\r\n"
."Sent On:".$now."\r\n"."From a web form on MyDomaiNname.com"."\r\n"."-----------
-----------------------"."\r\n"."\r\n";


$to ='[email protected]'; // Domain Owners Email Address

$send_contact=mail($to,$subject,$introMSG.$message,$header);

$send_copy=mail($mail_from,"Copy Of:".$subject,$introMSG.$message,$header);

// Check if message sent


if($send_contact){

echo "<strong>Thanks! Your message has been sent to me.</strong>";

}

else {

echo "<strong>There was an error sending your message </strong>"; 

}



if($send_copy){
echo "<strong><br>A copy of this message was sent to your email.<br>If you do not
receive a copy please check your spam folder</strong>";

}

else{
echo "<strong> There was an error sending a copy of this message to your email
</strong>"; 

}



$send_reminder=mail("[email protected]","","You Have a new contact message from
".$name.", remember to check your spam folder.",$header);

if($send_reminder){

echo ".";

}

else {

echo "<br><strong>TXT Error</strong>";

}

?>

There are at least two "spammy" looking things that jump out of your email headers:

Message-Id: <[email protected]>

Notice the SMTPIN_ADDED_MISSING section? You aren't behaving like a proper mailer and generating a unique Message-ID. You might find reading RFC 5322 to be instructional.

Received: from localhost.localdomain (srv18.one.com [193.202.110.18])
by mail-out2.b-one.net (Postfix) with ESMTP id F3D0B10365
for <[email protected]>; Sun, 17 Mar 2013 01:32:53 +0100 (CET)

That initial received header has an illegal HELO hostname (localhost.localdomain). Your mailer app should provide a way for you to set that to a valid value. It might even be as easy as configuring the hostname of the machine running PHP. See RFC 1035 (hostname validity), RFC 2821 (SMTP) and RFC 5321 (SMTP).