5

When my website sends emails to set or reset the password, they sometimes don't arrive at the recipient.

This problem does not arise for email addresses at large providers (such as Google or Microsoft), but often for email servers of schools or state institutions.

I guess that this is due to some bad spam filtering, where the email is just deleted without any notice to the recipient.

What I tried so far to reduce the problem:

  • use a real email account, not something like sendmail
  • start the email with "Hello X Y", where X Y is the real given name and surname of the addressed person.

But this did not have the desired effect.

7
  • 19
    This is not a deterministically solvable problem. You're trying to figure out how other parties may have decided to intentionally filter your content, and are trying to circumvent those rules. The rules are in place specifically to stop certain communications from reaching users. These agents constantly try to circumvent the rules to get their mail delivered anyway. There is no way for you to conclusively convince others that your content is not spam, because the ability to do so would immediately be abused by spammers. Even if you answer this, the goalposts will move eventually.
    – Flater
    Commented Dec 13, 2023 at 23:26
  • @Flater I see the point, but two thoughts: First, deleting suspected spam without notifying the recipient is not a good idea, but this is obviously done at some places. Secondly, I have information that the usual spammer does not have, e.g. by putting the full, correct name of the recipient into the email, I give a strong hint that I am not a spammer. Commented Dec 14, 2023 at 7:13
  • 4
    Just another thing to consider. My university runs a barracuda server, which can flag and stop suspicious email from even making it to your spam folder. If your clients aren't even seeing a message in spam, then this may be what is happening. If they contact their organisation's IT department they may well be redirected to their barracuda server (or equivalent) to authorise those emails (which may or may not also end up in spam once delivered). Commented Dec 14, 2023 at 9:39
  • 8
    @JFabianMeier Containing the full name of the recipient is not a strong signal. Leaked or harvested address information is a dime a dozen.
    – Bergi
    Commented Dec 14, 2023 at 12:58
  • 3
    mail-tester.com (not affiliated) getting 10/10 is perfectly doable. Anything less should be fixed. Commented Dec 14, 2023 at 16:20

4 Answers

26

There is no magic bullet here. What's surprising to me is it's not the big orgs that are intercepting your email. I've found Google very prone to intercepting these kinds of emails.

A few things to look at:

These tell the receiving server that the email is coming from a location that is approved to send email on behalf of the domain, and in the case of DMARC suggest a course of action for the receiving server.

When you get these set up, you should see an improvement. But ultimately you have no control over whether or not an email is delivered.

5
  • Are these two things (SPF records and domain keys) something I should expect from a "regular" email account to have, or do I have to talk to the admin of the email provider? Commented Dec 13, 2023 at 19:10
  • 1
    @JFabianMeier Recently, Google and Apple reinforced their filtering policies. I had a similar issue with a private mail address hosted at a well known hoster. The absence of SPF (or DKIM, but this is more complex to set up) is considered a high suspicion of spam. One was apparently also checking that there is a DMARC policy defined, and SPF was not enough. While this is annoying (took me half a day to find out, set the domain parameters and solve, as I am not a professional email admin), on the positive side, it also helps to really reduce the number of spams polluting my inbox
    – Christophe
    Commented Dec 13, 2023 at 19:29
  • 2
    @JFabianMeier They would be something the domain should have set up. If you have a gmail account or something it's not needed. But if you are sending email out under your own domain name then you'd want it. Commented Dec 13, 2023 at 19:49
  • 1
    @Christophe I forgot about the demarc policy. I knew there was a 3rd item to deal with. I'll add it. Commented Dec 13, 2023 at 19:52
  • 6
    @JFabianMeier All three (SPF, DKIM, and DMARC) are tied to the domain, not the mail provider. If you are using an external provider and sending through their domain, it shouldn’t be an issue, but if it’s a domain you manage you’ll have to set it up yourself. SPF is trivial to set up (literally just a couple of extra DNS records), DKIM is a bit of a pain, but once set up properly is almost zero maintenance, and DMARC is pretty trivial once you have SPF and DKIM. Commented Dec 14, 2023 at 2:21
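The comments above describe SPF and DMARC as DNS TXT records the domain owner controls. The following added example (not code from the thread) does offline sanity checks on such records, flagging the settings receivers treat as weak or broken; the record strings are constructed samples, and in practice you would obtain them with `dig TXT example.com` and `dig TXT _dmarc.example.com`.

```python
import re
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records (not taken from any real domain).
WEAK_SPF = "v=spf1 a mx +all"
GOOD_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def check_spf(record: str) -> list[str]:
    """Return the problems found in an SPF TXT record (empty list = looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with 'v=spf1'"]
    problems, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        problems.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        problems.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        problems.append("'+all' authorizes every host on the Internet; use '-all' or '~all'")
    return problems


def check_dmarc(record: str) -> list[str]:
    """Return the problems found in a DMARC TXT record (empty list = looks sane)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with 'v=DMARC1'"]
    problems = []
    if "p" not in tags:
        problems.append("missing required 'p=' tag; receivers ignore the record")
    elif tags["p"] == "none":
        problems.append("'p=none' only monitors; failing mail is still delivered")
    if "rua" not in tags:
        problems.append("no 'rua=' address: aggregate reports go nowhere")
    return problems
```

DKIM is not checked here because validating it requires the selector name and a signed message, not just a TXT record.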
9

You have a low delivery rate for your messages. This is a non-trivial problem. Profitable services like Mailchimp, Brevo, and Constant Contact are happy to accept compensation in return for solving it.

There are lots of details, and you have gathered very few of them. We do not yet know whether your outbound MTA experiences greylisting delays, an immediate SMTP bounce, or a store-and-forward bounce / blackhole. You didn't even mention whether your MTA uses unique per-message envelope sender (SMTP "MAIL FROM:" verb), something which is pretty essential for understanding bounce behavior across a large population of recipients. You have not yet enlisted the aid of distant postmasters to understand what their server logged.

The technical details matter, and there are many of them. Seek professional assistance.


Consider offering multiple channels for credentials, such as an SMS phone number or an Authenticator app that generates pseudo-random digits. This will (A.) keep an existing customer happy with an automated action that yields instant gratification, and (B.) will reveal patterns about email suffixes which always opt for a non-email channel.

2
  • Thanks. For the "lost" emails, I don't get any message back, so how can I investigate what kind of problem occurred? I did not understand the part about "unique per-message envelope sender". The password reset emails are sent from an email account and so the sender name should be just the name and email of that account. Commented Dec 13, 2023 at 19:07
  • 3
    @JFabianMeier: SMTP has its own "Envelope" fields separate from the usual From:/To: headers that are within the message. The message header is what shows up in mail apps, the envelope is what controls delivery and is e.g. used to control where "bounce" messages go. So the system that sends the message can specify e.g. "From: [email protected]" in the mail headers but "FROM:<[email protected]>" in the SMTP envelope.
    – user1686
    Commented Dec 14, 2023 at 10:00
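The answer and the last comment describe the SMTP envelope sender (MAIL FROM) as separate from the visible From: header, and a unique per-message envelope sender as the key to attributing bounces. The added example below (not code from the thread; the domain names, the `bounces+` encoding scheme and the function names are assumptions) builds a reset message whose header From stays fixed while each envelope sender encodes the recipient and a bounce id, and decodes a returned bounce address back to the recipient.

```python
from email.message import EmailMessage
from email.utils import make_msgid
from typing import Optional

# Constructed values for the example; replace with your own domains.
BOUNCE_DOMAIN = "bounce.example.com"
HEADER_FROM = "Example Site <noreply@example.com>"


def verp_sender(recipient: str, bounce_id: str) -> str:
    """Encode recipient and a per-message id into a unique envelope sender.

    user@school.edu + 7f3a -> bounces+user=school.edu+7f3a@bounce.example.com
    The id is a random bounce-tracking value, never the password reset token:
    envelope addresses end up in other people's mail logs.
    """
    local, _, domain = recipient.partition("@")
    return f"bounces+{local}={domain}+{bounce_id}@{BOUNCE_DOMAIN}"


def decode_verp(address: str) -> Optional[tuple[str, str]]:
    """Recover (recipient, bounce_id) from a bounce addressed to a VERP sender."""
    local, _, domain = address.partition("@")
    if domain.lower() != BOUNCE_DOMAIN or not local.startswith("bounces+"):
        return None
    payload = local[len("bounces+"):]
    encoded_recipient, sep, bounce_id = payload.rpartition("+")
    if not sep or "=" not in encoded_recipient:
        return None
    # Domains never contain '=', so the last '=' separates local part and domain.
    user, _, rcpt_domain = encoded_recipient.rpartition("=")
    return f"{user}@{rcpt_domain}", bounce_id


def build_reset_message(recipient: str, bounce_id: str, link: str):
    """Return (envelope_sender, message); header From and envelope differ on purpose."""
    msg = EmailMessage()
    msg["From"] = HEADER_FROM  # what the user sees in the mail client
    msg["To"] = recipient
    msg["Subject"] = "Password reset"
    msg["Message-ID"] = make_msgid(domain="example.com")
    msg.set_content(f"Use this link within 30 minutes: {link}\n")
    # Sending: smtplib.SMTP.send_message(msg, from_addr=envelope) puts the
    # envelope address into MAIL FROM while the header From stays unchanged.
    envelope = verp_sender(recipient, bounce_id)
    return envelope, msg
```

Any bounce, greylisting rejection or delayed DSN that comes back to the `bounces+...` address now identifies exactly which reset mail to which recipient failed, which is the information the answer says you currently lack.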
2

@GrandmasterB's answer already lists most of the things you can do. Alas, addressing the recipients by their full name would not help convince automated spam filters, so although it's certainly a good practice, it's probably not going to help.

I don't know your audience, but never underestimate the probability of them not looking at the obvious places (a spam folder etc.) or inadvertently deleting the e-mail themselves. Technical incompetence regarding e-mail is rampant, even among supposedly tech-savvy persons.

If mails are missing, your only option is to trace them step by step, and get the recipient to provide you with info that you can't access. You may want to give some information on your page where users request a new password about the timescale in which they should expect the mail in their inbox so they would contact you timely.

In the extreme, the providers of the recipients' mailboxes may be able to help with logging info, but in my experience, their willingness might be pretty low.

2

The answers so far cover this pretty well given the limited information we have, but one thing to add: this is a worthwhile problem to attempt to solve rather than looking to outsource it to mail delivery companies that promise to solve it in exchange for money.

Unlike your current setup, which is non-spam that some poorly behaved recipient setups are misclassifying as spam, mail sent through one of these services is mail sent by a known spammer, and if it's blocked, it's being rightly blocked.

Moreover, and this is the really important part, password reset emails contain extremely critical secrets that can be used for account takeover. They should not be entrusted to sketchy providers of delivery services for spammers. In addition to possible incompetence by these services in protecting the confidentiality of mail sent through them - which is often not even considered a priority because the bulk of the service they provide is marketing junk - they are treasure troves for outside attackers and insider threats who want to intercept account credentials from services who outsource to them.

1
  • 2
    Yeah, I agree with all these points, in the general case, +1. In this specific case I was trying to meet OP where they are, which is "I have a business problem and my organization is not technically sophisticated enough to robustly diagnose or support an SMTP-based service." There are numerous resources that describe the challenges of high delivery rates, but OP revealed their level of commitment to devote effort to a solution by coming here hoping for a quick fix.
    – J_H
    Commented Dec 14, 2023 at 21:27
