From Leo's Notes
Last edited on 14 June 2020, at 23:36.


An email system has 3 main components:

  1. The Mail User Agent (MUA), which is the email client (eg. Mutt, Outlook, Thunderbird)
  2. The Mail Transfer Agent (MTA), which transfers emails from one computer to another (eg. Exim, Sendmail, Postfix)
  3. The Mail Delivery Agent (MDA), which delivers incoming mail to user's inbox (eg. Dovecot, procmail)

Users use a mail client (MUA) to send an email message to their mail server (MTA). The mail server will determine the next hop for the message to take based on any routes that are configured, or typically by looking up the MX record of the recipient domain name. Each time a MTA receives an email message, it adds a Received trace header to the message, allowing for a sequential record of all MTAs that handled the message. If all goes well, the message will end up on a server with a MDA that can deliver the message to the recipient's inbox. The recipient will then use an access protocol such as IMAP, POP3, or Exchange/MAPI to read the email message from their inbox.

Like any other networks, failures may occur in any of the steps in between. MTAs will need to be able to handle problems such as an unavailable remote MTA. Typically, MTAs are configured to defer any messages on failures and to retry at a later time. A bounce email may be sent to the sender notifying them of the issue.



Sender Policy Framework (SPF) is used to detect forged sender addresses. The MTA will look up the TXT or SPF record on the sending domain for a SPF value outlining which servers can actually send mail. If the incoming mail is not listed as one of the allowed servers for the domain, the mail is rejected.

A SPF DNS entry is published under the sending domain as a TXT record. An entry looks something like this: 600 IN TXT "v=spf1 mx -all" 600 IN SPF "v=spf1 mx -all"

When using email forwarders, forwarded messages will fail SPF on the final MTA because the message was sent via an intermediate server not approved by the originating domain. Email services should not reject emails with failing SPF. Services such as Gmail will list such emails as 'Soft Fail'.

If email forwarding is required and SPF failing is not an option, look into email remailing where the envelope sender is rewritten.


DomainKeys Identified Mail (DKIM) adds an additional layer of security to SPF by affixing a digital signature to each outgoing mail that is sent. The authenticity of the signature can be verified by the receiving MTAs by looking up the public key that is published as a TXT record on the sending domain.

A DKIM DNS record is published under the selector._domainkey subdomain. A DKIM public key entry looks like this: 600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDB5nBvGK/YgkA38tPxxikD/w2OW3Ob3WL9iaS8bA+4i4Kkjr4GQHq+H2khVVsyTxUpZErv4jVW+Kk1wWUysWKQU1P2ImAY0luP7Ujdne4JykXm75n4HjE0Sa4q1y3EaVQOH58aEfjcUS26N1MoSVt87uf1669gv3Wh+0ySfXHNdQIDAQAB"


Domain-based Message Authentication, Reporting and Conformance (DMARC) extends the previous mechanisms by defining a policy on the sending domain on how to handle SPF and/or DKIM. A policy can either reject or quarantine messages with one or both of these authentication mechanisms fail, or how the receiving server can report back about messages that fail.

The sending MTA can capture and aggregate reports of failed messages.

DMARC DNS records are published under the _dmarc subdomain. 600 IN TXT "v=DMARC1; p=reject;;; adkim=s; aspf=s"
  • v is version
  • p is policy. none, quarantine, or reject
  • sp is the subdomain policy
  • rua is the URI to send aggregate reports to
  • ruf is the URI to send forensic reports to
  • adkim specifies the DKIM policy. s for strict; r for relaxed, default.
  • aspf specifies the SPF policy. s for strict; r for relaxed, default.

More information on DMARC tags:


Emails Going to Junk Folder on Outlook

For some reason, emails from my server at LiquidWeb are ending up in the Junk folder on hosted accounts (ie. MSN, Hotmail).

Emails are getting set a SCL (Spam Confidence Level) of 5 from the server despite the message having passed DKIM and SPF.

Some other people have the same issue:

More information about Microsoft's filtering:

I'm not sure how to fix. I submitted a request as noted by that thread but don't expect anything to change.