I love Mailgun -- I have had the experience of working for an email company before, and I know email is hard to get right. As a result, deciding to offload transactional mail when developing Zoetic was a no-brainer. However, the expectation is that a company focused on email would be experts in email and get it right.

The problem is, if you're using Mailgun right now to forward your email to Gmail or another destination, it's not always done right. We noticed that many of our Mailgun-forwarded incoming emails were ending up classified as spam by Gmail, at a false-positive rate higher than we had experienced before. It turns out that these emails are failing the DKIM authentication check:

Received: by with SMTP id c206csp112846lfd;
        Fri, 19 Sep 2014 07:46:41 -0700 (PDT)
X-Received: by with SMTP id z9mr3549915wiv.51.1411138001622;
        Fri, 19 Sep 2014 07:46:41 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-s62.mailgun.us (mail-s62.mailgun.us. [])
        by mx.google.com with ESMTPS id fu1si2344154wjb.120.2014.
        for <[email protected]>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 19 Sep 2014 07:46:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates as permitted sender) client-ip=;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates as permitted sender) [email protected];
       dkim=fail [email protected]

This was strange, because if all is right, forwarded email should still pass DKIM. In addition, we determined it was not misconfiguration of the origin email domain because emails not passing through Mailgun were not being classified as spam, and this was happening across many well-known email domains. At first I thought this was because Mailgun was appending and prepending headers to the email-- which, as Mailgun support pointed out, is actually okay as long as there are no modifications to the existing header sets.

Just as an aside, for those not familiar with DKIM-- essentially, a DNS TXT record holds a public key corresponding to a private key the originating SMTP server uses to sign the email headers and body. This allows the recipient to check the signature and ensure the email is authentic (i.e. sent from a server that the domain allows).

While having DKIM authentication fail does not automatically mean that an email will be classified as spam, it is a strong indicator. However, for many 'high-profile' domains it actually triggers automatic spam/phishing classification due to another standard: DMARC. DMARC allows domain owners to receive feedback on their email failure rates and also institute a hard-rejection policy for their domains so that providers like Gmail will treat DKIM fails as definite indicators of spam/phishing.

So why is DKIM failing (sometimes) with Mailgun forwards? It turns out it is because of the 'X-Feedback-Id' header. Many mailing lists already include this header (including all Mailchimp emails), and it turns out that without regard to this, Mailgun prepends its own X-Feedback-Id header, even in cases where this header is already DKIM signed by the origin. This is a problem because while not clearly defined by the standard, having a duplicate header means the existing signature fails because the recipient does not know which X-Feedback-Id was signed, and the new one will fail.

X-Feedback-Id: 5285452efea3986f357c1a89:mailgun
X-Mc-User: 17493a0db65f3xxxxxxx
X-Feedback-Id: 24143267:24143267.342429:us3:mc
X-Accounttype: pd
List-Unsubscribe: <mailto:[email protected]net?subject=unsubscribe>,
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1048281594"
Mime-Version: 1.0
X-Mailgun-Incoming: Yes
X-Mailgun-Sflag: No
X-Mailgun-Sscore: 0.0
X-Mailgun-Spf: Neutral
X-Mailgun-Sid: WyIwZmQyZCIsICJwaWNvbGlnYW5jZUBnbWFpbC5jb20iLCAiMTcwYWIiXQ==

The combination of DKIM failing and DMARC policies means that the originating domain and mailserver will be seen to be sending phishing emails and therefore over time be classified as such (see Google's Best Practices: Authentication). What this means for us is that now our legitimate outgoing email sent by our domain is being sent straight to spam as Gmail has classified us as a phishing domain.

After a week of back and forth with Mailgun support, they finally acknowledged the issue and while I prompted them that this was urgent, I have not received another reply for the last week, prompting me to share this for fear that other customers may be unknowingly tarnishing their domain's email reputation. I do not know if similar services have this problem, but we have not had this issue with the much simpler forwarding by Namecheap. The lesson we learned from this is that we should separate our transactional mail domain from our 'real email'. Also, if anyone knows any inexpensive solutions designed for just email forwarding, I would love to hear them.


comments powered by Disqus