Mailgun forwarding can result in your domain being treated as spam

I love Mailgun -- I have had the experience of working for an email company before, and I know email is hard to get right. As a result, deciding to offload transactional mail when developing Zoetic was a no-brainer. However, the expectation is that a company focused on email would be an expert in email and get it right.

The problem is, if you're using Mailgun right now to forward your email to Gmail or another destination, it's not always done right. We noticed that many of our Mailgun-forwarded incoming emails were ending up classified as spam by Gmail, at a false-positive rate higher than we had experienced before. It turns out that these emails are failing the DKIM authentication check:

Received: by 10.25.129.215 with SMTP id c206csp112846lfd;
        Fri, 19 Sep 2014 07:46:41 -0700 (PDT)
X-Received: by 10.180.75.41 with SMTP id z9mr3549915wiv.51.1411138001622;
        Fri, 19 Sep 2014 07:46:41 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-s62.mailgun.us (mail-s62.mailgun.us. [184.173.153.62])
        by mx.google.com with ESMTPS id fu1si2344154wjb.120.2014.09.19.07.46.40
        for <[email protected]>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 19 Sep 2014 07:46:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 184.173.153.62 as permitted sender) client-ip=184.173.153.62;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates 184.173.153.62 as permitted sender) [email protected];
       dkim=fail [email protected]

This was strange, because if all is right, forwarded email should still pass DKIM. In addition, we determined it was not a misconfiguration of the origin email domain, because emails not passing through Mailgun were not being classified as spam, and this was happening across many well-known email domains. At first I thought this was because Mailgun was appending and prepending headers to the email, which, as Mailgun support pointed out, is actually okay as long as there are no modifications to the existing header sets.

Just as an aside, for those not familiar with DKIM: essentially, a DNS TXT record holds a public key corresponding to a private key the originating SMTP server uses to sign the email headers and body. This allows the recipient to check the signature and ensure the email is authentic (i.e. sent from a server that the domain allows).
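The sketch below is an added example, not code from the original post or from Mailgun. It shows why a forwarder can prepend headers without breaking DKIM while changing a signed header or the body cannot go unnoticed. It uses RFC 6376 "relaxed" canonicalization and compares the hashed input instead of doing the RSA step; the message, the addresses and the h= list are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse whitespace runs
    return f"{name.strip().lower()}:{value}\r\n"

def relaxed_body_hash(body):
    """bh= value: base64 SHA-256 of the relaxed-canonicalized body."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()                                # ignore trailing empty lines
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def signed_input_digest(headers, body, h_tag):
    """Hash of the signed input; simplified, omits the DKIM-Signature field itself."""
    remaining, data = list(headers), ""            # headers: top-to-bottom list
    for wanted in h_tag:
        # Each h= name takes the bottom-most unused instance of that field,
        # so fields a forwarder prepends at the top are never selected.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data += relaxed_header(*remaining.pop(i))
                break
    data += "bh=" + relaxed_body_hash(body)
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample message and forwarder behaviours (not from the post).
H_TAG = ["from", "to", "subject", "date"]
ORIGINAL = [("From", "Alice <alice@sender.example>"), ("To", "bob@forwarded.example"),
            ("Subject", "Quarterly report"), ("Date", "Fri, 19 Sep 2014 14:46:00 +0000")]
BODY = "Hello Bob,\r\n\r\nReport attached.\r\n"

def forwarder_outcomes():
    """Map each in-transit change to whether the signed input still matches."""
    signed = signed_input_digest(ORIGINAL, BODY, H_TAG)
    prepended = [("Received", "by forwarder.example"), ("X-Forwarded", "yes")] + ORIGINAL
    rewritten = [(n, "[fwd] " + v if n == "Subject" else v) for n, v in ORIGINAL]
    cases = {"headers prepended": (prepended, BODY),
             "subject rewritten": (rewritten, BODY),
             "body footer added": (ORIGINAL, BODY + "--\r\nforwarded copy\r\n")}
    return {k: signed_input_digest(h, b, H_TAG) == signed for k, (h, b) in cases.items()}

if __name__ == "__main__":
    print(forwarder_outcomes())
```

Only the first case leaves the signed input intact; the other two are the kind of in-transit change that produces a dkim=fail result at the receiver.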

While having DKIM authentication fail does not automatically mean that an email ...
