1. Consider a professional email hosting service
If you are hosting your email on your own dedicated, cloud, or VPS server, by using your own SMTP application, you should first understand the reprocussions of being your own mail system admin.
By maintaining your own mail server, you leave your device susceptible to any and all viruses, malware, and exploits, known and unknown. With a compromised mail server you could be unknowingly sending illegal spam, phishing, and hacking emails to unsuspecting people. By maintaining your own mail server, you are also responsible for remaining off of blacklists.
If you do not have the qualified systems administrators to set up and maintain your email server, then you should consider letting a well-known email host take care of it for you. The engineers at IONOS have several years of experience running well-known and authenticated email servers. I highly recommend checking out IONOS Mail Business here:
2. Fix incorrectly set sender for outgoing mail
If you have the incorrectly set sender for outgoing mail it’s more likely that it will be flagged for spam.
In Plesk go to Tools & Settings > Mail Server Settings. Enable the checkbox for “Fix incorrectly set sender for outgoing mail”.
3. Enable SPF
An SPF record is essential in email deliverability today. Without it you can expect emails to be delivered to spam or even blacklisted.
In Plesk go to Tools & Settings > Mail Server Settings > SPF spam protection. Enable SPF spam protection to check incoming mail. Set SPF checking mode to Reject mail when SPF resolves to “fail” (deny). Add your SPF record to your DNS host (name server):
Host Name: @
Value: v=spf1 a mx a:yourdomain.com -all
4. Send email from the domain IP address
If there’s more than one domain on the server and the receiving server uses CBL, or the domain doesn’t match the hostname, outgoing emails may be incorrectly marked as spam. Make sure you don’t include the domain name in the SMTP greeting:
In Plesk go to Tools & Settings > Mail Server Settings. Set the outgoing mail mode to “Send from domain IP addresses” and click OK.
5. Enable and verify DKIM
DKIM is an additional layer of email secure that can help prevent spoofing.
Verify that DKIM is enabled in server-wide setting at Tool & Settings > Mail Server Settings.
Verify that DKIM spam protection system is enabled for a domain at Domains > Mail Settings. Keep the “Use DKIM spam protection system to sign outgoing email messages” checkbox selected. Click the “How to configure external DNS” hint. Copy two DNS records you see there and add them to your DNS host.
See the following guide for checking that DKIM is working for the domain:
6. Enable DMARC
DMARC adds yet another cover of security for incoming and outgoing emails.
In Plesk go to Tools & Settings > Mail Server Settings (under “Mail”). In the DMARC section, click the “Enable DMARC to check incoming mail” checkbox and then click OK.
Add your SPF record to your DNS host (name server):
Host Name: _dmarc
Value: v=DMARC1;p=reject;rua=mailto:your@email.com
7. Setup outgoing email protection
Prevent potential abuse by setting up outgoing email protection.
Turn on limitations on outgoing mail in the mail server settings at Tools & Settings > Mail Server Settings.
Remove all IP addresses and networks from the mail server’s white list (located in Plesk for Linux in Tools & Settings > Mail Server Settings > White List tab; in Plesk for Windows in Tools & Settings > Mail Server Settings > Relay options > Use no relay restrictions for the following networks). The limits on outgoing mail will not work for mail senders whose IP addresses are in the white list.
8. Setup outgoing spam filter
Consider installing or purchasing an email extension that will filter outgoing emails for potential spam. Find out more information on Plesk Email Security here:
https://www.plesk.com/extensions/email-security/
9. Restrict mismatch of the “From” headers
You can restrict mismatch of “From” header for emails and prevent outbound mail spoofing by following the directions in this guide:
10. Fix hostname
In Plesk go to Tools & Settings > Server Settings. Update the ‘Full hostname’ to match either the MX record (mail.yourdomain.com) or a domain/subdomain that exists on the server and click OK.
11. Add rDNS (PTR) record
A Reverse DNS record, also known as PTR, is required for identifying your mail server’s association with the IP address. Adding this record is done at the hosting company, so instructions vary. IONOS customers can follow this guide:
12. Check, enable, and update TLS
TLS 1.0 and 1.1 have been considered obsolete and a PCI violation since June 30, 2018. Most browsers, software products, and cloud services have stopped or will stop supporting them. Check your SMTP server’s TLS version using this free online tool:
https://luxsci.com/smtp-tls-checker
How to enable/disable TLS protocol versions in Plesk for Linux:
https://support.plesk.com/hc/en-us/articles/12377600456727-How-to-enable-disable-TLS-protocol-versions-in-Plesk-for-Linux
Protecting Webmail and Mail with SSL/TLS Certificates:
https://docs.plesk.com/en-US/obsidian/customer-guide/websites-and-domains/securing-connections-with-ssltls-certificates/protecting-webmail-and-mail-with-ssltls-certificates.76531/
13. Tweak anti-malware settings
If you are running anti-malware software on your firewall or SMTP server, check for the setting “Internet Email Auto Protect” or “Internet Email Protection.” If you are experiencing false spam positives for outgoing email, disable this setting and try sending a test message again.
14. Check your DNS server
Try connecting to mail.hotmail.com from your server via port 25. If you are unable to connect, then attempt to telnet over port 25 directly to their email servers (MTAs). You can find a current list of Hotmail testing MTAs by querying “nslookup –q=mx hotmail.com” from a command prompt (this should work in a variety of Operating Systems). Currently, the addresses for these servers are mx1.hotmail.com, mx2.hotmail.com, mx3.hotmail.com and mx4.hotmail.com. If that doesn’t work, try connecting directly to the IPs. If you are able to connect directly to the IP and not mail.hotmail.com, then it is likely there is an issue with your DNS server.
How to change DNS servers on Ubuntu:
https://www.ionos.com/digitalguide/server/configuration/change-dns-server-on-ubuntu/
How to change DNS servers on Windows (Server 2019/2022 can use Windows 10 instructions):
https://www.ionos.com/digitalguide/server/configuration/how-to-change-dns-server/
15. Use an email tester
Double check all of your work so far using this free online email tester:
https://www.mail-tester.com/test-olfx40mfn&reloaded=1
Google Admin Toolbox has an MX checker tool that provides some helpful hints:
https://toolbox.googleapps.com/apps/checkmx/
For a really detailed review you can use CheckTLS:
https://www.checktls.com/TestReceiver
16. Report an email mislabeled as spam/phishing
Google/Gmail has an online form for submitting mislabeled emails that are being wrongfully blocked, blacklisted, or marked as spam:
https://support.google.com/mail/troubleshooter/2696779
If you send more than 100 emails per day to Google/Gmail addresses, it’s also a good idea to sign up for their free Postmaster Tools to monitor IP reputation and deliverability:
https://postmaster.google.com/
Microsoft/Outlook/Exchange has an online form for submitting mislabled spam/blacklisted emails here:
You can also login to a Microsoft account and contact their support here:
http://go.microsoft.com/fwlink/?LinkID=614866
You can also forward the rejected/bounced email to Microsoft’s delisting team: delist@microsoft.com
Lastly, Microsoft’s SNDS program allows you to monitor the “health” and reputation of your registered IPs by providing data about traffic such as mail volume and complaint rates seen originating from your IPs. This data is only provided for IPs which send more than 100 emails per day to Microsoft OLC accounts:
To register, please visit: https://sendersupport.olc.protection.outlook.com/snds/
17. Add an unsubscribe link
If your emails are marketing or mass emails, don’t forget to include an ubsubscribe link in your email. Letting people opt out of your messages can improve open rates, click-through rates, and sending efficiency. Check out Google’s guide here:
18. Fix your links and signature
If your signature contains a link, or you use short-links it could cause false spam-positives. For example, some individuals use URL link shorteners which can be misconstrued as an attempt to hide a malicious link/URL. Consider only linking text that contains the exact full URL they link to, and remove any un-necessary links.
19. Avoid attachments
Attaching files can cause false-positives, delay or prevent delivery. Consider using an upload service such as HiDrive Share instead:
20. Paid approval/delisting (not endorsed or personally tested)
Microsoft Outlook partners with Return Path, Inc. who helps ensure the legitimacy of certain senders via their Return Path Certification program. This program allows Outlook.com to exercise greater assurance about mail from certified senders in good standing. You can learn more about joining the Return Path Certification program here:
https://www.validity.com/everest/sender-certification/
UCEProtect is one of the stricter spamlists out there, with L1 listing possible from one misconstructed email. Every IP address temporarily listed as Level 1 blacklisting expires automatically 7 days after the last spam email from it hits their SPAMTRAPS. Although it’s not advised, it is possible to pay for quicker delisting after you’ve fixed the problem that caused the initial issue:
https://www.uceprotect.net/en/rblcheck.php
Microsoft themselves recommend that if you are blacklisted by UCEProtect to contact the remote email server administrator and tell them to whitelist you:
Our recommendation: Contact the server admin and tell them to stop using UCEProtect L2 or L3 listing, as these depend on the subnet, ASN, or ISP. Only L1 listing is caused by the individual server itself.