Bypass Gmail's spam filter (mails sent with PHP from a shared host)

Question

TL;DR: Mails sent from shared hosting (such as a cheap domain from Unoeuro or One.com) end up in spam. How to fix?

---

I made a mail-system, that first generated a PDF-file (using FPDF), whereafter it sent the PDF-file as an attachment with PHP's Swiftmailer. This email was sent out to 130 people (as a 'one-of' invoice). But it landed in the spam-filter for almost everybody. I tried adjusting SwiftMailers header-settings, but without any luck. Even mails that I haven't sent to before (thoroughly tested). This was my initial setup:

function sendMailEt($toEmail, $toName, $invoiceNumber){

require_once('includes/lib/swift_required.php');

$transport = Swift_SmtpTransport::newInstance('mailout.one.com', 25)
  ->setUsername('[email protected]')
  ->setPassword('THE-PASSWORD')
  ;    

$mailer = Swift_Mailer::newInstance($transport);

$message = Swift_Message::newInstance('FROM COMPANY')
      ->setSubject('Thanks for signing up - COMPANY')
  ->setFrom(array('[email protected]' => 'Company name'))
  ->setTo(array($toEmail => $toName))
      ->setBody('A brief body, that explains that this is an invoice and that it has to be paid within 5 days. (written in danish)')
      ->addPart('A brief body, that explains that this is an invoice and that it has to be paid within 5 days. (written in danish)', 'text/html')

   ->attach(Swift_Attachment::fromPath('/URL-TO-THE-PDF-FILE.pdf'))
  ;

$result = $mailer->send($message);
}

I also tried sending out the emails with PHP's native mail()-function, and then simply link to the invoice ( http://www.company-domain-name.dk/invoice/base64_encoded-name.pdf )... Same result (spam).

I tried writing the entire header myself. I've read a numerous amount of forums about what headers should include, but they all wrote different things. So I tried a few different things (both emails I had sent to previously and emails I hadn't)... Same result (spam).

Then I tried writing the header exactly as MailChimps does, in their header. That led me to this:

 $headers = "Reply-To: Company name <[email protected]>\r\n"; 
 $headers .= "Return-Path: Company name <[email protected]>\r\n"; 
 $headers .= "From: Message from Company name <[email protected]>\r\n"; 
 $headers .= "MIME-Version: 1.0\r\n";
 $headers .= "Sender: Message from Company name <[email protected]>\r\n";
 $headers .= "Content-type: text/plain; charset=\"utf-8\"; \r\n";
 $headers .= "X-Mailer: PHP". phpversion() ."\r\n";

And then I send the mail like this:

mail($toName . '<'.$toEmail.'>', utf8_decode('Faktura på depositumet'), utf8_decode($someMessage), $headers);

... Same result (spam).

The webspace is with One.com, so I can't use PHPmailer (since that has to be installed, and that can't be done on one.com's servers). And I can't define a SPF with One.com.

All I want, is to be able to send emails that doesn't go to spam.

Here are my questions:

1. Is it because my header is off, or is it something 'deeper down'?

2. Does the Gmail-spam filter ban single email accounts (such as [email protected]) or does it ban entire domains (such as @example.com)?

3. Can one get a blacklisted email whitelisted somehow?

---

* Addition 1 *

Ok... I have now tried a number of things:

• I tried adding LoneWolfPR's returnpath, like recommended, and it didn't help.
• I contacted One.com (the hosting company), and confirmed with them, that it isn't possible to set a SPF-record or a DKIM-record. It still isn't.
• I considered setting up an 'unsubscribe'-link, with a link to a website with a form, but I didn't believe that approach. I mean - invoices are sent all the time, with e-mails. And why should you be able to unsubscribe an invoice?! Since that made so far from sense in my head, then I only tried it for about 20 minutes (obviously, without results).

Here is my current email header (gotten from Gmail, by clicking the 'View original'):

Delivered-To: [email protected]
Received: by 10.76.75.104 with SMTP id b8csp48728oaw;
        Sat, 16 Mar 2013 17:32:56 -0700 (PDT)
X-Received: by 10.152.116.45 with SMTP id jt13mr7897860lab.0.1363480376067;
        Sat, 16 Mar 2013 17:32:56 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mail-out2.b-one.net (mail-out2.one.com. [91.198.169.19])
        by mx.google.com with ESMTP id p10si4637427lbb.120.2013.03.16.17.32.55;
        Sat, 16 Mar 2013 17:32:55 -0700 (PDT)
Received-SPF: neutral (google.com: 91.198.169.19 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=91.198.169.19;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 91.198.169.19 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Date: Sat, 16 Mar 2013 17:32:55 -0700 (PDT)
Message-Id: <[email protected]>
Received: from localhost.localdomain (srv18.one.com [193.202.110.18])
    by mail-out2.b-one.net (Postfix) with ESMTP id F3D0B10365
    for <[email protected]>; Sun, 17 Mar 2013 01:32:53 +0100 (CET)
Received: from 85.218.159.219 by www.DOMAIN-NAME.dk via URL_TO_THE_SCRIPT.php with HTTP; Sun, 17 Mar 2013 00:32:53 +0000
To: RECIEVERS_NAME <[email protected]>
Subject: EMAIL-SUBJECT
X-PHP-Originating-Script: 87486:NAME-OF-THE-SCRIPT-THE-E-MAIL-WAS-SENT-FROM.php
Reply-To: COMPANY NAME <[email protected]>
From: Besked fra COMPANY NAME <[email protected]>
MIME-Version: 1.0
Sender: Besked fra COMPANY NAME <[email protected]>
Content-type: text/plain; charset="utf-8"; 
X-Mailer: PHP5.3.21

Answer 1

1) Normally an email address won't go easily into a blacklist, it takes time and/or a lot of people to tag you as spammer to actually get that address into a blacklist.

2) Yes. A whole domain name can be blacklisted, because spammers normally generate random email addresses like [email protected].

3) It doesn't matter how many times it went to the spambox, basically, the spam filters nowadays are strong, because spammers try to improve their ways to get around day by day, so the filters gets more strict every day. If it goes into spam folder first time, and the user didn't actually put it into the spam box, it will continue going unless users unmark it, or you fix the troubles.

How to avoid spambox?

Basically you need some signatures, and a lot of access to your DNS records, because there is where we are going to do most of the setups.

• Reverse DNS Lookup: On dedicated servers or even on some VPS you are able to set up a reverse dns record, sometimes you just open a ticket and the IT's set it up for you. If you can't have it, change your hosting or keep being tagged as spammer xD. This is to preven header forgeries, as you could set on your headers that your email comes from gmail.com but it doesn't this is the way the email servers check it.

• SPF is a must have as well, if you can't set a SPF then don't even try any further, consider changing your hosting, and you can almost stop reading by here xD.

• DKIM/Domain Key: preferably DKIM, is a encrypted signature, you set the public key on the DNS, and store a private key in your email server, when a server receives an email, it has the private key attached in the headers (you need a mailserver software which manages DKIM, for windows for example it worked for me hmailserver) and the mail service (gmail for example) will check your dns record to see if the public key matches. This is almost a must have as well

---

Those three were the basics, if you Set up DMARC and ADSP it will get you better score for the SpamAssassins. To get a even better score search for some spam keywords lists on google and try to avoid them, some stuff like starting an email with "Dear xxx" are harmful for your score, Set up the unsuscribe system(even if it's crappy, as long as you provide a clear link) will help you a bit as well.

Also:

• Avoid sloppy html and white text over (any) backgrounds, some spammers use it to fit in hidden text, those filters are smarter than you think.

• Read the specific recommendations. Most email services have a FAQ or something in their website with some tips to help you sending emails and not going into the junk. on Some of them you can even apply for getting into a white list ( at least some years ago, on some services like gmail they don't do it anymore)

• If you are sending in bulk, watch the time! If you have X emails per second sent into somewhere, you are likely to get into blacklist, set up a script or something to get a 1sec delay or so, the delay might depend on the destinatary to get into the blacklist or not.

---

Hope those tips help you, I had to deal with some spam filters recently and it's a pain in the ass, that's why I know all that info, that's all my research xD Even after all the signatures and things I have set up, some of the emails are still going into spambox(a smaller percentage but it still hurts me) The only reliable way is to get the users adding you to the contacts list (while having the signatures and headers correctly), so remind them to do so if possible.