Improve mail SPAM reputation

My outgoing mail from this service has a SPAM score of 6/15 (lower is better).
The score is calculated in this way:

  • HTML_SHORT_LINK_IMG_1 (2): remote content (links to images stored in my Bitwarden instance)
  • MISSING_MIME_VERSION (2): “MIME-Version” header is missing from MIME message
  • MIME_BASE64_TEXT_BOGUS (1): there is text encoded in base64 that does not contain any 8bit characters
  • MID_CONTAINS_FROM (1): “Message-ID” contains “From” address
  • MIME_BASE64_TEXT (0.1): there is text encoded in base64
  • MIME_GOOD (-0.1): Content part is ok
  • Other parameters with a score of 0

An example mail looks like this (can’t attach text file):

Return-Path: <bitwarden@example.org>
Delivered-To: user@example.org
Received: from example.org
	by ExampleORG with LMTP
	id vb74Jh1//19FEwAAUprYAg
	(envelope-from <bitwarden@example.org>)
	for <user@example.org>; Thu, 14 Jan 2021 00:15:41 +0100
X-Original-To: <user@example.org>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
	s=r; t=1610579738;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:content-type:content-type;
	bh=+pJwRCrL5OCaYf+yFOX4GlJSm5M1hWaImHBTUSQkJm8=;
	b=TzK5HcwFTdrplC/thCZmJLqnw5iDOvidfmoJBcx+wRgM2pr9ha8RcdBrBLoqGcIoNahbfn
	DqL/2VYP1Bt2dPaAgGvTKI9s7ijB3GsYirHVJI8Dvs+1HUHlei6vbmNh4kB5/+VVaqNLA5
	TTfT6Wt4S1ZT6f9s44NWmtIP5zrNG1jWc4onyCsUJOFt21U/CauzVo5at5YUFeJH5VV5pe
	VkWSGpGOyZDD4+nLm7QN4fyou1wc15yCUa0h5MbbDr9qPuNv5BcbdfSyZuOATQD1yuQ2ZM
	5f3Xe83PPVj/GgjhNzpLl/lBDvhSn2MxF5XcDUwt8CUWHxemAxKAsI6/AEr5SA==
Message-Id: <1e90339fa1c844109dd9b5341e091ffd.bitwarden@example.org>
To: user@example.org
From: Bitwarden | ExampleORG <bitwarden@example.org>
Subject: New Device Logged In From Browser
Date: Wed, 13 Jan 2021 23:15:36 GMT
Content-Type: multipart/alternative; boundary="_Part_1e90339fa1c844109dd9b5341e091ffd_"
X-Spam: Yes

--_Part_1e90339fa1c844109dd9b5341e091ffd_
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=utf-8

--_Part_1e90339fa1c844109dd9b5341e091ffd_
Content-Transfer-Encoding: base64
Content-Type: text/html; charset=utf-8


--_Part_1e90339fa1c844109dd9b5341e091ffd_--


Not related to SPAM, but how can setting “SMTP_DEBUG=true” show the password? Aren’t they encrypted client side?
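As an added example (not from the thread or from bitwarden_rs), a small Python check that runs the listed heuristics over a constructed message before it is handed to the MTA; the symbol names come from the score list above, and the sample addresses, Message-ID and body text are made up:

```python
import base64
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reproducing the header/body problems reported above;
# addresses, Message-ID and body text are made up, not taken from real mail.
SAMPLE_MAIL = """\
Message-Id: <abc123.bitwarden@example.org>
To: user@example.org
From: Bitwarden | ExampleORG <bitwarden@example.org>
Subject: New Device Logged In From Browser
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset=utf-8

""" + base64.b64encode(b"A new device logged in.").decode() + "\n--b1--\n"

# Same mail with MIME-Version added and a Message-ID that no longer embeds
# the From address (the two header fixes discussed in the thread).
FIXED_MAIL = "MIME-Version: 1.0\n" + SAMPLE_MAIL.replace(
    "<abc123.bitwarden@example.org>", "<abc123@example.org>")


def lint_outgoing_mail(raw: str) -> list:
    """Return the listed spam symbols that a raw RFC 5322 message trips."""
    msg = message_from_string(raw)
    hits = []
    # MISSING_MIME_VERSION: every MIME message must carry this header.
    if msg.get("MIME-Version") is None:
        hits.append("MISSING_MIME_VERSION")
    # MID_CONTAINS_FROM: the example mail's Message-ID ends in the literal
    # From address, which is what the heuristic looks for.
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr and from_addr in (msg.get("Message-ID") or "").lower():
        hits.append("MID_CONTAINS_FROM")
    for part in msg.walk():
        if (part.get_content_maintype() != "text"
                or (part.get("Content-Transfer-Encoding") or "").lower() != "base64"):
            continue
        hits.append("MIME_BASE64_TEXT")
        payload = part.get_payload(decode=True) or b""
        # MIME_BASE64_TEXT_BOGUS: base64 is only warranted for 8-bit content;
        # a payload that is pure 7-bit ASCII did not need it.
        if all(byte < 0x80 for byte in payload):
            hits.append("MIME_BASE64_TEXT_BOGUS")
    return hits
```

Running it on SAMPLE_MAIL reports all four symbols; FIXED_MAIL keeps only the two base64 symbols, matching the thread's conclusion that the encoding stays while the two header problems are fixable.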

I will see what we can do about these spam triggers on our side.
There are also some changes to the mail library which aren’t finalized yet and which can help with this.

Regarding the disclosure of sensitive data:
Well, SMTP is a plain-text protocol, including auth. This information could also be displayed in the SMTP logs, that is why. Besides other information like username, host etc…

Oh ok, so you were referring to SMTP credentials, not Bitwarden users’ passwords, got it.

I’m currently updating the mail code.
I don’t know why your mail doesn’t contain the Mime-Version header, but it should have that.
Maybe you are using an older version of bitwarden_rs which does not have some other changes; in all my tests it has this MIME header.

I did fix the Message-ID, so that should at least be 1 point less.
Regarding the Base64, that is not going to change; we had some strange issues without Base64 encoding which caused broken links or e-mails not being visible in some clients.

And the HTML_SHORT_LINK_IMG, that is probably because you have a very short DOMAIN, I think.
Also, that is not something we can fix unless we embed the images, which could be an option, but not something I will add right now.

I don’t know why your mail doesn’t contain the Mime-Version header, but it should have that.

Just checked, it was an MTA misconfiguration on my side.