It became a self fulfilling prophecy. Our email would trigger a rule in big co's third party security app, which would then report to a centralized rule breaker clearing house automatically. Clients couldn't receive our emails, we would dive in, submit appeal to clearing house, get clear and a week later do it all again.
Everything was configured properly on our end. We passed all the online validation engines. IPs were our own personally owned block and pristine.
It became too much.
Switched to office365 and all problems magically disappeared. Sent emails to same big cos with third party email security and haven't had a single issue.
I was there for 10 years, and this was only a problem in the final ~2 years of my employment, which roughly lines up with your 4 years remark.
It's not about setting up perfect signed email and all the new techs. It's not about having the same clean IP for a decade. It's just the same old network effect combined with profit motive. The obvious change in the last few years (I've run a mailserver for 9) is managerial not technical.
In my humble opinion, leaving email to mega-corp alone can be a freedom risk, even if a small one.
People make a big deal of SPF/DKIM etc. I think you should, for the sake of best practice. But you can set yourself up with gsuite or Office 365 and pay no attention to these things, and you can fully expect mail to get through to everyone. You can even setup a broken SPF record that disallows office 365 email and for the most part, everyone will still get your email.
Things worked fine, but I think 2 years ago I realized that my e-mail started going to a spam folder. Fortunately adding SPF/DKIM appeared to fix it, but it feels like it is getting harder and harder now to have own mail server.
I would probably gave up, but it's infuriating to me that from courts rulings if your mail is handled by 3rd party, the 4th amendment no longer applies.
However if a domain signs up for Google Apps, magically you get whitelisted, even if you are handling your own email, funny thing that.
I guess Google's customers are just more trustworthy...
I wish. I've been having issues with being sent to spam when replying to a colleague on the same domain which is on Google. The email never left their servers, everybody was authenticated, and the emails were within an hour of each other, so it's pretty obvious that it's a reply. Still: off to spam it went.
We now have a filter rule to always consider our own domain as not spam, because it's just too unreliable otherwise.
In that time I've had a single incident (earlier this year) where spammers got it and sent 20k spam mails in less that 24h mails. Luckily I noticed this and stopped it pretty quickly.
I had mails to some destinations bounce for around a week after that.
Beyond that incident, it's very rare to have trouble delivering mail - I think maybe once in the past 5 years there was a company who I had trouble with.
Having said all that, the spam incident this year highlighted how fragile hosting your own mail server can be if things go wrong, and I felt really bad about the spam mails sent from my server - continuing to run it almost feels like a liability, and when time permits I plan to move our mailboxes to O365
People here are speaking about how gmail will "effectively spambox your mails by default". That's not been my experience (from setting up multiple small customers). Anyway, at least I've never heard of gmail just eating your e-mails. They either get rejected or accepted and put somewhere (maybe the spam folder, but at least somewhere).
Office365 / hosted Exchange / Outlook Protection or whatever is it called these days... they should be routed to /dev/null by everyone.
They just won't track your reputation unless you send them more than 100 mails per day. Does this sound bad? There's more: if they don't have reputation info from you (because they refuse to track it due to the low volume), your mails will go to spam inboxes even when their filters indicate that the message is not spam.
And there's more! Don't dare to ever get a bad reputation (i.e.: a user managing to get hacked and their account used to send a couple hundred spam e-mails before triggering your countermeasures). If this happens you are 100% fucked. Now they will DROP your e-mails. Hear, hear: their servers will accept your mails and just DELETE them. No spam folder, nothing.
You will try every possible thing: set up everything for their feedback loop, sign up in their "Smart Network Data Services" to track your reputation (it will be empty except for that day)... and finally contacting them at their sender support.
Do you want to know what they will reply? That you should be patient and let your reputation build up over time. What a joke! How on earth can your reputation improve when users cannot mark your mails as "not spam" because they (outlook, not the users) are simply DELETING them without a trace?
Oh, there's a way out of all this though: obtain a "Return Path Certification" [1]. That is, pay them an absurd amount of money and your mails are guaranteed to get to the users' inbox unless you are clearly spamming (all of the above assumed you are NOT).
Up to this final point you could think they just do their best and all that I've explained is collateral damage. That last "pay and we let you off the hook" is what clearly signals to me that this is an elaborate scheme to get small players to either pay them anyway or just give up and use a big-provider service.
[1] https://sendersupport.olc.protection.outlook.com/pm/services...
It's harder to sign up for a Gmail account than it is to register a domain and get some hosting. And Google has their own protections against sending large amounts of mail built-in. The system is as it is now because spammers will abuse it otherwise.
You don't have to throw out the baby with the bathwater (:
No real issues. Sure, you make it on a spam blacklist once in a while, but at least you know when it's going to be fixed, instead of dealing with zero response (or denial) from a big hosted mail provider.
Besides, not all of "our email" comes out of our office, our CRM and ERP products send mail on our behalf, and they have problems delivering mail more than we do.
a) a docker container (or other standardized, easy to deploy technology) with a "mail server in a box implementing best practices"
b) a test for the stuff that Docker can't cover like DNS config, ideally with scripts to set it up on the most popular providers and clear copy&paste instructions for the rest.
People shouldn't need to fully understand DKIM, SPF, etc. - they should just be able to click a button, copy&paste generated DNS records, and be up and running.
Otherwise, commercial providers are just the only option that makes operational sense for most cases, _even if you know how to do it right_, because doing everything right manually step by step is still to much work to be worth it in many cases.
None of this seems _hard_, it's just tedious.
It’s pretty good, I use it for my own server. It still requires some config, but better than running all the services from scratch.
Email has serious economies of scale and keeping such a critical system operational, on a small scale, was going to be some deal of stress.
So I just went with my hosting providers Plesk-fronted setup, which matches your para.3 description.
To me maddy would feel like sleeping on live electrical wires, only they are insulated by a thin layer of paper. Hope the isolation does not get scratched anywhere while you sleep. Even a non-dockerized, traditional setup like postfix+dovecot has better isolation.
A simple `docker-compose up -d` does the job. Then you just have to configure your records (SPF, MX, DMARC, ...) and it's all set.
A really nice work from the mailcow's team !
I oppose this. People should know what they are configuring. This applies to all stuff related to mailservers.
You probably learn more by setting it up the "hard" way (without containers) so that in case of failure you at least have a little insight in how the components work.
If it breaks, then you get someone else to fix it / get a better product is all they need to know.
Automatically checks DKIM, SPF and DMARC settings for your domain, comes with docker and can be upgraded by running a single script, and has a webgui and spam protection.
I have been running my own UNIX mailserver since 1997. I have consistently and loudly evangelized this practice, especially here on HN, and pushed back against the notion that it was too difficult or too time-consuming to implement and maintain one's own mailserver.
But ...
Having just recently made the major transition from relying solely on clean IP space and proper DNS records (which, in the last 18 months, has become increasingly untenable[1]) I have changed my mind.
I will continue to run my own mailserver, for activist, ideological reasons, but I must now agree that it is too difficult and complicated - and fragile.
In no particular order, some of the things that I find overly complex and disturbing are:
- The DKIM implementations are very, very over-engineered. I understand, in principle, why we want DKIM to be a pluggable component that can be used as a general building block in various implementations, blah blah blah, but there is no reason that DKIM can't just be a feature, with a corresponding blob of config lines, in sendmail or OpenSMTPd or whatever. Having to pkg-install, and track, and maintain, whatever DKIM implementation you choose, along with all of its various dependencies, etc., is a big truckload of complexity and fragility that I just can't see ever appreciating. And the irony ? A popular DKIM implementation is to use the bundled DKIM functionality built into rspamd (!) ... so it ended up being just a feature anyway.
- The whole SSL component ... I appreciate this, I understand this, and for many use-cases I just don't care. I don't currently need encrypted email and if someone makes a decision to disallow sending to addresses/domains that don't support it, fine. Of course, if all of gmail decides not to, now I have another giant truckload of complexity and fragility that I need to implement and maintain. My mailserver should be an extremely tight, stripped down host with as few packages and daemons possible[2]. Instead, I am now installing a big list of packages just so that letsencrypt can fire up a temporary web server to clicky click make my certificates[3].
- Now my mailserver is running a database (Redis) which is required to run rspamd, which is required to implement DKIM, without which I cannot send mail to yahoo.com addresses. True story.
So much complexity and fragility ...
[1] About 18 months ago yahoo.com stopped, with no errors or bounces, delivering mail from an 11 year clean IP with proper DNS/MX entries. I implemented DKIM and the problem is solved.
[2] My mailserver is a FreeBSD jail and previously ran only sendmail - and nothing else. Now I am running OpenSMTPd, rspamd, redis ... and once in a while I am running a webserver to communicate with letsencrypt.
[3] Speaking of letsencrypt ... requesting, generating and implementing SSL certs (even for use on the web) is simply creating, and trading, blocks of plain old ASCII text. I haven't looked into this, but is there an "expert mode" somewhere in letsencrypt where I don't have to run webserver instances and ... I can just run openssl command lines and cut and paste blobs of ASCII ?
I think of it as a process of punctuated equilibrium.
Every several years (or ten), it requires a flurry of activity to update to new preferred daemons, or new hardware.
Between these brief periods, everything is stable and solid. I don't have to think about it at all. In 25 years, I've rebuilt things 5 or 6 times. After the first few times, it has been more of a chore than an adventure, but it's still worth it to me, for now.
One development that might change my mind about that: Ubiquitous and non-vendor-dependent MFA. If email was not the security mechanism of last resort (or the skeleton key), then I might consider outsourcing it.
...
Re: Rspamd: It works well, but I did not enjoy the configuration effort. And yes, I never wanted Redis on my mailserver, but there it is -- along with an astonishing amount of RAM usage, which offends me in theory even if it has no practical impact. On the positive side, after the initial few hours of effort to get things set up, I have spent zero hours maintaining any of it, so I can't reasonably complain.
Re: letsencrypt: I use dehydrated for certificate renewal, and I run a temporary webserver as you describe. Not a full dedicated webserver package, just python (or ruby) which is already installed. It's launched from the same script that automates the license renewal. Not elegant, but adequate. You could probably get away with netcat.
Of course you can validate by DNS instead of HTTP. But that's not always convenient either.
I think you are correct and this is a decent description of how this has worked.
I don't begrudge the every 5-10 year burst of activity/implementation. What I begrudge is the increased complexity. We're both talking about Redis as a hard requirement for rspamd which is the typical recipe for implementing DKIM which is required for email. That's a lot of moving parts.
Currently I'm using postfix, dovecot, and rspamd, with several users using pine and mutt locally. Every time I do a major server upgrade, I re-evaluate the configuration.
My mail server also runs a web server for some static sites, so the letsencrypt part was simple.
Regarding letsencrypt, you can use DNS challenges. See https://letsencrypt.org/docs/challenge-types/ .
If that happens on the wrong email provider you're out of luck. One of the mail servers I have a hand in has been blocked by one of those difficult providers for the past 2 months and we sent them 4 mails/week before the block on average :)
I have DKIM set up just fine without running Redis or rspamd so this part is purely down to your choices.
> Speaking of letsencrypt
Let's Encrypt is a website/service. There are many clients and you can write your own. At some point Let's encrypt will need to verify that you control the domain so you will need to be able to either host something via HTTP or have sufficient dynamic control over the DNS server. Neither DNS nor HTTP needs to be hosted on the same host as your mail server though.
Postfix+opendkim+opendmarc works fine and it is very simple to setup as well.
There are all valid points and I question my decision to run my mailserver, but in the spirit of the Internet I continue to do so.
Let's Encrypt provides an ACME service. So, you will want to (run something that can) speak ACME, a somewhat RESTful HTTP API documented in RFC 8555 - https://tools.ietf.org/html/rfc8555. You can use a web service to do this part, but then you're relying on some random web service and you have to manually do a bunch of steps to renew at least every 90 days which I'm going to assume you agree sucks.
There are lots of people who have built such tools that can look after this for you automatically, perhaps you would like https://acme.sh/ which as its name might suggest is a shell script.
Let's Encrypt offers three of the (increasingly misnamed) Ten Blessed Methods, you can prove control over a DNS name by doing any of these three things:
1. Running an HTTP server on port 80 which can answer certain well-known requests in a specific way acknowledging your ACME keys. This server needn't have any privileges, acme.sh can help you spin one up that will basically say "Yes, rsync is allowed this certificate" for any request. Except instead of "rsync" it's a key only you have, so your server answering this way never helps any bad guys so long as you keep your ACME keys secure. [You may not be aware you have "ACME keys" the software you've used probably just minted some and squirreled them away in a dot directory]. With that server in place, your requests for a certificate for that name will always work, because the key matches, Let's Encrypt will call your server, make up a random nonce and ask if that's authorised and for who, your HTTP server will always answer "rsync is authorised" so it works, tidy.
2. ALPN on port 443. A TLS server answering port 443 can accept a special ACME-only ALPN protocol choice from the Let's Encrypt servers and use that to prove control. You almost certainly don't want this unless you implement web servers (which run on port 443 with TLS already)
3. DNS queries for a magic name that can't be a hostname. The queries ask for _acme-challenge which has an underscore in it. Underscores are allowed in DNS but can't be hostnames, which is fine because this isn't a hostname. Your ACME client will need to write to DNS, it can either have a way to write to your actual DNS, or you can use a CNAME to redirect the names you need to another DNS server and give the ACME client control over that. [Edited to fix DNS name mistake]
You can insulate the ACME client from the server completely with either the trick I described in (1) or using DNS like (3) and using a Certificate Signing Request, CSR, which is one of the many ASCII text blobs you can get from OpenSSL. If you're comfortable re-using a private key for longer periods than the 90-days assumed in Let's Encrypt (a 2048-bit RSA key seems safe to me for the usual lifetime of a mailserver) you can even re-use the same CSR again and again to request each new certificate without sending any data from the mail server to the system calling Let's Encrypt.
You will need to arrange to get each new certificate installed (the private keys don't change in this scenario). But certificates are public documents, if it came to it the mail server can (this is very silly but it would actually work) just wait until 24h after the certificate should have been issued and then go get it from https://crt.sh/ -- In reality you can probably find some sensible way to get this public information back to the mail server each time the certificate is renewed.
P.S. I'm coming out with a fully-fledged email service built on top of my R&D with Forward Email.
(This is the first time I've become aware of Forward Email despite having run my own forwarding email server for years -- you should do more/better marketing/outreach!)
And we're completely open-source, store zero logs, and store zero metadata too. All source code is on GitHub as well.
I formerly worked at DuckDuckGo, and take privacy very seriously.
Privacy Policy: https://forwardemail.net/privacy Terms: https://forwardemail.net/terms
You can delete your account at any time.
Reading through the about and FAQ they also seem to be driven by decent principles.
In my organization we have ~10 linux VM and they are all configured to send email to an exim MTA. For example monitoring stuff. The system mail name is set to vmName.srv.domain.name (domain.name is replaced by our actual domain and this resolve to a local address) so it's quite common to receive mail from root@vmName.srv.domain.name. This cause no issue when it's delivered to the local Cyrus server but when it's transfered to a Gmail address for some reason Gmail reject the email because the headers are bad.
I am considering rewriting the address to user.vmName.srv@domain.name in exim when receiving email from local VMs and I am wondering if this could be a bad idea.
I'm going to redo this mail server from scratch soon because it has been left untouched for something like 6 years. Some software was compiled on it with shared libraries which then were updated but the software was not recompiled. It's a dumpster fire and I'm actually surprised most of our emails seem to go through.
I would also add to the article that's it's a good idea to have some rate limit on outbound email, outbound email spam checks and to check that the user sending email has the right to use that address.
Each user can also have many alternative addresses that map to an unique mailbox
Those mailings lists are used a lot internally and managed with internally developed tools. This make migrating to an external service difficult.
That's the classic example of some critical piece of infrastructure that nobody dare to touch because it works... until it doesn't anymore.
That's why we don't use external services to receive email. I'll consider using mailJet if setting up exim & related stuff correctly to send email in 2020 proves too painful.
@vmName.srv.domain.name is not configured so it goes to spam.
I'll do it though i'm not FastMail!
I'm working on a SES backed email client so SES takes care of deliverability (assuming the user does the basic DKIM, MX, TXT set ups) so it will work out much cheaper to send and receive mails than a FastMail/GSuite type solution.
Plus you'll get unlimited disposable emails for free, a shared inbox (if you want to share an inbox with your family to help stay on top of every one's schedules, for exam), and while the client I have built is pretty rudimentary, i'll be adding bells and whistles to make it better.
Github @ https://github.com/saiorama/ses-email-client Landing page to submit a request @ https://shared-inbox.landen.co/
Note to others - I'm open to collaborating to take back email from the big guys. Hit me up via Github.
If the point is to take back email from the big guys, building on top of AWS SES seems to do exactly the opposite of that.
It's built on a completely proprietary service, which you have very little control over. If you're having issues with it, you're SOL unless you're paying for an AWS Support Plan, which is already well over the cost of Fastmail etc.
And on top of that, now you are stuck on a specific web email client as well, instead of POP, SMTP and IMAP which all of email has been running on for decades.
Some mail delivery systems start to notice that your domain name is being used as part of a lot of spam / bogus emails, so you can have perfect IP history / no spam and STILL start triggering some random filters (no big players but smaller protection product filters).
So the game must be absolutely never ending for everyone and the inbox a valuable target - especially now that unsolicited phone calls really do seem to get ignored these days - I feel like spammers killed the golden goose on phone calls and the telcos let them.
I will say DKIM / DMARC is working well, except google (which we now use for outbound) gives us transient SPF errors even though we are 100% using their IPs. Not sure why that is (ie, SPF failure on an IP that should clear)
Ie, if you are paying for google apps, have credit card on file, meet their rate limiting rules for outbound with SPF / Dkim etc then you are probably OK. Some random IP doing direct mail? Much less likely to be OK.
Given govt has done such a bad job in this space, these big corps are essentially picking up the slack / trust that you'd normally say govt was responsible for. Gives them a metric ton of power, and they don't tax so have no money to provide any corresponding service.
I worked at a SaaS company that had about 50 sales reps. They were sending emails day and night, eventually getting the main corporate domain flagged. The product's transactional emails (signup, confirmation, etc.) would be flagged as spam, until we moved them to their own domain.
Sometimes when businesses send sensitive documents they use a third party "secure" service, if the realtor's domain isn't configured correctly (common) to allow that third party to masquerade, it would correctly be flagged as spam.
Plus I get actual spam (and even generated blackmail) with personal information in it (inc. old passwords), farmed from one of a dozen service break-ins over the last 20+ years (thanks Adobe, amongst others).
Trust me when i say you can have a 100% flawless email setup in every technical respect (the full works from this article and more) and still end up spam boxed by Gmail approximately 100% of the time.
Conversely, people that Gmail feels are important wont get spamboxed for minor technical reasons either...
(Microsoft actually offer a custom domain email solution for families that doesn’t charge per user provided you host your domain with GoDaddy, but it has some limitations, eg with respect to aliases, so that wasn’t quite right for me.)
I did so with some trepidation, having been told by multiple people that I shouldn’t. Maybe I got lucky and had an IP with good reputation, but I was able to send mail to Gmail, Outlook, Yahoo and specific email lists after a few rounds of configuration.
The only problem I had was with Apple’s iCloud email, but engaging with ProofPoint soon fixed that.
Overall it wasn’t too bad an experience. I’d class myself as beginner level in that I’ve done this for myself ages ago (but never in a professional capacity).
Just leaving this anecdote out here as a small counterpoint to all the horror stories out there. If you’ve got an IP address with a poor reputation I can imagine it’d be a much more difficult exercise.
github.com/sovereign/sovereign
I was an early contributor to Sovereign and used it for many years, but I found that we kept adding features to it and it got too large for my liking. Now I use docker-mailserver:
Yet, my IP address predictably ends up on Microsoft's "blacklist" every two months or so because of "spam behaviour or user complaints". I am rather sure that neither is true. Every time I have to fill in their appeal form, get unlocked immediately but have to do the same dance again two months later.
They have every right to reject a mail server but at least they shouldn't lie about the reason. My server's IP address gets blacklisted again and again even during months I don't send any mail to Microsoft addresses.
I'm also trying to build my own email client for SES @ https://github.com/saiorama/ses-email-client. Happy to collaborate in case you want to work on this issue.
- It's a hobby and I enjoy it
- It like fiddling around with advanced features, like wildcard addresses, server side filtering (via dovecot-sieve), and other fun stuff. For instance, a friend once was mulling on facebook on detecting tone of email and rejecting ones that were too mean. I made a simple python script that attempted this and had her try it out. It was funny. (See previous point about hobby)
- I figure that being on your own server you're at least slightly less likely to be a victim of a big internal platform hack like twitter's recent one, or state-run ones.
- It feels slightly badass.
I don't recommend it to people who don't want to do it for fun.
* Setup ARC (RFC8617) for all mailing lists and forwarding.
* Sign up for the Google & Microsoft postmaster tools. They're not great, but it's better than nothing.
* Implement RFC8058 / RFC2369 unsubscribe mechanisms.
* Use an outbound suppression list to ensure that unsubscribe requests or unwanted mail complaints have lasting effect.
* Article touches on DMARC reporting, for which I suggest Postmark's free monitoring tool at https://dmarc.postmarkapp.com/
* From time to time run your domain name(s) and IP address(es) through a panel of reputation services. Check out any red flags (some of them matter, some don't).
And for content:
* Re-evaluate email templates. Many out there are hot garbage, practically inviting users to hit the junk button, which just hurts sender reputation. Ensure there's always a plaintext part. Don't use tracking/opening pixels. Write validating HTML. Minimise size. Don't bury the unsubscribe link, put it at the top, and make sure it clearly works without hostile barriers like "are you sure" pages or sign-in.
* In the very first paragraph, and without scrolling on a mobile, we must explain, honestly and concisely, why we are contacting someone, and why they might want to read the rest, because we have no entitlement to someone's attention.
* Run all mailers through a spam scoring tool as part of CI/CD, because a high score is a bug.
In addition, Google's sender guidelines are well worth reading, they're more than just self-serving gatekeeping: https://support.google.com/mail/answer/81126?hl=en
Almost more important than monitoring failed logons, monitor successful logons, for instance by country. If it is a small mail server, chances are your users are in a handful of countries. If you suddenly see a successful logon from vietnam or brazil, you probably want to be notified ASAP.
This year though, most of my dodgy SMTP traffic is coming 3 new problem children - Gmail(spam), Amazon(spam, other) and Microsoft Azure(other).
"Other" here is anything besides spam, like dictionary attacks, transactionless connections or service probes.
The idea was to accept emails sent to a unique, per-user address and forward all attachments to the user’s cloud storage account.
I looked into using mail services like SES and Mailgun, but given the average expected email size and the fact that I would primarily receiving mail, the additional cost didn’t make sense. Along the way, I ended up learning quite a bit about Postfix filters, virtual domains, SPF, and DKIM.
I also learned how quickly spammers can detect open relays. Apparently, while copy-pasting a config from somewhere, I had a slightly incorrect 172.x subnet listed as part of “mynetworks”. As a result, a spammer with a machine belonging to this subnet was able to use my server as an open relay. Long story short, it took me quite a while to root cause the issue and get my domain off the blacklists!
Sorry for going off topic but everyone should host their own web site(s) and stop putting their content on other people's platforms.
* Docker-based e-mail setup, with comments about their experience, like https://github.com/tomav/docker-mailserver (which incidentally IIRC was recently looking for a new maintainer).
* ...ideally that would have one host running SMTP facing the big bad public Internet and therefore minimalistic, and a separate more isolated host that runs the IMAP server. (My current setup does that with, looking for hints but perhaps I have more to share than to learn this time.) -- https://foxcpp.dev/maddy/ mentioned in this conversation may simplify things but with IMAP and SMTP inside one process you'll get a hard time doing this separation, not a good point for security.
* perhaps advanced mail routing like user-selectable option to automatically create mailboxes, per mailing-list and envelope address, although technically we could start another conversation about this. (My current setup does that, looking for hints but perhaps I have more to share than to learn this time. One pain point is many senders generate uninformative List-Id or even change them at each message, even Mozilla for example, making things messy.)
My current setup runs Postfix for SMTP on one host, doing all the rejection of spam and forwards approved messages via LMTP to another machine holds the private mailboxes contents to be served via IMAP by Dovecot. Plus custom recipient delimiter instead of the traditional "+". And all point above except being Dockerized.
It’s not worth the pain.
Many things on that list are not necessary to get emails accepted by the big players. There are many email servers with bad or outdated configurations that still work. To keep emails flowing to outlook/hotmail/live etc you need to sign up to SNDS and their junk mail reporting program and if you haven't sent emails there regularly enough to maintain a reputation expect to be blocked for no reason. If that happens there are ways to escalate the issue.
The basics you must do is secure your email server. Don't relay email. Have all senders authenticated over secure connection. Web email forms are a bad idea. You don't want to have to recover from being on everyone's block list. If you do any sort of mass mailing you would probably be better off moving it to a specialised email marketing platform. I handle some application related emails myself and you have to be prepared to check delivery problems and follow up. The ones I do are B2B, opt-in, relatively low volume, small number of business email systems who can whitelist and are expecting emails which is just about manageable.
The bare minimum to be a good email sender is to have your mail name, hostname and reverse ip all match up and to advertise SPF. I would recommend also signing with DKIM, advertising a DMARC record as these are very widely checked and not that hard. They generally will give a slight negative spam score although the downside is you get the occasional business that doesn't know how to configure their mail system to work with third party filter (eg mimecast). They may reject emails according to your dmarc policy for correctly recognising that your email has been intercepted and tampered with but usually those sort of mistakes get discovered and fixed. If you use an intermediary like this to validate your emails you have to turn off validation of these things on your own server.
It probably won't be long until MTA-STS is as widely supported by big emailers and used as a reputation signal so it doesn't hurt to set up a sensible cipher suite and a certificate on your server even if you don't care if emails are sent over tls or not. These addons are mainly a hassle because they all rely on dealing with lots of separate services - mail servers, certificate authorities, web servers, dns servers but this is because smtp didn't anticipate the abuses of the modern world.
I have dnssec and DANE as well but it is just for my own amusement like trying to collect all the moons in Mario Odyssey. No big email providers even look at it as far as I know.
