{"id":1742053,"date":"2026-07-17T07:47:48","date_gmt":"2026-07-17T05:47:48","guid":{"rendered":"https:\/\/blog.wedos.com\/?p=1742053"},"modified":"2026-07-17T07:47:50","modified_gmt":"2026-07-17T05:47:50","slug":"neposkozujte-reputaci-sveho-e-mailu-pri-automatickych-rozesilkach","status":"publish","type":"post","link":"https:\/\/blog.wedos.com\/cs\/neposkozujte-reputaci-sveho-e-mailu-pri-automatickych-rozesilkach","title":{"rendered":"Nepo\u0161kozujte reputaci sv\u00e9ho e-mailu p\u0159i automatick\u00fdch rozes\u00edlk\u00e1ch"},"content":{"rendered":"\n<p>Potvrzen\u00ed registrace, faktura, obnova hesla, notifikace z formul\u00e1\u0159e. V\u00e1\u0161 web rozes\u00edl\u00e1 e-maily nep\u0159etr\u017eit\u011b a bez va\u0161eho p\u0159i\u010din\u011bn\u00ed, a ka\u017ed\u00e1 jedna z t\u011bchto zpr\u00e1v p\u0159itom buduje, nebo naopak po\u0161kozuje reputaci va\u0161\u00ed dom\u00e9ny u Gmailu, Outlooku a dal\u0161\u00edch velk\u00fdch p\u0159\u00edjemc\u016f. Pr\u00e1v\u011b automatick\u00e9 rozes\u00edlky jsou nej\u010dast\u011bj\u0161\u00ed m\u00edsto, kde reputace ti\u0161e krv\u00e1c\u00ed: b\u011b\u017e\u00ed samy, nikdo je nekontroluje a chyba v nastaven\u00ed se n\u00e1sob\u00ed ka\u017edou odeslanou zpr\u00e1vou. V tomto \u010dl\u00e1nku si uk\u00e1\u017eeme, jak jednomu z nej\u010dast\u011bj\u0161\u00edch probl\u00e9m\u016f p\u0159edej\u00edt vlastn\u00edm DKIM podpisem, kter\u00fd si nasad\u00edte sami b\u011bhem p\u016fl hodiny.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Reputaci dom\u00e9ny p\u00ed\u0161e ka\u017ed\u00e1 odeslan\u00e1 zpr\u00e1va<\/h2>\n\n\n\n<p>Velc\u00ed poskytovatel\u00e9 schr\u00e1nek si o ka\u017ed\u00e9 odes\u00edlaj\u00edc\u00ed dom\u00e9n\u011b vedou sk\u00f3re: kolik po\u0161ty pos\u00edl\u00e1, jak \u010dasto ji p\u0159\u00edjemci ozna\u010duj\u00ed za spam, a hlavn\u011b jak spolehliv\u011b je ov\u011b\u0159en\u00e1. Dom\u00e9na, jej\u00ed\u017e zpr\u00e1vy pravideln\u011b p\u0159ich\u00e1zej\u00ed spr\u00e1vn\u011b podepsan\u00e9 a zarovnan\u00e9, si buduje historii d\u016fv\u011bryhodn\u00e9ho odes\u00edlatele. Dom\u00e9na, jej\u00ed\u017e po\u0161ta chod\u00ed neov\u011b\u0159en\u00e1 nebo se ov\u011b\u0159en\u00ed rozpad\u00e1 cestou, \u017e\u00e1dnou historii nebuduje, a v hor\u0161\u00edm p\u0159\u00edpad\u011b sb\u00edr\u00e1 negativn\u00ed sign\u00e1ly. U transak\u010dn\u00edch e-mail\u016f je to dvojn\u00e1sob citliv\u00e9: potvrzen\u00ed objedn\u00e1vky nebo obnovu hesla z\u00e1kazn\u00edk pot\u0159ebuje hned, a kdy\u017e skon\u010d\u00ed ve spamu, p\u00ed\u0161e v\u00e1m na\u0161tvan\u00fd na podporu.<\/p>\n\n\n\n<p>O tom, jestli se zpr\u00e1va po\u010d\u00edt\u00e1 va\u0161\u00ed dom\u00e9n\u011b k dobru, rozhoduje trojice SPF, DKIM a DMARC. A tady je kl\u00ed\u010dov\u00e9 slovo zarovn\u00e1n\u00ed (alignment): DMARC vy\u017eaduje, aby ov\u011b\u0159en\u00ed pro\u0161lo pro stejnou dom\u00e9nu, jakou m\u00e1te v adrese odes\u00edlatele (hlavi\u010dka From). Ov\u011b\u0159en\u00ed ciz\u00ed dom\u00e9ny je technicky platn\u00e9, ale va\u0161\u00ed dom\u00e9n\u011b reputaci nestav\u00ed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">H\u00e1\u010dek sd\u00edlen\u00e9ho hostingu<\/h2>\n\n\n\n<p>Sd\u00edlen\u00fd webhosting odes\u00edl\u00e1 po\u0161tu p\u0159es spole\u010dn\u00fd mailserver a ten zpr\u00e1vy podepisuje sd\u00edlen\u00fdm kl\u00ed\u010dem, tedy dom\u00e9nou poskytovatele, ne va\u0161\u00ed. Z pohledu DKIM je v\u0161e validn\u00ed, jen\u017ee podpis nen\u00ed zarovnan\u00fd s va\u0161\u00ed dom\u00e9nou ve From. Kredit za poctiv\u011b odeslanou po\u0161tu tak nesb\u00edr\u00e1 va\u0161e dom\u00e9na a jej\u00ed DMARC vyhodnocen\u00ed stoj\u00ed \u010dist\u011b na SPF.<\/p>\n\n\n\n<p>A SPF m\u00e1 zn\u00e1mou slabinu: nep\u0159e\u017eije p\u0159eposl\u00e1n\u00ed. Jakmile si p\u0159\u00edjemce nech\u00e1v\u00e1 po\u0161tu forwardovat (firemn\u00ed alias, star\u00e1 schr\u00e1nka p\u0159esm\u011brovan\u00e1 na novou), SPF kontrola u fin\u00e1ln\u00edho serveru sel\u017ee, proto\u017ee zpr\u00e1va u\u017e nep\u0159ich\u00e1z\u00ed z p\u016fvodn\u00ed IP adresy. Bez zarovnan\u00e9ho DKIM podpisu t\u00edm pad\u00e1 cel\u00e9 DMARC, zpr\u00e1va m\u00ed\u0159\u00ed do spamu a va\u0161e dom\u00e9na si p\u0159ipisuje dal\u0161\u00ed ne\u00fasp\u011b\u0161n\u00e9 doru\u010den\u00ed. Zarovnan\u00fd DKIM podpis naproti tomu cestuje uvnit\u0159 zpr\u00e1vy a p\u0159eposl\u00e1n\u00ed v drtiv\u00e9 v\u011bt\u0161in\u011b p\u0159\u00edpad\u016f p\u0159e\u017eije.<\/p>\n\n\n\n<p>\u0158e\u0161en\u00ed je p\u0159\u00edmo\u010dar\u00e9: podepisovat zpr\u00e1vy vlastn\u00edm kl\u00ed\u010dem a vlastn\u00ed dom\u00e9nou p\u0159\u00edmo v aplikaci, kter\u00e1 e-mail sestavuje. Sd\u00edlen\u00fd server pak p\u0159id\u00e1 je\u0161t\u011b sv\u016fj podpis, ale to v\u016fbec nevad\u00ed. Zpr\u00e1va sm\u00ed n\u00e9st podpis\u016f v\u00edce a p\u0159\u00edjemce si pro DMARC vybere ten, kter\u00fd je zarovnan\u00fd s va\u0161\u00ed dom\u00e9nou.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Krok 1: Vygenerujte si p\u00e1r kl\u00ed\u010d\u016f<\/h2>\n\n\n\n<p>Pot\u0159ebujete priv\u00e1tn\u00ed kl\u00ed\u010d (z\u016fstane u v\u00e1s na hostingu) a ve\u0159ejn\u00fd kl\u00ed\u010d (p\u016fjde do DNS). Vygenerujete je jedn\u00edm n\u00e1strojem, kter\u00fd je dnes v\u0161ude: OpenSSL. Na Linuxu a macOS ho m\u00e1te v termin\u00e1lu, na Windows je sou\u010d\u00e1st\u00ed Git Bash. Doporu\u010den\u00e1 d\u00e9lka je 2048 bit\u016f.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl genrsa -out dkim_private.pem 2048\nopenssl rsa -in dkim_private.pem -pubout -out dkim_public.pem<\/code><\/pre>\n\n\n\n<p>Priv\u00e1tn\u00ed kl\u00ed\u010d nahrajte na hosting mimo ve\u0159ejn\u00fd webroot (tedy ne do slo\u017eky, kam vede web, ide\u00e1ln\u011b o \u00farove\u0148 v\u00fd\u0161) a nastavte mu co nejp\u0159\u00edsn\u011bj\u0161\u00ed pr\u00e1va. Kdo z\u00edsk\u00e1 priv\u00e1tn\u00ed kl\u00ed\u010d, m\u016f\u017ee podepisovat po\u0161tu va\u0161\u00edm jm\u00e9nem.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Krok 2: Ve\u0159ejn\u00fd kl\u00ed\u010d do DNS<\/h2>\n\n\n\n<p>Ve\u0159ejn\u00fd kl\u00ed\u010d zve\u0159ejn\u00edte jako TXT z\u00e1znam na jm\u00e9n\u011b ve tvaru selektor._domainkey.vasedomena.cz. Selektor je libovoln\u00fd identifik\u00e1tor kl\u00ed\u010de, kter\u00fd si zvol\u00edte, nap\u0159\u00edklad web2026. D\u00edky selektor\u016fm m\u016f\u017eete m\u00edt kl\u00ed\u010d\u016f v\u00edce vedle sebe a v budoucnu je bez v\u00fdpadku m\u011bnit. Obsah z\u00e1znamu je ve\u0159ejn\u00fd kl\u00ed\u010d bez hlavi\u010dek BEGIN\/END a bez zalomen\u00ed \u0159\u00e1dk\u016f:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>web2026._domainkey.vasedomena.cz.  TXT  \"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC...zbytek kl\u00ed\u010de...IDAQAB\"<\/code><\/pre>\n\n\n\n<p>Z\u00e1znam p\u0159id\u00e1te v administraci DNS sv\u00e9 dom\u00e9ny stejn\u011b jako jak\u00fdkoliv jin\u00fd TXT z\u00e1znam (postup najdete v n\u00e1vodu <a href=\"https:\/\/kb.vedos.cz\/dns-zaznamy\/\" target=\"_blank\" rel=\"noopener\">DNS \u2013 Z\u00e1znamy dom\u00e9ny<\/a>). Nov\u00fd z\u00e1znam se prop\u00ed\u0161e b\u011bhem n\u011bkolika minut, pot\u00e9 si ho ov\u011b\u0159te:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dig TXT web2026._domainkey.vasedomena.cz +short<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Krok 3: Podepisujte v aplikaci<\/h2>\n\n\n\n<p>Te\u010f zb\u00fdv\u00e1 \u0159\u00edct aplikaci, aby odchoz\u00ed po\u0161tu podepisovala. Pokud pou\u017e\u00edv\u00e1te PHPMailer (dnes de facto standard pro odes\u00edl\u00e1n\u00ed po\u0161ty z PHP), m\u00e1 podporu DKIM vestav\u011bnou a sta\u010d\u00ed \u010dty\u0159i \u0159\u00e1dky:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$mail = new PHPMailer(true);\n\n\/\/ ... b\u011b\u017en\u00e9 nastaven\u00ed From, adres\u00e1t\u016f, obsahu ...\n\n$mail-&gt;DKIM_domain   = 'vasedomena.cz';\n$mail-&gt;DKIM_selector = 'web2026';\n$mail-&gt;DKIM_private  = '\/cesta\/mimo\/webroot\/dkim_private.pem';\n$mail-&gt;DKIM_identity = $mail-&gt;From;\n\n$mail-&gt;send();<\/code><\/pre>\n\n\n\n<p>Ve WordPressu nemus\u00edte zasahovat do \u017e\u00e1dn\u00e9ho pluginu. WordPress pos\u00edl\u00e1 ve\u0161kerou po\u0161tu p\u0159es PHPMailer a nab\u00edz\u00ed h\u00e1\u010dek phpmailer_init, kter\u00fdm podpis zapnete glob\u00e1ln\u011b pro cel\u00fd web, od notifikac\u00ed po formul\u00e1\u0159e. N\u00e1sleduj\u00edc\u00ed k\u00f3d vlo\u017ete do souboru functions.php va\u0161eho (child) motivu nebo do mal\u00e9ho vlastn\u00edho pluginu:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>add_action('phpmailer_init', function ($phpmailer) {\n    $phpmailer-&gt;DKIM_domain   = 'vasedomena.cz';\n    $phpmailer-&gt;DKIM_selector = 'web2026';\n    $phpmailer-&gt;DKIM_private  = '\/cesta\/mimo\/webroot\/dkim_private.pem';\n    $phpmailer-&gt;DKIM_identity = $phpmailer-&gt;From;\n});<\/code><\/pre>\n\n\n\n<p>Jedin\u00e1 podm\u00ednka: adresa ve From mus\u00ed b\u00fdt na dom\u00e9n\u011b, pro kterou jste kl\u00ed\u010d zve\u0159ejnili. Podepisovat vasedomena.cz a odes\u00edlat z gmail.com ned\u00e1v\u00e1 smysl a zarovn\u00e1n\u00ed nevznikne.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Ov\u011b\u0159en\u00ed, \u017ee to funguje<\/h2>\n\n\n\n<p>Po\u0161lete si testovac\u00ed zpr\u00e1vu do Gmailu a otev\u0159ete Zobrazit origin\u00e1l (Show original). V p\u0159ehledu naho\u0159e by m\u011blo sv\u00edtit DKIM: PASS s va\u0161\u00ed dom\u00e9nou a pod t\u00edm zpravidla i druh\u00fd podpis sd\u00edlen\u00e9ho serveru, co\u017e je v po\u0159\u00e1dku. V hlavi\u010dk\u00e1ch zpr\u00e1vy uvid\u00edte \u0159\u00e1dek Authentication-Results, kde hled\u00e1te dkim=pass a u DMARC zarovn\u00e1n\u00ed s va\u0161\u00ed dom\u00e9nou. Rychlou celkovou kontrolu odes\u00edl\u00e1n\u00ed (SPF, DKIM, DMARC i obsah) ud\u011bl\u00e1te p\u0159es slu\u017ebu mail-tester.com: po\u0161lete zpr\u00e1vu na vygenerovanou adresu a dostanete p\u0159ehledn\u00e9 hodnocen\u00ed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Zpozorn\u011bte, kdy\u017e se vrac\u00ed mailer-daemon<\/h2>\n\n\n\n<p>Vr\u00e1cen\u00e1 zpr\u00e1va od mailer-daemon (nedoru\u010denka) nen\u00ed \u0161um, kter\u00fd sta\u010d\u00ed smazat. Je to nej\u010dasn\u011bj\u0161\u00ed varovn\u00fd sign\u00e1l, \u017ee s va\u0161\u00edm odes\u00edl\u00e1n\u00edm n\u011bco nen\u00ed v po\u0159\u00e1dku, a u automatick\u00fdch rozes\u00edlek \u010dasto jedin\u00fd, proto\u017ee si jich jinak nikdo nev\u0161imne. Otev\u0159ete ji a p\u0159e\u010dt\u011bte si d\u016fvod odm\u00edtnut\u00ed: k\u00f3d 550 s hl\u00e1\u0161kou o neexistuj\u00edc\u00ed schr\u00e1nce znamen\u00e1 mrtvou adresu v datab\u00e1zi, zm\u00ednka o spamu, politice nebo autentizaci ukazuje na probl\u00e9m s SPF, DKIM \u010di DMARC, kter\u00fd je pot\u0159eba \u0159e\u0161it hned.<\/p>\n\n\n\n<p>Hlavn\u011b to aktivn\u011b \u0159e\u0161te, nep\u0159ehl\u00ed\u017eejte to. Opakovan\u00e9 odes\u00edl\u00e1n\u00ed na neexistuj\u00edc\u00ed adresy je jeden z nejsiln\u011bj\u0161\u00edch negativn\u00edch sign\u00e1l\u016f, jak\u00e9 o sob\u011b dom\u00e9na m\u016f\u017ee vyslat, tak\u017ee adresy, kter\u00e9 se trvale vracej\u00ed, z rozes\u00edlek vy\u0159azujte. A proto\u017ee automatick\u00e9 syst\u00e9my \u010dasto odes\u00edlaj\u00ed z adresy, kterou nikdo ne\u010dte, ov\u011b\u0159te si, \u017ee se nedoru\u010denky vracej\u00ed do schr\u00e1nky, kterou n\u011bkdo skute\u010dn\u011b sleduje. Ignorovan\u00e1 chyba v automatick\u00e9 rozes\u00edlce se opakuje s ka\u017edou dal\u0161\u00ed zpr\u00e1vou a reputaci dom\u00e9ny ukrajuje potichu, ale vytrvale.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">P\u00e1r tip\u016f na z\u00e1v\u011br<\/h2>\n\n\n\n<p>Podpis nastavte tak, aby jeho p\u0159\u00edpadn\u00e9 selh\u00e1n\u00ed neshodilo odes\u00edl\u00e1n\u00ed: pokud kl\u00ed\u010d chyb\u00ed nebo se podpis nepovede, je lep\u0161\u00ed poslat zpr\u00e1vu nepodepsanou ne\u017e neposlat v\u016fbec. Priv\u00e1tn\u00ed kl\u00ed\u010d dr\u017ete d\u016fsledn\u011b mimo webroot a nikdy ho nevkl\u00e1dejte do ve\u0159ejn\u00e9ho repozit\u00e1\u0159e. Selektor pojmenujte tak, aby nesl rok nebo verzi (web2026), rotace kl\u00ed\u010de je pak jen ot\u00e1zka vygenerov\u00e1n\u00ed nov\u00e9ho p\u00e1ru, p\u0159id\u00e1n\u00ed druh\u00e9ho TXT z\u00e1znamu a p\u0159epnut\u00ed selektoru v aplikaci, star\u00fd z\u00e1znam sma\u017eete a\u017e po p\u00e1r t\u00fddnech. A pokud m\u00e1te na dom\u00e9n\u011b publikovanou DMARC politiku s reportingem, po nasazen\u00ed vlastn\u00edho podpisu uvid\u00edte v reportech sami, jak se zarovn\u00e1n\u00ed zlep\u0161ilo.<\/p>\n\n\n\n<p>Shrnuto: automatick\u00e9 rozes\u00edlky jsou vizitka va\u0161\u00ed dom\u00e9ny a jej\u00ed reputace se p\u00ed\u0161e ka\u017edou jednotlivou zpr\u00e1vou, kterou v\u00e1\u0161 web ode\u0161le. Vlastn\u00ed DKIM kl\u00ed\u010d, jeden TXT z\u00e1znam a p\u00e1r \u0159\u00e1dk\u016f v aplikaci zajist\u00ed, \u017ee se ka\u017ed\u00e9 potvrzen\u00ed registrace, faktura i notifikace po\u010d\u00edt\u00e1 va\u0161\u00ed dom\u00e9n\u011b k dobru, p\u0159e\u017eije p\u0159eposl\u00e1n\u00ed a spolehliv\u011b doraz\u00ed tam, kam m\u00e1.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Potvrzen\u00ed registrace, faktura, obnova hesla, notifikace z formul\u00e1\u0159e. V\u00e1\u0161 web rozes\u00edl\u00e1 e-maily nep\u0159etr\u017eit\u011b a bez va\u0161eho p\u0159i\u010din\u011bn\u00ed, a ka\u017ed\u00e1 jedna z t\u011bchto zpr\u00e1v p\u0159itom buduje, nebo naopak po\u0161kozuje reputaci va\u0161\u00ed dom\u00e9ny u Gmailu, Outlooku a dal\u0161\u00edch velk\u00fdch p\u0159\u00edjemc\u016f. Pr\u00e1v\u011b automatick\u00e9 rozes\u00edlky jsou nej\u010dast\u011bj\u0161\u00ed m\u00edsto, kde reputace ti\u0161e krv\u00e1c\u00ed: b\u011b\u017e\u00ed samy, nikdo je nekontroluje a chyba &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/blog.wedos.com\/cs\/neposkozujte-reputaci-sveho-e-mailu-pri-automatickych-rozesilkach\" class=\"more-link\">Pokra\u010dovat ve \u010dten\u00ed<span class=\"screen-reader-text\"> &#8222;Nepo\u0161kozujte reputaci sv\u00e9ho e-mailu p\u0159i automatick\u00fdch rozes\u00edlk\u00e1ch&#8220;<\/span><\/a><\/p>\n","protected":false},"author":16,"featured_media":1742057,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1742053","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-spolecnost"],"_links":{"self":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1742053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/users\/16"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/comments?post=1742053"}],"version-history":[{"count":1,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1742053\/revisions"}],"predecessor-version":[{"id":1742077,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/posts\/1742053\/revisions\/1742077"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media\/1742057"}],"wp:attachment":[{"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/media?parent=1742053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/categories?post=1742053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.wedos.com\/cs\/wp-json\/wp\/v2\/tags?post=1742053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}