I'm working on a product where we use SendGrid.com so send system e-mails to our customers end users. These e-mails origniate from our own domain - let's call it ourdomain.com. This is done by going through SendGrids' authenticated domain flow to set up DNS-records to validate the domain.
Several of our customers have asked if we can send the system e-mails from their own domain. E.g. they would like if e-mails sent from the system was sent on behalf of #customerdomain.com.
The question is - how do I set this up in SendGrid so that we can deliver DNS-settings to the customers?
I really don't want this to be a manuel proces as we might have hundreds of customers who wants to use their own domain. I've tried reaching out to SendGrid support, but they basically keeps linking to this page: https://docs.sendgrid.com/ui/account-and-settings/how-to-set-up-domain-authentication. This is what we've done for our own domain, but this isn't really a viable solution if we need to handle hundreds of domains from different customers.
Does anyone know if the process can be automated via the SendGrid API? Something like this perhaps:
The customer creates an account with us (domain: customerdomain.com)
We call SendGrids API saying "create domain validation for domain customerdomain.com"
We get back the DNS entries the customer (owner of customerdomain.com) needs to enter into their DNS setup
We start sending e-mails with the FROM-address set to something#customerdomain.com
Maybe I'm looking in all the wrong places, but I simply can't figure out how to do this the right way.
Any help will be greatly appreciated!
Related
I'm currently running a SAAS application and mails are being sent from our application using Mailjet.
Some of the larger customers have been asking to allow the emails to be sent from their domain (e.g. info#largehotel.com) instead of our system (notifications#saasapp.com).
Are there any initial pointers I will need to look at? I'm guessing they will need to add our SPF records to their SPF records too and that they will need add a DKIM key that we generate for them to add to their records too? Then do some validation on them on the DNS level and mark them as validated?
I have some understanding to have customers run their own domain against our SAAS domain but a bit lost on the sending from their email domain requirement.
First, for the record, my SaaS platform does this (vía option 2b). It’s an e-commerce marketplace and I need the receipts to be sent from the email address of the product seller, not from me (the marketplace)
You have two(ish) options
Send email through your client’s mail servers (instead of mailjet)
Verify the client’s domain on your Mailjet (or similar email) service
option 1
With option 1, you’ll need to ask your client’s IT team to setup a username and password for you to access their SMTP server. This is essentially just like them creating an email account for you to use. This may seem like the easiest path available for you, but there are potential pitfalls and disadvantages:
Doing this, you will lose the mail open/click/bounce tracking functionality you get with mailjet; because you’ll be using the company’s SMTP server instead.
If you’re sending out as a fairly common email address (eg info#your-client.com) the client may already have that account active on their mail servers. That would allow them to receive replies into the existing infrastructure but make them wary of the security issues with sharing a password to their mail server with you.
You might find that they don’t even have the ability to give you a username and password. Modern mail services don’t allow for SMTP access (which is what your web app will need); and security conscious companies require 2 factor authentication on mail accounts (which your web app can’t answer)
Option 2
For this, you will need to ask their IT team to configure some DNS records to prove to mailjet, and to the email recipient, that you’re allowed to send on behalf of your client.
You did this for your own domain when you first setup mailjet. See https://app.mailjet.com/support/how-to-add-a-sender-address,96.htm for what this involves, but it’s a case of asking the client to configure a DNS record.
That tells mailjet that you’re allowed to send on behalf of that domain; but you’ll also want the client to adjust their SPF and DKIM records so as the recipient of the emails knows to trust Mailjet’s servers with emails sent from your client’s domain name. Normally, recipients only trust email sent from your client’s mail server (which you have as option 1) and distrust email sent from SAAS providers.
You will (or should) have done this on mailjet for your own domain already as well. https://app.mailjet.com/docs/spf-dkim-guide
So for this, you’ll need your client to setup 3 DNS records.
If you go this way, you could setup a separate Mailjet account which they and you have access to. That way they ca see their dashboard directly and feel a sense of ownership and security around it. But you won’t be able to markup the price of it 😜
Conclusion
How important is the tracking? If you can’t lose that you need to go with option 2.
How technically savvy is the client? Are they going to be able to have those DNS records changed? Are they going to be (rightly) security conscious around giving you an account on their main mail sever.
Option 2 would be my preference. You might need to hold their hand through the DNS setup so get it configured on Mailjet (And ask about SPF in here to make sure you get it right) so you can provide them with clear instructions of the specific 3 DNS records to create/update.
Whatever approach you take make sure you’re talking to the right people at your clients side soon. Their marketing team may be keen to do this with you, but if their IT feels left out of the conversation they will be difficult to get on board when you need them to make the changes. Us IT folk can be grumpy and obstinate 😀
your web app
This is going to need some adjustment. You probably already store your Mailjet credentials in a file or environment variables; these might need to move these to a dB table so you can relate credentials with specific accounts. But we’d need more info on the web app to be able to speak more to that side of the challenge.
option 2b
just as a note instead of a real suggestion. Be aware that some email service provers allow the sending verification part to be done by sending an email to someone on that domain (eg admin#yourclient.com) and then allowing sending vía the API if the recipient clicks on the approve link on that email. But, even with that setup you still need the client to configure SPF and DKIM on their DNS, so the extra one record isn’t a big ask. AWS’s SES allows for this. This works for me; but I have different requirements around deliver ability, and a large number of non-tech users (as opposed to your one or two big clients)
you can ask your client to generate programmatic(app key/password) user for email need to use for example info#largehotel.com and some other info like (host:gmail, protocol: smtp,...) all basic info needed then in your saas retrieve all this info to create object with client info that you stored before to send email for the target (from developer prospective non network engineering )
The SPF is the most important think to do. In most cases you have to be very careful about the IP reputation, but since you are using Mailjet it's up to them to manage this part.
Be attentive to the overall quality of the email, text/image ratio... Also offers a text body version of the content and dont forget the unsubscribe link. Since you already send emails with your service, I guess it's points are already correct.
My company is developing a cloud contact management service and on our iOS app we're having some problems launching a particular enterprise email client app when the user presses the "Email" button on one of their contacts.
One member of our team came up with an idea to get around the problems with this enterprise app:
We let the user specify their email address in the app's settings and create our own email composing screen. Tapping the email button on a contact would open the composing screen, they would write their message and then we would send it on their behalf from our servers (or via service like mailchimp).
Basically, this would mean we would have to create an endpoint on our api that would accept a POST request with 'from', 'to', 'subject', and 'body' fields which would send the appropriate email.
This seems like a very bad idea as it's essentially creating a free, anonymous email service that could easily be abused send spam.
A few extra notes about our setup:
We don't verify an accounts email when they sign up
Even if we did verify the account's email, the user would need to be able to specify any email, as they may have signed up with personal email, but want to email someone from their work email.
Our API doesn't currently have any kind of rate limiting
Instead of having a from field in the request, we could instead send the id of the contact they want to email. This doesn't really change anything because if someone wants to abuse the send email endpoint they can also abuse the create contact endpoint.
So exactly how much of a bad idea is this, and how can I convince my team not to do this?
A few thoughts against doing it:
This is the perfect spamming service, which could damage the reputation of your company (reputational risk).
Your email servers would very quickly make it into blacklists (RBLs), making your outgoing emails land in spam folders in very many recipients' mailboxes.
Even if your servers are not yet in RBLs, if you send a forged email like that and proper email security is set up at the recipient end, your emails will still have a good chance to get classified as spam. Have a look at things like SPF and DKIM.
This could even have legal implications. Imagine the scenario when one of your users uses this service for something like blackmail. Would you be able to prove it was not you? Probably yes with the right controls, but would you want the hassle?
Still on the legal side, many countries (the EU, mainly) have data protection regulations which strictly control how personal data like email addresses can be used, especially for commercial advertisement. You probably want to adhere to that, but that would be hard with such a service (note that I'm not a lawyer, in such a case it's probably the abuser of your service that would offend these regulations and not you, I don't know, but it's something to consider).
If anyone can just send emails, it will be fairly easy to perform a denial of service attack against your services.
A few controls you could implement to mitigate some risks:
When adding a sender (from) address, you should validate that by for example sending a (cryptographically random) token and checking if the user can send it back (eg. by clicking a link in the email). If he can, that proves to some extent that he controls the email address and is probably a valid sender.
Limit the possible recipient addresses if you can. The best would be if recipients had to opt in to receive emails. If this is not possible, at least let recipients opt out from further emails. For this, you would have to add something like a footer to emails with "never again" links, and implement a facility to maintain recipients to which you must not send anymore.
Implement rate limiting. Depending on your exact scenario and use case, only allow to send the least number of emails acceptable for your application.
Implement proper logging so that you have an audit log of who exactly sent what email to whom. For this, log metadata like IP addresses as well. For this, you will likely have to authenticate your users.
On an operational level, have monitoring in place, and be prepared to ban offending users, based on a clear ToS shared with your users.
I'm trying to understand a few concepts around sendgrid, whitelabeling and different servers that I plan to deploy the same sendgrid account in.
So my questions are:
1) Is whitelabelling purely for masking the via sendgrid.me and will I have any issues if I dont use it with my current setup(i.e. same account on several domains)
2) How does sendgrid deal with messages that have a "From" email that doesnt match the domain the email is sent from? Cause I read that it would silently drop them but instead I see that emails do get delivered however the statistics in sendgrid's dashboard are not being updated.
3) Upon creating a demo account I was asked to provide the domain from which the emails will be triggered but since I want to deploy this in several different domains will I need multiple accounts or is there an alternative option when you go for a paid plan?
Mike
Yes - whitelabelling will replace the sendgrid.me with your own domain.
You can also setup multiple domains inside SendGrid and assign each to a subuser. That will get you one SendGrid account, with multiple whitelabelled domains and separate sender reputation for each.
SendGrid will attempt delivery of whatever you ask it to send -- if you send an email with a different from domain than the signed sending domain, it's up to the receiving mail server to decide whether to block, flag as spam, or allow the email. Different receiving domains will behave differently.
It's generally best practice to always have your from domain match your signed sender domain.
Once you have one domain setup, you can setup additional domains using SendGrid subusers -- more info here.
If you have a complicated multi-domain setup, you might want to check out a templating API, like sendwithus, for making things easier to manage. They'll integrate directly with your SendGrid subusers on your behalf.
We have custom cms that currently sits on a vendor's subdomain, such as cms.vendor.com. It sends email out as coming from user#vendor.com and it seems to be working fine (using Email Queuing + SwiftMailer)
Our vendor asked us to put in the functionality for his users to be able to select from a dropdown, 3-4 other emails address associated with them from other domains he owns. Basically we need to be able to send out emails from our server labeled as being sent from #hisdomains.com, multiple domains.
I am a web programmer and have no clue when it comes to relaying messages. How would I go about being able to send out emails from his other domains? Does he need to setup permissions on his mail servers, or do I need to get into his SMTP servers to send out?
What are some things I should look out for when it comes to SPAM and gmail trusting us?
EDIT:
Not sure if my original question was clear enough. Vendor owns three domains: mysite.com, myothersite.com, mythirdsite.com. He wants a user from our crm to be able to send emails he has on those domains. So my dedicated server will be trying to send an email out as user#mysite.com, user#myothersite.com, and user#mythirdsite.com in the FROM: header.
As long as your server is allowed to send on behalf of a domain your vendor owns, you should not have a problem; just change the From: header to something else when you send out the e-mail.
Stuff like SPF, Sender ID and DKIM have to be properly configured to allow your server to send on behalf of any domain.
See also: http://en.wikipedia.org/wiki/E-mail_authentication
Any domain where the mx record resolves to the same server will work. so user#any.domain will email the same user on the mx contingent server.
To answer your question - just make sure that the mx records in the DNS zone file for each domain name points to the same server as the domain you want to share emails on.
also dependent on server configuration (like shared or whatever) I'm assuming it's dedicated with a simple email server installed. I'm not sure on cPanel/shared servers. but possibly the same.
I have a PHP web app that is going to send out about 1,000 emails. I would love to test the performance beforehand. Is there any kind of service that provides dummy email addresses to send to, for this kind of testing? I can't find anything that's not just a general bulk-email service. The key here is I just want dummy addresses to send to.
If you have the ability to just purchase a domain name from a hosting service, I know at least 1&1 gives you like 2500 email addresses per domain so you could literally spam yourself to death and not worry about any other 3rd party. You can pick up a domain name for like
When you say "test the performance", do you mean you want to know about your deliverability rates, or how your emails look?
Deliverability Rates
This is entirely dependent on your SMTP server and the reputation of the IP that it will be sending from along with your domain's SPF records and the content of your email. To maximize this, I would recommend using a marketing email service such as MailChimp or MadMimi.
Appearance of Emails
You could always just send yourself a test email to see how it looks. An alternative is to use a service like PostageApp that has a built in template designer that has both an easy email preview function and a test send email function.
(Full Disclosure: I am the Product Manager of PostageApp.)
If you use "Post Hoc" you can send email to an unlimited number of email addresses. Post Hoc acts like an SMTP server, and receives the email messages that you are sending, but it does not forward them on anywhere. You do not need to set up any email inboxes ahead of time, so there is no problem if you have 1000 different unique email addresses. They do not need to be from a single domain -- you can use any email address you want. It stores the email messages received so that you can inspect them if necessary. You would run it locally so that there is no concern about network problems, and it is very low overhead since it does almost no processing of the email. This way, the performance measure will be mostly the sending side processing. Best of all, it is open source and freely available:
Find it on GitHub: GitHub for Post Hoc
Also see the blog post: PostHoc: Testing Apps that Send Email