Using SendGrid to send password reset links - sendgrid

I am using SendGrid as the email provider in my application. When I place a link in the email it gets re-encoded to a link on the SendGrid servers. Can I trust this link with my password resets? I know that I am already trusting SendGrid with my links by sending through their servers, but what is the purpose of rewriting the URLs? To use the link you need to also know the email address and it is only valid for 20 minutes.
The link in my email looks like
http://myserver/resetpassword/oLsjShCLh7tFpyl8cEzbghHpS59iazhD
and it gets encoded in the email as
https://u5478763.ct.sendgrid.net/wf/click?upn=hvVg2ntCa8InWO5OtVSRJPdvIiofcS3RGII270TrJ9aOSJX2MZ9RkcgQLgnRLLNMjjo5mMQVejYxIGVPoz-2BfxtM55lXWiXwtNWvE42LzFPE-3D_Q0Y0L54uOhrrHtFzGFlMm55yZkDAUn39DjKFOTu4BtReZW14K4ruKT7IkXyh4pWHctN-2FYlmmFj2J7a6-2BHy0UN0PZDTzqKnADTi10YJeXfirMSGqGLkjKxZZY1iGRjCkgddBCiyIBiLfBs3VS4GmrB5SPa7uCb9KYcZdqm5AvebY6pyGitqdcpmDSVV6zHjR1oK3NZQboFfjng-2Fqv6PQHekU7irw1BWOtP5ja3RxfUKE-3D

This is because you have Click Tracking enabled in your account. Log into your SendGrid dashboard, and from the navbar on the left side click on Settings -> Tracking and disable Click Tracking.
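An added example, not code from the question or the answer: a reset token with the 20-minute lifetime and email binding the question describes, and a SendGrid v3 Mail Send body that turns click tracking off for the reset message only, so the link is delivered unrewritten even if tracking stays enabled account-wide. The function names, the hashed-token record and the example.com addresses are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const TOKEN_TTL_MS = 20 * 60 * 1000; // 20-minute validity, as in the question

// Issue a token: the raw value goes into the emailed link,
// only its SHA-256 hash is kept server-side (hypothetical record shape).
function issueResetToken(email, now = Date.now()) {
  const token = crypto.randomBytes(24).toString('base64url'); // 32 URL-safe chars
  const record = {
    email: email.toLowerCase(),
    tokenHash: crypto.createHash('sha256').update(token).digest('hex'),
    expiresAt: now + TOKEN_TTL_MS,
  };
  return { token, record };
}

// Accept a token only if it is unexpired, was issued for this email,
// and matches the stored hash (compared in constant time).
function verifyResetToken(record, email, token, now = Date.now()) {
  if (!record || now > record.expiresAt) return false;
  if (record.email !== String(email).toLowerCase()) return false;
  const presented = crypto.createHash('sha256').update(String(token)).digest();
  const stored = Buffer.from(record.tokenHash, 'hex');
  return crypto.timingSafeEqual(presented, stored);
}

// Build the JSON body for POST /v3/mail/send with click tracking disabled
// for this one message via tracking_settings.
function buildResetMail(to, from, resetUrl) {
  return {
    personalizations: [{ to: [{ email: to }] }],
    from: { email: from },
    subject: 'Reset your password',
    content: [{ type: 'text/plain', value: `Reset link (valid 20 minutes): ${resetUrl}` }],
    tracking_settings: { click_tracking: { enable: false, enable_text: false } },
  };
}

// Constructed sample run with placeholder addresses and host.
const sample = issueResetToken('user@example.com');
const sampleMail = buildResetMail('user@example.com', 'no-reply@example.com',
  `https://myserver.example/resetpassword/${sample.token}`);
console.log(JSON.stringify(sampleMail.tracking_settings));
```

The record would be deleted after the first successful verification so the link cannot be replayed within its 20 minutes.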

Related

Flutter - No Long Receiving Firebase Emails [duplicate]

I am new to firebase and I am trying to handle firebase user authentication in React.js. I did manage to create users with email and passwords. But, now I would like to send the user an Email link to reset their password.
My code currently looks like this.
// These lines of code belong at the top
import { sendPasswordResetEmail } from 'firebase/auth'
import { auth } from '../firebaseConfig'
// This part goes under the React component
<p onClick={async () => {
  try {
    await sendPasswordResetEmail(auth, /* My Email Id */)
    alert('Password reset link has been sent to your email')
  }
  catch (err) {
    alert(err)
  }
}}
>Forgot your Password ?</p>
However, I do not get any error messages and I do get the alert message that says "Password reset link has been sent to your email." Unfortunately, I didn't receive any email. Note that I have given my own email id as the parameter for testing purposes.
firebaser here
Did you check your spam folder? We have recently seen a lot of the emails from Firebase Authentication ending up in the user's spam folder or being marked as spam in a system along the way. This is being tracked in this status message on the Firebase dashboard and in public issue #253291461.
To reduce the chances of the messages getting marked as spam, consider taking more control of the email delivery yourself.
As a first step, consider using a custom domain with your project. Email that comes from a custom domain has less chance of being marked as spam.
As a second step, consider setting up your own SMTP server for delivering the email, so that the emails are not being delivered from Firebase's shared infrastructure anymore.
While these steps are more involved, they typically will drastically reduce the cases where the messages from Firebase Authentication are marked as spam.
Full Guide Based on Frank's Answer
Firstly create a new email account you can use to relay the Firebase emails through the SMTP server with. I personally chose Gmail, but I tested with Outlook and it also works.
You can now find an SMTP server host that will work for your scenario. If you're sending less than 1000 emails per month you can find free and reliable hosts. I chose SMTP2GO's free option.
Now you've found the SMTP host, add the email address you've chosen as a single sender email (note that if you do own a domain, you can alternatively use that to send emails).
Note that you will have to verify the email, usually by your host sending a link to the email's inbox. Make sure to check spam.
Once verified, navigate to where your host allows you to add SMTP Users and add a new user. This will allocate an SMTP username and password.
Navigate to the Firebase console, and choose the Authentication option from the sidebar (within the Build product category).
Go to Templates → SMTP Settings and enter the details of your SMTP server. The username and password fields are to be filled with the SMTP user login you created in the step above.
It is better to use TLS; I believe SSL should work too, but it is untested.
Click save, and you're all set up - but there may still be steps to perform depending on your email provider.
Provider Specific Steps
If the emails are being sent to an account managed by Google you will have no issues with your emails being quarantined by anti-spam policies and it will work immediately.
If you are using Outlook, you will have a different problem on your hands. Outlook's built in defender will most likely have auto-quarantined your email under multiple policies - that bit is important.
These policies are likely to be both spam and phish policies. If you unblock one of them, the other will catch it and re-quarantine.
Unblock both policies for the email address, and test. You can see the status of quarantined messages in Microsoft 365 Defender app under Review → Quarantine. Please note that you will need to be an administrator to add global allow policies to your email accounts.
If this still doesn't work it is likely that your company has an additional external filter (as mine did), and you will have to add the IPs manually to the Tenant Allow/Block Lists spoofed senders tab.

How to include my avatar in the emails that I send? [duplicate]

Websites will often send notification emails from addresses like hello@example.com or no-reply@example.com. When these show up in Gmail / Inbox, they often have a name and an avatar associated, like this one from Zeplin:
I know if you're using Google Apps, as an administrator you could create a user called no-reply and set their avatar. But this also uses up one user slot which costs $5 / month. And I'm not sure if this technique works outside of Gmail or Inbox.
Are there other ways to set the avatar for automated email addresses?
Have a look at Gravatar.
What Is Gravatar?
An "avatar" is an image that represents you online—a little picture
that appears next to your name when you interact with websites.
A Gravatar is a Globally Recognized Avatar. You upload it and create
your profile just once, and then when you participate in any
Gravatar-enabled site, your Gravatar image will automatically follow
you there.
More info here:
https://en.gravatar.com/
This is the result for the email above.
A catch-all email address allows you to receive the Gravatar activation emails for nonexistent email addresses.
Details for Google Apps:
Google Admin console
From the dashboard, click Apps, then click G Suite
Gmail
User settings.
Catch-all address section
TL;DR Get a verified Google+ Brand Page and enable DKIM authentication for any external service you send email through (ala Mailchimp).
These steps are not documented and Google themselves did not help. But, after implementing them, my business avatar started to appear for emails sent via Mailchimp or Mandrill or some such with a return email address of my domain.
1) Create a Google+ Brand Account page (https://support.google.com/plus/answer/1710600). You may already have one set up as part of general SEO, but you need one for the avatar to work. Make sure too, at the end of the process (which, again, is poorly documented), that on your Google+ brand page you see the little verified badge next to your business name.
2) Set the avatar you want on your brand page.
3) From whatever external service you send email from, set up DKIM authentication for your domain. Google Inbox won't display an avatar if it detects the email as being sent 'on behalf' of your domain; the DKIM authentication will make Inbox believe your domain actually sent it, and then apply the avatar. (These instructions vary wildly depending on your email provider, but here are the ones for Mailchimp).
Go to https://myaccount.google.com/email
Click on "Advanced Settings" then on "Alternate Email".
Verify emails.

Magnolia cms Gmail configuration?

I want to be able to send emails from Magnolia CMS using a Gmail account. What are the steps to follow?
I am having authentication issue when trying to verify the setup by sending a test email.
Here are the steps for dummies:
Back in Magnolia, go to your user profile and provide an email. That’s where the test email will be sent to (see step 7) /admincentral#app:security:systemUsers;/:treeview:
Back in your Gmail account: settings: allow IMAP
Back in Magnolia, go to the mail app: /admincentral#app:mail:main;
Add your SMTP settings (auth via SSL worked for me) as described here
Always in Magnolia, try to send a test email: /admincentral#app:mail:verify;
Back in your Gmail account: receive that warning email from Google (see screenshot) & follow the link in that email to allow "less safe apps"
Back in Magnolia, try to send a test email again /admincentral#app:mail:verify;
Voila :)
Note: the /admincentral* entries are the URL paths to jump directly to the relevant section of admin central; this is only informative and hopefully will help you save time.
Resources
Magnolia CMS mail module: documentation.magnolia-cms.com/display/DOCS/Mail
support.google.com/mail/answer/7126229?visit_id=1-636117997050481062-4194544010&rd=2
support.google.com/a/answer/176600?hl=en

Want to set up a system of sending email to users on my magento store who have forgot a password

I have set up a magento store of my own for my business of grocery products.
I have almost configured each and everything.
I have a mail server and can have as many email addresses as I require.
I have a theme set up for the store.
When a user tries to log in and has forgotten a password, there is a link to click saying "Forgot Password".
On clicking it, it displays "An email has been sent to your account with new password details."
I know this will not send an email as I have to configure entire system.
I do not want to send a new password by email. Instead I want to send a link. On clicking this link, the user can go to it and have an option of password reset.
Please help me with this. It will be much much appreciated.
Magento's standard "Forgot Password" functionality works exactly as you've described - it sends a link to the user to reset his or her password - it doesn't just send a new password.
Magento uses Zend_Mail to send emails. By default, Zend_Mail will use PHP's mail() function (via Zend_Mail_Transport_Sendmail), which will usually send emails via sendmail or similar, depending on the PHP configuration.
If you have your own mail server that you'd prefer to use, you can configure Magento to use SMTP. This does require some code, but, luckily, there are some good extensions out there that already do this, like aschroder/Magento-SMTP-Pro-Email-Extension.