In regards to #3, I'm an engineer on Postmark https://postmarkapp.com/. While we only do transactional email, we have great deliverability and straightforward pay for what you use pricing. Feel free to hit me up with any questions!
We use PostMark at work. I don't interact with it too much, but it's free for the first 25,000 emails and offers a built-in templates system (which would eliminate the need for a bunch of Rails mailer views in your project).
I got the same notice today, and may move in this direction.
You don't store passwords in plaintext. You store salted and hashed passwords. When the user enters their credentials you salt and hash the input and match against the stored details. You only allow them to submit over HTTPS.
If the user forgets theirs you send them a link via email to reset the password.
Make sure SPF, DKIM and DMARC are set up correctly at a minimum. (Google around for these).
However, Amazon has notoriously poor deliverability with their email service. I would recommend using Postmark. Leaps and bounds better than any other service I’ve used (mailgun, sendgrid, and a couple others)
It's the European Union that voted the General Data Protection Regulation (GDPR) into force. It affects every site that serves customers in Europe, so practically all the popular sites in the world.
https://fr.wikipedia.org/wiki/R%C3%A8glement_g%C3%A9n%C3%A9ral_sur_la_protection_des_donn%C3%A9es
If you want something more concrete to help you understand, I have this in English: https://postmarkapp.com/blog/gdpr-get-ready
SPF, DKIM and DMARC. These are industry standard ways to secure against fraudulent mails and secure your mail infrastructure. Entire books have been written about this. Google "CEO mail fraud" for many, many examples.
If you don't have any intermediary mail servers, like spam filters or encryption providers, you can relatively smoothly start implementing SPF and get the biggest benefit of all. Your clients will look at every mail and see if it's sent from a Microsoft mail server, and if not, it'll mark it as SPF FAIL and send it to junk. Note this only goes for your clients and whoever else chooses to look for SPF.
SPF only protects against unwanted mail servers. That means if any spoofers send from an @outlook or other Microsoft hosted mail, it'll pass SPF. Look at DKIM to protect headers after SPF has passed.
Big fan of postmarkapp.com. They vet all [new] clients to ensure a low spam reputation and thus their sending IPs are trustworthy. We have very little "went to spam" issues and we send about 90K emails a month.
SPF TXT record is supposed to include the email servers that are assigned as your domain's SMTP/MX hosts and used by users to relay email, i.e. mail.foobar.bar. In your case you would need to know what SMTP host you use, i.e. Spectrum's, and add it to SPF.
Also, Google/Microsoft/etc are also quite picky, I would suggest also implementing DMARC.
I use postmarkapp.com for this. Sending emails from azure servers (and I assume aws etc..) hits the spam filter more often than not. There's integration for receiving webhooks when a user responds to the email too.
https://wildbit.com/privacy-policy
https://postmarkapp.com/support/article/1088-dmarc-reporting-tool-faq
> We provide DMARC reports as a free service. As such, there are certain limitations to the service at the moment to help us keep everything running smoothly:
>
> We will only fully process DMARC reports with less than 100,000 records (DMARC report records are XML nodes that contain aggregated information for a specific IP address). Any report exceeding this limit will be truncated to the first 100,000 items.
>
> We will store raw reports for up to 9 months. The maximum size of an unarchived DMARC report that we will store is 3MB. For larger reports we will first extract the metadata and make it available to you, and then the reports will be discarded.
>
> We will store the reports metadata in a form retrievable via the API for up to 9 weeks.
Thankfully, no! If a US company has gotten EU-US Privacy Shield certified, then data can be transferred to their services without additional consent because they have promised that their privacy protection is as strong as if they were in the EU and that they will be subject to fines by the US Federal Trade Commission (FTC) (or in some rare cases, DOT) if they do not.
https://postmarkapp.com/eu-privacy#privacy-shield
https://www.privacyshield.gov/participant_search (search for Wildbit to confirm for Postmark as that's the name of the company that runs Postmark)
Source: Did GDPR compliance for my organization and just read details on Postmarkapp.com to find specifics for them.
There has never been any need to get someone to do DMARC for you. The only "paid" bit is the interpretation of the results. DMARC is just a DNS entry which then sends emails to a destination of your choice. Postmark have a good guide here: https://postmarkapp.com/guides/dmarc
For smaller sites, I just have the results go to Postmark and get their reports weekly by email: https://dmarc.postmarkapp.com/
However if you want to create your own, then the guide outlines the structure and a couple of the report providers have a free tier.
One trick I have done is set up a group on the client () which is the email address put in to dmarc DNS record. Then I have a public folder/shared mailbox as a member. If I am evaluating services, I just create a contact and add them to the group. They will get the same emails that I do with the reports, but I don't have to keep changing the DNS record to accommodate them. Doesn't work for the Postmark service as they check DNS as well, so I do that one first, once it's running, change the DNS entry and add their email address to the group.
Good to know. I'd suggest using https://postmarkapp.com if yours are transactional emails (like application emails). They are probably among the best in terms of deliverability. They have a policy that prohibits using their service for marketing emails and so they have a good reputation among email providers (less spam complaints = better deliverability).
Are you worried about email delivery? Or email being received by your D9 application?
https://postmarkapp.com/transactional-email is what I use for delivery to humans.
I suspect you’ll need a valid inbox for incoming messages (humans responding to emails), but that should just be an account in your existing email infrastructure that the D9 install can read.
Same here. Love their service and huge fan of Wildbit (creators of Postmark)
By the way, they recently added support for broadcast messages as well, in addition to transactional: https://postmarkapp.com/message-streams
I've had good success with Postmark for these types of e-mails. Their API is pretty simple and they have SDKs available for a bunch of different languages. Not to mention, you get 25,000 credits (1 e-mail = 1 credit) when you sign up.
Some of the transactional email SaaS apps out there can process incoming mail and push it to your app. More than likely a lot easier to integrate than some custom email parsing solution. Although not guaranteed to be free, either.
Some of those services:
Congrats on having a huuuge open rate for your newsletter!
However, the open rate isn't as reliable as before. I'm saying this because Apple made changes that can skew the numbers. Read more on: https://postmarkapp.com/blog/how-apples-mail-privacy-changes-affect-email-open-tracking
Going back to the point of growing your newsletter subscriber count.
So to grow your newsletter you can try:
My newsletter has less than 20 subs, but here are some things I'm doing to grow:
You can also consider subscribing to newsletters, listening to podcasts, and following people on social media focused on growing a newsletter. Examples:
These are some ideas that came to mind about the topic
Most every mail server has raised their spam blocking to extreme levels in the last year.
We've had to switch to Postmark for sending out our invoices. It was the best thing we've done to remedy the blocked emails.
Link: https://postmarkapp.com/
There are many like it, just take some time to find the one that best suits your needs.
So yeah, this is the issue. You don't have a good IP and Domain reputation yet. Your domain is not known for sending email.
Please read:
https://postmarkapp.com/guides/how-to-improve-domain-reputation-for-better-email-deliverability
I get it but I want to know how they are sending this on behalf of their customers. Are they just changing the from address to match their customers so for example. From address would be and then the sender . If that's the case, this would be flagged as email spoofing? So I want to know how they are doing in the background, what technique or approach are they using? Here's the link about the post image https://postmarkapp.com/guides/best-practices-for-sending-on-behalf-of-your-users
Personally I use Postmark. They have great helpful support. A free tier if it's a small app. And I trust them when it comes to respecting privacy of me and my users. When I visit their website I get no trackers, and according to https://postmarkapp.com/do-not-track they are actually honoring the do not track my browser sends out which is sadly quite rare.
PHPMailer is as close to the de facto standard for sending emails with PHP, at least the code portion anyway. Then you would need some service to actually send the emails, like Postmark, AWS SES, even Gmail works.
As for the code and personalized nature, you can generate the code before sending the email and replace parts of an email template that you then send.
>Postmark doesn't do bulk mail, so no lists as it doesn't support unsubscribe.
I think they did not support bulk emails before, but now they do. Unfortunately no list management within Postmark, though.
>If you're getting really bad deliverability with Sendgrid you might actually be sending spam. Have you checked your headers?
It even happens when sending a magic link for logging in. What do you mean by headers?
> They are just lies, crafted to deceive.
Emails are verifiable. Modern email metadata contains DKIM Headers to allow for independent verification of an email's genuine nature. Literally nobody has questioned the veracity. Especially since the emails in question here were not leaked at all, but instead provided via a FOIA request Buzzfeed News made.
https://postmarkapp.com/ is exactly what you're looking for to send the emails. Integrates easy with WordPress, or many other options, or their own API. If your client goes to a VPS or something you could set up postmarkapp as a smart host to handle all outbound mail server wide.
I investigated the issue and found the software problem in their system but Binance.US refuses to check or fix it. I will probably have to resort to legal action.
The Binance.US platform uses postmark (https://postmarkapp.com/), an email delivery service, to send withdraw confirmation emails and other emails. This service allows Binance to know if an email was opened, clicked, etc for marketing/tracking purposes.
Postmark will mark an email address inactive and will not send future emails to the email address if the address has had at least 1 delivery error in the past (Commonly referred to as a Bounce). This is a *Well documented* issue with postmark and developers who use it and do not read the manual. See https://postmarkapp.com/guides/transactional-email-bounce-handling-best-practices where it states:
By default, Postmark will stop trying to deliver emails to an address that has had a hard bounce. Delivery can be reactivated via the API or the Postmark web interface, but you’ll likely only want to manually reactivate delivery on behalf of your users.
The Binance platform has no way to re-activate an email address in postmark from within the Binance platform UI and is *not* following the best practices outlined by PostMark.
I verified this by creating an email alias on my same domain name that points to my email address. I then registered a new Binance.US account and I could receive ALL withdrawal confirmations and all emails to the alias account.
I reached out to the CTO of Postmark but he will not help even though this issue is likely affecting thousands of Binance.US users. I even asked him to just contact Binance.US and tell them this is happening. No response.
I'm using Postmark (https://postmarkapp.com/send-email/ruby). They have a decent free tier for development, but gmail is definitely another option.
The github page for their postmark-rails gem is documented pretty well.
I struggled a bit when it came to setting up the model/controller/mailer/views to support emails being sent at form completion. I ended up looking at how Devise sends registration/confirmation emails and mimicked the setup for my contact forms. There are some gems that do this for you, but I was trying to avoid gem bloat.
PostMark is the majority of your answer:
>stored in an excel or google sheets database
This is the glue part, you have a few options of course:
You are supposed to use "ipv4:" or "ipv6:" for an IP address that you want to allow sending on behalf of your domain. The "a:" mechanism checks to see if the IP address that is sending the email has a DNS A record that matches the value after "a:"
You don't use "a:" for IP addresses
This article explains in detail: https://postmarkapp.com/blog/explaining-spf
There are ways in O(M)365 to set up a relay and what not for notification accounts. We found it was just easier to move everything over to https://postmarkapp.com . $10 a month and Done! No issues and decent reporting.
Did the person mean to say setting up your own DKIM versus using the default DKIM of an ESP?
https://postmarkapp.com/blog/dkim-and-the-via-label-in-gmail
If so, then there are times where this could help boost your reputation initially, because you're essentially piggybacking off of their good reputation.
This depends on which ISPs you're sending to however. Gmail for example this will only help for a few days before your own "domain reputation" has enough "weight" that the minor boost of using their DKIM is irrelevant.
It has to do with what spam filters use to grade the credibility of a domain. Every vendor uses a different formula to grade your incoming mail. Trying to find something more specific but it's not like email spam filter vendors post their grading scale open source. I know for a fact it mattered on Barracuda filters when I installed and managed them.
I do agree that the logic is flawed, but I am sure it is embedded into the calculation formula of domain credibility. If you are doing everything else right, you likely wouldn't need the small bump it provides to credibility.
https://postmarkapp.com/guides/how-to-improve-domain-reputation-for-better-email-deliverability
I personally use https://postmarkapp.com/ on all my sites. It's pretty much the same as SendGrid and the process of setting up a site to use it is the same as you described with SendGrid.
However I've automated most of the setup process by writing a custom script that sets up the domain in postmark using their API and then adds the required DNS records through Cloudflare's API.
> You can possibly use the bridge, but it’s not a supported use case.
That's what I am thinking, it seems like a hassle and more work for me to maintain. I had a quick look at Postmark, would you recommend anything for free which offers SMTP and also offers privacy?
Thanks for your inputs :)
DKIM is in place, and we don't have a complicated setup at all. Just really would like to get a complete (or close to) understanding of what is in these reports :)
Will try the postmarkapp.com on my test tenant at first.
So your argument is a hypothetical "Wanna bet the Russian government has the ability to modify DKIM headers?" DKIM headers are complex cryptographic keys, and your argument is fucking dumb. Read about DKIM headers here if you want: https://postmarkapp.com/blog/explaining-dkim
Here is another source for Douma, shouldn't have to provide you with one for the reasons mentioned previously however, here u go. Check out the leaked document (leaked by a team of engineers from the OPCW not WikiLeaks) in it: https://www.democracynow.org/2019/5/23/leaked_opcw_report_raises_new_question
Popular option is Mailgun. Very generous free tier. They are more "bare metal" as far as email services go. I've had too many emails go missing with Mailgun.
My favorite is Postmark. If you're looking for a dead-simple high performant transactional email service Postmark is the best there is. It has a really nice interface, API, and docs. Postmark is strictly for transactional emails (no bulk marketing), whereas MailGun has marketing emails similar to SendGrid. Their free tier sucks, it's limited to 100 emails/month but it is enough for development.
Postmark is priced at a premium and is about double the cost of mailgun in the 1k-100k emails/month range but is only about 10% more expensive in the 100k-1m emails/month range, and they are cheaper than Mailgun once you're over 1m emails/month.
Don't confuse the visible FROM header with the ones that mostly get acted on by spam filtering like Return-Path. (https://postmarkapp.com/guides/spf)
When it comes to SPF for example Return-Path is the most important, you can slap a dead end top level on your From but specify a subdomain as your reply-to and return path.
As far as administration goes I prefer to chop up my ever increasing number of SaaS services into sub domains with their own SPF DKIM and DMARC to separate my transactional email from corporate email (the only one I want sending truly from the root).
As for how it looks to the end user likely matters more if you format the display and if your sub-domain is dumb and long.
Getting a "Shipment Notice" <> is probably fine.
Just doing will probably look odd to the user.
To be honest, having spent over 20 years managing domains for companies that send transactional order emails, marketing email and corporate email, the USER complaining is going to be the minority (it does happen). It is Google changing the security status icon because you didn't deliver via TLS correctly or a spam filter getting mad your SPF/DKIM/DMARC are missing or wrong. Or the Content of the message looks like spam (hard to control).
Having a CLEAN not Blacklisted IP is also VERY VERY important. Simply using subdomains isn't going to help if you use the same source IP for delivery. That is one of the reasons we separate out our marketing email source systems to 3rd parties.
No, Mailgun and Postmark are managed email services, similar to SES. You send a request to their API (or use their library) and they send an email for you.
Now that I read over your post again, are you trying to set up mailboxes? Like, do you want to connect to the EC2 instance to check your email? There's an AWS service for that called WorkMail, I don't know anything about rolling your own though. I thought you were talking about sending password reset emails or something.
For SPF, their servers are always 0% for us, but I never thought anything of it, since their site says "DMARC only requires either SPF or DKIM to be aligned."
I think I misread the rest of it back then though, since I thought the ability to add a custom Return-Path--what will give you SPF alignment--wasn't available to us. I think it is though, so I'll try adding that record.
https://postmarkapp.com/support/article/1088-dmarc-reporting-tool-faq
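The alignment rule discussed in the comment above (and the Return-Path versus From distinction raised earlier) can be checked from a received message's headers. This is an added example, not code from any commenter or from Postmark; all domain names are constructed, and `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Assumption/simplification: last two labels. Real DMARC evaluators
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def is_aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_check(raw_message, aspf="r", adkim="r"):
    """Evaluate DMARC alignment from the receiver's Authentication-Results."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))

    # SPF authenticates the envelope sender (Return-Path), not the visible From.
    spf_aligned = False
    m = re.search(r"\bspf=pass\b[^;]*?\bsmtp\.mailfrom=([^\s;]+)", results)
    if m:
        spf_aligned = is_aligned(m.group(1).rpartition("@")[2], from_domain, aspf)

    # DKIM authenticates the signing domain in the d= tag.
    dkim_domains = re.findall(r"\bdkim=pass\b[^;]*?\bheader\.d=([^\s;]+)", results)
    dkim_aligned = any(is_aligned(d, from_domain, adkim) for d in dkim_domains)

    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC passes if either mechanism both passes and aligns.
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


def build(from_hdr, mailfrom, dkim_d):
    # Constructed sample message; header values are illustrative only.
    return (
        f"Return-Path: <{mailfrom}>\n"
        "Authentication-Results: mx.receiver.example; "
        f"spf=pass smtp.mailfrom={mailfrom}; dkim=pass header.d={dkim_d}\n"
        f"From: {from_hdr}\n"
        "Subject: Shipment Notice\n\nbody\n"
    )


# ESP default Return-Path: SPF passes for the ESP's domain but does not align.
ESP_DEFAULT = build('"Shop" <billing@example.com>',
                    "bounces@esp-mail.example.net", "example.com")
# Custom Return-Path on a subdomain of the From domain: SPF now aligns (relaxed).
CUSTOM_RETURN_PATH = build('"Shop" <billing@example.com>',
                           "bounces@pm-bounces.example.com", "example.com")
# SPF and DKIM both pass, but for a domain unrelated to the visible From.
UNALIGNED = build('"Shop" <billing@example.com>',
                  "mailer@other-sender.example.org", "other-sender.example.org")

if __name__ == "__main__":
    for name in ("ESP_DEFAULT", "CUSTOM_RETURN_PATH", "UNALIGNED"):
        print(name, dmarc_check(globals()[name]))
```

The third sample shows why an SPF pass alone says nothing about the visible From address: both checks pass, yet neither aligns, so DMARC fails.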
You should check out https://postmarkapp.com - I use them as a mail destination, and any mails arriving at that mailbox POST the mail contents to a Python web hook I set up - the mail contents comes as JSON, so parsing is pretty easy.
Yes. You can't send any marketing emails or promotions, anything related to account like "review your purchase" shouldn't be a problem.
You can read more here.
Like others said, search for services that offer transactional email. We have used sendgrid and some other one that are used for marketing emails also and some mails go to spam because of this.
You can add this to your list: https://postmarkapp.com/
We’ve begun migrating to Postmark from Sendgrid and featurewise they are on par.
https://postmarkapp.com/guides/spf
"SPF is an open standard so that the owner of a domain can provide a public list of approved senders"
So if you implement SPF on your domain it validates what servers are allowed to send as you. It does not have any impact on the emails coming to your users.
The link only flags inbound messages. You're right, anything sent by the marketing department to your internal users via a third party could be flagged.
https://postmarkapp.com/eu-privacy#gdpr hth
I'm not a lawyer, but afaik your data privacy policy should inform your customers that you use that service.
/u/gdffff : the GDPR does not require a service to be located in the EU (although the privacy shield framework is not really adequate imho).
Mailgun have some very high profile customers. I doubt they would have such customers if deliverability was that poor yet much cheaper (although I believe they are raising prices anytime now). Although only speculating here. We've sent millions of emails per day via mailgun with practically no problems with deliverability that we are aware of. But I'm sure postmarkapp have the extra features / value somewhere and I've not used them to know myself. EDIT: Although this page is pretty cool to be honest https://postmarkapp.com/why/delivery
I've used Postmark before to send these type of e-mails. Once you verify your domain you can set the 'From' address to whatever you want.
I usually use 'noreply@', and since it's not an actual account it won't use up accounts in G Suite.
The other option is to set up an alias under his account. You can have different e-mail addresses all go to/come from the same account. Downside to that is you have their password hard coded in your app and need to update that if the password is changed. (Security issue and inconvenience)
I've used SendGrid, Mandrill and Postmark. Postmark was by far the best service overall. Great interface, super fast, very high deliverability. https://postmarkapp.com/
If your company is bootstrapped, you can get additional credits for free (see footer on https://postmarkapp.com/pricing).
Maybe https://postmarkapp.com/
I have not used it (though I am planning to), but I use the deployment app from the same company and had a great experience, so I don't doubt this is a good quality service as well.
GMail is for personal emails.
Use something like Postmark or your own SMTP server.
Most email sites are going to block scripts from sending emails as best as they can to avoid allowing spam bots to send stuff through their servers.
Postmark has a very simple inbound email parsing API and it's really cheap ($1.50 per 1,000 emails) ... plus you get 10,000 free credits for signing up.
https://postmarkapp.com/inbound
The only downside I've run into with Postmark is that they don't keep your emails on file for more than 45 days, so you may need to set up a local log of inbound and outbound emails.