I'm sending mail to a third party-service from Gmail using Google Apps Script. This third party requires the sender email address be registered with them. If the sender is not registered, an error/marketing message is sent back to the original sender.
When the message is sent from Gmail manually, it is processed as expected by the third party. When the message is sent by a script, the message is not processed by the third party and no error response is sent as described above. After adding a different gmail address as a BCC on one such message, I found the script generated message shows "mailed-by: bounce.secureserver.net" and "signed-by: gmail.com"
I'm worried GAS is impersonating the sender in such a way that the third party does not recognize the sender as a registered address. Or, the third party may be dropping the messages as spam. (http://productforums.google.com/d/topic/apps-script/tGxlioK1ejg/discussion)
Community feedback on this problem is most appreciated.
According to Google's documentation, the sendEmail() method sends an email as the user running the script. That being said, additional parameters are automatically added to the email's header, and these might trigger some filtering rules on the recipient side. There is not much you can do about that, beside using a third-party email service like SendGrid which might do a better job at ensuring that your email will go through.
Related
Currently we are using AWS SES to send an authentication email to the user. (This email is not related to the usual login/register authentication, it's our own)
The email address is entered by the user and we are sending one and only one email per email address.
This leads to many bounced emails and AWS suspended our service (around 9000 sent emails and 15% bounce rate).
My question:
How to deal with this problem? Users will mistype their email all the time. There is no way to verify if an email is valid without sending an actual email, right? That means that all SMTP providers will suspend our ability to send emails sooner or later.
Using nodejs to send the email but that is not really relevant I think.
Check the bounces by adding a sns topic and subscribe to it to get more information when bounces emails. (It's not always because of faulty email)
Ask users to enter their email address twice
There are some services out there that you can pass email addresses to that will give you a classification as to how likely the address is to be a “good” address
Here is a document from AWS which describes your problem:
https://aws.amazon.com/blogs/messaging-and-targeting/what-do-i-do-if-my-registration-emails-themselves-have-high-bounce-rates/
I'm bulding website where I want to allow future customers to send me an email. I'm using Node.js to handle sending and thought SendGrid would be good solution. There's actually problem, because SendGrid requires me to define sender and that's impossible because I'd like to customer fill form with his email, etc so I would get this data on my inbox. Is it even possible with SendGrid or maybe there's other tool that would fit me better?
Thanks in advance
what I have implemented in the past was a solution where the application sends an email to it self, and the email address of the user was added to the email header reply-to, this way whenever somebody with the access to the email client would press the Reply button, the user's mail would be the destination.
Example:
admin#yoursystem.com ---> Sends an email to ---> admin#yoursystem.com (with the user's message and his email address in the mail header reply-to).
I don't have any technical problems, but I have a question that I would like to be answered out of curiosity.
Here is my current understanding of how email works:
One of the privileges of having your own domain is that you can hook it up to IMAP/POP3/SMTP servers and use them to send and receive messages to and from "anyone#yourdomain.com". With spam being such a problem, however, the SMTP server that you use to send messages must add a bunch of headers (DKIM, SPF, etc) to each message that you send in order to prove that the SMTP server has the authority to send emails from that domain. The receiving SMTP server can cross-check those headers with DNS records that it finds to verify the legitimacy of the email message.
So if you want to send emails with your domain cheaply, you can use Gmail's "Send Mail As" feature. I followed this help article to get mine working: https://support.google.com/domains/answer/9437157
Note: I unchecked the "Treat as an alias" option during the setup.
But wait... no additional DNS configuration required? I have my domain registered with Cloudflare, and there are no entries related to Google in there.
There is this step in the setup process:
But it seems that this only for Google to prevent you from using their servers to send spam. What is stopping Google from impersonating any email address they want? Why do receiving SMTP servers trust an email from "anyone#yourdomain.com" if Google's SMTP servers have no way of adding legitimate SPF/DKIM headers?
The short answer is that nothing prevents Google from doing this, and that DMARC was created for exactly this case.
There is nothing that stops Google from impersonating any domain. However, there are things receivers can (and should) do when they receive an email which isn't send from the server indicated in the From: field.
Try sending an email from the alias you just added to a different #gmail.com inbox. You will see that it says via gmail.com behind the sender email address. But other email receivers might do more: flag this message with red exclamation marks and scam warnings, throw it into spam or even deny receiving it completely. Gmail probably has some hardcoded trust, but try doing this from your own SMTP server and the above will very likely happen.
As you say in your question, you can authorize your emails by marking gmail.com as an authorized sender with SPF (which protects against forging from other domains, but doesn't stop Google), or even sign your emails with DKIM (not possible from Gmail UI, but you can do this in some email clients or send email with a custom Python script like me; Google can't do this without knowing the key).
However, that only solves one side of the problem – authorizing legitimate email messages. But what if an SMTP server still receives an unverified email? What if they have previously received an email from the same sender which was DKIM signed? What if DKIM passes, but SPF fails?
Because the behavior in that case is largely unspecified, and also the sender wants to check if their DKIM/SPF authorizations are actually working, and if anyone is attempting to spoof them, another standard was created: DMARC. It introduces another DNS TXT record where you can say what checks are required to pass, what to do if they fail, and also what basic analytics should the receivers report to the owner of the domain.
Of all webmail client providers, Google's Send mail as is actually the most well-implemented for a variety of reasons.
First of all, how it works is not different from when you set up POP3 or IMAP using a mail client like Outlook or Thunderbird. You have to specify the domain and port where you receive emails from, and the domain and port where you send emails from. For example, Google's incoming and outgoing servers for IMAP are as follows:
imap.gmail.com:993
smtp.gmail.com:465
The Send mail as feature is a partial implementation of that. It only implements the outgoing part.
How mail clients like Outlook and Thunderbird send emails, is basically that it sends the email to the outgoing mail server, and the outgoing mail server then sends the email. Usually, outgoing mail servers will require some sort of authentication, and will allow authenticated users to only send from specific email addresses.
Gmail works the same way. The outgoing mail server is the one that has to pass the SPF and DKIM tests, not Google's servers.
No other webmail clients do this. Hotmail used to do this, but they recently removed the feature. Now, the option is very difficult to find, and they just rewrite your FROM address and sends your email from Hotmail's SMTP server, which creates delivery problems.
They don't provide you with the option to send emails from another SMTP server, because this allows people to very easily set up virtual mail servers that can send emails under a domain of your choice, but use say a typical free Hotmail account to store incoming mails. This takes away business from their paid services, because both Hotmail and Gmail sell the option to host your company emails. I'm sure Google also knows about this, but it is really awesome of them to still keep the option available to free Gmail users.
If you want to learn more about virtual email servers, you can check out this article here: https://blog.terresquall.com/2022/01/setting-up-a-virtual-postfix-mail-server-part-1/
I have a web service that creates Docusign envelopes with a PDF that needs to be signed. On my test environment, after the envelope gets created I query for the envelope status, as well as the recipient status. When using the API call, the respondents with bad email addresses have the status "autoresponded".
Now on my Docusign Connect implementation, I have two separate routes that get hit. One for when the email gets successfully sent or if the request is completed, and another one specifically for email delivery failures. When I had a single route, none of the recipients were marked as "autoresponded" like the API call returned (the API call result ends up being returned before the Connect implementation gets hit by Docusign).
After splitting them apart, I expected the email delivery failure-specific route to have the correct signature status. Unfortunately when this route gets hit, all recipients have the status of "Sent", regardless if their email is valid or not.
I'd contacted Docusign a while ago and their response was the number of events a single Connect implementation was listening for. By that assumption, this delivery failure-specific route should be getting a status of "autoresponded" like our API call is receiving, which doesn't seem to be happening. How can I get the Connect implementation to return the correct recipient statuses?
Every time I've opened a support ticket on their website, the corresponding account can no longer log in, meaning it's always a one-way communication to their support team. Has anyone gotten around this issue before?
My thought is that if the email failure route gets hit, flag that account as having a bad email address for one of the recipients and force the user to log into their accounts to see the actual status. Another option would be to query the API for that envelope's status, however I feel like a lot of delivery failures could easily trigger the max number of API calls.
Posting an answer, the original poster figured it out in the comment, but here is the answer for everyone else per Ricky Story:
"Return Recipient Auto Responded Status in Connect/API" that DocuSign Support should be able to enable.
To do that you would need to contact the DocuSign Customer Support and request them to enable this option.
I believe there's an issue when sending out documents using REST API and 3rd party
accounts as senders where we try to get our account a cc back and it
doesn't appear in the management system while we get an email. This way the
envelope is not accessible when using our account and basically the only
option is to use the client account again to get the envelope status or
data. This does not reproduce when sending from that 3rd party account
using the DocuSign website. This way we get a correct CC that appears in
the 'completed' folder. It also works fine when sending form out DocuSign
account and setting the 3rd party account as a CC. This way this envelopes
successfully gets to their system. The difference that can be seen from the
API is that when a correct CC to our account is set, the userId is the same
as we can get from login_information request while in the case when we do
not get it into our system, the userId parameter is different but permanent across multiple envelopes sent while testing this way.
These test tell that it's not the case that CC person should be in the same
account with sender to get the envelope in his system. I've tested with 2
independent accounts and they still get CC and envelope access. I believe
that is a glitch or some kind of limitation and would appreciate any kind
of feedback on this.
(Also, is it allowed to send envelopes as other users under our integration if we
have their logins and passwords?)
I believe the system is behaving properly here. In the DocuSign platform, the account that sends a signature request is the one that has complete access to it. If you send a signature request from a given account and you include a CC recipient from a different account, then only the sending account will be able to see the CC in through the management system (i.e. the DocuSign Console).
The CC recipient from the other account will only receive the notification email and since they were not the sender they will not see it in their folders.