How to improve the reliability and security of email notifications

The reliability of email notifications originating from websites, for example for order notifications, customer enquires, and password resets is an ongoing pain for many website owners. Poor reliability of email notifications can result in lost revenue, damaged reputation and highly frustrated users, so it’s very important to find a solution.

The reason that such notifications are often blocked is quite genuine, with email services like Microsoft Exchange, G-Suite and Office 365, and the free mail platforms including Yahoo, Hotmail and Gmail constantly striving to reduce spam. Spam can be a huge frustration, accounting for around 45%^[1] of email traffic in 2018. It’s big business, spammers can earn thousands each day^[2].

Fighting spam is an on-going battle, but it can be difficult for email providers to determine which emails are genuine from the malicious ones. Often emails sent from your website are mistakenly flagged as spam because they haven’t originated from the actual mail server providing the domains email service, instead, they’re sent from a web server.

Emails sent from your website are known as ‘transactional email’. They’re usually triggered when something happens, and are tailored to the recipient — not to be confused with newsletters. Essentially the issue boils down to trustworthiness — proving you really are who you say you are.

There are a number of techniques that we use to improve the deliverability and reliability of transactional emails sent from our client’s websites.

HTTPS

All websites should use an SSL certificate to encrypt data between a users browser and the web server, this has been standard practice since Google algorithm changes in 2017. Another benefit, however, is to protect your user’s data when submitting forms and during delivery of transactional emails.

Spam prevention

Most importantly we embrace a number of different methods to reduce spam via contact forms on your site, we understand how frustrating it can be to have legitimate messages hidden amongst often unsavoury spam messages, or spammy leads injected into your Salesforce or CRM database.

Captcha provides a visual anti-spam device but is known to impact usability and isn’t completely reliable.

Honeypot doesn’t impact the user experience and quite successfully blocks the automated spam bots, which constantly roam the web looking for any type form to submit their junk to.

Local storage

The first technique we use to ensure we don’t lose any data is to save and store any transactional data, so in the event that a form submission fails, the data is safely stored. As part of our maintenance routine, we cross-reference local storage with the received transactional emails or data sync’ed with a CRM to ensure service reliability.

Tracking & reporting

We make the most of tools including Google Analytics to track goals, for example, completed orders and form submissions, which provides another form of measurement to make sure that everything is working as it should and tallies up.

SPF and DKIM

SPF has been around since 2000 but was relatively unnoticed until 2013, and DKIM was introduced much later, around 2015. Both systems were introduced to help reduce spam and fundamentally work in the same way, to provide a set of rules which a mail server can use to determine the validity of an email it receives. Servers which are permitted to send email on behalf of a domain are added into SPF and DKIM DNS records, which are queried by the receiving server.

If you complete an online query on your domain you’ll be able to view your SPF record, see our own as an example below:

v=spf1 ip4:31.3.233.105 ip4:31.3.233.119 include:spf.protection.outlook.com -all

This simply says that any email should have originated from either of those two IP address or any of the rules contained in spf.protection.outlook.com (since we use Office 365) and if it doesn’t then hard-fail (-all) or rejects the message.

Transactional email delivery services

We often use a transactional email service, such as Mailgun or Postmark which go further in developing reputation by adding various layers of trustworthiness and carefully manages the reputation of the IP address from which transactional emails are delivered.

Emails passing through these services are also get logged, allowing us to trace and report on errors and provides another form of backup. These services offer protection from the actions of others, for example, in the unlikely event somebody abuses the IP address assigned to your account, it can easily be changed out for another IP without affecting any other aspect of your website.

Mailgun

Currently our preferred solution, Mailgun is owned by Rackspace and is a powerful API and cloud service with advanced security and validation features.

• 5-day logging
• 10k email per month free, 100k emails cost $79/month

Postmark

Fast email delivery service with advanced stats and detailed reporting including API service for developer integrations.

• 45 days history
• 10k emails cost $10/month

Other transactional email services include:

• Amazon SES
• Mandrill by MailChimp
• Sendgrid
• Elastic Email
• Mailjet

Read this article for a quick summary of 10 transactional email service alternatives – https://mailbakery.com/blog/transactional-email-service-providers/

Setup and configuration

Granite 5 can help you to plan, setup and configure the different techniques to improve the reliability of your transactional emails. Get in touch with the team on 01223 208008 or email [email protected]

In summary

• We take several steps to ensure the reliability of emails delivered from your web server.
• We use Mailgun to deliver the messages which allow us to trace the message from the point it’s sent to the point it’s received and opened.
• We take full responsibility and accountability for the performance of your website.

References

[1] https://www.propellercrm.com/blog/email-spam-statistics
[2] https://www.wired.com/2011/02/st-equation-spamprofits/