How does Shootmail handle security?

Published : 2024-07-24
subhendu singh

We tackle the challenge of email security at three levels:

  • Email Security: We follow best practices (domain authentication with SPF, DKIM and DMARC) so that the emails you send land in the recipients’ inbox rather than in the spam folder.
  • Noisy Neighbours: If a bad actor sends spam and collects complaints or spam reports, we make sure their reputation doesn’t affect the reputation of the other senders who send email through Shootmail.
  • Self reputation: Even when emails, mainly marketing communications, are sent with good intent, some recipients may not be interested in them and may file a complaint or spam report. Shootmail lets you separate your marketing and transactional email so that the reputation of one set of emails doesn’t affect the other.

Let’s see in detail how each of these works in practice.

Ensuring safe landing

Emails are a critical part of running a business. For every important event that occurs within your application as a result of a customer action, you need to send a confirmation email to the customer: for example, when a customer purchases a product or subscribes to a service, on a new signup, on a password reset request, and many more. Emails sent in response to a customer action are called transactional emails.

You also send emails to acquire new customers or to engage existing ones: announcing new offers or product features, or more personalised emails such as suggesting products based on a customer’s purchase history. These are called marketing emails.

With transactional emails, the most important thing is speed. When a customer clicks the signup button, they expect to receive the confirmation link immediately, and when a customer requests a password reset, they expect a quick response. Just as important, the email should land in the inbox rather than in the spam folder.

With marketing emails, where the user is not already expecting your message, the chances of them taking the time to open and read it are lower. To improve those chances, you have to make sure the email lands in the inbox and looks good. Shootmail has you covered on both counts. Let’s see how.

Domain Verification

Before a user can send any email from Shootmail, they first have to register their domain and verify ownership of it by adding the records Shootmail provides. These records, mainly TXT and CNAME records, are configured at your DNS provider (usually, but not necessarily, the registrar you bought the domain from). They set up SPF, DKIM and DMARC for the domain; together, these three mechanisms let receiving servers authenticate mail that claims to come from you.

  • SPF: Sender Policy Framework is designed to help prevent spoofing. A DNS TXT record on your domain lists which mail servers are allowed to send mail on behalf of that domain, and receiving servers check the connecting server’s IP address against that list. Note that the domain SPF checks is the envelope sender (MAIL FROM / Return-Path), not the From header the recipient sees.
  • DKIM: DomainKeys Identified Mail adds a digital signature to the headers of your outbound messages. The public key is published in a DNS TXT record under the selector named in the signature (selector._domainkey.yourdomain), and receiving systems use it to verify that the message was signed by a key owned by the domain and that the signed headers and body were not altered in transit.
  • DMARC: Domain-based Message Authentication, Reporting and Conformance requires that the domain in the visible From header is aligned with the domain that passed SPF (the envelope sender) or the domain that signed with DKIM (the d= tag). SPF and DKIM alone do nothing to ensure that the From address is authenticated, because the envelope sender and the signing domain can both be entirely different from it. The DMARC record also tells receivers what to do with mail that fails (p=none, quarantine or reject) and where to send aggregate reports.

This is just a brief introduction to SPF, DKIM and DMARC records. If you want to read in detail, there is this guide written by Nicanor that explains these concepts in a simple manner.

Shootmail generates these records for you to add to your DNS settings, so that every message you send through it is fully authenticated.
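To make the alignment rule concrete, here is an added example (not Shootmail’s code) of how a receiving server turns SPF and DKIM results into a DMARC verdict. The domain example.com, its DMARC record, the sending domains and the pass/fail results are all constructed; the organizational-domain logic is simplified to the last two labels, where a real receiver consults the Public Suffix List. It also shows the subdomain behaviour touched on in the FAQ below: a subdomain without its own record falls back to the organizational domain’s record, whose sp= tag then sets the policy.

```python
"""Added example (not Shootmail's code): DMARC alignment evaluation.
All domains, records and authentication results below are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed DMARC record for the hypothetical domain example.com. A real
# receiver fetches this over DNS; the dict is an offline stand-in.
DNS_TXT: Dict[str, str] = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment. Simplified to the
    last two labels; a real implementation uses the Public Suffix List so
    that names like example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_dmarc(from_domain: str) -> Tuple[Optional[Dict[str, str]], bool]:
    """Find the DMARC record for the From-header domain.
    Returns (tags, found_via_org_domain): the receiver first tries
    _dmarc.<from_domain>, then _dmarc.<organizational domain>."""
    from_domain = from_domain.lower()
    record = DNS_TXT.get(f"_dmarc.{from_domain}")
    if record is not None:
        return parse_dmarc(record), False
    org = org_domain(from_domain)
    record = DNS_TXT.get(f"_dmarc.{org}")
    if record is not None and org != from_domain:
        return parse_dmarc(record), True
    return None, False


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(
    from_domain: str,
    spf_domain: str,
    spf_pass: bool,
    dkim_results: List[Tuple[str, bool]],
) -> Dict[str, str]:
    """Combine SPF/DKIM outcomes into a DMARC verdict and the action to take.

    spf_domain   : the MAIL FROM (Return-Path) domain SPF was evaluated for
    dkim_results : (d= signing domain, signature verified?) pairs
    """
    tags, via_org = lookup_dmarc(from_domain)
    if tags is None:
        return {"dmarc": "none", "action": "none"}

    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = any(
        verified and aligned(from_domain, d, tags.get("adkim", "r"))
        for d, verified in dkim_results
    )
    authenticated = spf_ok or dkim_ok
    # sp= (when present) governs subdomains whose record came from the
    # organizational domain; otherwise p= applies.
    policy = tags.get("sp", tags.get("p", "none")) if via_org else tags.get("p", "none")
    return {
        "dmarc": "pass" if authenticated else "fail",
        "action": "none" if authenticated else policy,
    }


if __name__ == "__main__":
    # Legitimate mail: SPF passed for a bounce subdomain, accepted by aspf=r.
    print(evaluate_dmarc("example.com", "bounce.example.com", True, []))
    # Spoofed From: SPF and DKIM both pass, but for the attacker's own domain.
    print(evaluate_dmarc("example.com", "attacker.invalid", True,
                         [("attacker.invalid", True)]))
```

The spoofed case is the one the post alludes to: both SPF and DKIM "pass", yet the message is rejected because neither authenticated domain aligns with the From header. Because the record sets adkim=s, a DKIM signature from example.com does not cover mail sent as news.example.com; that subdomain needs its own aligned SPF pass or its own DKIM key.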

Handling noisy neighbours

Unless you are using a dedicated IP, which we will support shortly, all mail is sent out through a large pool of shared IP addresses. Receiving mail servers track the reputation of the sending IP, so one bad actor sending spam can drag down the reputation of every other tenant whose mail goes out through the same pool; mail from IPs with a bad reputation either ends up in the spam folder or is rejected outright by the receiving server.

Shootmail tackles this by creating a separate configuration set for each user and each domain. Think of these configuration sets as separate boxes isolated from one another. We track the bounce and complaint rates of each configuration set automatically and continuously. Whenever these reputation metrics rise above a set threshold, the account is put on hold and the user is warned and given some time to bring the metrics back down. If the metrics do not improve within that time, the configuration set is disabled and can no longer send emails.

This ensures that one bad actor doesn’t harm the reputation of the entire shared IP pool, and everyone else’s emails keep landing in the inbox.

Preserving self reputation

By design, Shootmail separates transactional emails from marketing ones. Every user has to register two separate subdomains, one for each type of email. Internally, these domains are separated physically by servers, and each is assigned its own configuration set for reputation monitoring, as explained in the previous section.

This preserves the reputation of your transactional subdomain even if your marketing subdomain receives complaints.
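The following is an added example (not Shootmail’s code) of the per-configuration-set monitoring described in the previous two sections: each (user, domain) pair is tracked on its own, crosses into a warned state with a grace period when its bounce or complaint rate exceeds a threshold, and is disabled only if it fails to recover. The thresholds, the 24-hour grace period, the minimum sample size and the tenant names are assumptions for illustration; Shootmail does not publish its values. It also assumes a warned set may keep sending during the grace period, since that is how its rates can improve.

```python
"""Added example (not Shootmail's code): per-configuration-set reputation
monitor with a warning state and grace period. Thresholds are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Illustrative thresholds; Shootmail does not publish its actual values.
BOUNCE_THRESHOLD = 0.05      # more than 5% of sends bounced
COMPLAINT_THRESHOLD = 0.001  # more than 0.1% of sends reported as spam
MIN_SENDS = 100              # don't judge a set on a handful of messages
GRACE_SECONDS = 24 * 3600    # time allowed to fix the metrics before disabling


@dataclass
class ConfigSet:
    """One isolated box: a single user's single sending (sub)domain.
    Rates are computed over all recorded events here; a production monitor
    would use a rolling window so that old incidents age out."""
    user: str
    domain: str
    sends: int = 0
    bounces: int = 0
    complaints: int = 0
    state: str = "active"               # active | warned | disabled
    warned_at: Optional[float] = None   # when the grace period started

    @property
    def bounce_rate(self) -> float:
        return self.bounces / self.sends if self.sends else 0.0

    @property
    def complaint_rate(self) -> float:
        return self.complaints / self.sends if self.sends else 0.0

    def over_threshold(self) -> bool:
        if self.sends < MIN_SENDS:
            return False
        return (self.bounce_rate > BOUNCE_THRESHOLD
                or self.complaint_rate > COMPLAINT_THRESHOLD)


class ReputationMonitor:
    """Tracks every (user, domain) pair independently, so one tenant's bad
    metrics can only ever disable that tenant's own configuration set."""

    def __init__(self) -> None:
        self.sets: Dict[Tuple[str, str], ConfigSet] = {}

    def get(self, user: str, domain: str) -> ConfigSet:
        key = (user, domain)
        if key not in self.sets:
            self.sets[key] = ConfigSet(user, domain)
        return self.sets[key]

    def can_send(self, user: str, domain: str) -> bool:
        # Assumption: a warned set may keep sending during its grace period;
        # only a disabled set is blocked.
        return self.get(user, domain).state != "disabled"

    def record(self, user: str, domain: str, event: str, now: float) -> str:
        """Record a 'send', 'bounce' or 'complaint' event at time `now`
        (seconds) and return the configuration set's state afterwards."""
        cs = self.get(user, domain)
        if event == "send":
            cs.sends += 1
        elif event == "bounce":
            cs.bounces += 1
        elif event == "complaint":
            cs.complaints += 1
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.evaluate(cs, now)

    def evaluate(self, cs: ConfigSet, now: float) -> str:
        """State machine: active -> warned (grace period) -> disabled, with
        warned -> active if the metrics recover before the grace period ends."""
        if cs.state == "disabled":
            return cs.state
        if cs.over_threshold():
            if cs.state == "active":
                cs.state, cs.warned_at = "warned", now   # notify the user here
            elif now - cs.warned_at >= GRACE_SECONDS:
                cs.state = "disabled"
        elif cs.state == "warned":
            cs.state, cs.warned_at = "active", None
        return cs.state


if __name__ == "__main__":
    m = ReputationMonitor()
    for _ in range(200):
        m.record("tenant-a", "news.a.invalid", "send", 0.0)
    for _ in range(20):
        m.record("tenant-a", "news.a.invalid", "bounce", 0.0)   # 10% bounces
    print(m.get("tenant-a", "news.a.invalid").state)             # warned
    print(m.evaluate(m.get("tenant-a", "news.a.invalid"), GRACE_SECONDS + 1))
    print(m.can_send("tenant-b", "mail.b.invalid"))              # unaffected
```

The isolation property is the point: tenant-a’s marketing subdomain can be disabled while tenant-b, and even tenant-a’s own transactional subdomain, keep sending, because the state lives in each configuration set rather than in the shared pool.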

FAQs

Why subdomains and not apex domains?

It is very important to maintain the reputation of your domain on the internet. Using subdomains separates the reputation of your apex domain from that of the subdomains used to send mail, so if one sending subdomain receives complaints or spam reports, that doesn’t affect the reputation of the other subdomains or of the main domain. Reputation is not perfectly compartmentalised, though: some receivers also weigh the organizational domain, so subdomain separation limits the blast radius rather than eliminating it, and keeping every sending subdomain clean still matters.

How do I know whether the mail I am sending is a transactional or a marketing email?

As a rule of thumb, treat emails sent in response to a user-initiated action as transactional emails, e.g. signup confirmation, password reset, magic link, order confirmation. Emails initiated by the business to attract new or existing customers, or to send reminders, are marketing emails.