We just open a new e-commerce website and recently noticed Gmail treat our e-mails as spam (notice the red question mark). Our website run behind CloudFlare so the email server IP address is different than the domain.
We also did not send a bulk email at least not yet. There are some explanations in Google FAQ but not sure what it means or how I need to implement it. Can you please explain how to set these DKIM (preferred) or SPF.
Our website uses nopcommerce (3.70) and developed with ASP.Net.
Disclaimer: I'm not a "pro" at these things (more later):
IMHO, this is probably the simplest explanation of DKIM
SPF: in my own words: providing a DNS TXT record that identifies "where" all your emails (smtp/mta servers) can come from. The more complete/formal spec is here
You can implement both
Opinionated:
SPF is easier to implement
identify all the origins of your email, set them in your SPF record, which is a TXT record in DNS
DKIM: is more complex - your mail/smtp server/s must implement it.
As a "web developer" one can see how this would be done in ASP.Net/C#/VB - e.g. sign some payload and using HttClient send some signature in an HTTP header in some outbound request.
But this is done on an SMTP server, so unless you have one that already implements it, it's something you'll have to do...
IMHO, for DKIM, unless your SMTP/MTA implements it, I'd go for services that provide it. There are 2 types:
Transactional email services:
Not for bulk email. These are the usual "order confirmation" emails, standard support/customer service, etc. emails. They will likely have APIs for you to implement (e.g. sending your MailMessage using thier servers and/or constructing something that equates to it and send that "object" to their API).
Bulk email services
these providers will already have implementations because one of their core value propositions is "deliverability" of your bulk/marketing emails. They should (of course do your due diligence) have both implementations inherently. Will also have their own APIs for bulk email context.
Hth
Related
I work for a subscription fulfillment company, where we handle the subscriptions to various magazines (renewals, invoices primarily). So we email out to the subscribers when they purchase a magazine, that we are charging them for their monthly/annually renewal or they sent us a question about their subscription and we are answering them.
As of right now, we are creating email addresses on our domain for each of our clients (the publishers), but the publishers want us to send out the emails with their domain name as the from (not ours).
I know this can be done because we purchased email blasting software and it does it without a problem (the clients put in SPF records so that it won't be marked as SPAM). The problem is that when our .Net (specifically VB.Net) application goes to send out emails with a From from a different domain, I get back that the user we authenticated to our internal SMTP server with isn't authorized to send out on behalf of the From.
I got a partial idea from Send SMTP with From address of another domain that maybe I could ask the publishers to issue us credentials to their SMTP server and have the .Net code try using their server and credentials to send out the email, but I would prefer not to go that route.
On the same note, our people use Outlook 2010 to answer most of the customer service emails, so it would be good if the solution for the .Net could also work for Outlook. If it doesn't, it doesn't, but at least the .Net one is a step in the right direction.
Now, I am a .Net developer, not an SMTP administrator (but I'm the closest to it that we have). So any instructions need to be detailed, please assume that I am ignorant in this area, so if you say go run program such and such, please state where program such and such is.
I'm really just looking to see how much folly is in the below suggestion from a security perspective.
I have two websites. One is an administration portal and the other is a members portal.
Within the administration portal administrators can retrieve a listing of members and I need to offer the ability for administrators to login to the member portal without having to enter the members login credentials.
Both are separate websites within IIS and for this discussion lets say they are on different servers.
Both websites access the same SQL Server database.
I was thinking that I could on the administrator clicking a "Login as Member" link create a random code string and save this to the database along with the member number.
I could then pass the code and member number to the member portal as query string parameters.
The member portal then read in these values and checks them in the database to verify that the code string exists and if so that it matches the member number also being passed. I could then login the member and set a flag in the database to set the code as being used and therefore invalid for future requests.
I'm thinking to bypass this a hacker would need to successfully guess the random code and pass that to the page alongside the corresponding member number for that code and for that combination to be marked as unused in the database.
This would seem to be unlikely given that only seconds will pass between the code being generated and the code being used.
If necessary I could always check the IP address of the request as users of the administration portal all share the same fixed IP address.
So do you think the above would stand up to scrutiny on a security review or will I need to go down the SSO route?
Your approach is very sound. I can confirm because I have implemented just such a solution for just such a reason. We analyzed the options and exposure. And after implementation, our application passed a PCI Complaince Audit.
Reasons:
SSL is Esential! protects against sniffers. Essential. Without Encryption, sniffers could detect your GUID and may have a window to use it)
As Tony pointed out, the GUID is effectively unguessable.
Guid Tokens expiring should expire within 24 hours.
Suggestions:
Checking against IP is good. But don't be fooled into a feeling of security from it. Anyone can fake IP's in headers. To be Secure against XSS and CSRF by using AntiForgery tokens.
The AntiForgery token is a cookie that populates your HTTPHeaders with __RequestVerificationToken which is almost as hard to guess as your GUID.
Consider using an established Authentication framework like .NET Identity 2 and multitenancy.
An established framework takes the burden of encrypting your passwords. MS Frameworks like Simple Membership and Identity integrate into modern ASP.NET frameworks and give you very strong base of functionality to lean on.
If you're using an old framework like classic ASP or .NET 2.0, the classic Membership Provider is more appropriate.
If you are creating new MVC 5 applications utilizing Entity Framework, I strongly suggest using Identity 2.1.
Consider Mult-Tenancy. While there is nothing wrong with your solution, if Admins and users shared Membership Provider, your solution would be cleaner. An admin could log into the main site and "get" the token from the DB. Then no exposure.
Assuming the use of HTTPS and adequate physical and IT security processes and procedures in place for the administrators, this method should be adequate. It is more secure than most financial website password resets, which typically only require a compromised email account and some personal information to reset the password. If you check the IP address range of the originating client request as well, a hacker would have had to already have access to your systems or network. Also, if you make the code a GUID, it would be (pragmatically speaking) impossible for someone to guess.
You could add a layer of checking for hack attempts by storing a record in the database each time this event occurs (or at least each it fails due to a bad key), and each time it occurs run a check to see if it is happening too often (like 100 times in the past hour, or something--the right number depends on how often you expect it to happen). If it's happening too often, then have it send an alert to IT personnel and revert so that the user has to enter their credentials manually.
Disclaimer: I am not a security expert by any means, so I'll gladly defer to anyone claiming such status. I'm weighing in here due to a lack of answers.
I am using Contact Form 7 with Dynamic Text Extension on a WordPress site. The information does not get stored to a database, rather it is sent only via email. Is there a way that I can encrypt the information that is sent in the email?
We are going to purchase and install an SSL certificate to use for these forms, but I'm not fully familiar with how SSL works. Does any form data sent from an https link automatically get encrypted, or is this something that I have to implement? If so, how does it get unencrypted when it hits our mail server?
Thanks for any insight you can give.
Old question, but incorrect (or rather a partial) answer I believe. The question was whether HTTPS will secure the email being sent by CF7.
Back to basics...there are two transfers of the data that potentially could/need to be secured. The first is from the user's browser to the CF7 plugin form on the Wordpress server. This can be sent over an encrypted channel using https.
The second is when the form data is sent by the CF7 plugin by email. Setting up https/an SSL cert. on the Wordpress server does nothing to improve the security of this. Email is sent by SMTP from CF7 so all standard caveats regarding security of emails apply.
Stuart
https secures the communication between the client/user <-> server using a SSL certificate. This would be the best method to use if you do not want to code your own custom plugin that will encrypt it without the communication being encrypted. Since the communication to the server is secured it does not require you to decrypt anything as the server will obtain the information securely (which prevents man in the middle attacks and so on). More about https - http://en.wikipedia.org/wiki/HTTP_Secure
You can use a plugin to help you implement the communication to your site being secured:
http://wordpress.org/extend/plugins/wordpress-https/
Otherwise you can code your own plugin or contact form under PHP and directly encrypt the content that is being sent to your email or just to the submit form depending on how you would like this information encrypted
You're looking for the WP PGP Encrypted Emails plugin for WordPress. Install it, paste in your PGP public key (or your S/MIME certificate, whichever email encryption scheme you want to use), and it makes sure outgoing email your site or contact form plugins generate addressed to you are encrypted (and, optionally, even signed).
If you don't know much about email privacy or encryption, be sure you read the plugin's FAQ, which has a bunch of links to additional information.
Full disclaimer: I'm the developer of this plugin.
I'm new to Drupal, just made my first site and having some issues with email. Two questions:
I've enabled the site-wide contact form, and sometimes though not always, I'll receive two identical emails from my site when someone submits a message via the contact form.
I've found documentation on Drupal's email handling very sparse. Can someone give me a brief rundown on how Drupal sends email? I have it installed on a godaddy server, and I have my own domain name, but I never set up any email services from godaddy or configured any emails settings for Drupal (e.g. SMTP, POP), so I was surprised it could send emails right off the bat. On this topic, is there a better way to handle simple email tasks like the contact form than by using the built-in email features of Drupal core?
Thanks.
I'm not sure. Can you replicate this
problem yourself or is the just an occasional happening?
By default Drupal will
use the PHP mail() function
(http://php.net/manual/en/function.mail.php)
which (usually) does not require you to do any
explicit email configuration.
You can use the hook_mail_alter (http://api.drupal.org/api/drupal/developer--hooks--core.php/function/hook_mail_alter/6) in a custom module to peer more deeply into the emails that are being sent. This does require an understanding of PHP.
A very widely used (and better) alternative to the Contact Form is the Webform module (http://drupal.org/project/webform). It provides a very easy to use interface to generate custom forms and does not require any programming knowledge.
If you wish to send more sophisticated emails you may want to investigate the SMTP module (http://drupal.org/project/smtp) which allows you to send to an SMTP server. Also, check into the MimeMail module (http://drupal.org/project/mimemail) as it allows for things like attachments and HTML emails without having to crack open and modify an email's headers via hook_mail_alter.
Answers
Hard to say, it could be a few things, but answering question 2 may give clues about question 1. I am guessing it is due to the configuration of your current email server.
Drupal can be configured to send mail LOTS of different ways, but by default it uses the built in php mail() function. This is configured in your php.ini. I would imagine that godaddy probably set up an SMTP or sendmail server by default.
For both of these issues, I would look at how things are configured (which, due to the nature of godaddy, may not work very well) or by talking to godaddy.
My recommendation would be to use google apps to host your email. Then you can have email sent from your domain but with google reliability, and having it be free!. To connect with drupal, use this module which requires PHPmailer, which may or may not be installed already by godaddy (they should support it though!).
Hope that helps. Leave any more questions in the comments.
I develop applications using the ASP.NET framework for my academic organization. We also have an exchange server for internal accounts.
Since my organization is under the umbrella of a larger one, all our internal exchange accounts also have external parent accounts with the same names.
I'm facing an issue where automatic emails triggered using the system.net.mail classes are correctly routed to the required email addresses, but they go into exchange account's inbox.
While this is not a big problem for some users, there are a few who want the emails to go to the parent accounts so that they can view emails while working from home.
I was wondering if there is any way I can achieve this at the application layer - to instruct the SMTP server to send mails to the external accounts with the same names and ignore the local active directory accounts.
Thanks.
No, you can't. The SMTP protocol doesn't have any spec for this.
I believe you would have to setup and point to an alternate relay for this to happen.