by jrodom 3756 days ago
We are working on this. Based on what we have discovered so far, there appears to be a content issue that's impacting deliverability. We have ruled out any issues with the IP address these messages are being sent from. Our lead reputation engineer is going through this, and we've not been successful in reaching out to the inboxtrail team yet.

Disclosure: I lead product development for Mailgun.


Though you definitely still have space for improvement. I have a Mailgun account and:

1. I didn't configure my MX, so you don't track delayed (asynchronous) bounces. It should be your responsibility as an email provider to use an appropriate Return-Path so spam complaints/bounces reach back to the client in this situation.

2. I opened ticket #212817 a while ago (September) about how a MITM could capture emails and replay them by injecting duplicate Subject/From/To headers (article here: https://wordtothewise.com/2014/05/dkim-injected-headers/) but this still isn't fixed today :(

That said, we're very happy with the service :), one of the killer features is how easy it is to manage wildcard sub-domains (compared to the pain it is with Mandrill).

On issue #1, we're going to update the language around this in our control panel and put together better documentation. In reality, having MX records is important to allow for sender address verification [1], which many SMTP servers require.

On issue #2, thanks and apologies for the slow response. This ticket slipped under our radar.

To give you a quick answer: we'll look into the approach you described in your blog post as well as RFC 6376. It seems legit, but we'll need to do some more testing to ensure that deliverability does not suffer due to changing how we sign messages. If deliverability does suffer, we can always make this something that is an optional security setting that can be toggled, like how you can enable and disable TLS certificate validation now.

Our security engineer will take a look and reach out to you with more details in the ticket.

[1] https://en.wikipedia.org/wiki/Callback_verification
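How the duplicate-header replay from the ticket above interacts with the RFC 6376 approach mentioned in the reply, as an added example (not Mailgun's or the commenter's code): it models DKIM's h= header selection and shows that a plain h= list lets a prepended duplicate Subject verify unchanged, while an oversigned list (each name listed one extra time) makes the verifier fail it. The function names and the sample headers are assumptions of the example.

```python
# Added example, not Mailgun's code. Models the h= header selection of
# RFC 6376 section 5.4.2 to show why listing each header name one extra time
# ("oversigning", RFC 6376 section 8.15) breaks the duplicate-header replay.

def select_headers(headers, h_tag):
    """Return the header instances DKIM would hash for the given h= list.
    headers: (name, value) pairs in message order; h_tag: names, repeats allowed.
    Each h= entry takes the last unused instance of that name, scanning bottom-up;
    an entry with no instance left hashes as empty (None here). Canonicalization
    is omitted: different selected instances mean a different hash input."""
    used, selected = set(), []
    for name in h_tag:
        idx = next((i for i in range(len(headers) - 1, -1, -1)
                    if headers[i][0].lower() == name.lower() and i not in used), None)
        if idx is not None:
            used.add(idx)
        selected.append((name.lower(), None if idx is None else headers[idx][1]))
    return selected

def inject_duplicate(headers, name, value):
    """The replay from the ticket: a second copy of a signed header is prepended.
    Many clients display the first instance; the verifier hashes the last."""
    return [(name, value)] + list(headers)

def injection_breaks_signature(headers, h_tag, name, value):
    """True when the prepended header changes the hashed input, so the
    verifier rejects the replayed message instead of passing it."""
    return (select_headers(headers, h_tag)
            != select_headers(inject_duplicate(headers, name, value), h_tag))

def oversign(headers, names):
    """Build an h= list naming each header once more than it occurs in the
    message (the RFC 6376 section 8.15 mitigation)."""
    out = []
    for name in names:
        count = sum(1 for n, _ in headers if n.lower() == name.lower())
        out.extend([name] * (count + 1))
    return out

# Constructed sample message headers, not a captured email.
SAMPLE_HEADERS = [
    ("From", "alice@example.com"),
    ("To", "bob@example.com"),
    ("Subject", "Your invoice"),
    ("Date", "Mon, 1 Jan 2014 00:00:00 +0000"),
]
```

With `h=from:to:subject`, `injection_breaks_signature(SAMPLE_HEADERS, ["from", "to", "subject"], "Subject", "Spam")` is False; with `oversign(SAMPLE_HEADERS, ["from", "to", "subject"])` it is True.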

Thank you for replying. Glad you guys are considering this :)