by jcrites 897 days ago
If you’re sending transactional emails like password resets or MFA, then the emails will have close to a 100% open rate. This is (likely) an important factor that Google uses to judge whether email is transactional, or more generally whether it is desired by recipients, alongside other factors like having a very low complaint rate.
4 comments

100% open rate on transactional emails feels too high to me. Something like an e-commerce purchase might kick off multiple emails (purchase made, shipped, arrived), none of which the user opens
Kicking off a chain of emails a user cannot easily opt out of could well be the sort of emails users want to lose. There probably should be a one-click 'stop emailing me' button, for this and future purchases. Which would be a support burden, yes.
We’ve received your order … we’ve taken payment for your order … your order has left our warehouse … your order has arrived in another warehouse … your order is with a delivery driver … all for a $5 cable.
I watch for the subject line. I don't actually care what the content says...
So... let's assume many users do this, and let's assume Google factors in the opening rate into the transactional-email-likeness score, and that transactional-email-senders become widely aware of this...

Then senders' incentive will become to make the subject line into clickbait for the content, so that you'll open the message. So instead of subjects like "Order placed", "Order paid", "Order shipped", "Order out for delivery" you'll get uniform subjects along the lines of "IMPORTANT UPDATE TO YOUR ORDER". You will lose efficiency getting through your emails, and over time the metric will lose its indicativeness. Everybody loses.

Some of these emails are legally required for online shops. Doesn't matter if the user wants to receive them or not, they _have to_ be sent and actually delivered to the user's inbox.
I'm not sure how the 'actually delivered' would be enforced. Does Google have an affirmative requirement to deliver a 3rd parties message? I hope not.

My gmail address received 35 emails yesterday (which didn't get spam filtered). All but 3 of those got auto-archived by the filters I have in gmail. I would love google to just do this automatically.

Practically I might need another message or two a week that didn't hit my inbox.... but that's fine as long as it is still searchable.

Sorry, to clarify, I only mean this particular type of transactional email: password reset, MFA.

But even for other types of transactional emails, like shipment confirmations, I would expect the open rate to be much higher and/or the complaint rate to be much lower than for marketing email.

It’s also not a bad idea to provide an unsubscribe option for shipment updates.
> If you’re sending transactional emails like password resets or MFA, then the emails will have close to a 100% open rate.

So I can disable a competitor’s email functionality by triggering a whole bunch of password reset requests for all discoverable usernames?

If they support SMS 2FA they need to be prepared for this too because it costs a lot. Yeah, so people need to ensure that reset is at least a little hard to abuse. After all, it's a bad experience for their users if they receive a shit ton of reset emails anyway.
Can confirm that last part. I get so many Facebook reset messages, it's a bit ridiculous.
That could potentially cause them problems, yeah, if you were able to do that endlessly. In practice most companies will have some kind of rate limiting in place around features like that (by IP, cookie, captcha, etc.)
IP and cookie-based rate-limiting are trivially bypassed. In fact, any kind of rate-limiting is ineffective here, especially for smaller organisations, because you only need to generate a small fraction of the traffic they normally send out. If they separate transactional mail from other types of mail (something that is frequently recommended), then how many illegitimate password reset emails do you think an attacker needs to trigger to get to, say, a 5% failure rate? Smaller organisations don’t send out an awful lot of transactional email.
True, but modern CAPTCHA rate limiting is not easily bypassed, and a lot of the solutions are free.

Together with cookies, you can show the captcha only to visitors that are not already recognized in some way, giving them a limited number of actions before showing the captcha. And regardless of whether you want one on your password reset page, you almost certainly want one on your login page anyway.
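As an added example (not code from anyone in this thread), here is a defender-side throttle that combines the two ideas discussed above: a cap on reset emails per target account, which rotating IPs or cleared cookies cannot get around, plus a small budget of anonymous actions per client key before a CAPTCHA is demanded. The `captcha_ok` flag, the in-memory dicts and the sample scenario are assumptions for illustration; a real deployment would keep this state in a shared store.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ResetThrottle:
    """Decide whether a password-reset request may trigger an email.

    Two independent sliding windows:
    - per target account: bounds the reset mails one address can receive,
      regardless of which IP or cookie the requester presents;
    - per client key (cookie/IP): a few free actions, then a CAPTCHA.
    State is held in plain dicts here (hypothetical; use a shared store).
    """
    window_s: int = 3600
    per_account: int = 3
    free_actions: int = 2
    _acct: dict = field(default_factory=lambda: defaultdict(deque))
    _client: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have fallen out of the sliding window.
        while q and q[0] <= now - window:
            q.popleft()

    def decide(self, account, client_key, now, captcha_ok=False):
        """Return 'send', 'captcha_required' or 'suppress'.

        'suppress' means: show the same neutral response as usual but send
        no email, so the cap does not leak whether the account exists.
        """
        aq, cq = self._acct[account], self._client[client_key]
        self._prune(aq, now, self.window_s)
        self._prune(cq, now, self.window_s)
        if len(aq) >= self.per_account:
            return "suppress"
        if len(cq) >= self.free_actions and not captcha_ok:
            return "captcha_required"
        aq.append(now)
        cq.append(now)
        return "send"


def demo_rotating_ips():
    """Constructed scenario: one account hit from five different IPs."""
    t = ResetThrottle()
    return [t.decide("victim@example.com", f"ip-{i}", now=100 + i)
            for i in range(5)]
```

Rotating the client key does not help the requester: the per-account window suppresses the fourth and fifth email, while a single client hitting many distinct accounts runs into the CAPTCHA after its free actions.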

I rarely open 2FA emails, because usually the displayed preview is all I need.
I open way less than 100% of password resets - because some are malicious.