Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Emails from Sydent should include headers that enable automated bounce and complaint handling #539

Open
benbz opened this issue Dec 16, 2022 · 2 comments

Comments

@benbz
Copy link
Contributor

benbz commented Dec 16, 2022

Description:

Various email providers require you to keep your bounce & complaints rates low to keep being able to sending through them. Various providers also provide reports or feedback on which emails have bounced or been complained about. For low traffic identity servers it maybe possible to handle these reports manually, but it is less feasible for high traffic identity servers so there should be automation.

Proposal:

  • Each and every email sent via Synapse includes 2 emails headers: 1 with a URL to an API indicating that this email bounced, 1 with a URL to an API indicating that this email was complained about
    • The URL should include enough parameters to provide the context (e.g. sender MXID, email type) that would allow Sydent to handle the bounce / complaint report
    • Alternatively at sending time, Sydent could store the context against message-id in the email and the API provides that message-id back
  • Identity server administrators could setup a system that automatically processes bounce / complaint reports from the email provider and call the appropriate API
  • On the API being called Sydent performs appropriate actions. The appropriate actions likely differ per report type and per email type and would require discussion, e.g.:
    • For complaints about being invited to a room we may want to block further attempts to that email address for that room
    • For complaints about email address verification emails we may either not want to block at all or just block for a short period of time
@reivilibre
Copy link
Contributor

Alternatively at sending time, Sydent could store the context against message-id in the email and the API provides that message-id back

Assuming these headers can end up in someone's inbox, this would be much more preferable since otherwise you open yourself up to someone sending the API request themselves with someone else's MXID and attempting to deny them the ability to send e-mail invites. If the message ID is unpredictable then that closes this hole.

@benbz
Copy link
Contributor Author

benbz commented Dec 16, 2022

I had been wondering about the parameters just being a single base64 encoded blob that's signed by the IS's signing key to prevent modifications. However I don't super care about the implementation more that some functionality exists that can automatically handle these reports :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants