Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Allow customers to send from their own domain in a SAAS application

Tags:

email

dns

saas

spf

I'm currently running a SAAS application and mails are being sent from our application using Mailjet.

Some of the larger customers have been asking to allow the emails to be sent from their domain (e.g. [email protected]) instead of our system ([email protected]).

Are there any initial pointers I will need to look at? I'm guessing they will need to add our SPF records to their SPF records too and that they will need add a DKIM key that we generate for them to add to their records too? Then do some validation on them on the DNS level and mark them as validated?

I have some understanding to have customers run their own domain against our SAAS domain but a bit lost on the sending from their email domain requirement.

like image 712
Simon Avatar asked Jun 04 '20 02:06

Simon


People also ask

Can I send email from a domain I don't own?

You cannot create an email address for a domain where you have no access. Whoever owns or maintains a domain can create email addresses for it.

Can you send email from another domain?

Generally speaking, you can't. Spammers would really love for this to be possible, and this is the reason why there are lots of systems in place to avoid this. If you have a legitimate reason for sending emails on behalf of someone else, there are two solutions: Send the emails through their mail server.

How do you send an email on behalf of a client?

Add a sender identity to an email You can now add it to an API call to start sending emails on behalf of your client. All you need to do is use a POST request to the email endpoint and enter the sender identity email address instead of the from email address you usually use for your domain.


1 Answers

First, for the record, my SaaS platform does this (vía option 2b). It’s an e-commerce marketplace and I need the receipts to be sent from the email address of the product seller, not from me (the marketplace)

You have two(ish) options

  1. Send email through your client’s mail servers (instead of mailjet)

  2. Verify the client’s domain on your Mailjet (or similar email) service

option 1

With option 1, you’ll need to ask your client’s IT team to setup a username and password for you to access their SMTP server. This is essentially just like them creating an email account for you to use. This may seem like the easiest path available for you, but there are potential pitfalls and disadvantages:

Doing this, you will lose the mail open/click/bounce tracking functionality you get with mailjet; because you’ll be using the company’s SMTP server instead.

If you’re sending out as a fairly common email address (eg [email protected]) the client may already have that account active on their mail servers. That would allow them to receive replies into the existing infrastructure but make them wary of the security issues with sharing a password to their mail server with you.

You might find that they don’t even have the ability to give you a username and password. Modern mail services don’t allow for SMTP access (which is what your web app will need); and security conscious companies require 2 factor authentication on mail accounts (which your web app can’t answer)

Option 2

For this, you will need to ask their IT team to configure some DNS records to prove to mailjet, and to the email recipient, that you’re allowed to send on behalf of your client.

You did this for your own domain when you first setup mailjet. See https://app.mailjet.com/support/how-to-add-a-sender-address,96.htm for what this involves, but it’s a case of asking the client to configure a DNS record.

That tells mailjet that you’re allowed to send on behalf of that domain; but you’ll also want the client to adjust their SPF and DKIM records so as the recipient of the emails knows to trust Mailjet’s servers with emails sent from your client’s domain name. Normally, recipients only trust email sent from your client’s mail server (which you have as option 1) and distrust email sent from SAAS providers.

You will (or should) have done this on mailjet for your own domain already as well. https://app.mailjet.com/docs/spf-dkim-guide

So for this, you’ll need your client to setup 3 DNS records.

If you go this way, you could setup a separate Mailjet account which they and you have access to. That way they ca see their dashboard directly and feel a sense of ownership and security around it. But you won’t be able to markup the price of it 😜

Conclusion

How important is the tracking? If you can’t lose that you need to go with option 2.

How technically savvy is the client? Are they going to be able to have those DNS records changed? Are they going to be (rightly) security conscious around giving you an account on their main mail sever.

Option 2 would be my preference. You might need to hold their hand through the DNS setup so get it configured on Mailjet (And ask about SPF in here to make sure you get it right) so you can provide them with clear instructions of the specific 3 DNS records to create/update.

Whatever approach you take make sure you’re talking to the right people at your clients side soon. Their marketing team may be keen to do this with you, but if their IT feels left out of the conversation they will be difficult to get on board when you need them to make the changes. Us IT folk can be grumpy and obstinate 😀

your web app

This is going to need some adjustment. You probably already store your Mailjet credentials in a file or environment variables; these might need to move these to a dB table so you can relate credentials with specific accounts. But we’d need more info on the web app to be able to speak more to that side of the challenge.

option 2b

just as a note instead of a real suggestion. Be aware that some email service provers allow the sending verification part to be done by sending an email to someone on that domain (eg [email protected]) and then allowing sending vía the API if the recipient clicks on the approve link on that email. But, even with that setup you still need the client to configure SPF and DKIM on their DNS, so the extra one record isn’t a big ask. AWS’s SES allows for this. This works for me; but I have different requirements around deliver ability, and a large number of non-tech users (as opposed to your one or two big clients)

like image 168
Tom Harvey Avatar answered Oct 19 '22 17:10

Tom Harvey