Tuesday, November 23, 2010

Why the SMTP service requires a list of From Addresses when using SMTP Authentication

12/6/10 - IMPORTANT UPDATE - As of December 6, 2010, the SMTP service NO LONGER requires a list of From Addresses when using SMTP Authentication. You can disregard this blog post, which was originally written on November 23, 2010. If you're interested in a bit of JangoSMTP history though, then feel free to read on!

There are two ways to authenticate into to the JangoSMTP service:
  1. By IP Address of the connecting application
  2. By SMTP authentication with username and password, also known as SMTP-AUTH. This, coupled with a specified From Address allows you to send an email through the SMTP server.
We are often asked why in the latter case it is necessary to specify a From Address. Why is it not enough to authenticate with username and password for an email message to be validated for a particular account?

Some might guess that it's a security issue, to prevent a flood of unauthorized emails being relayed through a user account should the username and password become compromised or end up in the wrong hands.

It's actually not a security issue, but an architectural limitation of the SMTP service that we will soon be fixing. An explanation of this architectural limitation, for interested readers, is below.

The basic limitation is that SMTP username/password authorization is done at the SMTP-transmission level, and once the email arrives, there is nothing inside the email message to indicate what SMTP username was used to allow the email to arrive in the first place. Hence, the system has to key off the From Email Address.

The steps JangoSMTP takes when an email is relayed to the SMTP server are:

  1. At the SMTP level, the email is authenticated by connecting IP address or by SMTP-AUTH. The email must conform one of those two checks in order to arrive. Otherwise, the email will be rejected at the SMTP level with a "we do not relay" error after the RCPT-TO command during the SMTP transaction.
  2. Once the email has arrived, a secondary process analyzes the email file in order to determine to what user account it belongs. First, the connecting IP address, which is present at the top of the file in the "Received" line is matched against IP addresses specified in user accounts, and if a match is found, the email is determined to be of that user account. If there's no match, then the assumption is made that the email arrived via SMTP-AUTH and not by IP Address Authentication. In this case, however, there is nothing in the email file that indicates what SMTP username/password were used to transmit the email message, since the SMTP username/password authentication is done during the SMTP level message transmission. No header within the email file contains the SMTP-AUTH information. It is for this reason that the process must rely on the From Address to determine to what user account the email belongs.

  3. If it cannot be determined to what user account an email message belongs, it is discarded. If it can be determined, then the process continues with the next step.
  4. Next the email message is passed to a web service, where it is disassembled and reassembled order to add open tracking, click tracking, DKIM signing, and other mechanics that JangoSMTP supports.
  5. Lastly the web service passes the email message to an email sending server in order for final transmission to the email recipient.
Fortunately, this will soon change. We are having the SMTP listener modified such that it will write an X-header to the email message containing the SMTP-AUTH username if it was transmitted via SMTP-AUTH. This will allow our process to then key off of the account username to identify a matching user account, rather than having to key off of the From Address. Once this is in place, it will no longer be necessary to specify From Addresses when using the SMTP service.

Thursday, November 18, 2010

JangoSMTP Ports

We've recently had some users ask us on what ports they can connect to the SMTP server at relay.jangosmtp.net. While it's documented on our website on the How it Works page, we thought a separate blog post would make it clearer. You can connect to relay.jangosmtp.net on ports:
  1. 25
  2. 2525
  3. 587
  4. 465 for SSL/TLS connections
For more information on SSL/TLS, see the blog post on connecting to JangoSMTP securely.

Sunday, November 14, 2010

Transactional Email integration with Google Analytics

Google Analytics integration is now available with transactional email sent through the SMTP relay or through the API.

To start tracking your transactional email with Google Analytics, first turn on Google Analytics in your JangoSMTP account. Click the Edit Icon next to Google Analytics Integration under Settings --> Tracking and follow the steps outlined in the Procedure section.

Transactional email with click-tracked links will take the recipient to a URL that looks like this:


For transactional email, the Campaign Name inside your Google Analytics account will be the Transactional Group Name inside your JangoSMTP account. And the Content inside your Google Analytics account will be the email address of the recipient.

For transactional email, it wouldn't make sense to use each individual email's Subject line, because if you send 1,000 transactional emails, all with different Subject lines, you'll end up with 1,000 different campaigns in your Google Analytics account, and making sense of the data would be impossible. That's why transactional emails will be categorized by their Transactional Group Name and not their Subject.

You may use any combination of these values in the four Google Analytics variable fields:

%%EmailAddress%% = the email address of recipient
%%TransactionalGroupName%% = the Transactional Group Name of a transactional email
%%TransactionalGroupID%% = the Transactional Group ID of a transactional email

To set this up...

1. You must have click-tracking enabled on your transactional email. If using the SMTP Relay, check the Activate Click Tracking checkbox under Settings --> Tracking --> General. If using the transactional email API, set "ClickTracking=True" in the Options input parameter of one of the following methods:


2. Turn on Google Analytics by checking the box under Settings --> Tracking --> Google Analytics Integration, as shown in the second screenshot.