Posted by Comments

Since adding Inbound parsing to Postmark over two years ago, we’ve processed millions of messages for our customers. We’ve been adding more and more features to inbound over time as well, such as MX Domain Forwarding, retries, and StrippedTextReply. Today we’re announcing the next set of Inbound features, along with a completely redesigned Server Settings page.

Inbound Spam Threshold

When messages are sent to a user’s Postmark Inbound email address, they’re scanned using SpamAssassin and assigned a score, which is added to the message as an X-Spam-Score header. The header can then be examined at a user’s webhook endpoint and, if the score is high, the message can be discarded. Up until now, however, it was up to the user to set up and maintain this process. Beginning today, Postmark offers an Inbound Spam Threshold setting which will be applied to all messages that pass through the server it is set for. The spam threshold can be set under the Server Settings > inbound section or through the new Inbound Rules API.

SpamAssassin Threshold

If the spam score of the message exceeds the threshold that is set for the server, the message will be blocked and not passed on to the user’s webhook. The message will appear in your inbound activity and is still searchable via the usual API endpoints, but it will not be processed.

Since spam scoring is tricky business, false positives can occasionally happen. In this case, you may use the “Bypass” button to process the message despite any of the rules in place to block it.

Bypass a blocked message

Setting the Inbound Spam Threshold and bypassing blocked messages are, of course, also available in the API.

Inbound Rules Triggers

A short time ago we announced the Triggers API which allows you to add actions to certain events as they happen. Today we announce our second set of triggers, Inbound Rules.

Inbound Rules are meant to offer you even more control over inbound processing. You can add either an email address or a domain to a list of rules that will be consulted for each inbound message. If the sender of an inbound message matches one of the rules, the message will be blocked in the same way the Spam Threshold blocking works. Likewise, these rules can also be bypassed in the front-end or by way of the API. Adding an Inbound Rule trigger is easy and can be done through the API or in the web app under the inbound server settings.

Inbound rules
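
The two checks described above (score threshold and sender rules) can also be applied at your own webhook endpoint. The following is an added example, not Postmark's code: the `From` field, the Name/Value shape of the `Headers` entries, exact (non-subdomain) domain matching, and blocking unscored messages are all assumptions.

```python
import json
import math
from email.utils import parseaddr

# Constructed sample: the "From" field and the Name/Value header objects are
# assumptions about the inbound JSON, not taken from the post.
SAMPLE = json.dumps({
    "From": "Bulk Sender <offers@bulk.example>",
    "Subject": "This is an inbound message",
    "Headers": [{"Name": "X-Spam-Score", "Value": "7.3"}],
})

def spam_score(message):
    """Return X-Spam-Score as a finite float, or None if absent or malformed."""
    for header in message.get("Headers", []):
        if str(header.get("Name", "")).lower() == "x-spam-score":
            try:
                score = float(str(header.get("Value", "")).strip())
            except ValueError:
                return None
            # "nan" parses as a float but compares False to everything.
            return score if math.isfinite(score) else None
    return None

def matching_rule(sender, rules):
    """Return the first rule (full address or bare domain) the sender matches."""
    address = parseaddr(sender)[1].lower()
    domain = address.rpartition("@")[2]
    for rule in rules:
        target = address if "@" in rule else domain
        if target and target == rule.lower():
            return rule
    return None

def decide(raw_body, threshold, rules):
    """Return (action, reason); action is "process" or "blocked"."""
    message = json.loads(raw_body)
    rule = matching_rule(message.get("From", ""), rules)
    if rule:
        return ("blocked", "sender rule " + rule)
    score = spam_score(message)
    if score is None:
        # Assumed policy: an unscored message is held rather than trusted.
        return ("blocked", "no usable X-Spam-Score")
    if score > threshold:
        return ("blocked", "score %.1f exceeds %.1f" % (score, threshold))
    return ("process", "score %.1f" % score)
```

Returning the reason alongside the action lets the endpoint log why a message was held, which makes false positives easier to review.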

Server Settings Redesign

With the addition of these new inbound features we decided it was time to redesign our server settings.

Server settings redesign

We’ve organized our server settings into three different categories:

  • General — Your server name, color label, and the option to delete your server can be found here.
  • Outbound — Your outbound related webhooks, open tracking, and SMTP settings can be found here.
  • Inbound — Your inbound webhook, inbound domain, and inbound spam filtering settings can be found here.

Anything else you would like to see added or improved? Let us know!

Posted by Comments

Our friends over at Word to the Wise recently posted about Cryptography and Email with a great illustrated follow up on Public-key Encryption.

This is a great topic, mainly because the standard operating method of SMTP is VERY vulnerable - sending content in plain text. We work hard to ensure any communication between you and our servers is secure (https, etc) as well as traffic between our data centers and on our data stores. However, if the email is sent in plain text once it leaves our servers, that doesn’t help much. This is why we use opportunistic TLS for outbound email and almost “force” DKIM for new sending addresses. Right now we have a 91% adoption rate for customers using DKIM, which I am very proud of. I’d much rather that be 100%. If you are reading this and not using DKIM on Postmark, get to it!

It doesn’t stop here of course. Our new (and free) DMARC tool helps you monitor and implement DMARC to protect who can send email on your behalf. We also just returned from our company retreat in the Dominican Republic, and part of our road map is to continue adding security features to our application and API endpoints.

Hope you enjoy the good read from Word to the Wise. I always enjoy their posts on email.

Posted by Comments

Earlier today, around 2:05 PM EDT, our API servers started to drop connections and time out. The entire team dropped everything and started to investigate. After ensuring the API servers and backend databases were healthy, we started to investigate other causes. During this time we decided to redirect traffic to our off site disaster recovery data center, to avoid lost messages.

After about 20 minutes, we narrowed down the cause to our RabbitMQ cluster. Two of the three nodes were not properly handling requests and the cluster did not fail over properly. The only solution was to forcibly kill the two nodes, getting us down to a single healthy node. Once we verified this was working again, we redirected traffic back to our Chicago data center and enabled sending again. This happened close to 3:00 PM EDT.

Sometime during the queuing of messages, we know that some messages were picked up and sent more than once. We’re combing through logs to see what could have caused duplicates. If you find them in your account, please get in touch and we’ll reimburse the credits.

Recently we’ve had a few outages from various issues. This was the worst by far. We are going to do a full analysis of our RabbitMQ cluster to figure out what happened as well as figure out ways to avoid it in the future.

Next week we go on our company retreat, so stability in Postmark will surely be a big topic. I’m really sorry for the trouble we have caused. I’ve always said that in Postmark our #1 priority is to never drop a connection (lose a message) and today we’ve failed you big time.

Posted by Comments

When we launched open tracking, we created two ways to enable tracking on emails. You could either enable it with a field in your messages or enable it for a specific tag. While this works for most cases, it still takes some effort. We wanted to make it incredibly easy to start tracking opens in your emails, so today we launched open tracking per server. Now, with the click of a button, you can automatically enable open tracking on all HTML emails sent through a server.

Enable server open tracking in the Postmark web app

If you are ready to start tracking opens on the server, the absolute easiest way is to use the Postmark web app under your server’s settings page. Once enabled, all HTML emails sent through this server will have opens tracked.


Enable server open tracking via the API

There are two ways to enable open tracking per server in the API. You can either use the account management endpoint or the server specific endpoint.

If you are using the server API key, just set TrackOpens to true for the specific server:

    curl -X PUT "" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -H "X-Postmark-Server-Token: " \
      -v -d '{"TrackOpens": true}'

This call responds with the new (updated) server settings. The Server ID doesn’t have to be specified with this call, as the server token is bound to the specific server.

You can also enable open tracking per server with the Account management endpoint. Just set TrackOpens to true for the specific server:

    curl -X PUT "" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -H "X-Postmark-Account-Token: " \
      -v -d '{"TrackOpens": true}'

This call responds with the new (updated) server settings. Notice that with this call has to be specified. The account token is found on the Account page.

Disabling open tracking per message

If you wish to disable open tracking for certain messages, remember that you can always set TrackOpens to false for a message in the API endpoint or SMTP header.

Posted by Comments

Email authentication (validating the identities of the parties involved in sending an email) is a hard problem, with no one solution. Different techniques solve different parts of the problem. SPF is a technique to whitelist IP addresses for a domain’s originating address, described in my last article. DMARC is a technique that builds on SPF and DKIM to allow domain owners to enact policies and get reports. Postmark launched a free tool to help you with DMARC reporting. DKIM is a method to protect against email spoofing using public-key cryptography. In this article, I’ll explain how it works and what protection DKIM provides.


Posted by Comments

Managing your email templates in your source code can be a pain. Each time you update content either a developer is needed, a deployment is required or both. There’s a better way and it’s much easier than you think.

Today, Sendwithus announced integration with Postmark, allowing you to edit templates, A/B test content and segment your recipients without ever needing to touch code or deploy.

Email templates are created using the Sendwithus service, then each time you send emails the content is merged with your recipient data and delivered through Postmark. Through our recently launched open tracking tools all statistics are then posted back to Sendwithus for reporting.

The best part - you can still let Postmark send your emails, ensuring fast delivery right to the inbox.

Learn more and get started by reading the Sendwithus blog.

Posted by Comments

As promised with the release of open tracking, we released the related open tracking webhooks. With webhooks enabled, Postmark will push the open tracking data to a URL you specify each time an open occurs. This notification will contain all of the great information you can see in the Postmark UI, Opens API and Outbound Stats API.

Webhooks are unique to each server in your account. You can add a webhook on the Server Settings page under the “Opens webhook” section.

By default, all of your email opens will get posted to your webhook. Postmark differentiates between the first and subsequent opens. Every JSON payload posted to your webhook will contain the property FirstOpen, showing if this was the first time the recipient opened the email. If you don’t care about subsequent opens, you can set the switch “Post only on first open” on the Server Settings page.

Managing webhooks with the API

All of the webhooks functionality can be managed with the API. On a per-server basis, you can call the /server endpoint using the X-Postmark-Server-Token. If you’re managing more than one server with an Account Token, you can refer to the Account API.

Developer contest: 150,000 credit reward

We’d love to see what you come up with using webhooks and the API with open tracking. We’ll showcase unique examples on our blog, so please share your work in a public GitHub repo. We’ll reward the most interesting or unique implementation with 150,000 free Postmark credits. Just email us with your example. We’ll pick a winner July 31st.

Posted by Comments

Reply Parsing

Before today, the Postmark Inbound processor would parse the HTML and text bodies of incoming messages, but it was up to the user to decide whether a message was a reply and what the reply text was. Today we’re introducing the StrippedTextReply field, which will contain only the reply text of an Inbound message.

    "ReplyTo": "",
    "Subject": "This is an inbound message",
    "MessageID": "22c74902-a0c1-4511-804f2-341342852c90",
    "Date": "Thu, 5 Apr 2012 16:59:01 +0200",
    "MailboxHash": "ahoy",
    "TextBody": "[ASCII]",
    "HtmlBody": "[HTML(encoded)]",
    "StrippedTextReply": "Ok, thanks for letting me know!",
    "Tag": "",
    "Headers": []

For example, if you send an outbound message and CC your Inbound address, or override the ReplyTo field so that replies will be sent to your Inbound address, the StrippedTextReply field will contain only the reply content from any recipients who reply to the message. We think this will be a big help for users who rely on parsing out the reply text and ignoring the original quoted content. There are some limitations to the StrippedTextReply field which we discuss in the documentation.
