Continuing our Commitment: HTTPS innovation and optimization

Innovation is a tireless sense of drive. It’s hours-long strategy sessions, countless code reviews, shifts in directions, and way too many product roadmap slides. Setting a new standard is never easy, but to us, it is always worth the effort.

That drive hasn’t left us in over ten years, and it carries on in every new feature we introduce to the market today. From our early days of inbound routing to creating the first ESP-driven Validations API, our team put in the time to push the envelope that much further for our customers. 

While we're excited to announce a new feature for us today, we believe it's equally important to iterate and optimize what already exists for a better experience overall. As a result, we’re able to stay true to the developers and engineers who’ve helped us iterate over the years while still pushing the industry forward.

Streamlining sending growth with innovation: HTTPS link tracking

HTTPS link tracking has been a bit of a white whale for many ESPs. In the early days of Mailgun, we decided to avoid using shared domains for message signing and open/click tracking to minimize the risk of a customer impacting another’s reputation.  While this is a best practice, it means that each sending domain on our platform has its own open/click tracking subdomain. 

For example, if you have configured meowgun.com as your sending domain, the open/click tracking host will be set up as email.meowgun.com, meaning an SSL certificate would need to be issued and kept up to date for this domain.  With millions of sending domains on our platform, a seemingly simple problem becomes anything but at scale.

HTTPS is changing how we navigate the internet

With security and privacy in mind, the broader Internet community has been adopting “HTTPS everywhere.”  All data is transmitted over a secure channel rather than selective, sensitive data, and in doing so, protects more people and businesses from attackers.  With this practice, you can protect your applications against spoofing, injection, and man-in-the-middle attacks.  

There have been a variety of incentives (or penalties) to encourage the adoption of this model, including:

• Search Rankings: Google and other search engines consider the use of security practices, including HTTPS, in search engine rankings.

• Browser Warnings: Chrome and other browsers have progressively rolled out “Not secure” warnings when interacting with non-HTTP websites.

Initially, these internet-wide changes didn’t have a significant impact on the contents of e-mail messages.  Images, stylesheets, and other resources often were retrieved over HTTP without triggering a user-facing warning or impacting inbox placement. 

However, times have started to change.  Many webmail clients will now refuse to load images over HTTP, which would result in a lost opened event and potentially a message that did not render properly. Even worse, evidence strongly suggests that e-mail messages that include insecure content may be inadvertently flagged as spam. 

Until today, the only solution was leveraging CDNs or proxies, both of which require configuration off-platform and do not offer full end-to-end encryption. While functional, these workarounds were always “bridge” solutions – we knew we could do better.  

Our approach

Our goal for this feature was to offer customers the “easy button.”  We wanted to create a simple, one-click solution that would securely procure and store a certificate, configure our systems, and rewrite links using HTTPS for all newly sent messages.  We specifically wanted to ensure that customers would not have to upload their certificates or assume any management responsibilities with periodic renewal.

Let’s Encrypt, a free, automated, and open certificate authority that provides certificates for over 260 million websites, was the foundation of our solution.  Let’s Encrypt allows us to programmatically provision and update short-lived certificates for any tracking domain on our infrastructure.

There are three components to our solution: domain validation, certificate issuance, and termination:

• Domain Validation: Through the ACME protocol, we can validate that we are authorized by responding to a “challenge.”  In our case, we leverage an HTTP-01 challenge that responds to an HTTP request at a specified location. By responding to this request with the appropriate response, it proves that we are authorized to obtain a certificate for the tracking domain.

• Certificate Issuance: Once authorized, we can request and renew certificates for the validated tracking domain. Our service automatically generates a certificate signing request, submits it to the Let’s Encrypt Certificate Authority, and retrieves the certificate.  As a best practice, certificates are issued for a 60 day period and are automatically renewed.  The X.509 key pair is stored encrypted at rest using AES-256.

• Termination: We’ve developed a high-performance HTTPS server that allows us to terminate TLS requests for thousands of customer domains and proxy the request within our environment to our tracking infrastructure. 

With the combination of these three capabilities, we’re able to offer a fully automated solution for enabling HTTPS for your open/click tracking links. No more CDN workarounds; just select the domain you want to enable HTTPS link tracking and select it on the dropdown menu. Easy, simple, and intuitive; just what we were looking to do. 

HTTPS link tracking is now available for scale and enterprise customers. For a closer look at how to enable HTTPS link tracking, check out our help article. 

Optimizing our resources and security

The drive that pushes us to create also compels us to improve. As newer features come to the forefront, so do updates and improvements to other areas of our platform. Over the past year, we’ve made substantial improvements to our documentation and security measures on Mailgun API accounts. 

Updating our SDKs

Last year, we wanted to ensure the longevity of our SDKs and developer experience through sweeping updates across the board to our technical resources. Through these updates, we’ve implemented numerous enhancements to improve our user experience, security, and overall SDK usability for our programming languages. To date, we’ve released new versions of our PHP, Javascript, Ruby, and Go SDKs for Mailgun, with a new Python and Java SDK coming later this year. These updated SDKs and updates to our documentation allow developers to cut down on time spent implementing Mailgun into their applications. Less time spent implementing turns into more time shoring up email streams, testing, and getting everything running smoothly.

Implementing SAML SSO

Earlier this year, we were proud to announce our Single Sign-On support via SAML 2.0 through our SAML Single Sign-On (SSO) feature. SAML SSO allows senders to improve their account security and seamlessly manage users – all from their identity provider of choice. In implementing the SAML 2.0 protocol into Mailgun, we wanted to make sure that we supported a wide variety of IDPs like Okta, Auth0, OneLogin, ADFS, and AWS IAM. For more in-depth instructions on implementing SSO, you can check out our help center.

Innovation and optimization for monumental experiences

Launches like the HTTPS link tracking, SDK updates, and SAML SSO push the email industry forward in subtle ways. Quality of life improvements do wonders for streamlining developer workflows and implementation times, and tighter security measures mean that every sender gets to send safer. When brought together, improvements like these spur even bigger innovations within the email industry and the way we communicate with one another. 

If you’re interested in any of the launches mentioned above or are curious about our sending platform, reach out to one of our email specialists, and we’ll answer any questions you may have.