harvard-lil/capstone

CAP not sending verification emails

kilbergr opened this issue · 7 comments

When a new user registers, CAP requests that they verify their email. However, no email is being sent to the user to do so.
Without the email, they are unable to login:
image

Workaround is that users can be authorized by admins, which allows them to log in even without verifying their email. However, in some cases (unclear which), that means when they sign in, users will be asked to verify. They can click out of that page and still access their account, but the verification page may cause confusion because it looks like it's stopping them from accessing their account.

AC:
User receives verification email and can verify their email.

cath9 commented

Update: Rebecca and I looked through the back end, and this issue seems fairly limited, even within academic institutions. There have been several Harvard accounts in the past few months (which is as far back as we looked) that have completed the email verification as expected. There was one exception, but the user was able to create an account using an @harvard.edu email address instead of @law.harvard.edu.

It turned out that HUIT was blocking these messages. This is no longer the case, but I haven't yet been able to find out exactly what tool was being used, or what features of the messages looked like spam.

The tool that blocked these messages is Proofpoint. I'm waiting to hear whether the addition of our address to safe senders would affect installations of Proofpoint at other institutions.

Proofpoint mentions that they check things like SPF, DKIM, DMARC. We could test the setup on our email senders with a tool like this and something in the Django shell like

from django.core.mail import send_mail

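# None as the sender falls back to DEFAULT_FROM_EMAIL; the recipient is a placeholder for the test address
send_mail('Confirm your account', 'Please confirm your account ...', None, ['<something@mailgenius>'], fail_silently=False)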

I just did this experiment. The report says that the main problems are that the domain and IP appear on blacklists. When I go to check the domain, though, the link in question goes to spamhaus, where our domain is ok; the IP address in question is not ours but mailgun's. To be discussed further on Slack or in person, maybe.

I just got this:

As expected Proofpoint is not going to reveal the logic behind their scoring, however, based on my experience I can offer some reasons I can see that can cause this to score highly. Extremely SPAM like body of the message with bad formatting. For example: Message starts with a random Tab or spacing before the first sentence starts, there is no salutation or signature, the body is basically a link to a site that deals with login information.

My suggestion would be to make the message less SPAM like. If they want to send examples through and see if it is still being stopped I can also submit these to Proofpoint to make them aware that they are legitimate to help with better scoring.

Not doing for CAP read only.
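
Added example, not part of the issue thread or the capstone code base: a Python sketch of the two checks discussed in the comments above, reading the SPF/DKIM/DMARC verdicts from the Authentication-Results header of a received test message and flagging the body traits listed in the Proofpoint reply. The sample message, addresses, URL and function names are constructed, and the body heuristics are assumptions, not Proofpoint's scoring.

```python
import re
from email import message_from_string

# Constructed sample: a verification message as received, carrying the
# Authentication-Results header (RFC 8601) added by the receiving server.
SAMPLE = (
    "Authentication-Results: mx.example.edu;\n"
    " spf=pass smtp.mailfrom=mg.example.org;\n"
    " dkim=fail header.d=example.org;\n"
    " dmarc=fail header.from=example.org\n"
    "From: info@example.org\n"
    "Subject: Confirm your account\n"
    "\n"
    "\thttps://example.org/user/verify-user/123/abc\n"
)

def auth_results(raw):
    """Return the spf/dkim/dmarc verdicts recorded by the receiver."""
    msg = message_from_string(raw)
    found = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found[method.lower()] = result.lower()
    return found

def spam_like_traits(body):
    """Flag the traits named in the reply above (assumed heuristics)."""
    traits = []
    lines = [l for l in body.splitlines() if l.strip()]
    if body[:1] in (" ", "\t"):
        traits.append("leading whitespace")
    if not lines or not re.match(r"\s*(hello|hi|dear|greetings)\b", lines[0], re.I):
        traits.append("no salutation")
    closing = r"\s*(thanks|thank you|regards|sincerely|--)"
    if not any(re.match(closing, l, re.I) for l in lines[-3:]):
        traits.append("no signature")
    words = re.sub(r"https?://\S+", "", body).split()
    if re.search(r"https?://", body) and len(words) < 10:
        traits.append("body is little more than a link")
    return traits

def review(raw):
    """Run both checks on one raw message."""
    msg = message_from_string(raw)
    return auth_results(raw), spam_like_traits(msg.get_payload())

if __name__ == "__main__":
    print(review(SAMPLE))
```
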