
Discourage use of Mailgun as a mail provider
Open, Normal, Public

Description

Currently, secure uses Postmark as a primary route with Mailgun as a backup route (and has for quite a long time), while Phacility production uses Mailgun. I'd like to switch everything to Postmark exclusively.

As part of this, I am going to update Phabricator's documentation to discourage use of Mailgun. This task explains my reasoning.


Summary: Mailgun has a good technical track record, but has lost my confidence as a trustworthy custodian of customer data.

I've had a couple of slightly rocky experiences with Mailgun. Two older ones with a bit of supporting documentation are:

  • (D17831, May 2017) Mailgun made an unannounced breaking API change in the middle of the day, but this was kind of our fault so it's not really a mark against them. Customer support had this to say: "Currently there isn't a public notice for API changes. We apologize for any inconvenience."
  • (T13037, January 2018) An attacker gained access to a Mailgun staff account. I was reassured on a call with Josh Odom (Mailgun's CTO) that this did not reflect a failure of internal culture.

This was nowhere near as bad as my experience with SES so I remained fairly comfortable with Mailgun, but I received a bizarre unprompted sales-outreach interaction in June 2020 that soured me on Mailgun. Here's a lightly edited version of the exchange, with identifying information redacted and emphasis added:

From: Joe Mailgun Employee
To: Evan Priestley
Subject: Let's take a look

Hi Evan,

I noticed Phacility is consistently sending [a specific large number of] emails or more over the last few months. I’d like to hear about your sending strategy and see how Mailgun can help you see continued success on our platform.

How does Wednesday sound?

Best,
Joe

From: Evan Priestley
To: Joe Mailgun Employee
Subject: Re: Let's take a look

Sorry, I don't take meetings with no agenda.

If you have specific concerns or items in mind, please describe exactly what you'd like to discuss. I'm happy to set up a meeting if we can't settle things via email.

This request is so vague and nonspecific ("Let's take a look"?) that it feels kind of like a low-effort template sales email. If it is, and your primary goal in sending me this email is to get me to purchase more Mailgun services, please do not send me any more emails like this.

Thanks,
Evan

From: Joe Mailgun Employee
To: Evan Priestley
Subject: Let's take a look

Evan,

First, you're right, it is a low effort sales template. It does work.

There wasn't an agenda included, but, the purpose of the proposed call is a real one (albeit not (sic)

Is there a strategy with the transactional emails being sent? There's a delivery rate of only 80%. There are over 30K suppressions still being sent emails.

Is your team familiar with how to remove and ensure the sending volume is clean?

Why doesn't your team use a dedicated IP? At this volume [specific volume number] it would make sense.

I think it would make sense to talk about these things.

How about yourself?

My schedule: [Link to book a meeting]

Joe

From: Evan Priestley
To: Joe Mailgun Employee
Subject: Re: Let's take a look

> Is there a strategy with the transactional emails being sent?

Why would there be a strategy with transactional email?

> There's a delivery rate of only 80%.

The web console shows a delivery rate of almost 96%. Is the web console wrong? See attached screenshot ("delivery.png").

> There are over 30K suppressions still being sent emails. Is your team familiar with how to remove and ensure the sending volume is clean?

See https://secure.phabricator.com/T13115. My understanding is that there is no reason to prioritize this since Mailgun is already managing a suppression list.

> Why doesn't your team use a dedicated IP? At this volume [specific volume number] it would make sense.

The web console shows a dedicated IP (see screenshot "dedicated.png").

Mailgun Support confirmed provisioning of a dedicated IP in ticket #299395 on July 4, 2016. The support agent was [specific Mailgun support agent name].

I have been billed for a dedicated IP every month for four years. See attached screenshot of a June 1, 2020 invoice ("invoice.jpg") billing me for a dedicated IP.

Are the web interface, support history, and invoice incorrect? Has Mailgun charged me for a dedicated IP for 4 years without actually giving me a dedicated IP?

(Mail headers show the dedicated IP is functioning correctly, see "headers.png", where the outbound route matches the dedicated IP in the web interface.)

Thanks,
Evan

[Various screenshots substantiating my claims]

From: Joe Mailgun Employee
To: Evan Priestley
Subject: Let's take a look

Evan,

Here's where I'm seeing that delivery rate:

[Screenshot of some other interface showing an 80% delivery rate]

What are the date parameters that you're using?

After the IP request, it doesn't look like it was ever used or followed up on. From that time on, it definitely appears you've been billed since.

Yes, transactional emails can have a strategy. Although it does depend on how critical it is for your users to receive them. Think about password resets, account confirmations, route updates, order updates etc...

Suppression management is always going to stop emails from being delivered. However, if they are not taken out of rotation of the overall sending it'll go to the overall email volume, because they're accepted just not delivered.
What do the suppressions tell you? The recipient domain, [specific customer domain] shows a lot of suppressions. Any ideas why?

Joe

I did not reply.

Based on this exchange, I am concerned that:

  • Despite the incident in 2018, Mailgun appears to be giving an excessive level of access to customer data to employees who do not need it in 2020: Joe had access to specific customer domain information, and didn't hesitate to use it purely to try to sell me something. From this, I infer that it is likely routine that sales staff examine customer data without any kind of control or approval. I don't think this is acceptable.
  • Mailgun's hiring or training process for sales employees doesn't seem to be very good: Joe didn't seem to understand the Mailgun system. Beyond not needing it, I also don't think it is acceptable for staff who can not consistently demonstrate a high level of competence to have access to customer data.
  • I found this whole interaction quite disrespectful, and no longer believe I can trust that the assurances I received from the CTO hold any weight if this sort of interaction is acceptable to Mailgun: if Mailgun is training Joe to waste my time with this deceptive sales nonsense, why should I believe the CTO is above being deceptive when running damage control on a security incident?

In a perfect world, I would have immediately moved away from Mailgun in response to this interaction (that is, 18 months ago in June 2020). In T13037, I said:

> I'm satisfied that we aren't violating our commitment to our customers by continuing to use Mailgun as a service provider...

This interaction was so negative to me that I no longer believe this is true. However, I've had to do a lot of picking my battles over the last couple years and am only getting to fighting this one now.


To counterbalance this with the barest hint of self-awareness, everyone in the non-technical world seems to use this general "let's schedule a mysterious meeting with no agenda, since I'm absolutely sure your time has no value" template -- from shady scammers using addresses like legit.github.customer.list327@gmail.com all the way up to top-tier venture capital (I got one from Andreessen Horowitz back in 2017). Why is this considered acceptable? In what world does some guy I've never heard of from AWS cold-calling me on the account's technical contact number while I'm grocery shopping lead to a sale?

Event Timeline

epriestley triaged this task as Normal priority. (Dec 2 2021, 10:12 PM)
epriestley created this task.

Purely venting, but the advanced version of "click here to schedule a mysterious meeting" is to outright lie -- pretending that you deeply respect the recipient's achievements -- before asking them to schedule a mysterious meeting.

From: Ryan at Bloom Venture Partners
To: Evan Priestley
Subject: investor inquiry (admirer of Phabricator)

Hey Evan,

I came across Phabricator while browsing the internet. I admire what you have built, and would love to learn more.

I am an investor at bloom venture partners and we are in the market to acquire a business just like Phabricator. You may have not considered selling your business before but it could open up a lot of options. Maybe you are interested in…

  • Rolling the funds into your next big idea
  • Diversifying your assets (real estate, stocks, angel/VC, etc)
  • Giving your investors a soft landing

We would pay a fair price up front and pride ourselves on moving fast. My team and I can close the transaction in 30 days if everything goes well.

Best,
Ryan

Hi Ryan,

Thanks for reaching out. What do you admire about Phabricator?

Thanks,
Evan

Hi Evan,

Thanks for the response and sorry for the late response. I did see your response but decided to defer till today.

There are a number of reasons why we like your business:

  1. We are looking for easy tools for developers to test their code
  2. We are trying to acquire a host of products that can enable developers to code more efficiently
  3. Based on reviews on Capterra we think there is potential for your product

At bloom, we are actively looking to acquire businesses that are generating $1m to $10m in ARR. If Phabricator fits the bill, I would love to host an introductory meeting with you to learn more about your business and your background. Here is a link to my calendar.

Looking forward to hearing from you.

Thanks,
Ryan

This is a list of reasons that you believe Phabricator satisfies a set of search parameters.

You specifically said you, personally, are an admirer of Phabricator ("I admire what you have built..."). What do you admire about Phabricator?

Thanks,
Evan

Hi Evan,

Perhaps I worded my initial outreach wrong here. I admire what you have built not as a user but as an investor looking into your platform. I think there is potential for bloom to inject our playbook to grow your SaaS business.

We can run circles here where I can pretend to know your product but I simply don't as I am not a user. I have enough information here to make up the reasons why I like it.

If you still want to chat then let me know.

Thanks,
Ryan

I feel that your initial outreach was intentionally deceptive in a transparent and falsifiable way -- and for no reason. You could just as easily have said you were "interested" in Phabricator without being dishonest.

It's important that I be able to trust people I do business with. It took you three words to violate my trust by lying to me.

I am sorry you feel that way. I did not have any intentions of misleading you here.


From: Tim at saas.group
To: Evan Priestley
Subject: Acquisition of Phacility

Hi there,

Firstly, I'd like to start with how impressed I am with what you've achieved with Phacility.
I learned about you on blissfully, thought I'd reach out to learn a bit more.

I'm an entrepreneur myself, and have built up several companies including AdBlock Plus, Sedo & Ecosia. There's more about me on my website: [...]

My latest venture is SaaS.group, a collective of independent SaaS projects operating together. We love healthy SaaS companies with strong margins and a loyal user base that executes their value offering well. If you'd like to learn more about us and our approach, there's a new interview on IndieHackers.

If you're interested in being acquired by us, seeking investment or this is something you'd like to keep in mind for the future, we'd love to have a talk with you. Ideally looking for stable ARRs between $500k all the way up to $5M.

If that fits Phacility, are you interested in having a chat?
We move quickly & get to it.

Greetings from Germany,
Tim

Hi Tim,

I find outreach like this ("impressed ... achieved") to be dishonest and disrespectful.

Thanks,
Evan

Hi Evan,

Thanks for your feedback. Appreciate it! Do you have suggestions for improvement?
I have to admit that the text is generic so I don't have to write the same thing over and over again. But we don't spam people which means that the process of pre-selecting businesses that might fit our scope is still manual.

Best,
Tim

Hi Evan,

Any update on this? Just let me know if this is not of interest to you. Then I'll stop following up.

Best,
Tim

Hi Even, thought I'd give it another try since you didn't reply to my last email. How are things going on your end?

Tim