We’re sharing a behind-the-scenes peek at how the magic happens, written by our very own Head of Engineering, Inon.
HoneyBookers shared a couple of email-related concerns with us:
- Fear that emails coming from HoneyBook may go into clients’ spam folders
- Desire to maintain your brand and show your email address in the “From” field
So, as always, we put our members first and dug in to find solutions.
First, we took a deep look into our email reputation and deliverability.
We’ve taken many actions by working with Google, our email providers, and industry leading companies in that domain, and confirmed that our email reputation and deliverability are at the top 0.1% of the industry. You can read about it more here.
Addressing email integration (to show your address in the “from” field) was a bit more complex.
We ended up with a few possible solutions at hand, some were quick and easy, others required much more effort and complexity… so we decided to go with the hard solution.
What’s wrong with the easy solution?
The easiest solution is to ask each of you to provide us with your email and password, then use these credentials to send emails using your SMTP server. It’s easy for us, since all you need to do is provide your credentials, and the rest of the magic happens behind the scenes.
But it is oh so dangerous…
Let’s take Gmail. Who, other than you, has your google credentials? Maybe your partner, parent, a good friend, and probably no one else. This means that you are the only person in the world who has access to your google account, and for a good reason: it allows access to your emails, Drive documents, your location, photos, search history, google wallet, and many more.
The best part? Even google doesn’t know your password.
One of the most basic principles in security is that you never store your users’ passwords. Instead, you store an encrypted version of the password that only works in one direction (also called hashing). This means that when you login to your google account, google takes the password you typed, hashes it and checks whether the result matches the hashed password they have stored in their database. This means that if someone hacks google’s database, they will only have a useless hashed password with no way to reverse it to your real password (which may be used for other accounts as well). You can read more about password encryption.
So, if we wanted to go ahead with the easy solution, we would be storing your google passwords in our database in a way that allows a hacker to get it and use it. We pride ourselves at putting your security and money first, so the easy option went out the window immediately.
We would never store your credentials to other services in our database. Don’t get me wrong, we have many systems and backups in place to keep our system protected, but in today’s world, any company can get hacked (even big, secure companies like Google, Facebook, and the NSA have been hacked).
To our amazement, while doing our research we found out that some CRM systems and web apps are using the easy, yet dangerous solution. My strong advice to you is NEVER give your credentials to a 3rd party service, because even if their intentions are good and you trust them not to misuse this access to your most private data, a hacker who may get access to their database won’t be so nice…
So how does HoneyBook’s new email integration work?
We decided to use google’s API and dedicated application authentication mechanisms to gain access to limited functionality in your Gmail account. You know the drill: you click a button, you are prompted with a google screen to choose your account, you allow the application access with specific permissions… DONE! This way, we never get your password, we just gain access to perform only the actions you allow.
This solution took quite a bit more time and effort for our development team. But at the end of the day, what matters to us is to do things in a way that is right and safe for YOU and not just easy for us.