  1. phpBB3
  2. PHPBB3-16099

Update the notification email and subscription systems to be RFC2369 and RFC8058 compliant




      I have recently had a significant problem with Microsoft mail services (hotmail.com, outlook.com, live.com, btinternet.com and others) not accepting emails from our phpBB server. Microsoft have told me it was due to too many users marking our emails as junk. It happens that the particular host that was blocked sends ONLY phpBB notifications, and no other email.

      As part of the process of getting the block removed, I had to put hand on heart and say that our server complies with all of the Microsoft email sender policies, which as of phpBB 3.2.7, it does not.

      I am thinking of making some improvements to the phpBB notification email system, broadly to achieve the goals:
      1. Implement improvements to the notification email system to meet the requirements imposed by major email providers such as Google and Microsoft
      2. Full compliance with RFC2369 and RFC8058
      3. Implement (optional) handling of bounced emails, with automatic suspension of email notifications to affected users.

      There are some other improvements that would be nice to have, but not essential in this context:
      4. Allow easier customisation of notification emails by storing the templates (corresponding to installed language packs) in the database and providing a UI for editing them.
      5. Allow board admins to view a user's subscriptions and unsubscribe them where necessary.
      6. Improve the ability to configure sender and reply-to email addresses for a phpBB board.

      RFC2369 is the standard for URLs used for the control of mailing lists. phpBB is currently partially compliant.
      RFC8058 is the standard for 1-click unsubscription from mailing lists, phpBB is currently not compliant at all.

      In order to meet the applicable parts of RFC2369 and RFC8058, the main new requirements are:

      • A new RFC8058 email header.
      • Email headers protected by a DKIM signature (done in the smtp host not phpBB, but relevant).
      • The phpBB board to provide an unsubscribe URL that for http:// GET requests takes the user to a page where they can easily confirm that they wish to unsubscribe, but an http:// PUSH to the same URL results in a 1-click unsubscription without user confirmation.
      • The phpBB board needs to honour unsubscribe requests without requiring a user to log-in (or be logged-in) to the forum, this precludes using the existing UCP pages which require the user to be logged-in.
      • The unsubscribe links must be sufficiently protected to prevent malicious use of the unsubscribe system.
        Microsoft have a requirement that a server should stop sending emails to an email address after multiple delivery failures. This requires phpBB to receive email bounce notifications, but it is not difficult to configure an external service to convert unsubscribe emails to http:// requests for this purpose.
        In addition, some Microsoft email services do not support 1-click unsubscribe via http://, they only support it via //, but as above that is not too difficult to have an external service convert the transport mechanism.

      I have prototyped a phpBB extension to implement some of the above (mainly RFC2369 and RFC 8058 compliance), but I am not happy with it as an extension, as I don't think that RFC compliance should be an optional feature, and the current notification email template system does not really have any mechanism that allows extensions to interact with email templates, which makes the extension really ugly. So I am proposing that some or all of the above are implemented as enhancements to core phpBB.




            Unassigned Unassigned
            v12mike v12mike
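The requirements listed in the issue (RFC 8058 headers, a login-free unsubscribe URL that confirms on GET but acts immediately on the one-click request, and links protected against malicious use) can be sketched as follows. This is an added example, not phpBB code or the reporter's prototype: the HMAC-SHA256 token scheme, the key, the URL and all function names are assumptions, and RFC 8058 defines the one-click request as an HTTPS POST with the body `List-Unsubscribe=One-Click`.

```php
<?php
declare(strict_types=1);
// Added example, not phpBB code: key, URL and function names are hypothetical.
const UNSUB_KEY  = 'constructed-demo-key';   // a server-side secret in practice
const UNSUB_BASE = 'https://forum.example/unsubscribe';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Token binds user id and subscription, so the link works without a login.
function unsub_token(int $user_id, string $subscription): string
{
    $payload = b64url(json_encode(['u' => $user_id, 's' => $subscription]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, UNSUB_KEY, true));
}

// Returns the decoded payload, or null when the token was forged or altered.
function unsub_verify(string $token): ?array
{
    [$payload, $mac] = array_pad(explode('.', $token, 2), 2, '');
    if (!hash_equals(b64url(hash_hmac('sha256', $payload, UNSUB_KEY, true)), $mac)) {
        return null;
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    return is_array($data) ? $data : null;
}

function unsub_headers(string $token): array
{
    return [
        'List-Unsubscribe'      => '<' . UNSUB_BASE . '?t=' . $token . '>',
        'List-Unsubscribe-Post' => 'List-Unsubscribe=One-Click',
    ];
}

// GET shows a confirmation page; the RFC 8058 POST unsubscribes at once.
function unsub_handle(string $method, string $token, array $post): string
{
    if (unsub_verify($token) === null) {
        return 'reject';
    }
    $one_click = $method === 'POST' && ($post['List-Unsubscribe'] ?? '') === 'One-Click';
    return $one_click ? 'unsubscribed' : 'confirm';
}
$token = unsub_token(42, 'topic:1234');   // constructed sample values
print_r(unsub_headers($token));
echo unsub_handle('GET', $token, []), "\n";
echo unsub_handle('POST', $token, ['List-Unsubscribe' => 'One-Click']), "\n";
echo unsub_handle('POST', $token . 'x', ['List-Unsubscribe' => 'One-Click']), "\n";
```

Both headers need to be covered by the DKIM signature applied at the SMTP host, which is why the issue lists DKIM alongside the new header.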