Moving away from using SES to send our emails?

Recently I’ve been chasing up the bug which means that email-in replies are threaded wrongly, with the post created set as replying to the wrong post.

Here’s an example: Henrik intended to reply to Terahn, but ended up replying to himself.

The problem, as I detail upstream, is that Amazon SES, which is what we currently use to deliver email, replaces the Message-ID header, which is required to thread emails correctly, with its own.

I’ve proposed a couple of solutions upstream to work around what SES is doing, but in the words of Discourse’s resident infrastructure aficionado:

Seriously, rewriting message IDs is head-desk-grade stupid.

SES is doing something wrong, and I’m not sure upstream will want to accept a PR to fix that, and neither am I sure that we want to invest development resources in working around that.

So, the alternative is moving away from SES.

I’ve just spent some time comparing prices of the different options we have, and this rather hideous chart is what I’ve come up with.

Based off of this, I’m proposing we move to SparkPost.

At our current rate of email sending (~60k/month), the SparkPost Free tier is free! It remains cheaper than SES up to ~120k/month, about double our current usage.

Past ~140k/month it makes sense to hop onto the SparkPost $29/month tier, which is more expensive than SES, but not by much. Up at 500k/month (which is a long way off for us yet) it’s only $49/month more.

Moving to SparkPost means we fix this annoying bug, without investing any more developer time, also saving money for the foresee-able future.

It seems like a no-brainer to me. Thoughts?

if we use something other than SES, presumably we need legal and infosec at the least to review it.

That’s a good point, I hadn’t considered that.

@kang is there a list of email sending services which have been through infosec review? And what does the process look like time- and effort-wise for new ones?

@gerv likewise, do you know the answer to the above on the legal front, or who to reach out to who would?

Also, the alternatives are expensive compared to what we’re paying now - chances are we’ll be paying at least twice what we are now, most others I’ve seen are closer to 10x SES

There’s a reason SES is cheap, it doesn’t deliver our emails correctly!

That would be about $10/month. Considering sending email is one of the core things we’re trying to do here, that seems like a worthwhile investment to me. We can hardly aim to replace mailing lists if we can’t send emails properly.

Hi,

I’m not aware of any other service than SES being looked at with a recent-enough analysis - we generally look at the data that is sent over email and what happens if its leaked/modified/doesn’t get delivered as well performing some service test where possible.

In this case I’d say request a VA (Vulnerability Assessment) from Discourse Risk Record at https://bugzilla.mozilla.org/show_bug.cgi?id=1319459

@gene might also know more

Hope this somewhat helps

There’s a vendor review process of some sort, I believe, which would trigger reviews of Ts and Cs, security review etc. You need to figure out how to trigger that

And it may be this: https://bugzilla.mozilla.org/form.moz-project-review

There ended up being a relatively simple code fix, which we’ve deployed, and is working!