Changes to email security for Pro merchants
By Paul Connor, Nov 2017 (3 min read)
We launched GoCardless Pro back in 2014 to give merchants more control over their customer experience, making it possible to guarantee that your business name appears on customers' bank statements, build your own Direct Debit mandate setup flow and have more control over notifications sent to customers.
Direct Debit schemes require that you send customers "advance notice", letting them know when payments will leave their account. Merchants on the Pro package can send these themselves, or have GoCardless send clean, unbranded and compliant notifications on their behalf.
Most of our merchants choose to use GoCardless' built-in notifications, making it quicker to get up and running and avoid worries about compliance.
Until now, if you were on Pro, we've sent these notifications so they appear to come from your email address, as well as displaying your name in the "From" header. We also set the "Reply To" so that replies from your customers with queries or questions go directly to you.
Since we built this functionality three years ago, a lot has changed in the email security landscape, particularly with the growing popularity of DomainKeys Identified Mail (known as DKIM), which makes it more difficult to send emails that look like they come from someone else, a practice often called "spoofing".
As more and more merchants have enabled DKIM for their domains, we've found that the deliverability of notifications we send has fallen - that is, more of these emails are going to users' spam folders, or are being ignored completely by mail providers. As a security best practice, it's also best to avoid allowing others to send email from your domain, so you have complete control over what's going out.
Consequently, we've decided to optimise for deliverability and security: as of 30 November 2017, we will stop spoofing the sender address on notifications.
What does this mean for me?
If you're a GoCardless Standard or GoCardless Plus user, nothing will change (if you're not sure what package you're on, head to package selection within GoCardless for a reminder).
If you're a GoCardless Pro user and you send your own notifications, nothing will change.
If you're a GoCardless Pro user and we send notifications on your behalf, we'll stop sending emails that appear to come from your email address on 30 November. Instead, we'll send authorisation request and reminder emails from email@example.com, and all other emails from firstname.lastname@example.org. However, your business name will still appear in customers' email inboxes and replies will continue to go direct to you.
In the vast majority of mail clients (for example the Mail app on iOS, or Outlook on Windows), emails will look exactly the same as they did before. Here’s an example of how it looks:
Your business name will still show as the sender of the email
Only when someone explicitly expands the sender name will they see the change of email address
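The header change described above, as an added Python sketch that is not GoCardless's own code: it builds the same notification with the old and the new From address and shows what the recipient sees in each case. All names, addresses and domains are constructed, and the domain comparison is a simplified stand-in for the authentication checks that receiving mail providers run.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample values; none of these come from the original post.
MERCHANT_NAME = "Acme Gym"
MERCHANT_ADDR = "billing@merchant.example"
PROVIDER_ADDR = "notifications@provider.example"
PROVIDER_SIGNING_DOMAIN = "provider.example"  # domain the sending platform controls


def build_notification(from_addr: str) -> EmailMessage:
    """Build a notification whose From shows the merchant's name with from_addr."""
    msg = EmailMessage()
    msg["From"] = formataddr((MERCHANT_NAME, from_addr))
    msg["Reply-To"] = MERCHANT_ADDR  # replies go to the merchant in both cases
    msg["Subject"] = "Advance notice of your Direct Debit payment"
    msg.set_content("Your payment will be collected shortly.")
    return msg


def from_domain(msg: EmailMessage) -> str:
    """Return the lower-cased domain of the address in the From header."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def sender_controls_from_domain(msg: EmailMessage, signing_domain: str) -> bool:
    """Simplified check: is the From domain the sender's domain or a subdomain of it?"""
    domain, signer = from_domain(msg), signing_domain.lower()
    return domain == signer or domain.endswith("." + signer)


def what_recipient_sees(msg: EmailMessage) -> dict:
    """Summarise the parts of the headers a mail client surfaces to the customer."""
    name, addr = parseaddr(str(msg["From"]))
    _, reply_to = parseaddr(str(msg["Reply-To"]))
    return {"display_name": name, "expanded_address": addr, "replies_go_to": reply_to}


if __name__ == "__main__":
    for label, addr in (("before", MERCHANT_ADDR), ("after", PROVIDER_ADDR)):
        msg = build_notification(addr)
        print(label, what_recipient_sees(msg),
              "sender controls From domain:",
              sender_controls_from_domain(msg, PROVIDER_SIGNING_DOMAIN))
```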
We recommend informing your Customer Support team about this change (and maybe including it in your website FAQs), in case your customers raise queries about it.
In summary, these changes are being made to optimise for deliverability and security and thus improve and enhance your GoCardless experience. If you have any questions please don’t hesitate to contact us at email@example.com.