If this was easy, everyone would do it.
While I have some interesting articles in the works, I spent more time this week doing behind-the-scenes administrative work. Figured I might as well share it, for my own reference; maybe it will help you if you came here from Google!
(If so, just know: you are seen, you are not alone, my fellow frustrated friend)
E-Mails for everything
The Ghost CMS which runs my humble website is very reliant on e-mail to handle a wide variety of tasks. In a sense it was built around it.
We can understand these in two categories: transactional and bulk.
A transactional e-mail is generated every single time a user signs up (reasonable) and every single time that user wishes to log in (quirky).
The latter is due to the idea and architecture behind Ghost. Rather than putting the brunt of the responsibility that is password storage security on someone who just wishes to create content and expose them to damages in the event of a data breach, a sign-on link is generated, sent, used, and stored as a client-side cookie on the user's browser.
This also serves a different purpose.
Ghost CMS does not use any stored cookies thanks to the above, assuming of course you keep it vanilla, removing the further headache of cookie consent, storage and management.
A bulk email is generated when you send a Newsletter, which sends it out to either all, or a portion of your subscribers.
This once more is sort of the "gist" behind the CMS, with one of the main ideas being to build an audience, offer them subscription tiers, then offer different types of content for each tier of subscribers.
Transactional e-mails are meant to be sent through a simple SMTP server, however the bulk option requires a more specialized service, spreading the workload among many SMTP relays to handle the traffic generated by such an action within a few seconds at most. Your usual e-mail hosting provider would likely get very very triggered if you...triggered such an action.
Now as far as the community forums and some documentation are to be believed, you are able to simply use Gmail for the transactional e-mails with a bit of setup.
A simple solution indeed, but a bit too simple for my taste. I already paid for the domain, and as every SEO zombie generated article loves to tell us, sending e-mails associated with your own domain builds a higher trust factor and appearance of professionalism.
MOM GET THE CAMERA I KNOW HOW TO ADD MX RECORDS!
To achieve that we need someone to let us use their e-mail server and authenticate our domain for this purpose. There are more vendors for this than I can count, but the ones you will come across the most are Microsoft 365 Business and Google Workspace. Microsoft will do it for 57USD/year and Google for 72USD/year.
The Microsoft deal also gets you the web versions of Excel, Word, PowerPoint and 1TB cloud storage (not bad!), Google only manages 30GB of cloud storage but gives a higher number of web-based apps to play around with.
But the point is I don't need any of this shit right now. Even on a small personal project, no, especially on a small personal project you need to think in business terms. Cut costs, save where you can, consider your options, look for alternatives. Things can be scaled later, but as of now I would have no use of either extras, even if the price of entry is not particularly high.
What I simply need is:
- have my own e-mail, with my own domain, and my own inbox so I can communicate with my readers
- send transactional messages reliably and at a low cost
The solution I created is two-fold:
For my own inbox, I found Zoho Mail. They have a free-forever plan that lets you use your own domain, up to five users, 5GB of storage. Nice!
There are drawbacks of course. IMAP/POP/SMTP is not available, you get web mail access only (and their own desktop app, which appears to be just a Chromium-based applet replicating the web view), and you cannot actually use it for the sign-up/sign-in e-mails.
Even then I would not use it for this purpose.
I'd not be comfortable using a regular e-mail host for transactional purposes, as I do not know what their policy on such matters is. While the volume of e-mails will never be massive, the repeated sending of similar-looking e-mails en masse makes me paranoid it could trigger a dirty flag somewhere along the line.
But it serves what I require it to: just give me e-mail with no extra fluff.
I can scale it in the future, with the actual paid plan starting at a measly 11.58USD/year per user while providing a significant upgrade in capability.
Now for the transactional e-mails, I made a deal with the devil: AWS Simple Email Service, also known as SES.
As you have gathered, this is a cloud based solution from Daddy Bezos himself.
Now why would I subject myself to this?
Believe it or not: ease of use and cost.
I was just about ready to pull my teeth out with the differing solutions I was trying, until some further research sent me to SES. After some configuring my very first test e-mail worked, which is further than I got before.
So yeah, good enough for me.
As for the price, the service is pay-for-use rather than subscription based. No monthly rolling fee for a prepaid amount of e-mails (there are of course limitations), no extra-mextra yee-yee ass "special services" on top of it which I simply don't have a use for as an individual. Just e-mail. To my users.
As for cost, in this configuration you primarily pay for two things:
- e-mails out
- e-mail size
A price calculation, assuming I would use my full allowance of 50 000 emails, with the average size of the e-mail sent by Ghost appearing to be 21kb:
50,000 messages per month x 0.0001 USD = 5.00 USD
1.05 GB per month x 0.12 USD = 0.13 USD
5.00 USD + 0.13 USD = 5.13 USD
Even better, the service is eligible for the AWS Free Tier bonus giving 3000 messages/month at no cost, over a duration of 12 months.
So barring any viral explosion in popularity, I might as well call this one "free".
Here is how to go about it (carried out on a DigitalOcean droplet):
Upon signing up for the service, you will be asked to do a couple of tasks.
Verify your e-mail (the one you created through Zoho for example) through a verification link that you will receive.
Next, under SMTP settings, generate new SMTP credentials: access key and secret access key (this is a one-shot deal, so note it down!)
Find the SMTP endpoint in the same settings tab.
Afterwards find your config.production.json Ghost file (through SSH/FTP, whatever you have) and modify as such:
"mail": {
    "transport": "SMTP",
    "options": {
        "host": "SMTP-endpoint.amazonaws.com",
        "port": 2465,
        "secure": true,
        "service": "SES",
        "from": "'Name' email",
        "auth": {
            "user": "access-key",
            "pass": "secret-access-key"
        }
    }
},
Save it and run the ghost restart command.
Next, we need to verify that we actually own the domain.
In the Get started tab, on the Verify sending domain entry of your task list you will receive 3x CNAME records and a TXT record. Simply add them as instructed to your DNS provider and... play the waiting game.
Heads up regarding this step.
I experienced issues with getting verified while my DNS was handled by my hosting provider DigitalOcean. It could very much have been user error as I was doing these tasks in my post-work hours, sleep deprived, with a flu. Having had a plan to integrate Cloudflare eventually, I migrated the DNS there and it verified within 30 minutes.
As such your mileage may vary.
Until then your account is in "sandbox" mode and can only be tested.
You can whitelist another e-mail address (ask a friend for help maybe to make it more interactive) and attempt to Sign Up. See if the link is received. Then test out the Sign-In feature the same way.
Once your domain is verified, you will need to request production access. This involves a bit more waiting and faffing about as you wait for Support to answer your ticket. Providing this information worked for me:
State clearly what the service will be used for. Describe the Sign-Up/Sign-In process, provide picture examples of the e-mails that Ghost sends, and state that all users have the option to opt out of the program at any point.
It took the advertised 24 hours for me to be taken out of the Sandbox, giving me 50 000 emails/month.
Regarding the bulk e-mail sending, I am honestly leaving that aside for now.
Ghost itself only has built-in support for Mailgun, which does generate some angry commenters on their official forums.
Now I do get it: when they implemented it, it was probably years ago, when Mailgun itself was still a DISRUPTIVE ENERGETIC EPIC startup, giving their product away for nothing to draw in users.
But now they are very much a company, with deceptive practices, and pricing that is totally out of reach for an individual user.
Regarding that!
Apparently they still offer their Mailgun Flex tier, but it requires some doing to get to it as seen here. (Note I have not tested it out, so can't confirm it works yet)
The response to people getting angry is usually the same: Ghost is open-source, create your own solution!
I do have something in my eye, but it will require more testing. As of this moment I have no need for the newsletter feature, so I ain't too chuffed.
Contact me!
We are not quite done with e-mails yet I am afraid.
I probably want a way for my readers to contact me if they so wish.
Easiest way to do it of course would be to just put my e-mail in the Contact page, but we all know how this ends up: massive amounts of spam.
No matter how many variations of @ you try, the bots always seem to find a way.
(In fact I tried it for fun, it took less than 1 hour to receive the first spam message)
Of course no solution will be 100% bullet-proof, but it is a necessary step to take the precautions you can, without closing yourself off from your audience.
There is a form built into Ghost, or the theme I am using, but it doesn't seem to...do anything. Even after setting up transactional e-mails, it just takes the user input and upon submit it just seems to delete the input without actually producing any sending event. So let's look for something else.
As always, there are a million vendors who will do this for you!
If you give them more-money-than-it's-worth/month, your personal data so they may make even more money off you, and fuck it, maybe your wife as well while we are at it.
Sooo I found formsubmit.co
Free. Only requires you to insert some HTML to make it appear on your website. Presents at least a measly CAPTCHA challenge to the user.
Drawbacks?
I did have some issues during the setup, and anecdotal information on the web suggests they have outages here and there, but that is fine with me for now honestly.
Here is the code-block I use if you wish to copy it:
<div class="container">
  <form target="_blank" action="https://formsubmit.co/your-formsubmitkey" method="POST">
    <div class="form-group">
      <div class="form-row">
        <div class="col">
          <input type="text" name="name" class="form-control" placeholder="Name" required>
        </div>
        <input type="hidden" name="_next" value="https://yourwebsite.com/yourthankyoupage/">
        <div class="col">
          <input type="email" name="email" class="form-control" placeholder="Email Address" required>
        </div>
      </div>
    </div>
    <div class="form-group">
      <textarea placeholder="Your Message" class="form-control" name="message" rows="10" required></textarea>
    </div>
    <button type="submit" class="btn btn-lg btn-dark btn-block">Submit!</button>
  </form>
</div>
During your initial setup you will enter your desired contact e-mail address, use the contact form, and receive a verification e-mail with a link and a random string to replace your naked e-mail, referred to above as your-formsubmitkey.
Meanwhile yourthankyoupage is referring to another functionality which will redirect the user to a customized page on your website, with a thank you for sending their message.
Bots, Bots, Bots
As I mentioned above, I was going to migrate my DNS to Cloudflare eventually, and doing so helped me resolve some issues with setting up Amazon SES.
It did lead to another problem: it created an infinite HTTP redirect loop.
Now if you came here from Google after getting ERR_TOO_MANY_REDIRECTS on your Ghost blog, this did it for me.
Go to the SSL/TLS tab in Cloudflare and switch this setting to look like this:
Now there are some other good reasons for using Cloudflare: bot mitigation.
Even in its most basic form, it will do more to help you than not having anything at all.
As an example, I was seeing in my Google Analytics a high amount of traffic from the United States, Russia and India.
Some of those most definitely could have been legitimate users, but it seemed pretty obvious to me what's going on: these are bots.
So I set up some Cloudflare Custom WAF rules:
Now I shall be honest, I am monke, and all three of these could be redundant(?) but we can already see some effect.
I have also given verified bots, which I call "good bots", a pass, as these are usually used for legitimate research.
But even for them I created a separate Rate limiting rule:
In essence what I am telling the firewall to do is "Good bots are fine, but if they start making too many requests, give them a time out."
One more good setting is Hotlink protection:
This (should) prevent images from being "scraped" and then added to random galleries, but still linked to and hosted on the blog, which can create unwanted traffic.
And last but not least, the Cloudflare CDN.
Through caching and distributing the content on your website across many Points of Presence, Cloudflare can help to improve load times, while lowering your overhead on traffic. Pretty mucho bueno.
I might in fact do an entire post on how to exploit the Free tier to its full potential, once I get more familiar with it.
See you next week!
(Links are not affiliated, and only added for reference)