Major European payment processor can't send email to Google Workspace users (atha.io)
396 points by thatha7777 8 hours ago
st_goliath 8 hours ago
> Viva.com's outgoing verification emails lack a Message-ID header, a requirement that has been part of the Internet Message Format specification (RFC 5322) since 2008
> ...
> `Message-ID` is one of the most basic required headers in email.
Section 3.6. of the RFC in question (https://www.rfc-editor.org/rfc/rfc5322.html) says:
+----------------+--------+------------+----------------------------+
| Field | Min | Max number | Notes |
| | number | | |
+----------------+--------+------------+----------------------------+
| | | | |
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
... bla bla bla ...
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
| message-id | 0* | 1 | SHOULD be present - see |
| | | | 3.6.4 |
|/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
... more bla bla ...
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/|
| optional-field | 0 | unlimited | |
+----------------+--------+------------+----------------------------+
... every message SHOULD have a "Message-ID:" field.
Arnt 6 hours ago
SHOULD is a requirement. It means that you have to do it unless you know some specific reason that the requirement doesn't apply in your case. "I don't want to" is not a valid excuse, "I don't see a reason to" isn't either.
IIRC this particular rule is a SHOULD because MUAs often send messages without a Message-ID to their submission server, and the submission server adds one if necessary. https://www.rfc-editor.org/rfc/rfc6409.html#section-8.3 The SHOULD lets those messages be valid. Low-entropy devices that can't generate a good random ID are rare these days, but old devices remain in service, so the workaround is IMO justified.
BeetleB an hour ago
> SHOULD is a requirement.
I once had a job where reading standards documents was my bread and butter.
SHOULD is not a requirement. It is a recommendation. For requirements they use SHALL.
My team was writing code that was safety related. Bad bugs could mean lives lost. We happily ignored a lot of SHOULDs and were open about it. We did it not because we had a good reason, but because it was convenient. We never justified it. Before our code could be released, everything was audited by a 3rd party auditor.
It's totally fine to ignore SHOULD.
seb1204 16 minutes ago
st_goliath 5 hours ago
> "I don't want to" is not a valid excuse
for the client. If you're implementing a server, "the client SHOULD but didn't" isn't a valid excuse to reject a client either.
You can do it anyway, you might even have good reasons for it, but then you sure don't get to point at the RFC and call the client broken.
geocar 3 hours ago
Veserv 4 hours ago
Arnt 5 hours ago
L_226 5 hours ago
As someone who does systems engineering, the only valid requirements include the word "shall".
stackskipton 5 hours ago
opto 5 hours ago
sas224dbm 4 hours ago
SecretDreams an hour ago
Should = internal target
Must = external requirement
I cannot fathom how you think should* would act as a requirement in any sense of the world.
almosthere 4 hours ago
The original email RFC is also completely unaware of how bad spam is. Sure it might mention it but it's not really AWARE of the problem. The truth is, companies like Google, Microsoft and a few others have de-facto adjusted the minimum requirements for an email. Signing, anti-spam-agreements, etc.. are the true standard if you want an email to get from point a to b. (none of which are going to be REQUIRED in the RFC)
ale42 8 hours ago
The official definition of SHOULD per RFC2119:
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
citrin_ru 7 hours ago
You can argue that you not obligated to use message-id but if you don't use it you should blame only yourself that your messages are not accepted. In requiring message-id I would side with google (though in general I think they anti-spam is too aggressive and lacks ways to report false positives). Full RFC compliance (as in not only MUST but also SHOULD unless you have a very good reason) is the easiest part of making sure your emails will be delivered.
RHSeeger 7 hours ago
pilif 7 hours ago
Waterluvian 7 hours ago
eli 6 hours ago
You assume that internet standards are prescriptivist; that the document describes how it is to be implemented. In practice it's often descriptivist, with the standards documents playing catch-up with how things are actually going in practice.
Anyway, in general you can expect that doing unusual but technically valid things with email headers will very often get your messages rejected or filtered as spam.
psychoslave 6 hours ago
Juliate 7 hours ago
For producers, ignoring a SHOULD is riskier because it shifts the burden to every consumer.
For consumers, ignoring a SHOULD mostly affects their own robustness.
But here Google seems to understand it as a MUST... maybe the scale of spam is enough to justify it. Users are stuck between two parties that expect the other to behave.
zer00eyz 7 hours ago
jacquesm 6 hours ago
Google interpreted it that way because it drives more people to use gmail.
ZWoz 5 hours ago
My take, as a postmaster for hosting company, who don't have any sympathy to gmail (that should be visible from my comments history): Message-ID is absolutely MUST in production e-mails. You can send your test stuff without it, but real messages always have it. Not having Message-ID's causes lot of fun things. All somewhat competent software is capable to add Message-ID's, so lack of it is good indication of poorly made custom (usually spamming) solution.
Rspamd and spamassassin have missing MID check in their default rules, I am sure that most antispam software is same.
stefan_ 5 hours ago
Why? If I'm writing a mail receiver, and I'm told there is some unique ID generated by the sender in a loosely specified way, the first thing I'm doing is ignoring that value forever. One lesson surely most everyone learns in CS is that unique identifiers are maybe unique to the system generating them, but to rely on foreign generated IDs being unique globally is a terrible idea that will break within the minute.
So at that point the ID has no value to me except being obliged to carry it around with the message, so maybe the originating system can at some point make sense of it. But then there is obviously no reason to ever reject mail without it, it's an ID valid for the sender and the sender didn't care to include one, great, we save on storage.
jasode 5 hours ago
ZWoz 5 hours ago
the_mitsuhiko 8 hours ago
Exactly. Message-ID is not required.
An unrelated frustration of mine is that Message-ID really should not be overridden but SES for instance throws away your Message-ID and replaces it with another one :(
elAhmo 7 hours ago
I would read this as a requirement for email to be 'legit' and not classified as spam.
Sure, you can send email with whatever headers you want, use weird combos, IP addresses, reply-to, and it might be still a technically valid email, but not something that should land in people's inboxes.
Also, a payment processor not testing their email on the most popular email provider in the world is quite ridiculous.
philipallstar 5 hours ago
As indicated in the RFC, it uses another RFC[0] to define those words. Here's the relevant excerpt from that one:
3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
b00ty4breakfast 5 hours ago
I know you're looking for "pedant points" but the specification generally take a backseat to implementation. If Message-ID is expected out here where the rubber meets the road, then you are the squeaky wheel in this scenario for not including it.
OJFord 8 hours ago
The only messages I receive without one are spam/phishing. I check because they're not recognised by notmuch, so I don't see them otherwise.
thatha7777 5 hours ago
And the definition of "SHOULD" (from RFC 2119) is "This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
Having said that, I regret my original characterization of the Message-ID header as a "requirement" and have updated the blogpost to be fair to all sides.
Thank you for bringing this up.
deepsun 6 hours ago
GMail SHOULD handle your messages, not MUST.
PunchyHamster 4 hours ago
> That says SHOULD, not MUST, so how is it a requirement?
Battle with spam has been for long part just trying to algorithmically fingerprint the scam bots and reject the message if it looks like it wasn't sent by "real" mail server/client.
So a lot of things that are optional like SPF/DKIM are basically "implement this else your mail have good chance of being put into spam automatically".
s17n 6 hours ago
The reason that European tech sucks is that people in Europe are open to such arguments. If an engineer in the US started talking about SHOULD vs MUST, some PM would just give them that "what the fuck did I just listen to" face, spend the next few minutes gently trying to convince them that the customer experience matters more than the spec, and if they fail, escalate and get the decision they want.
For example, why does Google handle this differently for consumer and enterprise accounts? Well it's Google so the answer could always just be "they are disorganized" but there's a good chance that in both cases, it was the pragmatic choice given the slightly different priorities of these types of customers.
youknownothing 6 hours ago
Not my PM (in the US). My PM would try to avoid anything that is not absolutely necessary and therefore ask developers not to develop anything that isn't a MUST. I know that we like making fun of Europe for their alleged lack of innovation but this isn't a Europe thing.
dlopes7 4 hours ago
lingrush4 6 hours ago
shaan7 4 hours ago
Well the current US Administration would agree - the law doesn't matter, we need to be "pragmatic" and do what we think is right. Rules be damned.
Once you deviate a bit from the standard, you're down a slippery slope. Its not that difficult to use pragmatism to justify wrongdoing.
patrickmcnamara 2 hours ago
Do bugs and bad implementations not exist in US software? If an US company did this, nobody would be bloviating about how it is a cultural issue or whatever.
layer8 6 hours ago
The reason it’s recommended is that it’s useful for detecting when an email you receive is already in your mailbox, so that you don’t accumulate duplicates. Otherwise one would have to compare the complete email, which probably no MUA does. Another reason is that replies can include a reference to the original message, so that it can be properly threaded by MUAs.
So these are mostly quality-of-life reasons, it’s not a reason to reject an email.
hermannj314 6 hours ago
You SHOULD follow the wording of the RFC, you MUST follow Google's interpretation of the RFC.
That is the difference.
redeeman 13 minutes ago
evidently they must not
thatha7777 7 hours ago
You're totally right. I've updated the blog to reflect this. Thank you!
torlavd an hour ago
Standard RFC naming, optional field.
jiggawatts an hour ago
The HTTP User-Agent header is also optional, but if you omit it, something like half of all endpoints will respond with a 500 error code.
zokier 7 hours ago
Also email as a protocol (SMTP) predates RFC5322 by 25 years or so.
zoobab 7 hours ago
Avoid SHALL, SHOULD and all other crap, use Elon MUST.
roysting 6 hours ago
SHALL has been interpreted/clarified by US courts as not being a fancy MUST or REQUIRED that many people were taught it to mean, but SHOULD still has it's purposes, e.g., to provide contractual flexibility in development, i.e., a MUST/REQUIRED requirement was more challenging or complicated and took up more time/resources than anticipated, so SHOULDs can be trimmed due to contingencies.
Another example may be a lightweight implementation of a spec in a limited and/or narrow environment, which remains technically compliant with full implementations of a spec but interaction with such a limited/narrow environment comes with awareness about such limitations.
fosron 7 hours ago
Worked on an ESP. We had a couple of server software we used on low-level for sending. None of them would accept the message without a Message-ID. But even if you have a super-custom, SMTP-injecting service built, how can you ignore all of these bounces from a provider thats likeliest to be the major one you are sending to? Unthinkable. I would not like to have business with such a payment provider.
idopmstuff 7 hours ago
This is the one that gets me - sometimes you're forced to work with systems that do annoying things that you have to accommodate. It's annoying, but it's more important to do the thing that prevents your users from having issues than it is to be theoretically right about whether something's required by a standard.
I've dealt with many worse cases than this, where the systems I was integrating with were doing things that weren't even close to reasonable, but they had the market power so I sucked it up and dealt with it for the sake of my users. Maybe Google's wrong here, but how do you not just implement the solution anyway?
atmosx an hour ago
> Maybe Google's wrong here, but how do you not just implement the solution anyway?
But they just did (make it work). The logical assumption is that most ppl did the same, just used another email provider. Why would viva care? (same as google, why would google care?).
renato_shira 4 hours ago
this is the pragmatic take that matters. i've dealt with this exact dynamic with app store review processes: the guidelines say one thing, the reviewer interprets it differently, and at the end of the day you just fix whatever they flag because shipping matters more than being technically right.
the email situation is the same pattern at scale. google workspace has the market power to enforce whatever interpretation they want, and the RFC debate is basically irrelevant from a business perspective. your users don't care that your reading of the spec is correct, they care that they didn't get the receipt.
the part about a payment processor not testing deliverability is wild though. that should be in the first week of any transactional email setup: send test emails to gmail, outlook, yahoo, protonmail, check headers, verify SPF/DKIM/DMARC, and actually monitor bounce rates. the fact that a major processor missed something this basic suggests the email infra was probably a "set it and forget it" setup from years ago that nobody ever revisited.
atmosx an hour ago
> I would not like to have business with such a payment provider.
Chances are that the decision-makers in most companies don't care about the technicalities (i.e. which email you used for registration) - they want to get up and running.
The reason that Viva doesn't care, I assume, is the reason Google workspace doesn't care: they're both too big to care for 5% of their clients won't do the extra work. They know that their, usually much smaller clients, will "figure it out" by i.e. using another setup that works™. So why bother?
thesuitonym 2 hours ago
> how can you ignore all of these bounces from a provider thats likeliest to be the major one you are sending to?
This is the major issue that most of the discussion is missing. It doesn't matter how you want to interpret the word SHOULD, if you want to send to google workspace, you MUST include a message-id. It's not like this is some fly-by-night server with 12 clients.
If you absolutely and completely don't want to include the message-id, then you need to have a warning that your service can't be used by Google Workspace customers. This used to be common practice, blocking communication to servers that behaved badly, and I sort of wish we'd bring it back.
saltmate 5 hours ago
I doubt Google Workspace is going to be the major provider for European businesses
leansensei 5 hours ago
...and you'd be wrong.
toomuchtodo 3 hours ago
saurik 8 hours ago
My pet peeve are services that go out of their way to include a text/plain alternative message part but send something useless, such as the message without the key link. One time I seriously ran into a service just send a short one-sentence note along the lines of "this is a plain text email" as the plain text part. If you don't want to support plain text, maybe just don't send the alternative part?
cube00 6 hours ago
I find the ones that try to be cute the most frustrating because these appear on the new message notifications so I can't just delete them straight from the notification.
We'd love to share this exciting announcement but you'll a different email app.
Although I guess the argument will be that email clients should use AI to summarise the HTML into a plain text summary.
dwedge 3 hours ago
I had one who sent me the booking details of another client in the plaintext part. I reported it to them nearly a year ago and they didn't reply, so screw anonymity, it was Avis.
kuschku 2 hours ago
If you're in EU or California, you should probably email the local data privacy official's offices about that.
Marsymars 7 hours ago
So I'm wondering a bit here - I've seen an implementation where emails to send only have html versions, but as part of the sending process the html is run through a Lynx browser process with the -dump command to get the plain text, which is included as the text/plain part of the email.
Is there actual value to this? e.g. Is the output of Lynx's text dump better for plain-text email clients than whatever they'd display for html emails?
mihaic 3 hours ago
I've personally converted html to plaintext with beautifulsoup in python, and used that as the plaintext version. Did not have complaints, but I honestly don't know who actually reads the non-html version.
nbernard 7 hours ago
Some (old?) spam filters may be triggered by html only emails.
bandie91 5 hours ago
the best is when some put the same payload in the text/plain part as in the text/html part. yes. the html source. as text/plain.
basilikum 8 hours ago
With fintech that surprises me not the slightest bit. Financial institutions are filled to the brim with unbelievably incompetent people. A large part of it is probably willful ignorance, too. It's often truly staggering that a financial company I interact with in day to day live is even able to exist. That's until I remember that all the others are just as incompetent.
"Major European Payment Processor" really just translates to "Major European Incompetence Center".
oasisbob 7 hours ago
With a broad statement like this, I would usually just suggest this is inflammatory and surely overstated.
However, I've also worked at a financial institution which used core systems by Harland Financial Systems. Their "encryption" for data in transit from teller workstations to the core system was just a two byte XOR, and they sent the key at the beginning of the connection!
Was so unbelievable to be able to crack this in under a half-hour after noticing patterns in a PCAP. Wouldn't have believed it if I hadn't seen it with my own eyes.
That fraud was good enough for our regulators and theirs, so I have no doubt the industry is filled with rotten incompetence through and through.
ryandrake 4 hours ago
The biggest disappointment in my 30 years of adulting has been how much absolute, shameless incompetence is out there in the workforce. When I was a kid, I naively thought that adults were smart and knew what they are doing. Then I got into industry and saw so many people just outright bluffing for 8 hours a day before going home, day in and day out.
It's amazing that society even functions at all.
Foivos 14 minutes ago
zos_kia 2 hours ago
yndoendo 7 hours ago
There is plenty amount of incompetence in FAAMG. Notepad ....
Do Europe financial institutions have the same level of corruption as the USA? Such as a credit card company authorizing credit card transactions with incorrect expiration date to maximum profit, Bank of America? Or opening new accounts without consumer consent, Wells Fargo?
roysting 6 hours ago
It's a broad question, but in many ways, very clearly yes, re. corruption of financial institutions, and to a far greater extent in many, albeit different ways.
Incompetence and corruption only slightly overlap in most cases, i.e., being competent at corruption is a very real thing. The incompetently corrupt, usually end up punished... and there are few and far between...as we all very well know.
The kind of schemes you mentioned are generally not going to be how "corruption" will manifest itself in European financial institutions, because although it is also difficult to speak in general across Europe since the EU has not yet subsumed democratic self-determination all across the continent yet, so there is wide variation; the competent corruption is largely in the form of money laundering and tax evasion, not lower level quantitative schemes that would quickly come to light because Europeans are also a lot more cognizant of money and value than Americans, so people are paying attention a lot more closely and will raise hell over a single cent, where Americans are known to have hundreds of dollars draining out of their pockets every month just alone on recurring payments for things they don't even use anymore and don't bother dealing with it.
What we all don't really seem to internalize as a human species, is the absolutely demonic type of pernicious nature of "banking", i.e., a kind of LotR, ring, that consumes you especially if you are weak... and human, or at least European civilization seems to frequently go through periods of immense weakness where things are going springily and everyone is dancing to the music the "bankers" are playing as they are pandering our pockets, and when they realize they could get away with that and all the pockets are plundered, they move on to plundering our homes, then our accounts, then they want to take our first born... "Banking" is like humanity's cocaine, the seemingly innocuous, feel good drug that will consume your soul if you do not rage and fight against that demon taking over aggressively. It's no coincidence that cocaine is so widely used by the most parasitic elements of European societies, especially in "banking"/finance in general.
dboreham 2 minutes ago
Shouldn't this be "doesn't want to send..."?
amelius 7 minutes ago
That will teach those pesky Europeans not to start their own payment processors.
afavour 7 hours ago
I have some level of sympathy with Google here, which isn’t something I often say.
I recently switched from Gmail to Fastmail and by and large I’m happy with it. But I’ve been surprised by the amount of spam and (particularly) phishing emails I get in a regular basis. Google might be too strict in its filtering but it does serve a legitimate purpose.
lowdude 6 hours ago
Interesting that you mention this, as I also switched to Fastmail recently and got more spam than before, but after marking it as spam for some time it now died down I think. This may also be a symptom of changing providers, where the previous provider knew the kind of spam I tended to get from past years, while Fastmail needed some time to get up to speed.
Fingers crossed that the experience will be the same for you.
olivia-banks 4 hours ago
I don't think a single spam email has ever crossed into my Fastmail inbox. Granted, every service I sign up for gets it's own masked email. But while the @fastmail.nl email that I chuck on my website gets a fair amount of spam, it always gets categorized correctly.
jmuguy 6 hours ago
Fastmail seems to go through periods where they're a little slower to adjust to new spam techniques, and they do rely on users filtering somewhat. About twice a year a few will slip through, but if I report them as spam they soon stop.
I've been a happy customer otherwise for years, for what its worth.
tietjens 7 hours ago
I've considered this switch. You're saying that previously gmail was dropping the emails, or they were landing in spam?
havaloc 24 minutes ago
I switched from Fastmail to Gmail/Workspace a year ago. I think but cannot conclusively prove that Gmail drops Apple transaction emails on occasion ( like receipts ). But I also think Fastmail dropped other emails too.
afavour 6 hours ago
Presumably they were in spam. But I rarely ever checked my spam folder to know with certainty.
thayne 6 hours ago
> Who's in the right
I don't think either are. The payment processor should be sending it, but, at least according to the RFC, it is incorrect to reject an email that doesn't have it. I suspect the reason it is SHOULD, and not MUST is for backwards compatibility with software that predates the RFC that adds the message-id header.
Maybe there is a correlation between missing that header and being spam, but then it should go to the spam folder, not be outright rejected.
----------------------------
The experience with support is also similar to experiences I've had with support at many companies. I provide enough details that an engineer could probably easily fix the problem, but the support representative just dismisses it, and it is doubtful an engineer even hears about it.
askldfhalkdfh 2 hours ago
It's not necessarily the support person's fault. I worked in support way back when. There were some long-standing issues that needed only minor work to fix that engineering management didn't get, didn't care about or just wouldn't prioritize. Engineers weren't free to work on what wasn't prioritized. Acknowledging a problem and leaving the ticket open doomed to be unsolved forever negatively affected my performance rating. I had to respond with this sort of cheery everything's fine message and write it off as a customer issue, even though I didn't believe it.
ajross 6 hours ago
Exactly. This minutiae is all so weird. Email as a formal specification does not work, and the industry as a whole has accepted that for decades now. It's not possible to filter spam from valid traffic without applying a truckload of heuristics and leveraging an ever growing set of auxiliary signals (SPF, DKIM, yada yada).
To wit: basically everything in this world is a "SHOULD", at best. The rules are a conversation.
jonathanstrange 4 hours ago
Then why does my email program reliably distinguish spam from ham without any server-side filtering involved?
ajross 2 hours ago
shadowgovt 4 hours ago
mrighele 6 hours ago
The first thing that comes to my mind is: how come viva.com is unable to send emails to google workspaces and nobody at viva.com noticed before ? For how long has this going on ?
The second thing is, what email software are they using ? If it was any relatively used software I would not expect this problem to arise (maybe it is some commond software but misconfigured).
Third, while the header is not mandatory, I usually read SHOULD as a "if you don't implement it prepare for possible problems". SHOULD is not MAY.
Fourth, they should be thankful that Google bounced the messages with some appropriate error explaining how to solve it. I have plenty of issues in the past with both Google and Microsoft where they accept the message for then sending to /dev/null
camgunz 7 hours ago
The most damning thing about this is they didn't test their email infra w/ Google Workspaces. Imagine what else they didn't test.
vimda 10 minutes ago
They are testing it, every time someone signs up and it fails. We don't know that this wasn't something that changed on Google's side, so IMO it's a bigger indictment that no one is monitoring their live email deliverability
ejpir 7 hours ago
yeah, because the whole world uses Google workspaces, right /s
hn_go_brrrrr 6 hours ago
That and MS Office are pretty darn popular. Not the whole world, but a very decent percentage of your users.
AJ007 6 hours ago
looperhacks 4 hours ago
shadowgovt 4 hours ago
No, just over 6 million paying business customers.
But hey, if you're in a business domain where categorically leaving 6 million potential clients-who-are-demonstrated-to-spend-on-things isn't an issue? One fewer thing to worry about, right? ;)
davsti4 6 hours ago
"Email is tough", software development is tough, IT is tough, walking and talking at the same time is tough, mailing a letter is tough.
When orgs frame problems like this, it erodes trust in the message they try to convey. Email isn't a tough problem, but its a problem nobody wants to really deal with. Email is simple - its a text based protocol, that started out open, but now you need to add security to ensure your email is delivered.
fweimer 3 hours ago
The Gmail requirement is actually slightly different: the header must be present and unique. Gmail only keeps one copy of a message per user and message ID. Combined with a mail source that uses predictable message IDs (such as Github), you can abuse this to suppress delivery of certain messages to Gmail users.
realusername 3 hours ago
Interesting, but what do you gain to send an email which you know will not land?
ZoneZealot 3 hours ago
They mean to send an email in advance, with a message ID that would later be used in the target email. First email gets ignored, moved to spam, or not read yet. Then the target email gets sent with the predicable message ID, and gets bounced.
Comments on issues use the format <[OrgName]/[RepoName]/issues/[IssueNumber]/[CommentID]@github.com>
A mitigation to this would be to take the combination of message ID and the sending domain and use that as the unique value, because message ID is not guaranteed to actually contain a domain label that's owned by the sender.
For example SendGrid's message IDs are <[RandomValue]@geopod-ismtpd-[Integer]>.
fweimer 3 hours ago
fweimer 3 hours ago
If I send it first, the real message won't get delivered. The real message could be be a newly reported security issue.
golem14 29 minutes ago
Hilarious - German users lecturing Google on how to interpret the English RFC?
I say this lovingly, having significant German ancestry:)
But taking a step back :
did viva previously send message ids and pushed a change to prod to strip it? Was it on purpose or an accident?
And other email providers like proton or Hotmail - do they accept messages without message ids?
Have other clients of Google workspace complained about this issue?
juancn 7 hours ago
If that's how they handle email, I wouldn't want to see what they do with payment data.
DaOne256 7 hours ago
Maybe that's something to report to the "European System of Financial Supervision" or some other EU government agency.
They even have a Whistleblowing link at the bottom of their website: https://www.bankingsupervision.europa.eu/about/esfs/html/ind...
looperhacks 4 hours ago
> This experience fits a pattern I keep running into with European business-facing APIs and services. Something is always a little bit broken. Documentation is incomplete, or packaged as a nasty PDF, edge cases are unhandled, error messages are misleading, and when you report issues, the support team doesn't have the technical depth to understand what you're telling them.
I can definitely confirm that this is a common thing. But I think this is a "small org"-problem more than a "European business"-problem. Apparently, the company has somewhere between 500 and 1000 employees (I couldn't find good data, sadly). With a size like this, the "support" is probably outsourced (meaning they don't know anything), there are maybe 100 engineers (probably less) and the mailing is either done via a third-party or set up by an Admin that left three years ago.
Without any basis, I will speculate that you will notice this more in Europe because there is simply no company at the size of Stripe or similar.
bojan 3 hours ago
While there is some truth in while you saying, I have to say that from my European perspective all the big American companies feel enormously bloated. For example, I've recently learned thats Atlassian has 13000 employees, and I have to ask myself, what do all those people do?
TheAceOfHearts 3 hours ago
A minor correction, but Atlassian was founded in Australia, and their global headquarters is still in Australia.
mamiride 37 minutes ago
Mamiride dot com email verifications are not delivered to Gmail from a self-hosted mail server and I wonder if this is the reason. We got around this by making email verification an optional step instead of mandatory.
wolvoleo 6 hours ago
Huh I've lived in Europe for most of my life and I've never heard of viva except as a poor name choice for Microsoft's corporate Facebook (yammer)
Most companies here use stripe on their website.
amarcheschi 4 hours ago
it's a greek company, if you buy from greek websites i guess you'll deal with it
i'm not greek but a greek ecommerce i buy from uses viva
nashashmi 7 hours ago
10 percent of the effort in building software compatibility with open source file specifications is dealing with knowing the specifications. 90 percent of the effort is dealing with errors in generated files by less worthy software programs.
The RSS spec is one way. RSS readers do a fine job of interpreting files done the right way. Publishers don’t always do a good job with publishing error free RSS files. So RSS readers devs have to anticipate all sorts of errors and conduct error handling to ensure RSS items are properly handled.
This is why companies want to keep their file format proprietary. Other devs can really do damage to the ecosystem and ruin the experience
EvanAnderson 6 hours ago
My personal fork of ttrss, from 2005, is a dodgy patchwork of fixes for badly formatted RSS. I can't imagine trying to host a service that deals with RSS feeds from random sites at scale.
tracker1 6 hours ago
One that always irks me to no end, is every time I see someone ham fisting csv handling by hand instead of using an established, well-sourced library. They almost always fail at commas or newlines in quoted text... It's one of the more annoying things.
Currently working on replacing a couple decades old system, and my csv output is using a library that isn't quoting all the strings that don't require quotes... so I'm forced to do it (for compatibility) with the other system this csv is going to. (sigh).
pmontra 5 hours ago
If a business like that doesn't get its emails delivered, it will slowly go out of business. Merchants will find another processor that is able to deliver emails to every inbox. That is, Google could be less picky, but the company with a problem at hand is Viva.
j1elo 4 hours ago
> For viva.com's engineering team, in case this reaches you: [...]
That's too kind of you, but on the other hand it really doesn't solve the issue of bad priorities and lack of overall Quality. Some engineer might log a couple hours fixing a Level 3 severity bug, emails will start working better, but the poor (or at the least, dubious) backwards technical stewardship (or lack of it) will keep going on inside the company, unnoticed from outside (until something bad eventually happens to some client)
flerchin 8 hours ago
The specific bug is annoying, but that there's no way to report such a thing is an exact hallmark of our current corposphere.
newsoftheday 6 hours ago
Google's Postmaster Tools site has a "Report deliverabilty issue" link at the bottom left navigation column.
stonogo 3 hours ago
Which is, of course, hidden behind a login wall
_el1s7 7 hours ago
> For viva.com's engineering team, in case this reaches you: add a Message-ID header to your outgoing transactional emails.
Don't know what they're using for sending emails, but that's something that should be handled by their email service provider, unless they're hosting their own email servers.
basilikum 7 hours ago
Interestingly the MX record of via.com points to Google, but their verification emails could come from anywhere of course. The IP address in the log is also a Google IP, although that could also be the receiving IP.
jms703 3 hours ago
To author:
The phrase:
“sends verification emails without a Message-ID header — a recommendation of RFC 5322 since 2008”
can be misread as though RFC 5322 recommends not including a Message-ID.
herczegzsolt 6 hours ago
I vaguely remember hitting this message id issue in Google Workspace, and being able to work around it in mail routing configuration.
Saidly I don't remember the specifics, it was something along the lines of not all, but only specific routing features requiring it. Workspace settings are a moving target anyway, so the behavior probably changed more than once since.
I'm not saying it's a good idea to send emails without message id, but i'd also double-check that workspace configuration.
sceptic123 7 hours ago
> Why this matters
Hello AI (Claude?)
chrisjj 3 hours ago
> Their support team's response to my detailed bug report
As you said, its not a bug.
A feature request might fare better.
youknownothing 6 hours ago
It used to be said that the reason the Internet evolved so well was because of the basic principle of "be strict when you send, but tolerant when you receive". Clearly Google has forgotten this.
cl0ckt0wer 8 hours ago
Do you want to enable receiving email for viva.com? sign up for VibeCodedSAAS for E49.99/month
EGreg 8 hours ago
Just did! My mac mini got pwned though and I wish I didnt give it SMTP accesss… sigh
I just hope my OpenClaw skills registry doesnt have malware anymore. I sure trust my supply chain of vibecoded software!
Deukhoofd 8 hours ago
Might want to consider Adyen, which should support IRIS, the Greek instant payment system.
thatha7777 6 hours ago
Thank you for the recommendation! That I couldn't sign up using a form and I had to "talk to their team" was a turn-off for my (extremely extroverted) self.
nottorp 6 hours ago
That usually means you can't afford it unless you have people working for you that do the 'talk to the team' thing.
pelorat 6 hours ago
I've never heard of them. Looks to be a company from Greece. That would explain their reply. Not exactly known for their tech.
miki123211 5 hours ago
> This experience fits a pattern I keep running into with European business-facing APIs and services. Something is always a little bit broken.
I feel like this isn't just business services though.
American engineers are used to working for either big tech or "Silicon Valley inc." European engineers are used to working for Volkswagen, Ikea or Ryanair. Very different kinds of businesses who treat tech very differently.
Over here, competing on user experience and attracting users with a slick interface that people love to use isn't really something most companies think about (and so they get their lunch eaten by the Americans).
Nowhere is the European mentality more evident than in cybersecurity, where outdated beliefs still dominate. In this mentality, everybody is out to get you (and that notably incudes your vendors, your business partners and your customers), so all infrastructure has to be on prem, open source is free and hence suspicious by definition, obscurity is the best kind of security, encryption doesn't work so data should go over custom fiber, and if you have to expose an API on the public internet, an Authorization header isn't enough, it should also require MTLS behind a layer of IpSec.
1970-01-01 3 hours ago
>"We can see your account now has a verified email address, so there doesn't appear to be an issue."
There are still too many edge cases like this one that can't get fixed because of ignorant support not doing it's job. In my life, every company that escalates to an engineer instead of punting the ticket with some asinine 'but it works right now, goodbye' message gets rewarded via keeping my business. The ones that don't are immediately cancelled. Sometimes I even do a chargeback as extra punishment. Maybe I'm just old, but I have near zero tolerance for immature support playing games with my time.
mogoh 7 hours ago
The problem is always e-mail itself. It is terrible standardised and hard to get "right".
pembrook 7 hours ago
Typically I'm a DIY type who loves tinkering and building...
HOWEVER, I have learned the hard way to never apply that spirit to email.
In Europe you see this stuff all the time with old school "IT" (what old industrial companies call tech) people balking at the prices of commercial API-based senders and email marketing ESPs.
"Money to send emails in the cloud? HAH! Back at Siemens in 90s we were running millions of emails out of our servers just fine!"
Nobody understands that deliverability has gotten immensely harder these days, and trying to DIY it if its not your core business is just plain stupid. I would never in a million years try to roll my own email, it's nightmarish legacy cruft and footguns all the way down, in everything from IP/Domain Rep to something as simple as the HTML in the email templates themselves.
Microsoft Outlook and Gmail have the last word on everything in email, and their defacto duopoly (over B2B and consumer email respectively) means you play by the rules they set in 2008 and are too lazy to change or you don't get delivered. The protocol of email exists separately from the world of the actual inbox providers, which are locked down to insane degree given the security/spam concerns with email.
jmuguy 7 hours ago
Google is at least less arbitrary than Microsoft. Microsoft will decide an email is spam today, and tomorrow the exact same email is perfectly fine. I think Google relies more and more on sending IP and domain reputation rather than content.
Marsymars 7 hours ago
Google regularly sends legitimate email to my spam folder.
Microsoft regularly sends legitimate emails from Microsoft to my spam folder.
oasisbob 7 hours ago
Deliverability to Microsoft famously took a dive a bit over a year ago due to random arbitrary failures within their infrastructure causing DMARC/DKIM problems which they clearly were having problems diagnosing.
Even with a six-figure email spend and weeks of troubleshooting the best response we could get from our mail provider was that they were having problems getting traction with Microsoft on the issue.
tracker1 6 hours ago
lasgawe 5 hours ago
literally everything is tough when comes to emails
amelius 7 hours ago
Gripe only related to email in general: what annoys me to no end is that if my boss forwards me an email and asks me to reply to it (to everybody in the original email) then I have to type in or copy+paste all the addresses from the Fwd attachment (using Fastmail, but this problem exists everywhere). Instead, there should be a button to make that easy.
fy20 7 hours ago
There's actually nothing that prevents that, if you craft the right headers you can reply to a thread you were not included in, and have it show up as a reply in the thread of common clients (tested Gmail and Outlook).
We added this feature at my $dayjob and I was quite surprised there is no authentication. But thinking about it, this is how mailing lists work (you aren't explicitly specified in "To:") so it makes sense you can do this.
eduction 43 minutes ago
I’m sorry but in the context of a 50 year old technology like email, 2008 was yesterday. Gmail is in the wrong, you don’t get to just update the standard for email like it’s TikTok content or a Roblox update or whatever.
Email was here long before Gmail and will be here long after Google abandons it.
This is why I don’t use Gmail.
Also, get off my lawn.
kotaKat 7 hours ago
Sudden realization that one of my American banks must be having email problems with this too because I use a Google custom email and recently got an in-app notification from my bank saying "we're unable to email you" (and a letter) yet my email works perfectly fine... switching to consumer gmail worked.
OkayPhysicist 5 hours ago
Do you actually not receive their emails? Fidelity uses tracker dots to check email receipt, which drives me nuts, because like any sane person I don't allow emails to load images without damn good reason. My brokerage should not be sending me cute dog photos, thus I have no need of their images.
So they send me an email, send me another email saying they can't reach me by email, then mail me a letter with the same content as the original letter, and mail me an additional letter saying they can't reach me by email.
kotaKat 3 hours ago
For some reason the announcement they sent me didn't show up in my email, which was odd. I've had other bank notifications come through unopened before, even after that announcement.
iso1631 8 hours ago
> Their support team's response to my detailed bug report: "your account has a verified email, so there's no problem."
Sadly I doubt their system is xkcd806 compatible ether.
This isn't an engineering problem, it's an ITIL problem. To be fair 99% of these complaints will be dealt with by the flow chart. Sadly people on the front line are either not knowledgable enough or not empowered enough to bust out of that straightjacket.
tracker1 6 hours ago
I usually reply with snark dialed up about 50% asking if anyone had actually read the original message. And include detail about how it is not, in fact, "ok"
The other day, I literally had trouble signing into a website... then I tried filling the contact us form, about the bug... only to have that fail... call in, have the person on the other end schedule my appointment, then almost drop the call without actually logging my bug report/complaint about the whole issue that had me calling in the first place.
thatha7777 6 hours ago
SHIBBOLEET. I was seriously thinking of this when I contacted them :)
reeddev42 7 hours ago
Email deliverability is the reason I gave up on email entirely for my side project and built on Telegram instead. Setting up SPF, DKIM, DMARC, warming up a domain, monitoring reputation, dealing with bounces and complaints... all of that just to maybe land in someone's inbox.
With Telegram you send a message via the Bot API and it arrives. 100% deliverability. No spam filters. No authentication chain. The message just shows up with a notification on their phone.
Obviously Telegram has its own limitations (smaller user base in the US, less formal). But for anything where you need reliable message delivery to people who opted in, messaging platforms have a massive advantage over email in 2026.
basilikum 7 hours ago
Unless you are running a more complex setup SPF, DKIM and DMARC really aren't that complicated. They are annoying and additional checkboxes you have to go trough that are hard to fully automate because they require access to DNS, but they are more busywork than difficult.
Domain and IP reputation and all the other quirks of deliverability are much more of a headache. DMARC is setup, test and done. But deliverability in praxis is something you cannot just test and can break at any time. The second worst are email providers that do whitelisting for email and require you to go through their process to even be allowed to send emails to their customers. The worst are providers that randomly decide to drop your emails without informing you or giving you a proper way to appeal as a small sender. If you're not a large email provider they have no problem just dropping you and the fault is on you because your service is the only one that is not working.
And then there are so many more intricacies of the ancient email protocol. Compatibility with horrendously outdated and misconfigured mail infrastructure is particular frustrating to me. I'm running a modern, properly configured, state of the art email server, but get ghosted by large email providers, yet have to deal with the broken mess, much bigger providers than myself are, which of course have no trouble delivering their broken spoofable email just because they are large enough.
pbhjpbhj 6 hours ago
I found it maddening that I couldn't whitelist a sender (MS Outlook web, Gmail); well I could, but they still blocked the messages.
In my case, it was reportedly (for MS) an IP associated with mine (same hosting provider) had previously been used to send spam.
My domain is decades old, never sent any spam, and I whitelisted it .. but nope, my host wasn't perfect.
This was some time ago now, but it looks like they've still not adopted proper whitelisting.
jmuguy 7 hours ago
Most of that can be mitigated, or at least centrally managed, using an ESP like Mailgun or Sendgrid.
It is a pain in the ass though, coming from someone that had to dig their domain out of "low" reputation with Google Postmaster.
newsoftheday 6 hours ago
Some of us selfhost email, like me for 30+ years, and have 100% deliverability.
bossyTeacher 7 hours ago
Until the platform owner bans for whatever reason and if communication by way of the platform was your only means of communication with your customer base, that's the platform owner having the power to destroy your business. No different that businesses that rely on the neverending goodwill of the mobile app store owners. One misstep and your business is gone with no recourse whatsoever. Protocols > Platforms. Always.
that_guy_iain 8 hours ago
> Viva.com, one of Europe's largest payment processors, sends verification emails without a Message-ID header — a basic requirement of RFC 5322 since 2008. Google Workspace rejects them outright. Their support team's response to my detailed bug report: "your account has a verified email, so there's no problem."
Their emails do arrive tho? It was your email that didn't arrive? I find it unbelievable that a payment provider ignored customer complaining about no emails being delivered since it would breach their SLAs with their customers and their customers' customers would have complained. Especially since at the top you say Google says you got the verified email.
Dude, you may be liable for damages on this. This is an extremely serious allegation to be making in my opinion. I would delete this asap.
Edit: I think Ycombinator needs to realise they're liable for spreading this too. Holy crap, it's bad. They're lying through their teeth saying an email bounced but ended up in their logs. That's not now emails bounce is it? They bounce because it wasn't found. How was he able to verify his email if he didn't get the code?
flerchin 8 hours ago
Interesting, your take away is that Google is the one with the bug here?
jandrese 8 hours ago
If Gmail rejects emails from your domain it is up to you to fix it. Google is not going to change, and enough of your users will be interacting with people on Gmail that you have to fix it. It doesn't help that Google has been pushing people away from running their own email and into Google's services by ever tightening what it accepts over the years. More than one person has given up on their email server because it was a constant battle with Google, Microsoft, and company to not have important emails disappear into the void.
jeroenhd 7 hours ago
sylos 7 hours ago
that_guy_iain 8 hours ago
My takeaway is there is no bug. My takeaway is that his test email bounced because he didn't have the reputation Viva does. Emails are handled on a reputation basis, this is why we use email service providers like Sendgrid, Mailgun, Postmark, etc.
Johnny555 7 hours ago
flerchin 8 hours ago
yatac42 8 hours ago
thatha7777 6 hours ago
xp84 7 hours ago
basilikum 8 hours ago
If you read two paragraphs further than the Tl;Dr:
> To unblock myself, I switched to a personal @gmail.com address for the account. Gmail's own receiving infrastructure is apparently more lenient with messages, or perhaps routes them differently. The verification email came through.
renewiltord 6 hours ago
1. Email didn’t arrive in his inbox of his Google workspace
2. He checked workspace email logs (with admin you can do this on gsuite)
3. It showed the intentional non-accept
4. Comprehending the problem, he switched to personal Gmail
5. The email arrived
6. He informed the sender of the original problem which he worked around
7. Sender is tech-illiterate and did not realize what the problem is. This is common with first line customer support so that happens.
The question to ask is whether you are literate in English or you skimmed too fast. Because I did a 30 s read of the article and got that.
iso1631 8 hours ago
It does seem unlikely that there are no customers on google workspace who have tried to use viva. I don't do payment processing, and my email is via zoho, so I've no idea how large either of those groups are.
I wonder what google workspace support said.
thatha7777 6 hours ago
I suspect that Google going out of their way to make this required had a very reasonable and thought-out process, while the sender's omission was on oversight, so I haven't contacted Google Workspace support.
What's truly iffy is that GMail doesn't have the same strict requirements, and there's no way (at least that I found) to turn it off for my Google Workspace domain.
iso1631 5 hours ago
johnnyfaehell 5 hours ago
So, I've got to use my old account. I just found out via sources that he verified this account with the code from his main email. It was in his spam which is how he was able to see that the email headers weren't what he wanted. Which is why there was a log for a "bounced" email. I can't believe people don't realise bouncing means the mail server couldn't find an inbox.
And I think Viva is going to be pissed that I'm being stopped from pointing out the absolute lie here.
Lovingly yours that_guy_iain.
Dang, honestly, this is going to blow back big time because someone has clearly decided to stop me from editing my comments which means you're liable for damages and in breach of EU laws. YC is big enough and has enough interests in the EU to qualify. And it's the fact you've removed my ability to redress if your lawyers want to deal with it. And I'm pretty sure someone at YC is going to know how much money I'm going to get and who I'm getting it from which is the most impressive thing. And what my tagline is in certain circles.
Dylan16807 40 minutes ago
EU doesn't require edits, what the hell?
And nobody "decided to stop you" if you just hit the end of the 2 hour edit window.
But go on, what's your tagline.
that_guy_iain 21 minutes ago
gethly 6 hours ago
Google NOT following the spec is not surprising. SHOULD does not mean MUST and they are completely in the wrong here.
thatha7777 2 hours ago
The definition of SHOULD is "This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
I suspect viva.com didn't consider the full implications, and I suspect Google did some hard math on hours saved for their customers
shevy-java 7 hours ago
The bigger issue here is that Europe depends way too much on the USA in so many areas. This is not good - you can be constantly blackmailed when you have people such as Trump in charge. I don't think the EU can be fixed, but at the same time I also think the less Europeans depend on outside factors (in particular the USA) the better. Canada kind of showed how to do it. Granted, Canada is also dependent on the USA in numerous ways and most of this is hard to fix (most Canadians live in the south aka close to the USA and trade is primarily done via the USA; security has also been largely outsourced onto the USA and so forth). The sooner people in Canada and Europe get moving away towards more independence from the USA, the better. And more cooperation would not harm either.
thatha7777 6 hours ago
As a European (who spent 15 years in the US), I coudln't agree more. And while I agree, at the end of the day, I just want the better product for me.
egorfine 8 hours ago
This bug will not be fixed before the Environmental Impact Study is concluded on it.
hughw 6 hours ago
Postel’s Law would put the onus on Google to be forgiving in what it receives. Unsure how you could safely use a sender-created Message-Id for anything anyway.
joshuaissac 6 hours ago
Following Postel's law results in the normalisation and proliferation of defective implementations. The actual standard becomes irrelevant, and new implementations have to be coded against the defective ones.
My opinion is that Postel's law should be approached in the same way that Linus Torvalds did CVS when designing Git. If in doubt about an implementation decision, consider what Postel's law would recommend, and then do the exact opposite.
lokar 6 hours ago
That “law” if from a different time, before protocols like SMTP became adversarial. It assumed everyone was acting in good faith.
bell-cot 6 hours ago
Yep. And even a world of perfect good faith, "forgiving in what you receive" has both costs and scaling problems - from researching what "spec" you'll need to design to, to customer service when the added complexity and permissiveness cause interesting stuff to happen.
peter_retief 5 hours ago
I offered to host a friends business email on my DO instance. Works 99% of the time but every now and then emails just disappear only to find out that MS and Apple block DO IP addresses, sometimes. Silently. There is a war on small email providers it seems.
Avamander 5 hours ago
The biggest war on small providers is waged by other small providers. They can be ancient and outdated or simply extremely picky. Which makes everything Google or others require a piece of cake, which it actually kinda is.