Consider configuring mail providers (e.g. Mailgun, Mailchimp) not to store, track and/or shorten sensitive URLs (e.g. reset password links, any URL with a token)

[eliotsykes]

Mail providers (such as Mailgun & Mailchimp) are often setup to track all links in the emails that are sent through their servers.

This means your provider may be logging and building reports for sensitive URLs that could be exploited (e.g. reset password links sent by email, URLs for digital goods and giftcards).

Considerations:

• is the tracked URL https or http?
• if the tracking URL is a short URL, it may be more vulnerable to brute force attacks
• does the URL need to be tracked?
• how to disable URL tracking per URL/per email?
• any mail providers auto-detecting sensitive URLs and actively not tracking them without developer intervention?

[eliotsykes]

So according to some reports, Mailgun has been attacked and it involved a client's password reset emails Mailgun were storing (for compliance?) being intercepted. See comments at https://news.ycombinator.com/item?id=16079544

[eliotsykes]

Consider adding guideline that if you use Mandrill (not Mailgun), to set view_content_link to false by default:

view_content_link set to false to remove content logging for sensitive emails

https://mandrillapp.com/api/docs/messages.JSON.html#method-send

[eliotsykes]

Removed Sendgrid from issue as according to docs on their site they do not log email content: https://sendgrid.com/docs/Classroom/Track/Collecting_Data/is_there_a_way_to_see_the_content_of_transactional_emails_i_send.html