A capable service but not good if one needs direct SMTP relay - here's why
I am writing my review of the AppSumo deal for SocketLabs after 24 hours of solid study of its features. Without any kind of doubt, it is a solid service and the deal provides a lot of value to the right customer. Unfortunately, it has what I believe is a solid principal flaw which makes it unsuitable for what I wanted to use it for.
First of all, what I need the service for: a replacement for the sending of transactional emails from multiple webstores under my control. I am aware of the existence of a WordPress plugin, but as far as I know, no such plugin exists for OpenCart, and therefore I am forced to use SMTP authorization for order confirmations, etc.
The flaw I mentioned is that the system provides a single set of SMTP credentials for the whole account. Combined with the way it is configured to accept incoming email (one basically lists all the domains that should be allowed to relay email via SL, and that's everything), this means that a leak of said SMTP credentials immediately compromises all listed domains, as the thief will be able to send perfectly validated messages.
A secondary consequence of this design decision is that a revocation of the compromised SMTP credentials will prevent any website from sending emails until fixed. Unless the user keeps tedious score of all the places where these credentials have been used, there is no easy way to resume normal operation after reset.
Even more surprisingly, the API injection capability works exactly the same way: generate a single API key, use it everywhere, and if needed, regenerate.
The only way to safeguard against this is to send transactional emails from a different domain than used for everyday correspondence; but even then, one cannot reasonably hope that recipients of past transactional emails (e.g. purchase receipts from a webstore) will have any reason to suspect a spoofed email that comes later.
In all fairness, the service allows for the setup of different servers with separate credential sets but (1) this requires an upgrade to the Pro Plan ($40/mo) and (2) does not solve the problem but just confines the potential damage to a single domain, or a set of domains, that use these credentials.
Somebody less paranoid than me and more interested in sending marketing or transactional messages will undoubtedly be less bothered by this huge flaw. But sadly for me, I will not be able to switch from my other solution to SocketLabs for the kind of email delivery service I require.
If by any chance someone from SocketLabs reads this and finds my conclusions wrong, I will gladly stand to be corrected. Until then, please be careful with your emails!

David_SocketLabs
May 9, 2024
Thanks very much for the explanation and view. You're correct that the solution for this concern currently is to establish multiple servers and thus different sets of credentials. For your use case, I don't think we can make you comfortable in the immediate future, but the solution for domain-specific credentials is on our roadmap. I'm sorry we won't be able to help you at the moment.