🔐 API authentication change

• API authentication is now via dedicated, generated credentials using a client ID and client secret. The now-legacy method of authentication using username and password will remain supported for at least 6 months until March 2026. A deprecation warning is emitted in the HTTP response headers when using the legacy credentials.
• Existing users with API access are migrated to API accounts. API accounts are displayed with a different icon to standard users, and their name has a suffix of "API". New credentials can be generated in the Admin interface for API accounts.

🚧

API authentication migration

Client implementations must be migrated to use the new credentials by March 2026. Simply send the client ID and client secret in the same manner as the previous username and password.

Further direct notifications will be sent to account owners if legacy credentials are still used. Any inactive API accounts will be deleted to mitigate the chances of compromised accounts.

🚀 Added

• Customer spaces which are inactive for 18 months will be permanently deleted, to protect against unnecessary data retention in the platform. A warning notification is sent to administrators at least 28 days before deletion.

🔆 Improved

• Google reCAPTCHA used in forms is upgraded to a new API. Standard Form Handler usage is unaffected as the upgrade is automatic, but any self-hosted forms which have unbundled the standard Maxemail Form Handler script may not behave as intended.
• Recipients with at least 10 consecutive temporary delivery failures will be automatically added to the Global Bounce List, in a similar way to those with permanent failures. This will aid those with bad domains that repeatedly fail to deliver.
• The Sends stat on the Dashboard Overview widget shows separate totals for email and SMS, for customers who have the SMS feature enabled.
• An additional Feedback-ID email header is added to help aggregate stats in third-party postmaster tools.

✅ Fixed

• Inactive users are no longer eligible to receive system notifications where they were previously added as a recipient, e.g. scheduled reports.

🚀 Added

• Pre-approved contacts for scheduled reports can be configured within Admin for Customer and Agency spaces. This replaces the previous need to create a new user with the Notifications only role. See Report Contacts.
• The Service Message option is added for Recurring Emails to aid automated messages such as contract expiry and service reminders. See Email Setup Additional Options.

🔆 Improved

• The Admin interface for editing users has been rebuilt as a full page with auto-save, replacing the previous dialog box. This restores the ability for an administrator to change a user's email address, which was temporarily removed when switching to the new login system. See User administration.
• Users set up with the Notifications only role are migrated to the new Report Contacts setting under their respective Agency or Customer space and no longer appear as a user in the Admin navigation. Any user credits will be released. The Notifications only role is no longer available.
• Add support for TLS v1.3 for Transactional SMTP, and update the available encryption ciphers to match those already used for the Maxemail interface and API. This does not change the minimum requirement for TLS v1.2. See Data encrpytion for standard encryption policy details.

✅ Fixed

• Errors shown in Check Email for images with draft edits.
• A "high bit" rule triggered in Spam Check.
• Recipient email addresses with double-hyphens are not marked as invalid.
• New users stuck in a loop for accepting terms and resetting their password.
• A cookie incorrectly set in self-hosted forms when loading the Form Handler helper script.

🚀 Added

• New login system for accessing the Maxemail interface, requiring all users to create a new password and add an authenticator app for MFA. Read more about the setup process in the new user setup guide.
  API accounts are not affected, but will be updated in 2025 to use tokens.

🚫 Removed

By adding a new login system, the following features as part of the legacy login are removed:

• In-app change password.
• Administrator option to trigger user password reset procedure.
• Administrator option to change a user's password and password expiry options.
• Legacy federated login using a token signature.

✅ Fixed

• Not possible to open the dialog to create or rename user permission groups.

🚀 Added

• New customisation options for the unsubscribe landing page. The page itself has been updated with a cleaner style. See info about customising the unsubscribe page.

🔆 Improved

• Simplified interface for creating new users.
• Removed legacy cookie handling for ROI tracking. This was already upgraded to use LocalStorage in a past release. No website changes are required if using the standard Maxemail ROI Tracking script.
• All custom link domains are upgraded to use HTTPS.
• Background improvements to recipient response handling, to support the updates above and allow future improvements to track automated/bot traffic.

✅ Fixed

• Difficulty in editing Datatable field values in the interface.
• Errors were shown in Check Email for images with draft edits.
• Heatmap figures were misplaced for Email Builder buttons with links containing special characters.

Mid-release update

🔆 Improved

• Changed the interactive recipient unsubscribe behaviour to always use the Confirmation type, regardless of the selection in Email Setup. This is in response to seeing an uptick in the number of automated bots triggering the single-click unsubscribe, making it no longer feasible.
  This does not impact the ISP "one-click" requirement described below, as that relates to the automated unsubscribe mechanism through the ISP's own unsubscribe button.
  No client action is required – the Maxemail unsubscribe token added to email content does not change. (The unsubscribe method options in Email Setup will be removed in a future update). Read more on Unsubscribe management

🚀 Added

• Add the new "one-click" List-Unsubscribe-Post header that's required by Google and Yahoo from April 2024. (Maxemail has had the regular List-Unsubscribe header for many years, but this adds the new associated header for 2024). Read more on Feedback loops

🔆 Improved

• Change ROI Tracking to store recipient details in the browser's LocalStorage.
  This removes the need for cookies to implement ROI Tracking. No website changes are required if using the standard Maxemail ROI Tracking script. See more details about the ROI Tracking identifier.
• Update charting package used for Insight Report PDF exports, to make better use of modern browser features.
• Replace the Twitter 'Larry' bird icon with 'X'.
• Rebuild of core application and customer backend, to prepare for future database upgrades.
• Move the User Guide to a new documentation platform.

🚫 Removed

• Removed Email Builder newsfeed component. Meta removed support for fetching page content, and this feature saw no usage in Maxemail.

✅ Fixed

• Update Facebook API connection. Meta discontinued their official SDK, so Maxemail has switched to a recommended third-party to maintain support. See Social media options

🚀 Added

• The new bounce manager that has been in extended testing is live for all accounts.
  This complete re-write improves how Maxemail identifies and categorise bounce messages from ISPs. The format of bounce descriptions included in detailed exports changes slightly, but this doesn't affect the overall columns included in exports.

🔆 Improved

• The Quick Data Export API will validate the parameters to make sure that the request can be served, rather than failing with a timeout error. This applies to the API services and methods for all different message and stat types. There is no impact to users of the Maxemail interface.
  ⚠️ This will impact API implementations that are currently querying this API with no filter criteria, or a timestamp that is older than one month.
• The format of the import failures report has been changed to give a consistent order of columns and produce a fully-compliant CSV when special characters are present in the failed source record.

✅ Fixed

• Solve issue for large manual imports failing to start, when the mapping was completed and the imported started quicker than the file could be inspected to store its metadata.
• A race condition when using the API to add a single record to a Datatable following a manual change to the Datatable structure, causing the new column to fail to accept data.
• Salesforce contact activity was missing for opens and clicks that happened before an email campaign finished sending.
• Heatmap labels were misplaced for buttons generated in the Email Builder.
• Stats shown in the export for an Insight Report's Comparison module did not match the interface, when using the option to group Recurring Emails. Scheduled reports will automatically recalculate on the next schedule; one-off reports must be recalculated manually.
• Summary Report didn't include bounce stats for Triggered Emails.

🚀 Added

• Identify clicks from the HTML or text version when viewing the email link breakdown by content. See Email reports

✅ Fixed

• Comparison Reports were double-counting (or zero-counting) for specific edge cases involving Recurring SMS and multiple folders.
• Links were not tracked in buttons added in the Email Builder when viewed in Microsoft Outlook. See Buttons

🔆 Improved

• Basket tracking no longer accepts new baskets with an invalid value for the checkout stage, preventing subsequent basket errors.
• Email address values stored in Profile Fields that use the Email Address field type are always stored as lower-case, matching the behaviour for the standard Recipient email address. See Field types
• New rendering engine for generating the screenshots included in Email Report PDFs, which should give a better representation of font styles and fix some table overflow display issues.
• Optimised handling of Transactional SMTP emails with large attachments, resulting in faster processing times when running multiple consecutive messages.
• Background updates to the system that builds Maxemail's interface and JavaScript files for website tracking.

✅ Fixed

• Maxemail's built-in suppression lists have been renamed to use the term Global, for example Global Bounce List. This has been changed in a way which will not affect any existing campaigns, or future campaigns created through the Maxemail interface.
  There may be an impact to API integrations that refer to these suppression lists directly by name rather than by their unique identifier, but these cases are rare.
• SMS number did not show as mapped when re-opening a scheduled import. This was a display issue, and did not affect the import's saved mapping.
• Error getting configuration details from Twitter, following their unannounced removal of a previously-recommended feature.
• Error changing password not displayed. If an error message was given when a user attempted to change their own password, this was not displayed.
• Social share widget in Email Builder includes a colon in the text version of the weblink token.
• Social share widget in Email Builder did not correctly apply URL-encoding to reserved characters in an email's subject line.
• Email report PDF generator could wait indefinitely for third-party resources linked from the email content.

🔆 Improved

• Background updates to the bounce manager and how it identifies and categorises bounce messages from ISPs. Currently this is in beta testing so that we can verify that the results are valid compared to (and in many cases improve upon) the current bounce manager.

✅ Fixed

• This release contains background updates to drop terms in Maxemail's codebase that could be considered racially offensive and replace them with more neutral language.

🚧

Upcoming API changes

The next public release will finalise this change by renaming Maxemail's built-in suppression lists, for example Global Bounce List. This will not have an effect on the way customers typically use Maxemail's interface, however integrations using the Maxemail API should be aware of this change in case these lists are referred by name instead of their unique identifier.

More details will be provided ahead of the release, once the date is confirmed, expected November 2021.

• SFTP directories failed to list their full contents if an entry had no access permissions.

🚀 Added

• API control for Recurring SMS
  For customers using the API to send batches of SMS, Recurring SMS campaigns can now be controlled via the API. Developer guide...

🔆 Improved

• SMS data exports are updated to include identifiers for both the unique send and the recurring batch. Developer guide...
• Recipient tab loads more quickly for customers with large volumes of Transactional sends.