Considerations for Hosting Mail Signature Images on Vercel

TLDR;
In certain scenarios, Outlook can 'DDoS attack' your images
If your organization uses Vercel to host email signature images, sends a lot of emails, and also uses a corporate network that concentrates network requests under a small number of IP addresses, beware potential firewall issues.
If you're thinking of using Vercel to host your static email signature images, it will do a fine job (though there are better options IMO), but there are a few things you should be aware of.
Outlook Strikes Again
Coming into this scenario, it was already fairly obvious that Outlook does not cache images the same way that browsers do. In fact, I can say with a decent level of certainty that Outlook does not respect Cache-Control headers whatsoever.
I'm sure there's good reasoning for it, but it still doesn't take the sting away.
If your organization as a whole sends a decent number of emails each day, you will be astounded by how many requests are made to your signature images. In the case I was looking at, the company sent about 30,000 emails a day. Over a 6-day period, Vercel analytics showed approximately 2 million requests were made to the images. Interesting ratio, that.
The Cache-Control Gotcha
We wanted to get those image request counts down. While we didn't have high hopes that enabling Cache-Control would alleviate the issue, we figured that it wouldn't hurt to try.
Spoiler: it did hurt. You see, the company was using a corporate network which gives the appearance that all the image requests are coming from only a few IP addresses. That actually wasn't a problem until we enabled Cache-Control, at which point Vercel's system mitigations flagged it as a DDoS attack and began blocking all the requests because it was clear that the requestor was ignoring the Cache-Control settings. Those pesky DDoS'ers are so predictable 🥴.
Get Proactive with Your Vercel Firewall Settings
Luckily, Vercel has a new feature that allows you to specify IP addresses and CIDRs that should bypass Vercel's system mitigations. However, requests from those sources will contribute to your bill.
In other words, if you tell Vercel that some IPs are okay but those IPs end up DDoS'ing you real bad, you're going to get a hefty bill.
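Before putting an address on the bypass list, it helps to measure how concentrated the image traffic is and how much of it is repeat fetches inside the cache lifetime. The sketch below is an added example, not code from this post or from Vercel; the record format, the paths, the IP addresses and the one-hour max-age are assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import datetime

MAX_AGE = 3600  # assumed Cache-Control max-age (seconds) set on the images

# Constructed sample records: (timestamp, client IP, path). The IPs are
# documentation ranges and the paths are hypothetical.
SAMPLE = [
    ("2024-05-01T09:00:00", "203.0.113.10", "/sig/logo.png"),
    ("2024-05-01T09:00:05", "203.0.113.10", "/sig/logo.png"),
    ("2024-05-01T09:00:09", "203.0.113.10", "/sig/logo.png"),
    ("2024-05-01T09:01:00", "203.0.113.10", "/sig/banner.png"),
    ("2024-05-01T09:01:30", "203.0.113.10", "/sig/logo.png"),
    ("2024-05-01T09:02:00", "203.0.113.10", "/sig/banner.png"),
    ("2024-05-01T09:00:30", "198.51.100.7", "/sig/logo.png"),
    ("2024-05-01T09:00:00", "198.51.100.8", "/sig/logo.png"),
    ("2024-05-01T11:00:00", "198.51.100.8", "/sig/logo.png"),
]

def summarize(records, max_age=MAX_AGE):
    """Per source IP: request count, share of traffic, and repeat fetches
    of the same path made while the previous response was still fresh."""
    per_ip, redundant, last_fetch = Counter(), Counter(), {}
    for ts, ip, path in sorted(records):
        when = datetime.fromisoformat(ts)
        per_ip[ip] += 1
        prev = last_fetch.get((ip, path))
        # Behind NAT, many mail clients share one address, so the origin
        # cannot tell them apart from a single client ignoring the cache.
        if prev is not None and (when - prev).total_seconds() < max_age:
            redundant[ip] += 1
        last_fetch[(ip, path)] = when
    total = sum(per_ip.values())
    return [{"ip": ip, "requests": n, "share": n / total,
             "redundant": redundant[ip]} for ip, n in per_ip.most_common()]

def bypass_candidates(rows, min_share=0.5):
    """IPs that dominate traffic and re-fetch inside the cache lifetime."""
    return [r["ip"] for r in rows if r["share"] >= min_share and r["redundant"]]

if __name__ == "__main__":
    rows = summarize(SAMPLE)
    for r in rows:
        print(f'{r["ip"]:<15} {r["requests"]:>3} req  {r["share"]:.0%}  '
              f'{r["redundant"]} redundant')
    print("review for bypass:", bypass_candidates(rows))
```

Every request from a bypassed address counts toward the bill, so `requests` is the exposure for that address and `redundant` is the portion that caching would have absorbed had the client honored it.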
Alternative Approaches
Hosting images on Vercel works great for many static assets, but images for email signatures can get complicated. Be sure to carefully plan how and where you host those images.
Alternative approaches to consider:
- Use a CDN built for high volume image requests: Cloudflare, AWS, etc.
- Embed images directly in the emails. However, note that this will increase email size, can trip spam filters if not done carefully, and recipients might still choose to block images by default in their email client.
- Use an email signature management tool (Exclaimer, CodeTwo, etc.).
Cache me outside, Outlook.
-MG