If you are a calendly.com customer, and are having an issue with your clients receiving emails from you... this article is for you!
Date: 2024-04-10
Author: Simon Jackson
My friend, who runs a company using Calendly alongside Gmail (Google Workspace subscription), has encountered a long stream of issues where their customers reported receiving Calendly email invites in their spam/junk folders. Intrigued by this, I delved deeper into the matter to understand the root cause and potential solutions.
I did an investigation for about 1 hour, with my client, and this is what I found:
Calendly don't publish help articles about configuring your domain for SPF
- Configuring your domain for SPF is pretty crucial in today's day and age. You can read more about it here.
Surprisingly, very few competitors do either; only HubSpot and ChilliPepper are leading the way.
I'll address this issue below.
Google Mail (Gmail) configured to sign emails using a DKIM signature, works perfectly with 1024-bit length keys.
- Gmail offers the option of 'Authenticating email with DKIM' in the admin.google.com console. Generating a 1024-bit or 2048-bit signature FAILS to correctly sign emails.
I have addressed this issue in this blog entry.
The objective of this article is quite simple. Walk through my findings, explain what I can to help others who stumble upon my article, and provide just-enough technical insight to support Calendly Technical Staff to aid them in starting their own investigation surrounding this issue.
Calendly is an online event scheduling tool that helps businesses and individuals streamline the process of booking appointments and meetings. It allows users to create personalised scheduling links that can be shared with clients, prospects, colleagues, or anyone else who needs to schedule time with them.
User Setup: Users set up their availability preferences within Calendly, including their defined working hours, meeting durations (30-60 minute slots), and buffer times between appointments (5-15 minutes).
Share Scheduling Links: Users then share their Calendly scheduling links via email, social media, or embedded on their website. These links allow others to view the user's availability and schedule appointments accordingly.
Automatic Scheduling: When someone clicks on the scheduling link, they're shown the user's available time slots. The person can then choose a convenient time and book the appointment. Calendly automatically updates the user's calendar and sends confirmation and reminder emails to both parties.
Integration with Calendar Apps: Calendly seamlessly integrates with popular calendar apps like Google Calendar, Outlook, and iCloud Calendar, ensuring that users' schedules are always up to date.
Integration with Gmail: Instead of just sharing links with a description of the meeting schedule, you can now directly share calendar entries with all parties, as long as you have the contact's email address.
Time-saving: Calendly eliminates the back-and-forth communication typically involved in scheduling appointments, saving businesses valuable time and resources.
Improved Customer Experience: Clients and customers appreciate the convenience of being able to schedule appointments at their own convenience, leading to higher satisfaction levels.
Increased Team Efficiency: With automated scheduling and calendar integration, businesses can better manage their time and resources across business-units (teams), leading to improved productivity.
Scalability: Calendly is scalable and can accommodate the scheduling needs of businesses of all sizes, from solopreneurs to large enterprises.
Professionalism: Using Calendly can enhance a business's professional image (branding, pre-set event types etc) by providing a seamless and efficient scheduling experience for businesses and clients/customers.
According to AutoSPF.com
In the year 2020, 76.8% of all domains have SPF configured; including 96% of financial institutions. These two points highlight how wide-spread SPF is, and how important this is to businesses.
Companies without an SPF record are immediately lowered in spam-confidence-level by a factor of 20%, with a 10% increase in bounced outbound mails.
Only 8-10% of domains use SPF as their only mail-authentication process, highlighting the necessity to communicate the other standards (DKIM and DMARC for starters; there are several more).
83% of poor email delivery scenarios are caused by a bad sender reputation.
3.4 billion phishing emails are sent every day. As a former Mimecast customer administrator, 90% of the emails inbound were quarantined due to failures in SPF, DKIM or DMARC, highlighting that there must be a large quantity of emails still getting through due to poorly configured mail-services.
A staggering 68% of phishing emails get through SPF and DMARC processes, by using unprotected domains, due to poor configuration.
Without a proper SPF setup companies compromise on brand security; 91% of cyberattacks now start with phishing emails.
Stats according to dmarc.org
In 2021 a staggering 8.6 million email services are signed with DKIM signatures, showing how widespread DKIM truly is.
The length of RSA keys for DKIM signing has climbed significantly between 2020 and 2021 from 1.3 million to 6.3 million - that's 485%
Phishing is a type of cyber attack where malicious actors impersonate legitimate entities, such as banks, government agencies, or reputable companies, in order to deceive individuals into providing sensitive information like passwords, credit card numbers, or personal data.
This is typically done through deceptive emails, text messages, or websites that appear authentic but are actually designed to trick recipients into divulging confidential information. Phishing attacks often exploit human psychology, relying on urgency, fear, or curiosity to manipulate victims into taking actions that compromise their security.
Phishing poses a significant threat to individuals and businesses alike, as falling victim to these attacks can result in identity theft, financial loss, or unauthorized access to sensitive data. Vigilance, education, and the use of security measures like anti-phishing software are crucial in combating this pervasive threat.
This diagram should cover off the principal behaviour:
We are going a little off-topic now. An SPF record is effectively a DNS record at the root of your domain.
Configuring SPF requires a bit of understanding and a lot of preparation.
Here is a table of configuration options - and probably more importantly, a link to an SPF record generator (here)
Note: There are plenty of additional options, regular expressions and even variables (associated with macro logic) that can be used here.
DKIM is usually configured by the mail-transport-service, through actions of the mail-service administrator. If that's not you, get a professional in to do it. I won't give steps here, as this could
Microsoft Exchange On-Premise: https://github.com/Pro/dkim-exchange/
Microsoft Exchange Online: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide
Google Mail: https://support.google.com/a/answer/180504
ProtonMail: https://proton.me/support/anti-spoofing-custom-domain
Zoho Mail: https://www.zoho.com/mail/help/adminconsole/dkim-configuration.html
The Reporting and Conformance aspect is a bit difficult to wrap your head around; unless you have access to a DMARC reporting service.
This website has one (along with lots of other reporting mechanisms) - and as a consumer from product launch, I cannot vouch highly enough for this managed service. https://report-uri.com/products/dmarc_monitoring
If you are able to view the RUA or RUF reports, you can align/tweak the required policy.
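What reading an RUA report for that purpose can look like, as an added example that is not part of the original article: a Python summary of one aggregate report per sending IP. The report is a constructed sample in the RFC 7489 aggregate XML layout, and example.com and all IP addresses are documentation placeholders.

```python
# Added example (not from the original article). SAMPLE_RUA is a constructed
# DMARC aggregate (RUA) report in the XML layout of RFC 7489; example.com and
# the 192.0.2.x / 198.51.100.x addresses are documentation placeholders.
import xml.etree.ElementTree as ET

SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.9</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def summarise(report_xml):
    """Per source IP: messages passing DMARC, failing DMARC, and failing aligned SPF."""
    out = {}
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        entry = out.setdefault(ip, {"dmarc_pass": 0, "dmarc_fail": 0, "spf_fail": 0})
        # DMARC passes when either aligned check (SPF or DKIM) passes.
        entry["dmarc_pass" if "pass" in (spf, dkim) else "dmarc_fail"] += count
        if spf != "pass":
            entry["spf_fail"] += count
    return out


def spf_failing_sources(report_xml):
    """IPs sending as your domain that your SPF record does not (yet) authorise."""
    return sorted(ip for ip, e in summarise(report_xml).items() if e["spf_fail"])


if __name__ == "__main__":
    for ip, entry in summarise(SAMPLE_RUA).items():
        print(ip, entry)
```

A source that fails SPF but belongs to a service you use is a candidate for your SPF record; one you do not recognise is the reason to move the policy beyond `p=none`.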
As a Calendly subscriber, you are considered their client, not merely a customer. You contribute to their revenue stream, and therefore, it is both commercially and ethically incumbent upon Calendly to address any issues that may affect your email deliverability.
As a 'free-tier' customer - you don't get any say. Just community forums that land you on articles like this.
While Calendly should ideally provide comprehensive guidance on resolving such issues, I hope you find this external help article useful as we aim to assist subscribers like yourself in navigating email authentication challenges effectively.
If you are the IT Administrator for the Calendly Client, then it's your responsibility to ensure your client's emails are authorised to be sent from your domain.
Go through this very basic process to stop your invites to customers arriving as spam.
Find out who your DNS Provider is. GoDaddy, CloudFlare, AWS, SquareSpace.. whoever it is - find their administration console to manage DNS records.
The following record is an example, showing what a Google Mail (Gmail) hosted company would use. Find the domain name in question, then find the TXT record with `v=spf1` at the start of the value and edit it. Find the space before the `-all` (or `~all`, whichever you have) and paste in ONLY the highlighted section of text from the table below. Be careful not to modify any other items in that record. Finally click Save.
Usually 1 hour, but could be as much as 24 hours - all depends on the previous TTL value you had BEFORE you clicked save.
EG: 3600 seconds = 1 hour.
Now when your company sends emails (via Calendly) to the outside world, the recipient's mail server is able to complete the SPF Authorisation check, shown as part (3) in the above diagram.
Your mail should arrive now, and be considered a lower spam-confidence-level. Assuming there are no other factors limiting mail-delivery, this should now reach the recipient's Inbox folder.
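The record edit described in the steps above, as an added example that is not part of the original article: a Python helper that inserts one mechanism before the `all` term and rejects a result that would exceed the SPF DNS-lookup limit. The include target `spf.scheduler.example` is a placeholder for the value your scheduling service publishes, and the Gmail record is a constructed sample.

```python
# Added example (not from the original article). The include target
# "spf.scheduler.example" is a placeholder for the value your sending service
# publishes; the Gmail-hosted record below is a constructed sample.

# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10 per check.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Split an SPF TXT value into its terms, rejecting non-SPF input."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return terms


def is_all(term):
    """True for the catch-all mechanism: all, -all, ~all, ?all, +all."""
    return term.lstrip("+-~?").lower() == "all"


def lookup_count(terms):
    """Count terms that trigger DNS lookups (direct terms only, not nested includes)."""
    n = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        for sep in (":", "=", "/"):
            name = name.split(sep, 1)[0]
        if name in LOOKUP_TERMS:
            n += 1
    return n


def add_mechanism(record, mechanism):
    """Insert `mechanism` just before the all term, leaving everything else untouched."""
    terms = parse_spf(record)
    if mechanism.lower() in (t.lower() for t in terms):
        return record  # already authorised, nothing to change
    idx = next((i for i, t in enumerate(terms) if is_all(t)), len(terms))
    updated = terms[:idx] + [mechanism] + terms[idx:]
    if lookup_count(updated) > 10:
        raise ValueError("more than 10 DNS-lookup terms: receivers return permerror")
    return " ".join(updated)


SAMPLE = "v=spf1 include:_spf.google.com ~all"  # constructed Gmail-hosted record
UPDATED = add_mechanism(SAMPLE, "include:spf.scheduler.example")
print(UPDATED)
```

Anything placed after the `all` term is never evaluated, which is why the new mechanism has to go in front of it.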
I truly hope someone found this article useful.