Forwarded Signing Invitation Emails

Issue

You sent an envelope to a signer for signature.  The intended signer forwarded the email to a different person, who was able to access the envelope and sign.  This behavior raises concerns about how to make sure that the correct person signs an envelope, and how to make sure that only the correct parties have access to an envelope.

Since this scenario handles two different issues, there are multiple configuration options available to address it.  The most common method of collecting signatures via DocuSign is via email, where the DocuSign system sends each signer an email containing a link to the envelope that requires signature.  If the recipient of that email forwards it to someone else or publishes the contents of the email in any way, other parties may be able to view the contents of the envelope, and may be capable of signing as the recipient.

Using a Direct PowerForm (where no email verification or recipient authentication is performed) to gather signatures will also create a situation where it is difficult to prove the identity of a signer.  Proof exists that a person accessed the link, entered the name and email listed in the envelope, and signed it.  However, this workflow does not force the signer to prove they have access to the email address they provided.  Again, multiple configuration options exist to avoid this situation.

Using DocuSign's API, it is possible to embed an envelope into your website.  A "captive recipient" is the term used for the signer of such an embedded envelope.  As with a Direct PowerForm, DocuSign does not perform any inherent verification of a signer's identity with this workflow.  When using an embedded envelope workflow with DocuSign's API, it is advised that the signer's identity be verified to your organization's satisfaction before granting them access to the embedded envelope.

Solution

Signer Instructions
DocuSign includes the following warning message in all signing invitation emails:
 
Do Not Share This Email
This email contains a secure link to DocuSign. Please do not share this email, link, or access code with others.   Additionally, the sender has the option to provide a custom email message to the signer.  As the sender, you can provide more explicit instructions to not forward the email, and to contact you as the sender if another party needs access to the envelope.  

Correcting the Envelope  
As the sender, you have the ability to edit an In Process envelope via the Correct tool.  This tool allows you to change the name and email address of any recipients who have not signed the envelope yet, as well as add new recipients or remove ones that do not need to act on the envelope.  For more details, please see this guide.

Signer Reassign  
DocuSign offers the ability for a signer to reassign an envelope to someone else.  If a recipient reviews an envelope and determines that they are not the correct person to sign it, they can use the "Assign to Someone Else" option (under Other Actions) to designate the name and email address of the new signer.  If a recipient does this, DocuSign will replace the original recipient's information with the new recipient, and send a new signing invitation email to that new signer.  Using this process will also revoke the original recipient's access to the envelope.  This guide contains a description of the options available to a signer, and we advise using this as a basis for any instructions you provide to your signers.  

PowerForm Email Verification
While configuring a PowerForm, you can choose "Require email validation".  Choosing this setting will send the signer an email with an access code in it, which the signer must enter before they can access the envelope.  For directions on how to configure a PowerForm in this manner, please see this guide.

Access Code
As the sender, you can designate an access code for each recipient of your envelope.  You would then provide these access codes to your recipients separately from the signing invitation emails DocuSign sends.  The recipient would be required to enter the Access Code before they would be able to see the contents of the envelope.  For more details about using this feature, please see this guide.  

Third-Party Authentication
DocuSign has partnered with third-party identification services to enable you to more reliably validate the identity of your recipients.  These services incur per-use fees, and can only be used if they have first been enabled on your DocuSign account.  Please see this guide for more details on these features.

Captive Recipient Best Practices
Integration design is a complex topic. Generally speaking, unique system IDs and other metadata can be added to a recipient role. This data can then be set as a requirement to access the signing session. A remote system authenticates a user, then supplies this code to DocuSign, and an audit trail is established to the identity as verified by the client system.  For more information about DocuSign's API and what it can do, please see our Developer Center.

Learn More

Best Practice - do not forward DocuSign email notifications


Keywords:  Forwarded, Email, Forward, Signing, Signer, Wrong Signer, Wrong Name