Email link scanning services and DocuSign email notifications

Issue

When attempting to click a one-time use hyperlink from a DocuSign email notification you may receive a notice that the link has already expired or is no longer available. "Error: There was an error processing your request: This envelope was opened in another browser session. Your signature has been reset, please adopt your signature again and complete signing."


or


Unusual behavior may appear in the DocuSign envelope history such as:
  • Document views from people that are no longer with the company
  • A doubling of views in the history for each email notification.
  • A mismatch of IP addresses that don't appear to belong to the recipient of the email notification

Cause

Many antivirus and malware protection software companies offer an email scanning service that will do 2 things:

  • Click the link to validate that endpoint is safe/secure.
  • Rewrite the URL to include tracking and a forwarding rule of the email recipient to the correct website

The click through of the link is the biggest problem in that it shows in our system that the link has been followed. This can cause oddities and inconsistencies in an envelope's history as noted above. A second and more pressing concern is that it will invalidate one-time use links. This means several things:

  • Password reset links may be expired before the recipient ever gets them.
  • Accounts will be automatically activated
  • Links to sign envelopes may be expired and no longer valid

Essentially, URLs that point to a destination that completes an action that is entirely automated without confirmation via further action on the site will cause the action to be completed automatically.

Known companies that provide this service are:

  • Microsoft Office 365 - Advanced Threat Protection
  • McAfee - ClickProtect
  • Proofpoint - URLDefense Targeted Attack Protection

Solution

The service will need to be disabled or emails from the domain DocuSign.net will need to be whitelisted through the service. Please contact the service provider of the email link scanning service to determine how to take these steps or contact your local IT administrator for more information.