WhiteLabelled | achieve white-labelling without duplicating targets | Android library

We develop whitelabelled apps. To comply with apple guidelines, we make our customers create their own apple developer account and then they invite our account to manage theirs (bcs according to apple guidelines it is the content owner that needs to submit the app to the appstore, not the developer of whitelabelled solution).

So far I manage cca 60 accounts (all of them invited one account that I am the Account Holder for). Everything worked fine (other than it makes automation little bit more challenging), until I wasnt able to find one of the teams in the teams list on apple dev portal.

So on appstore connect I saw that I am member of this team with access to dev resources (apple dev portal). But in the apple dev portal this team was not in the list of teams to choose from.

I have left some other teams then, and this team suddenly appeared in the list of teams to choose from.

Conclusion I made is that there is a limit on how many accounts you can manage from one account. I have asked apple if that is true, but it has been several days and no answer (I posted a bug report through their bug reporter, and I also sent this question to them through web form on their site).

Has anyone encountered this limit? if so, do you have information on how big this limit is? And how did you solve this whole situation? Did you create a new apple id that your customers invite to manage their accounts now?

I am kinda lost now, and apple being silent about this (and the fact that I have not found this documented anywhere) isnt really helping.

We develop, deploy and maintain a web based booking system for a growing number of clients. The web application is branded for each client, including using their own domain name in the URL that users browse to.

We send booking confirmation emails via SendGrid and want them to appear to the recipient as though they are coming from the client's domain. We have not set up any subusers yet.

Our clients tend to have seasonal campaigns that result in occasional surges of booking-related email, followed by quiet periods.

We are happy with our current deliverability and have a good reputation score.

Assume that:

• Our SaaS domain is mybookingapp.com.

• Client domain is clienta.com (...clientb.com etc.)

• We have control over DNS records for mybookingapp.com, clienta.com etc.

Currently, we have configured SendGrid's IP-whitelabelling so SendGrid identifies the originating server as mybookingapp.com ("Received: from o1.email.mybookingapp.com") with a From address of bookings@clienta.com.

We have got green ticks in all the SendGrid DNS settings so we know that DKIM, SPF and rDNS are OK.

I am acutely aware that the domain of the from address (bookings@clienta.com) does not match our application's domain name (mybookingapp.com). This results in mail clients like GMail showing the sender as "bookings@clienta.com via mybookingapp.com". This is slightly disconcerting for users because, until receiving the email, they don't know anything about mybookingapp.com. I also have a possibly unfounded suspicion that this discrepancy is affecting deliverability.

To meet client expectations, we are looking at options to remove all mention of mybookingapp.com from the email.

Should I:

a) Recommend we buy an IP address for every client and do IP-whitelabelling at a non-negligible cost of USD $30/month, particularly for a client that only does occasional campaigns. My research suggests that multiple dedicated IP addresses are usually used by companies with very high email volumes to keep their reputation safe and isolated.

b) Simply set up a whitelabelled domain for each client but continue to use a single IP address. My assumption is that this will cause an RDNS problem (because reverse lookup on an IP can only point to a single domain) and while eliminating the "via mybookingapp.com", possibly affect deliverability.

c) Do something else?

I'm trying to get CORS working with a whitelist of domains based on the customers that exist in our system. We have a whitelabelled product that let's a company CNAME a custom domain to our system. We need to be able to on the fly allow Origin's that come from any of these custom domains by adding in a Access-Control-Allow-Origin: http://some.custom.domain header to the response from HaProxy.

I've been reading about different ways of loading lists/maps from haproxy but I'm just not settled on the best implementation. I've come up with roughly 3-ish possible ways of doing this but I wanted to see if anyone else had some insight as well. My options thus far:

1. Store a map of available domains that I can look for when adding headers. How this map file gets populated is the question at the moment. I suppose I could do an API call through LUA on boot to create the file? Or it could be an NFS mounted file? We'd have to reload each time a new domain is added to our system, either through the same api call or directly to the maps api on the socket.

2. Use LUA to make live requests to an api on every quests through haproxy to validate if the domain passed in on the Origin is legit and add the header in. Could potentially use Memcached for minimal overhead assuming we can find a LUA client lib for memcached.

3. Possibly implement some sort of DNS based solution where we run our own DNS server that resolves these custom domains and have HaProxy do a lookup on that. I don't know if this is possible, I jsut know haproxy has DNS capabilities. The weird thing is that we don't actually want to resolve to an IP, we just want a "yes" or "no" answer.

Does anyone else know of an obvious solution to this problem? I'm looking for ease of implementation, but ultimately minimal overhead on the requests themselves since this will need to occur on EVERY request with an Origin header.

Any insight appreciated!