Enforce signed email tracking codes (post-rollout) #62624

@dmarchuk

Description

Background

#60229 introduced HMAC signing of email tracking codes (ph_id). It ships fail-open for a safe rollout:

  • parseEmailTrackingCode still accepts unsigned codes, so webhooks/pixels for emails already in inboxes keep working.
  • generateEmailTrackingCode emits unsigned if ENCRYPTION_SALT_KEYS is not configured, so sends never break.

Both are deliberate for rollout. This issue tracks tightening them once signing has fully rolled out.

When to act

Watch email_tracking_code_format_total{format="unsigned"}. Once it drops to ~0 (all in-flight unsigned links have aged out / expired), it's safe to enforce.

Tasks

  • Reject unsigned tracking codes in parseEmailTrackingCode — require the <payload>.<signature> form and a valid signature.
  • Escalate the missing-key fail-open in generateEmailTrackingCode (tracking-code.ts, the if (keys.length === 0) branch): throw or alert instead of silently emitting an unsigned code, so a misconfigured or empty ENCRYPTION_SALT_KEYS is caught loudly rather than degrading silently.
  • Trim/clean the now-redundant unsigned-fallback handling once both are enforced.
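The tightened pair of functions the three tasks describe, written out as an added TypeScript example. This is editor-written illustration code, not PostHog's tracking-code.ts: it assumes the wire format is `<payload>.<signature>` with a base64url JSON payload and a base64url HMAC-SHA256 signature, that the key list mirrors ENCRYPTION_SALT_KEYS (first key signs, every key verifies, so rotation keeps old links valid), and that the payload field names and the "signed"/"invalid" metric labels are made up here. The generator throws on an empty key list, and the parser returns null for anything that is not a well-formed, validly signed code, so there is no unsigned fallback left to trim.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Added example (editor's, not PostHog's tracking-code.ts). Assumed wire format:
//   <payload>.<signature>
//   payload   = base64url(JSON fields)
//   signature = base64url(HMAC-SHA256(key, payload))
// keys models ENCRYPTION_SALT_KEYS: keys[0] signs, every key verifies (rotation).
type TrackingKeys = string[];
type TrackingFields = Record<string, string>;

const B64URL = "[A-Za-z0-9_-]+";
const SIGNED_CODE = new RegExp(`^(${B64URL})\\.(${B64URL})$`);
const UNSIGNED_CODE = new RegExp(`^${B64URL}$`);

function hmac(payload: string, key: string): Buffer {
  return createHmac("sha256", key).update(payload).digest();
}

// Fail closed: an empty key list is a configuration error, not a reason to emit unsigned.
function generateEmailTrackingCode(fields: TrackingFields, keys: TrackingKeys): string {
  if (keys.length === 0) {
    throw new Error("ENCRYPTION_SALT_KEYS is empty; refusing to emit an unsigned tracking code");
  }
  const payload = Buffer.from(JSON.stringify(fields), "utf8").toString("base64url");
  const signature = hmac(payload, keys[0] as string).toString("base64url");
  return `${payload}.${signature}`;
}

// Format classification in the spirit of email_tracking_code_format_total{format=...};
// only the "unsigned" label comes from the issue, the other two are assumed here.
function classifyTrackingCode(code: string): "signed" | "unsigned" | "invalid" {
  if (SIGNED_CODE.test(code)) return "signed";
  if (UNSIGNED_CODE.test(code)) return "unsigned";
  return "invalid";
}

// Enforced parser: a well-formed, validly signed code yields its fields; anything else is null.
function parseEmailTrackingCode(code: string, keys: TrackingKeys): TrackingFields | null {
  const match = SIGNED_CODE.exec(code);
  if (match === null) return null; // unsigned or malformed: rejected outright
  const payload = match[1] ?? "";
  const given = Buffer.from(match[2] ?? "", "base64url");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  const valid = keys.some((key) => {
    const expected = hmac(payload, key);
    return given.length === expected.length && timingSafeEqual(given, expected);
  });
  if (!valid) return null;
  try {
    const parsed: unknown = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return null;
    return parsed as TrackingFields;
  } catch (e) {
    return null; // signature matched but payload is not a JSON object
  }
}
```

The signature is checked before the payload is decoded, so malformed JSON is only ever parsed from data that a configured key produced; rotation is handled by trying every key, which is why the format-metric drop the issue waits for is about unsigned codes, not about codes signed with an older key.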

Metadata

Assignees

Labels

No labels

Type

No type

Projects

Status
Upcoming sprint

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
