Yes, this is expected behavior as the system does pre-fetch and scan the destination of the URL as it passes through the service, and at click time. We understand this will cause problems with a minority of email-based URLs, but offers the best opportunity to catch malware, viruses, and phishing attacks.
We do not at this time have an article about how this process causes one-time use only URLs to be invalidated, but I am in the process of writing one and will post the URL to that article as soon as it's published. The options for resolution are whitelisting the URL on the ClickProtect Allow List, or, disabling ClickProtect for specific users or the domain, the latter only being the recommended option if it's determined that the service is not compatable with a particular organization.
Blocking access from the McAfee SaaS IP ranges would be very detrimintal to the user experience, as the system will not be able to complete the appropriate scan, and will return an error stating that we could not connect to either a broken, invalid, or local URL.
Brad, is it possible to add a domain to a global whitelist in your product, rather than having to have each customer do it individually? if so, how would one go about doing that? I certainly understand the reasons you would not want to make this easy to do.
Your click protect software's burning of our links just prior to the customer clicking on a single use link, drives up calls to our support center, who don't really have the skills to troubleshoot this sort of problem. Even if they did, I would bet a majority of the users who call in would not know their company's email is hosted by mxLogic or mcafee SaaS. They just know their email address is email@example.com. They don't know that the email for someplace.com is hosted by Mcaffee. Would they know how to whitelist our domain?
We have other options available, we could could put warnings up on our site to not use MxLogic hosted email addresses for one time link functions, or that user's of mxLogic hosted email addresses should add our domain to their whitelist. Again, I'm fairly certain most of our end users would not know their email was hosted by McAfee so this doesn't seem like it would be effective. Also, making single use links "multi use" seems to defeat the purpose.
The SaaS Service does not maintain any global allow-list, each customer is free and responsible for determining what risk they expose their network to (and an allow-list entry is a risk exposure). On top of that, the Sender Allow list does not affect ClickProtect, which uses a separate allow list based on the actual URL. The ClickProtect service, while valuable to most organizations, is not perfect for every organization. Each organization must evaluate each facet of the service and customize it to fit their needs: If ClickProtect does not work for their needs, each customer is free to disable it. That's why the product does not provision with ClickProtect enabled, specifically because it's not perfect for everyone. It's up to the Administration in any organization to weigh the pros and cons and enable the service, and unfortunately as an outside service there isn't much you can do about it, other than if they are using the service, and their admin has enabled the service, they should contact their internal help desk or IT consultant to either disable the service or find some resolution.
A lot of organizations have actually turned away from using One-Time Use URLs that trigger an action immediately upon access to instead directing to a page that requires the end user to click a confirmation button to trigger the one-time-use action. A big motivator for that change has been the use of services like ClickProtect and other policies that scan what is linked to in a URL and thus trigger the URL.