Email Spoofing - pallavitewari21/Secure-Code GitHub Wiki
Risks
Over 95% of email sent over the internet consists of unwanted email: “spam”. Most spam uses spoofed addresses. If your domains are being used in spam messages, spammers may be taking advantage of your users to:
Steal their credentials by sending “phishing” messages.
Trick them into falling for online scams by abusing the trust they have in your site.
Spread malware by sharing malicious attachments.
Prevention
As a website owner you should prevent your domains being used in spam mail by adopting both of the following approaches:
Implement the Sender Policy Framework (SPF): publish a DNS record that explicitly states which servers are allowed to send email for your domain.
Implement DomainKeys Identified Mail (DKIM): use a digital signature to prove that an outgoing email was legitimately sent from your domain and that it was not modified in transit.
There is also an emerging umbrella standard called DMARC (“Domain-based Message Authentication, Reporting & Conformance”) that you should be aware of. It tells receiving servers what to do with mail that fails SPF or DKIM checks and where to send reports. Read more about DMARC here.
Adopting these technologies also has the benefit that the emails you send are less likely to be marked as spam.
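To make the SPF side of this concrete, here is an added example (not code from the wiki, and not any vendor's implementation) that evaluates an SPF record the way a receiving mail server would: it walks the record's mechanisms in order, checks the connecting IP against `ip4`/`ip6`, `a`, `mx` and `include` terms, and applies the qualifier (`+`, `-`, `~`, `?`) of the first match. It also reads the domain's DMARC policy tag. All DNS data is a constructed in-memory table (`FAKE_DNS`, with RFC 5737 documentation addresses and made-up hostnames) so the script runs offline; the domain names, records and the simplified mechanism set are assumptions, and modifiers such as `redirect=` or `exists` are reported as `permerror` rather than implemented.

```python
import ipaddress

# Constructed, in-memory DNS zone standing in for real lookups (assumption: example data only).
FAKE_DNS = {
    "example.com": {
        # Allow this domain's own A and MX hosts, one extra IP, and a third-party sender;
        # hard-fail ("-all") everything else.
        "TXT": ["v=spf1 a mx ip4:203.0.113.5 include:_spf.mailprovider.example -all"],
        "A": ["192.0.2.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    # A hypothetical email service's SPF record, referenced via include: above.
    "_spf.mailprovider.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    # DMARC policy: reject mail that fails both SPF and DKIM alignment.
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of the given type for a name from the constructed zone."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def host_has_ip(name, addr):
    """True if any A record of `name` equals the connecting address."""
    return any(ipaddress.ip_address(a) == addr for a in lookup(name, "A"))


def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a message arriving from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat deep include chains as a permanent error
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A bare address parses as a /32 or /128 network; version mismatch never matches.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, addr)
        elif mech == "mx":
            matched = any(host_has_ip(mx, addr) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            # include: matches only when the referenced record yields "pass" for this IP.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            # Simplification: redirect=, exp=, exists and ptr are not implemented here.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present


def dmarc_policy(domain):
    """Return the DMARC 'p' tag for the domain, or None if no DMARC record exists."""
    for txt in lookup("_dmarc." + domain, "TXT"):
        if txt.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
            return tags.get("p", "none")
    return None


if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.25", "203.0.113.5", "198.51.100.77", "192.0.2.99"):
        print(f"{sender:>16} -> {check_spf(sender, 'example.com')}")
    print("DMARC policy for example.com:", dmarc_policy("example.com"))
```

The ordering matters: because `example.com` ends in `-all`, any host not named earlier in the record gets a hard `fail`, while the third-party provider's own `~all` only produces a `softfail` for its unlisted addresses. When you publish your own record, check it the same way against every IP that legitimately sends for the domain (web servers, marketing services, ticketing systems) before switching from `~all` to `-all`, and only move the DMARC policy to `p=reject` once the aggregate reports show no legitimate mail failing.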
Code Samples
Implementing SPF and DKIM requires publishing new DNS records and making configuration changes to your technology stack - consult the documentation for your email sending service or software for details. Here are the relevant documentation links for some of the more common methods of sending email.
Transactional Email Services
Transactional emails are sent programmatically in response to actions on a website or application. If your site makes use of transactional email (during sign-ups or password resets, for example) you need to ensure you are sending authenticated mails. Here’s how to set up authenticated emails in the leading transactional email services.
Amazon Simple Email Service
Mailgun
Mailjet
Mandrill
Pepipost
Postmark
SendGrid
SendinBlue
Email Marketing Services
Email marketing services allow bulk-sending of emails to targeted mailing lists. If your sales and marketing staff make use of this kind of service, you need to ensure they are sending authenticated mails.
ActiveCampaign
AWeber
Benchmark
MailChimp
Mail Transfer Agents
If your organization hosts its own email servers, your system administrators will be making use of “Mail Transfer Agent” software. The most common MTAs are Microsoft Exchange (on Windows) and Sendmail/Postfix (on Linux). Here’s how to implement authenticated email on those platforms:
Microsoft Exchange
Sendmail
Postfix