Why are spammers using my company's unsubscribe link?

Spammers often scrape public websites or email templates, extracting your legitimate company email and unsubscribe links. They then embed these elements into their unsolicited messages to make the spam appear more credible and trick recipients into engaging with it.

Will this affect my email deliverability or sender reputation?

While you are not sending these spam messages directly, this activity can indirectly affect your sender reputation if mailbox providers see your brand associated with a high volume of complaints. It can also lead to an influx of irrelevant unsubscribe requests for your customer service team.

What is the most important step to take immediately?

The most important immediate step is to gather full email headers from reported spam messages. This information is crucial for investigating the true origin of the email and will help you or your Email Service Provider take appropriate action.

How can DMARC help prevent this kind of abuse?

DMARC helps protect your domain by telling mailbox providers how to handle emails that fail authentication checks but claim to be from your domain. By setting a DMARC policy to 'quarantine' or 'reject', you can prevent spoofed emails from reaching recipients' inboxes, thereby mitigating the impact of such spam campaigns.

Should I tell recipients to click the unsubscribe link?

No, generally you should advise recipients not to click unsubscribe links in suspicious emails. Clicking these links can confirm to spammers that the email address is active, potentially leading to more unwanted mail. Instead, recipients should mark the email as spam or junk.

What to do if spam emails use my company's email and unsubscribe link? - Sender reputation - Email deliverability - Knowledge base

It can be incredibly frustrating to discover that your company's email address and even its legitimate unsubscribe link are being exploited by spammers. This specific type of abuse not only floods your customer service inbox with irrelevant unsubscribe requests but can also raise serious concerns about your brand's reputation and email deliverability. It feels like an attack from within, using your own infrastructure against you.

The immediate impact is usually an overwhelming influx of inquiries from confused recipients, often coupled with complaints about receiving unsolicited emails. While you didn't send these messages, the association can negatively affect how mailbox providers view your domain, potentially leading to your legitimate emails being flagged as spam. Understanding why this happens and what steps you can take is crucial to protecting your brand and maintaining healthy email deliverability.

Understanding the attack

This form of abuse often involves spammers "spoofing" or cloning elements of your legitimate email design, including your brand's official email address in the "From" or "Reply-To" fields, and sometimes even directly embedding a link that points to your actual unsubscribe service. They typically scrape publicly available email content or simply guess common email addresses and domain patterns. This means they aren't necessarily sending through your systems, but rather impersonating your identity. When your brand's email is used for phishing or spam, it's a form of digital identity theft that undermines trust.

The key distinction here is that the emails are not originating from your own email sending infrastructure. Instead, malicious actors are crafting emails that appear to come from your company by using your domain in the headers, or by copying your email template's header and footer, which includes your company's email address and unsubscribe link. This technique leverages your established credibility to trick recipients, making the spam look more legitimate to the unsuspecting eye.

Even if the emails aren't sent through your servers, the fact that your unsubscribe link is active means that clicking it registers on your ESP's system, confirming the email address as valid to the spammers if they are monitoring those clicks. While most legitimate ESPs are designed to handle high unsubscribe volumes from your own lists, an unexpected surge from non-subscribers can create noise and complicate your data, though it typically won't directly harm your sender reputation if your actual sending practices remain clean. The primary concern becomes the operational burden on your customer service team and the potential for reputational damage.

Immediate actions to take

Your first priority should be to gather as much information as possible. Ask your customer service team to forward any complete messages they receive, including full email headers, not just screenshots. The email headers contain vital clues about the true origin of the message, such as the sending IP address, authentication results (SPF, DKIM, DMARC), and the mail servers involved. Without these details, it's difficult to pinpoint the source of the abuse.

Next, immediately contact your Email Service Provider (ESP). If your ESP-hosted unsubscribe link is being misused, they may be able to provide insights or even temporarily disable the specific link if it's uniquely identifiable to the spam campaigns. They can also advise on how their system handles such an influx of unsubscribe requests for email addresses not on your lists. It's crucial to clarify that these unsubscribes are not from your legitimate subscribers but rather a result of malicious activity.

Finally, communicate clearly with your customer service team. Explain that these unsubscribe requests are part of a spam campaign using your company's identity. Provide them with a script or clear instructions on how to respond to these inquiries, emphasizing that recipients should mark the email as spam in their mail client rather than clicking the malicious unsubscribe link. Clicking unsubscribe on a spam email can confirm the email address is active, potentially leading to more spam.

What your team should do

Collect full headers: Instruct your customer service team to obtain the full email headers from reported spam messages. This is crucial for tracing the true origin of the email.
Contact your ESP: Inform your Email Service Provider about the misuse of your unsubscribe link. They may offer insights or solutions related to their platform.
Educate recipients: Advise recipients to mark the suspicious email as spam or junk rather than clicking the unsubscribe link.

Protecting your domain and brand

Implementing strong email authentication protocols is your best defense against domain spoofing and impersonation. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is critical here, as it allows you to tell mailbox providers how to handle emails that fail authentication checks purporting to be from your domain. A DMARC policy set to 'quarantine' or 'reject' instructs receiving servers to either place non-compliant emails in spam or block them entirely, greatly reducing the impact of spoofed messages. You can learn more about a simple guide to DMARC, SPF, and DKIM to get started.

Beyond DMARC, actively monitoring your sender reputation and blocklist (or blacklist) status is essential. Even if you aren't sending the spam, your domain's reputation can suffer due to association, leading to your legitimate emails landing in spam folders or being blocked. Regularly checking your domain against common blocklists can give you an early warning if your brand is being disproportionately affected by these malicious campaigns. Understanding what happens when your domain is blacklisted is key to proactive management.

Reporting the abuse to relevant authorities, such as the Federal Trade Commission (FTC) in the U.S. or similar bodies in other regions, can also be a proactive step. While individual reports may not lead to immediate action, consistent reporting helps authorities track patterns of abuse and take down large-scale spam operations. The FTC provides resources on the CAN-SPAM Act, which outlines requirements for commercial email, including unsubscribe mechanisms.

Example DMARC recordDNS

v=DMARC1; p=quarantine; rua=mailto:dmarc_reports@yourdomain.com; fo=1;

Benefit	Impact
Enhanced spoofing protection	DMARC helps mailbox providers reject or quarantine emails that spoof your domain, preventing unauthorized use.
Visibility into abuse	Aggregate reports provide data on who is sending email purporting to be from your domain, even if unauthorized.
Improved deliverability	By establishing clear sender authenticity, your legitimate emails are less likely to be marked as spam.
Brand reputation safeguard	Prevents spammers from damaging your brand's trust by associating it with malicious content.

Long-term prevention and reputation management

Maintaining robust email security practices for your own legitimate sending is crucial. This includes ensuring your SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) records are correctly configured and cover all legitimate sending sources. Errors in these records can cause your own emails to fail authentication, making it harder for mailbox providers to distinguish your legitimate mail from spoofed spam. Regularly reviewing your email infrastructure for any vulnerabilities is also a wise practice.

It's also important to educate your internal teams, especially customer service and marketing, about the nuances of email abuse and how to respond appropriately. Training them to identify suspicious emails and to understand why clicking unsubscribe on unsolicited mail is risky can prevent further issues. They should be aware of how to mark the email as spam, a vital action that helps mailbox providers improve their spam filtering.

Consider proactive measures to prevent your email content from being easily scraped or cloned. While it's impossible to completely prevent sophisticated spoofing, strong email authentication makes it significantly harder for spammers to leverage your domain's reputation. Continuously monitoring DMARC reports is vital for catching any further attempts at domain impersonation. If you're encountering issues with emails going to spam, a comprehensive guide on why your emails are going to spam can provide further assistance.

Views from the trenches

Best practices

Implement DMARC with an enforcement policy (p=quarantine or p=reject) to protect your domain.

Instruct CS to obtain full email headers from users reporting spam to aid investigation.

Proactively monitor DMARC reports for signs of domain spoofing and abuse patterns.

Advise recipients to mark suspicious emails as spam rather than clicking unsubscribe links.

Common pitfalls

Assuming emails with your brand's unsubscribe link originated from your ESP.

Clicking unsubscribe links in suspicious emails, which validates your email address.

Not having a DMARC policy, leaving your domain vulnerable to impersonation and spoofing.

Underestimating potential reputational damage caused by spam associated with your company.

Expert tips

Ensure your ESP validates Reply-To addresses, or that your mail provider aligns these.

Collaborate with your ESP to temporarily disable compromised unsubscribe links if possible.

Analyze email headers for the true origin and authentication status of suspicious messages.

Focus on educating your customer service team to handle spam-related inquiries effectively.

Expert view

Expert from Email Geeks says that you do not need to worry too much about deliverability impact if you did not originate the messages.

2022-11-09 - Email Geeks

Expert view

Expert from Email Geeks says that ESP unsubscribe links are typically unique per recipient and suggests reaching out to the ESP to see if the link can be disabled.

2022-11-09 - Email Geeks

Safeguarding your email identity

Dealing with spam emails that misuse your company's email and unsubscribe link is a challenging situation that requires a multi-faceted approach. While the immediate concern is often the influx of customer inquiries and potential damage to your sender reputation, proactive measures can significantly mitigate these risks. By focusing on strong authentication, vigilant monitoring, and clear internal communication, you can protect your brand's integrity and ensure your legitimate communications continue to reach their intended audience.

It's a constant battle against evolving spam tactics, but with the right strategies, you can stay ahead. Prioritizing email authentication, being prepared to investigate incidents, and educating your team are key pillars in maintaining a healthy and trusted email presence. Protecting your email identity is an ongoing commitment, but it's one that pays off in sustained deliverability and brand trust.