What to do if spam emails use my company's email and unsubscribe link?

Key findings

• No deliverability impact: If your company did not originate the spam messages, it's unlikely your email deliverability will be directly harmed, as the negative activity isn't associated with your sending reputation.
• Exploited headers and footers: Spammers often copy legitimate company email headers and footers, including contact information and unsubscribe links, to make their unsolicited emails appear credible.
• Inundated customer service: The primary immediate impact is typically an increase in customer service inquiries and unsubscribe requests from recipients who wrongly believe your company sent the spam.
• ESP role: Email Service Providers (ESPs) generally require unsubscribe links in legitimate emails. Spammers may choose a valid company's contact or unsubscribe link to appear compliant.
• DMARC monitoring: This situation often indicates email spoofing, where malicious actors forge your domain in the From address, making DMARC monitoring essential to detect such abuse.

Key considerations

• Collect evidence: Gather full email headers and the original messages from recipients to identify the true sender and origin of the spam. Screenshots alone are often insufficient.
• Contact your ESP: Consult your Email Service Provider. They may be able to analyze the situation, disable the specific compromised unsubscribe link, or provide guidance on protecting your branding.
• Implement DMARC: Ensure you have a robust DMARC policy (preferably p=reject) to prevent unauthorized use of your domain for email sending. This is crucial for stopping email spoofing.
• Educate customer service: Train your customer service team on how to respond to these requests, explaining that your company is also a victim and guiding users on how to report spam effectively.
• Report abuse: Report the spam to the relevant authorities, such as the Federal Trade Commission (FTC), and the abuse departments of the true sending email providers (if identifiable from headers).

Key opinions

• Brand reputation risk: Marketers are primarily concerned with how this misuse impacts their brand's perception and trust among customers, leading to a negative association with spam.
• Customer service burden: The influx of unsubscribe requests from non-subscribers can overwhelm customer support teams, diverting resources from legitimate customer interactions.
• Unsubscribe link vulnerability: Some ESP-hosted unsubscribe links may not be robust enough to handle high volumes of invalid requests or distinguish between legitimate and illegitimate clicks.
• Reporting is key: Many advise reporting the abuse to the ESP or host of the malicious sender, as they are often required to comply with CAN-SPAM regulations.
• Distinguishing reply-to vs. content: It's important to discern if the email address is being used in the Reply-To header or simply copied into the message body (header/footer content scrape).

Key considerations

• Monitor inbound requests: Keep a close eye on the volume and nature of unsubscribe requests and support tickets to gauge the scale of the issue.
• Automate responses where possible: Implement automated responses for unsubscribe requests, clarifying that these emails were not sent by your company and directing users on how to report them.
• Internal communication: Ensure all relevant internal teams (CS, marketing, legal) are aware of the situation and coordinated in their response.
• Review email assets: Periodically review your email templates and publicly available assets to minimize the ease with which spammers can scrape your content.
• Enhance unsubscribe process:Strengthen your legitimate unsubscribe processes to handle legitimate requests efficiently and differentiate them from fraudulent ones.

Key opinions

• Reputation impact: The overall sending reputation of the victim company is unlikely to be significantly affected, as these messages are not originating from their infrastructure or authorized senders.
• ESPs and reply-to validation: Many Email Service Providers do not validate Reply-To addresses, making them susceptible to misuse. Also, the spam might not even be relayed through a reputable ESP.
• Spoofing detection: Monitoring DMARC reports is critical to identify if your domain is being spoofed in the From header.
• Unsubscribe link vulnerability: ESP unsubscribe links are usually unique per recipient. If they are being mass-used, it suggests a content scraping issue rather than direct email spoofing.
• Mitigating customer impact: It's advisable to replace the content of the compromised unsubscribe link with a notice clarifying that it's a phishing attempt and that the link won't work for the emails users received.

Key considerations

• Forensic analysis: Always request full message headers from affected recipients. These headers provide crucial information to trace the true origin of the spam.
• ESP collaboration: Work closely with your ESP. They might be able to disable the specific unsubscribe link being abused or provide insights into unusual activity related to your account.
• DMARC implementation: Ensure your DMARC policy is actively enforced (quarantine/reject) to prevent unauthorized senders from using your domain. This is the most effective technical defense.
• Public messaging: Consider a public statement or FAQ for customers explaining the situation and advising them not to engage with these fraudulent messages.
• Abuse reporting: Report the abuse to relevant authorities and ISPs when you have sufficient evidence of the spam's origin.

Key findings

• CAN-SPAM compliance: The CAN-SPAM Act mandates that commercial emails include a clear, conspicuous, and functional opt-out mechanism.
• Identity transparency: Senders must accurately identify themselves and their purpose in the email, preventing deceptive practices often used by spammers.
• Unsubscribe link necessity: An unsubscribe link is a critical component of respectful and compliant email marketing, allowing recipients to manage their preferences.
• Reporting mechanisms: Regulatory bodies like the FTC provide clear channels for consumers to report unsolicited or deceptive emails, which can indirectly help abused brands.
• DMARC as a standard: DMARC (along with SPF and DKIM) is increasingly recognized and recommended by email providers as a standard for protecting domains from unauthorized use and spoofing.

Key considerations

• Legal obligations: Businesses must understand their legal responsibilities regarding unsubscribe links to avoid penalties, even if their link is misused by others.
• Brand protection: Documentation often highlights that maintaining brand integrity involves not just legitimate sending but also proactive measures against misuse.
• Technical standards: Adhering to technical email authentication standards (SPF, DKIM, DMARC) is presented as a fundamental defense against spoofing and phishing that leverages your domain.
• Consumer reporting effectiveness: Encouraging consumers to report problematic emails helps law enforcement and service providers track and shut down spammers, indirectly benefiting the brands being abused.
• Unsubscribe link validation: Email platforms and services are increasingly scrutinizing unsubscribe links to ensure they are valid and responsive, as this is a key indicator of sender legitimacy.