
Why am I receiving Temu spam emails with valid DKIM signatures from Disney or Homegoods domains?

Michael Ko
Co-founder & CEO, Suped
Published 29 Apr 2025
Updated 19 Aug 2025
It is certainly perplexing to receive unsolicited spam emails, especially when they appear to be legitimately authenticated by well-known brands like Disney or Homegoods, only to discover they are promoting something entirely unrelated, like Temu. This scenario raises critical questions about email security and how phishing or spam messages can bypass standard protections like DKIM, landing directly in your inbox instead of the spam folder. It’s a common issue that highlights the complexities of modern email deliverability.
The key here is understanding what DKIM (DomainKeys Identified Mail) actually validates. DKIM provides a way for the recipient’s email server to verify that an email was sent by the legitimate owner of that domain and that the message hasn't been altered during transit. It's a crucial part of email authentication, working alongside SPF and DMARC to build trust. However, a valid DKIM signature alone doesn't guarantee the email's content is legitimate or desired.
This article will explore why you might receive such emails, focusing on how malicious actors can exploit legitimate email infrastructure. We'll delve into the nuances of DKIM authentication and how email service providers (ESPs) handle messages that pass these checks but are still spam. Understanding these mechanisms is vital for both senders looking to protect their brand and recipients aiming to safeguard their inboxes.

The mechanism behind authenticated spam

When an email has a valid DKIM signature from a domain like Disney or Homegoods, it means the email originated from a sending server authorized by that domain and the content was not altered in transit. This is usually a good sign, indicating the email is not a basic spoof. However, it does not mean the email’s content is benign or that the sender necessarily intended for that specific message to be sent. For example, a discussion on ServerFault clarifies that valid DKIM doesn't prevent spam.
The issue likely stems from a compromise or misuse of a legitimate email service provider (ESP) account. Large brands like Disney and Homegoods often use third-party ESPs, such as Braze, SparkPost, or Acoustic (formerly Silverpop), to send their marketing and transactional emails. If an account with one of these providers is compromised, attackers can send emails using the brand's authenticated domain, making them appear legitimate in terms of authentication.
This type of attack is known as an Account Takeover (ATO). Once an attacker gains access to a legitimate sending account, they can craft and send emails that pass SPF, DKIM, and DMARC checks because they are using the actual infrastructure authorized by the domain owner. This makes them significantly harder for standard spam filters to catch based solely on authentication. Learn more about how phishing emails can pass authentication. A DMARC policy with a reject directive would help, but many domains still publish a non-enforcing policy.
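To see why mail sent through a compromised ESP account passes DMARC even under p=reject, here is a small Python evaluation of DMARC alignment and policy. It is added here as an illustration and is not code from the article or from Suped's product. The domains (brand.example, m.brand.example, esp-example.net) are constructed placeholders standing in for the m.disneymovieinsiders.com and em.homegoods.com cases reported further down, and the organizational-domain logic is simplified to the last two labels rather than the Public Suffix List.

```python
# Added example (not from the article): a minimal DMARC evaluation showing
# why mail signed by an authorized ESP passes even under p=reject.
# brand.example / m.brand.example / esp-example.net are constructed
# placeholders for the page's m.disneymovieinsiders.com / em.homegoods.com
# pattern.
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: no multi-label public suffixes such as co.uk; a real
    verifier consults the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; adkim=...; ...' into a tag dict, filling in
    the defaults RFC 7489 assigns to absent tags."""
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r'
    (relaxed) only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class DmarcResult:
    dkim_aligned: bool
    spf_aligned: bool
    policy: str  # the policy that would apply on failure

    @property
    def passes(self) -> bool:
        return self.dkim_aligned or self.spf_aligned

    @property
    def disposition(self) -> str:
        # A passing message is delivered normally regardless of p=.
        return "none" if self.passes else self.policy


def evaluate_dmarc(from_domain: str, dkim_pass_domain: Optional[str],
                   spf_pass_domain: Optional[str], record_txt: str) -> DmarcResult:
    """dkim_pass_domain is the d= of a DKIM signature that verified (None if
    none did); spf_pass_domain is the MAIL FROM domain if SPF passed.
    Assumption: record_txt is the organizational domain's record, so the
    'sp' tag applies when the From: domain is a subdomain of it."""
    tags = parse_dmarc_record(record_txt)
    dkim_ok = dkim_pass_domain is not None and aligned(from_domain, dkim_pass_domain, tags["adkim"])
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return DmarcResult(dkim_ok, spf_ok, policy)


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@brand.example"
    # Mail sent through a compromised ESP account: the ESP still holds a
    # valid key for m.brand.example, so DKIM aligns under relaxed mode and
    # p=reject never comes into play.
    r = evaluate_dmarc("brand.example", "m.brand.example", "bounce.esp-example.net", record)
    print("ESP-signed message:", "pass" if r.passes else "fail", "->", r.disposition)
    # Strict DKIM alignment would refuse the subdomain signature...
    r = evaluate_dmarc("brand.example", "m.brand.example", "bounce.esp-example.net", record + "; adkim=s")
    print("same message, adkim=s:", "pass" if r.passes else "fail", "->", r.disposition)
    # ...and a relaxed subdomain policy leaves spoofed subdomains unprotected.
    r = evaluate_dmarc("promo.brand.example", None, None, "v=DMARC1; p=reject; sp=none")
    print("spoofed subdomain, sp=none:", "pass" if r.passes else "fail", "->", r.disposition)
```

The first case is the one the article describes: the ESP's key for the m. subdomain verifies, relaxed alignment accepts it, and the disposition is none whatever p= says. Enforcement still matters for the third case, direct spoofing of a subdomain, which is where an sp=none tag quietly undoes p=reject.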

Account compromise or affiliate abuse

Another possibility is that these emails are part of an unsolicited affiliate marketing scheme. Attackers might sign up for affiliate programs and then use various tactics to send emails, often leveraging compromised accounts or weak security configurations on legitimate sending platforms. Temu, like many fast-growing e-commerce platforms, attracts a wide range of marketing affiliates, some of whom might resort to aggressive or illicit tactics.
In the case of Disney or Homegoods, it's highly unlikely they would intentionally send Temu spam. These companies are typically very protective of their brand and email reputation. The presence of a BIMI logo, as some users reported for Homegoods, further complicates the situation, as BIMI relies on strong DMARC enforcement to display brand logos. This strongly points to an ATO or a deeply integrated third-party misuse rather than a direct partnership.
For domain owners, this highlights the critical importance of vetting third-party senders and continuously monitoring their sending activities, especially from subdomains. It also underscores the need for robust security practices, including two-factor authentication (2FA), on all ESP accounts to prevent unauthorized access. You can find more information about common Temu scams and avoidance strategies in this Bitdefender article.

Beyond authentication: reputation and filtering

Email service providers like Google and Yahoo don't solely rely on SPF, DKIM, and DMARC for spam detection. They employ sophisticated algorithms that analyze various factors, including content, sender reputation, recipient engagement, and historical sending patterns. Even if an email passes all authentication checks, suspicious content (like references to Temu from a Disney domain) or unusual sending volume can trigger spam filters.
The spam categorization is often a result of these other signals overriding the positive authentication results. If enough recipients mark these emails as spam, or if the content is highly indicative of spam, then even a perfectly authenticated email can end up in the junk folder, or worse, be outright blocked. This is a constant battle for mailbox providers trying to protect their users. You can explore more about improving domain reputation with Google Postmaster Tools.
The sender's overall reputation plays a massive role. If a domain is consistently associated with legitimate sending, but then a sudden surge of irrelevant emails (even authenticated ones) appears, it raises red flags. Mailbox providers might also use internal blocklists (or blacklists) based on behavior, independent of DKIM or SPF passing. A practical guide to understanding your email domain reputation can provide further insights.

Protecting your domain and inbox

For domain owners, implementing a strong DMARC policy is crucial. While a p=none policy provides monitoring, moving to p=quarantine or p=reject will instruct receiving mail servers on how to handle emails that fail DMARC checks. This can help prevent unauthorized use of your domain, even if an ESP account is compromised. It’s important to monitor DMARC reports regularly to identify suspicious activity. This helps identify domains or IPs sending on your behalf that you might not be aware of, which could be indicators of compromise.
For recipients, your best defense remains vigilance. Always be skeptical of unsolicited emails, regardless of who they appear to be from. If an email seems out of place, has suspicious content or an unusual tone, it's best to err on the side of caution. Do not click on links or download attachments from such emails. Instead, report them as spam. Reporting helps train spam filters and contributes to a safer email ecosystem for everyone. You can also monitor for your domain on a blocklist or blacklist monitoring service.
The example of Temu spam with valid Disney or Homegoods DKIM signatures is a powerful reminder that email security is a multi-layered challenge. While authentication protocols like SPF, DKIM, and DMARC are essential, they are not foolproof against sophisticated attacks like account takeovers or malicious third-party activities. Learn more about DMARC, SPF, and DKIM. Both senders and recipients must stay informed and proactive in their security measures to combat evolving spam tactics. Continuous monitoring of email delivery and reputation is vital for maintaining trust and inbox placement.

Summary of the problem

Account Takeover (ATO) Prevention

It’s not enough to have SPF and DKIM set up: implement a strong DMARC policy with an enforcement action (quarantine or reject) to prevent unauthorized use of your domain, even if a third-party ESP account is compromised. This will protect your domain’s sending reputation. You can also configure two-factor authentication on all your ESP accounts to add an extra layer of security.

Monitor your sending infrastructure

Regularly review your DMARC reports to identify legitimate and illegitimate sources of email purporting to be from your domain. This vigilance is key to catching and shutting down unauthorized sending quickly.
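Because mail from a compromised ESP account passes authentication, it does not stand out in a DMARC aggregate report by its result; it stands out by volume and by which signing domain and selector it used. The following Python script, added here as an example and not part of the article or Suped's product, parses a constructed RUA report in the RFC 7489 Appendix C layout and flags both unauthenticated sources and authenticated sources whose volume jumps well above a constructed per-IP baseline.

```python
# Added example (not from the article): parse a DMARC aggregate (RUA) report
# and triage its sources. SAMPLE_REPORT is a constructed XML document in the
# RFC 7489 Appendix C layout; domains, IPs and counts are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>brand.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>m.brand.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>brand.example</header_from></identifiers>
    <auth_results>
      <spf><domain>brand.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Constructed baseline: the message count you normally see per known
# sending IP in one report period (build it from past reports in practice).
BASELINE = {"192.0.2.10": 300}


def parse_aggregate_report(xml_text: str) -> list:
    """Flatten each <record> into a dict with the fields used for triage."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        dkim = rec.find("auth_results/dkim")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated carries the *aligned* DKIM/SPF results
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "dkim_domain": dkim.findtext("domain") if dkim is not None else None,
            "dkim_selector": dkim.findtext("selector") if dkim is not None else None,
        })
    return rows


def triage(rows: list, baseline: dict, surge_factor: int = 3) -> list:
    """Return (source_ip, reason) pairs worth a human look.
    Unauthenticated sources are classic spoofing; authenticated sources
    that are unknown or far above baseline are where an ESP account
    takeover shows up, since its mail passes DMARC."""
    findings = []
    for r in rows:
        if not (r["dkim_aligned"] or r["spf_aligned"]):
            findings.append((r["source_ip"],
                             f"unauthenticated source, {r['count']} msgs, disposition={r['disposition']}"))
            continue
        expected = baseline.get(r["source_ip"])
        signer = f"{r['dkim_domain']} (selector {r['dkim_selector']})"
        if expected is None:
            findings.append((r["source_ip"], f"authenticated but not in baseline, signed by {signer}"))
        elif r["count"] > surge_factor * expected:
            findings.append((r["source_ip"],
                             f"volume surge: {r['count']} vs baseline {expected}, signed by {signer}; check the ESP account"))
    return findings


if __name__ == "__main__":
    for ip, reason in triage(parse_aggregate_report(SAMPLE_REPORT), BASELINE):
        print(ip, "-", reason)
```

The report's policy_published block also tells you what the receiver believed your policy to be; if it still shows p=none while the surge is coming from a known ESP address, neither enforcement nor alignment will stop the mail, and the selector named in the finding is the one to rotate or revoke at the provider.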
The issue of legitimate brands seemingly sending spam emails is a complex one, primarily rooted in the misuse or compromise of email service provider accounts. When a third-party ESP account is compromised, attackers can leverage the brand’s authenticated domain to send malicious or unwanted emails that still pass authentication checks, making them appear legitimate at first glance. This is why you might see a Temu email with valid DKIM signatures from Disney or Homegoods.
For domain owners, the defense lies in strict security protocols for all email sending platforms and moving toward strong DMARC enforcement. For recipients, vigilance and reporting suspicious emails are crucial steps. While email authentication provides a strong foundation, the evolving tactics of spammers mean that a layered approach to security, combining technical controls with user awareness, is essential for a safer email experience.

Views from the trenches

Best practices
Always implement a DMARC policy with an enforcement action (p=quarantine or p=reject) to protect your domain.
Use two-factor authentication (2FA) for all third-party email service provider accounts.
Regularly review your DMARC reports to identify and investigate any unauthorized sending sources.
Educate your team on phishing and account takeover risks, especially for email sending platforms.
Monitor your subdomains for any unusual email activity or unapproved sending.
Common pitfalls
Relying solely on SPF and DKIM without DMARC enforcement, which leaves doors open for abuse.
Not regularly reviewing DMARC reports, leading to delayed detection of compromised accounts.
Having weak passwords or no 2FA on email service provider accounts, making them vulnerable to takeover.
Assuming a valid DKIM signature means the email content is always legitimate and safe.
Overlooking activity on subdomains that might be used by attackers or malicious affiliates.
Expert tips
Consider engaging with your ESP's security team if you suspect an account takeover or misuse of your domain for spam.
If an email passes authentication but looks suspicious, always check the actual sending IP and reverse DNS for discrepancies.
Remember that attackers are always looking for the path of least resistance; strong authentication on parent domains means they'll target third-party accounts or subdomains.
Even with strong DMARC, content and reputation filters play a huge role. Don't neglect positive sender reputation practices.
Investigate email headers thoroughly if you receive authenticated spam to identify the exact sending path and potentially compromised provider.
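The header checks in the tips above can be scripted. This Python example is an addition to the article, not the author's or Suped's tooling; RAW_HEADERS is a constructed message with placeholder hosts, addresses, IPs and DKIM selector. It reads the From: domain, the DKIM d= and s= values and the SPF-checked domain from Authentication-Results, reconstructs the Received: chain, and reports where the signing domain, the connecting MTA and the bounce domain diverge from the brand's own domain, which is what points you at the third-party provider to contact.

```python
# Added example (not from the article): pull the facts that matter out of a
# message's headers when authenticated mail looks wrong. RAW_HEADERS is a
# constructed sample; hostnames, IPs, ids and the DKIM selector are placeholders.
import email
import re
from email.utils import parseaddr

RAW_HEADERS = """\
Received: from mta7.esp-example.net (mta7.esp-example.net [192.0.2.10])
        by mx.mailbox-provider.example with ESMTPS id constructed01
        for <user@mailbox-provider.example>; Sat, 2 Dec 2023 10:00:00 +0000
Received: from app-worker-3.internal (localhost [127.0.0.1])
        by mta7.esp-example.net with ESMTP id constructed00;
        Sat, 2 Dec 2023 09:59:58 +0000
Authentication-Results: mailbox-provider.example;
        dkim=pass header.d=m.brand.example header.s=sel1;
        spf=pass smtp.mailfrom=bounce.esp-example.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=m.brand.example;
        s=sel1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: "Brand Promotions" <promo@brand.example>
To: user@mailbox-provider.example
Subject: Shop big savings today

"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); a real tool
    would use the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_received(msg) -> list:
    """One dict per Received: header, topmost first. Only the topmost hop
    (the one your own provider wrote) is trustworthy; the HELO name is
    claimed by the client, while the name and address in parentheses were
    recorded by the receiving server."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if not m:
            continue
        helo, inner, by_host = m.groups()
        ip = IP_RE.search(inner)
        hops.append({"helo": helo,
                     "rdns": inner.split()[0] if inner.split() else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by_host})
    return hops


def analyze_headers(raw: str) -> dict:
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    dkim_d = re.search(r"header\.d=([^\s;]+)", auth)
    dkim_s = re.search(r"header\.s=([^\s;]+)", auth)
    spf_from = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    hops = parse_received(msg)
    sending = hops[0] if hops else {"ip": None, "rdns": None}
    result = {
        "from_domain": from_domain,
        "dkim_domain": dkim_d.group(1) if dkim_d else None,
        "dkim_selector": dkim_s.group(1) if dkim_s else None,
        "spf_domain": spf_from.group(1) if spf_from else None,
        "sending_ip": sending["ip"],
        "sending_host": sending["rdns"],
        "hops": hops,
        "findings": [],
    }
    d, host, spf = result["dkim_domain"], result["sending_host"], result["spf_domain"]
    if d and org_domain(d) == org_domain(from_domain) and d != from_domain:
        result["findings"].append(
            f"DKIM aligns via subdomain {d} (selector {result['dkim_selector']}): find out which platform holds that key")
    if host and org_domain(host) != org_domain(from_domain):
        result["findings"].append(
            f"connecting MTA {host} [{result['sending_ip']}] belongs to third party {org_domain(host)}")
    if spf and org_domain(spf) != org_domain(from_domain):
        result["findings"].append(f"SPF was checked against {spf}, not the From domain (ESP bounce domain)")
    return result


if __name__ == "__main__":
    for line in analyze_headers(RAW_HEADERS)["findings"]:
        print(line)
```

Run against a real message, the three findings together name the provider (from the connecting MTA and bounce domain) and the exact key (subdomain plus selector) that was used, which is what you need when raising the case with that ESP's security team.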
Marketer view
A marketer from Email Geeks says they received a Temu ad with a valid DKIM domain for m.disneymovieinsiders.com, indicating a potential issue with the sending infrastructure.
December 2, 2023 - Email Geeks
Marketer view
A marketer from Email Geeks says they got a similar Temu spam email where the DKIM was valid for em.homegoods.com, using an spop1024 selector, and even featured the HomeGoods BIMI logo.
December 2, 2023 - Email Geeks

Final thoughts on email authentication and security

Receiving Temu spam emails with valid DKIM signatures from reputable domains like Disney or Homegoods is a clear indicator of a sophisticated spam tactic, likely involving an account takeover or severe misuse of a legitimate email service provider. While DKIM validates the origin and integrity of the message, it does not certify the sender's intent or the content's legitimacy. Mailbox providers rely on a broader set of signals, including sender reputation and content analysis, to identify and filter unwanted emails.
For brands, this underscores the critical need for strong internal security measures on all sending platforms and the proactive enforcement of DMARC policies to prevent their domains from being exploited. For recipients, maintaining a healthy skepticism towards unexpected emails, even those that appear authenticated, and promptly reporting spam are crucial defenses. By understanding these dynamics, both senders and recipients can contribute to a more secure and trustworthy email ecosystem.
