Why are non-subscribers receiving marketing emails and submitting unsubscribe requests?
Matthew Whittaker
Co-founder & CTO, Suped
Published 31 Jul 2025
Updated 17 Aug 2025
It can be incredibly perplexing when you start receiving unsubscribe requests, or even complaints, from individuals who are not on your email marketing lists. My first thought when facing such a situation is often, “How is this even possible?” We work hard to maintain clean lists and adhere to best practices, so phantom unsubscribes can feel like a direct contradiction to our efforts. This scenario points to a deeper issue beyond simple list management and often suggests unauthorized use of your domain or other complex deliverability challenges.
The immediate assumption might be that your records are somehow flawed, or that a hidden list exists. However, if your database checks confirm these recipients aren't subscribers, the problem likely lies elsewhere. This is especially true if recipients report receiving emails multiple times a day when your sending frequency is much lower. Such discrepancies strongly suggest that someone else is sending emails that appear to originate from your domain, even if your email authentication protocols are seemingly in order.
Investigating unauthorized sending
One of the primary concerns when non-subscribers report receiving your emails is domain spoofing. You might assume your domain is protected if DMARC, SPF, and DKIM are all set up and passing authentication checks. While these protocols are crucial for legitimate email, their configuration, particularly DMARC's policy, determines how aggressively mailbox providers (MBPs) handle unauthorized emails. If your DMARC record is set to a p=none policy, DMARC reports that show your legitimate mail passing authentication do nothing to stop spoofed emails from being delivered, even when those emails fail alignment.
A p=none DMARC policy essentially tells receiving servers to monitor but not enforce any specific action on emails that fail DMARC authentication or alignment. This means that if someone spoofs your domain, those emails might still reach inboxes, even if they don't align with your SPF or DKIM records. The recipients, upon receiving these unsolicited messages, naturally assume they came from your organization and attempt to unsubscribe, often through your website's contact form, especially if the spoofed email lacks a functional unsubscribe link. This can lead to the illusion that you are emailing non-subscribers.
The importance of DMARC enforcement
While your IT team might confirm SPF, DKIM, and DMARC are set up, the crucial detail lies in your DMARC policy's enforcement level. A p=reject or p=quarantine policy significantly reduces the chances of spoofed emails reaching inboxes. This tells MBPs to either outright reject emails that fail DMARC or place them in spam or junk folders, thereby protecting your brand's reputation and preventing unsolicited mail from appearing to come from you. You can learn how to safely transition your DMARC policy.
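To make the difference between "DMARC is set up" and "DMARC is enforced" concrete, here is an added Python example (not part of the original article) that parses a DMARC TXT record and reports the enforcement level it requests. The records are constructed samples for a hypothetical example.com, and the level names are this example's own labels.

```python
# Added example: classify how strongly a DMARC TXT record is enforced.

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict with lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def enforcement(txt):
    """Return (level, notes) describing what receivers are asked to do."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "invalid", ["record does not declare v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unknown p= tag"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", ["pct= is not a number"]
    notes = []
    if policy == "none":
        level = "monitor-only"
        notes.append("receivers are asked to take no action on failing mail")
    elif pct < 100:
        level = "partial"
        notes.append(f"p={policy} is requested for only {pct}% of failing mail")
    else:
        level = "enforced"
    # sp= overrides p= for subdomains; sp=none leaves them unenforced.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        notes.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        notes.append("no rua= address, so no aggregate reports arrive")
    return level, notes

# Constructed sample records for a hypothetical example.com.
SAMPLES = {
    "weak": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "ramping": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "strict": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com;",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, enforcement(record))
```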
Diving into email headers for clues
The most effective way to diagnose this issue is to obtain a copy of the unsolicited email, ideally with full headers, from one of the complaining non-subscribers. Email headers contain a wealth of information about the email's origin, path, and authentication results. Even if a recipient cannot provide full headers, the message content itself, including tracking links or personalized elements, can reveal whether the email truly originated from your sending infrastructure.
Without full headers
Tracking links: Analyze the domain in any embedded links. Do they point to your legitimate tracking domain or a suspicious third-party one?
Unsubscribe links: Check if the unsubscribe mechanism points to your known email service provider's (ESP) unsubscribe page. If it doesn't, it's likely not your legitimate email.
Personalization: Does the email contain any personalization that only you would have access to, or is it generic?
With full headers
Authentication results: Look for SPF, DKIM, and DMARC pass/fail results. A fail, especially for DMARC alignment, indicates a problem.
Receiving IP addresses: Trace the Received headers to see the path the email took and the IP addresses involved. These can reveal the true sending source.
Mail From and From addresses: Compare these. For DMARC to pass, they must align. Spoofing often involves a mismatched From header.
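The header checks listed above, as an added Python example that is not part of the original article: it reads a constructed message, keeps only the Authentication-Results header stamped by the recipient's own server (mx.receiver.test, a hypothetical name), lists the IP addresses in the Received headers, and tests whether the SPF or DKIM domain aligns with the From domain. Treating the last two labels as the organizational domain is a simplification.

```python
# Added example: triage a complained-about message from its full headers.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims example.com; bounce and DKIM domains differ.
RAW = """\
Return-Path: <bounce@mailer.invalid>
Received: from relay.mailer.invalid (relay.mailer.invalid [203.0.113.7])
 by mx.receiver.test; Tue, 24 Sep 2024 10:00:00 +0000
Authentication-Results: mx.receiver.test;
 spf=pass smtp.mailfrom=bounce@mailer.invalid;
 dkim=pass header.d=mailer.invalid;
 dmarc=fail header.from=example.com
From: Example Deals <news@example.com>
Subject: Big sale

Body text.
"""

def org_domain(value):
    # Simplification: last two labels. Real checks need the Public Suffix List.
    return ".".join(value.lower().rpartition("@")[2].split(".")[-2:])

def triage(raw, trusted_authserv):
    msg = message_from_string(raw)
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1])
    found = {"from": from_dom, "hops": [], "dmarc": None,
             "spf_aligned": False, "dkim_aligned": False}
    for hop in msg.get_all("Received", []):
        found["hops"] += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    for ar in msg.get_all("Authentication-Results", []):
        ar = " ".join(ar.split())  # unfold continuation lines
        # Trust only results stamped by the receiver; a sender can forge others.
        if ar.split(";")[0].strip().lower() != trusted_authserv:
            continue
        verdict = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))
        mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", ar)
        dkim_d = re.search(r"header\.d=([^\s;]+)", ar)
        found["dmarc"] = verdict.get("dmarc")
        found["spf_aligned"] = bool(verdict.get("spf") == "pass" and mailfrom
                                    and org_domain(mailfrom.group(1)) == from_dom)
        found["dkim_aligned"] = bool(verdict.get("dkim") == "pass" and dkim_d
                                     and org_domain(dkim_d.group(1)) == from_dom)
    found["unaligned"] = not (found["spf_aligned"] or found["dkim_aligned"])
    return found

if __name__ == "__main__":
    print(triage(RAW, "mx.receiver.test"))
```

In the sample, SPF and DKIM both pass for the sender's own domain, yet neither aligns with the From domain, which is why the receiver recorded dmarc=fail.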
Another possibility to investigate is whether email forwarding or exploders are at play. An exploder is essentially a single email address that, when sent to, automatically forwards the message to a larger group of recipients. If such an address was mistakenly subscribed to your list, or if a legitimate subscriber has a forwarding rule set up, it could lead to your emails reaching people outside your intended audience, including those who then try to unsubscribe via your website. This can be challenging to track without recipient cooperation, but observing patterns in the email addresses that complain might offer hints.
Finally, consider the nuances of how mailbox providers handle unsubscribe requests and spam complaints. For example, if many complaints are coming from Gmail users, it's worth noting that Gmail has a prominent unsubscribe button directly in its interface, which sends an instant unsubscribe request. This is separate from clicking a link within the email body. If spoofed emails trigger these system-level unsubscribes, it further complicates identifying the true source of the issue. You can read more about why Gmail list-unsubscribe requests are increasing.
Mitigating future issues and maintaining compliance
To prevent these issues, it's important to proactively monitor your email performance metrics, including unsubscribe rates and spam complaints. While seemingly paradoxical, a well-implemented unsubscribe process, even for unsolicited (spoofed) mail, can protect your sender reputation by indicating to MBPs that you are attempting to address complaints. The CAN-SPAM Act legally mandates that all commercial emails include a clear and conspicuous way for recipients to opt out of future messages. Even if it's not your email, a flood of complaints from non-subscribers can negatively impact your domain's standing.
The risks of ignoring unsubscribe requests
Ignoring unsubscribe requests, even from non-subscribers who have received spoofed emails, can have severe consequences. If your company ignores opt-out requests, it can lead to increased spam complaints, damage to your sender reputation, and potentially land your IP addresses or domains on an email blocklist (or blacklist). These actions can severely impact your legitimate email deliverability, causing your important marketing and transactional emails to go to spam or be blocked entirely. For more information on this, check out our guide to what happens when your domain is on an email blacklist.
Regularly review your DMARC reports for unauthorized sending activity. These reports provide invaluable insight into who is sending email using your domain, whether authorized or not, and how those emails are being handled by receiving servers. Pay close attention to sources with high failure rates or unexpected sending volumes. Implementing a robust DMARC monitoring solution is key to quickly identifying and mitigating such issues.
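One way to do this review, as an added Python example that is not part of the original article: it reads a DMARC aggregate (RUA) report and ranks the source IPs whose mail failed DMARC, along with how much of that mail was delivered anyway. The report is a constructed sample for a hypothetical example.com publishing p=none, and the parser assumes the report XML carries no namespace.

```python
# Added example: rank sending sources that fail DMARC in an aggregate report.
import xml.etree.ElementTree as ET
from collections import Counter

def row(ip, count, disposition, dkim, spf):
    """Build one constructed <record> in the aggregate-report layout."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>{disposition}</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            "<identifiers><header_from>example.com</header_from></identifiers>"
            "</record>")

# Constructed report for a hypothetical example.com publishing p=none.
REPORT = ("<feedback><policy_published><domain>example.com</domain>"
          "<p>none</p></policy_published>"
          + row("198.51.100.10", 1200, "none", "pass", "pass")  # own ESP
          + row("203.0.113.7", 5400, "none", "fail", "fail")    # unknown source
          + row("203.0.113.7", 600, "none", "fail", "fail")
          + row("192.0.2.44", 30, "none", "fail", "fail")
          + "</feedback>")

def failing_sources(xml_text):
    """Return (published policy, [(ip, failed, delivered_anyway), ...])."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="")
    failed, delivered = Counter(), Counter()
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", default="0"))
        ev = rec.find("row/policy_evaluated")
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed.
        if ev is None or "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue
        failed[ip] += count
        if ev.findtext("disposition") == "none":
            delivered[ip] += count
    ranked = [(ip, n, delivered[ip]) for ip, n in failed.most_common()]
    return policy, ranked

if __name__ == "__main__":
    print(failing_sources(REPORT))
```

A source that fails in volumes several times larger than your own sending, with disposition none, matches the pattern of recipients reporting far more mail than you actually send.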
Finally, ensure your internal lists are meticulously managed and that you're not inadvertently sending to stale or unengaged contacts, which could also lead to higher unsubscribe rates, even if it's not the primary cause of the phantom unsubscribes. While distinct from spoofing, poor list hygiene can contribute to overall deliverability issues and make it harder to pinpoint specific problems.
Views from the trenches
Best practices
Implement a DMARC policy of 'p=reject' to ensure unauthorized emails are rejected, improving brand security and deliverability.
Regularly monitor DMARC reports to identify any suspicious sending activity or unaligned mail streams.
Always request full email headers from users complaining about unsolicited mail, as they contain critical diagnostic information.
Verify all email sending sources are properly authenticated with SPF, DKIM, and DMARC alignment for your domain.
Common pitfalls
Relying solely on 'p=none' DMARC policy, which only monitors and does not prevent spoofed emails from reaching inboxes.
Assuming DMARC, SPF, and DKIM setup alone provides full protection without checking policy enforcement.
Not considering email forwarding or 'exploder' lists as potential reasons for emails reaching non-subscribers.
Overlooking the impact of system-level unsubscribe buttons, like Gmail's, on tracking unsubscribe sources.
Expert tips
The specific way mailbox providers honor DMARC can vary, so monitor deliverability across different providers.
Even if your DMARC is set to reject, issues can arise if you have multiple sending systems not fully configured, leading to legitimate mail being rejected.
Always communicate with recipients who complain, asking for the email with full headers to get direct insight.
Be aware that unsolicited emails can increase spam complaints, even if they aren't directly from your legitimate sending.
Expert view
Expert from Email Geeks says DMARC reporting is the first place to look to understand what is happening with your domain's email.
September 24, 2024 - Email Geeks
Expert view
Expert from Email Geeks says it is crucial to get a copy of the actual email being complained about, preferably with full headers, to determine its true origin.
September 24, 2024 - Email Geeks
Taking control of your email sending
Dealing with non-subscribers receiving marketing emails and submitting unsubscribe requests is a complex issue, often pointing to unauthorized domain usage rather than simple list errors. While checking your existing authentication protocols is a good first step, the real solution often lies in deeper investigation of DMARC reports and obtaining direct evidence from affected recipients. This forensic approach allows you to pinpoint whether your domain is being spoofed or if other factors, like forwarding, are at play.
Proactive monitoring and a strong DMARC policy are your best defenses. By understanding the intricate paths your emails take and verifying their authenticity, you can not only stop unwanted messages but also protect your sender reputation and ensure your legitimate marketing efforts reach the right audience. It's an ongoing process of vigilance and adaptation to the evolving landscape of email security and deliverability.